Have I Been Pwned Just Added 2 Billion Email Addresses


According to Neowin, Have I Been Pwned (HIBP) has processed and indexed the largest corpus of breached data in its history, a set called the Synthient Credential Stuffing Threat Data. The dataset contains almost two billion email addresses and 1.3 billion passwords, 625 million of which were previously unknown to HIBP. Troy Hunt, who created the service, confirmed that the data comes from credential stuffing lists that criminals compiled from prior breaches. Despite rumors circulating online, Gmail was not recently hacked: the 394 million Gmail addresses in the dataset come from older breaches, not from any new Google vulnerability. The corpus is nearly three times larger than any previous breach loaded into HIBP and took two weeks of processing that maxed out Azure SQL Hyperscale resources. Hunt also verified the data's accuracy by checking his own exposed information and by confirming with subscribers whose old passwords appeared in the list.


What this actually means

Here's the thing: this isn't a new breach. Criminals have been collecting login credentials from years of data breaches and compiling them into massive lists for credential stuffing attacks, where automated tools take known email-password pairs and try them against hundreds of websites on the bet that people reuse passwords. And many people do exactly that.

The scary part? Hunt verified that some of these exposed passwords are still in active use today, even though some of them are 10 to 20 years old. It doesn't matter whether your password is "password123" or a complex 16-character masterpiece: once it is in a list like this, attackers will try it, so never use it anywhere again.

The technical nightmare

Processing nearly 2 billion records was apparently an absolute nightmare. Hunt described how simple SQL UPDATE statements would either fail outright or run so long that they had to be killed. The team had to fall back to batch processing because the dataset kept overwhelming their Azure SQL Hyperscale infrastructure.

And then there was the notification problem. Imagine trying to email 2.9 million affected subscribers without getting your entire mail domain blacklisted by the major providers. They had to throttle delivery carefully, which made the notification process painfully slow. That gives you some perspective on just how enormous this dataset really is.

What you should do right now

First, check whether your passwords are compromised using HIBP's Pwned Passwords service. The good news is that these passwords were added without being linked to email addresses, and the service stores and searches only password hashes: a client hashes the password with SHA-1 and sends just the first five hex characters of that hash, then matches the remaining 35 characters locally against the list of suffixes the service returns for that prefix. So you can check a password without handing the full password, or your email, to anyone.
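To make the k-anonymity check concrete, here is an added example (not HIBP's own code, and not from the article) that hashes a password, splits the SHA-1 hex into the 5-character prefix that would be sent and the 35-character suffix that stays local, and matches the suffix against a range response. The response format (`SUFFIX:COUNT` lines from `https://api.pwnedpasswords.com/range/<prefix>`) and the `Add-Padding` header are the real service's; the sample response below is constructed inline so the demo runs offline, and the counts in it are made up. The `fetch_range` helper does a live lookup and is never called by the offline demo.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check."""
import hashlib
import urllib.request
from typing import Dict, Tuple

# Real HIBP endpoint; only used by the optional live helper below.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return the 5-hex-char prefix sent to the API and the 35-char suffix kept locally.

    Only the prefix leaves the machine, so the service learns which of the
    16^5 hash buckets the password falls in, not the password or its full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries arrive with count 0."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue  # ignore malformed lines rather than trust them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """Times the password appeared in breaches, given the range response for its prefix.

    A padding entry (count 0) or a missing suffix both mean 'not found'.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Add-Padding asks the service to pad the response
    with count-0 entries so the response size does not reveal the bucket."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_live(password: str) -> int:
    """Full live check: send only the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count_from_response(password, fetch_range(prefix))


# --- constructed sample data (NOT a real API response) ---
def build_sample_response(password: str, count: int) -> str:
    """Fake a range response containing `password`, a filler entry, a padding
    entry and a malformed line, in the CRLF-separated format the API uses."""
    _, suffix = sha1_prefix_suffix(password)
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed filler suffix
        f"{suffix}:{count}",                       # the password under test
        "F" * 35 + ":0",                           # padding entry: count 0, never a hit
        "garbage-line-without-a-colon",            # must be skipped by the parser
    ]
    return "\r\n".join(lines) + "\r\n"


def demo() -> Dict[str, int]:
    """Check a reused password and an unrelated one against the constructed response."""
    sample = build_sample_response("password123", 123456)  # made-up count
    return {
        "password123": breach_count_from_response("password123", sample),
        "correct horse battery staple": breach_count_from_response(
            "correct horse battery staple", sample
        ),
    }


if __name__ == "__main__":
    for pw, n in demo().items():
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in this range")
```

The design choice worth noticing is that the only thing the client ever sends is the five-character prefix; both the suffix comparison and the decision are made locally, and a padded response keeps even the bucket size from leaking.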

Hunt’s advice is straightforward: get a password manager (your browser probably has one built-in), stop reusing passwords entirely, and enable multi-factor authentication everywhere you can. Oh, and consider using passkeys where available. The days of remembering passwords might be numbered anyway.

Look, the reality is your data is probably in multiple breaches by now. The question isn’t whether you’ve been pwned – it’s what you’re doing about it. Are you still reusing passwords across sites? Because that’s exactly what criminals are counting on.
