Have I Been Pwned adds biggest trove of breaches, and no, Gmail wasn't hacked

Have I Been Pwned (HIBP), the website that lets you check whether your data was involved in any breaches, has processed and indexed the largest corpus of breached data in its history. The batch is known as the Synthient Credential Stuffing Threat Data. It contains almost two billion email addresses and 1.3 billion unique passwords, 625 million of which HIBP had never seen before.

Troy Hunt, who created HIBP, said that the data comes from credential stuffing lists: username and password pairs pulled from prior data breaches, then bundled and redistributed by criminals for replay against other sites. He stressed that this corpus is separate from the 183 million Synthient stealer log email addresses reported earlier.

To verify that the data was genuine, Hunt checked his own exposed records and reached out to a mix of HIBP subscribers to verify theirs. Many confirmed that the exposed passwords were real, including some that were still in active use. The passwords varied in age, with some dating back 10 to 20 years. They ranged from weak to strong, so if you find one of yours in the set, change it everywhere it is used, regardless of how strong it looks.

HIBP has added the passwords from this stash to its Pwned Passwords service. They are stored as hashes with no association to the email addresses they were paired with, so the service cannot be used to look up who owned a given password. Checking a standalone password is enough: if yours is there, it is already in the hands of attackers and should never be used again. Hunt says users can check their exposure via the Pwned Passwords search page, the k-anonymity API (the client sends only the first five characters of the password's SHA-1 hash and compares the returned hash suffixes locally, so the password itself never leaves the device), or password managers such as 1Password's Watchtower that integrate with it.
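The following is an added example of how a client performs the k-anonymity check described above; it is not HIBP's own code. It assumes the publicly documented request shape (a GET to `/range/` followed by the five-character SHA-1 prefix, with an optional `Add-Padding: true` header) and response shape (one `SUFFIX:COUNT` line per entry). The sample response embedded in the block is constructed for offline use, and its counts are made up; only the SHA-1 of the string "password" is real. The fetch function is injectable so the same logic can be run against a canned response or the live endpoint.

```python
"""k-anonymity range check for a Pwned-Passwords-style API.

Added example, not HIBP's code. Endpoint and line format follow the public
API; SAMPLE_RANGE_RESPONSE is constructed so the block runs offline.
"""
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range lookup for prefix 5BAA6 might return.
# Only the second suffix is real (the tail of SHA-1("password")); the other
# suffixes and every count are made up to exercise the parser. A count of 0
# is what the API's optional padding entries look like.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "1E5C9B93F3F0682250B6CF8331B7EE68FD9:0",
    "F" * 35 + ":12",
])


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 hex chars of the uppercase SHA-1
    hash and the remaining 35. Only the prefix is ever sent to the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict keyed by uppercase suffix.
    Tolerates CRLF line endings and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the hash suffixes sharing a 5-character prefix from the live API."""
    req = Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = absent).

    The comparison of the full suffix happens locally; the server only ever
    learns the 5-character prefix, which hundreds of hashes share.
    """
    prefix, suffix = split_hash(password)
    counts = parse_range(fetch(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    # Live check against the real API (requires network access).
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

Any non-zero count means the password has already circulated in breach data and should be retired; a zero only means it is not in the corpus, not that it is strong.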

Rumors of a Gmail breach have been circulating online recently, but they are false: Gmail has not been breached. Hunt reiterated this, pointing out that the corpus spans 32 million distinct email domains. gmail.com is the largest at 394 million addresses, but roughly 80% of the data has nothing to do with Gmail, and the Gmail addresses that do appear come from the same breached third-party sites and stealer logs as everything else, not from any security vulnerability on Google's part.

This corpus is almost three times the size of the previous largest breach loaded into HIBP. Hunt said that loading and manipulating the data in Azure SQL Hyperscale was extremely difficult and expensive, maxing out resources for two weeks. Simple SQL UPDATE statements often failed or had to be killed, so the work had to be broken into batches. Sending notifications to the 2.9 million affected subscribers was also slow, as delivery had to be rate-limited to avoid being throttled or blacklisted by receiving mail servers.

As for advice to end users, Hunt recommended getting a password manager to store unique passwords for every site, choosing strong, unique passwords, adopting passkeys where they are offered, and enabling multi-factor authentication. Most web browsers, including Google Chrome and Firefox, come with a built-in password manager that can sync across devices.
