
Troy Hunt, the founder of Have I Been Pwned (HIBP), recently obtained an unprecedented collection of 2 billion unique email addresses and 1.3 billion unique passwords, sourced from various internet leaks, malicious lists, and Telegram groups. The data, aggregated and summarized by security company Synthient, is the latest example of how widespread exposed credentials remain, following prior reports of 183 million compromised emails. Most of these credentials were captured by infostealer malware or made publicly available, underscoring the ongoing risks posed by unsecured and reused passwords.
After filtering out duplicates, the dataset now contains only unique combinations. Hunt verified the data’s integrity by testing old accounts of his own, finding several passwords, though only one remained active. Feedback from other testers revealed that some credentials dated back decades, while others were current, showing that attackers can exploit even long-forgotten passwords via techniques like credential stuffing. Simple passwords, personal information, and predictable patterns remain highly vulnerable to repeated attacks.
To aid user security, Hunt has added these passwords to the Pwned Passwords database, where anyone can check if a password has ever been compromised. Even if a password was linked to someone else’s account, its appearance in a breach makes it unsafe for reuse. Hunt strongly recommends that users frequently check their email addresses and passwords, retire any exposed credentials, and maintain strong, unique passwords across all accounts. The massive scale of this leak is a stark reminder that personal cybersecurity vigilance is more critical than ever in protecting against persistent threats.

