A massive trove of stolen credentials, including 183 million unique email and password pairs, has been added to Have I Been Pwned (HIBP).
The data, collected and curated by a US-based college student known only as Ben, who works for cybersecurity firm Synthient, represents a vast cross-section of threat intelligence sourced from infostealer malware logs, Telegram groups, and various online forums.
The Synthient dataset comprises more than 3.5 terabytes of threat data. According to HIBP founder Troy Hunt, the collection contains 23 billion rows of data, derived from infostealer malware infections and credential stuffing lists. After deduplication, 183 million unique email addresses remained, each tied to the website they were used on and the corresponding password.
Ben's research reveals how extensive and fast-moving the underground credential theft ecosystem has become. Data was collected from an array of open and semi-open sources, including Telegram, Tor, and underground forums, where logs generated by infostealer malware are constantly shared, resold, and recycled.
The data submitted to HIBP primarily consists of “stealer logs,” records created by malware operating on infected systems. These logs typically contain:
- The website address where credentials were entered
- The email address used
- The corresponding plaintext password
For example, a user logging into Gmail on an infected machine would generate a log with the entry gmail.com | user@example.com | password123.
While the majority of email addresses in the Synthient dataset had previously appeared in other breaches, a significant subset, approximately 16.4 million addresses, were completely new to HIBP. Hunt conducted a verification process by contacting several HIBP subscribers whose credentials appeared in the dataset. In multiple cases, individuals confirmed both the accuracy of the stolen credentials and the presence of patterns tied to their usage habits, such as visits to crypto exchanges, gambling sites, or VPN services.
Troy Hunt
The compromised data is now searchable on HIBP by email address, password, domain, and website, offering both users and domain administrators better visibility into exposure from malware-based credential theft. Additionally, the associated passwords are being progressively added to Pwned Passwords, HIBP's password safety database, allowing individuals and services to screen against known compromised credentials.
The dataset's sheer scale and richness make it one of the most substantial stealer log collections ever integrated into HIBP. While this first release only includes the stealer log component, a second corpus, containing credential stuffing data, is expected to follow soon, pending further validation. Credential stuffing lists are built from existing breaches and used to test reused credentials on unrelated services, a tactic that has led to breaches at 23andMe and others.
Leave a Reply