
Have I Been Pwned (HIBP) has added nearly 2 billion unique email addresses from a sprawling dataset of credential stuffing records, marking the largest single update in the platform's history.
The data, sourced and indexed by US-based threat intelligence firm Synthient, also includes 1.3 billion unique passwords, 625 million of which were previously unseen.
The newly integrated dataset, referred to as the Synthient Credential Stuffing Threat Data, significantly expands the reach of HIBP's exposure database. This follows an earlier October release of 183 million credential pairs from Synthient’s infostealer log collection, also indexed by HIBP. While that first batch stemmed from stealer malware infections, the new trove consists of credential stuffing lists, which aggregate login details from previously breached platforms and are reused by attackers to compromise other accounts.
Credential stuffing data is particularly dangerous because it allows attackers to exploit reused credentials across unrelated services. As HIBP founder Troy Hunt explains, a compromised password from a low-priority site, like a hobby forum, can become the “key to the castle” if reused on more sensitive services such as banking or email platforms.
Data source and validation
Synthient, a private cybersecurity intelligence startup, compiled this dataset by aggregating over 23 billion rows of threat data. Sources included Telegram channels, dark web forums, and Tor-based marketplaces where credential lists and stealer logs are traded or shared freely.
This second tranche includes 1,957,476,021 unique email addresses, significantly more than the first. Unlike stealer logs, which capture credentials as users enter them on infected systems, credential stuffing data typically comes from older breaches that are recombined and repackaged into new lists. These lists are used by attackers in automated login attempts to gain unauthorized access to user accounts across different services.
To validate the accuracy of the dataset, Hunt contacted selected HIBP subscribers whose credentials appeared in the list. Several confirmed that at least some of the passwords, ranging from decades-old to currently active, had indeed been used. In multiple cases, the exposed credentials were still in use on active accounts, underscoring the lingering risk posed by reused passwords.
No, Gmail was not breached
It is critical to clarify, especially amid widespread misreporting seen in the wake of previous Synthient-related disclosures, that this is not a Gmail breach, nor is it a compromise of any specific platform. Although Gmail addresses appear in the dataset (approximately 394 million of them), this simply reflects the scale of Gmail’s global usage, not a vulnerability in Google’s systems.
Google previously responded to similar reports, reaffirming that these exposures stem from malware-infected devices and third-party breaches, not flaws in Gmail itself. The presence of any domain in such datasets should not be conflated with a breach of that service.
In total, the newly added credential stuffing corpus spans 32 million unique email domains, with Gmail comprising just 20% of the total. The data spans many years and includes both long-compromised and never-before-seen credential pairs.
Users should check whether their email address or password appears in this dataset by visiting haveibeenpwned.com and reset their passwords if the result is positive. In general, it is recommended to use a password manager to create strong, unique passwords for every site and to enable multi-factor authentication (MFA) on all critical accounts.
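The password check described above can be automated without ever sending the password, or even its full hash, to HIBP. The following is an added example (not code from this article, from HIBP, or from Synthient) of the k-anonymity range query that the public Pwned Passwords API exposes: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, receives every known hash suffix in that range with its breach count, and matches the remaining 35 characters locally. The `SAMPLE_RANGE_BODY` response and its counts are constructed so the example runs offline; `http_fetch_range` is the live variant and is not exercised by the test.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Public HIBP Pwned Passwords range endpoint (k-anonymity model): only the
# five-character SHA-1 prefix is ever sent over the network.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample of a range response. Each line is <35-hex-char suffix>:<count>.
# The first entry is the suffix of SHA-1("password") so the offline demo matches;
# the counts are made up for illustration, not real HIBP figures.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
00A1C3D4E5F60718293A4B5C6D7E8F9A0B1:2
0123456789ABCDEF0123456789ABCDEF012:41
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the upper-case SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # tolerate unexpected padding or garbage rather than failing the check
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in Pwned Passwords (0 if not seen).

    fetch_range is injected so the logic can be tested offline; only the prefix
    reaches it, and the suffix comparison happens on the client.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API that always returns the constructed sample body."""
    return SAMPLE_RANGE_BODY


def http_fetch_range(prefix: str) -> str:
    """Live query against HIBP; the API asks clients to identify themselves with a User-Agent."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration: "password" matches the constructed entry, a random phrase does not.
    print("password ->", pwned_count("password", sample_fetch_range))
    print("correct horse battery staple ->", pwned_count("correct horse battery staple", sample_fetch_range))
```

For a real check, pass `http_fetch_range` instead of `sample_fetch_range`; a non-zero count means the password should be treated as compromised and replaced, regardless of which site it was used on.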