
Have I Been Pwned adds 2 billion email addresses database

Written by Lusanda Molefe | November 11, 2025

Have I Been Pwned has processed the largest data corpus in its history, adding nearly 2 billion unique email addresses and 1.3 billion passwords to its breach notification database after security researchers compiled credential stuffing lists circulating among cybercriminals. The massive dataset, provided by threat intelligence platform Synthient, includes 625 million passwords never previously seen in HIBP's Pwned Passwords service, with verification revealing that many remain actively in use on current accounts, creating immediate security risks for individuals and organizations relying on compromised credentials to protect sensitive systems and data.


What happened

Have I Been Pwned founder Troy Hunt announced on November 5, 2025, that the service had completed processing 1,957,476,021 unique email addresses (rounded to 2 billion) and 1.3 billion unique passwords sourced from credential stuffing threat data indexed by Synthient. The data represents the most extensive corpus HIBP has ever processed, nearly three times larger than the previous record-holder.

Synthient, a threat intelligence platform run by a college student, compiled the data from numerous locations where cybercriminals had published stolen credentials. The corpus combines two distinct types of compromised data: stealer logs obtained from malware running on infected machines and credential stuffing lists that originate from data breaches where email addresses and passwords are exposed, then bundled, sold, redistributed, and ultimately used to compromise victim accounts.

The processing required HIBP to max out its Azure SQL Hyperscale infrastructure at 80 cores for nearly two weeks, creating significant technical and financial challenges. Hunt described the effort as "extremely laborious, time-consuming and expensive," involving complex database optimization to add new records to the existing 15 billion credential corpus without adversely impacting the live system serving millions of daily visitors.


Why it matters

The exposure underscores that passwords alone provide virtually no protection against determined attackers once credential pairs circulate freely among cybercriminals. Of HIBP's 5.9 million subscribers, 2.9 million were found in this dataset, meaning nearly half of the security-conscious individuals who proactively monitor for breaches had credentials exposed in these credential stuffing lists.

For healthcare organizations, the implications are particularly severe. The IBM Cost of a Data Breach Report 2025 found that healthcare breaches cost an average of $7.42 million. When credential stuffing attacks succeed against healthcare workers' accounts, attackers potentially gain access to electronic health records, patient data, and systems containing protected health information (PHI).


What they're saying

Troy Hunt issued an emphatic warning about misleading headlines: "This is not a Gmail breach. It pains me to say it, but I have to, given the way the stealer logs made ridiculous, completely false headlines a couple of weeks ago."

Hunt explained that while Gmail is the largest represented platform with 394 million unique addresses, "80% of the data in this corpus has absolutely nothing to do with Gmail, and the 20% of Gmail addresses have absolutely nothing to do with any sort of security vulnerability on Google's behalf." The dataset spans 32 million different email domains.

Cybersecurity analyst Davey Winder warned in TechFinitive that "relying upon a password to protect your data is like buying magic beans." He emphasized that "1.3 billion consequences" now exist in the HIBP database for those who fail to implement proper security measures.

Forbes contributor Zak Doffman noted the danger of credential stuffing attacks: "The reality is that some of your passwords and email addresses are almost certainly leaking somewhere online. This could be a breach of a website or service, or infostealer malware infecting a device you own. Either way, the end result is the same."

Hunt concluded his analysis with practical advice: "I suggest instead putting the energy into getting a password manager, making passwords strong and unique (or even better, using passkeys where available), and turning on multi-factor auth. That would be an awesome outcome for all."


What's next

The data is now searchable in Have I Been Pwned as "Synthient Credential Stuffing Threat Data," an entirely separate corpus from previous Synthient stealer log data loaded in October 2025. All 1.3 billion passwords are searchable through the Pwned Passwords service, which stores passwords separately from email addresses to protect user privacy.

HIBP is implementing a gradual notification schedule to contact the 2.9 million affected subscribers without triggering email delivery throttling or reputation issues. The service will increase notification volume by 45% daily, spreading emails over approximately one week. Individuals can check their exposure immediately by searching haveibeenpwned.com rather than waiting for notification emails.

For those wanting to check passwords, Hunt recommends several approaches: using the Pwned Passwords search page (which processes queries in the browser for privacy), accessing the k-anonymity API directly for technical users, or leveraging password managers like 1Password that integrate HIBP's Watchtower feature to automatically check all stored passwords.

The addition of 625 million previously unseen passwords increases the average size of each hash range in Pwned Passwords by approximately 50%, pushing compressed response sizes from about 26KB to 40KB. Organizations integrating Pwned Passwords should make sure their clients request compressed responses.
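The k-anonymity check mentioned above, as an added example (not code from the post, from HIBP, or from Paubox): only the first five hex characters of the password's SHA-1 are sent to the real range endpoint, the suffix comparison happens locally, and the request asks for gzip so the larger ranges arrive compressed. The sample range body and its counts are constructed for the offline self-check; the `Add-Padding` header is a real HIBP option that pads ranges with zero-count entries.

```python
import gzip
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple:
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent to the
    API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a 'SUFFIX:COUNT' range body locally; 0 means not found
    (padding entries the API may add also carry a count of 0)."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        found, count = line.strip().split(":", 1)
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download one range compressed (gzip), as the post advises; this is
    the only network call and is not exercised by the offline sample."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "Accept-Encoding": "gzip",
        "Add-Padding": "true",  # HIBP option: hides the true range size
        "User-Agent": "pwned-range-example",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
        if resp.headers.get("Content-Encoding") == "gzip":
            raw = gzip.decompress(raw)
    return raw.decode("utf-8")


def pwned_count(password: str, range_body: str = "") -> int:
    """Breach count for password; pass a range body to stay offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body or fetch_range(prefix))


# Constructed sample body for prefix 5BAA6 (not real API output, counts
# are made up): one padding entry and the real suffix of "password".
SAMPLE_RANGE = "\n".join([
    "00D4F6E8FA162B8A2E68ABDD1BD0DD4E4A6:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:4178345",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",
])
```

Calling `pwned_count("hunter2")` with no second argument performs the live range lookup; a non-zero result means the password appears in Pwned Passwords and should be rejected or rotated.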


FAQs

What is credential stuffing?

Credential stuffing is a cyberattack method where criminals use stolen username/password pairs from one data breach to attempt logging into unrelated services.


What is a stealer log?

Stealer logs are collections of data harvested by malware specifically designed to steal credentials, browser cookies, cryptocurrency wallets, and other sensitive information from infected computers.


How do password managers help prevent credential stuffing attacks?

Password managers generate strong, unique passwords for every account and store them encrypted, eliminating password reuse.