Overview
- Following the update, the service tracks about 2 billion unique compromised email addresses, with 625 million of the newly added passwords not previously seen in HIBP.
- Troy Hunt validated portions of the corpus by contacting subscribers, confirming that some passwords were decades old while others were still in active use.
- The data originated from openly accessible cloud storage, Telegram groups and prior breaches, and includes credentials harvested by infostealer malware.
- All added passwords are now in the Pwned Passwords tool as hashes without associated emails, enabling privacy-preserving checks by individuals and organizations.
- Checks highlight the persistence of weak choices, with the password “123456” appearing in 178,863,340 records.