Overview
- Synthient assembled the trove from open and dark‑web sources and infostealer malware, then worked with Troy Hunt to validate its authenticity.
- Have I Been Pwned expanded by roughly 2 billion email addresses and 1.3 billion passwords, including about 625 million not previously in its records.
- Troy Hunt’s sampling confirmed the collection includes both long‑circulating entries and still‑active passwords.
- The passwords have been added to HIBP’s Pwned Passwords service, which checks locally in the user’s browser without sending the password to HIBP.
- Experts urge users to check exposure, change any compromised passwords, enable two‑factor authentication, and adopt password managers or passkeys to reduce takeover risk.
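
The Pwned Passwords bullet above says the check runs in the browser without sending the password to HIBP. The following is an added example, not code from HIBP or from the original page, showing the hash-prefix range lookup that makes this possible: the client hashes the password with SHA-1, requests all entries sharing the first five hex characters, and compares the remainder locally. The function names and the response rows are constructed for illustration, and the network call is replaced by an offline stub.

```javascript
// Added example: hash-prefix range lookup, run against a constructed response.
const { createHash } = require("crypto");

// SHA-1 of the password as 40 uppercase hex characters, split so that only
// the 5-character prefix is ever handed to the network layer.
function splitHash(password) {
  const hash = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// A range response is one "SUFFIX:COUNT" row per line. Return the count for
// our suffix, or 0 when it is absent (zero-count padding rows also yield 0).
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// fetchRange(prefix) stands in for GET https://api.pwnedpasswords.com/range/<prefix>.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  return countInRange(fetchRange(prefix), suffix); // comparison happens locally
}

// Offline stub with constructed rows (not real HIBP data). It records every
// value "sent" so the caller can see what would have left the machine.
const sent = [];
function offlineRange(prefix) {
  sent.push(prefix);
  const listed = splitHash("password");
  const rows = ["0".repeat(34) + "A:3", "F".repeat(35) + ":0"];
  if (prefix === listed.prefix) rows.push(`${listed.suffix}:12345`);
  return rows.join("\r\n");
}

console.log(checkPassword("password", offlineRange));                     // listed
console.log(checkPassword("correct horse battery staple", offlineRange)); // not in the constructed rows
console.log(sent); // 5-character prefixes only
```

A nonzero result means the password appears in the breach corpus and should be changed wherever it is used.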