Overview
- Troy Hunt added roughly 1.957–2 billion email addresses and about 1.3 billion passwords to Have I Been Pwned, including around 625 million not previously seen in its database.
- Although the trove includes about 394 million Gmail addresses, reporting states this does not indicate a Gmail breach because entries span tens of millions of domains.
- Hunt validated samples with HIBP users and found many passwords still in active use, with some more than a decade old.
- Analysts report the credentials are already circulating for credential-stuffing attacks that target accounts where passwords are reused.
- Users can anonymously check email addresses and passwords on haveibeenpwned.com and should change exposed credentials, use a password manager, and enable two-factor authentication.