Overview
- HIBP reports 1,957,476,021 unique email addresses and 1.3 billion unique passwords in the corpus, including about 625 million not previously in its datasets.
- The data was aggregated by Synthient from infostealer-derived stealer logs shared on forums and messaging channels, not from a single corporate breach.
- Exposed passwords have been added to HIBP’s Pwned Passwords using an anonymity model that avoids storing email–password pairs and enables private lookups.
- HIBP has begun staggered notifications, and users are urged to change reused passwords, enable two-factor authentication or passkeys, and adopt a password manager.
- Organizations are advised to detect and block credential stuffing, audit for reused or exposed credentials, enforce MFA, and harden access controls.
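
The private lookup mentioned for Pwned Passwords, and the audit for exposed credentials, can be sketched as follows. This is an added example, not HIBP's code: it assumes the public Pwned Passwords range format (only the first five SHA-1 hex characters leave the client; the response is `SUFFIX:COUNT` lines, with zero-count padding rows when padding is requested), and the function names and the sample response body are constructed for illustration.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # hex chars of the SHA-1 digest that are sent to the service


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; drop malformed rows and zero-count padding."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            continue
        if int(count) > 0:  # padded responses include decoy rows with count 0
            counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password, range_body):
    """Occurrences of password in the range body fetched for its prefix."""
    _, suffix = split_hash(password)
    hits = 0
    for candidate, count in parse_range(range_body).items():
        if hmac.compare_digest(candidate, suffix):
            hits = count
    return hits


def constructed_range_body(password, count):
    """Constructed sample response: one real row, padding, and a bad row."""
    _, suffix = split_hash(password)
    return "\r\n".join([
        "0" * 35 + ":0",      # padding decoy, must not count as a hit
        f"{suffix}:{count}",  # the row a real response would hold
        "not-a-valid-row",    # malformed line, must be ignored
        "F" * 35 + ":7",      # unrelated exposed hash
    ])


if __name__ == "__main__":
    body = constructed_range_body("password", 1234)
    # Second value is not in the constructed body, so it reports 0.
    for pw in ("password", "a long unique passphrase 7f3c"):
        print(split_hash(pw)[0], exposure_count(pw, body))
```

In a sign-up or password-change flow, the prefix from `split_hash` is the only value sent to the service, and a non-zero `exposure_count` is the signal to reject the password.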