Cybersecurity researchers are warning the public after a massive cache of 1.3 billion passwords was discovered circulating online, putting millions of digital accounts at immediate risk.
The discovery was confirmed by Have I Been Pwned (HIBP), the global breach-notification platform widely used to check compromised data. HIBP founder Troy Hunt described the trove as “the most extensive corpus of data we’ve ever processed,” underscoring the scale of the threat.
The dataset contains 1.3 billion unique passwords, including 625 million that HIBP says it had never encountered before. It also includes nearly 2 billion unique email addresses. Hunt confirmed that even some of his own personal information appeared in the files, highlighting how widespread the exposure is.
“This corpus is nearly three times the size of the previous largest breach we’d loaded,” Hunt said. “The truth is that once the bad guys have your data, it often replicates over and over again via numerous channels and platforms.”
The passwords were uncovered by a group known as Synthient and appear to come from a mix of sources, including large “credential stuffing” lists. Credential stuffing occurs when hackers take stolen email-and-password combinations from one breach and attempt to use them to access accounts on completely different platforms. Because so many people reuse passwords, the method is often successful — which is why experts repeatedly warn against recycling login credentials.
HIBP has now added the entire dataset to its searchable system, allowing users to check whether their email address appears in any breaches. Users simply enter an address on the HIBP website, and the system reports whether it has been found in known compromised data. People can also sign up for alerts so they are notified the moment new breaches involving their information are added.
With this latest upload, HIBP now contains more than 17.2 billion account records — a sobering indicator of the scale of ongoing global data leaks. The update comes only weeks after HIBP flagged another collection of 183 million stolen passwords.
Hunt urged users to adopt stronger security practices: use a password manager to generate unique, complex passwords, switch to passkeys where possible, and enable multi-factor authentication on all accounts to reduce the likelihood of unauthorized access.
Cybersecurity analysts say the incident is another reminder that the internet’s underground data-trading ecosystem continues to grow — and that individuals must take active steps to protect themselves as massive breaches become more common.