Have I Been Pwned Just Added 2 Billion Exposed Email Addresses

According to Neowin, Have I Been Pwned has processed the largest corpus of breached data in its history – a massive collection featuring nearly 2 billion email addresses and 1.3 billion passwords. The dataset, known as Synthient Credential Stuffing Threat Data, contains 625 million passwords that HIBP had never seen before. Troy Hunt, who created the service, confirmed this data comes from credential stuffing lists that criminals bundle and redistribute from prior breaches. Despite online rumors, Gmail itself wasn’t hacked – while 394 million Gmail addresses appear in the data, they’re from other breaches, not Google security failures. The operation took two weeks and maxed out Azure SQL Hyperscale resources, with simple SQL update commands frequently crashing during processing.

What this means for you

Here’s the thing – this isn’t about one big new breach. It’s about criminals compiling everything that’s already been stolen over years into one massive shopping list for credential stuffing attacks. And they’re using it to break into accounts right now. Hunt verified this by checking with subscribers who confirmed their exposed passwords were real – some were even still actively using them.

Think about that for a second. People found passwords they’re currently using in this criminal database. Some passwords were 10-20 years old, which tells you how long this data circulates. The scary part? It didn’t matter if passwords were weak or strong – they all ended up in the same criminal hands.

Check your passwords now

So what should you actually do? First, check the Pwned Passwords service – it’s been updated with all these new passwords. The service lets you check passwords without associating them with your email, which is smart for privacy. If you find your password there, stop using it immediately. Don’t just change one character either – create something completely new.
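The privacy property mentioned above comes from the way the Pwned Passwords range API works: the password is hashed with SHA-1 locally, only the first five hex characters of that hash are sent, and the service returns every known hash suffix for that prefix so the match is made on your own machine. The following is an added example, not code from the article or from HIBP, implementing that client-side step in Python; `live_lookup` assumes network access to api.pwnedpasswords.com, and the sample range response is constructed (the first suffix is the real SHA-1 suffix of "password", the counts are made up).

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix
    that is transmitted and the 35-char suffix that never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 when the password is not in the corpus.
    Padded responses contain filler suffixes with count 0; those are harmless."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_pwned_offline(password: str, range_body: str) -> int:
    """Check a password against an already-fetched range response."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, range_body)


def live_lookup(password: str, timeout: float = 10.0) -> int:
    """Query the real range endpoint (needs network). Only the prefix is sent;
    Add-Padding asks the server to pad the reply so its size does not hint
    at which prefix was requested."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return breach_count(suffix, resp.read().decode("utf-8"))


# Constructed sample of a range response for prefix 5BAA6 (SHA-1 of "password").
SAMPLE_RANGE_5BAA6 = """\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

if __name__ == "__main__":
    print("password seen", is_pwned_offline("password", SAMPLE_RANGE_5BAA6), "times")
```

A count above zero means the password should be retired outright, not tweaked by a character.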

Password managers like 1Password’s Watchtower can automatically check this for you, and most browsers now have built-in password managers that sync across devices. Basically, if you’re still reusing passwords across sites, you’re playing Russian roulette with your accounts.

The bigger picture

This dataset is almost three times larger than anything HIBP has handled before. That should tell you something about the scale of data circulating in criminal circles. And the technical challenge of processing it was enormous – Hunt described maxing out Azure’s resources for two weeks just to get through it all.

But here’s what really worries me: we’re seeing the professionalization of cybercrime. They’re not just stealing data anymore – they’re curating it, organizing it, and making it more useful for attacks. This Synthient dataset represents years of breach data being weaponized more efficiently than ever before.

The advice remains the same but becomes more urgent: use a password manager, enable multi-factor authentication everywhere possible, and consider moving to passkeys where available. Your old password habits simply don’t cut it in 2024.