A staggering trove of 1.3 billion passwords, along with nearly two billion email addresses, has been found publicly accessible online, raising significant concerns about online security.
The revelation comes from Have I Been Pwned (HIBP), an online platform that alerts individuals if their information has been compromised in a data breach. This extensive dataset amalgamates data from several sources where cybercriminals have shared stolen login details.
Troy Hunt, the CEO of HIBP, revealed that even his password was part of this breach. He noted, “This collection is almost three times larger than any previous breach we have ever processed.”
The exposed data includes 1,957,476,021 individual email addresses and 1.3 billion distinct passwords, with 625 million of these passwords being new to HIBP’s records.
Given that over 5.5 billion people worldwide are internet users, experts are advising everyone to update their passwords as a safety measure.
This massive data dump not only consists of information from past breaches but also includes lists used for credential stuffing, where hackers attempt to access various accounts using stolen passwords.
HIBP verified the dataset by checking actual users’ credentials. Many passwords were old or unused, but others were still actively protecting accounts, illustrating the real-world risk.
Hunt offered HIBP to help users determine if their credentials were compromised, allowing them to check email addresses and passwords for instant results.
The dataset includes 1,957,476,021 unique email addresses and 1.3 billion unique passwords
HIBP’s Pwned Passwords service allows anyone to check if a password has been previously exposed without revealing which email addresses it was linked to, preserving privacy while improving security.
‘I hate hyperbolic news headlines about data breaches, but for the ‘2 Billion Email Addresses’ headline to be hyperbolic, it’d need to be exaggerated or overstated – and it isn’t,’ Hunt said.
‘It’s the most extensive corpus of data we’ve ever processed, by a margin.
Cybersecurity experts are urging immediate action, telling individuals to use a secure password manager and create unique, strong passwords for each account.
Two-factor authentication should be enabled on all accounts, with priority given to email and administrative logins.
Organizations are advised to run credential checks to identify reused or exposed passwords among users.
Breached-password detection should be implemented during logins and password changes. Access privileges should be audited, service accounts restricted, and outdated credentials removed.
For individuals, the key takeaway of the data breach is clear: passwords alone are no longer enough.
With more than 5.5 billion people worldwide using the internet, researchers warned that a staggering number of individuals likely had at least some of their accounts compromised
Organizations face similar challenges but on a larger scale.
Credential-stuffing attacks are particularly dangerous because a single leaked password can give attackers access to corporate systems, email accounts, and sensitive data.
Enterprises are advised to adopt zero-trust access models, enforce least-privilege policies, implement MFA and monitor for exposed credentials continuously. Breach-response plans should be active, and automated systems should detect and prevent credential-stuffing attempts.
From a technical standpoint, processing this massive corpus posed significant challenges.
HIBP had to optimize its Azure SQL infrastructure to manage two billion records alongside its existing 15 billion, while keeping the live service available to millions of daily users.
Data was hashed and inserted in batches, with multiple rounds of verification and testing to ensure performance and accuracy. Email notifications to affected subscribers were carefully staggered to prevent throttling and maintain deliverability.
Ultimately, this massive dataset highlights the continuing risks posed by reused and compromised credentials.
