Mother of all data breaches sees 1.3 BILLION passwords exposed… check if yours is compromised

A massive collection of 1.3 billion passwords alongside nearly two billion email addresses has been exposed online.

Have I Been Pwned (HIBP), an online service that notifies people if they were exposed in a data breach, processed the data compiled from multiple sources where cybercriminals had published stolen credentials.

HIBP CEO Troy Hunt, who admitted his password made the list, said: ‘This corpus is nearly three times the size of the previous largest breach we [have ever] loaded.’

The dataset includes 1,957,476,021 unique email addresses and 1.3 billion unique passwords, 625 million of which had never been seen before by HIBP. 

With more than 5.5 billion people worldwide using the internet, researchers warned that a staggering number of individuals likely had at least some of their accounts compromised. 

These records combined past breaches with credential-stuffing lists, a type of data used by attackers to try stolen passwords across multiple accounts. 

HIBP verified the dataset by checking actual users’ credentials. Many passwords were old or unused, but others were still actively protecting accounts, illustrating the real-world risk. Even seemingly complex passwords can appear in breaches and be exploited, reinforcing the need for strong, unique credentials.

Hunt offered HIBP to help users determine if their credentials were compromised, allowing them to check email addresses and passwords with instant results.

‘I hate hyperbolic news headlines about data breaches, but for the ‘2 Billion Email Addresses’ headline to be hyperbolic, it’d need to be exaggerated or overstated – and it isn’t,’ Hunt said.

‘Oh – and 1.3 billion unique passwords, 625 million of which we’d never seen before either. It’s the most extensive corpus of data we’ve ever processed, by a margin.’

Cybersecurity experts are now urging immediate action, telling individuals they should use a secure password manager and create unique, strong passwords for each account. 

Two-factor authentication should be enabled on all accounts, with priority given to email and administrative logins. 

Organizations are advised to run credential checks to identify reused or exposed passwords among users. 

Breached-password detection should be implemented during logins and password changes. Access privileges should be audited, service accounts restricted, and outdated credentials removed. 

These measures are critical to reduce the risk of account takeover. Following these steps helps protect both personal and corporate accounts from cyberattacks.

For individuals, the key takeaway is clear: passwords alone are no longer enough.

Users should switch to password managers, generate strong and unique passwords for every account, and enable multi-factor authentication (MFA) wherever possible.

HIBP’s Pwned Passwords service allows anyone to check if a password has been previously exposed without revealing which email addresses it was linked to, preserving privacy while improving security.
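As an added example (not code from the article or from HIBP), here is a breached-password check of the kind the article recommends at login and password-change time, built on the range-query ("k-anonymity") model that HIBP's public Pwned Passwords API exposes: the client hashes the candidate password with SHA-1, sends only the first five hex characters to the server, and compares the returned hash suffixes locally, so neither the password nor its full hash leaves the client. The endpoint URL is HIBP's real one, but `fetch_range_live` is never called here; the range responses, counts and filler suffixes in `_FAKE_RANGES` are constructed so the demo runs offline, and `password_acceptable` is an assumed policy hook, not part of any real API.

```python
import hashlib
import urllib.request
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP's public range endpoint


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """First 5 hex chars are sent to the server; the remaining 35 stay on the client."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the range API's response format) into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or "0")
    return counts


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """How often the password appears in the corpus; 0 if the suffix is absent."""
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def password_acceptable(password: str, lookup: Callable[[str], str],
                        max_seen: int = 0) -> tuple[bool, int]:
    """Assumed policy hook for login / password-change flows: reject breached passwords."""
    seen = breach_count(password, lookup)
    return seen <= max_seen, seen


def fetch_range_live(prefix: str) -> str:
    """Live lookup against HIBP (network access); not used by the offline demo below."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "breached-password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server, keyed by prefix and serving SUFFIX:COUNT lines.
# The counts and the filler suffix are invented; only the hash arithmetic is real.
_FAKE_RANGES = {
    split_hash("password")[0]: "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",        # constructed filler suffix
        split_hash("password")[1] + ":9545824",          # constructed count
    ]),
}
sent_prefixes: list[str] = []  # records exactly what left the "client"


def fake_lookup(prefix: str) -> str:
    sent_prefixes.append(prefix)
    return _FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "not-in-the-constructed-range-example"]:
        ok, n = password_acceptable(pw, fake_lookup)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} (seen {n} times)")
```

The same `password_acceptable` call fits both places the article names: a password-change form that refuses a breached choice, and a login path that flags a successful login with a known-breached password for a forced reset. Note that a match on the suffix means the password itself has been seen, regardless of which email addresses it was paired with; the prefix alone tells the server nothing useful.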

Organizations face similar challenges but on a larger scale. Credential-stuffing attacks are particularly dangerous because a single leaked password can give attackers access to corporate systems, email accounts, and sensitive data.

Enterprises are advised to adopt zero-trust access models, enforce least-privilege policies, implement MFA and monitor for exposed credentials continuously. Breach-response plans should be active, and automated systems should detect and prevent credential-stuffing attempts.

From a technical standpoint, processing this massive corpus posed significant challenges. 

HIBP had to optimize its Azure SQL infrastructure to manage two billion records alongside its existing 15 billion, while keeping the live service available to millions of daily users. 

Data was hashed and inserted in batches, with multiple rounds of verification and testing to ensure performance and accuracy. Email notifications to affected subscribers were carefully staggered to prevent throttling and maintain deliverability.

Ultimately, this massive dataset highlights the continuing risks posed by reused and compromised credentials. 
