FindArticles © 2025. All Rights Reserved.

Have I Been Pwned Adds 183M Leaked Logins

Last updated: October 27, 2025 1:24 pm
By Gregory Zuckerman

If you reuse passwords, or haven’t checked your email address against known breaches recently, it’s time. Cybersecurity researcher Troy Hunt has uploaded a massive new batch of compromised account data to his breach notification site Have I Been Pwned, including 183 million accounts exposed during the breach of “game-related ecosystem” platform StormDev. The free service allows anyone to check if their email address appears in known data breaches, and then some.

Have I Been Pwned, commonly referred to as HIBP by its users, functions like a search engine for data breaches. Enter an email, and you get back a list of breached services associated with that address, the types of data leaked in each breach, and recommendations on what to do. Today, HIBP is home to hundreds of incidents and billions of exposed records, and it’s the creepy data breach search engine that millions of people use.

Table of Contents
  • What was added to HIBP and why the update matters
  • How to check your email for breaches in HIBP
  • What to do if your accounts are exposed in breaches
  • Why stealer logs are proliferating across forums
  • Bottom line: take action now to reduce breach risks

What was added to HIBP and why the update matters

The flagship addition is a set of 183 million unique email addresses harvested with the assistance of a threat intelligence company called Synthient. The cache matches addresses with the sites they were used on and, in many cases, the passwords associated with them. A second set of 3.9 million, belonging to the defunct video-sharing site MyVidster, was also added and included email addresses, usernames, and profile photos.

Synthient’s researcher Benjamin Brundage assembled data from the stealer-log underground. Stealer logs are the output of information-stealing malware that lifts credentials, cookies, and autofill data off infected machines. By systematically scraping from sources including Telegram channels, forums, and social platforms, he collected some 3.5TB of data across an estimated 23 billion rows. At the point I deduplicated with HIBP, 92% of the data set was now known material, but that still left 183M unique addresses for HIBP and an additional 16.4M previously unseen across both my data set and those widely circulated stealers.

That matters because attackers rely on these logs for automated credential stuffing: trying stolen email and password pairs across many sites, sometimes in a span of seconds. Hunt has also highlighted that the feed includes a number of big credential stuffing lists, which he’ll be adding after validating their veracity. As he describes it, stealer logs are a “firehose” of new and reused data, and the challenge is that he is always falling behind in simply folding validated items into HIBP.

How to check your email for breaches in HIBP

Checking is straightforward. Type your email address into Have I Been Pwned to see whether you have been pwned. You will see which breaches include your data, what was exposed (email address, passwords, phone numbers), and whether the newly added Synthient-sourced records are among them. You don’t see the stolen passwords or personal data; HIBP displays only aggregate data to prevent re-victimizing those who have already suffered.


Next, take your favorite passwords and run them through the HIBP Pwned Passwords feature. It employs a privacy-preserving “k-anonymity” technique so that the service never receives your actual password, but can tell you whether your password appears in known dumps. If it does, retire it immediately everywhere.
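How the k-anonymity lookup keeps the password local, as an added example that is not code from the article or from HIBP: the client hashes the password with SHA-1, sends only the first five hex characters to the Pwned Passwords range endpoint, and matches the rest of the hash against the returned list itself. `FakeRangeServer`, its corpus and its counts are constructed stand-ins so the demo runs offline; `fetch_range_live` shows the real call shape with a made-up User-Agent string.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def split_hash(password):
    """SHA-1 the password locally; only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, body):
    """Scan the 'SUFFIX:COUNT' lines returned for a prefix; 0 means not found."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def pwned_count(password, fetch_range):
    """fetch_range is any callable mapping a 5-char prefix to a response body."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))

def fetch_range_live(prefix):
    """Network call for real use; not exercised by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "k-anon-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

class FakeRangeServer:
    """Constructed stand-in for the service: a tiny made-up corpus with counts."""
    def __init__(self, corpus):
        self.seen = []   # everything the "server" learns from queries
        self.index = {}
        for pw, n in corpus.items():
            prefix, suffix = split_hash(pw)
            self.index.setdefault(prefix, []).append(f"{suffix}:{n}")

    def __call__(self, prefix):
        self.seen.append(prefix)
        return "\r\n".join(self.index.get(prefix, []))

if __name__ == "__main__":
    server = FakeRangeServer({"password": 1200, "letmein": 45})  # constructed counts
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, server))
    print("server saw only:", server.seen)
```

Swap `server` for `fetch_range_live` to query the real service; the only value transmitted is still the five-character prefix.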

What to do if your accounts are exposed in breaches

  • Immediately change passwords on compromised accounts, particularly for email, banking, and cloud storage.
  • Use long, unique passwords for every site (ideally generated and stored by a good password manager).
  • Turn on multi-factor authentication where available in order to reduce the success of credential stuffing and phishing attacks.
  • If a service does support passkeys, perhaps it’s time to switch; they are resistant to both phishing and reuse by design.
  • If you reused a password across multiple sites, change it not just on the breached account but everywhere else it was used.
  • End active sessions, deauthorize remembered devices, and get app-specific tokens.
  • In your email account, check forwarding rules and recovery settings — attackers frequently implant silent forwarding to divert sensitive mail.
  • Be vigilant against phishing that uses the breached service as bait; attackers frequently exploit breach disclosures to phish other accounts by luring people into a trap where they are asked to reset their password at a fake site.

The problem of reuse is pervasive: in one industry analysis after another, from SpyCloud’s annual report to countless others, the statistic remains that about 94% of leaked passwords are not unique. Stealer malware typically also grabs browser-stored passwords and session cookies, so even passwords you haven’t changed could be misused through hijacked sessions. Clearing out saved passwords, updating browsers, and running reputable anti-malware software can all help lock that door.

Why stealer logs are proliferating across forums

Infostealers such as RedLine and other malware families like Raccoon and Lumma are cost-effective turnkey tools for low-skilled attackers who lack tooling of their own. A user’s entire digital footprint (logins, cookies, autofill details) can be harvested from a single infection, and the logs that result are endlessly traded and reposted across Telegram and dark web forums. That recycling is why 92 percent of Synthient’s find overlapped with known information yet still yielded millions of fresh, actionable credentials.

The spillover risk is not just personal. SMBs that permit sharing or reuse of passwords are sitting ducks for automated attack. The use of stolen credentials continues to be one of the top initial access vectors, as illustrated by the Verizon Data Breach Investigations Report. Basic hygiene — unique passwords, MFA, and rapid rotation after exposure — greatly mitigates that risk.

Bottom line: take action now to reduce breach risks

The HIBP update adds 183 million new records — with millions more being reviewed — and it’s one of the largest warnings yet that it’s long past due to audit your digital life. And so go check your email in HIBP, retire that weak or duplicate password already, turn on MFA, and move to passkeys where you can. The attack data flood isn’t going away any time soon, but a couple of judicious moves will keep you at least out of the splash zone.

Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.