Have I Been Pwned: Billions of New Passwords in Collection

Troy Hunt, the operator of the Have I Been Pwned service, has integrated 1.3 billion unique passwords into the database. These entries originate from the extensive “Synthient” collection, which gathered publicly available data from cloud storage and Telegram groups.

About two weeks earlier, Hunt had already added approximately 183 million credentials from the same data pool. The newly added information primarily stems from infostealer datasets. Infostealers are malware that records login details on infected devices and transmits them to remote command-and-control servers. Much of this data eventually becomes publicly accessible online.

Origins and Scope of the Synthient Collection

The Synthient collection compiles material from numerous data breaches and credential dumps, collectively referred to by Hunt as “Credential Stuffing” entries. According to his statement, the total database now includes around 2 billion unique email addresses.

“Troy Hunt, operator of the Have I Been Pwned service, has now added 1.3 billion unique passwords to the data collection.”

Many victims are infected through hidden malware bundled with pirated software or through security flaws in legitimate programs. Once installed, infostealers silently extract stored credentials, which later circulate among cybercriminals or appear in open data leaks.

Security Implications

Author’s Summary: Troy Hunt expanded Have I Been Pwned by 1.3 billion passwords from the Synthient breach data, warning users about pervasive infostealer threats and data exposure risks.

heise online — 2025-11-06