What happened
On 5 November 2025, Have I Been Pwned (HIBP) — the widely used breach notification service — absorbed the Synthient Credential Stuffing Threat Data corpus. The dataset contained 1,957,476,021 unique email addresses and 1.3 billion unique passwords, of which 625 million passwords had never previously appeared in the Pwned Passwords database.
This was not a single company breach. Synthient was a threat intelligence aggregation — compiled from stealer logs, credential stuffing lists, and multiple prior breaches — assembled into a single searchable dataset used by attackers to automate login attempts at scale.
What are stealer logs and credential stuffing lists?
Stealer logs are files created by infostealer malware running on infected devices. They capture every password saved in a browser, plus session cookies and autofill data. Credential stuffing lists are compiled collections of email/password pairs tested against multiple websites automatically.
Both feed into large aggregated datasets like Synthient. The Synthient corpus specifically was used to test credentials against online services at massive scale — 26 billion attempts per month globally according to Fortinet 2025 data.
What to do if your email appears
- Change the password for every account that uses that email address — starting with work accounts
- Ensure every account has a unique password (use a password manager)
- Enable MFA on every account that supports it
- Contact [email protected] if your work email appears in any breach database
What "appearing in HIBP" actually means
Finding your email in HIBP does not mean your account has been actively hacked right now. It means your email and an associated password appeared in a breach dataset at some point. The risk is: if you still use that password anywhere, attackers may be testing it against your accounts. The fix is simple — change the affected password.