Massive Leak Exposes Billions of Stolen Email Addresses and Passwords Online

NEW YORK — November 30, 2025 — A vast trove of stolen login credentials, including 2 billion unique email addresses and 1.3 billion unique passwords, has been discovered online, marking one of the largest exposures of its kind, according to cybersecurity experts.

The data was uncovered by Synthient, a threat intelligence firm that combed through both the open and dark web to identify leaked credentials. Unlike a single breach, this collection is an aggregation of information from hundreds of sources, including old breaches and recent thefts caused by malware on infected devices.

Benjamin Brundage, founder of Synthient, compiled the dataset by gathering stolen logins from numerous hidden sources across the internet. The firm partnered with Troy Hunt, a security researcher known for running the website Have I Been Pwned, to verify the authenticity and novelty of the data. Hunt confirmed that the dataset contains previously undisclosed stolen credentials, including some that had never appeared in earlier breaches.

Credential stuffing attacks, where hackers use stolen login details to gain unauthorized access to multiple accounts, are a primary concern stemming from this exposure. The stolen credentials are often repurposed from old breaches, but this new dataset also includes fresh information obtained through malware.

Users are advised to check if their email addresses appear in the leak by visiting Have I Been Pwned, which has incorporated the new dataset. If an email is found in the database, immediate action is recommended.

Cybersecurity experts urge individuals to change any exposed passwords without delay. It is critical to create strong, unique passwords for each account to prevent unauthorized access. Leaving compromised passwords unchanged increases the risk of account takeover by cybercriminals.

This incident highlights the ongoing risks posed by credential theft and the importance of proactive security measures to protect personal and professional online accounts.