Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.

  • Wispy2891@lemmy.world · 22 upvotes · 5 months ago

    Let’s make a master list of all the emails leaked with their passwords, what could go wrong?

      • Wispy2891@lemmy.world · 23 upvotes · 5 months ago

        It’s exactly how it worked. A company called Synthient made a master list with all the leaked emails + all leaked passwords. Then they were hacked and it leaked.

        • ChogChog@lemmy.world · 20 upvotes · 5 months ago

          Synthient wasn’t hacked; as a security company, they aggregated tons of stealer logs dumped to social media, Telegram, etc.

          They found 8% of the data collected was not in the HIBP database, and confirmed with some of the legitimate owners that the data was real.

          They then took that research and shared it with HIBP which is the correct thing to do.

          I was also thrown off by the title they gave it when I first saw it; a security company being hacked would be a terrible look. But they explain it in the article. Should probably have named it “list aggregation” or something.

          • Wispy2891@lemmy.world · 2 upvotes · 5 months ago

            So why does HIBP call them a data breach??? Ultra misleading, almost defamation; everyone, including me, only reads the headlines.

  • floofloof@lemmy.ca · 21 upvotes · 5 months ago

    The thing about this one is no one seems sure of the source (it appears to be from multiple sources, including infostealer malware and phishing attacks), so you don’t know which passwords to change. To be safe you’d have to do all of them.

    Some password managers (e.g. Bitwarden) offer an automatic check for whether your actual passwords have been seen in these hack databases, which is a bit more practical than changing hundreds of passwords just in case.

    And of course don’t reuse passwords. If you have access to an email masking service you can not only use a different password for every site, but also a different email address. Then hackers can’t even easily connect that it’s your account on different sites.

    • AlpacaChariot@lemmy.world · 6 upvotes · 5 months ago

      How do they do that without sending your actual passwords somewhere off your device, or downloading the full list of hacked passwords?

      • JcbAzPx@lemmy.world · 13 upvotes · 5 months ago

        They probably hash the list of hacked passwords the same way your passwords get hashed and check for matches.

      • Max@lemmy.world · 13 upvotes · 5 months ago

        More details about the k-anonymity process: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/

        The short answer is that they download a partial list of passwords that hash to values starting with the same 5 characters as yours and then check if your password hash is in that list locally. This gives the server very little information about your password if it was not breached and more if it was (but then you should change it anyway), making an elegant compromise.

      • Scrollone@feddit.it · 5 upvotes · 5 months ago

        They connect to the Have I Been Pwned database in a secure way.

        They make a hash of your password and send just the first characters.
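The range check that Max and Scrollone describe, as an added example that is not part of the thread or of any password manager's code: the client hashes the password locally, sends only the first 5 hex characters of the SHA-1, receives every suffix in that bucket, and does the comparison on its own side. The server here is a constructed stand-in holding a handful of made-up breached passwords and counts, so it runs offline; the `SUFFIX:COUNT` line format mirrors the Pwned Passwords range API, but nothing below talks to the real service.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (the real service holds
# billions of entries). Occurrence counts are made up.
BREACHED_CORPUS = {
    "password": 9_000_000,
    "123456": 38_000_000,
    "qwerty": 4_000_000,
    "letmein": 250_000,
}

PREFIX_LEN = 5  # the range lookup keys on the first 5 hex chars of the SHA-1


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Client side: the prefix is the only thing that leaves the device."""
    h = sha1_upper(password)
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


def build_index(corpus: dict[str, int]) -> dict[str, list[tuple[str, int]]]:
    """Server side: bucket every breached hash by its 5-char prefix."""
    index: dict[str, list[tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        index.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))
    return index


def range_query(index: dict[str, list[tuple[str, int]]], prefix: str) -> list[str]:
    """Server side: answer a prefix with every 'SUFFIX:COUNT' line in that
    bucket. The server never learns which suffix (if any) the client holds."""
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, []))]


def check_password(password: str, index: dict[str, list[tuple[str, int]]]) -> int:
    """Client side: fetch the bucket for our prefix and compare suffixes
    locally. Returns the breach count, or 0 if the password is not listed."""
    prefix, suffix = split_hash(password)
    for line in range_query(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_index(BREACHED_CORPUS)
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: server saw prefix {prefix}, breach count {check_password(pw, idx)}")
```

With four entries the buckets hold one hash each, so the "k" in k-anonymity is tiny; against a corpus of hundreds of millions of hashes each 5-character prefix covers hundreds of candidates, which is what makes the prefix alone nearly useless to the server.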

    • tomkatt@lemmy.world · 1 upvote · 5 months ago

      I use utterly unique and very long passphrases for the most important stuff (banking, mortgage servicing, email, etc.), 2FA for those and most other things, and just throwaway crap passwords for things I don’t care about (web forums and most everything else).

    • Taleya@aussie.zone · 6 upvotes · 5 months ago

      I’ve been “pwned” four times.

      None of them due to my end. Every single fucker was piss-poor company security.

  • RememberTheApollo_@lemmy.world · 10 upvotes · 5 months ago

    Comprised of email addresses and passwords from previous data breaches,

    So these are previously “hacked” data, and now the aggregator has been hacked?

    • sicktriple@lemmy.ml · 2 upvotes · 5 months ago

      The aggregator wasn’t hacked; they essentially hacked the hackers and put together this list. This ain’t a data breach per se, it’s just putting together a bunch of past breaches and patching it up to HIBP.

  • Taasz/Woof · 9 upvotes · 5 months ago

    Yeah, gotta make sure you never use the same password in multiple places; use a password manager.

  • Anas@lemmy.world · 5 upvotes · edited · 5 months ago

    Apparently my email was included in this breach, but none of the passwords I used with it were (before I started using randomly generated ones).

  • Bwaz@lemmy.world · 4 upvotes · 5 months ago

    Possibly related question. Lately I’ve been getting email ‘replies’ from various businesses and services (all over the country, USA) all about an ‘inquiry’ that I never made. Apparently someone just got my email address and is using that for what? A couple of questions:

    • What is that someone up to? Why do that?

    • Should I do something about that?

    • What could I do? Don’t want to change email address.

    • purplemonkeymad@programming.dev · 1 upvote · 5 months ago

      Probably unrelated; domain spoofing is common, but misconfigured mail servers will accept those emails and process auto-replies. They can also abuse input forms to try and send out emails, but that typically does not give much control over content.

      If you are getting more emails than you can deal with, that can be used to try and mask other emails by burying them in a large email volume. In that case you should be looking for emails from important accounts you do own (e.g. banking).
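The spoofing purplemonkeymad mentions works because many receivers will accept mail with a forged From: address unless the domain's published SPF and DMARC records tell them to reject it. For anyone who operates a mail domain (a personal address at a big provider is out of your hands), the check is whether those records are strict. Below is an added example, not from the thread, that grades constructed SPF/DMARC records; the domain names and records are made up, and the code parses strings you hand it rather than querying DNS.

```python
def spf_all_qualifier(spf: str):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?'),
    or None if the record is not SPF or has no 'all' term."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "+"  # a bare 'all' is shorthand for '+all'
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            return t[0]
    return None


def dmarc_policy(dmarc: str):
    """Return the DMARC 'p' tag ('none', 'quarantine', 'reject') or None."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    p = tags.get("p", "").lower()
    return p if p in ("none", "quarantine", "reject") else None


def spoofing_exposure(spf: str, dmarc: str):
    """Classify how much a domain's published policy does to stop simple
    From:-header forgery at receivers that honour SPF and DMARC.
    Returns (level, findings) where level is 'low', 'medium' or 'high'."""
    findings = []
    q = spf_all_qualifier(spf)
    if q is None:
        findings.append("no usable SPF record (or no 'all' mechanism)")
    elif q in ("+", "?"):
        findings.append(f"SPF '{q}all' lets any host pass")
    elif q == "~":
        findings.append("SPF '~all' only soft-fails forged mail")

    p = dmarc_policy(dmarc)
    if p is None:
        findings.append("no usable DMARC record")
        level = "high"
    elif p == "none":
        findings.append("DMARC p=none is monitor-only; forged mail is still delivered")
        level = "high"
    elif p == "quarantine":
        level = "medium"
    else:
        level = "low"  # p=reject: receivers are told to drop failing mail
    return level, findings


# Constructed records for two hypothetical domains (not real DNS data).
STRICT_DOMAIN = ("v=spf1 include:_spf.mail.example -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.test")
LAX_DOMAIN = ("v=spf1 ip4:192.0.2.0/24 ~all",
              "v=DMARC1; p=none")

if __name__ == "__main__":
    for name, records in (("strict", STRICT_DOMAIN), ("lax", LAX_DOMAIN)):
        level, findings = spoofing_exposure(*records)
        print(f"{name}: exposure {level}; findings: {findings or 'none'}")
```

A DMARC `p=reject` with aligned SPF or DKIM is what stops the forged-From auto-reply loop at well-behaved receivers; `p=none` publishes a record but changes nothing about delivery, which is the case that the comment's "misconfigured" servers end up accepting.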

    • Ex Nummis@lemmy.world (OP) · 1 upvote · 5 months ago

      That’s just your email address being sold by information brokers. Not illegal, not a reason to change your email address. Block, delete & move on.

  • ThisIsMyLemmyLogin@lemmy.world · 3 upvotes · 5 months ago

    I got this email a few days ago. I don’t even know who these people are and why they have my details. But I’ve had to change my Google account passwords anyway.

    • renrenPDX@lemmy.dbzer0.com · 5 upvotes · 5 months ago

      The breach occurred in April 2025.

      During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords. Working to turn breached data into awareness, Synthient partnered with HIBP to help victims of cybercrime understand their exposure.

      This was added to Have I Been Pwned on Nov 6