This breached credentials dump has millions of actively used passwords

By Arol Wright
Summary

  • Massive dump: ~2B emails and 1.3B unique passwords compiled from many breaches and logs.
  • Many exposed passwords are still active; immediate password changes are essential to avoid account takeover.
  • Check Have I Been Pwned now and use a password manager; stop reusing passwords across sites.

Breaches are always bad, but we often don't find out about many of the smaller breaches, which aren't advertised much and can be just as bad—especially if you're the kind of person to use the same password everywhere. If you need yet another reminder that this is bad practice, this breached credentials dump is just what you need.

Almost 2 billion email addresses and 1.3 billion unique passwords have been uploaded to Have I Been Pwned, a database that allows users to tell whether their email address has cropped up in a data leak. This data was compiled by Synthient and was erroneously reported as being a Gmail breach at first—an explainer post clarifies that there are 32 million unique email domains as part of this trove of data, and that Gmail is the most common one on account of being the biggest email provider. It's not even a single breach, either. It's a massive collection of email/password pairs from many different sources (stealer logs, other breaches). These kinds of collections are used by attackers to run "credential stuffing" attacks, trying these passwords on unrelated sites (like banking, email, or shopping) until they get a match.

In theory, this is all supposed to be old data, some of it dating back to the 1990s. So why is it important? It's notable for several reasons. When the data was corroborated with several HIBP users, it was found that some people were still using the exposed passwords on their active accounts. One user had to "immediately" make a list of active accounts to change, perfectly illustrating that these credentials are a current danger, not just a historical one.

With nearly 2 billion unique emails and 1.3 billion unique passwords, it is the "most extensive corpus" HIBP has ever processed. The sheer volume (including 625 million passwords HIBP had never seen before) dramatically increases the probability that any given person is exposed.

You should head over to HIBP's website now to see if you're part of this dump or previous dumps. And while you're at it, change those passwords and download a password manager. I can't stress the importance of a password manager enough these days.


Source: Troy Hunt
