Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Two new Have I Been Pwned datasets added with millions of accounts.
- Emails and passwords exposed in recent data breaches.
- Check if your info was leaked and learn what to do next.
Cybersecurity expert Troy Hunt has added two new sets of compromised account records to the Have I Been Pwned database, including a massive dataset of 183 million accounts.
What is Have I Been Pwned?
Have I Been Pwned (HIBP) is a data breach “search engine” that allows anyone to submit their email address to see if any links to a data breach are publicly known.
Also: AT&T customer? Claim up to $7,500 from $177M data breach settlement — don’t miss the new deadline
HIBP is a free service that can give you an overview of whether or not it is likely your online accounts have been “pwned,” or compromised, in a data breach. Once you’ve submitted your email address for review, you are told how many data breaches, if any, your information has been leaked in. A timeline will show when the data breach occurred, along with a useful summary of the stolen or dumped data.
Also: I’m ditching passwords for passkeys for one reason – and it’s not what you think
You can also use the HIBP side service, Pwned Passwords, to see if a password you commonly use is linked to exposed datasets.
You can’t use the service to view stolen or leaked data. Instead, HIBP gives you an overview of compromised data. At the time of writing, 917 breaches have been added to the service, which now brings its count to 15.32 billion accounts.
What information is included in these datasets?
According to the Have I Been Pwned updates, the first set includes 183 million records. Data was uploaded to HIBP on Oct. 21 with the assistance of Synthient, a threat intelligence service that shared the data with Hunt. In total, 183 million unique email addresses, the websites they were used on, and the passwords they were associated with were included.
Also: 7 password rules security experts live by in 2025 – the last one might surprise you
The second addition is smaller at 3.9 million accounts. Added to HIBP on Oct. 27, this data breach relates to MyVidster, a video-sharing website that closed earlier this year and was reportedly used to bookmark and share pornography. Email addresses, usernames, and profile pictures were leaked on a public hacking forum.
Why does this dataset matter?
Synthient’s contribution to HIBP is particularly interesting considering its sources. The data was aggregated while researcher Benjamin Brundage was exploring the stealer log ecosystem, in which website addresses, email addresses, and passwords are captured by information-stealing malware loaded onto victim devices.
After crawling sources including Telegram, social media websites, and forums, 3.5TB of information was collected — or 23 billion rows of data.
Also: How I easily set up passkeys through my password manager – and why you should too
It’s often the case that these types of logs are reposted and recycled, and so Hunt worked with the researcher to check if any of the logs were already loaded into HIBP. In total, 92% of the dataset was preexisting, but this still left 183 million unique email addresses and 16.4 million previously unseen email addresses across both HIBP and infostealer logs. This highlights that just because data has been dumped online, it doesn’t mean that it does not contain valid credentials that risk our online accounts.
Credential-stuffing lists were also in the Synthient dataset, which could be used in automated attacks against organizations. This dataset will be added in the near future once its accuracy is established.
Also: A whopping 94% of leaked passwords are not unique – will you people ever learn?
“The truth is that, unlike a single data breach such as Ashley Madison, Dropbox, or the many other hundreds already in HIBP, stealer logs are more of a firehose of data that’s just constantly spewing personal info all over the place,” Hunt noted. “The data itself is still on point, but I’d like to see HIBP better reflect that firehose analogy and provide a constant stream of new data. Until then, Synthient’s Threat Data will still sit in HIBP and be searchable in all the usual ways.”
How do I know if I am involved in this collection?
The first step to take is to visit Have I Been Pwned and submit your email address. You will then be able to see what data breaches you are connected to, including Synthient’s dataset.
Also: Why multi-factor authentication is absolutely essential in 2025
If you find that your email address has been exposed, ensure you immediately change any password associated with it. You might also want to reduce your risk by deleting any online accounts you no longer use.
This latest update also brings home the lesson that you shouldn’t reuse passwords across your online services. Of course, it is difficult to remember unique, complex passwords, but that’s where a password manager can help you out.
Get the morning’s top stories in your inbox each day with our Tech Today newsletter.
Source: Robotics - zdnet.com
