Troy Hunt, the Australian web security consultant known for creating (and running) the free service Have I Been Pwned (HIBP, a service that lets people verify whether their personal information has been exposed in a data breach), has announced the indexing of a huge amount of data on the portal.

The dataset, named “Synthient Credential Stuffing Threat Data”, includes a staggering number of compromised credentials: approximately two billion email addresses and over a billion passwords (of which 625 million had never been seen before by the service). Let’s find out more details and what you can do to protect yourself.

Index:

  • HIBP indexed a huge set of compromised credentials
    • Where does this data come from?
    • Among the data also “strong” passwords
    • The breach does not come from Gmail
  • What can users do to protect themselves?

HIBP indexed a huge set of compromised credentials

As mentioned at the beginning, over two billion email addresses and over a billion passwords were indexed on the Have I Been Pwned platform (which for convenience we will call HIBP from now on), the largest dataset ever processed by the platform (three times larger than the previous “record”).

The processing was time-consuming and expensive: HIBP had to carry out complex optimisation of its SQL Server indexes and push its cloud resources to the maximum for nearly two weeks. However, this processing did not block the rest of the services offered by the platform, which provides notifications to over 5.9 million subscribers (of which 2.9 million were present in the breach just indexed).

Where does this data come from?

The data in the “Synthient Credential Stuffing Threat Data” set comes from:

  • Credential stuffing lists – a type of automated cyber attack in which attackers use bots to continually attempt to log in to a website with credentials purchased on the Dark Web, taking advantage of the fact that many users tend to reuse the same password across multiple accounts.
  • Malware stealer logs – data packets that contain sensitive information (such as login credentials, financial data, system information, and other sensitive data) stolen from infected devices via malware.

Among the data also “strong” passwords

Before disclosing this enormous indexing on the HIBP platform, which includes a lot of data not previously present, the consultant conducted some checks with credentials that directly concerned him: for example, Hunt found his old e-mail address and a password associated with it but, fortunately, it was a very old password.

Extending his testing to his subscribers, Hunt later discovered that the indexed data included: old passwords (even from 10 or 20 years ago); active and critical passwords (old ones that users were still using, even if only on some of the accounts tied to the same email); and strong passwords (ones that met common complexity criteria, for example 8 characters with uppercase, lowercase, numbers and special characters).

The breach does not come from Gmail

To avoid the spread of false news, the consultant wanted to clarify that this data breach is in no way a security flaw in Google or Gmail: the dataset indexed on HIBP contains 32 million different email domains (with the largest of them accounting for 394 million unique addresses).

This means that 80% of the indexed data has nothing to do with Gmail, and that the remaining 20% is the result of malware infections suffered by the various victims; Google and its security have nothing to do with it.

What can users do to protect themselves?

One of the most dangerous aspects of this HIBP-indexed dataset is that users tend to use the same password across multiple platforms.

Data from a breach can be used (by anyone who comes into illegitimate possession of it) to access completely unrelated accounts of the same person, such as e-commerce accounts, social network accounts or other email addresses.

All compromised email addresses and passwords are now searchable on the platform (via this search page). You can therefore check for yourself whether or not your credentials have been exposed.
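HIBP also exposes the password side of its data through the documented Pwned Passwords “range” API, which uses k-anonymity: the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 locally, so the password itself never leaves the machine. The following is an added example (not code from HIBP or from the article) showing that check; the sample response body is constructed for illustration and the count in it is made up.

```python
import hashlib
import urllib.request

# Documented HIBP Pwned Passwords k-anonymity endpoint: the client sends only the
# first five hex characters of the SHA-1 and matches the rest locally.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) for one prefix and
    return how often the suffix was seen in breaches (0 if absent)."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count_from_body(password: str, body: str) -> int:
    """Offline variant: `body` must be the range response for this password's prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, body)


def breach_count_online(password: str, timeout: float = 10.0) -> int:
    """Live check against HIBP; only the 5-char prefix is transmitted."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range_response(suffix, resp.read().decode("utf-8"))


# Constructed sample response for prefix 5BAA6 (not real HIBP data); the
# middle line is the real SHA-1 suffix of "password" with a made-up count.
SAMPLE_BODY_5BAA6 = """1D2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
2A9F0E1D3C5B7A9F1E3D5C7B9A1F3E5D7C9:1
"""

if __name__ == "__main__":
    hits = breach_count_from_body("password", SAMPLE_BODY_5BAA6)
    print(f"'password' seen {hits} times in the constructed sample")
```

A non-zero count means that exact password is in HIBP’s corpus and should be retired everywhere it is used, regardless of how complex it looks.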

We close by underlining the importance of two measures: change passwords often and use a different password for each account. To do even better, you can use a password manager, tasking it with generating unique, secure passwords for each account, switch to passkeys, and enable multi-factor authentication wherever it is available.