23 Billion Records, 183M Credentials Added to HIBP

Researchers uncovered a 3.5‑terabyte trove — about 23 billion records representing roughly 183 million unique email‑password pairs — and the dataset was added to Have I Been Pwned for checking. Trackers including Synthient say the collection was aggregated from infostealer malware logs and other harvesters such as phishing campaigns, fake downloads and malicious browser extensions, with much of the material recycled from older breaches and about 16.4 million pairs newly observed. Analysts stressed the cache reflects credential harvesting rather than a direct compromise of Google’s servers, and Google said reports of a new “Gmail breach” were incorrect. Because many passwords are in plaintext or reused, experts warned the dataset is highly valuable for credential‑stuffing, account takeover and identity‑theft campaigns. Researchers and authorities urged people to check Have I Been Pwned, immediately change exposed or reused passwords, enable two‑step verification or passkeys, improve device hygiene, and monitor for further exposure.