16 million credentials that have never been seen before
In the quiet accumulation of years of digital carelessness and corporate vulnerabilities, a single researcher has gathered what may be the largest known collection of stolen human identities online — 183 million email addresses, each one a door left ajar. Discovered and verified by the security community, this repository reminds us that the past does not stay buried in the digital world: credentials we thought forgotten resurface, and the consequences of old exposures arrive on new doorsteps. For millions of people who believed themselves untouched, the unsettling truth is that their private keys may already be in someone else's hands.
- A cybersecurity researcher has assembled 3.5 terabytes of stolen login credentials — 183 million email and password pairs — into a single, searchable database now circulating openly on the internet.
- Over 16 million of those credentials have never appeared in any previously documented breach, meaning millions of people face exposure they had no way to anticipate or prepare for.
- Verified by prominent security researcher Troy Hunt, whose own followers confirmed recognizing their real passwords and visited websites within the data, the database's authenticity is not in doubt.
- The database has been uploaded to Have I Been Pwned, giving anyone the ability to check in seconds whether their email address — and by extension their accounts — has been compromised.
- Security experts urge immediate password changes for any affected accounts, and warn that credential-stuffing attacks against live services may already be underway as the data spreads.
A cybersecurity researcher known as Synthient has compiled what may be the single largest repository of stolen login credentials ever assembled: 183 million email addresses, each paired with associated websites and passwords, totaling 3.5 terabytes of data drawn from breaches spanning years and countless organizations.
While roughly 91 percent of the credentials had already been documented in prior incidents, the remaining 9 percent — some 16.47 million combinations — had never surfaced in any publicly known breach. For those individuals, this represents entirely new exposure. Troy Hunt, operator of the breach-tracking service Have I Been Pwned, examined the database and reached out to followers to verify it. Their responses were confirming: one recognized a password they had genuinely used with Gmail; another identified websites they regularly visited. The data is real.
The consequences are immediate and concrete. Anyone whose email appears among the 183 million has had both their credentials and their associated services exposed to whoever holds — or purchases — this database. The window for misuse grows with every day those credentials remain unchanged.
Hunt and Synthient have made the full database searchable through Have I Been Pwned, where users can enter their email address and learn within seconds whether they are affected and which breach exposed them. The recommended response is unglamorous but urgent: change passwords for any compromised accounts immediately, and address every other service where the same password was reused. The database is now public knowledge, accessible not only to researchers but to anyone with malicious intent — and the clock is running.
A cybersecurity researcher named Synthient has assembled what may be the largest single repository of stolen login credentials ever compiled—183 million email addresses, each paired with the websites they were used on and the passwords themselves. The sheer scale of the collection is difficult to grasp: 3.5 terabytes of data, accumulated from breaches scattered across years and organizations. Most of it is old news. Security researchers have already catalogued roughly 91 percent of these credentials from previous incidents. But that remaining 9 percent—roughly 16.47 million email and password combinations—represents something genuinely new: credentials that have never surfaced in any publicly documented breach before.
Troy Hunt, a well-known security researcher and operator of the breach-tracking site Have I Been Pwned, examined the database and reached out to some of his followers to verify its authenticity. The responses came back confirming. One user found a password they had actually used with Gmail. Another spotted websites they regularly visited. There's no indication the database is fabricated or unreliable. These are real credentials from real accounts, and they're circulating freely on the internet.
The implications are straightforward and unsettling. If your email address is among the 183 million, someone out there has both your login credentials and knowledge of which services you use them on. Even if your account hasn't been breached before—even if you thought you were careful—there's a 1-in-11 chance you're in this new batch of 16 million previously unknown exposures. The attackers holding this data could attempt to log into your accounts directly, or sell the information to others who will.
Hunt and Synthient have uploaded the entire database to Have I Been Pwned, the free service that lets you enter your email address and check whether it appears in any known breach. The process takes seconds. You type in your email. The site searches its records. If you're in the database, you'll see it listed along with which breach exposed you and what information was compromised. It's a straightforward way to find out if you're affected.
The practical response is equally straightforward, though tedious. If your email shows up in this database or any other, the safest move is to change the password for that account immediately. If you used the same password across multiple services—a common mistake—you should change it everywhere. The longer those credentials sit in the wild, the greater the window for someone to use them. The database itself is now public knowledge, which means not just security researchers but anyone with malicious intent can access it and begin testing credentials against live accounts.
Citações Notáveis
Troy Hunt verified the database's authenticity by having users confirm they found their actual passwords and websites they use— Security researcher Troy Hunt
A Conversa do Hearth Outra perspectiva sobre a história
So 183 million email addresses with passwords just sitting in one place—how does something like this even happen? Is this one breach, or a collection?
It's a collection. Synthient pulled credentials from breaches across the internet, going back years. Different companies, different incidents. The researcher basically assembled them into one searchable database.
And 16 million of those are brand new? Never been seen before?
Right. That's the alarming part. Most of the data is old hat—security researchers have already documented it. But 9 percent of 183 million is a lot of credentials that have never been publicly reported. People might not even know they're exposed.
How do we know it's real?
Troy Hunt, who runs Have I Been Pwned, verified it by asking users to check. They found their actual passwords in there, websites they actually use. It's real.
What's the actual risk here? If someone has my email and password, what can they do?
They can try to log into your accounts directly. Or sell the information to someone else who will. The longer it's out there, the more time attackers have to use it.
So what do I do right now?
Check Have I Been Pwned with your email address. If you're in the database, change your password immediately. And if you used that password anywhere else, change it there too.