Huge password breach exposes billions of stolen credentials online

If you haven’t verified your credentials recently, now is a good time.

There are 1.3 billion unique passwords and 2 billion unique email addresses on the Internet. This event is one of the largest revelations of stolen logins we have seen.

This is not the result of one major violation. Instead, Synthient, a threat intelligence company, searched the open and dark web for malware. Leaked credentials. You may remember the company from its previous discovery of 183 million exposed email accounts. This time, the scope is much larger.

Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – for free when you join my site CYBERGUY.COM Newsletter.

Revealing the most used password in America in 2025

Synthient has uncovered a huge collection of stolen passwords and email addresses pulled from the open and dark web. (Kurt “CyberGuy” Knutson)

Where did this huge treasure come from?

Most of the data comes from credential stuffing lists. Criminals pull these lists from old breaches and use them in new attacks. Syntheent went further. Its founder, Benjamin Brundage, collected stolen logins from hundreds of hidden sources across the web.

The data includes old passwords from Past violations And new passwords stolen through malware that steals information on infected devices. Synthient has partnered with security researcher Troy Hunt, who runs the company Have you been Pwned. He verified the data set and confirmed that it contained new exposures.

To test the data, Hunt started using one of his old email addresses. He already knew that he had been added to previous credential stuffing lists. When he found it in the new batch, he reached out to trusted Have I Been Pwned users to confirm the results. Some of them had not appeared in breaches before, proving that this leak included new stolen logins.

183 million email passwords leaked: Check it now

Hackers use these stolen logins to launch credential stuffing attacks that target accounts across multiple sites. (Istock)

How to check if your passwords are stolen

To see if your email has been affected,

• Visit Have you been Pwned. This is the first and official source for the newly added dataset.
• Enter your email address to see if your information appeared in the leak.
• When finished, Return here for Step 1 below.

What really happens on the dark web, and how to stay safe

Verification tests showed that the data set contained new stolen credentials that had never appeared in previous breaches. (Kurt “CyberGuy” Knutson)

How to protect yourself after this massive credential leak

These simple actions quickly harden your accounts and help you outsmart criminals who rely on stolen passwords.

1) Change any exposed passwords immediately

Never leave a known leaked password lying around. Change it instantly on every site you used it on. Create a new login that’s strong, unique, and doesn’t look like your old login. This step cuts off criminals who already have your stolen credentials.

2) Stop reusing passwords across websites

Avoid reusing passwords across sites. Once hackers have a valid email and password pair, they try it on other services. This attack method, called credential stuffing, is still successful because many people reuse the same login information. One stolen password shouldn’t unlock every account you own.

3) Use a strong password manager

A powerful password manager can create new secure logins for your accounts. It creates long and complex passwords that you don’t have to memorize. It also stores them securely so you can log in quickly without taking risky shortcuts. Many password managers also scan for breaches to see if your existing passwords have been compromised.

Next, check if your email has been exposed in previous breaches. Our #1 password manager (see Cyberguy.com) Choice includes a built-in penetration scanner that checks if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com

4) Turn on two-factor authentication

Even the strongest password can be cracked. Two-factor authentication Adds a second step when logging in. You can enter a code from the authenticator app or tap a physical security key. This additional layer prevents attackers who try to access your account using stolen passwords.

5) Protect your devices from malware and install powerful antivirus software

Hackers often steal passwords by infecting your devices. Information-stealing malware hides inside phishing emails and fake downloads. Once installed, it pulls passwords directly from your browser and apps. Protect your phones and computers with powerful antivirus software. It can detect information-stealing malware and block it before it drains your accounts. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for Windows, Mac, Android, and iOS at Cyberguy.com

6) Consider switching to passkeys when possible

If you want better protection, start using Pass keys On the services that support them. Passkeys use encryption keys instead of text passwords. Criminals cannot guess or reuse them. It also stops many phishing attacks because it only works on trusted sites. Think of passkeys as a secure digital lock on your most important accounts.

7) Use a data removal service

Data brokers collect and sell your personal data, which criminals can combine with stolen passwords. A reliable data removal service can help you find and remove your information from people search sites. Reducing your exposed data makes it harder for attackers to target you with disguised scams and account takeovers.

Although no service can guarantee complete removal, it significantly reduces your digital footprint, making it difficult for fraudsters to compare leaked credentials with public data to impersonate or target you. These services monitor your personal information and automatically remove it over time, which gives me peace of mind in today’s threat landscape.

Check out my top picks for data removal services and get a free check to see if your personal information really exists on the web by visiting Cyberguy.com

Get a free check to see if your personal information is already on the web: Cyberguy.com

8) Review your security often

Security is not a one-time task. Check your passwords on a regular schedule and update old logins before they become a problem. Review accounts that have two-factor authentication turned on and add them where you can. By staying proactive, you can stay one step ahead of hackers and limit the damage from future leaks.

Click here to download the FOX NEWS app

Key takeaways for Kurt

Massive leaks like this highlight how fragile digital security is. Even when best practices are followed, your information can still fall into the hands of criminals through legacy breaches, malware, or third-party exposure. Taking a proactive approach puts you in a stronger position. Regular scans, secure passwords, and strong authentication give you real-time protection.

With billions of stolen passwords, do you feel ready to verify your passwords and tighten your account security today? Let us know by writing to us at Cyberguy.com

Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – for free when you join my site CYBERGUY.COM Newsletter.

Copyright 2025 CyberGuy.com. All rights reserved.