Troy Hunt: 2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned

  • I hate hyperbolic news headlines about data breaches, but for the "2 Billion Email Addresses" headline to be hyperbolic, it'd need to be exaggerated or overstated - and it isn't. It's rounded up from the more precise number of 1,957,476,021 unique email addresses, but other than that, it's exactly what it sounds like. Oh - and 1.3 billion unique passwords, 625 million of which we'd never seen before either. It's the most extensive corpus of data we've ever processed, by a significant margin.

    A couple of weeks ago, I wrote about the 183M unique email addresses that Synthient had indexed in their threat intelligence platform and then shared with us. I explained that this was only part of the corpus of data they'd indexed, and that it didn't include the credential stuffing records. Stealer log data is obtained by malware running on infected machines. In contrast, credential stuffing lists usually originate from other data breaches where email addresses and passwords are exposed. They're then bundled up, sold, redistributed, and ultimately used to log in to victims' accounts. Not just the accounts they were initially breached from, either, because people reuse the same password over and over again, the data from one breach is frequently usable on completely unrelated sites. A breach of a forum to comment on cats often exposes data that can then be used to log in to the victim's shopping, social media and even email accounts. In that regard, credential stuffing data becomes "the keys to the castle".

    www.troyhunt.com
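
Added example, not part of the quoted article or the thread: a defender-side check that rejects already-exposed passwords at signup or password change, the direct mitigation for the password reuse described above. It assumes the range-query (k-anonymity) model used by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the SHA-1 are sent and the response is `SUFFIX:COUNT` lines. The function names, the in-memory stand-in for the service, and the counts are constructed for illustration.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; return (5-char prefix sent out, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines of a range response, skipping malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not seen).

    fetch_range(prefix) -> response body. Only the prefix leaves this function,
    so the service never learns the password or its full hash.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def constructed_service(known):
    """Offline stand-in for the remote range endpoint (constructed data).

    Returns (fetch, seen); 'seen' records every prefix the client sent.
    """
    table = {}
    for pw, count in known.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen = []

    def fetch(prefix):
        seen.append(prefix)
        return "\r\n".join(table.get(prefix, []))

    return fetch, seen

if __name__ == "__main__":
    fetch, seen = constructed_service({"password": 1000, "hunter2": 5})
    for candidate in ("password", "hunter2", "a long unique passphrase 8841"):
        n = breach_count(candidate, fetch)
        print(f"{candidate!r}: {'reject, seen ' + str(n) + ' times' if n else 'ok'}")
    print("prefixes sent to the service:", seen)
```

In production, `fetch_range` would be an HTTPS request for the prefix; the check belongs wherever a password is set, so a value already circulating in credential stuffing lists is never accepted.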
  • Damn, that is a freaking huge breach. Thank you for the post.

    Yes, it happens more and more now.

    Here’s a breakdown of data breaches in 2025 by industry and the biggest incidents so far:


    Industry Breakdown (Jan–Jun 2025)

    • Healthcare:
      • Most targeted sector, accounting for ~30% of breaches.
      • Common attack vectors: ransomware and phishing.
      • Sensitive patient data remains the primary target.
    • Financial Services:
      • Second highest, with hundreds of incidents.
      • Credential theft and account takeover are major concerns.
    • Business & Retail:
      • Large volume of breaches, often involving third-party vendors.
      • Supply chain attacks surged, with 79 incidents impacting 690 entities.
    • Government & Education:
      • Fewer breaches compared to healthcare and finance, but still significant.
      • Often linked to outdated systems and weak security protocols.

    Biggest Breaches of 2025 So Far

    1. Healthcare Network Breach
      • Impacted millions of patient records.
      • Attack method: ransomware exploiting unpatched systems.
    2. Financial Institution Hack
      • Exposed customer banking details.
      • Attack method: credential stuffing and phishing.
    3. Supply Chain Attack
      • Affected hundreds of businesses through a compromised vendor.
      • Attack method: malicious software update.
    4. Retail Giant Breach
      • Leaked payment card data of thousands of customers.
      • Attack method: point-of-sale malware.

    📈 Trend Insight:
    The first half of 2025 saw 1,732 breaches, and projections suggest 3,000+ breaches by year-end, with healthcare and finance leading the list.
