"The Mother of All Network Leaks": 1.3 BILLION passwords exposed online – here's how to check if yours has been stolen - Gazeta Express

AutoTech

Express newspaper

19/11/2025 20:56


A gigantic database of 1.3 billion passwords and nearly 2 billion email addresses has been discovered and distributed online, becoming one of the largest data leaks ever recorded.

Cybersecurity service Have I Been Pwned (HIBP), which notifies users if their data has been compromised, has processed this dataset consisting of stolen credentials published on various forums by hackers.

HIBP CEO Troy Hunt – who admitted that his password was also on the list – stated:

"This collection is nearly three times larger than any other leak we've ever uploaded."

What does the database contain?

  • 1,957,476,021 unique email addresses
  • 1.3 billion unique passwords
  • 625 million passwords that HIBP had never seen before

With more than 5.5 billion internet users in the world, experts warn that everyone should change their passwords as soon as possible.

The dataset combines old leaks with “credential-stuffing lists” – lists that hackers use to try stolen passwords on hundreds of different sites, hoping that users recycle the same password.

How serious is the risk?

HIBP verified the authenticity of the data by testing real credentials. Many passwords were old, but a significant portion were still in use, increasing the risk of successful attacks.

Hunt said the headline "2 billion email addresses exposed" is no exaggeration:

“It's the largest corpus of data we've ever processed.”

How to check if your password or email has been compromised?

HIBP offers two services:

Have I Been Pwned – check your email

Enter your email address to see if it was involved in a data leak.

Pwned Passwords – check your password

This service lets you check a password without linking it to an email address, preserving privacy.

Experts sound the alarm: Change passwords immediately

Top tips:

  • Use a secure password manager.
  • Create strong and unique passwords for each account.
  • Enable two-factor authentication (2FA/MFA), especially for email and administrative accounts.

What should organizations do?

For businesses, the risk is even greater. Recommended measures:

  • Establishing a zero-trust approach
  • Implementing a least-privilege policy
  • Enabling MFA across all services
  • Continuous monitoring for exposed credentials
  • Automated systems that stop credential-stuffing attacks
  • Auditing privileges and removing old accounts

A single leaked password can give access to:

  • internal systems,
  • corporate emails,
  • and a company's sensitive data.

Technical challenge: processing 2 billion records

HIBP optimized its Azure SQL infrastructure to handle the new corpus along with the existing 15 billion records. Data was hashed and loaded in batches, while notifications to users were sent out in a controlled manner to avoid server congestion.

The main message for users: Passwords are no longer enough.

The increase in cyber attacks shows that security must rely on:

  • strong passwords,
  • additional verification (2FA/MFA),
  • and continuous monitoring of exposures. /GazetaExpress/
