Massive Data Set Added to Breach Database: 183 Million Credentials Exposed
October 23rd, 2025

❓ What:
A massive set of stolen credentials — ~183 million unique username/password combinations — has been added to the free breach-checking service Have I Been Pwned (HIBP).
These credentials were harvested via infostealer malware (software that secretly steals data from infected machines).
From that set, ~16.4 million email addresses had never appeared in any prior leak.
The haul reportedly spans not just passwords but potentially session cookies, saved credit-card details, and crypto-wallet info, since the malware infected endpoints and scraped broadly.
The data collection was facilitated by a group (Synthient LLC) that monitored underground trade channels, indexing huge volumes of Telegram posts and logs.
⚠️ Impact:
Individuals whose credentials are exposed now face elevated risk of account takeover, because the leak includes actual passwords, usernames, emails, and potentially session tokens.
Because many of these emails weren’t previously exposed, this is new exposure: users may be unaware they’re compromised.
If saved credit‐card/crypto wallet details were indeed stolen, the financial risk is higher (beyond just login access).
From an organizational security-posture standpoint, this reinforces that passwords alone are a weak defense and that large-scale credential trading is alive and kicking.
Trust erosion: the more widespread these leaks become, the more users might lose faith in digital systems, and the more costly mitigation becomes for businesses.
💡 Recommendations:
Check your exposure: Visit Have I Been Pwned and verify whether your email appears in the leak. If so:
Immediately change passwords on any affected accounts (and anywhere else you reused the same password).
Enable multi-factor authentication (MFA) on critical services (email, banking, cloud).
Stop password reuse: Use a secure password manager (e.g. 1Password, NordPass, Bitwarden) so each account gets a unique strong password, rather than reusing one credential across services.
Consider moving away from passwords: Use more secure modern authentication methods (e.g. passkeys, push-based authentication, hardware security keys) to reduce exposure.
Scan and clean your endpoint(s): Because the malware affected actual machines and may have harvested more than credentials (sessions, cards, wallets), run a full antivirus/anti-malware scan, check for unusual connected devices, and review and clear saved credentials in browsers.
Adopt a zero-trust mindset: On an organizational scale, assume credentials may be compromised, enforce least privilege, verify access frequently, and encrypt stored credentials and secrets.
Train end-users and encourage security best practices: Implement Privacy & Security Awareness Training for all end-users that incorporates practical online cyber hygiene and use of credentials. Enforce strong password and authentication policies for your organization.
