Researchers publish aggregated infostealer data that exposed 183 Million email accounts and passwords
Take action: Time to go to haveibeenpwned.com and check if your email addresses are listed in this latest update. If they are there and the listing is not something you have already secured, change the password on every account using that email address right away. Use unique passwords for each site and enable two-factor authentication everywhere possible.
Learn More
During 2025, cybersecurity firm Synthient aggregated billions of records of threat data from various internet sources, ultimately identifying 183 million unique email addresses alongside the websites they were entered into and the passwords used.
The data was added to Have I Been Pwned (HIBP) on October 21, 2025.
The stolen data was gathered by Benjamin Brundage, a college student who works with cybersecurity company Synthient LLC in Seattle. The Synthient dataset comprises more than 3.5 terabytes of threat data containing 23 billion rows of information, derived from infostealer malware infections and credential stuffing lists.
Infostealers are Trojans installed on victims' computers or smartphones—often they end up there because the owners have installed supposedly cracked software, or because malware introduced through security vulnerabilities in the software used has managed to establish itself. They eavesdrop when victims log into services and send the credentials to their command-and-control servers.
Often, the data then ends up in publicly accessible cloud storage or in Telegram channels, where other criminals collect and reassemble it, as well as compare and merge it with data from older leaks.
Synthient monitored multiple sources including Telegram, which served as one of the primary data drivers within the stealer log ecosystem and contributed millions of unique credentials at its peak within a single day, as well as forums that included file-sharing links containing combolists, stealer logs, and database dumps.
The exposed information includes:
- Email addresses
- Passwords (in plaintext)
- Website addresses where credentials were entered
- Login credentials captured during active sessions
Because the information was stolen from infected computers, cybercriminals might also have obtained active session cookies (which let them log in without a password), credit card details (any bank or credit card numbers saved in web browsers), and cryptocurrency wallet information (logins and keys for digital currency wallets).
The breach affects 183 million unique email accounts. The majority of email addresses in the Synthient dataset had previously appeared in other breaches, approximately 16.4 million addresses were completely new to HIBP.
This means that 16.4 million individuals are learning about their credential compromise for the first time through this disclosure.
Individuals should check their email addresses on the Have I Been Pwned website to see if their credentials were compromised. If they are listed, they should change passwords immediately on all accounts associated with breached email addresses, use unique, complex passwords for each online account, not recycle passwords and activate two-factor authentication (2FA) on all accounts that support it.
Update - As of 27th of October, due to many portals claiming this is a Google breach, Google responded publicly: “Reports of a Gmail security ‘breach’ impacting millions of users are entirely inaccurate and incorrect. They stem from a misreading of ongoing updates to credential theft databases, known as infostealer activity, whereby attackers employ various tools to harvest credentials versus a single, specific attack aimed at any one person, tool or platform.”
“We encourage users to follow best practices to protect themselves from credential theft, such as turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are exposed in large batches like this.”
