Executive Summary
In late 2025, a massive credential stuffing incident came to light when nearly 2 billion email addresses and 1.3 billion unique passwords – sourced over years from various cybercriminal forums and compromised stealer logs – were aggregated and indexed by Synthient, then processed by Have I Been Pwned (HIBP) for user notification. The dataset included credentials from countless breaches, consolidated into one of the largest exposures of its kind to date. While the original leaks stemmed from malware infections, phishing, and prior breaches, the impact was compounded by password reuse and the easy redistribution of these records in the criminal underground. HIBP took technical and privacy-preserving steps to verify and notify affected users while preventing further risk of data linkage.
This incident illustrates the ongoing risks posed by credential stuffing and highlights the long lifecycle of exposed data as threat actors continuously recycle and combine compromised information. The event underscores the importance of password hygiene, multi-factor authentication, and proactive notification as recycled data fuels ongoing cyberattacks across industries.
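The privacy-preserving lookup mentioned above, as an added example that is not code from HIBP or from this page: a local simulation of the k-anonymity range query that the Pwned Passwords service uses to let a client test a password against a breach corpus without ever sending the password or its full hash. The client hashes the password with SHA-1, discloses only the first five hex characters, and matches the returned suffixes on its own side. The corpus and prevalence counts below are constructed for the example, and no network call is made.

```python
import hashlib
from collections import defaultdict

# Constructed toy breach corpus (password -> number of times seen). In a real
# deployment this would be the leaked credential set; these values are made up.
BREACHED_PASSWORDS = {
    "password123": 4_120_000,
    "qwerty": 3_900_000,
    "letmein": 250_000,
    "Summer2024!": 1_200,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest format the range index keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: bucket every breached hash by its 5-character prefix.

    Each bucket maps the remaining 35 hex characters (the suffix) to a prevalence count.
    """
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(index: dict, prefix: str) -> dict:
    """Server side: answer a range query with every suffix under the prefix.

    The server never learns which suffix (if any) the client is interested in.
    """
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix, {}))


def disclosed_prefix(password: str) -> str:
    """Client side: the only value that leaves the client, the 5-character hash prefix."""
    return sha1_hex(password)[:5]


def check_password(index: dict, password: str) -> int:
    """Client side: return how often the password appears in the corpus (0 if absent).

    Only the prefix is sent; the suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for pw in ("password123", "correct horse battery staple"):
        print(f"prefix sent: {disclosed_prefix(pw)}  seen {check_password(idx, pw)} times")
```

The point of the split into `disclosed_prefix`, `range_query` and `check_password` is to make the trust boundary explicit: a bucket holds every hash sharing a prefix, so the server cannot tell which one the client is checking, and the client only ever reveals 20 bits of a 160-bit digest.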
Why This Matters Now
The aggregation of billions of exposed credentials amplifies the risk of widespread account takeover, especially as attackers lean into automation and credential stuffing at scale. Organizations and individuals must recognize that even years-old data can be weaponized in new attacks, making regular password updates, strong authentication, and real-time breach monitoring a top security priority.
Attack Path Analysis
Attackers initially compromised endpoints via malware to harvest credentials, likely exploiting weak or reused passwords. With stolen credential sets in hand, they escalated privileges or accessed additional accounts due to password reuse. Adversaries moved laterally across multiple services by utilizing the same credentials on various platforms. Command and control stages involved exfiltrating harvested data to attacker infrastructure. Massive volumes of email addresses and passwords were exfiltrated and compiled for further criminal use. The breach enabled wide-scale credential stuffing, impersonation, and potential secondary attacks leveraging the exposed data.
Kill Chain Progression
Initial Compromise
Description
Attackers deployed stealer malware on user endpoints to harvest email addresses and passwords, likely exploiting weak credentials and lack of endpoint controls.
MITRE ATT&CK® Techniques
Credentials from Password Stores
Brute Force
Valid Accounts
Data from Local System
Masquerading
Exfiltration Over Web Service
Gather Victim Identity Information
User Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication Credentials
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Credential Hygiene and Management
Control ID: Identity Pillar: Credentials Protection
NIS2 Directive – Technical and Organizational Measures for Access Control
Control ID: Article 21(2)(d)
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Massive credential stuffing exposure threatens banking authentication systems, requiring enhanced zero trust segmentation and east-west traffic monitoring for customer account protection.
Information Technology/IT
Two billion exposed credentials create critical infrastructure vulnerabilities, demanding encrypted traffic solutions and threat detection capabilities to prevent lateral movement attacks.
Health Care / Life Sciences
HIPAA compliance at risk from credential reuse patterns, necessitating multicloud visibility controls and egress security enforcement to protect patient data integrity.
Higher Education/Academia
Academic institutions face elevated risks from password recycling behaviors, requiring Kubernetes security implementations and anomaly detection for campus network protection.
Sources
- 2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned: https://www.troyhunt.com/2-billion-email-addresses-were-exposed-and-we-indexed-them-all-in-have-i-been-pwned/ (Verified)
- Have I Been Pwned adds 1.96 billion accounts from Synthient Credential Stuffing Threat Data: https://www.scworld.com/brief/cybersecurity-alert-have-i-been-pwned-adds-1-96-billion-accounts-from-synthient-credential-stuffing-threat-data (Verified)
- Credential Stuffing Attacks: How to prevent it?: https://prelude.so/blog/credential-stuffing-attacks (Verified)
- Credential Stuffing: How To Prevent It: https://www.splunk.com/en_us/blog/learn/credential-stuffing.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encrypted traffic, egress policy enforcement, and comprehensive visibility would have restricted lateral movement, exposed threats, and blocked or detected the data exfiltration paths exploited by the attack. CNSF controls could have isolated workloads, monitored for anomalous behavior, and prevented ungoverned egress of sensitive credential data.
Control: Encrypted Traffic (HPE)
Mitigation: Intercepted and prevented credential collection via unencrypted network flows.
Control: Zero Trust Segmentation
Mitigation: Limited blast radius of compromised credentials across cloud workloads and services.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral movement among internal workloads.
Control: Threat Detection & Anomaly Response
Mitigation: Detected anomalous traffic consistent with malware C2 activity.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented or alerted on unauthorized outbound transfers of sensitive data.
Expedited breach response and restricted further exposure.
Impact at a Glance
Affected Business Functions
- Customer Account Management
- E-commerce Transactions
- Customer Support Services
Estimated downtime: 7 days
Estimated loss: $6,000,000
The incident involved the exposure of approximately 1.96 billion unique email addresses and 1.3 billion passwords, many of which were previously unseen. This extensive dataset increases the risk of credential stuffing attacks, potentially leading to unauthorized access to user accounts, financial fraud, and identity theft.
Recommended Actions
Key Takeaways & Next Steps
- Enforce microsegmentation and least privilege access controls to minimize credential-based lateral movement in cloud environments.
- Mandate encrypted traffic (HPE/MACsec/IPsec) for all sensitive workloads and user endpoints to prevent credential harvesting via unprotected network flows.
- Deploy strong egress filtering and outbound policy enforcement to block and detect data exfiltration attempts.
- Leverage real-time threat detection and anomaly response to identify and respond to suspicious command and control or data transfer activity.
- Centralize visibility, audit, and incident response workflows across multicloud environments to ensure rapid containment and minimize downstream impact from breaches.
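As an added example of the real-time detection the list above calls for (not code from CNSF or from this page), the following detector looks for the signature credential stuffing leaves in authentication logs: one source address failing against many distinct accounts inside a short window, followed by a success that deserves account-takeover review. The log line format and every address, account and timestamp are constructed for the example; the window and the distinct-user threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 sprays six different accounts, then lands one success.
# 198.51.100.9 is an ordinary user mistyping a password twice.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z auth=fail ip=203.0.113.7 user=alice@example.com
2025-11-20T10:00:02Z auth=fail ip=203.0.113.7 user=bob@example.com
2025-11-20T10:00:03Z auth=fail ip=203.0.113.7 user=carol@example.com
2025-11-20T10:00:04Z auth=fail ip=203.0.113.7 user=dave@example.com
2025-11-20T10:00:05Z auth=fail ip=203.0.113.7 user=erin@example.com
2025-11-20T10:00:06Z auth=fail ip=203.0.113.7 user=frank@example.com
2025-11-20T10:00:07Z auth=ok ip=203.0.113.7 user=grace@example.com
2025-11-20T10:01:10Z auth=fail ip=198.51.100.9 user=alice@example.com
2025-11-20T10:01:25Z auth=fail ip=198.51.100.9 user=alice@example.com
2025-11-20T10:01:40Z auth=ok ip=198.51.100.9 user=alice@example.com
"""

# Assumed line layout: ISO-8601 UTC timestamp, result, source IP, account.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth=(?P<result>ok|fail) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "ip": m["ip"],
        "user": m["user"],
    }


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5) -> dict:
    """Flag source IPs whose failures span many distinct accounts within `window`.

    Returns {ip: {"distinct_failed_users": n, "successful_logins": [accounts]}},
    where successful_logins lists accounts that authenticated from that IP at or
    after the start of the spray burst (candidates for account-takeover review).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "fail"]
        best_users, burst_start = set(), None
        # Slide a window anchored at each failure; keep the densest set of accounts.
        for i, anchor in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - anchor["ts"] <= window}
            if len(users) > len(best_users):
                best_users, burst_start = users, anchor["ts"]
        if len(best_users) >= min_distinct_users:
            takeovers = sorted({e["user"] for e in evs
                                if e["result"] == "ok" and e["ts"] >= burst_start})
            findings[ip] = {
                "distinct_failed_users": len(best_users),
                "successful_logins": takeovers,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_failed_users']} accounts failed; "
              f"successes to review: {info['successful_logins']}")
```

Keying on distinct accounts per source rather than raw failure counts is what separates stuffing from a single user's typos: the second address here fails twice but against one account and is left alone. In production the same logic would run over a streaming window and should also group by shared infrastructure (ASN, user agent, TLS fingerprint), since stuffing tools rotate source addresses to stay under per-IP thresholds.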