Breached: Since December 2013, the "Have I Been Pwned?" website has provided internet users with a quick and convenient way to check whether their accounts have been exposed in data breaches. The service now covers a wide range of incidents, including a big one that was added only a few days ago.
Have I Been Pwned (HIBP) recently added a new, massive database to its ever-growing collection of data breaches and compromised accounts. The dataset contains 183 million unique email addresses, along with the websites they were used on and the passwords associated with them. Troy Hunt, the expert who created HIBP, confirmed that the data can now be searched on the website. Users can simply enter an email address, password, or domain to find out if it has appeared in a known breach.
The breach responsible for the 183 million affected accounts occurred in April 2025 and was added to HIBP on October 21. The information originated from Synthient, a new platform created to collect threat data from multiple online sources. Synthient aggregated billions of records, adding up to several terabytes of storage, mostly provided as a large CSV file and a few accompanying text files.
Hunt cleaned and normalized the data by removing duplicate entries and other inconsistencies. The resulting database of 183 million email addresses has now been added to HIBP, which currently lists 916 compromised websites and more than 15.3 billion affected accounts.

Much of the new threat data comes from infostealer malware such as the notorious Lumma Stealer. These malicious programs infect computers to harvest valuable personal information. Infostealers can extract documents and user credentials, and are usually designed to pack their "loot" before sending it back to cyber-criminals.
Data breach incidents can quickly become a contentious issue. Security experts and analysts are now racing to see who will discover the mother of all breaches, although the definition is usually applied to aggregated data with billions of duplicated accounts. Invalid mailboxes that don't exist anymore can inflate the data as well.
HIBP has long been regarded as a trusted and carefully curated resource for improving online privacy and security. But because the service has been around for so many years, some of the listed accounts may no longer be at risk or are now well protected.
To put it in different words, finding your email address in one of the breaches included in the HIBP database doesn't necessarily have to spell doom for the safety of that account. For example, my main Gmail address can now be found in seven different data breaches, which means that one of the services I used in the past was compromised by cybercriminals. However, I never recycle passwords and I follow many of Google's recommended security practices, so I'm confident my opsec will keep my Gmail account safe and sound for the foreseeable future.