An extensive breach has resulted in the leak of data from 183 million email users, many of whom are Gmail users, including email addresses, passwords, and the websites where users entered the data.

Troy Hunt, the founder and CEO of Have I Been Pwned, recently announced that cybersecurity firm Synthient aggregated billions of records of “threat data” from various Internet sources in 2025.

Synthient collated information stealer and credential stuffing data from around the Internet and shared it with Have I Been Pwned.

“The data contained 183 million unique email addresses alongside the websites they were entered into and the passwords used,” Hunt wrote.

“After normalising and deduplicating the data, 183 million unique email addresses remained, each linked to the website where the credentials were captured, and the password used.”

He recommended that people change their email passwords and enable two-factor authentication to ensure their accounts aren’t compromised further.

Hunt’s blog provided additional details about Synthient’s data collection. He credits Synthient’s Benjamin Brundage with aggregating the data and sharing it with Have I Been Pwned.

Brundage’s data came from various sources, including social media, online forums, Tor, and Telegram. By the time he shared the data with Have I Been Pwned, the collection had reached 3.5TB.

“It’s a vast corpus,” said Hunt, adding that it is one of the most significant breaches in terms of size.

“Part of what makes the data so large is that we’re actually looking at both stealer logs and credential stuffing lists.”

He explained that stealer logs are the product of infostealers, or malware that runs on infected machines, capturing credentials entered into websites at input and relaying the data back to malware operators.

The output of stealer logs consists primarily of website addresses, email addresses, and passwords. For example, when someone logs into Gmail, their email address and password are captured against gmail.com.

Millions of breached email data on the dark web

Hunt explained that a challenge with stealer logs is that they are heavily recycled, and a lot of the data they contain may not be new.

He and Brundage ran a PowerShell script to gauge how much of the data had been seen before and found that 92% was already known compromised credentials.

“Having previously seen 92% of addresses also means we haven’t seen 8% of the addresses. That 8% is a considerable number, too: we found 183 million email addresses across the stealer log data,” said Hunt.

That means over 14 million addresses contained in the data had never been previously reported on Have I Been Pwned.

However, after running an in-depth analysis, they found that roughly 16.4 million of the addresses contained in the stealer logs were previously unseen in any data breach.

Therefore, the actual number of pre-existing addresses in the dataset was 91% — slightly less than the back-of-napkin PowerShell estimate indicated.

Hunt reached out to owners of some of the new addresses, who confirmed that it was their address and that the linked password was one of their past passwords.

Another respondent confirmed that the list of website addresses linked to his credentials were sites he’d visited, some of which he still uses.

Brundage’s data also contained credential stuffing lists. Unlike stealer logs, these aren’t the product of malware; they’re aggregated from other places where email addresses and passwords are obtained.

Hunt warned that credential stuffing lists can cause significant damage, considering they typically contain the keys to various services.

“Not only are they the gateway to so many takeovers of social media accounts, email addresses, and other valuable resources, they’re also responsible for many subsequent, very serious data breaches,” he said.

Have I Been Pwned has loaded the stealer logs on its website, enabling users to search their addresses to see if their data has been compromised.

“We intend to load the credential stuffing data as a separate corpus next week and call it Synthient Credential Stuffing Threat Data, assuming it’s sufficiently new and the accuracy is confirmed,” said Hunt.