In October 2025, a single dataset added 183 million unique credentials to Have I Been Pwned, the long-running breach-notification service run by security researcher Troy Hunt. The collection, named after the firm that surfaced it, Synthient, was not stolen from one company in one dramatic hack. It was assembled over roughly a year from the underground markets where criminals trade the output of infostealer malware, the kind of program that silently harvests saved passwords from an infected computer. Around 91% of those credentials had already appeared in earlier breaches; about 16.4 million addresses were entirely new.
That nuance matters, because the story was widely and wrongly reported as a "Gmail breach." Google had to issue a public correction stating that reports of a Gmail breach "impacting millions of users" were false: the credentials came from malware on individual devices, not from any flaw in Gmail's servers. The distinction between a service being breached and your own machine being robbed is one of the most useful things you can internalise about modern security, and we will come back to it.
A few months earlier, in June 2025, researchers at Cybernews described roughly 16 billion login pairs exposed across about thirty unsecured datasets. The number is staggering and was breathlessly covered, but here too the careful reading is important: this was not one new mega-hack. It was a compilation, much of it recycled and re-recycled infostealer output, briefly left readable on misconfigured cloud storage. The lesson of 2025 was not that any single breach was apocalyptic. It was that leaked credentials have become a vast, continuously replenished commodity, and that the same passwords keep showing up again and again.
Leak, breach, hack: three words people use interchangeably and shouldn't
Precision here saves you from both panic and complacency.
A breach is when an attacker gets into a company's systems and extracts data, your account record among millions of others. The 2013 Adobe breach (153 million records) and the 2016 disclosure of Yahoo's breaches (eventually revised to all 3 billion accounts) are textbook cases. You did nothing wrong; the service was compromised.
A leak is broader. It includes breaches, but also data exposed through misconfiguration, an unsecured database left open to the internet, a backup bucket made public by mistake, or a compilation of older breaches re-published. The "16 billion" story was a leak of compilations, not a fresh break-in.
Infostealer theft is the third and now dominant category. Malware on your device reads the passwords your browser saved and exfiltrates them. No company was breached. The weak point was an infected laptop, often compromised through a pirated app, a malicious browser extension, or a booby-trapped download. The Synthient data was overwhelmingly this kind.
Why does the taxonomy matter? Because your response differs. After a service breach, you change the password for that service. After infostealer theft, changing one password is not enough: the malware likely grabbed everything saved in the browser, so the device must be cleaned and every stored credential rotated. And in all three cases, the single factor that decides whether a leak is a minor annoyance or a cascading disaster is the same: whether you reused the password.
Credential stuffing: why reuse is the actual weapon
Suppose your password from a hobby forum leaks. On its own, an attacker gaining access to your account on a defunct forum is close to worthless. The danger is what comes next, and it has a name: credential stuffing.
Attackers take the enormous lists of leaked email:password pairs and feed them into automated tools that try each pair against hundreds of popular services, banks, email providers, retailers, social networks, at a rate of thousands of attempts per minute through botnets. They are not guessing. They are betting that a meaningful fraction of people used the same email and password on the forum as on their bank or their primary inbox. That bet pays off often enough to be enormously profitable. Success rates for credential-stuffing campaigns are typically low in percentage terms, but against billions of credentials, even a fraction of a percent yields a flood of compromised accounts.
This is the crux of the entire subject. A unique password contains the blast radius of a leak to a single account. A reused password turns one leak into a master key. The 183-million and 16-billion figures are alarming precisely because they are the ammunition for credential stuffing, and because password reuse remains widespread enough to make that ammunition effective.
It also explains a counter-intuitive truth: a password's strength against brute-force guessing barely matters once it has leaked. A 20-character random password that appears in a breach corpus is, for credential-stuffing purposes, just as compromised as 123456. Length protects you against guessing. Only uniqueness and prompt rotation protect you against a leak.
How a service is supposed to store your password
To understand why a leak checker can work without endangering you, it helps to know what a well-run service stores in the first place. A competent service never keeps your password as plain text. Instead it stores a hash: the output of a one-way function that turns correct horse battery staple into a fixed-length string from which the original cannot practically be recovered. When you log in, the service hashes what you typed and compares the result to the stored hash.
Two refinements make this robust. A salt is a unique random value mixed into each password before hashing, so two users with the same password get different hashes and pre-computed "rainbow tables" become useless. And modern services use deliberately slow hashing algorithms, bcrypt, scrypt, or Argon2, designed to be expensive to compute, so that even after a breach an attacker can only test a few thousand guesses per second rather than billions. When you read that a breach exposed "hashed and salted" passwords with a strong algorithm, the practical risk is far lower than when passwords were stored badly, as Adobe's 2013 breach infamously demonstrated.
Of course, salting and slow hashing protect against guessing the original password from a stolen hash. They do nothing once the plaintext is already circulating, which is exactly the situation infostealers and old plaintext leaks create. That is the gap a leak checker addresses: it tells you whether your specific password is already out there, in the clear, in a known corpus.
The clever part: checking a secret without revealing it
Here is the apparent paradox. To find out whether your password is in a 900-million-entry list of leaked passwords, you seemingly have to either download the entire list (tens of gigabytes) or send your password to a server, the very act you are trying to avoid. The elegant way out is a technique called k-anonymity, proposed for this use by Junade Ali at Cloudflare and built into Have I Been Pwned's Pwned Passwords service. Our own password leak checker uses exactly this model, entirely in your browser.
It works in four steps:
Hash locally. Your browser computes the SHA-1 hash of the password you typed. SHA-1 is cryptographically retired for signatures, but here it is used only as a stable fingerprint, and its choice is deliberate: it matches the format of the Pwned Passwords corpus. The hash is a 40-character hex string such as 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
Send only a prefix. The browser sends just the first five characters of that hash, 5BAA6, to the API. That prefix is all that ever leaves your device.
Receive a haystack. The server replies with every leaked-hash suffix that begins with those five characters, each followed by how many times it has been seen. Because there are only 165 = 1,048,576 possible prefixes, any prefix matches a crowd of unrelated hashes, on the order of several hundred. The server cannot tell which one, if any, is yours.
Compare locally. Your browser scans that returned list for the suffix of your full hash. If it finds a match, your password is in the corpus, and the count tells you how many times. If not, it is not known to have leaked. The match happens on your machine; the answer is never sent back.
This is what "privacy-preserving" means in concrete terms. The server sees a five-character prefix shared by hundreds of passwords and learns nothing about which account, person, or full password is being checked. The service handles this at extraordinary scale, on the order of 18 billion such range queries every month, without ever needing the underlying secret. For our tool the property is even stronger: because the comparison is pure client-side JavaScript, your password never touches our servers at all.
What to do the moment a password comes back compromised
A positive result is not a catastrophe; it is actionable information. Work through it calmly.
Change it everywhere you used it, starting with the keys to the kingdom. Email first, because a compromised inbox lets an attacker reset every other account through "forgot password" links. Then banking, then anything tied to payment.
Make every replacement unique. A new password reused across three sites is three future problems. Generate a distinct one per account; our password generator produces long random strings on the spot.
Adopt a password manager. This is the only realistic way to hold dozens of unique passwords. It creates, stores, and fills them, leaving you one master passphrase to remember. Our guide to password managers walks through choosing and setting one up.
Turn on a second factor. Two-factor authentication (2FA) means a leaked password alone is not enough to log in. Prefer an authenticator app or a hardware key over SMS, which is vulnerable to SIM-swapping.
Use a passkey where offered. Passkeys, built on the WebAuthn standard (a W3C Recommendation since 2018) and FIDO2, replace the password with a cryptographic key pair bound to the site's real domain. A passkey for your bank physically cannot be used on a look-alike phishing site, which makes the entire category of phishing and credential stuffing inapplicable. Major platforms from Apple, Google and Microsoft now support them widely.
One honest limitation worth stating: a privacy-preserving tool like ours checks passwords, not email addresses. To find out whether your email address has appeared in named breaches, and which ones, go to haveibeenpwned.com directly. Checking an address requires an authenticated API that cannot be safely run inside a web page, and an address is directly identifying in a way a password prefix is not.
What the standards bodies now actually recommend
The official advice has quietly converged, and it overturns a generation of bad habits. The US National Institute of Standards and Technology, in its Digital Identity Guidelines (SP 800-63B), now tells organisations to check new passwords against breach corpuses and reject any that appear, to stop forcing periodic password changes unless there is evidence of compromise, and to drop mandatory composition rules (the "must contain an uppercase, a digit and a symbol" requirements that merely pushed people toward predictable patterns like Password1!). Length and uniqueness matter; arbitrary complexity and rotation do not.
In France, the guidance is consistent and freely available. Cybermalveillance.gouv.fr, the state platform for assisting victims, and the CNIL, the data-protection authority, both advise the same core habits after a leak: change the affected password quickly and everywhere it was reused, never share a password across services, store them in a password manager, and enable multi-factor authentication on important accounts. For a deeper look at what makes an individual password resistant in the first place, our anatomy of a strong password covers the mechanics.
None of this is exotic. The entire defence reduces to three sentences. Use a unique password per account. Let a manager remember them. Add a second factor, or a passkey, wherever you can. A leak checker is simply the diagnostic that tells you where to start.
Is it safe to type my real password into an online leak checker?
It depends entirely on how the checker works. A tool built on the Pwned Passwords k-anonymity model never transmits your password or its full hash. Your browser hashes the password locally with SHA-1, sends only the first five characters of that hash, and downloads a list of matching suffixes to compare on your own machine. The full password and full hash never leave your device. Avoid any checker that asks you to submit the password to a server in clear text, because that is precisely the behaviour you are trying to defend against.
My password shows up in a breach database. Does that mean my account was hacked?
Not necessarily. It means that exact string of characters has appeared in at least one leaked dataset somewhere, attached to some account, not necessarily yours. But if you reuse that password anywhere, treat it as burned: attackers feed leaked credentials into automated credential-stuffing tools that try them across thousands of sites. Stop using the password everywhere you have it, starting with email and banking, and replace each instance with a unique one.
Why does the tool only check passwords and not email addresses?
Checking a password privately is possible because the k-anonymity range query reveals almost nothing: a five-character hash prefix matches hundreds of unrelated passwords. Checking an email address is different. The Have I Been Pwned breach API requires an authenticated key that cannot be safely embedded in a web page, and an email address is directly identifying. To check an address, go to haveibeenpwned.com directly and enter it there.
If I should not reuse passwords, how am I supposed to remember dozens of unique ones?
You are not. The accepted answer for over a decade is a password manager: it generates a long random password per site, stores it encrypted behind one strong master passphrase, and fills it in for you. You memorise exactly one secret. Where a site offers passkeys, you can often skip the password entirely. Memorising sixty unique passwords is not a realistic security model, and no guidance asks you to.
Is a long password still useful if passkeys and two-factor authentication exist?
Yes. Passkeys are spreading but are not yet available everywhere, and many accounts will rely on passwords for years. A long, unique, never-reused password combined with a second factor remains a strong defence. The priority order is straightforward: stop reusing passwords, turn on two-factor authentication or a passkey where you can, and let a manager handle the rest.
