Full Report
In June 2025, headlines erupted over a "16 billion password" breach. In reality, the dataset was a compilation of publicly accessible stealer logs, mostly repurposed from older leaks, with only a small portion of genuinely new material. HIBP received 2.7B rows containing 109M unique email addresses, which were subsequently added to the service under the name "Data Troll". The websites the stealer logs were captured against are searchable via the HIBP dashboard.
Analysis Summary
# Incident Report: Publicly Sourced Stealer Log Compilation Added to HIBP
## Executive Summary
In June 2025, a large dataset purported to be 16 billion passwords was publicized. Upon investigation, this dataset was found to be a compilation of publicly accessible stealer logs, largely repurposed from older leaks, with a minority of genuinely new data. Have I Been Pwned (HIBP) added 2.7 billion rows, covering 109 million unique email addresses, to its service under the identifier "Data Troll."
## Incident Details
- Discovery Date: June 2025 (when headlines erupted regarding the 16 billion password breach)
- Incident Date: Compilation occurred around June 2025
- Affected Organization: Not applicable (This was a collection of data scraped from various sources/victims, compiled by a "Data Troll")
- Sector: Information Aggregation / Data Brokerage (Source of the leak) / General Public (Affected users)
- Geography: Global (Implied by the nature of the aggregated data)
## Timeline of Events
### Initial Access
- Date/Time: Prior to June 2025
- Vector: Compromise of various victim systems via malware (Stealer Logs)
- Details: Attacker(s) used information-stealing malware to harvest credentials from numerous smaller victims globally. These logs were subsequently aggregated or sold.
### Lateral Movement
- N/A (This event concerns the *publication* and *aggregation* of already compromised data, not an active intrusion within a single entity's network.)
### Data Exfiltration/Impact
- Date/Time: Data published/compiled around June 2025. Added to HIBP on August 13, 2025.
- Details: 2.7 billion credential rows, including 109.5 million unique email addresses and associated passwords, were made publicly searchable via HIBP.
### Detection & Response
- Date/Time: Initial headlines in June 2025; HIBP processing complete Aug 13, 2025.
- Details: Troy Hunt/HIBP identified the dataset, analyzed its origin (publicly accessible stealer logs), and incorporated the unique entries into HIBP for public notification.
## Attack Methodology
- Initial Access: Credential theft via information-stealing malware on end-user devices.
- Persistence: N/A (Not an active campaign against a single target).
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: Automated harvesting via malware (infostealers).
- Discovery: N/A
- Lateral Movement: N/A
- Collection: Aggregation of existing, previously compromised data, supplemented by a small volume of new material.
- Exfiltration: Data was exfiltrated from individual victims to the malware operator's C2 infrastructure, and finally compiled for public dissemination.
- Impact: Exposure of 109.5 million unique emails and their associated passwords to a searchable platform (HIBP).
## Impact Assessment
- Financial: Not quantified, but users face risks including account takeover and financial fraud.
- Data Breach: 109.5 million unique email addresses; associated passwords (Total 2.7 billion rows).
- Operational: No operational impact on a single target organization. Impact is on individual user security posture globally.
- Reputational: Minor reputational impact on the "Data Troll" entity responsible for the compilation; HIBP's reputation remained focused on user security services.
## Indicators of Compromise
- Network indicators: N/A (Specific C2 infrastructure was not detailed, reflecting the distributed nature of the source logs).
- File indicators: N/A (Specific malware hashes not cited).
- Behavioral indicators: Reuse of the leaked email/password combinations in login attempts across multiple services (credential stuffing risk).
## Response Actions
- Containment: N/A (Incident involved disseminated data, not an active network intrusion).
- Eradication: N/A
- Recovery: Security advice provided to affected users:
1. Immediately change any password exposed in the breach.
2. Enable Two-Factor Authentication (2FA) wherever it is supported.
3. Use a password manager to generate unique, strong credentials.
## Lessons Learned
- The volume of passwords publicized (16 billion) was significantly inflated compared to the unique, verifiable data added (109M emails).
- Dissemination of massive data dumps, even if partially recycled, continues to pose significant risks to end-users.
- Stealer logs remain a significant threat vector: compilations mix older data with freshly harvested credentials that are easy for attackers to exploit.
## Recommendations
- Users must adhere strictly to the security advice: change passwords and enable 2FA immediately if their email appears in the HIBP "Data Troll" listing.
- Organizations should educate users on the dangers of infostealer malware, especially the risk it poses to credentials saved in browsers and to password manager data on an infected device.
- Continue using security solutions capable of spotting the behavioral anomalies associated with credential stuffing attempts.
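The behavioral indicator listed under Indicators of Compromise and the anomaly detection called for in this recommendation both come down to one pattern: a single source trying leaked email/password pairs against many distinct accounts, with most attempts failing and the occasional hit where a user reused a leaked password. The following script is an added example, not code from HIBP or from this report; it flags that pattern over constructed authentication log lines. The log format (`timestamp ip account FAIL|SUCCESS`), the thresholds, the sample addresses and the function names are all assumptions made for the example.

```python
"""Flag credential-stuffing behaviour in authentication logs.

Added example, not part of the HIBP write-up. Assumes a constructed log
format, one event per line: "<ISO-8601 UTC timestamp> <source IP> <account> <FAIL|SUCCESS>".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: one source cycles leaked combinations through many accounts
# (one succeeds), one user fumbles their own password, and one normal login.
SAMPLE_LOG = """\
2025-08-13T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-08-13T10:00:03Z 203.0.113.7 bob@example.com FAIL
2025-08-13T10:00:05Z 203.0.113.7 carol@example.com FAIL
2025-08-13T10:00:08Z 203.0.113.7 dave@example.com SUCCESS
2025-08-13T10:00:10Z 203.0.113.7 erin@example.com FAIL
2025-08-13T10:00:12Z 203.0.113.7 frank@example.com FAIL
2025-08-13T10:00:15Z 203.0.113.7 grace@example.com FAIL
2025-08-13T10:00:17Z 203.0.113.7 heidi@example.com FAIL
2025-08-13T10:01:00Z 198.51.100.4 alice@example.com FAIL
2025-08-13T10:01:20Z 198.51.100.4 alice@example.com FAIL
2025-08-13T10:01:45Z 198.51.100.4 alice@example.com SUCCESS
2025-08-13T10:02:00Z 192.0.2.9 bob@example.com SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass
class Finding:
    ip: str
    window_start: datetime
    window_end: datetime
    attempts: int
    distinct_users: int
    failures: int
    # Accounts that accepted a stuffed password inside the window: force-reset candidates.
    compromised_users: list = field(default_factory=list)


def parse_line(line: str) -> LoginEvent:
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS")


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return one Finding per source IP whose busiest window shows many distinct
    accounts with mostly failed logins: the signature of stuffing a leaked list,
    as opposed to one user retrying their own password (few accounts, same IP)."""
    by_ip = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if raw:
            ev = parse_line(raw)
            by_ip[ev.ip].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        users = Counter()  # accounts currently inside the sliding window
        failures = 0
        start = 0
        best = None
        for end, ev in enumerate(events):
            users[ev.user] += 1
            failures += not ev.success
            # Slide the window start forward until the span is at most `window`.
            while ev.ts - events[start].ts > window:
                old = events[start]
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                failures -= not old.success
                start += 1
            attempts = end - start + 1
            if len(users) >= min_users and failures / attempts >= min_fail_ratio:
                if best is None or len(users) > best.distinct_users:
                    best = Finding(ip, events[start].ts, ev.ts, attempts, len(users), failures)
                    best.compromised_users = [e.user for e in events[start:end + 1] if e.success]
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(f"{f.ip}: {f.distinct_users} accounts, {f.failures}/{f.attempts} failed "
              f"between {f.window_start:%H:%M:%S} and {f.window_end:%H:%M:%S}; "
              f"accounts to force-reset: {f.compromised_users}")
```

Run against the constructed sample, only `203.0.113.7` is reported (8 distinct accounts, 7 of 8 attempts failed), with `dave@example.com` listed as the account whose leaked password still worked. The user retrying their own password from `198.51.100.4` is not flagged because the distinct-account count never exceeds one. The distinct-account threshold is what separates stuffing from ordinary lockout noise; tune `min_users` and `window` to the login volume of the service, and feed the `compromised_users` list into the password-reset and 2FA-enrolment steps listed under Recovery.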