Full Report
During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords.
Analysis Summary
# Incident Report: Aggregation of Credential Stuffing Lists (Synthient Data)
## Executive Summary
During 2025, the threat intelligence firm Synthient aggregated 2 billion unique email addresses and 1.3 billion unique passwords from credential-stuffing lists sourced from malicious internet locations. The lists contain data previously compromised in other breaches and are used to facilitate further account takeovers via password reuse. The resulting dataset was indexed by Have I Been Pwned (HIBP), and the passwords are searchable in Pwned Passwords.
## Incident Details
- **Discovery Date:** November 5, 2025 (Date added to HIBP index)
- **Incident Date:** Throughout 2025 (Aggregation period/Breach Occurred: April 2025)
- **Affected Organization:** Synthient (Threat Intelligence Firm/Data Aggregator)
- **Sector:** Threat Intelligence / Cybersecurity Data Aggregation
- **Geography:** Not specified (Data sourced from multiple malicious internet sources globally)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2025 (Breach Occurred)
- **Vector:** Compilation/Acquisition of existing credential lists from malicious internet sources.
- **Details:** The incident is not a traditional data breach of a single entity, but rather the aggregation of *existing* compromised credentials used for credential stuffing campaigns.
### Lateral Movement
- **Date/Time:** During 2025 (Aggregation period)
- **Vector:** N/A (Data collection/aggregation, not network intrusion)
- **Details:** Attackers (or the aggregating firm in the context of security awareness) compiled lists used for mass credential stuffing efforts.
### Data Exfiltration/Impact
- **Date/Time:** Consistent throughout 2025
- **Vector:** N/A (Data already exfiltrated from prior breaches)
- **Details:** 2 billion unique email addresses and 1.3 billion unique passwords were compiled.
### Detection & Response
- **Date/Time:** November 5, 2025
- **Vector:** Indexing the aggregated public data by the Have I Been Pwned (HIBP) service.
- **Details:** The indexed data became searchable, effectively exposing the scale of the aggregated credentials being used for stuffing attacks.
## Attack Methodology
This summary describes the aggregation and intended use of existing breach data, not a specific intrusion against Synthient.
- **Initial Access:** N/A (Data aggregated from external malicious sources)
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** Acquisition of credential pairs (email/password) resulting from prior, unlisted data breaches.
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** Aggregation of 2 billion emails and 1.3 billion passwords.
- **Exfiltration:** N/A (Focus is on data aggregation for subsequent misuse)
- **Impact:** Facilitation of credential stuffing attacks against unrelated services due to widespread password reuse.
## Impact Assessment
- **Financial:** No direct financial cost disclosed for the aggregation event, but the resulting credential stuffing campaigns cause financial loss to victim organizations.
- **Data Breach:** **2 billion unique email addresses** and **1.3 billion unique passwords** indexed. The data consists of credentials previously compromised in *other* data breaches.
- **Operational:** No operational impact mentioned on Synthient or HIBP (as data providers/indexers). High potential for operational disruption for downstream organizations targeted by credential stuffing.
- **Reputational:** Primarily affects victims of credential stuffing whose data is now highly searchable.
## Indicators of Compromise
*Note: As this is an aggregation of historical data, active IoCs relate only to the **use** of this data.*
- **Network Indicators:** N/A (The data itself is static lists, not active C2)
- **File Indicators:** N/A
- **Behavioral Indicators:** Mass login attempts originating from disparate geographical locations using known password pairs against unrelated service login portals (i.e., credential stuffing).
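
The behavioral indicator above can be turned into a log check. The following is an added example, not part of the original report: it flags time windows in which many distinct accounts are each tried only once or twice, mostly unsuccessfully, regardless of how many source addresses are involved. The log format, sample lines, and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format (constructed): "<UTC timestamp> ip=<addr> user=<account> result=OK|FAIL"
LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield int(ts.timestamp()), m.group(2), m.group(3), m.group(4)

def stuffing_windows(lines, window_s=60, min_accounts=5, max_per_account=2.0, min_fail_ratio=0.8):
    """Flag windows with many accounts, few tries per account, and mostly failures."""
    buckets = defaultdict(list)
    for epoch, ip, user, result in parse(lines):
        buckets[epoch // window_s].append((ip, user, result))
    hits = []
    for key in sorted(buckets):
        events = buckets[key]
        accounts = {user for _, user, _ in events}
        fails = sum(1 for _, _, result in events if result == "FAIL")
        # Per-IP rate limits miss this pattern because each address sends very little.
        if (len(accounts) >= min_accounts
                and len(events) / len(accounts) <= max_per_account
                and fails / len(events) >= min_fail_ratio):
            start = datetime.fromtimestamp(key * window_s, timezone.utc)
            hits.append({
                "start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "accounts": len(accounts),
                "ips": len({ip for ip, _, _ in events}),
                # A success inside a flagged window is a likely takeover: force a reset.
                "succeeded": sorted(u for _, u, r in events if r == "OK"),
            })
    return hits

# Constructed sample: six accounts tried once each from six addresses (documentation
# ranges), then one account retried six times from one address (not stuffing).
_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.99", "198.51.100.23", "192.0.2.8"]
SAMPLE = [f"2025-11-05T10:00:{i * 5:02d}Z ip={ip} user=user{i}@example.com "
          f"result={'OK' if i == 4 else 'FAIL'}" for i, ip in enumerate(_IPS)]
SAMPLE += [f"2025-11-05T10:05:{i * 5:02d}Z ip=203.0.113.50 user=victim@example.com result=FAIL"
           for i in range(6)]

if __name__ == "__main__":
    for hit in stuffing_windows(SAMPLE):
        print(hit)
```

The second burst in the sample is a single-account guessing pattern and is deliberately not flagged; it calls for a per-account lockout rule instead.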
## Response Actions
The primary response action detailed is data processing and transparency:
- **Containment measures:** None explicitly mentioned for preventing the initial gathering of the lists.
- **Eradication steps:** N/A
- **Recovery actions:** Victims are strongly advised to:
  1. Change passwords immediately if credentials match the indexed data.
  2. Enable Two-Factor Authentication (2FA) on all relevant accounts.
## Lessons Learned
- **Password Reuse is a catastrophic multiplier:** The existence and utility of these large credential stuffing lists underscore the severe risk associated with users reusing passwords across multiple services.
- **Data Aggregation Risk:** Even when gathering data derived from *other* breaches, making such large datasets searchable immediately amplifies the threat landscape for those affected by prior compromises.
## Recommendations
- Mandate the use of unique, strong passwords for all online services, preferably managed via a password manager.
- Adopt and enforce Multi-Factor Authentication (MFA/2FA) across all user accounts to neutralize credential stuffing attempts.
- Organizations should invest in proactive credential monitoring services to identify when their users' credentials appear in known breach lists.
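
Since the passwords are searchable in Pwned Passwords, screening can be done without disclosing the password itself. The following is an added example, not part of the original report: it implements the client side of the Pwned Passwords k-anonymity range lookup, where only the first five hex characters of the SHA-1 hash leave the machine. It runs offline against a constructed stand-in for the range endpoint; `constructed_fetch`, the corpus, and all counts are assumptions made up for illustration.

```python
import hashlib
from collections import defaultdict

def split_hash(password):
    """SHA-1 the password; return (5-char prefix sent out, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; ignore malformed lines and zero-count padding entries."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def check_passwords(passwords, fetch_range):
    """Return {password: breach count}. fetch_range(prefix) only ever sees the prefix."""
    by_prefix = defaultdict(list)
    for pw in passwords:
        prefix, suffix = split_hash(pw)
        by_prefix[prefix].append((pw, suffix))
    results = {}
    for prefix, items in by_prefix.items():
        counts = parse_range(fetch_range(prefix))  # one lookup per distinct prefix
        for pw, suffix in items:
            results[pw] = counts.get(suffix, 0)    # suffix comparison happens locally
    return results

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The corpus and its counts are invented; a real response lists many more suffixes.
CONSTRUCTED_CORPUS = {"password": 1000, "Summer2025!": 7}
SEEN_PREFIXES = []  # records everything the "service" was shown

def constructed_fetch(prefix):
    SEEN_PREFIXES.append(prefix)
    lines = [f"{s}:{n}" for pw, n in CONSTRUCTED_CORPUS.items()
             for p, s in [split_hash(pw)] if p == prefix]
    lines.append("0" * 35 + ":0")  # padding-style entry that must not count as a hit
    return "\r\n".join(lines)

if __name__ == "__main__":
    candidates = ["password", "Summer2025!", "x9#Lr!unlisted-example"]
    for pw, n in check_passwords(candidates, constructed_fetch).items():
        print(f"{'REJECT' if n else 'ok':6} seen {n} times (length {len(pw)})")
```

In production, `fetch_range` would perform the HTTPS request; a password with a nonzero count should be rejected at signup, reset, and login-time rehash.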