Full Report
During 2025, Synthient aggregated billions of records of "threat data" from various internet sources. After normalising and deduplicating the data, 183 million unique email addresses remained, each linked to the website where the credentials were captured and the password used. This dataset is now searchable in HIBP by email address, password, domain, and the site on which the credentials were entered.
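The normalising and deduplicating step described above, as an added example (not Synthient's or HIBP's own code): records are reduced to (site, email, password), collapsing differences in URL scheme, path, email case and whitespace, and then counted per site the way a domain search would report them. The `url|email|password` input format is an assumption for the constructed sample; real stealer logs vary by malware family.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not real data): the duplicates differ only in
# case, scheme, path or trailing whitespace, which normalisation should collapse.
SAMPLE_RECORDS = """\
https://www.example.com/login|Alice@Example.com|hunter2
http://example.com/account/signin|alice@example.com|hunter2
https://shop.example.net/|bob@example.org |Pa55word
https://shop.example.net/checkout|BOB@example.org|Pa55word
https://shop.example.net/|bob@example.org|OtherPass
malformed line with no separators
"""

def site_of(url: str) -> str:
    """Reduce a captured URL to its host, dropping scheme, path and a leading www."""
    host = urlsplit(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host

def parse_record(line: str):
    """Return (site, email, password) or None for lines that do not parse."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 3:
        return None
    url, email, password = parts
    site, email = site_of(url), email.strip().lower()
    if not site or "@" not in email or not password:
        return None
    return site, email, password  # password kept verbatim: case matters

def normalise(text: str):
    """Deduplicate on (site, email, password) after normalising site and email."""
    seen, records = set(), []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records

def summarise(records):
    """Counts a notification service reports: unique emails overall and per site."""
    per_site = defaultdict(set)
    for site, email, _ in records:
        per_site[site].add(email)
    unique_emails = {email for _, email, _ in records}
    return len(unique_emails), {s: len(e) for s, e in per_site.items()}

if __name__ == "__main__":
    print(summarise(normalise(SAMPLE_RECORDS)))
```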
Analysis Summary
# Incident Report: Synthient Stealer Log Threat Data Aggregation
## Executive Summary
A large volume of threat data, collected during 2025 from various internet sources via stealer logs, was aggregated by Synthient. This dataset included 183 million unique email addresses linked to the websites they were used on and the corresponding passwords. The incident was surfaced when this aggregated, de-duplicated data was added to Have I Been Pwned (HIBP) for public verification. The primary impact is widespread credential exposure affecting numerous unrelated services.
## Incident Details
- Discovery Date: October 21, 2025 (Date added to HIBP)
- Incident Date: Aggregation occurred throughout 2025; the breach is dated from April 2025 onward (based on the breach occurrence date provided for affected accounts)
- Affected Organization: Synthient (Collector/Aggregator)
- Sector: Threat Intelligence/Data Aggregation
- Geography: Not explicitly specified, but data is global.
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2025 (Collection period)
- Vector: Stealer Logs (Malware/Infostealers running on end-user machines)
- Details: Synthient aggregated billions of records containing credentials collected by malware/infostealers from various internet sources.
### Lateral Movement
- Not applicable. This was a data collection/aggregation event originating from compromised endpoints, not a network intrusion into Synthient's internal environment to pivot.
### Data Exfiltration/Impact
- Date/Time: Prior to the October 2025 disclosure.
- Details: The finalized dataset comprised 183 million unique email addresses, the associated passwords, and the specific website domain where each set of credentials was captured.
### Detection & Response
- Date/Time: October 21, 2025
- Details: The aggregated dataset was validated for integrity and scale and then loaded into the HIBP database, which served as the public disclosure mechanism.
## Attack Methodology
- Initial Access: Stealer Logs (Malware installed on end-user devices harvesting credentials from browsers/applications).
- Persistence: N/A for the primary victim environment; the persistence mechanism was within the infected user machines.
- Privilege Escalation: N/A (Data collected directly from user sessions/storage).
- Defense Evasion: Utilized existing malware infrastructure (stealers) to avoid network-level detection.
- Credential Access: Directly captured credentials (email/password pairs) from local machine storage or active sessions.
- Discovery: N/A (Automated collection via existing stealer configurations).
- Lateral Movement: N/A.
- Collection: Automated harvesting and aggregation into the Synthient database.
- Exfiltration: Uploaded from infected endpoints to the aggregator infrastructure (Synthient).
- Impact: Mass exposure of user credentials across potentially thousands of downstream websites.
## Impact Assessment
- Financial: Not disclosed, but high due to potential for account takeover and remediation costs for affected users/organizations.
- Data Breach: 183 million unique email addresses, corresponding passwords, and associated website domains.
- Operational: Major operational disruption for end-users requiring mass password resets across multiple services.
- Reputational: Significant reputational damage to Synthient as the aggregator of compromised credentials.
## Indicators of Compromise
- *Note: Since this is a log aggregation/disclosure, specific IOCs related to the initial attack vector (stealers) are context-dependent and were not provided for Synthient's systems.*
- Behavioral indicators: Large-scale data ingestion and normalization of credentials from unknown/suspicious sources.
## Response Actions
- Containment: The primary response action was the public disclosure via HIBP to notify affected users.
- Eradication: Not applicable to Synthient's aggregation platform itself, but eradication requires users to change passwords.
- Recovery: Users are strongly advised to change passwords for services impacted since April 2025 and enable 2FA.
## Lessons Learned
- The aggregation of threat data harvested by malware (stealer logs) presents a massive, decentralized credential risk that is difficult to attribute to a single source breach.
- Data normalization and centralization of widely distributed credential harvesting logs magnify the impact when exposed.
## Recommendations
- Users whose credentials appeared in the dataset must immediately change passwords corresponding to the affected domains.
- Enable Multi-Factor Authentication (MFA/2FA) on all critical accounts.
- Utilize password managers to ensure unique, strong passwords for every online service.