Nearly two billion stolen email logins have surfaced on the dark web, exposing the staggering scale of a global password crisis.

A cybersecurity firm called Synthient has uncovered the collection of stolen login details circulating on the dark web, having gathered compromised credentials from various breaches.

Their findings show that hackers have access to nearly two billion email addresses alongside 1.3 billion passwords. These aren’t from a single security incident but represent accumulated data from numerous breaches over time.

Passwords remain the frontline defence protecting everything from bank balances to private messages and photo libraries. Yet despite their importance, millions of Britons continue to rely on weak or reused passwords—leaving their digital lives dangerously exposed. In fact, it was only recently that Britons finally ditched the word “password” as the most popular choice.

Switch to 1Password for free

The award-winning 1Password is designed to generate and store unguessable passwords, passkeys, credit card numbers, national insurance numbers, and much more. Its built-in WatchTower feature evaluates password strength and warns about data breaches that impact you. 1Password is currently free to test for 14 days with no obligation to subscribe

1Password Password Manager

Troy Hunt, who operates the password protection service Have I Been Pwned and serves as a Microsoft regional director, has verified the large number of email addresses and passwords stolen.

He states, “I hate hyperbolic news headlines about data breaches, but for the ‘2 Billion Email Addresses’ headline to be hyperbolic, it’d need to be exaggerated or overstated, and it isn’t.”

The exact count from the recent hack stands at 1,957,476,021 individual email addresses. Mr Hunt revealed that the dataset includes “1.3 billion unique passwords, 625 million of which we’d never seen before either.”

woman typing on laptop

Using a password manager can help generate and store passwords, passkeys, credit card numbers, national insurance numbers, and much more

|

PEXELS

He also described the collection as “the most extensive corpus of data we’ve ever processed, by a significant margin.”

These stolen credentials appear in what cybercriminals call credential-stuffing lists. When hackers acquire login details from one breach, they systematically test those same combinations across numerous other platforms.

a mouse cursor moves over the Login box as someone has typed in a password into the text field

A single reused password can compromise dozens of accounts, turning one breach into multiple security failures across a person’s entire digital life

| GETTY IMAGES

This automated process exploits a common security weakness: people’s tendency to recycle passwords across different services. Criminals understand that someone using the same password for their email might also use it for banking, shopping or social media accounts. A single reused password can compromise dozens of accounts, turning one breach into multiple security failures across a person’s entire digital life.

Security experts recommend establishing distinct passwords for every online account, beginning with critical services such as banking platforms, financial applications, Apple ID and Google accounts. Less important websites can be updated afterwards, but the priority should be protecting accounts containing sensitive financial or personal information.