Processing 630 Million More Pwned Passwords, Courtesy of the FBI

13 December 2025


The sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day. It’s not just the volume of data, but also the extent to which it replicates across criminal actors seeking to abuse it for their own gain, and to our detriment.

We were reminded of this recently when the FBI reached out and asked if they could send us 630 million more passwords. For the last four years, they’ve been sending over passwords found during the course of their investigations in the hope that we can help organisations block them from future use. Back then, we were supporting 1.26 billion searches of the service each month. Now, it’s… more:

Just as it’s hard to wrap your head around the scale of cybercrime, I find it hard to grasp that number fully. On average, that service is hit nearly 7 thousand times per second, and at peak, it’s many times more than that. Every one of those requests is a chance to stop an account takeover. But the real scale goes well beyond the API itself. Because the data model is open source and freely available, many organisations use the Pwned Passwords Downloader to take the entire corpus offline and query it directly within their own applications. That tool alone calls the API around a million times during download, but the resulting data is then queried… well, who knows how many times after that. Pretty cool, right?

This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect. The data appeared to have originated from both the open web and Tor-based marketplaces, Telegram channels and infostealer malware families. We hadn’t seen about 7.4% of them in HIBP before, which might sound small, but that’s 46 million vulnerable passwords we weren’t giving people using the service the opportunity to block. So, we’ve added those and bumped the prevalence count on the other 584 million we already had.

We’re thrilled to be able to provide this service to the community for free and want to also quickly thank Cloudflare for their support in providing us with the infrastructure to make this possible. Thanks to their edge caching tech, all those passwords are queryable from a location just a handful of milliseconds away from wherever you are on the globe.

If you’re hitting the API, then all the data is already searchable for you. If you’re downloading it all offline, go and grab the latest data now. Either way, go forth and put it to good use and help make a cybercriminal’s day just that much harder 😊
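An added example, not code from the original post or from the HIBP project: a minimal Python check of a candidate password against Pwned Passwords range data, in the `SUFFIX:COUNT` form the range API returns for a 5-character SHA-1 prefix. The `load_range` callable, the threshold policy and the sample store are assumptions for illustration; the sample counts are constructed.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines stored for one 5-character prefix."""
    counts = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {raw!r}")
        if int(count) > 0:  # a count of 0 marks a padding entry, not a real hit
            counts[suffix.upper()] = int(count)
    return counts

def prevalence(password: str, load_range) -> int:
    """How many times the password appears in the corpus (0 if absent)."""
    digest = sha1_hex(password)
    # Only the 5-character prefix selects the range; the suffix is compared locally.
    return parse_range(load_range(digest[:5])).get(digest[5:], 0)

def is_blocked(password: str, load_range, threshold: int = 1) -> bool:
    """Hypothetical policy: reject once prevalence reaches the threshold."""
    return prevalence(password, load_range) >= threshold

def _constructed_store() -> dict:
    # Constructed sample data: the counts are invented for illustration.
    store = {}
    for pw, count in (("password", 1000), ("P@ssw0rd", 25)):
        digest = sha1_hex(pw)
        store.setdefault(digest[:5], []).append(f"{digest[5:].lower()}:{count}")
    for lines in store.values():
        lines.append("0" * 35 + ":0")  # constructed padding-style entry
    return {prefix: "\r\n".join(lines) for prefix, lines in store.items()}

SAMPLE = _constructed_store()

def load_sample(prefix: str) -> str:
    """Stand-in for reading a downloaded range file or calling the API."""
    return SAMPLE.get(prefix, "")

if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "xK9#vQ2!mZr7wLp4"):
        print(candidate, prevalence(candidate, load_sample),
              is_blocked(candidate, load_sample, threshold=100))
```

In a real deployment, `load_sample` would be replaced by a function that returns the stored range for the given prefix, whether from the offline corpus or from the API.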


Hi, I’m Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
