630M Passwords Stolen, FBI Reveals: What This Says About Credential Value

Troy Hunt, Founder and CEO of Have I Been Pwned (HIBP), revealed in a blog post that the FBI transferred to him a list of 630 million stolen credentials to add to HIBP’s database of compromised accounts. According to Hunt, “This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect.”
A single suspect reportedly collected all 630 million stolen credentials. If it wasn’t already clear that credentials are valuable to malicious actors, the effort this solo actor put into accumulating this data underscores it.
The silver lining in this scenario is that not all of the credentials were new. However, even if only a small portion of the 630 million credentials was new, that still represents a notable number of newly exposed credentials.
“We hadn’t seen about 7.4% of them in HIBP before, which might sound small, but that’s 46 million vulnerable passwords we weren’t giving people using the service the opportunity to block,” explains Hunt. “So, we’ve added those and bumped the prevalence count on the other 584 million we already had.”
“What’s striking isn’t just the scale,” says Matt Mills, President at SailPoint. “It’s the reminder that compromised passwords continue to create risk long after the original breach. The fact that 630 million credentials were recovered from a single individual’s devices underscores how durable and reusable identity data has become in the hands of attackers.”
The risk of compromised credentials can linger, making them a valuable target for malicious actors. This has been shown repeatedly, with various pieces of research from earlier this year revealing targeted attempts at stealing credentials — such as credential brute forcing campaigns and an 84% year-over-year rise in phishing emails featuring infostealers.
“This reinforces why organizations must treat identity as the primary control plane,” asserts Mills. “Least-privilege access, continuous access reviews, and reducing standing privileges are critical because breaches are no longer an ‘if,’ but a constant. When credentials inevitably leak, identity security determines whether attackers hit a dead end — or gain the keys to the vault.”
“Just as it’s hard to wrap your head around the scale of cybercrime, I find it hard to grasp that number fully,” remarks Hunt.






