2 Billion Passwords Exposed: Why Credential Reuse Is an Overlooked Threat MEA Organisations Face
On November 6, 2025, Troy Hunt's Have I Been Pwned reported the largest credential dataset ever indexed: 1.95 billion unique email addresses and 1.3 billion unique passwords aggregated from credential-stuffing lists discovered across malicious internet sources.
The data does not come from a new breach. It is a collection of email-and-password pairs harvested from earlier breaches, aggregated by threat intelligence firm Synthient and shared with HIBP so that affected users could be notified.
Yet this seemingly routine update illustrates a threat that MEA organisations systematically overlook: old passwords from old breaches become master keys to current accounts through credential reuse.
The Scale: Understanding What 2 Billion Credentials Means
To put the dataset in context:
- 1.95 billion unique email addresses (rounded from 1,957,476,021)
- 1.3 billion unique passwords (625 million never before seen in Pwned Passwords)
- 32 million different email domains represented in the dataset
To put this in perspective: the previous largest dataset HIBP loaded, Collection #1 in 2019, contained approximately 773 million unique email addresses. This new dataset is about 2.5 times larger.
The technical infrastructure required to process this volume was extraordinary. Troy Hunt's team had to:
- Max out Azure SQL Hyperscale at 80 cores for almost two weeks
- Rewrite database processes multiple times as standard update queries crashed
- Implement novel batching strategies to process 1 million records at a time
- Redesign email notification delivery to avoid overwhelming mail servers
The Critical Distinction: This Isn't a "Gmail Breach"
Initial media coverage created confusion: "Gmail Leaked 2 Billion Passwords." This is misleading.
gmail.com is the single largest domain among the 32 million represented, at roughly 394 million unique addresses, about 20% of the total. The remaining 80% is spread across every other email provider, corporate domains, educational institutions and countless smaller services.
Gmail itself didn’t suffer a security breach. Gmail users appeared in this dataset because their credentials were compromised in other, unrelated breaches, then aggregated into credential-stuffing lists specifically designed to test if those credentials work on completely different services.
This is a crucial distinction because it reveals the actual threat mechanism.
The Real Threat: Password Reuse Across Unrelated Accounts
Here's how credential-stuffing attacks work, and why a dataset of this size is a serious threat to any organisation that still relies on passwords alone:
- A small forum gets breached. User credentials (email + password) are exposed.
- Attackers acquire these credentials and create a "stuffing list" — a file containing thousands or millions of email-password pairs.
- Attackers attempt to log into completely unrelated services using these same credentials: Gmail, banking platforms, corporate VPNs, shopping sites, SaaS tools.
- If users reused passwords, the attack succeeds. The attacker gains access to accounts unrelated to the original breach.
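The four steps above are also what a defender sees from the other side: one source trying many different accounts roughly once each, mostly failing, with an occasional success on an account whose owner reused a password. The following is an added example, not code from the original article or from HIBP, that runs that heuristic over a constructed authentication log (the IPs, usernames and timestamps are made up; the log format, thresholds and function names are assumptions for the demo). It separates credential stuffing (many distinct users, about one try each) from ordinary password guessing against a single account, and lists the accounts that succeeded from a flagged source, since those are the ones to reset first.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real traffic): timestamp, source IP, username, result.
# 203.0.113.10 sprays many different accounts once each (stuffing); one hit on dave.
# 198.51.100.7 hammers a single account (password guessing, not stuffing).
# 192.0.2.44 is a normal successful login.
SAMPLE_LOG = """\
2025-11-07T08:00:01Z 203.0.113.10 alice@example.com FAIL
2025-11-07T08:00:02Z 203.0.113.10 bob@example.com FAIL
2025-11-07T08:00:02Z 203.0.113.10 carol@example.com FAIL
2025-11-07T08:00:03Z 203.0.113.10 dave@example.com SUCCESS
2025-11-07T08:00:03Z 203.0.113.10 erin@example.com FAIL
2025-11-07T08:00:04Z 203.0.113.10 frank@example.com FAIL
2025-11-07T08:00:05Z 203.0.113.10 grace@example.com FAIL
2025-11-07T08:00:06Z 203.0.113.10 heidi@example.com FAIL
2025-11-07T08:01:00Z 198.51.100.7 alice@example.com FAIL
2025-11-07T08:01:05Z 198.51.100.7 alice@example.com FAIL
2025-11-07T08:01:09Z 198.51.100.7 alice@example.com FAIL
2025-11-07T08:01:14Z 198.51.100.7 alice@example.com SUCCESS
2025-11-07T08:02:00Z 192.0.2.44 ivan@example.com SUCCESS
"""

# Assumed log format for the demo: "<timestamp> <ip> <user> SUCCESS|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAIL)$")


def summarise_by_source(log_text):
    """Aggregate attempts, failures, distinct usernames and successful logins per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "SUCCESS":
            s["successes"].append(m["user"])
        else:
            s["failures"] += 1
    return stats


def classify_source(s, min_users=5, min_failure_ratio=0.7, min_user_ratio=0.8):
    """Stuffing: many distinct users, ~1 try each, mostly failing.
    Guessing: one user, repeated tries, mostly failing. Anything else: benign."""
    attempts = s["attempts"]
    failure_ratio = s["failures"] / attempts
    user_ratio = len(s["users"]) / attempts  # close to 1.0 when each account is tried once
    if len(s["users"]) >= min_users and failure_ratio >= min_failure_ratio and user_ratio >= min_user_ratio:
        return "credential_stuffing"
    if attempts >= 4 and len(s["users"]) == 1 and failure_ratio >= min_failure_ratio:
        return "password_guessing"
    return "benign"


def detect(log_text):
    """Return per-source verdicts plus the accounts that succeeded from a flagged source."""
    findings = {}
    for ip, s in summarise_by_source(log_text).items():
        verdict = classify_source(s)
        findings[ip] = {
            "verdict": verdict,
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            # a successful login from a flagged source is a reused password that worked: reset first
            "compromised": sorted(s["successes"]) if verdict != "benign" else [],
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

The discriminator is the ratio of distinct usernames to attempts, not the failure count alone: a brute-force tool and a stuffing tool both fail most of the time, but only stuffing touches a new account on nearly every request. Real campaigns are spread across proxy and residential IP pools to stay under per-IP thresholds, so in production the same aggregation should also be run per ASN, per client fingerprint and per time window.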
Troy Hunt asked HIBP subscribers whether the exposed passwords were familiar. One reply:
“Yes, these are familiar. I used them almost 10 years ago... and cannot recall the last time I used them.”
The alarming part: some of those passwords were still in use on live accounts.
The pattern was consistent across respondents: old passwords from old breaches still protecting current accounts, because the underlying problem, credential reuse, has never been addressed.
Why Credential Reuse Is an Overlooked Epidemic
The statistics reveal the scale of the problem:
- 78% of individuals reuse passwords across multiple accounts
- 70% of Fortune 1000 employees reuse passwords across corporate systems
- Employees maintain an average of 16 workplace accounts, which drives reuse
- 49% of IT security professionals share passwords with coworkers to access business accounts
- 46% of IT security leaders store passwords in shared documents
MEA organisations are particularly vulnerable because:
- Limited Authentication Infrastructure: Many MEA organisations still rely primarily on passwords without robust multi-factor authentication.
- Shadow IT and Legacy Systems: Hybrid environments mix modern cloud services with legacy systems that don't support advanced authentication.
- Skill Shortage: MEA accounts for 12% of the global cybersecurity talent deficit (4.8 million unfilled roles globally).
- User Friction: Employees manage credentials for 89 different applications on average, making password reuse all but inevitable without tooling.
The Numbers: How This Breach Impacts MEA Organisations
While the dataset was aggregated globally, MEA organisations face particular exposure.
Direct Breach Impact
- If 3% of the 1.95 billion addresses are MEA-based (a conservative assumption), roughly 60 million MEA credentials are now in credential-stuffing lists.
- Each credential represents a potential entry point into unrelated MEA business accounts.
- These credentials should be assumed to be in active use against MEA banking, government and enterprise login pages; stuffing lists circulate precisely so that they can be replayed.
Credential Reuse Amplification
- 67% of MEA breaches involved compromised credentials.
- The average cost of a data breach in the Middle East is $8.75 million (IBM Cost of a Data Breach Report 2024).
- Organisations with a severe security skills shortage experience breaches costing $1.76 million more on average (IBM, 2024).
Cascading Risk
- A single employee’s reused password becomes an entry point.
- Attackers exploit that access to move laterally.
- A password leaked 10+ years ago can still enable today’s compromises.
What The Kernel Learned From This Breach
At The Kernel, we've prevented hundreds of attacks across MEA. The pattern is almost always the same:
- Initial compromise involves credential theft or phishing.
- Stolen credentials come from previous breaches or social engineering.
- Credential reuse allows one password to unlock multiple systems.
- Lateral movement follows authenticated access to high-value targets.
This isn’t a failure of any single organisation — it’s a failure of the password-based authentication model itself.
The Solution: Moving Beyond Passwords
Troy Hunt’s recommendations for individuals include:
- Check haveibeenpwned.com
- Change affected passwords everywhere
- Enable two-factor authentication
- Use password managers for unique passwords
These are essential, but they don’t solve the systemic issue.
Hardware-Based Authentication
FIDO2/WebAuthn hardware keys (e.g. YubiKey) take the password out of the login path when deployed passwordless, so there is nothing left to reuse:
- A stolen password alone cannot grant access
- Phishing cannot redirect the login: the credential is bound to the site's origin, so a signature obtained on a look-alike domain is useless against the real one
- Account takeover through leaked credentials becomes far harder
Even if an attacker holds a password from the 2B dataset, hardware-bound authentication blocks them, provided the account keeps no weaker fallback (SMS codes, password-only recovery, legacy protocols that bypass MFA) that the attacker can downgrade to.
Integrated Identity Management
Tools like 1Password reduce reuse by:
- Generating unique, complex passwords
- Eliminating memory burden
- Encrypting password vaults
- Checking stored passwords against known-breached lists (1Password's Watchtower queries HIBP's Pwned Passwords)
Zero Trust Architecture
EgoMind's Zero Trust framework moves beyond a one-time password check at login to:
- Continuous verification
- Context-aware authentication
- Behavioral anomaly detection
- Automatic session termination
Practical Steps for MEA Organisations
Immediate Actions (This Week)
- Check Exposure: Use HIBP's domain search, which lists every breached address on a domain you can prove you control, rather than relying on individual employees to check haveibeenpwned.com
- Identify Reuse: Check directory password hashes against Pwned Passwords and flag any hash shared by more than one account
- Change Passwords: Especially for email, VPN, admin, and finance systems
- Inform Stakeholders: Notify and initiate change management
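Two of the steps above, checking exposure and identifying reuse, can be done without sending a password or a full hash anywhere, using the k-anonymity model of HIBP's Pwned Passwords API: the client sends only the first five hex characters of the SHA-1, receives every suffix in that range (a few hundred to a thousand), and does the match locally. The block below is an added example, not code from the article or from HIBP; the HTTP helper uses the real /range/ endpoint and its Add-Padding header, but the demo runs offline against a constructed response body whose counts are made up, and the account/password pairs fed to the reuse check are invented. In a real audit you would feed directory password hashes (the API also accepts NTLM hashes with mode=ntlm) rather than plaintexts, and the reuse check only sees reuse inside your own directory; reuse across unrelated external services is exactly what it cannot see, which is where a password manager's breach monitoring comes in.

```python
import hashlib
import urllib.request
from collections import defaultdict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """SHA-1 of the password, split into the 5-hex-char prefix that is sent
    to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines. Padded responses include dummy suffixes
    with count 0 to hide the true size of the range; drop those."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_http(prefix):
    """Live lookup against the real endpoint (not used by the offline demo).
    Only the 5-char prefix leaves the machine; Add-Padding asks for a padded response."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "mea-credential-audit", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_http):
    """Number of times this password appears in Pwned Passwords (0 if never seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_reuse(credentials):
    """Group accounts that share a password, comparing hashes rather than plaintexts.
    Returns {sha1_hex: [accounts]} for every hash used by more than one account."""
    by_hash = defaultdict(list)
    for account, password in credentials:
        by_hash[hashlib.sha1(password.encode("utf-8")).hexdigest()].append(account)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


# --- Constructed offline fixture (assumption for the demo, not real API data) ---
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6.
# The body imitates the /range/5BAA6 response format; the counts are made up, and the
# third line is a padding entry with count 0 that the parser must ignore.
FAKE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A2D7D1D3F6C2B8A1E0C9D8B7A6F5E4D3:0
"""


def fake_fetch(prefix):
    """Stand-in for fetch_range_http: serves the fixture for 5BAA6, an empty range otherwise."""
    return FAKE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Constructed account/password pairs for the reuse check (invented, not real users).
    sample_credentials = [("alice", "password"), ("bob", "Summer2025!"), ("carol", "password")]
    for account, pw in sample_credentials:
        print(account, "seen in breaches:", pwned_count(pw, fake_fetch))
    print("reused hashes:", find_reuse(sample_credentials))
```

For a live check, call pwned_count(pw, fetch_range_http); the default argument already points there, so the fake is only injected for the offline demo. Keep the Add-Padding header in production: without it, the size of the response leaks which prefix was queried to anyone watching the connection.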
Short-Term Actions (This Month)
- Assess Infrastructure: Identify password-only systems
- Prioritise MFA: Deploy to admin, email, finance, and cloud accounts
- Deploy Password Manager: Enforce unique passwords and monitor reuse
Medium-Term Actions (This Quarter)
- Implement Hardware Auth: Pilot then expand organization-wide
- Adopt Zero Trust: Begin rollout starting with high-risk systems
- Integrate Solutions: Connect identity and privilege management systems
The Kernel’s Role in Your Response
At The Kernel, we help MEA organisations shift from reactive response to architectural prevention.
Our approach:
- Assessment: Identify password reliance and reuse
- Strategy: Build a roadmap for immediate, medium, and long-term improvements
- Implementation: Deploy solutions with partners (Yubico, 1Password, EgoMind, Fudo Security)
- Management: Continuously optimize and adapt as threats evolve
From Incident Response to Prevention
The 2 billion credentials exposed represent a decade of breaches and credential-stuffing attacks.
They remind us that breaches are interconnected — each one enabling the next through password reuse.
MEA organisations can reactively check exposure and enable MFA.
But true security comes when we recognise:
Passwords are the common thread. Eliminating passwords eliminates that threat.
We believe MEA organisations deserve trust architectures stronger than passwords.
After 30 years of experience, The Kernel understands that now is the moment to accelerate the transition.
Ready to move beyond passwords?
Discover how The Kernel’s authentication and identity solutions eliminate password reuse vulnerability at www.thekernel.com.