Disclosure: Some links in this article are affiliate links. If you purchase through our links, we may earn a commission at no extra cost to you. We only recommend products we genuinely trust.
The FBI recently handed over a massive collection of stolen passwords to a free security service that helps people find out if their information has been compromised. The number? 630 million passwords, all recovered from devices belonging to a single suspect.
That's not a typo. One person had collected over half a billion passwords from various sources across the internet. And while most of these passwords were already known to security researchers, about 46 million of them were completely new, meaning millions of people had no idea their passwords were floating around in criminal circles.
The good news is that this data is now being used to protect people rather than harm them. But the story is a wake-up call about how valuable your login information is to criminals and why taking a few simple steps today can save you from serious headaches later.
What Happened
Here's what we know based on reports from Troy Hunt, the security researcher who runs the free password-checking service Have I Been Pwned:
- The FBI seized devices from a suspect and found 630 million stolen passwords stored on them.
- The passwords came from multiple sources, including websites on the regular internet, hidden "dark web" marketplaces, messaging apps like Telegram, and malicious software designed to steal login information from infected computers.
- About 7.4% of the passwords (46 million) had never been seen before by security researchers. The rest were already in databases of known compromised passwords.
- The FBI shared all of this data with Have I Been Pwned so that regular people and businesses can check if their passwords are on the list and take action.
- The service now handles nearly 17.5 billion searches per month, up from 1.26 billion just four years ago. That's roughly 7,000 password checks every single second.
Why This Matters to Regular People
You might be wondering: why should I care about some criminal's password collection?
Here's the thing. When your password ends up on one of these lists, it doesn't just sit there. Criminals use stolen passwords in a few specific ways that can directly affect you.
Account takeover attacks. Criminals take lists of stolen email and password combinations and try them on popular websites like your bank, email provider, or social media accounts. If you use the same password in multiple places (and most people do), they can often get in on the first or second try.
Targeted scams. Once someone has access to your email or social media, they can pretend to be you. They might message your friends asking for money, or they might dig through your messages to find information they can use against you.
Identity issues. With enough information from your accounts, criminals can sometimes open credit cards, file fake tax returns, or cause other problems that take months to untangle.
The fact that one person had accumulated 630 million passwords shows just how much this information is worth on the criminal market. Passwords are currency. And unlike money, they can be copied and shared endlessly.
What My Research Found: How Many of These Passwords Were Predictable?
Earlier this year, I analyzed 50,000 passwords from real data breaches to understand why "strong" passwords still get cracked. The findings connect directly to what the FBI just recovered. The research received 2.3K+ upvotes on Reddit and revealed patterns that explain why massive password dumps like this are so valuable to attackers.
My dataset specifically targeted passwords that met traditional "complexity requirements," meaning they had 8+ characters, mixed case, numbers, and special characters. These were passwords people thought were secure. They weren't.
The patterns were disturbingly predictable:
- 68% used common letter substitutions like @ for "a," $ for "s," and 3 for "e." Attackers have known about these for years. Every cracking tool tests these variations automatically.
- 89% placed special characters at the end. If your password ends with "!" or "@," you're not alone, and neither is every hacker's dictionary.
- 94% put numbers at the end. Tacking "2024" or "123" onto your password doesn't make it secure when literally everyone does the same thing.
When I looked at specific patterns, the numbers got worse. I found 1,247 variations of "P@$$w0rd" in a 50,000-password sample. Another 3,891 passwords followed the [Name][Year]! format. And 2,156 used keyboard walks like "qwerty" or "asdf."
Here's the uncomfortable math: Given the predictable patterns I found, I estimate that 60 to 70% of the passwords in the FBI's 630 million collection could be cracked in under 24 hours using standard techniques and hardware. That's potentially 400 million passwords that offer almost no real protection.
The password checkers most people use don't help either. In my testing, popular online checkers rated "P@$$w0rd2024!" as "very strong" while giving "correcthorsebatterystaple" only a "medium" rating. The actual crack times? Six hours versus 11 million years.
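To make the patterns above concrete, here is a small Python checker, written for this article as an added example (it is not the author's analysis script), that flags the four habits the list describes: leet substitutions, a trailing special character, trailing digits, the [Name][Year]! shape, and keyboard walks. The base-word dictionary and the sample passwords are constructed for the demo; a real tool would use a large wordlist. It also shows why "P@$$w0rd2024!" passes the classic complexity rule yet trips three patterns, while "correcthorsebatterystaple" fails the rule and trips none.

```python
import re

# Leet substitutions named in the text (@ for a, $ for s, 3 for e) plus three
# more handled the same way; mapping them back exposes the base word.
LEET = str.maketrans({"@": "a", "$": "s", "3": "e", "0": "o", "1": "i", "4": "a"})

# Constructed stand-in for a real dictionary of common base words (assumption).
BASE_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# QWERTY rows; any run of 4+ adjacent keys, in either direction, is a walk.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
WALK_LEN = 4


def meets_complexity(pw):
    """The traditional '8+ chars, mixed case, a digit, a special' rule."""
    return bool(len(pw) >= 8 and re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
                and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))


def has_keyboard_walk(pw):
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + WALK_LEN] in s for i in range(len(r) - WALK_LEN + 1)):
                return True
    return False


def predictable_patterns(pw):
    """Return the set of predictable-pattern names the password exhibits."""
    found = set()
    if re.search(r"[^A-Za-z0-9]$", pw):
        found.add("trailing_special")
    # Peel off trailing specials, then look for trailing digits underneath.
    stripped = re.sub(r"[^A-Za-z0-9]+$", "", pw)
    if re.search(r"\d$", stripped):
        found.add("trailing_digits")
    # Capitalised word + four-digit year + one special, e.g. Summer2024!
    if re.fullmatch(r"[A-Z][a-z]{2,}(19|20)\d{2}[^A-Za-z0-9]", pw):
        found.add("name_year_special")
    # De-leet what is left after the trailing digits; if that is a dictionary
    # word, the substitutions added no real unpredictability.
    core = re.sub(r"\d+$", "", stripped)
    deleet = core.translate(LEET)
    letters = re.sub(r"[^a-z]", "", deleet.lower())
    if deleet != core and letters in BASE_WORDS:
        found.add("leet_substitution")
    if has_keyboard_walk(pw):
        found.add("keyboard_walk")
    return found


def summarize(passwords):
    """Count each pattern among the passwords that pass the complexity rule."""
    counts = {"complex": 0, "trailing_special": 0, "trailing_digits": 0,
              "name_year_special": 0, "leet_substitution": 0, "keyboard_walk": 0}
    for pw in passwords:
        if not meets_complexity(pw):
            continue
        counts["complex"] += 1
        for name in predictable_patterns(pw):
            counts[name] += 1
    return counts


# Constructed sample: six "complex" passwords built the way the text describes,
# plus one passphrase that fails the complexity rule but triggers no pattern.
SAMPLE = ["P@$$w0rd2024!", "Summer2024!", "Qwerty123!", "Dragon1999!",
          "L3tm3in!", "xK9#mQ2vL!p7Rz", "correcthorsebatterystaple"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:28} complex={meets_complexity(pw)!s:5} "
              f"{sorted(predictable_patterns(pw))}")
    print(summarize(SAMPLE))
```

Run on the constructed sample, five of the six rule-passing passwords end in a special character and four end in digits, mirroring the skew the study describes; the random 14-character string and the passphrase trip nothing. A checker that reports these pattern hits gives more useful feedback than one that only counts character classes.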
The patterns criminals look for are exactly the patterns humans naturally create. That's why these massive password dumps are so valuable to attackers, and it's why you need to think differently about your passwords.
What You Should Do Today
The good news is that protecting yourself doesn't require any technical knowledge. Here's a simple checklist you can work through right now.
1. Check if your email address has been involved in known breaches.
Visit haveibeenpwned.com and type in your email address. This free service, run by security researcher Troy Hunt, will tell you if your email has appeared in any known data breaches. If it has, you'll see which breaches and what type of information was exposed.
Don't panic if you see results. Most people who have used the internet for more than a few years will show up in at least one breach. The important thing is what you do next.
2. Change passwords for any accounts that show up as compromised.
Start with your most important accounts: email, banking, and anything connected to your finances. When you create new passwords, follow these guidelines:
- Make them long. Aim for at least 16 characters. Longer passwords are dramatically harder to crack.
- Make them unique. Never reuse a password across different accounts. If one account gets breached, you don't want criminals to have the keys to everything else.
- Don't use obvious information. Avoid birthdays, pet names, addresses, or anything someone could guess or find on your social media.
Use our free password generator to create strong, random passwords that haven't appeared in any known breach.
3. Add an extra layer of protection to your most important accounts.
Most major services now offer something called two-factor authentication (sometimes called 2FA or multi-factor authentication). This means that even if someone has your password, they also need a second piece of proof to log in, usually a code sent to your phone or generated by an app.
To set this up, look in the security settings of your email, bank, and social media accounts. The option is usually called "two-factor authentication," "two-step verification," or something similar. It takes about five minutes to set up and makes your accounts much harder to break into.
4. Consider using a password manager.
If the idea of remembering dozens of unique, long passwords sounds impossible, you're not alone. That's exactly the problem password managers solve. These tools generate strong passwords for you and remember them so you don't have to.
Popular options include 1Password, Bitwarden, and the password managers built into your phone or browser. Most have free versions that work perfectly well for personal use.
5. Watch for follow-up scams.
After major breach news like this, scammers often send fake emails pretending to be security alerts. They might say your account has been compromised and ask you to click a link to "verify" your information. This is almost always a trick to steal your real password.
Red flags to watch for:
- Emails that create urgency ("Act now or lose your account!")
- Links that don't go to the company's real website
- Requests for your password (legitimate companies never ask for this via email)
- Poor spelling or grammar
- Sender addresses that look slightly off (like "security@amaz0n.com" instead of the real Amazon)
If you're ever unsure, don't click the link. Instead, go directly to the company's website by typing the address yourself and log in from there.
Common Questions
Q: How do I know if my specific password was in the 630 million?
A: Have I Been Pwned has a separate tool called Pwned Passwords where you can check if a specific password has appeared in any known breach. Visit haveibeenpwned.com/Passwords and enter the password you want to check. The site uses a secure method that doesn't actually send your full password over the internet, so it's safe to use.
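The "secure method" the answer refers to is the range (k-anonymity) lookup: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service returns every hash suffix that begins with that prefix, and the client does the final match locally. The Python below is an added example written for this article (not Have I Been Pwned's own client code) showing that exchange. The endpoint URL and the Add-Padding header are the real ones; the reply bodies in FAKE_RANGES are constructed so the demo runs offline, except that the suffix for SHA-1("password") is its actual value.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def split_hash(password):
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines a range reply contains into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 if absent).
    fetch_range(prefix) returns the reply body for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real network fetch; not used by the offline demo below. Add-Padding asks
    the service to pad the reply with count-0 entries so its size does not
    reveal which prefix was queried."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-demo", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed replies keyed by prefix. Only the SHA-1("password") suffix is
# real; every count and every other suffix is made up for the demo.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # SHA-1("password") minus prefix
        "FEDCBA9876543210FEDCBA9876543210FED:0",      # padding entry, count 0
    ]),
    "A9993": "\n".join([  # prefix of SHA-1("abc"); its suffix is deliberately absent
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:7",
    ]),
}


def fetch_range_fake(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "abc"]:
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: sends only {prefix}, seen {breach_count(pw, fetch_range_fake)} times")
```

The point to notice is that breach_count can be handed fetch_range_live without any other change: the server only ever learns a five-character prefix shared by hundreds of unrelated hashes, which is why checking a password this way is safe even though the plaintext is never transmitted.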
Q: If my password was stolen, does that mean someone has accessed my accounts?
A: Not necessarily. It means your password is on a list that criminals might use, but it doesn't mean anyone has actually tried to use it yet. Think of it like finding out your house key was copied. It doesn't mean someone has broken in, but it does mean you should change the locks.
Q: Why would one person collect 630 million passwords?
A: Stolen passwords are valuable. Criminals sell them, trade them, or use them to break into accounts. Someone with this many passwords could either be selling them to other criminals or using them for large-scale automated attacks against thousands of websites.
Q: Is Have I Been Pwned safe to use?
A: Yes. The service is run by Troy Hunt, a well-respected security researcher who has worked with law enforcement agencies around the world. The site doesn't store your searches or require you to create an account. It simply tells you if your email or password appears in known breach databases.
Q: What if I don't want to change all my passwords?
A: At minimum, change the passwords for your email accounts and anything connected to money (banks, payment apps, shopping sites with saved payment info). Your email is especially important because it's usually the key to resetting passwords on everything else.
The Bottom Line
Finding out that 630 million passwords were collected by a single criminal is unsettling. But here's the reassuring part: you have more control over your security than you might think.
The passwords that end up on these lists often come from old breaches, weak passwords, or malware infections that could have been prevented. By using unique passwords, adding two-factor authentication to your important accounts, and staying alert to scams, you make yourself a much harder target.
Criminals go after easy wins. Don't be one.
Take 15 minutes today to check your email on Have I Been Pwned and update your most important passwords. That small investment of time can save you from much bigger problems down the road.
Need a strong, unique password right now? Use our free password generator to create one that's long, random, and hasn't appeared in any known breach.