FBI Confirms 630 Million Stolen Passwords — How To Check Yours Now - Forbes

December 14, 2025 at 3:30 PM

FBI confirms 630 million stolen passwords: how to check and protect yourself

The FBI has handed a massive trove of 630 million compromised passwords to Have I Been Pwned’s Pwned Passwords service after seizing multiple devices from a single hacker. While many credentials came from existing dumps traded on the open web, dark web markets, Telegram channels, and infostealer malware logs, 7.4% were new to HIBP — about 46 million previously unseen passwords now blocked by the service.

Key takeaways

  • 630 million stolen passwords provided to Have I Been Pwned by the FBI
  • Data originated from a single suspect’s seized devices
  • 7.4% (≈46 million) are brand-new to HIBP’s database
  • Sources include dark web markets, Telegram, and infostealer logs

How to check if your passwords are compromised

  1. Go to Pwned Passwords (part of Have I Been Pwned).
  2. Enter a password you use to see if it appears in the dataset. It’s safe: passwords are checked using hashed values and are not tied to personal identifiers.
  3. If a password appears, change it immediately everywhere it’s used.
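The hashed lookup behind step 2, as an added example that is not part of the article: Pwned Passwords' range API (https://api.pwnedpasswords.com/range/) accepts only the first five hex characters of the password's SHA-1 and returns every stored suffix for that prefix, so the match happens on your own machine. The sample response body is a constructed fixture with made-up counts, and fetch_range_live is the only function that touches the network.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real Pwned Passwords k-anonymity endpoint: only a 5-hex-char SHA-1 prefix is
# sent; the API answers with every suffix it has seen for that prefix plus a count.
RANGE_API = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count for the password (0 = not in corpus). The suffix match is
    done locally, so neither the password nor its full hash is transmitted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Query the real API over the network (HIBP requires a User-Agent)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed fixture standing in for a live reply to /range/5BAA6 (the prefix
# for "password"); the first suffix and both counts are made up for this example.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
garbage line without a count
"""

def demo() -> Tuple[int, int]:
    """Offline run: a known-leaked password and one absent from the fixture."""
    offline = lambda prefix: SAMPLE_RANGE_BODY
    return (pwned_count("password", offline),
            pwned_count("not-in-the-fixture-9f2c", offline))
```

Replace `offline` with `fetch_range_live` to check a real password against the live corpus; the count tells you how many times it appeared in known breaches.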

What to do now

  • Stop reuse: give every account a unique, strong password.
  • Use a password manager: a trusted standalone manager or built-in options like Apple Passwords can generate and store complex credentials you won’t need to memorize.
  • Turn on passkeys where supported for phishing-resistant sign-ins.
  • Enable two-factor authentication (2FA) on all important accounts.
  • Monitor accounts for suspicious logins to thwart credential-stuffing attacks.

Are password managers safe?
Yes. Security incidents make headlines, but the everyday risks of weak and reused passwords are far greater. A reputable password manager lets you create truly random, long passwords that are impossible to remember on your own, dramatically reducing the blast radius if one service is breached. The recommendation: choose a trusted vendor, prefer a dedicated app over a browser-only solution if you want separation, and secure your vault with a long, unique master password.

Why this matters
Even if many of the 630 million credentials are recycled from older leaks, attackers rely on credential stuffing at scale. Discovering your password in Pwned Passwords — and changing it everywhere you used it — can break that attack chain.

Update note
This guidance follows fresh reporting around a LastPass-related breach and Google’s confirmation of a ‘no password required’ attack vector, underscoring the urgency of moving to strong, unique passwords, passkeys, and 2FA now.

Source: https://www.forbes.com/sites/daveywinder/2025/12/14/fbi-confirms-630-million-stolen-passwords---how-to-check-yours-now/
