What should I do about Synthient Credential Stuffing Threat Data
Comments
-
DorsetDave3 said:
I have received an email from Have I Been Pwned, which I am signed up to, to say that 2 billion email addresses have been compromised. Do I need to change my password?
Read the linked article in the email. This is a combination of previous data hacks all shoved together to make one new one (effectively). The attacker just used the previous data sets from different data breach sources from eons ago, and hence you just can't pinpoint the exact organisation that got breached.
Pwned has a search option to see if a password you've used has been featured in a breach, and if you use that password anywhere, go and change it.
TL;DR - if you've been regularly changing passwords then you should be okay.
4 -
DorsetDave3 said:
... NB I have been a member of this Forum for at least 10 years [DorsetDave, 1, 2, 3] but it says I can't post a link! ]
Your current profile says you've been a member since 2020, but have only made 3 posts, so that may be why you can't post a link yet. The system won't link 3 to 1 and 2.
I’m a Forum Ambassador and I support the Forum Team on the In My Home MoneySaving, Energy and Techie Stuff boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
All views are my own and not the official line of MoneySavingExpert.
1 -
I hope you are now using a good quality Password Manager to generate & store your passwords.
Two good free PWMs are (a) Bitwarden (b) Proton PWM.
I suggest:
1. For the email address you have been notified of, just generate and change the password for a long and complex one (say 20 characters at least) then store it in the PWM.
2. Make sure you use a different password for each website you sign into.
3. If you want extra security, also use some form of 2FA.
0 -
Thanks for the answers so far. Much appreciated.
I should say I am in my 85th year alive on this planet. I am self taught with computers. As I said I have been using this Forum for a long time. Initially I signed up as DorsetDave. But I recall there was some sort of upgrade with the Forum and I had to re-register. But it wouldn't let me register with my original handle. So I became DorsetDave1. It happened several times and eventually I became DorsetDave3, which it says on the header I have been for 5 years. I tried to get help from this site but it's so big now it was difficult to find someone to sort out the problem. I gave up posting because of this but several posts by others since have been useful to look at.
I used to read on the internet that you shouldn't have the same password for all your accounts. I am housebound now apart from using taxis and a mobility scooter so I do buy just about everything I need with lots of different accounts and passwords online. I got so many I had to buy an A to Z book to put them all in. Having to change all these accounts with firms etc would be a huge challenge.
I am wary of the internet and don't know how a password manager works and feel you are very open to abuse if you put yourself about too much. So I have no social media accounts. I see big companies like Land Rover, M&S etc getting into trouble so little old me doesn't have a chance I feel.
So getting an email to say my email address has been 'Pwned' is very worrying.
Regards to All - David
0
-
The email you received is a notification from Have I Been Pwned, which is a legitimate service. It’s letting you know that your email address appeared in a large data breach somewhere on the internet. That sounds dramatic, but it doesn’t mean your computer has been hacked and it doesn’t mean someone has access to your accounts.
An important distinction is whether the breach included a password. Many big leaks only contain lists of email addresses. In those cases, you don’t need to change anything.
You only need to update a password if:
• the breach included a password, and
• you still use that same password on any accounts today.
If the breach only shows your email address, there’s no action required. It’s extremely common for old mailing lists or customer databases to leak years later.
If you want to check the details of the breach, you can type your email address into the Have I Been Pwned website and it will show you exactly what information was involved.
No need to reset dozens of passwords. Just focus on any account where the same password may have appeared in a breach, and update those ones only.
1
-
If you have different passwords for all your online accounts (in your A-Z) then you have little to worry about if one password gets compromised, as only that account will be exposed.
Most banks, and many institutions handling financial transactions, use two factor authentication (2FA), where you get a verification through something like your mobile phone when you log in. That gives you extra security should the account get compromised.
Password managers are pretty robust these days. Something like Bitwarden, which is free to use and means you only have one master password to remember. All other login details are then picked up by that, generally through your browser, so that everything else is filled in automatically for you. It works.
Just make sure you know your master password and that it is suitably complicated, as they cannot help you if you lose it.
0 -
To get an email from "Have I Been Pwned" you or a friend will have registered for their (free) service in the past.
They are emailing you with details of the breach so you can decide what to do.
I was also worried by this email notification at first, and it took me a few days to decide what to do about it, and I'm an IT professional so I understand all the details.
The first confusing part of this breach is, you likely don't have a relationship with Synthient and have never heard of them. Synthient in this story are 'one of the good guys'. They didn't hack this data or get hacked, they have found this data being sold on various criminal forums and have done the work to collect the stolen data and email the original owners out of the goodness of their heart (or a more cynical read would be they've done it for the publicity).
The haveibeenpwned website has a good summary (I'm not allowed to post links either). I'll bold the key bits and cut out irrelevant details:
During 2025, [...] Synthient aggregated 2 billion unique email addresses [...] found across multiple malicious internet sources.
Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords.
The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords.
[...] Synthient partnered with [HaveIBeenPwned] to help victims of cybercrime understand their exposure.
Next steps for you, @DorsetDave3, would be to work out if any of the passwords in your A-Z book are one of the 1.3 billion that Synthient found being sold, and if so change them.
This is one of the tasks a password manager software can usually do for you, which is why people often recommend them. Without a password manager, there is a way to do this manually on the HIBP website, but before you go down this route be very sure it's the real HIBP website, and I wouldn't be surprised if you don't want to trust a stranger on the internet asking you to type passwords into a website.
Personally I recommend that it might be simplest to change your most important passwords that would be attractive to a hacker like bank/email/amazon and be reassured that all the other random ecommerce accounts are 'small fry' for what these hackers are usually targeting.
By the way, the above advice stands if your passwords are strong and random. If there is any pattern to your passwords, it really does warrant changing as many as you can face. For example if a hacker finds out your amazon password is 'FluffyTheD0gAmazon' they may be motivated to try 'FluffyTheD0gGoogle' on your gmail account.
If you'd be sad if a hacker stole the account or accessed your data, it's worth changing the password. And if not, it might be worth asking the company to delete your account so you don't have to worry about that particular account being featured in any future breaches.
1 -
It never hurts to change your password if you're even the slightest bit concerned that it has been breached. That said, this particular breach seems to be a compilation of older breaches, so if you've changed your password in the past because of a previous breach then it's "probably" okay.
0
-
DorsetDave3 said:
Thanks for the answers so far. Much appreciated.
I should say I am in my 85th year alive on this planet. I am self taught with computers. As I said I have been using this Forum for a long time. Initially I signed up as DorsetDave. But I recall there was some sort of upgrade with the Forum and I had to re-register. But it wouldn't let me register with my original handle. So I became DorsetDave1. It happened several times and eventually I became DorsetDave3, which it says on the header I have been for 5 years. I tried to get help from this site but it's so big now it was difficult to find someone to sort out the problem. I gave up posting because of this but several posts by others since have been useful to look at.
I used to read on the internet that you shouldn't have the same password for all your accounts. I am housebound now apart from using taxis and a mobility scooter so I do buy just about everything I need with lots of different accounts and passwords online. I got so many I had to buy an A to Z book to put them all in. Having to change all these accounts with firms etc would be a huge challenge.
I am wary of the internet and don't know how a password manager works and feel you are very open to abuse if you put yourself about too much. So I have no social media accounts. I see big companies like Land Rover, M&S etc getting into trouble so little old me doesn't have a chance I feel.
So getting an email to say my email address has been 'Pwned' is very worrying.
Regards to All - David
A password manager is more or less a digital version of the A-to-Z book you describe. You need to create and memorise a very strong "master password" (think a very strong password, usually 20-30+ characters) which then protects an encrypted digital book containing all your other passwords. It allows you to set ridiculously strong and unique passwords for every online service you use that you otherwise would never remember.
The password manager remembers them for you, and although yes it is a honeypot if hackers ever get into it, if you set it up securely, it is infinitely better than using weak passwords, or reusing them across sites.
For example, I use 99-128 character, fully random alpha-numeric + symbols for every site that supports it. Some sites have upper limits on password length, meaning I need to reduce the length/complexity, but even then the goal is to use the absolutely strongest password you possibly can for every site. To access my vault, I've memorised a single password, very strong, which then means I don't need to memorise anything else.
Also, make sure to add MFA to absolutely every service that accepts it. Passkeys are also something worth looking into for the sites that support them as well.
0
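Added example (not part of any post in this thread, and not HIBP's own code): a Python sketch of how the Pwned Passwords range lookup mentioned in the thread can check the entries of an A-to-Z book while sending only the first five characters of each password's SHA-1 hash, never the password itself. The breached list, the `fake_range_endpoint` stand-in server and all function names are constructed for illustration so the block runs offline.

```python
import hashlib

# Constructed sample: passwords we pretend are in the breach corpus, with counts.
SAMPLE_BREACHED = {"FluffyTheD0gAmazon": 3, "password": 1000}
seen_by_server = []  # everything the stand-in server is ever sent


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    seen_by_server.append(prefix)
    rows = [f"{sha1_hex(p)[5:]}:{n}" for p, n in SAMPLE_BREACHED.items()
            if sha1_hex(p).startswith(prefix)]
    rows.append("0" * 35 + ":0")  # padding row (count 0), as with Add-Padding
    return "\r\n".join(rows)


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding rows."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fake_range_endpoint):
    """How many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]  # only the prefix leaves this machine
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_book(entries):
    """entries: {site: password}. Return the sites whose password to change."""
    return sorted(site for site, pw in entries.items() if breach_count(pw) > 0)


if __name__ == "__main__":
    book = {"amazon": "FluffyTheD0gAmazon", "bank": "t7#Qz!random-unique-91"}
    print(check_book(book))   # sites with a breached password
    print(seen_by_server)     # what the server saw: 5-character prefixes only
```

To run it against the real service, pass a `fetch_range` function that performs the HTTPS request to the range URL shown in the docstring; the comparison of the hash suffix still happens locally.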
