1.3 Billion Passwords Leaked: What Australians Need to Know and Do Now
- Jason Riley

- Dec 4, 2025
What Happened in the 1.3 Billion Password Leak?
A newly compiled collection of 1.3 billion unique passwords and 2 billion unique email addresses has been discovered online. (Tom's Guide)
This data wasn’t stolen in a single “big breach” of a company or service. Instead, it’s an aggregate, compiled by the threat intelligence firm Synthient, which scoured both the open and dark web to collect credentials from hundreds of past data breaches, lists used for “credential-stuffing,” and logs from malware-infected devices. (The Economic Times)
Because many people reuse passwords across multiple accounts, this “master list” gives criminals a powerful starting point to attempt access to other services, which is a tactic known as credential stuffing. (LogsTail)
The leak has been added to the database of Have I Been Pwned, where users can now check whether their email or password appears in the exposed data.
In short: even if you’ve never experienced a breach yourself, there’s a real chance your credentials, possibly from long forgotten accounts or past breaches, are in the mix.
Why This Matters for Australians
Your old accounts may still be vulnerable. If you used a password some years ago and haven’t changed it, it could now be compromised.
Credential reuse dramatically increases risk. One leaked password can give attackers access to many of your online accounts — email, banking, shopping, social media — if the same credentials were used.
Hackers may attempt targeted attacks or identity theft. With access to your email and password, criminals may impersonate you or launch phishing attacks.
For all these reasons, this leak should be treated seriously — and not ignored simply because “it happened elsewhere.”
Steps You Should Take Right Now
Step | Action | Details |
1 | Check if your credentials were leaked | Some experts recommend using Have I Been Pwned’s Pwned Passwords tool to check whether your email or password has been exposed. Call us paranoid if you like, but we believe it's safer to simply assume your passwords have been leaked and to take appropriate action from there. |
2 | Change and strengthen your passwords | Use a trusted password manager or password generator (many offer free tiers) to create strong, unique passwords for each account. If you use an Apple computer, iPhone or iPad, an excellent password manager is already installed and you should use it. |
3 | Turn on multi-factor authentication | We always advise people to enable multi-factor authentication (MFA, sometimes referred to as 2FA) wherever possible. This adds an extra layer beyond just a password on important accounts (email, bank, financial services, social media, etc.). |
4 | Be alert for scams and phishing attempts | Be alert for suspicious emails, SMS or calls: phishing attempts frequently rise after large leaks, using your exposed details to craft convincing scams. In Australia, you can report suspicious activity or cybercrime to the Australian Cyber Security Centre (ACSC) via its reporting service. (Cyber.gov.au) |
5 | Clean up and secure old accounts | Review old or unused accounts, especially those with weak, repeated or “easy” passwords, and either delete those accounts, or secure them properly. |
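For readers wondering whether a password check can be done without handing the password over: the sketch below is an added example, not part of the original article, of the hash-prefix range lookup that the Pwned Passwords service supports, where only the first five characters of the password's SHA-1 hash are sent and the comparison happens locally. It runs offline against a simulated server; `SAMPLE_CORPUS`, its counts and `fake_fetch_range` are constructed for illustration.

```python
import hashlib
import string

# Constructed stand-in for the service's data; the counts are invented.
SAMPLE_CORPUS = {"password": 1000, "qwerty123": 250}
requests_seen = []  # everything the simulated server ever receives

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    requests_seen.append(prefix)
    lines = []
    for known, count in SAMPLE_CORPUS.items():
        known_prefix, known_suffix = split_hash(known)
        if known_prefix == prefix:
            lines.append(f"{known_suffix}:{count}")
    lines.append("0" * 35 + ":0")      # padding-style entry (count 0)
    lines.append("not a valid line")   # malformed line the parser must skip
    return "\r\n".join(lines)

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    results = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        well_formed = (
            sep == ":"
            and len(suffix) == 35
            and all(ch in string.hexdigits for ch in suffix)
            and count.isdigit()
        )
        if well_formed:
            results[suffix.upper()] = int(count)
    return results

def breach_count(password, fetch_range=fake_fetch_range):
    """Times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    # Only the 5-character prefix leaves this function; the suffix is matched locally.
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "a long passphrase nobody has leaked"):
        print(repr(candidate), "->", breach_count(candidate))
```

To query the live service, replace `fake_fetch_range` with a function that performs the HTTPS GET and returns the response body as text.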
How to Stay Protected Long-Term

Because this is an aggregated leak, it’s not just new breaches that matter: credentials from old, forgotten, or even seemingly insignificant accounts may still be out there. As long as criminals have access, they can revive credential-stuffing attacks, hacking attempts or phishing campaigns targeting anybody.
Regularly auditing your digital “door locks” — especially after a mass leak like this — is critical to staying safe online.
Where You Can Get Help
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), is the national lead for cyber-security.
Visit the ACSC website for guidance on securing your devices, enabling MFA, choosing strong passwords and avoiding scams. (Cyber.gov.au)
If you suspect your identity has been compromised — or you see suspicious activity — report it via the ACSC’s official reporting channels. (Cyber.gov.au)
Final thoughts
This recent leak is a stark reminder of how vulnerable our digital lives can be, especially when passwords are reused or left unchanged over time. But it’s not too late to act.
By regularly updating your credentials and passwords, using unique, strong passwords everywhere, enabling MFA, and staying alert to suspicious activity, you can significantly reduce your risk.
Think of this as a digital “spring clean,” and a chance to lock the doors properly.



