
The expanded password list dramatically improves organizations’ ability to block reused credentials, lowering the risk of account takeover across the internet.
The recent FBI feed marks a significant milestone for Have I Been Pwned, a cornerstone of global password hygiene. By integrating 630 million newly seized credentials, HIBP not only enlarges its public database but also enriches the threat intelligence ecosystem. Security teams rely on this open‑source resource to flag weak or previously compromised passwords before they become entry points for attackers. The addition of 46 million previously unknown passwords tightens the net around credential reuse, a primary vector in credential‑stuffing attacks that fuel billions in fraud losses each year.
Beyond the API’s real‑time checks—averaging 7,000 requests per second—many enterprises download the entire corpus for offline validation. This approach reduces latency, preserves privacy, and enables integration with internal authentication systems, SIEMs, and password‑policy enforcement tools. The Pwned Passwords Downloader, for instance, initiates roughly one million API calls during its initial sync, after which the data can be queried millions of times without further external traffic. Such scalability empowers organizations of all sizes to embed proactive password screening directly into login flows, dramatically cutting the window of opportunity for account takeover attempts.
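The offline validation described above can be sketched as follows. This is an added example, not code from Have I Been Pwned or the Pwned Passwords Downloader. It assumes the downloaded corpus is a single text file sorted by hash, one `SHA1:count` line per password; the function names and sample data are hypothetical.

```python
import hashlib
import os
import tempfile


def sha1_hex(password: str) -> bytes:
    """Uppercase hex SHA-1, the key format assumed for the corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")


def _line_at(f, pos: int) -> bytes:
    """Return the first complete line that starts at byte offset >= pos."""
    f.seek(max(pos - 1, 0))
    if pos > 0:
        f.readline()  # consume through the newline at or after pos - 1
    return f.readline()


def pwned_count(password: str, corpus_path: str) -> int:
    """Binary-search the sorted corpus; return the breach count, 0 if absent."""
    target = sha1_hex(password)
    with open(corpus_path, "rb") as f:
        lo, hi = 0, os.path.getsize(corpus_path)
        while lo < hi:  # find the smallest offset whose line sorts >= target
            mid = (lo + hi) // 2
            line = _line_at(f, mid)
            if line and line.split(b":", 1)[0] < target:
                lo = mid + 1
            else:
                hi = mid
        digest, _, count = _line_at(f, lo).strip().partition(b":")
    return int(count) if digest == target else 0


def build_sample_corpus(entries: dict) -> str:
    """Write a constructed corpus (password -> count) and return its path."""
    lines = sorted(sha1_hex(p) + b":" + str(n).encode() for p, n in entries.items())
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\r\n".join(lines) + b"\r\n")
    return path


if __name__ == "__main__":
    # Constructed sample data, not real breach counts.
    corpus = build_sample_corpus({"password": 5, "letmein": 3, "qwerty123": 7})
    for candidate in ("letmein", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, corpus))
    os.remove(corpus)
```

Because each lookup only seeks within a local file, the candidate password and its hash never leave the host, and a lookup costs a few dozen seeks even on a corpus of hundreds of millions of lines.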
Cloudflare’s edge‑caching partnership underpins the service’s global responsiveness. By distributing the password hash list across a worldwide network of edge nodes, lookup latency drops to a few milliseconds regardless of geographic location. This low‑latency access is crucial for high‑traffic applications where authentication speed directly impacts user experience. As cybercriminals continue to harvest credentials from both surface‑web breaches and dark‑web marketplaces, the open, continuously updated nature of HIBP’s dataset serves as a public‑good defense, encouraging broader adoption of credential hygiene best practices across the industry.