
Credential Breaches and Stuffing Attacks: What Leaked Password Databases Reveal and How HIBP Works

Have I Been Pwned has indexed 12+ billion breached accounts. Here's what a leaked credential database actually looks like, how attackers use credential stuffing at scale, the k-anonymity trick that lets HIBP check passwords without seeing them, and why bcrypt salting defeats rainbow tables.

By sadiqbd · June 12, 2026


Have I Been Pwned has indexed over 12 billion leaked accounts, and the structure of those databases reveals exactly how attackers work

Troy Hunt's Have I Been Pwned (HIBP) aggregates data from thousands of credential breach disclosures. When you enter your email address, it searches across leaked datasets and tells you whether it appears in any known breach. Behind this service is an understanding of how credential databases are structured, what attackers do with them, and why even "just" a hashed password database is valuable to someone with the right hardware.


What a leaked credential database looks like

When a company is breached and user data stolen, the attacker typically obtains:

Plain-text password databases (worst case):

user@example.com:password123
admin@company.com:letmein
john.smith@gmail.com:CompanyName2020!

This occurs when passwords are stored unhashed, which is still surprisingly common in smaller applications. The attacker can use these credentials immediately.

Hashed password databases (MD5 without salt: bad practice):

user@example.com:5f4dcc3b5aa765d61d8327deb882cf99
admin@company.com:0d107d09f5bbe40cade3de5c71e9e9b7

MD5 without salt. A hash cannot be reversed, but it can be looked up: the second hash is the MD5 of "letmein", and any rainbow table reveals it immediately. The first is the MD5 of "password". At billions of MD5 hashes per second on modern GPUs, an entire leaked database is cracked in hours.

Properly hashed databases (bcrypt):

user@example.com:$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36

At bcrypt cost factor 12, a modern GPU might attempt 10,000–25,000 hashes per second. An 8-character password space still takes years to exhaust.


The credential stuffing attack chain

Attackers don't just want to crack your specific account. They want scale. Credential stuffing attacks are the industrialisation of stolen credentials:

  1. Breach occurs: attacker obtains email/password database from a compromised service (a forum, a small e-commerce site, a gaming platform)
  2. Crack what can be cracked: weak hashes fall quickly; bcrypt takes too long to crack at scale
  3. Build a stuffing list: email:password pairs (cracked plaintext or original if stored badly)
  4. Stuff credentials: automated tools (Sentry MBA, BlackBullet, OpenBullet) test the pairs against high-value targets: banks, PayPal, Amazon, streaming services
  5. Monetise: successful logins are sold (Netflix accounts: $3–5), used for fraud, or mined for payment details

Scale: the 2022 breach of Neopets exposed approximately 69 million accounts. The 2021 Facebook breach leaked 533 million phone numbers. These feed into public credential databases that fuel stuffing campaigns.
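The stuffing pattern described above has a distinctive defensive signature: one source touches many different accounts in a short window, whereas brute force hammers one account. The following detection logic is an added example (not code from the article or from any of the tools it names) and runs over a constructed sample log; the log format, the five-minute window and the five-account threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
LOG_LINES = """\
2024-05-01T10:00:01 ip=203.0.113.10 user=alice@example.com result=FAIL
2024-05-01T10:00:02 ip=203.0.113.10 user=bob@example.com result=FAIL
2024-05-01T10:00:02 ip=203.0.113.10 user=carol@example.com result=FAIL
2024-05-01T10:00:03 ip=203.0.113.10 user=dave@example.com result=OK
2024-05-01T10:00:04 ip=203.0.113.10 user=erin@example.com result=FAIL
2024-05-01T10:00:05 ip=203.0.113.10 user=frank@example.com result=FAIL
2024-05-01T10:01:00 ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:10 ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:20 ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:30 ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:40 ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:02:00 ip=192.0.2.5 user=grace@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "OK")

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """IPs whose attempts touch >= min_accounts distinct users inside one sliding window.
    Single-account brute force stays below the threshold; a stuffing run does not."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """Users who logged in successfully from a flagged source: treat as compromised."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})
```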


The "k-anonymity" API behind Have I Been Pwned

HIBP's password checking API uses a clever approach called k-anonymity to let you check whether a password is in a breach database without sending the actual password to the server:

  1. Hash the password with SHA-1 locally: sha1("password123") = cbfdac6008f9cab4083784cbd1874f76618d2a97
  2. Send only the first 5 characters of the hash to the API: GET https://api.pwnedpasswords.com/range/CBFDA
  3. The API returns all hashes beginning with CBFDA (there are typically hundreds)
  4. Locally check whether your full hash is in the returned list

Why this is clever: the server never sees the full hash (only 5 of 40 hex characters), which is insufficient to identify the password. But you can still check if your specific password hash appears in the breached list. Under the k-anonymity model the server learns only that the queried password's hash is one of the hundreds sharing that prefix, not which one, so an individual query reveals nothing useful about the password being checked.

This API is used by password managers, browsers (Chrome's Password Checkup), and applications to warn users about compromised passwords without exposing the passwords themselves.
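The four steps above, written out as client code. This is an added example, not code from the article or from HIBP; the constructed range response stands in for the live endpoint so it runs offline (only the first suffix is real, the other two entries are made up), and the User-Agent header value is an assumption.

```python
import hashlib
import urllib.request

# Constructed stand-in for the range endpoint, keyed by 5-char prefix. Only the first
# suffix is real (SHA-1 of "password123" minus its prefix); the other two are made up.
# Real responses contain hundreds of "SUFFIX:COUNT" lines.
SAMPLE_RANGES = {
    "CBFDA": "C6008F9CAB4083784CBD1874F76618D2A97:123456\r\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:3\r\n"
             "FFEEDDCCBBAA99887766554433221100FFF:0\r\n",
}

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Map 'SUFFIX:COUNT' lines to {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix, timeout=10.0):
    """Live lookup: only the 5-char prefix leaves the machine (User-Agent is assumed)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Times the password appears in the breach set (0 = not found). The password and
    its full hash never leave this function; fetch() receives only the prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def offline_fetch(prefix):
    """Drop-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")
```

Call `breach_count("password123")` for a live lookup or pass `fetch=offline_fetch` to stay offline.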


What salting actually prevents

Salting adds a unique random value to each password before hashing:

import bcrypt

password = b"password123"
# bcrypt automatically generates and embeds a random salt
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
# Result: $2b$12$[22 chars of salt][31 chars of hash]

Without salt: all users with password "password123" have identical hashes. Crack one, crack all instances of that password in the database simultaneously. Rainbow tables pre-compute all common passwords' hashes.

With bcrypt's built-in salt: every "password123" produces a completely different hash. Cracking one user's password reveals nothing about other users with the same password. Rainbow tables are useless because they'd need to be computed for every unique salt.
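To make the "crack one, crack all" point concrete, here is an added example (not the article's code) that stores the same constructed accounts first with unsalted MD5, where a small precomputed table recovers every row in one lookup each and duplicate passwords are visible as duplicate hashes, then with a per-user random salt. PBKDF2-HMAC-SHA256 from the standard library is used in place of bcrypt so the example runs without extra packages; unlike bcrypt, which embeds the salt in its $2b$ string, the salt is stored explicitly here, and the iteration count is an example value.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts in the article's "email:password" shape; two share a password.
USERS = {
    "user@example.com": "password123",
    "admin@company.com": "letmein",
    "john.smith@gmail.com": "password123",
}

# Tiny stand-in for a precomputed (rainbow) table: md5 hex -> plaintext.
WORDLIST = ["password", "letmein", "password123", "123456"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

ITERATIONS = 100_000  # example cost; raise it like bcrypt's cost factor

def unsalted_md5_store(users):
    """Unsalted MD5: identical passwords produce identical stored hashes."""
    return {email: hashlib.md5(pw.encode()).hexdigest() for email, pw in users.items()}

def crack_unsalted(store):
    """One table lookup per row recovers every password the table contains."""
    return {email: MD5_TABLE[h] for email, h in store.items() if h in MD5_TABLE}

def salted_store(users, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per user (stdlib stand-in for
    bcrypt, which embeds salt and cost in its $2b$ string instead of a separate field)."""
    store = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        store[email] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return store

def verify_salted(store, email, candidate, iterations=ITERATIONS):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt, expected = store[email]
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(expected, actual)

def shared_hash_count(hashes):
    """Distinct stored hashes used by more than one account (0 once salted)."""
    return sum(1 for n in Counter(hashes).values() if n > 1)
```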


Credential breach monitoring for organisations

For businesses, monitoring whether employee or customer credentials are circulating in breach databases is a genuine security operation:

SpyCloud: commercial product that ingests breach data and alerts enterprises when their users' credentials appear

DeHashed: aggregated breach database with API access

Intelligence feeds: threat intelligence platforms (Recorded Future, Flashpoint) monitor dark web credential markets

What to do when credentials are found:

  1. Force password reset for affected accounts
  2. Invalidate existing sessions
  3. Check for suspicious account activity between breach date and discovery date
  4. Notify affected users

How to use the Bcrypt Generator on sadiqbd.com

  1. Enter any password and generate a bcrypt hash for storage
  2. Verify: paste an existing bcrypt hash and candidate password to check whether they match
  3. Adjust cost factor: higher cost = harder to crack but slower to verify
  4. Use for testing β€” generate sample hashes to verify your application's password verification logic

Frequently Asked Questions

Should I check my own passwords against HIBP? Yes, it's designed to be safe. The k-anonymity approach means even the HIBP server doesn't know which password you're checking. haveibeenpwned.com/passwords is the safe direct interface; many password managers integrate the API automatically.

How often should organisations rotate compromised passwords? Force immediate rotation when a specific credential is confirmed compromised (appeared in a breach or confirmed phishing). Regular forced rotation on a schedule (every 90 days) is no longer recommended by NIST (SP 800-63B, 2017): forced rotation produces predictable patterns (Password1! → Password2!) that reduce effective security.

Is the Bcrypt Generator free? Yes, completely free, no sign-up required.

Try the Bcrypt Generator free at sadiqbd.com: generate and verify bcrypt password hashes with any cost factor.
