Feb 14, 2026
A Hacker Just Published 6.8 Billion Email Addresses in a Single Searchable Database
A threat actor spent two months stitching together breach data, credential dumps, and infostealer logs into a 150 GB file containing 6.8 billion unique email addresses. Then they posted it publicly with a warning: "Your data is public."
The Leak
A hacker operating under the alias "Addka72424" posted a 150 GB database on BreachForums containing 6,839,584,670 unique email addresses. The collection is not from a single breach. Instead, the threat actor spent approximately two months extracting and deduplicating email addresses from combo lists, ULP (username, login, password) collections, infostealer logs, and compromised databases.
The result is an aggregation of years of compromised data, stitched together into a searchable, weaponized database. Security researchers who analyzed the dump estimate that roughly 3 billion of the addresses are legitimate and usable, once invalid formats, duplicates, and disposable email addresses are filtered out.
The hacker's message to anyone worried about their data appearing in the collection was blunt: "Those to whom you entrusted the data did a poor job of protecting them and your data is public."
Why 3 Billion Usable Emails Matters
Three billion legitimate email addresses in a single, freely available database is a phishing operation's dream. Security researchers calculated that even a 0.001% click rate on malicious emails sent to this database would net attackers 30,000 potential victims. At real-world click rates for targeted phishing, which typically range from 3% to 30%, the numbers become staggering.
But the database is not just a list of addresses. Because it was compiled from breach data and infostealer logs, many entries can be cross-referenced with other leaked information: passwords, security questions, employer details, and browsing history. An email address alone is a starting point. An email address linked to a previously breached password and a known employer becomes the foundation for highly targeted spear phishing.
Where the Emails Came From
The database is not the product of a single hack. It represents the cumulative output of the cybercrime ecosystem over years:
- Combo lists: Collections of email and password pairs from previous breaches, traded and resold across hacking forums
- ULP collections: Structured dumps containing usernames, login URLs, and passwords harvested from phishing sites and credential stuffing operations
- Infostealer logs: Data captured by malware installed on victims' machines, which records every password saved in browsers, every session cookie, and every autofill credential
- Breached databases: Direct dumps from compromised companies, some never publicly reported
What makes this leak different from the thousands of individual breaches that preceded it is the aggregation. Previously, attackers had to hunt across dozens of forums and marketplaces to assemble a comprehensive target list. Now that work has been done for them.
What This Means for Your Inbox
If your email address appears in this database, and statistically it very likely does, you should expect an increase in targeted phishing attempts. Attackers who previously relied on spray-and-pray campaigns can now:
- Verify that your address is active and associated with real accounts
- Cross-reference your address with other breach data to personalize attacks
- Use your email to launch credential stuffing attacks against services where you may have reused passwords
- Send tracking-pixel-laden emails to confirm your location, device, and reading habits before launching a follow-up attack
The last point is particularly relevant. Phishing campaigns increasingly use invisible tracking pixels in their initial emails, not to steal data directly, but to profile which targets are active, engaged, and worth pursuing with more sophisticated attacks.
How to Protect Yourself
You cannot undo a leak, but you can reduce what attackers learn from it:
- Change passwords on any account where you have reused credentials, and enable two-factor authentication everywhere it is available
- Check exposure using services like Have I Been Pwned to see which breaches include your email address
- Watch for phishing with heightened skepticism toward unexpected emails, especially those requesting credentials or containing urgent calls to action
- Block tracking pixels to prevent attackers from confirming your email is active and profiling your behavior. Tools like Gblock block spy pixels in Gmail before they fire
A database of 3 billion usable email addresses is now freely available to anyone who wants it. The question is no longer whether your email has been exposed, but whether you have taken steps to limit what can be done with it.