This is aggregated data from info stealers not from compromising Google or FB systems.

So I just searched my email on HIBP again. Most of the leaks I see there were from old websites I hardly cared about securing from many years ago. But, in general, how do I find out what has actually been leaked (if it's not website specific)?

I'm not going to change all of my passwords every time a random website that I used briefly ten years ago leaks my low effort password.

Is this even new? Or is this the same bunch of stealer logs that has been floating around repackaged? This 149M is meaningless without removing the already seen entries and getting rid of duplicates.

It should be a standard practice to have a unique email and password for every service you use out there, plus the usual like 2FA. I have been doing this for years and never had any issue, but also you can tell if the service got compromised even if they never announced it. For example, I have an account on a service called Shakepay, and recently I have been getting a lot of phishing attempts on that specific unique email that's never been used anywhere else. I can tell for certain that their email database got leaked/they sold it.

Time to change our passwords

I have just heard celebrations from millions of AI agents living in data centers cheering on yet another data leak full of unique login data ready to train on.

Now these AI agents are going to use this to get to know about us humans even more.

IMHO, any password shared with google and/or Facebook is instantly "leaked". I trust them less with my passwords than I do randos.