A massive leak has exposed more than 183 million email passwords, including tens of millions linked to Gmail accounts, in what cybersecurity analysts are calling one of the biggest credential dumps ever uncovered.
The stolen trove containing 3.5 terabytes of data surfaced online this month, according to Troy Hunt, the Australian security researcher who runs the breach-notification site Have I Been Pwned.
Hunt stated that the information originated from a yearlong sweep of “infostealer” platforms — malware networks that secretly siphon usernames, passwords and website addresses from infected devices.
The data consists of both “stealer logs and credential stuffing lists,” Hunt wrote in a blog post.
“Someone logging into Gmail ends up with their email address and password captured against gmail.com.”
The new dataset contained 183 million unique accounts, including roughly 16.4 million addresses never seen before in any prior breach, Hunt wrote.
To find out if their credentials are among those compromised, users can visit HaveIBeenPwned.com and enter their email addresses. If flagged, the site provides the date and nature of the breach.
Security firm Synthient, which collected the logs, said the records were drawn from criminal marketplaces and underground Telegram channels where hackers share stolen credentials in bulk.
Analyst Benjamin Brundage of Synthient said the findings show the staggering reach of infostealer malware.
According to researchers, most of the entries are recycled from older breaches, but millions of newly compromised Gmail accounts were verified when affected users confirmed that exposed passwords still matched their active credentials.
The leak, first detected in April and made public last week, covers not only Gmail data, but also login information for Outlook, Yahoo and hundreds of other web services.
The cache, Hunt said, shows how stolen credentials often reappear across forums for years, giving criminals fresh opportunities to exploit reused passwords.
Hunt said the breaches did not involve a direct hack of Gmail; it employed malware on users’ computers that captured their logins.
Security experts said that’s why the impact of the breaches extends far beyond email.
Many victims reuse passwords across multiple sites — from cloud storage and banking to social media — enabling attackers to infiltrate victims’ entire digital lives through “credential stuffing,” the automated process of testing stolen username–password pairs on multiple platforms.
“Reports of a Gmail security ‘breach’ impacting millions of users are entirely inaccurate and incorrect,” a Google spokesperson told The Post.
“They stem from a misreading of ongoing updates to credential theft databases, known as infostealer activity, whereby attackers employ various tools to harvest credentials versus a single, specific attack aimed at any one person, tool or platform.”
“We encourage users to follow best practices to protect themselves from credential theft, such as turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are exposed in large batches like this.”
Cybersecurity experts worldwide urged Gmail users to act right away.
“If you’re one of the 183 million people affected, you need to change your email password immediately and enable two-factor authentication if you haven’t already,” Hunt said.
British security analyst Michael Tigges of Huntress told Yahoo News that while Gmail itself wasn’t directly breached, the attack should be a wake-up call for anyone who relies on their web browsers to store their credentials.
“The event here is not one of any specific data breach, but instead aggregated and uploaded data from millions of stealer malware logs,” Tigges said.
“This underscores the importance of avoiding shared credentials across services and highlights why it is important to have excellent visibility on both your personal email security, as well as business email security.”
Fellow security blogger Graham Cluley told the Daily Mail that people should “always use different passwords for different online accounts” and store them in encrypted password managers rather than browsers, which malware can easily scrape.
Google’s own Password Manager Checkup tool also scans saved logins in Chrome and warns of weak, reused or breached passwords. The company said it automatically prompts password resets when large credential dumps are detected.
Researchers noted that most of the stolen credentials were likely harvested through fake software downloads, phishing attachments, or browser extensions. Victims often have no idea their devices were infected.
The most important step is prevention, Tigges said.
“Make sure your anti-virus is up to date and that you’re downloading software from reputable sources,” he said.
“These credentials were obtained primarily through ‘stealer’ type malware; prevention is the chief mitigation.”
While the scale of the data dump appears to be unprecedented, Hunt emphasized that the real threat comes from complacency.
“Reusing passwords is a recipe for disaster,” he explained.
Experts warned that attackers could weaponize the database for months or years by selling verified Gmail logins to fraud networks.
[Notigroup Newsroom in collaboration with other media outlets, with information from the following sources]
