More than 183 million passwords have been leaked online. This is one of the largest data breaches of 2025. The stolen data have now been added to the Have I Been Pwned (HIBP) database. It includes, but is not restricted to, Gmail login details, along with email addresses and website info.
Update
Google reached out to clarify that the situation involves ongoing infostealer activity that targets multiple online services, not a Gmail-specific breach. The company said it’s important for users to stay aware of this type of malicious activity, but confirmed there has been no Gmail breach.
“Reports of a Gmail security ‘breach’ impacting millions of users are entirely inaccurate and incorrect. They stem from a misreading of ongoing updates to credential theft databases, known as infostealer activity, whereby attackers employ various tools to harvest credentials versus a single, specific attack aimed at any one person, tool or platform...,” a Google spokesperson said.
Cybersecurity researcher Troy Hunt confirmed this report. The new breach combines “stealer logs and credential stuffing lists” gathered from infostealer platforms over the past year.
A closer look at the breach
According to Hunt, the data came from Synthient, a cybersecurity firm that monitors threat activity. Synthient’s Benjamin Brundage said the leak was collected over many months from multiple infostealer platforms. In total, the data amounted to a staggering 3.5 terabytes and 23 billion records.
Hunt explained that the stolen info typically includes three key items: a website URL, an email address, and a password. For example, if a user logs into Gmail, their email and password may be captured and linked to Gmail.com. Hunt also checked whether the data was new or recycled from previous leaks.
Millions of fresh Gmail credentials confirmed
After reviewing a 94,000-record sample, Hunt found that about 92% of the data had appeared before in older leaks. However, 8% of the credentials were entirely new. This represents around 16.4 million previously unseen email addresses.
Some of those credentials were confirmed to be accurate by HIBP users. One affected Gmail user verified that the leaked password was indeed correct for their account. This confirms the authenticity of the new data.
What Gmail users should do now
Gmail users are among those affected. However, the breach also includes accounts linked to other major platforms, including Apple and Facebook.
Security experts urge everyone to check whether their email address is on the breach list using Have I Been Pwned.
Do the following immediately
- Go to the website: Visit haveibeenpwned.com. It’s completely free to use.
- Enter your email: Type your email address in the search box and click “pwned?”.
- Review the results: If your email appears in any breaches, you’ll see a list of affected websites and the type of data exposed (such as passwords or phone numbers).
- Check your passwords: If the breach involves passwords, change them immediately.
- Use a password manager: Create strong, unique passwords for every site. A manager can help you remember them all safely.
- Enable two-factor authentication (2FA): This adds a second layer of protection even if your password gets leaked.
- Sign up for alerts: You can subscribe to HIBP’s free notification service to get alerts if your email appears in future leaks.
Reusing passwords across different services can expose multiple accounts once a single password is compromised.
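The three-field record Hunt describes and the reuse risk above can be combined into a defender-side check. This is an added example, not code from the article, HIBP or Synthient: the colon-delimited `url:email:password` layout, the sample lines and the names `parse_record` and `reused_passwords` are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records, not real data. The "url:email:password" layout is
# an assumption; the article only names the three fields each record holds.
SAMPLE = """\
https://accounts.example-mail.test/signin:alice@example.test:Winter2024!
https://shop.example.test/login:Alice@example.test:Winter2024!
https://forum.example.test:8443/auth:alice@example.test:x9$Lq:7pRt
https://bank.example.test/login:bob@example.test:correct-horse
malformed line without fields
"""

# The URL (scheme, port) and the password may both contain ':', so a plain
# split(':') is wrong. Anchor on the email, the field shaped like x@y.
RECORD = re.compile(r"^(?P<url>\S+?):(?P<email>[^:@/\s]+@[^:@/\s]+):(?P<pw>.+)$")

def parse_record(line):
    """Return (host, email, password) for one record, or None if malformed."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    host = urlsplit(m["url"]).hostname or m["url"]
    return host, m["email"].lower(), m["pw"]

def reused_passwords(text):
    """Map each email to the groups of hosts where it used the same password."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that do not carry all three fields
        host, email, pw = rec
        # Key on a digest so the report never carries the plaintext password.
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        seen[email][digest].add(host)
    report = {}
    for email, by_pw in seen.items():
        groups = [sorted(hosts) for hosts in by_pw.values() if len(hosts) > 1]
        if groups:
            report[email] = groups
    return report

if __name__ == "__main__":
    print(reused_passwords(SAMPLE))
```

Every host in a reported group needs its password changed, since one captured record exposes all of them.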
Update: In addition to 2-step verification, Google recommends the adoption of passkeys, which are a safer and stronger alternative to passwords.
A growing reminder to stay alert
This leak underscores how widespread and ongoing credential theft has become. Even if you have not been affected, regular password checks and updates are essential for staying secure online.
Hunt’s investigation highlights that stolen data often circulates for years, resurfacing in new combinations. The best defense is vigilance: monitor your accounts, use password managers, and never assume your information is safe just because you haven’t seen signs of trouble yet.