Gmail passwords included in data breach involving 183 million accounts
October 30, 2025
When reports appear that Gmail has suffered a data breach involving 183 million accounts, the likelihood of panic is great and the reputational damage to Google is greater. Gmail is now a well established form of email communication. It is ubiquitous, easy to set up and maintain and, until recently, had the cachet of being part of the Google empire and therefore safe to use. But what happens when the claimed mass theft of Gmail passwords isn’t so mass after all? Google has to scramble to set the facts straight. It can and does get messy. The Forbes article Gmail Passwords Confirmed Within 183 Million Account Infostealer Leak and the Sydney Morning Herald article Panic as breached details of 183m accounts, including Gmail, emerge report that a very significant data breach has occurred and that part of the data stolen included Gmail passwords. Google has had to scramble to clarify.
The issue for businesses is to be as clear and transparent as possible. Many statements in response to data breaches are models of obfuscation and confusion when they are not boilerplate about working with the authorities, doing all they can, and so on.
The Forbes article provides:
I reported on a data leak earlier this year that included a whopping 184,162,718 passwords and logins affecting the likes of Apple, Facebook and Instagram users. That data leak was disclosed on May 22, and now, in what could, or could not be, a rather spooky seeming coincidence, news of 183 million passwords and login credentials from an April 2025 leak has emerged. Adding the details of website URLs, email addresses and passwords to the Have I Been Pwned database, owner Troy Hunt said the data consisted of both “stealer logs and credential stuffing lists” including confirmed Gmail login credentials. While confirming that all major email providers have credentials within the leak database, including Microsoft Outlook and Yahoo, Hunt has said that “they’re from everywhere you could imagine, but Gmail always features heavily.” Here’s what we know and what you need to do.
What We Know About The 183 Million Passwords Data Leak
Have I Been Pwned is something of a staple resource for anyone who is genuinely concerned about their account login security. Why so? Because it’s the go-to for discovering when any of your email addresses, accounts or passwords are found in data leaks, dark web password breach lists and the like. Best of all, it’s entirely free to use. When a new entry appears with the number of affected accounts being 183 million, and the compromised data listed as email addresses and passwords, more than a few heads will pop up above the parapets and pay attention. Mine certainly did following the Oct. 21 addition.
Having done some digging for further information, I was drawn to a lengthy analysis by Hunt himself, which looked inside the Synthient threat data provided to HIBP. Benjamin Brundage from Synthient revealed in a blog posting that the data came from the results of monitoring infostealer platforms across the course of close to a year.
The total amount of information sent to HIBP comprised 3.5 terabytes of data, 23 billion rows of it in all. The output of the stealer logs concerned, Hunt said, consisted primarily of three things: website address, email address and password. “Someone logging into Gmail,” Hunt wrote, “ends up with their email address and password captured against gmail.com, hence the three parts.” Of course, there’s a lot of recycling of credentials that goes on in the cybercriminal world, so Hunt initially wanted to check the freshness of the database he had in his hands.
An analysis of a 94,000 sample revealed 92% were not, in fact, new. “Most of what has been seen before was in the ALIEN TXTBASE stealer logs,” Hunt confirmed. However, the math wizards out there will have noted that this still leaves 8% that is new and fresh, or more than 14 million credentials if you extrapolate it. Actually, the final tally was 16.4 million previously unseen addresses in any data breach, not just stealer logs.
HIBP also checks to see if the credentials are genuine by sending out some of the details to people on the subscriber base who are impacted. “One of the respondents was already concerned there could be something wrong with his Gmail account,” Hunt said, and that person was able to validate that the entry was “an accurate password on my Gmail account.”
I spoke to Sachin Jade, the chief product officer at Cyware, who said that this kind of incident shows how much compromised credential monitoring and management has become an essential component of any mature cybersecurity strategy. And although the incident itself is not a breach, it’s the result of breaches and leaks that have already occurred, “credential-based attacks remain a leading cause of breaches.” With 183 million pieces of ammunition just fed into the system, you can be sure that cybercriminals are already topping up their attack arsenals.
Google Issues Clarification Statement After Gmail Passwords Found In Data Leak Database
Google has taken to social media to try to stem the misreporting concerning this incident, which has been framed as 183 million Gmail accounts being breached, which is incorrect, as my article explains in some detail. I have reprinted the entire statement here in the hopes of adding even further clarification.
“Reports of a “Gmail security breach impacting millions of users” are false. Gmail’s defenses are strong, and users remain protected. The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform. Users can protect themselves from credential theft by turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this. Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts.”
Check If Your Passwords Are Impacted Now
Of course, it is not just Gmail users who will be affected by this leak, so I would advise everyone to go and check at HIBP to see if their account credentials might be included.
I reached out to my contacts at Google for a statement, and a spokesperson told me: “This report covers broad infostealer activity that targets many types of web activities. When it comes to email, users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.”
Google also advised Gmail users that if they have any reason to believe that their accounts have been hacked, they should immediately sign in and review the account activity. If you can’t sign in, Google said, then head for the account recovery page and answer the questions that are presented to the best of your ability.
“Additionally, to help users, we have a process for resetting passwords when we come across large credential dumps such as this,” Google noted.
You can check if your Gmail password is exposed, weak or used for multiple account logins, if you are a user of the Chrome password manager, by using the Google Password Checkup feature. On a computer, this is accessible from Chrome by selecting Passwords and autofill from the top right menu, and then Google Password Manager | Checkup.
This will reveal if you are using any passwords that are known to be compromised, as will most other password manager applications, as well as using the Have I Been Pwned? database check, as mentioned earlier, along with giving an indication of any weak passwords you may have in active use. “We’ll ask you to change your Google Account password if it might be unsafe, even if you don’t use Password Checkup,” Google said. And then, of course, there are those passwords that you reuse across multiple accounts and services, which Google will also inform you of. Speaking of which, please do not do that; it is a recipe for disaster, as this kind of password leak demonstrates all too well for Gmail users and everyone else, for that matter. As Google noted, in a clear case of necessarily stating the obvious: “We recommend that you change any compromised passwords as soon as you can.”
From a business perspective rather than purely a consumer one, Jade said that “aligning credential monitoring with a firm’s overall risk management framework helps organizations prioritize response based on contextual risk rather than isolated incidents.” Which is good advice, as such integration of password credential intelligence can help in-house security teams to dynamically adjust access controls, enforce adaptive authentication, and preempt lateral movement by attackers using stolen credentials. “Ultimately, this alignment transforms credential management from a reactive safeguard into a proactive risk governance mechanism,” Jade concluded, “and supporting the organization’s broader goal of reducing & managing attack surface exposure.”
The SMH article provides:
Google has called for calm amid a frenzy of sensational reports suggesting a Gmail security breach is affecting millions of accounts.
In fact, the source of the hubbub is a massive collection of breached credentials and data — comprising 183 million individual accounts — being uploaded to data breach information website Have I Been Pwned. Most of it is not newly breached information. Here’s what you need to know.
So Google hasn’t been hacked?
No, the data is not the result of a security breach at Google. And the overwhelming majority of it is not new in the sense that this is the first time it’s been posted online.
When crooks steal data or credentials, it tends to swirl around the internet, being copied to various massive collections that can be used to automate attacks or generate insights. In this case, a researcher at cybersecurity company Synthient has pulled a huge amount of data together from various sources and then shared the data with Australian cybersecurity expert Troy Hunt, who operates Have I Been Pwned.
Posting on X, Google said many online reports were false, and Gmail’s defences remained strong.
“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform,” it said.
“Users can protect themselves from credential theft by turning on two-step verification, adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this.”
Why was Google singled out in these stories?
The 183 million accounts represented in the data are not all from Gmail, so its singling out does appear to be the result of misunderstanding. Many articles, headlines and social media posts say explicitly that 183 million Gmail accounts have been breached, which is not the case.
In a post last week Hunt described his process of verifying the breached data, which included reaching out to people through the emails listed. Some articles have used this to say that the 183 million accounts have been verified, which is also not the case.
While Synthient and Hunt posted discussing the data last week, the online frenzy of articles and search traffic appeared to begin late on Monday, and may have been triggered by an accurate report on Forbes.com.
What exactly does the data contain?
Hunt received 2.6 terabytes of data, comprising 23 billion rows of credentials. But despite these huge numbers, the exposure of the data isn’t necessarily catastrophic.
Some of the data comes from stealer logs, which is the output of malware that has infected computers to report back web addresses, emails and passwords. There’s a large amount of repetition in these logs, so it takes some analysis to decide if anything is new or current.
Hunt said that from a sample of 94,000 entries, 92 per cent had been found in stealer logs previously. From 183 million accounts, that does mean there are millions of email addresses in this data that haven’t previously been marked as compromised.
Other data comes from credential stuffing lists, which criminals use to attack services where users may have re-used passwords. So for example they could take a password associated with your Vietnam Airlines account, and try it with your PayPal account.
What is Have I Been Pwned?
The data breach information website has been around for years and has become a go-to resource for finding out if your credentials have ended up in the hands of criminals. Hunt collates huge amounts of data taken from breaches into the system, allowing users to search through it without further exposing the damaging info. You can enter your email address or password to check if it’s listed in any breaches.
Have I Been Pwned also offers a service that will alert you if your email address appears in any data breaches, and an API businesses can use. Several providers of password management software use this API to automatically check user passwords against breached data.
What should I do to stay safe?
Just because you have a Gmail address, it doesn’t mean you’re at risk from this data breach, since there are billions of Gmail users. But it doesn’t hurt to check your address at Have I Been Pwned.
It will let you know if it’s found in any breach collections (the latest one is called “Synthient Stealer Log Threat Data”), so you can see what other types of data might also have been stolen.
It’s a good idea to change your password at any service your email is found, and activate multi-factor authentication (MFA) if possible.
As always, it’s poor digital hygiene to re-use the same password twice, and important services like email and banking in particular should have unique strong passwords, or be moved to passkeys or other MFA.
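The SMH article above mentions that Have I Been Pwned exposes an API which password managers use to check user passwords against breached data. The following is an added example, not code from either article, Google or Have I Been Pwned, showing how such a check is done without ever sending the password or its full hash to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the public Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The response body used here is constructed so the example runs offline; the count it reports is made up for illustration and is not the real breach count for that password.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like (suffix:count, one per line).
# The first line carries the real SHA-1 suffix of the password "password"; the count
# next to it and the other two lines are made-up values for this offline example.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "00A1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A:2\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Return how many times the suffix appears in a SUFFIX:COUNT response body,
    or 0 if absent. Padded entries (if the caller requested padding) arrive with
    a count of 0 and therefore fall through to the same 'not found' result."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password_against_response(password: str, body: str) -> int:
    """Offline variant: hash locally and match against an already-fetched body."""
    _, suffix = hash_prefix_suffix(password)
    return count_in_range_response(suffix, body)


def fetch_range(prefix: str) -> str:
    """Network call: fetch the range for a 5-char prefix. Only the prefix leaves
    the machine, so the service never learns which password was checked."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_password_pwned(password: str) -> int:
    """Full online check: returns the breach count (0 if not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response above.
    for candidate in ("password", "correct horse battery staple"):
        seen = check_password_against_response(candidate, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {seen} times in sample data" if seen else "not in sample data"
        print(f"{candidate!r}: {verdict}")
```

A password manager or a signup form would call `is_password_pwned` and refuse or warn on any non-zero result; the offline helpers are what make the matching logic testable without network access.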