Massive 183 Million Credential Leak Exposes Millions of Gmail Accounts in One of the Largest Data Dumps Ever

A huge data breach has made public more than 183 million email passwords, of which tens of millions are associated with Gmail accounts. Cybersecurity experts refer to this incident as one of the largest credential dumps ever found. This month, the stolen loot of 3.5 terabytes of data was released onto the internet, as per the report by Troy Hunt, an Australian security expert who operates the breach-notification website Have I Been Pwned. Hunt revealed that the data was collected during a year-long operation against "infostealer" platforms — malware networks that invisibly gather usernames, passwords, and website addresses from the devices they infect. The trove of data is a combination of "stealer logs and credential stuffing lists,"

The new dataset contained 183 million unique accounts, including roughly 16.4 million addresses never seen before in any prior breach, Hunt wrote.

To find out if their credentials are among those compromised, users can visit HaveIBeenPwned.com and enter their email addresses. If flagged, the site provides the date and nature of the breach.

Security firm Synthient, which collected the logs, said the records were drawn from criminal marketplaces and underground Telegram channels where hackers share stolen credentials in bulk.

Analyst Benjamin Brundage of Synthient said the findings show the staggering reach of infostealer malware.

According to researchers, most of the entries are recycled from older breaches, but millions of newly compromised Gmail accounts were verified when affected users confirmed that exposed passwords still matched their active credentials.

The data breach that was first noticed in April and disclosed last week includes not just Gmail data but also credentials for Outlook, Yahoo, and many other web-based services.

According to Hunt, the heap of data indicates that stolen credentials frequently resurface in forums for years, thereby giving the criminals new chances to misuse the reused passwords.

As per Hunt, the violations did not contain an attack on Gmail; it was through malware installed on users’ devices that the logins were captured.

Cybersecurity experts pointed out that this is the reason why the breaches’ effects are not limited to email only but extend much wider.

A large number of people reuse the same passwords on different sites, ranging from cloud storage and banking to social networking, making it easier for the attackers to access the whole digital life of the victims through “credential stuffing,” the automated process of probing stolen username-password pairs on several platforms.

A Google representative informed The Post that the news of a Gmail security ‘breach’ affecting millions of users is completely inaccurate and wrong.

The representative added that they result from a misunderstanding of the updates on a continuous basis to the databases of credential theft, infostealer activity, in which the attackers use a variety of tools to collect credentials rather than a single, specific attack aimed at any one person, tool, or platform.

“We recommend users to implement the best practices in order to avoid being victims of credential theft, like enabling 2-step verification, and using passkeys as a stronger and safer alternative to passwords, and changing passwords every time they become exposed in large batches like this.”

Experts in cybersecurity have called upon Gmail users all over the globe to take immediate actions.

If you’re one of the 183 million people affected, according to Hunt, your email password must be changed without any delay and two-factor authentication must be enabled if it has not been done already.

Michael Tigges, a British security analyst at Huntress, stated to Yahoo News that the situation should be taken as a warning sign for all who use web browsers to keep their passwords when the attack was not directed to Gmail itself.

“This event does not represent any specific data breach but rather aggregated and uploaded data from millions of stealer malware logs,” Tigges said.

“It is clear that companies must keep users' accounts secure by not allowing shared logins across services and that they also need to have excellent visibility over both personal and business email security.”

Another security blogger, Graham Cluley, suggested in an interview with the Daily Mail that users should “always use different passwords for different online accounts” and store them in encrypted password managers instead of browsers that malware can easily scrape from.

Google's own Password Manager Checkup tool is also capable of scanning saved logins in Chrome and alerting about weak, reused or breached passwords. It was reported by the company that it automatically prompts password resets when large credential dumps are detected.

The researchers have mentioned that most of the stolen credentials were probably collected through fake software downloads, phishing attachments, or browser extensions. Victims are often unaware that their devices have been infected.

According to Tigges, the most crucial step is prevention.

“Keep your antivirus software updated and make sure you are downloading programs from trusted sources,” he suggested.

“The credentials were mainly collected via ‘stealer’ type malware; prevention is the utmost mitigation.”

Hunt, however, advocated that the huge volume of the data leak, though it seemed to be the first of its kind, was a factor of the underlying threat—complacency.

He pointed out, “Reusing passwords is like asking for trouble.”

Nevertheless, the experts foresaw that the hackers could exploit the database for a long time or even years if they sold authenticated Gmail accounts to online fraudsters.