Media outlets have reported a massive email data leak allegedly involving 183 million compromised accounts. According to the breach-notification platform Have I Been Pwned, the leaked database includes email addresses paired with their corresponding passwords, while the breach dates back to April.
The reports indicate that the exposed credentials were likely collected through malware infections rather than a direct breach of Google’s servers.
The Anatomy of the Leak
Recently, “Have I Been Pwned” acknowledged they added a new dataset containing around 183 million email addresses and their matching passwords. According to media reports citing HIBP, the data came from logs of infostealer malware infections, not a direct breach of servers. The dataset reportedly comprised 3.5 terabytes of data and 23 billion rows, according to Troy Hunt, owner of HIBP.
Troy Hunt said that this dataset can be searched by email, password, or domain, noting that a large portion relates to Gmail account credentials. He added that the passwords were saved in plaintext alongside information about the websites where they were used.
A Heise Online blog explained how the dataset was collected via infected devices and cybercrime channels. According to the leading German-language high-tech news outlet, the credentials were exfiltrated by infostealers that are Trojans installed on the targeted users' devices, supposedly originating from cracked software installed by the user or through some security vulnerabilities in the software they used.
Such a breach occurs when victims log into services, sending the data to command-and-control servers, where it ends up in accessible cloud storage or Telegram channels, allowing it to be reassembled or merged with other datasets.
According to Heise Online, Troy Hunt received the dataset in April 2025 and cleaned it to identify 183 million “unique credentials,” including the website where they were entered, along with the username and password. The data is now searchable via the site using these credentials. Other experts added that the data came from monitoring infostealer platforms over the course of nearly a year.
The HIBP site originally focuses on collecting known or organizational data leaks and adding them to its database. However, Troy Hunt decided this time to also include publicly surfaced data stolen by infostealers.
To protect victims’ privacy, Troy explained that direct searches using email addresses do not reveal infostealer data. For example, the dataset includes the websites where the credentials were collected, and such information could potentially harm victims if it involves sensitive domains.
Troy further clarified that the data includes domains with words like “Porn,” “Adult,” or “xxx.” He added that users interested in checking their information can have it sent to their email via HIBP’s “Notify Me” service, which requires registration and email confirmation through a link sent directly to the user’s inbox.
However, other reports suggest that infostealers often capture more than just credentials. They may also harvest browser cookies and bypass two-factor authentication to access accounts without needing a password.
Were Google Systems Breached?
According to Forbes, nothing proves a breach of the Google systems. It indicates the data was collected from malware-infected personal devices where the users logged in with their credentials.
Davey Winder, journalist at Forbes, reached out to Google for a statement. The Google spokesperson told him the report “covers broad infostealer activity that targets many types of web activities. When it comes to email, users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.
Additionally, the company advised users, through the statement, to immediately sign in and review their account activity in case of a doubt and cited that “to help users, we have a process for resetting passwords when we come across large credential dumps such as this.”
Google further clarified on X (formerly Twitter) (@NewsFromGoogle) that “Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defenses are strong, and users remain protected.”
“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform,” the Google thread added.
Google acknowledged that Gmail takes action when it “spots large batches of exposed credentials, helping users reset passwords and resecure accounts.”
Following Google’s publication, Troy Hunt reposted the publication, clarifying “this ‘is not’ a Gmail leak, it simply has the credentials of victims infected with malware, and Gmail is the dominant email provider.”
“There is every imaginable type of email address in this corpus: Outlook, Yahoo, corporate, government, military and yes, Gmail. This is typical of a corpus of data like this and there is nothing Google specific about it,” Troy explained.
Commenting on Google’s statement, Troy says: “It sucks that our friends at Google have to invest time clarifying their position on this. If only I’d written a detailed blog post explaining exactly where this data came from and how it’s obtained.”
What’s the Cost of a Sensitive Data Leak?
It’s important to remember that usernames, email addresses, and passwords are not just random bits of data. However, they are personal keys that unlock parts of users’ digital lives. Once exposed, they can give access to much more than an inbox and emails, including cloud storage, banking details, private photos, location data, or even intimate conversations.
This kind of information, when leaked, does not just threaten users’ online security, it can put their families at risk too, eroding trust and privacy.
Beyond digital theft, exposed sensitive information can also be weaponized into social engineering, turning a data breach into real-world harm, manipulation, blackmail, fraud and imposture, or emotional distress for victims.
Read More
2016 Video of Child Beheading in Syria Shared in Relation to Operation Al-Aqsa Flood
Read More
Most Read
Report a Claim
Alert the Misbar team about false news, rumors or stories that need verification, or request clarification.
Follow us on social media
