Image: 183 million passwords leaked. (picture alliance via Getty Images)
Updated Oct. 27 with an official statement from Google regarding the infostealer log dump and further advice from Gmail regarding compromised passwords.
I reported on a data leak earlier this year that included a whopping 184,162,718 passwords and logins affecting the likes of Apple, Facebook and Instagram users. That data leak was disclosed on May 22, and now, in a rather spooky-seeming coincidence, news of 183 million passwords and login credentials from an April 2025 breach has emerged. When adding the website URLs, email addresses and passwords to the Have I Been Pwned database, its owner, Troy Hunt, said the data consisted of both “stealer logs and credential stuffing lists,” including confirmed Gmail login credentials. Here’s what we know and what you need to do.
What We Know About The 183 Million Passwords Data Leak
Have I Been Pwned is something of a staple resource for anyone who is genuinely concerned about their account login security. Why so? Because it’s the go-to for discovering when any of your email addresses, accounts or passwords are found in data leaks, dark web password breach lists and the like. Best of all, it’s entirely free to use. When a new entry appears with the number of affected accounts listed as 183 million, and the compromised data listed as email addresses and passwords, more than a few heads will pop up above the parapets and pay attention. Mine certainly did following the Oct. 21 addition.
Having done some digging for further information, I was drawn to a lengthy analysis by Hunt himself, which looked inside the Synthient threat data provided to HIBP. Benjamin Brundage from Synthient revealed in a blog posting that the data came from monitoring infostealer platforms over the course of close to a year.
The total amount of information sent to HIBP comprised 3.5 terabytes of data, 23 billion rows of it in all. The output of the stealer logs concerned, Hunt said, consisted primarily of three things: website address, email address and password. “Someone logging into Gmail,” Hunt wrote, “ends up with their email address and password captured against gmail.com, hence the three parts.” Of course, there’s a lot of recycling of credentials that goes on in the cybercriminal world, so Hunt initially wanted to check the freshness of the database he had in his hands.
An analysis of a sample of 94,000 records revealed that 92% were not, in fact, new. “Most of what has been seen before was in the ALIEN TXTBASE stealer logs,” Hunt confirmed. However, the math wizards out there will have noted that this still leaves 8% that is new and fresh, or more than 14 million credentials if you extrapolate it. Actually, the final tally was 16.4 million addresses previously unseen in any data breach, not just in stealer logs.
HIBP also checks whether the credentials are genuine by sending some of the details to impacted HIBP subscribers. “One of the respondents was already concerned there could be something wrong with his Gmail account,” Hunt said, and that person was able to validate that the entry was “an accurate password on my Gmail account.”
Check If Your Gmail Passwords Are Impacted Now
Of course, it is not just Gmail users who will be affected by this leak, so I would advise everyone to go and check at HIBP to see if their account credentials might be included.
I reached out to my contacts at Google for a statement, and a spokesperson told me: “This report covers broad infostealer activity that targets many types of web activities. When it comes to email, users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.”
Google also advised Gmail users that if they have any reason to believe that their accounts have been hacked, they should immediately sign in and review the account activity. If you can’t sign in, Google said, then head for the account recovery page and answer the questions that are presented to the best of your ability.
“Additionally, to help users, we have a process for resetting passwords when we come across large credential dumps such as this,” Google noted.
If you use the Chrome password manager, you can check whether your Gmail password is exposed, weak or used for multiple account logins with the Google Password Checkup feature. On a computer, this is accessible from Chrome by selecting Passwords and autofill from the top right menu, and then Google Password Manager | Checkup.
Use the Google Password Manager Checkup
This will reveal whether you are using any passwords that are known to be compromised, as will most other password manager applications and the Have I Been Pwned? database check mentioned earlier, and it also flags any weak passwords you have in active use. “We’ll ask you to change your Google Account password if it might be unsafe, even if you don’t use Password Checkup,” Google said. And then, of course, there are those passwords that you reuse across multiple accounts and services, which Google will also tell you about. Speaking of which, please do not do that; it is a recipe for disaster, as this kind of password leak demonstrates all too well for Gmail users and everyone else, for that matter. As Google noted, in a clear case of necessarily stating the obvious: “We recommend that you change any compromised passwords as soon as you can.”
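The two checks described above, as an added example that is not code from the article, Google or HIBP: a compromised-password lookup in the k-anonymity style HIBP’s Pwned Passwords service uses (only the first five characters of the SHA-1 hash leave the device, and the suffix is compared locally against the returned range), and a reuse check over records in the “website, email, password” shape the stealer logs take. The records and the range response are constructed samples, and `fetch_range` is the only part that touches the network.

```python
import hashlib
from collections import defaultdict

# Constructed records in the three-part stealer-log shape; not real leaked data.
SAMPLE_RECORDS = [
    ("https://gmail.com", "alice@example.com", "password"),
    ("https://shop.example", "alice@example.com", "password"),
    ("https://bank.example", "alice@example.com", "correct horse battery"),
    ("https://gmail.com", "bob@example.com", "Tr0ub4dor&3"),
]

# Constructed stand-in for a Pwned Passwords range response (SUFFIX:COUNT lines).
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "2B6C4F1DE0A3A0ABCD1234567890ABCDEF0:7\n"
)

def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_response: str) -> int:
    """Scan a range response locally; return the breach count for our suffix
    or 0 when it is absent (blank or malformed lines are skipped)."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def reused_passwords(records):
    """Return {(email, password): [sites]} for every password that one email
    uses on more than one site, mirroring the reuse warning Password Checkup gives."""
    sites = defaultdict(set)
    for site, email, password in records:
        sites[(email, password)].add(site)
    return {key: sorted(s) for key, s in sites.items() if len(s) > 1}

def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix from the real HIBP range endpoint."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

A live check is `count_in_range(suffix, fetch_range(prefix))` with `prefix, suffix = split_hash(pw)`; a non-zero count means the password has appeared in a known breach and should be changed.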