A massive data leak containing 183 million passwords and login credentials has been added to the Have I Been Pwned (HIBP) database, with Gmail accounts heavily featured. This leak stems from infostealer malware that captured credentials across multiple platforms from April 2025, including Gmail, Outlook, and Yahoo accounts. While not a direct Gmail breach, 16.4 million previously unseen credentials were confirmed as legitimate, with users validating their actual Gmail passwords were included. You should immediately check if your email is compromised at HaveIBeenPwned.com, enable 2-factor authentication, and change any affected passwords. Example: One user discovered their active Gmail password was accurately listed in the leak after receiving notification from HIBP.
What Happened: The 183 Million Password Leak Explained
On October 21, 2025, cybersecurity expert Troy Hunt added 183 million passwords and login credentials to the Have I Been Pwned database. The data originated from infostealer malware monitoring conducted by Synthient over nearly a year, capturing credentials from April 2025.
The leak contains:
- 3.5 terabytes of data with 23 billion rows
- Email addresses, passwords, and associated website URLs
- Credentials from Gmail, Microsoft Outlook, Yahoo, and numerous other platforms
- 16.4 million previously unseen email addresses never before found in any data breach
Hunt’s analysis of 94,000 samples revealed that while 92% were recycled from previous breaches (notably the ALIEN TXTBASE stealer logs), 8% represented fresh compromises. One user confirmed the leak contained their “accurate password on my Gmail account” after being notified by HIBP.
How Infostealer Malware Captured These Credentials
According to Synthient’s analysis, infostealer platforms operate by infecting devices with malware that captures login credentials in real-time. When users log into Gmail or any website, the malware records three key pieces of information:
- Website address (e.g., gmail.com)
- Email address
- Password
This data is then compiled into logs and sold or traded on cybercriminal platforms. Sachin Jade, Chief Product Officer at Cyware, emphasized that “with 183 million pieces of ammunition just fed into the system, you can be sure that cybercriminals are already topping up their attack arsenals.”
Google’s Official Response
Google issued a clarification statement addressing widespread misreporting that framed this as a Gmail breach:
“Reports of a Gmail security breach impacting millions of users are false. Gmail’s defenses are strong, and users remain protected. The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web.”
Google confirmed they have “a process for resetting passwords when we come across large credential dumps such as this” and emphasized that their security systems take action when large batches of compromised credentials are detected.
A Google spokesperson told Forbes: “Users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.”
How to Check If Your Password Was Leaked Using HIBP
- Step 1: Visit HaveIBeenPwned.com
- Step 2: Enter your email address in the search field
- Step 3: Review the results
- If compromised, you’ll see which breaches included your email
- The site shows what data was exposed (email, password, etc.)
- Check the date of each breach
- Step 4: If using Chrome, run Google Password Checkup:
- Open Chrome browser
- Click the three-dot menu (top right)
- Select Passwords and autofill → Google Password Manager
- Click Checkup
- Review compromised, weak, and reused passwords
HIBP is completely free and does not store or misuse your email address. The service checks against billions of leaked credentials from confirmed data breaches.
How to Change Your Gmail Password
- If you can still access your account:
- Go to myaccount.google.com
- Click Security in the left navigation
- Select Password under “How you sign in to Google”
- Enter your current password
- Create a strong new password (minimum 12 characters, mix of letters, numbers, symbols)
- Click Change Password
- If you cannot access your account:
- Visit the Account Recovery page
- Enter your email address
- Answer security questions accurately
- Follow Google’s verification steps (phone number, recovery email, etc.)
- Password best practices:
- Never reuse passwords across accounts
- Use a password manager to generate and store unique passwords
- Avoid personal information (names, birthdays, common words)
Essential Security Steps to Protect Your Account
Immediate actions:
- Enable 2-Step Verification (2FA)
- Go to Google Account Security
- Select 2-Step Verification and follow setup instructions
- Use authenticator apps rather than SMS when possible
- Review Account Activity
- Check recent security activity
- Look for unfamiliar sign-ins or device access
- Remove any unknown devices
- Adopt Passkeys
- Passkeys eliminate password vulnerabilities entirely
- Set up at g.co/passkeys
- Run Security Checkup
- Visit Google Security Checkup
- Address all recommended actions
Long-term protection:
- Never click suspicious links in emails claiming to be from Google
- Install reputable antivirus software to detect infostealer malware
- Keep operating systems and browsers updated
- Use a password manager with breach monitoring
- Regularly audit third-party app permissions