A massive leak has exposed over 183 million email passwords, including tens of millions connected to Gmail accounts, in what cybersecurity experts describe as one of the largest credential dumps ever recorded.
According to reports, the stolen cache — about 3.5 terabytes of data — surfaced online earlier this month.
Troy Hunt, founder of the breach-notification platform Have I Been Pwned, revealed that the data was gathered from a yearlong sweep of “infostealer” malware platforms that covertly collect usernames and passwords from infected devices.
The dataset contains 183 million unique accounts, including around 16.4 million email addresses not previously linked to known breaches. Users can check whether their data was compromised by visiting HaveIBeenPwned.com and entering their email addresses.
Security firm Synthient, which analysed the logs, said the records originated from criminal marketplaces and underground Telegram channels where hackers exchange stolen credentials.
While most of the entries were recycled from older leaks, millions of newly compromised Gmail accounts were confirmed when affected users verified that the exposed passwords still worked.
Experts warn that the implications extend far beyond email, as many victims reuse passwords across multiple platforms — from financial apps to social media — making them vulnerable to full account takeovers through credential stuffing.
Google, however, clarified that Gmail’s systems were not breached, noting that reports suggesting otherwise were misleading.
“Reports of a Gmail security breach impacting millions of users are inaccurate,” a Google spokesperson said. “These credentials stem from infostealer activity, not a direct attack on Gmail. We encourage users to enable 2-step verification and use passkeys as safer alternatives to passwords.”
Cybersecurity experts globally have advised users to change their passwords immediately and activate two-factor authentication.
British security analyst Michael Tigges explained that the incident was not tied to a single data breach but rather to accumulated malware logs collected over time.
“This highlights why users should avoid reusing passwords and rely on encrypted password managers instead of browser-based storage,” Tigges said.
Researchers believe most stolen credentials were obtained through phishing schemes, fake software downloads, or malicious browser extensions, often without victims realizing their devices were infected.
“The real danger isn’t just the leak, it’s complacency,” Hunt warned. “Reusing passwords is a recipe for disaster.”
Google’s Password Manager and Security Checkup tools can help users identify weak or compromised passwords and automatically prompt users to reset them.
Experts further recommend keeping antivirus software updated and downloading apps only from verified and trusted sources.