Urgent alert for Gmail users after 183 million password leak

183 million passwords leaked in massive infostealer dump, Google accounts confirmed

A colossal database containing 183 million email addresses and passwords has been added to the “Have I Been Pwned” (HIBP) breach-tracking service, with confirmed login credentials for Gmail, Outlook, Yahoo, and other major services.

The data was disclosed by HIBP owner Troy Hunt on October 21 and stems from “infostealer” malware infections over the past years.

While this is not a direct breach of email providers like Google, it may give cybercriminals a direct route to malicious attacks, using the stolen usernames and passwords to break into other accounts.

What was leaked and where did it come from?

The threat intelligence company Synthient provided HIBP with the 3.5 terabytes of data, which consists of “stealer logs,” records harvested by malware installed on victims’ computers.

Each log record mainly holds three pieces of information: the URL, the email address, and the password.
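As an added example (not code from the article, HIBP, or Synthient), this is how a defender given such records could list which of their organisation's accounts appear and for which sites, without retaining any password. The one-record-per-line `URL:email:password` layout, the function names, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records. The "URL:email:password" line layout is an
# assumption; the article only says a record holds those three fields.
SAMPLE_LINES = [
    "https://accounts.google.com/signin/v2:alice@example.com:Summer2024!",
    "https://login.live.com:443/login.srf:bob@example.org:p@ss:word",
    "https://mail.example.com/owa:Alice@Example.com:hunter2",
    "not a stealer record",
    "https://shop.test/checkout:carol@example.com:",
]

def _is_email(field):
    local, at, domain = field.partition("@")
    return bool(local and at and "." in domain and "@" not in domain and "/" not in field)

def parse_record(line):
    """Return (host, email), or None if unusable. The password is never kept."""
    scheme, sep, rest = line.strip().partition("://")
    if not sep:
        return None
    fields = rest.split(":")
    # Ports and passwords can both contain ':', so anchor on the email field.
    idx = next((i for i, f in enumerate(fields) if i > 0 and _is_email(f)), None)
    if idx is None or not ":".join(fields[idx + 1:]):
        return None  # no email found, or no password was captured
    try:
        host = urlsplit(scheme + "://" + ":".join(fields[:idx])).hostname
    except ValueError:
        return None
    return (host, fields[idx].lower()) if host else None

def exposed_accounts(lines, org_domains):
    """Map each in-scope email to the sites it was captured for; count skips."""
    report, skipped = defaultdict(set), 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        host, email = rec
        if email.rsplit("@", 1)[1] in org_domains:
            report[email].add(host)
    return {e: sorted(h) for e, h in report.items()}, skipped

if __name__ == "__main__":
    print(exposed_accounts(SAMPLE_LINES, {"example.com"}))
```

Each email in the result is a candidate for a forced password reset on every listed site, since the same credentials may be reused elsewhere.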

Hunt explained that the hacker can access users’ “email address and password captured against gmail.”

According to preliminary reports, 92% of the credentials originate from previous breaches, while 8% (around 16.4 million email addresses) are newly leaked and previously unseen in any known breach.

Additionally, the authenticity of the data has been verified. Hunt reported that one HIBP subscriber confirmed the leaked credentials were, in fact, the accurate password for their Gmail account.

Google’s response and user action steps

Google issued a clarification statement stating, “Reports of a ‘Gmail security breach impacting millions of users’ are false.”

“Gmail’s defenses are strong, and users remain protected. The inaccurate reports are stemming from a misunderstanding of infostealer databases,” the statement added.

However, to stay protected from credential theft, the company recommends that users take the following measures:

  • Use the free HIBP website to see if your email is in this or any other breach
  • Enable two-factor authentication to add a second layer of security
  • Use strong and unique passwords. Additionally, stop reusing passwords across different sites.
  • Google recommends using passkeys instead of passwords.
  • Change your password immediately if your email is found in any breach