A staggering 183 million email passwords have been leaked online, including tens of millions belonging to Gmail users, in what cybersecurity researchers are describing as one of the largest credential exposures ever recorded. The leaked trove, estimated at over 3.5 terabytes, was recently uncovered by Troy Hunt, the Australian cybersecurity expert who manages the breach-notification platform Have I Been Pwned (HIBP).
According to Hunt, the exposed data originated from a network of “infostealer” malware—programs that secretly collect usernames, passwords, and login details from infected devices. The dataset reportedly combines “stealer logs” and credential-stuffing lists, which are often used by cybercriminals to test stolen passwords across different online platforms.
Millions of Newly Exposed Accounts
The dataset contained 183 million unique accounts, with roughly 16.4 million email addresses not previously seen in any other known breach tracked by HIBP. Hunt explained that users infected by infostealer malware may have unknowingly shared their login credentials, such as Gmail addresses and passwords, with cybercriminals.
While many of the exposed records were recycled from past breaches, analysts found millions of Gmail credentials that were still valid. The leak, initially detected in April 2025 and made public last week, also included login information from services like Outlook, Yahoo, and hundreds of other websites, exposing a wide range of personal and business accounts.
Researchers warned that even though much of the data is old, the discovery of millions of still-active logins demonstrates how vulnerable users remain when they reuse passwords or fail to change them after previous breaches.
How Hackers Gathered the Data
Cybersecurity firm Synthient, which helped analyze the leaked information, said the records were pulled from dark web marketplaces and underground Telegram channels where stolen credentials are exchanged in bulk. According to Synthient analyst Benjamin Brundage, the leak highlights how extensive infostealer malware activity has become across the internet.
Most victims were unaware that malware on their computers or browsers had silently extracted login details. Experts believe the stolen information was largely gathered through phishing emails, fake software downloads, and malicious browser extensions that trick users into installing harmful programs.
Google Responds: No Breach of Gmail Systems
Following widespread speculation on social media about a potential Gmail breach, Google confirmed that its systems were not directly hacked. Instead, the company said the exposed Gmail passwords were the result of malware stealing data from users’ own devices — not from Google’s servers.
In a statement to the press, Google explained that this incident was related to “infostealer activity,” not a direct compromise of Gmail. The company advised users to take preventive steps by enabling two-step verification, using passkeys, and regularly updating passwords, especially after major leaks like this one.
Google’s Password Manager Checkup tool, built into Chrome, also alerts users if their saved logins are weak, reused, or compromised. When large dumps of stolen credentials are detected, Google automatically prompts affected users to reset their passwords.
Experts Warn Against Password Reuse and Browser Storage
Security analysts say the greatest danger comes not from the breach itself, but from the millions of people who reuse the same password across multiple accounts. This makes them easy targets for “credential stuffing”—a technique where attackers try stolen username-password combinations on various platforms, from email to banking apps.
British analyst Michael Tigges of Huntress noted that the exposed data was not from a single company hack but an aggregation of millions of logs collected by infostealer malware. He warned that storing passwords in browsers, while convenient, makes users more vulnerable to malware attacks.
Cybersecurity expert Graham Cluley also emphasized that users should rely on encrypted password managers instead of browsers, as malware can easily scrape stored credentials. “Having different passwords for every account remains one of the simplest yet most effective protections,” he said.
What Users Should Do Now
Security experts are urging everyone to check if their information has been compromised by visiting HaveIBeenPwned.com, where users can enter their email addresses to see if they appear in the breach.
If an account is flagged, experts recommend immediately taking the following steps:
- Change passwords across all major accounts, especially email and financial platforms.
- Enable two-factor authentication (2FA) for added protection.
- Avoid reusing passwords and store them securely in a password manager.
- Keep antivirus software updated to prevent malware infections.
- Be cautious with software downloads and browser extensions.
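Both the HaveIBeenPwned lookup recommended above and Google's Password Checkup rely on the same idea: a client can learn whether a secret appears in a breach corpus without revealing the secret to the service. HIBP's Pwned Passwords API does this with k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every known suffix for that prefix with a breach count. The Python below is an added example of that client-side check (not code from the article, HIBP or Google). The live `fetch_range_live` function hits the real endpoint; the demo and test instead use `CONSTRUCTED_RESPONSE`, a made-up response body whose counts are placeholders, so the block runs offline.

```python
"""Check a password against HIBP Pwned Passwords without sending the password.

Added example, not from the article or from HIBP. The range endpoint and the
SUFFIX:COUNT response format are HIBP's documented API; the sample response
embedded below is constructed and its counts are made up.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Tolerates CRLF and blank lines; padding entries (count 0) are kept."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def fetch_range_live(prefix):
    """Real network lookup of one hash prefix (not used by the offline demo).
    Add-Padding asks the server to pad the response so its size does not
    leak which prefix was queried."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_live):
    """Number of times the password appears in the corpus (0 = not found).
    Only the prefix leaves the machine; the suffix match happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the response to prefix 5BAA6, which is the SHA-1
# prefix of the string "password". The suffixes other than the first and all
# counts are made up for the offline demo.
CONSTRUCTED_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0000000000000000000000000000000000A:3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def fetch_range_offline(prefix):
    """Offline substitute: returns the constructed body for any prefix."""
    return CONSTRUCTED_RESPONSE


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {pwned_count(pw, fetch_range_offline)} times (constructed data)")
```

Because the password's full hash never leaves the device, this check is safe to build into a sign-up or password-change flow: a count above zero is a reason to reject the password, and a count of zero says only that the password is not in the corpus, not that it is strong.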