Were nearly a tenth of the world’s Gmail passwords stolen? Stories circulating on social media in recent weeks claiming the theft of 183 million account credentials began turning into mainstream media stories, prompting Google to issue a statement that its mail service has not suffered a data breach and that the collection of credentials appears to be an underground forum collection made up of previously leaked data from numerous other sources.
Google: No new passwords stolen, alleged breach material is collection of old information
Google issued an explanatory series of posts on X outlining that there were no new passwords stolen, and that any legitimate credentials came from an assortment of prior data breaches stretching back years that have been circulating on underground forums. Much of the collection was built via infostealer malware installed on assorted individual systems and networks during compromises.
Had the breach claims been legitimate, the theft would have affected nearly a tenth of the roughly 2.5 billion Gmail users worldwide. However, many of the affected users have likely already had these compromised passwords detected by Google’s security systems and been prompted to change them. Some of the credentials also likely belong to long-abandoned accounts.
A technical breakdown of the collection by Have I Been Pwned finds that of the reported 183 million passwords stolen, only about 16.4 million accounts had not previously been seen by the data breach aggregation website. There is likely some amount of junk data amidst this collection, but confirmed valid credentials included on these new rolls very likely came from infostealer logs from various sources that had not yet surfaced publicly. Google indicates that there is not one known point of failure or new data breach responsible for any kind of comparably large-scale theft.
The data set also has passwords stolen from Yahoo and Outlook as well as other email and web services, about 100 in total.
3.5 terabyte trove assembled from prior data breaches
Part of the confusion is also a follow-on effect of multiple campaigns against Salesforce and Salesloft customers that unfolded over the summer and involved different threat actors. Google was impacted (along with many other companies) both via a downstream attack from a breach of the Salesloft Drift AI chatbot’s GitHub account, and as part of the ShinyHunters / Scattered Spider campaign of social engineering against isolated Salesforce installations. In both cases Google reported limited impact from the data breach and no theft of Gmail or other service credentials outside of a “limited amount” of Google Workspace accounts. However, some speculative headlines in the early going of these breaches used the global total of 2.5 billion Gmail users as the theoretical ceiling of attack damage without adequately clarifying that these accounts were not in fact known to be compromised. This in turn led to a rash of misinformed posts across social media claiming that Gmail was fully compromised and that user passwords had been exposed.
The incident does put a spotlight on how many stolen credentials are quietly circulating among criminals without being reported in the news or to sources like Have I Been Pwned, however. There are potentially tens of millions at any given time being traded around via private Telegram channels and Discord servers before they surface, sometimes years later, in publicly posted combination files dropped to underground forums. These files often come together and grow to massive size as hacking groups combine them to ask for more money in private sales; they often do not make it to public attention until they are determined to have little to no real value left other than dumping them to a forum for clout. And beyond an initial login attempt to verify their functionality, credentials stolen in a data breach may not actually be maliciously used until weeks or months later as they are sold around to various threat actors.
Though Google is not prompting all Gmail users to reset their passwords, as it sometimes does when large password leaks appear, it might be a good time to check Have I Been Pwned and proactively change the password if the account appears in its lists. The company also recommends enabling two-step verification and switching from passwords to passkeys as an alternative. For those that use the Chrome browser, the Password Manager Checkup tool will automatically scan saved credentials and provide a warning if any have been flagged as part of a data breach or are considered insufficiently strong (or if one is simply using the same password for two or more different accounts).
Erich Kron, CISO Advisor at KnowBe4, notes that those that have passwords stolen often fall into a number of predictable buckets: “The significant volume of passwords that are compromised annually should be a very motivating factor in enabling Multi-Factor Authentication (MFA) and should drive people to consider the importance of securing accounts, especially email accounts. Email accounts are the nexus of our digital identity, allowing us to sign up for accounts and to reset passwords for accounts that we may already have. For a bad actor, the ability to reset passwords to retail and banking accounts is the ultimate prize, and for the victim, a nightmare. In addition to giving bad actors the ability to reset passwords, they also know that people have the bad habit of reusing passwords across a myriad of services including their banking and financial services. The theft of these credentials can allow cybercriminals to easily empty bank and retirement accounts, and fund some extreme shopping sprees. People should be very careful about protecting their accounts by keeping them unique and applying MFA whenever possible. Tools such as password vaults can be instrumental in securing accounts and being able to remember even the most obscure password when needed.”
Sachin Jade, Chief Product Officer at Cyware, provides some advice for security professionals: “Compromised credential monitoring and management have become essential components of any mature cybersecurity strategy, especially as credential-based attacks remain a leading cause of breaches. Within a unified threat management paradigm, real-time visibility into compromised credentials enables organizations to correlate identity-related risks with broader attack vectors such as network and endpoint threat indicators. This holistic approach not only allows faster detection of credential misuse but also strengthens response coordination across layers of defense—network, application, and identity—creating a more resilient security posture. In addition, aligning credential monitoring with a firm’s overall risk management framework helps organizations prioritize response based on contextual risk rather than isolated incidents. By integrating credential intelligence, security teams can dynamically adjust access controls, enforce adaptive authentication, and preempt lateral movement by attackers using stolen credentials. Ultimately, this alignment transforms credential management from a reactive safeguard into a proactive risk governance mechanism and supports the organization’s broader goal of reducing & managing attack surface exposure.”
Satnam Narang, Senior Staff Research Engineer at Tenable, adds some advice for end user security: “One of the most common challenges when it comes to stolen account credentials is the re-use of passwords. So when data like this is out there, the main challenge is, if users have re-used those passwords on other websites, an attacker could try to conduct ‘credential-stuffing’ attacks, where they attempt to stuff a bunch of email address/password pairs onto websites to see which ones return a successful login. The safety measures that users can utilise are to start by not re-using passwords, leveraging a password manager, whether it is built into their devices (e.g. Android or iOS), or a third-party (1Password, Bitwarden, etc.), and utilising multi-factor authentication, where a second factor is required in order to log in. This includes SMS one-time passcodes, authenticator applications that generate a passcode every 60 seconds, as well as hardware tokens like a YubiKey or Titan Security Key. These are some of the security measures users can utilise to protect their accounts.”