
A massive collection of 183 million email passwords, including millions of Gmail accounts, has been exposed through infostealer malware campaigns, cybersecurity researchers revealed this week. The breach, which emerged in the Have I Been Pwned database on October 21, represents one of the largest credential leaks recorded in 2025.
Google has strongly refuted characterizations of the incident as a Gmail breach, clarifying on social media that “reports of a ‘Gmail security breach affecting millions of users’ are false”. The company explained that the compromised accounts stem from malware infections on users’ devices rather than a security breach of Gmail’s servers.
Mass data collection from malware networks

The exposed data represents nearly a year of monitoring of infostealer malware activity by cybersecurity firm Synthient, which tracked credentials circulating through clandestine channels on Telegram, social media platforms, and dark web forums. Troy Hunt, creator of Have I Been Pwned, confirmed that the dataset contains 3.5 terabytes of information spanning 23 billion records.
Hunt verified the authenticity of the credentials by contacting affected users, with one subscriber confirming that the leaked information matched “an exact password for my Gmail account”. The dataset includes website URLs, email addresses, and passwords captured when users logged into various services on infected devices.

Although 91% of the exposed credentials had been previously identified in other data breaches, approximately 16.4 million email addresses had never appeared in any previous data breach records. Security researchers warn that the inclusion of active passwords significantly increases the risk of credential stuffing attacks across multiple platforms.
