Millions of Gmail passwords exposed in massive data breach, experts urge users to act immediately

Gmail users worldwide are being urged to change their passwords immediately after cybersecurity experts confirmed a massive data breach that exposed the credentials of more than 183 million accounts. The stolen information, reportedly totaling about 3.5 terabytes of data, was recently added to the Have I Been Pwned database, which tracks global data breaches.

The breach, which surfaced earlier this year and is linked to widespread “infostealer” activity, contained email addresses, passwords, and the websites where the credentials were entered. According to Australian cybersecurity researcher Troy Hunt, who operates the Have I Been Pwned service, the exposed data involves all major email providers but features Gmail accounts most prominently.

“All the major providers have email addresses in there,” Hunt told the Daily Mail. “They’re from everywhere you could imagine, but Gmail always features heavily.”

The compromised data appears to have originated from multiple sources rather than a single attack on Google’s systems. Hunt described it as a mix of “stealer logs and credential stuffing lists” — data typically harvested from infected computers through malicious software that records login details entered into browsers and apps.

A Google spokesperson, responding to Forbes, said the company is aware of the circulating data and emphasized that users can significantly reduce their risk by using the tools already built into Gmail. “This report covers broad infostealer activity that targets many types of web activities,” the spokesperson said. “When it comes to email, users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.”

Google also advised users who suspect unauthorized access to review their “account activity” page, which shows recent sign-ins and connected devices. Those unable to access their accounts are encouraged to use the “account recovery” process to regain control.

In addition, Google said it has a dedicated process for resetting passwords when large-scale credential dumps are detected. The company also offers a password checkup feature built into Google Chrome, accessible via the Password Manager under “Passwords and autofill,” allowing users to see if any saved credentials have been compromised in known breaches.