A new data compilation containing 183 million email addresses and passwords has surfaced online, with confirmed Gmail credentials among the leaked information. Troy Hunt, a cybersecurity expert managing the Have I Been Pwned (HIBP) platform, verified the breach.
The leaked data includes site URLs, email addresses, and plaintext passwords, collected from infostealer malware and credential-stuffing lists compiled in April 2025. According to Hunt, the database spans 3.5 terabytes and holds about 23 billion rows of login records.
HIBP confirmed that at least one Gmail user validated their password from the dataset, proving the breach is authentic. This confirmation raises serious concerns, as Gmail access often leads to control over other linked accounts and services.
In a sample of 94,000 entries, Hunt found that about 92% of the credentials had appeared in older leaks. However, roughly 8% were previously unseen, translating to over 14 million new credentials in the complete dataset.
The dataset is global and impacts multiple online platforms, not just Gmail. Because each record includes the service URL, attackers can easily automate credential-stuffing attacks on the correct platforms.
What Users Should Do
Experts have advised users to:
- Check their exposure on Have I Been Pwned[1].
- Change reused passwords immediately, starting with Gmail.
- Enable two-factor authentication (2FA) for added protection.
- Use unique passwords for each service, preferably through a password manager.
- Consider passkeys or stronger authentication methods.
This breach highlights the ongoing risk of credential reuse and the growing use of combo lists by cybercriminals. Experts expect a rise in credential-stuffing attacks targeting major email providers.
As companies push toward passwordless authentication, users must remain vigilant. Changing passwords and enabling 2FA remain the best immediate defences.
References
- ^ Have I Been Pwned (haveibeenpwned.com)