PC Gamer
James Bentley

Google claims the 'security breach impacting millions of users' is simply 'inaccurate reports stemming from a misunderstanding'


Earlier this week, reports came out claiming that 183 million Gmail passwords were exposed in a data leak. Google has since disputed this claim (via its X account), describing these as "inaccurate reports" that are "stemming from a misunderstanding of infostealer databases."

As spotted by Bleeping Computer, this report was picked up by major outlets, but it seems to have come from a database that compiled "various credential theft activity occurring across the web". Effectively, the data appears to be a broader database, rather than the result of a single new attack, and crucially, doesn't represent "any one person, tool, or platform."

This all stems from a new update made to Have I Been Pwned (HIBP), a website where you can check if your data has been breached. Last week, HIBP owner Troy Hunt posted to his blog, announcing that they had added 183 million unique email addresses to the site, with over 14 million being addresses that were never before present on the site.

HIBP was sent 3.5 terabytes of data through a new source, which compiles data taken from stealer logs (like phishing scams and malware) and credential stuffing (data breaches where data is easily crackable). These data will have been taken from any number of sites, and though Gmail will comprise part of that, we don't know how large that part is or exactly where it came from.

This is to say that while more breaches have been found, those breaches aren't necessarily new and can't be attributed to Gmail. Google does state in the last of its tweets on the matter, "Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts."

Hunt reflects on these data breaches in his most recent blog and claims that treating them as a more singular breach is "not an accurate representation of how these things work". He goes on to compare the breaches in the larger data file to that of a hose, spraying data everywhere at all times. "The data itself is still on point, but I'd like to see HIBP better reflect that firehose analogy and provide a constant stream of new data."

It's still a pretty good reminder to set up 2-step verification if you haven't. Even if your password is leaked, bad actors would need access to your authenticator to get into your account. Now, excuse me for a moment while I check I've enabled mine.
