A fresh cybersecurity scare has emerged as 183 million email and password combinations have been leaked online, including confirmed Gmail logins.
The breach, traced back to April 2025, now forms part of the massive data trove added to the Have I Been Pwned (HIBP) database.
This revelation follows another major leak earlier this year, which affected over 184 million accounts linked to platforms like Apple, Facebook, and Instagram.
Cybersecurity expert and HIBP founder Troy Hunt has now confirmed that this new batch of compromised credentials is both significant and troubling.
“Someone logging into Gmail ends up with their email address and password captured against gmail.com, hence the three parts,” Hunt wrote.
Massive Database Includes Gmail, Website URLs, And Passwords
According to Hunt, the newly added data includes website addresses, email addresses, and plaintext passwords. The breach appears to draw on a combination of stealer logs and credential stuffing lists, both widely used by cybercriminals to extract and exploit user login data.
As part of the investigation, Benjamin Brundage from Synthient shared that the data was collected by monitoring infostealer platforms over nearly 12 months.
- Size of data shared with HIBP: 3.5 terabytes
- Total entries: 23 billion rows
- New and previously unseen credentials: 16.4 million
HIBP conducted sample testing of 94,000 entries, finding that 8% (approximately 14 million) were entirely new, never appearing in any prior breach records.
One impacted user confirmed to HIBP: “An accurate password on my Gmail account.”
Here’s What You Should Do
Check your email and password combinations immediately on Have I Been Pwned. Whether you’re a Gmail user or not, this breach likely affects more than just one platform.
If your credentials are compromised:
- Change your passwords straight away.
- Avoid reusing the same password across multiple platforms.
- Enable two-factor authentication (2FA) wherever possible.
- Use a trusted password manager to generate strong, unique credentials.
Important Tip: Even if your email isn’t listed in this breach, you should still regularly monitor your accounts. Cybercriminals often hold data for months before using or selling it.
Why This Breach Matters
While the dataset isn’t limited to Gmail users, confirmed Gmail credentials raise particular concerns. Gmail serves as the login backbone for countless other services, from cloud storage and YouTube to Google Pay and workspace tools.
This breach further highlights the dangers of:
- Credential reuse – one password leak can lead to multiple account takeovers.
- Phishing scams – criminals now armed with valid logins may target users with personalised attacks.
Unique Insight: How Are These Credentials Verified?
HIBP doesn’t just upload random data dumps. The platform verifies breaches by contacting affected subscribers to confirm the legitimacy of leaked credentials.
In this case, a user already suspicious about his Gmail account activity responded: “An accurate password on my Gmail account.”
This kind of confirmation adds weight to the credibility of the breach and underscores the need for vigilance.
Google’s Response
At the time of writing, Google has yet to issue a public statement regarding the confirmed Gmail credentials found within the breach. UK News Blog has reached out to Google for comment and will update readers once an official response is received.
With credential theft becoming more sophisticated and widespread, users must remain proactive. Use HIBP to check your email addresses, monitor any unusual activity, and adopt strict password hygiene.
As always, the best line of defence is awareness and prompt action.
UK News Blog recommends setting a recurring reminder to check your email addresses in HIBP every few months. Prevention is far easier than damage control.



