A massive dataset containing 183 million email and password pairs has surfaced online, prompting fresh warnings for Gmail users and anyone who reuses credentials.
The trove, totaling 3.5 terabytes, was added to ‘Have I Been Pwned’ (HIBP) and includes website URLs, email addresses, and passwords collected from “infostealer” malware and credential stuffing lists.
Security researcher Troy Hunt, who runs HIBP, said the logs were amassed across nearly a year from criminal marketplaces and Telegram channels.
The cache also includes Outlook, Yahoo and other providers; Gmail features heavily because of its global scale.
Importantly, experts stress this is not a direct hack of Gmail, but a mass harvest of credentials from infected devices and past breaches.
Google said there is no new Gmail-specific attack.
The company uses layered defenses and triggers password resets when it detects credential theft.
It recommends enabling two-step verification and adopting passkeys, which replace passwords with device-based cryptographic login.
Infostealer malware quietly scrapes everything a victim types or saves in the browser, including emails, cloud services, and shopping accounts.
The data is then recycled for years. Attackers test these username-password pairs across many sites (“credential stuffing”), turning one exposure into many compromises.
Protection mechanism to secure your Gmail account
According to Forbes, users should visit HaveIBeenPwned.com and enter their email to see if it appears in the new dataset.
If it does, or if you reuse passwords anywhere, change your email password immediately.
Generate unique passwords for every site with a reputable password manager, and turn on two-factor authentication everywhere. Prefer passkeys where supported.
Reduce future risk by scanning devices for malware, updating antivirus, avoiding pirated or “cracked” software, and removing risky browser extensions.
Never store bank or email credentials in plain text, and beware of malware attachments.
Even strong passwords can be stolen on infected machines; unique credentials, 2FA, and passkeys sharply limit the blast radius of an infection.



