Cybersecurity researchers at Synthient uncovered a collection of 183 million email passwords, including millions from Gmail accounts, exposed via infostealer malware campaigns. The data appeared on the Have I Been Pwned database on October 21, 2025, due to monitoring of underground channels, marking one of the largest credential leaks of the year.
Google addressed the incident publicly, rejecting claims of a direct Gmail security breach. In a statement on social media, the company declared that “reports of a ‘Gmail security breach impacting millions of users’ are false.” Officials emphasized that the compromised credentials originated from malware infections on individual users’ devices, not from any vulnerability in Gmail’s server infrastructure. This distinction highlights how the data was gathered through persistent threats targeting end-user systems rather than centralized service failures.
The dataset stems from nearly a year of intensive monitoring by Synthient, a cybersecurity firm focused on tracking infostealer activities. Researchers observed credentials being shared and sold across platforms such as Telegram, various social media sites, and dark web forums. These underground networks serve as hubs where cybercriminals exchange stolen information obtained from infected machines worldwide. Troy Hunt, the creator and maintainer of the Have I Been Pwned service, analyzed the submission and confirmed its scale, noting that it comprises 3.5 terabytes of data encompassing 23 billion records in total.
To authenticate the contents, Hunt reached out to users listed in the leak. One affected subscriber responded affirmatively, stating that the leaked information matched “an accurate password for my Gmail account.” This verification process involved cross-checking details against known breaches and user reports, ensuring the dataset’s legitimacy. The records themselves consist of specific elements captured during user interactions: website URLs where logins occurred, associated email addresses, and the corresponding passwords entered on those sites. All this information was harvested automatically from devices already compromised by malware, often during routine online activities like checking email or accessing banking portals.
Analysis of the dataset reveals patterns in exposure history. Precisely 91 percent of the credentials had surfaced in previous data breaches documented elsewhere. In contrast, about 16.4 million email addresses represented entirely new entries, never before identified in any breach records. The inclusion of currently active passwords elevates the potential for credential-stuffing attacks, where attackers use these valid combinations to attempt unauthorized access on numerous platforms, exploiting the reuse of login details across services.
Infostealer malware has proliferated as a major threat vector. Researchers recorded an 800 percent surge in stolen credentials during the first six months of 2025 alone. These programs function covertly on infected systems, methodically extracting sensitive data including login credentials, stored browser information, and active session tokens without triggering obvious alerts. Benjamin Brundage, a researcher at Synthient, detailed how their surveillance tools captured peaks of up to 600 million stolen credentials processed in a single day during periods of heightened malware activity.
The malware disseminates primarily through deceptive channels. Common vectors include phishing emails that trick recipients into opening malicious attachments or links, downloads of seemingly legitimate software laced with harmful code, and browser extensions that have been tampered with to include backdoors. In many cases, infections persist undetected for extended periods, allowing prolonged data exfiltration as users continue normal device usage.
In response, Google recommends specific protective measures for at-risk users. Enabling two-step verification adds an additional layer of security beyond passwords, requiring a second form of authentication like a mobile code. The company also promotes passkeys as a robust alternative to conventional passwords, leveraging cryptographic standards for enhanced protection against phishing and theft. Individuals can verify if their email addresses or credentials are included in this leak by searching on the Have I Been Pwned website. Those finding matches should promptly update their passwords to unique, strong versions and enable multi-factor authentication on all relevant accounts to mitigate further risks.
