Changing Gmail Password Might Not Be Enough
Experts confirmed Gmail’s servers weren’t hacked — the data came from infected personal devices.

A vast cache of about 183 million email addresses and passwords has been added to the breach-monitoring site Have I Been Pwned (HIBP) in one of the largest credential leaks reported to date.

The data, believed to have been collected through infostealer malware rather than a direct breach of Gmail's servers, includes millions of Gmail accounts. Cybersecurity experts say the scale of the exposure presents a serious risk of account takeovers and identity theft.

Analysts are urging users to review their account security, reset passwords and activate two-step verification while investigations continue into how the credentials were obtained and distributed.

Breach Was Discovered

A dataset of approximately 183 million unique email addresses and associated passwords was added to HIBP on 21 October 2025. The collection, referred to as the 'Synthient Stealer Log Threat Data', was compiled by Synthient LLC and stems from infostealer malware logs, rather than from a breach of a single platform.

HIBP founder Troy Hunt confirmed the dataset is searchable by email, password and domain. Among the exposed credentials are Gmail addresses, and a significant portion were stored in plaintext alongside the website they were used on. Analysts warn that the inclusion of plaintext passwords greatly increases the risk of credential-stuffing attacks.

A blog post by Hunt and Heise Online describes how the data was aggregated from infected systems and underground channels, highlighting the shift from single-site hacks to steady streams of malware-derived credentials.

Why Gmail Users Are at Risk

A large number of Gmail users appear in the Synthient dataset, which contains email-and-password pairs exposed in plaintext. Security experts warn that people who reused those passwords on other services could face secondary breaches through credential-stuffing attacks.

Cybersecurity analysts note that logs gathered by infostealer malware often include more than just login details. In some cases, they capture browser session cookies or authentication tokens that allow criminals to bypass two-factor prompts. However, there is no evidence that Gmail's own servers were compromised.

According to Cyber Insider and Forbes, the credentials were harvested from personal devices infected with malware, not from Google's infrastructure.

What Users and Organisations Should Do

Cybersecurity experts recommend that Gmail users change their passwords immediately and avoid reusing them across multiple sites. Google's Security Check-up tool can identify unfamiliar devices or connected apps that should be removed. Two-step verification should also be enabled, ideally using a hardware key or passkey rather than an SMS code, to prevent unauthorised access even if credentials are leaked.

For organisations, specialists advise treating the Synthient incident as a credential exposure event. IT teams should audit employee email addresses through HIBP, enforce password resets, and revoke old session tokens that could still grant access. According to TechSpot, companies using Gmail or Google Workspace should pair stronger password policies with mandatory multi-factor authentication and renewed anti-malware measures to guard against similar leaks in the future.

Warning for Cybersecurity

The exposure of 183 million credentials highlights how infostealer malware, rather than direct platform breaches, has become a leading source of data theft worldwide.

While Gmail's own systems do not appear to have been compromised, cybersecurity analysts say the incident underscores persistent risks linked to password reuse and weak device protection. Investigations into the source and scope of the leak are continuing.