Google Explains That There Was No Leak of 183 Million Gmail Accounts

For the second time in recent months, Google has been forced to debunk reports of a massive Gmail breach. The latest claims about "183 million compromised accounts" spread rapidly online despite no breach or incident involving Google's servers.

Old Data, Not a New Breach

Company representatives clarified that the circulating database doesn't represent a new attack. Instead, it contains old usernames and passwords collected by attackers through info-stealers and other methods over several years.

"Reports of a 'Gmail hack affecting millions of users' are false. Gmail and its users are securely protected," Google stated. The company emphasized that the source of the breach rumors was a database containing info-stealer logs and credentials stolen through phishing and similar attacks.

How the Confusion Started

The database recently became publicly accessible through threat analysis platform Synthient and was subsequently added to breach notification service Have I Been Pwned (HIBP), triggering widespread alarm.

HIBP creator Troy Hunt confirmed the Synthient database contains approximately 183 million credentials—including usernames, passwords, and associated website addresses. However, Hunt emphasized this isn't a single data breach. The information was aggregated over years from Telegram channels, forums, the dark web, and other sources, spanning thousands or potentially millions of different websites and services—not just Gmail.

Notably, 91% of the records had already appeared in previous breaches and were already in HIBP's database. Only 16.4 million email addresses were new additions.

The Real Source: Info-Stealer Malware

Synthient representatives confirmed that most data in the database came not from organizational breaches but from individual users' systems infected with malware. The researchers compiled 3.5 terabytes of information totaling 23 billion lines, including exposed email addresses, passwords, and the websites where the compromised credentials were used.

What Google Is Doing About It

Google regularly discovers and analyzes such databases for security purposes, using them to help users reset leaked passwords and re-secure their accounts.

While Gmail itself wasn't breached, the company acknowledged that old credentials circulating in leak databases still pose risks. To mitigate these threats, Google recommends enabling multi-factor authentication or switching to passkeys, which offer stronger protection than traditional passwords.

Not the First False Alarm

This marks the second time Google has debunked Gmail breach rumors in recent months. In September 2024, media reports falsely claimed Google was mass-notifying all Gmail users—approximately 2.5 billion people—about the urgent need to change passwords and enable two-factor authentication. Google representatives confirmed those reports were also inaccurate.