A massive credential leak exposed **183 million email passwords**, including millions from Gmail accounts, via **infostealer malware campaigns** monitored over nearly a year. The breach, surfacing on *Have I Been Pwned* (October 2025), stems from malware-infected user devices, not a direct Gmail server compromise, though **16.4 million email addresses** were newly exposed. The dataset (3.5TB, 23 billion records) includes **active passwords, URLs, and login credentials** harvested from infected machines, heightening the risk of **credential stuffing attacks** across platforms. While Google denied a 'Gmail breach', the leaked data, validated by affected users, originated from malware such as **RedLine, Vidar, and Raccoon**, spread via phishing, malicious downloads, or compromised browser extensions. Researchers warn of an **800% surge in stolen credentials** in early 2025, with peak daily thefts reaching **600 million records**. Users were urged to enable **two-step verification and passkeys** to mitigate the risk.
Source: https://www.harlemworldmagazine.com/gmail-passwords-exposed-in-183-million-account-data-breach/
TPRM report: https://www.rankiteo.com/company/googlecloudsecurity
```json
{
  "id": "goo0502305103125",
  "linkid": "googlecloudsecurity",
  "type": "Breach",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "183 million email passwords (including millions of Gmail accounts)",
      "industry": "Internet Services",
      "location": "Global",
      "name": "Google (Gmail Users)",
      "type": "Technology Company"
    },
    {
      "customers_affected": "23 billion records (including 16.4 million previously unseen email addresses)",
      "industry": "Multiple",
      "location": "Global",
      "name": "General Internet Users",
      "type": "Individuals/Organizations"
    }
  ],
  "attack_vector": [
    "Infostealer Malware",
    "Phishing Emails",
    "Malicious Software Downloads",
    "Compromised Browser Extensions"
  ],
  "customer_advisories": "Users advised to change passwords, enable MFA, and monitor for suspicious activity.",
  "data_breach": {
    "data_exfiltration": "Yes (via infostealer malware to underground channels)",
    "number_of_records_exposed": "23 billion records (183 million unique email passwords, including 16.4 million previously unseen)",
    "personally_identifiable_information": "Yes (Email addresses linked to passwords and service logins)",
    "sensitivity_of_data": "High (Active credentials for multiple services)",
    "type_of_data_compromised": [
      "Email Addresses",
      "Passwords",
      "Website URLs",
      "Browser Data",
      "Session Tokens"
    ]
  },
  "date_detected": "2025-10-21",
  "date_publicly_disclosed": "2025-10-21",
  "description": "A massive collection of 183 million email passwords, including millions from Gmail accounts, was exposed through infostealer malware campaigns. The breach, surfacing on the Have I Been Pwned database on October 21, 2025, represents one of the largest credential leaks of the year. The compromised accounts stem from malware infections on users’ devices rather than a security failure of Gmail’s servers. The dataset, monitored by cybersecurity firm Synthient, includes 3.5 terabytes of information spanning 23 billion records, with 16.4 million email addresses appearing for the first time in breach records. The incident heightens risks for credential stuffing attacks across multiple platforms.",
  "impact": {
    "brand_reputation_impact": "Moderate (Google disputed claims of a 'Gmail breach' but acknowledged user device infections)",
    "data_compromised": [
      "Email Addresses",
      "Passwords",
      "Website URLs",
      "Browser Data",
      "Session Tokens"
    ],
    "identity_theft_risk": "High (Active passwords exposed increase risk of credential stuffing)",
    "systems_affected": "User Devices (Infected with Infostealer Malware)"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Yes (via Telegram, social media, and dark web forums)",
    "entry_point": [
      "Phishing Emails",
      "Malicious Software Downloads",
      "Compromised Browser Extensions"
    ],
    "high_value_targets": [
      "Email Credentials",
      "Browser Session Tokens",
      "Service Logins"
    ],
    "reconnaissance_period": "Nearly one year (monitored by Synthient)"
  },
  "investigation_status": "Ongoing (Monitoring by Synthient and Have I Been Pwned; user remediation advised)",
  "lessons_learned": [
    "Infostealer malware poses a rapidly growing threat, with an 800% increase in stolen credentials in early 2025.",
    "User device security is critical; malware infections can bypass service-level protections (e.g., Gmail servers).",
    "Credential stuffing risks escalate when active passwords are exposed across multiple platforms.",
    "Proactive monitoring of dark web/underground channels can help mitigate large-scale credential leaks."
  ],
  "motivation": [
    "Financial Gain",
    "Credential Theft",
    "Data Exfiltration for Dark Web Sales"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Enhanced user education on malware prevention.",
      "Promotion of password managers and passkeys.",
      "Collaboration between tech companies and cybersecurity firms to disrupt malware networks.",
      "Expansion of dark web monitoring for leaked credentials."
    ],
    "root_causes": [
      "Widespread infostealer malware infections on user devices.",
      "Lack of user awareness about malware distribution vectors (e.g., phishing, malicious extensions).",
      "Reuse of passwords across multiple services (enabling credential stuffing)."
    ]
  },
  "recommendations": [
    "Enable two-step verification and adopt passkeys for all critical accounts.",
    "Regularly monitor credentials via services like Have I Been Pwned.",
    "Implement multi-factor authentication (MFA) universally.",
    "Educate users on recognizing phishing attempts and malicious downloads.",
    "Deploy endpoint protection to detect and block infostealer malware.",
    "Assume breach mindset: Encourage password managers and unique passwords per service."
  ],
  "references": [
    {
      "date_accessed": "2025-10-21",
      "source": "Have I Been Pwned",
      "url": "https://haveibeenpwned.com"
    },
    {
      "source": "Synthient Research Report"
    },
    {
      "source": "Troy Hunt (Creator of Have I Been Pwned)"
    },
    {
      "date_accessed": "2025-10-21",
      "source": "Google Security Advisory (Social Media)"
    },
    {
      "source": "Perplexity Article"
    }
  ],
  "response": {
    "communication_strategy": [
      "Google disputed 'Gmail breach' claims via social media",
      "Public advisories via Have I Been Pwned and media outlets"
    ],
    "remediation_measures": [
      "Google advised users to enable two-step verification",
      "Adopt passkeys",
      "Change compromised passwords",
      "Activate multi-factor authentication"
    ],
    "third_party_assistance": [
      "Have I Been Pwned",
      "Synthient",
      "Troy Hunt"
    ]
  },
  "stakeholder_advisories": "Google and cybersecurity firms urge users to check exposure via Have I Been Pwned and secure accounts.",
  "title": "Massive Exposure of 183 Million Email Passwords via Infostealer Malware Campaigns",
  "type": [
    "Data Breach",
    "Credential Theft",
    "Malware Attack"
  ],
  "vulnerability_exploited": "User Device Infections (Malware)"
}
```