Use Gmail? Urgent warning as 183 million passwords STOLEN – check if your email is affected

By Aaron Brown


Published: 27/10/2025 - 15:56

Updated: 27/10/2025 - 18:12

Free online tool checks whether your email, phone number, or password was compromised

Gmail users have been urged to check their accounts now after it was revealed that 183 million passwords were gobbled up by malicious software. The Google-owned email service is one of the most popular on the planet, with an incredible 1.8 billion active users worldwide across more than 105 languages.

Cybersecurity expert Troy Hunt says the treasure trove of data dates back to April 2025, but only recently came to light. It compromised 183 million unique email addresses, passwords, and data on the websites where those passwords were entered. That's about as bad as it can get.


Of the 3.5TB of data — that's enough data to store 875,000 songs or 875 feature-length movies in HD — Mr Hunt estimates that around 183 million Gmail passwords were included in the stolen data. Gmail was one of the largest categories of any websites included in the bundle of data.

If you regularly reuse the same password across multiple accounts, there's a chance that your stolen details could be used to break into other profiles, like online banking, cloud storage for photos, retailers, and more.

Australian cybersecurity expert Troy Hunt established HaveIBeenPwned after what was, at the time, the largest ever single breach of customer accounts — Adobe. It now checks your email address, password, or phone number against a behemoth database of leaked credentials.

This technique is called "credential stuffing," and it is the reason security experts advise always using a unique combination of email address and password for every account.

According to Hunt, the data from the 3.5TB data breach originated from Synthient, a threat intelligence firm that had been monitoring infostealer platforms for nearly a year.

For those who don't know, infostealers are a strain of nasty software designed to siphon sensitive information, like usernames and passwords, financial information, and more.

Speaking to the Daily Mail, Troy Hunt said: "Stealer logs are more of a firehose of data that's just constantly spewing personal info all over the place.

"Once the bad guys have your data, it often replicates over and over again via numerous channels and platforms. Stealer logs expose the credentials you enter into websites you visit, then log in to."

How will you know if your Gmail account was included in the data breach?

Australian web security consultant Troy Hunt is perhaps best known for establishing the website Have I Been Pwned, a free online tool that lets you check whether your email address or phone number appears in its vast database of compromised accounts from hundreds of data dumps.

Mr Hunt has added the 183 million passwords compromised from Gmail into the database. If you enter your Gmail address, hit the "Check" button, and nothing is returned, you've escaped the latest breach.

If you've been impacted by this Gmail data breach, it's important to change your password at once and set up two-factor authentication (2FA) to protect your data.

As the name suggests, two-factor authentication helps to prevent data breaches by requiring a second form of verification, like a unique code sent to a mobile number or a fingerprint, in addition to a password.

It means that, even if attackers steal your username and password combination, they still won't be able to break into your account without passing the secondary check, such as having access to your phone number.

Speaking to GBN Tech, a spokesperson for Google said: "This report covers known infostealer activity that targets many different types of Internet activity. There is not a new, Gmail-specific attack at play.

"We protect users from these attacks with layers of defences, including resetting passwords when we come across credential theft like this. We encourage users to boost their own defences by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords."

If you're worried about who has access to your Gmail, sign in to the online inbox and check the Account Activity. This reveals a timeline of recent sign-in sessions, including IP addresses, access types, and locations. On its support pages, Google describes the feature like this: "Check the recent activity of your Gmail account.

"By checking the activity of your account, you can get useful information regarding your account activity. We'll list the IP addresses that accessed your mail, the associated locations, as well as the corresponding times and dates.

"To see your account activity, click the Details link next to the Last account activity line at the bottom of any Gmail page."

If your details match a record found on Have I Been Pwned, change that password immediately. If you regularly reuse passwords, this could mean setting a new password on multiple profiles.

Use a password manager to generate an unmemorable jumble of letters, numbers, and symbols for each account, with everything encrypted and stored across your devices in an app, like 1Password, LastPass, or Apple Passwords.
