Security researchers at “Have I Been Pwned” have uncovered a massive trove of stolen login details containing over 183 million email addresses and passwords. Many of those logins are for Gmail accounts.
What needs to be made clear is that Google did not get hacked, and Google are saying their systems were not breached. Usernames and passwords were stolen directly from people’s devices using malware and phishing scams.
The data of those whose credentials have been compromised now appears on the “Have I Been Pwned” website, which means you can check whether your email address is in it.
What happened?
Cybercriminals used “infostealer” malware: software that quietly sits on an infected PC and captures whatever you log in to.
Those stolen credentials were then added into a giant database. It is being reported that the database holds roughly 183 million email/password combinations, totalling around 3.5TB of data.
They found millions of Gmail logins, including tens of millions of credentials that had not appeared in any previous leak. In other words, this isn’t just recycled old breaches; it contains genuinely new data.
Google itself was not breached. The issue is that attackers are logging in with real usernames and real passwords that were stolen from users’ devices.
This is credential theft at scale, not a direct hack of Google’s servers.
Why this matters for your organisation
If an attacker has a working email and password for one of your staff, they don’t need to “hack” you. They just log in and behave like that staff member.
Once they are in, this can lead to:
One – Business Email Compromise (fake invoices / bank detail changes sent from a “real” account)
Two – Data theft (care records, client info, internal documents)
Three – Password reuse pivoting (if someone uses the same password for email, Teams, SharePoint, the case notes system, the finance system… it’s all open)
This is especially serious in environments that handle safeguarding, HR records, medication notes, incident reports, or finance approvals.
We have also written an article on the common email attacks that lead to this type of data breach.
Check out the article – Understanding the Main Types of Email Attacks
How to check if you’ve been exposed
• Step 1. Go to Have I Been Pwned and enter your email address. This will tell you if that address appears in known leaked datasets, including this newly discovered batch.
• Step 2. If it comes back as “pwned,” you can assume that both the email address and the password have been leaked.
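As an added example (not code from the original article or from QLine), the same exposure check applied to a password rather than an email address: Have I Been Pwned’s Pwned Passwords range API lets you check a password without ever sending it, because you hash it locally and transmit only the first five hex characters of the SHA-1. The range body below is constructed for the offline demo and its counts are made up; the live HTTPS call is only used when no fetch function is supplied.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response (SUFFIX:COUNT per line, CRLF-separated).
# The first suffix is the real SHA-1 tail of the word "password"; its count and
# the other two lines are made up for this example.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00000000000000000000000000000000001:2\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally; the 5-char prefix is all that goes to the API,
    the 35-char suffix never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Return how often our suffix appears in a range response.
    A zero count is padding the API may add and means 'not seen'."""
    for line in range_body.splitlines():
        seen_suffix, sep, count = line.partition(":")
        if sep and seen_suffix.strip().upper() == suffix.upper():
            return int(count.strip() or 0)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char prefix goes over the wire."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password: str,
                   fetch: Callable[[str], str] = fetch_range) -> int:
    """Breach count for a password; 0 means not in Pwned Passwords."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))

if __name__ == "__main__":
    # Offline demo against the constructed sample; drop fetch= for a live check.
    print("seen", check_password("password", fetch=lambda p: SAMPLE_RANGE_BODY), "times")
```

A non-zero count means the password is known to attackers and should be treated as burned, even if the email address itself did not show up on the site.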
What you should do right now (today)
If you are concerned, or you can see your Gmail address on the list, there are several things you need to address right now.
Change the password – Use something unique and long, and stop reusing the same password across different systems. We highly advise using a password manager, which can generate a new password for you.
Turn on 2-Step Verification / MFA – This is the main blocker. Even if an attacker has the password, they still can’t get in without the second factor. The main email providers, including Google and Microsoft 365, all support this.
Review mailbox rules – If criminals did get in before you changed the password, they often leave behind forwarding rules, so check those mailbox rules!
Check for unknown logins – In Gmail / Microsoft 365 you can see recent sign-ins and devices, and you also receive notifications when a new login has succeeded. If you see logins from locations or times that don’t make sense, that account was already being used.
Scan the device – Remember how this data was stolen. If the device you use is infected, changing the password without cleaning the device is useless.
What Can We Learn From This?
This “183 million accounts” leak is proof that nobody is safe from password breaches.
If staff at your organisation have been affected, be wary of any emails anybody receives from them asking for sensitive information, as it may not be them, and remind them to:
One – Turn on MFA
Two – Change the password
Three – Check login activity
If you want us to run an exposure check on your domain, lock down MFA, or audit forwarding rules, speak to QLine.
We’d rather close the door now than write the report later.