Supposed 183 Million Gmail Passwords Stolen in Data Breach Is Old News, According to Google
October 30, 2025
Anyone still concerned about wild claims of 2.5 billion or 183 million Gmail passwords stolen that have appeared in recent weeks can relax and breathe easy. Google has confirmed that it has not suffered any kind of mass data breach, and that the rumor mill started up because of a large collection of mostly old information that appeared in underground forums.
Google had small summer data breach, but no loss of Gmail credentials
Google did have a bit of hacking trouble this summer, with both Salesloft and Salesforce installations (each heavily targeted by different threat actors and involving numerous other companies). The Salesloft breach did cause exposure of what it says is a small number of Google Workspace accounts. But the company has confirmed that no Gmail passwords were stolen and that there was no Gmail data breach.
So what started the rumors on social media? Let’s address the bigger number first. 2.5 billion is the estimated total number of Gmail accounts in the world, so those stories were simply assuming the maximum possible damage from a data breach based on vague reporting about what had happened. As it turns out, the number of accounts involved is nowhere near that.
The 183 million number has a lot more basis in fact, though it comes from a collection of mostly old information. That is the number of Gmail accounts listed alongside their stolen passwords in a massive new “combination file” added to the Have I Been Pwned records. However, this is the typical sort of file traded around by criminal hackers: one that collects information gathered from other data breaches and infostealer malware logs.
That would still be a very concerning number, given it’s nearly a tenth of all Gmail accounts, were it all new credential sets that had not been seen before. However, only about a tenth of the 183 million are new to Have I Been Pwned and Google is confirming that they are merely previously undisclosed credentials from assorted data breaches rather than something from a single new hack. Passwords stolen from Outlook, Yahoo and a number of other email services are also included in this set.
No new passwords stolen directly from Google
So there is no pressing need for all Gmail users to go out and reset passwords or take further security measures. However, the incident serves as a good reminder that passwords stolen in data breaches may not be flagged for months or even years after the fact. There are also likely tens of millions of compromised credentials floating around in private Telegram and Discord channels at any given time that are not yet flagged by sources like Have I Been Pwned.
Google’s general recommendation to avoid a data breach is to enable two-step verification and change over from passwords to passkeys, advice echoed by numerous other sources and security experts. For Chrome users, the Password Manager Checkup tool should automatically flag anything uploaded to Have I Been Pwned, and should additionally provide warnings about weak or re-used passwords. When people have passwords stolen, it is just as commonly due to re-use and successful credential stuffing as to getting hit with an infostealer.



