Another leak with 183 million email addresses and passwords has been posted. It consists of verified Gmail accounts. The breach was verified by a cybersecurity expert named Troy Hunt of Have I Been Pwned (HIBP).
Site URLs, email addresses and plain-text passwords are found in the dump. It is based on infostealer malware and credential stuffing lists generated in April 2025. According to Hunt, the database is 3.5 TB, and it contains approximately 23 billion records of logins.
HIBP confirmed the breach to be true by confirming that one Gmail password had been used. That is a major cause of concern, since the acquisition of a Gmail account could give attackers the authority over other related services.
Of 94,000 records, Hunt discovered an approximation of 92% had been present in older leaks. This amounted to more than 14 million fresh credentials in the entire dataset, with an approximate number of 8% of them new.
The information does not affect only Gmail, but numerous other worldwide sites. Attackers can still target the appropriate sites with the use of automated credential-stuffing attacks since every record contains a service URL.
Users have been advised by experts to:
This infringement demonstrates the persistence of the threat of credit reuse and the increasing popularity of combo lists with cybercriminals. Professionals anticipate further attacks of credential-stuffing on large email providers.
Users should be on the lookout as firms shift to passwordless authentication. The most effective immediate protection is switching passwords and using 2FA.