A massive online data leak has recently exposed over 183 million stolen email passwords, making it one of the largest compilations of compromised credentials ever discovered. This extensive trove of sensitive information, amounting to a staggering 3.5 terabytes of data, was uncovered by cybersecurity expert Troy Hunt, who runs the well-known website Have I Been Pwned. The dataset contains credentials gathered over several years from various sources, including malware infections, phishing campaigns, and older data breaches.
The leaked credentials were primarily collected through infostealer malware—malicious software that secretly infiltrates devices to harvest usernames, passwords, and website logins. These infostealers operate covertly, often hidden within fake downloads or malicious email attachments. The stolen data also includes information from credential stuffing lists, which cybercriminals use to test username and password pairs across multiple platforms in an attempt to gain unauthorized access.
While the majority of the information in this leak is not new—91% of the credentials had already appeared in previous breaches—about 16.4 million email addresses were completely new to any known dataset, indicating ongoing and active theft. This finding underscores the persistent threat that cybercriminals pose to internet users worldwide.
The sheer volume of leaked credentials presents a significant risk for millions of users. Hackers often aggregate stolen logins from numerous breaches and compile them into massive databases. These collections then circulate widely on the dark web, as well as on popular platforms such as Telegram channels and Discord servers, where cybercriminals trade and sell the information. The availability of such large datasets increases the chances that an individual’s credentials are included, especially if they have reused passwords across different sites.
Credential stuffing attacks are particularly dangerous because they exploit password reuse. If someone uses the same password for multiple accounts—say, their email, social media, and banking—then a single compromised password can provide attackers with access to all those accounts. This makes it critical for users to employ unique, strong passwords for every online service they use.
In response to this leak, Google issued a statement clarifying that there was no new breach affecting Gmail accounts. The company emphasized that reports suggesting Gmail users were compromised were false and reassured users that Gmail’s security measures remain robust. Google explained that the leaked data originated from infostealer databases that aggregate stolen credentials from various sources over many years, rather than from a single, recent attack on their platform.
Troy Hunt confirmed that the leaked data was sourced from a collection maintained by Synthient, a group known for compiling infostealer logs. This means the leak is a continuation of ongoing theft activities rather than a new breach of a specific company or service. Despite this, the exposed credentials still pose a danger, as cybercriminals frequently reuse stolen information in future attacks.
To help users determine if their email addresses were affected, Have I Been Pwned has added this new dataset to its searchable database. By entering their email addresses on the site, individuals can find out whether their information appears in the Synthient leak. Many password managers also incorporate breach scanning features that draw on these data sources, although they may not yet have updated to include this latest leak.
If you discover that your email is part of the leaked data, it’s essential to take immediate action. Changing your passwords and enabling stronger security settings, such as two-factor authentication (2FA), can help protect your accounts from being accessed by unauthorized users. 2FA adds an extra security layer by requiring a second verification step—usually a code sent via text message or generated by an authentication app—making it significantly harder for attackers to gain access even if they have your password.
Protecting your online identity requires consistent and proactive measures. Start by focusing on your most important accounts, such as email and banking, which often serve as gateways to other services. Use strong passwords that combine letters, numbers, and symbols, and avoid using easily guessable information like names or birthdates. Never reuse passwords across different sites, as doing so can expose multiple accounts if just one password is compromised.
Password managers are invaluable tools that make it easy to create and store complex, unique passwords securely. Many also include breach detection features that alert you if any of your stored credentials have appeared in known leaks. For example, the top-rated password manager recommended by cybersecurity experts includes a built-in Breach Scanner that checks trusted databases, including the newly added Synthient data.
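The password reuse risk and the breach scanning described above can be combined into one vault audit. This is an added example, not code from Have I Been Pwned or any password manager: it assumes the scanner uses a k-anonymity range lookup modelled on Have I Been Pwned's separate Pwned Passwords service (the page does not say how scanners query their sources), and `audit_vault`, `make_fake_service`, the vault entries and the leaked corpus are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password, fetch_range):
    """Times the password appears in the corpus; only a 5-char hash prefix is sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Response format assumed: one "HASH_SUFFIX:COUNT" entry per line.
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def audit_vault(vault, fetch_range):
    """vault: list of (site, username, password) -> findings keyed by site."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[sha1_hex(password)].append(site)
    findings = {}
    for site, _user, password in vault:
        shared = [s for s in by_password[sha1_hex(password)] if s != site]
        findings[site] = {"breached": breach_count(password, fetch_range),
                          "reused_with": sorted(shared)}
    return findings

def make_fake_service(leaked):
    """Offline stand-in for the range endpoint, built from a constructed corpus."""
    table = defaultdict(list)
    for pw, count in leaked.items():
        d = sha1_hex(pw)
        table[d[:5]].append(f"{d[5:]}:{count}")
    seen = []  # records what the "server" learns: prefixes only
    def fetch_range(prefix):
        seen.append(prefix)
        return "\r\n".join(table.get(prefix, []))
    return fetch_range, seen

# Constructed sample data (not taken from any real leak).
LEAKED = {"Summer2024!": 1200, "hunter2": 17000}
VAULT = [("mail.example", "ana", "Summer2024!"),
         ("bank.example", "ana", "Summer2024!"),
         ("forum.example", "ana", "x9#Lq!72vTzp")]

if __name__ == "__main__":
    fetch, seen = make_fake_service(LEAKED)
    for site, finding in audit_vault(VAULT, fetch).items():
        print(site, finding)
```

An entry that is both breached and reused across an email and a banking login is the one to change first, since a single credential stuffing hit would open both accounts.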
Beyond passwords, consider enrolling in identity theft protection services. These companies monitor your personal
