SAN FRANCISCO – A vast stash of stolen logins has appeared on dark web markets, containing 183 million Gmail email addresses with matching passwords. Gmail users are the worst hit. Cybersecurity expert Troy Hunt first spotted the trove on 21 October and labelled it the Synthient Stealer Log Threat Data.
This is not a breach of Google’s servers. It is a giant mash-up of data taken from months of malware infections on people’s devices. With Alphabet set to report Q3 earnings tomorrow, the timing is awkward, and it highlights risky user habits rather than failed corporate security.
Inside the Gmail Dump: Not a Google Hack
This incident is a by-product of infostealer malware, not a single intrusion. Low-cost tools like RedLine and Vidar, sold on underground forums for roughly $100, have been siphoning credentials since at least April 2025.
They sit inside browsers, log keystrokes, and pull saved passwords, autofill details, and session cookies for services ranging from Gmail to banking apps. The result is a 3.5 terabyte hoard of logs from compromised Windows machines across the globe, hitting major email providers, including Gmail, Outlook, and Yahoo.
Hunt, who runs Have I Been Pwned (HIBP), added the data to his service last week. He reports that 91% of the entries were already known from past leaks, but around 16.4 million are new and confirmed to work against active accounts.
Gmail features heavily due to its scale, with more than 1.8 billion users. That reach invites credential stuffing, where attackers try stolen email and password pairs in bulk. Early counts suggest Gmail accounts could make up 40 to 50 million of the pairs, enough to drive extensive phishing and identity fraud.
This trove eclipses the 184 million credential spill reported in May, and Synthient’s figures point to an 800% jump in stolen credentials in the first half of 2025. It is a blunt reminder that many compromises begin with a malware infection or a dodgy click.
Startups and scale-ups that rely on Gmail and Workspace integrations face knock-on risks, such as API misuse, exposure of customer data, and ransomware footholds. These are the issues that trigger headlines and board-level fallout.
Google’s Response and the Current Safeguards
Google pushed back on alarmist claims. A spokesperson told TechCrunch there was no Gmail-specific breach and no server compromise. The stolen credentials were taken from infected devices. Even so, Google continues to act on credential dumps. The company scans for exposed details, alerts users by email, and surfaces warnings in the Account Safety Checkup. If your password appears in a leak, you are prompted to change it.
Chrome’s Password Checkup can also flag weak, reused, or exposed passwords. Google says it runs more than two billion checks each year. For stronger protection, the company is urging users to adopt passkeys, a phishing-resistant option now supported across Android, iOS, and the web. Google reports a 50% drop in account takeovers among people who switch to passkeys.
Behind the scenes, Google is tightening suspicious login checks and offering Advanced Protection for high-risk users. It works with HIBP to index dumps quickly and uses machine learning to catch unusual behaviour, such as logins from rare IP ranges, in real time.
Critics point to one gap, asking why 2-Step Verification is not mandatory for all Workspace tenants. Google cites user friction today, though industry chatter suggests pilots for enforced MFA across enterprise tiers could arrive by early 2026.
Start with haveibeenpwned.com. Enter your Gmail address and see if it appears in the dump. If it does, change the password straight away. Use a unique 16-character password that you do not reuse on any other site. Turn on 2-Step Verification if it is off. Remove risky browser extensions and run a trusted malware scan, for example, with Malwarebytes.
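The password checks described above (exposed, reused, shorter than 16 characters) can be run locally over a password manager export. The sketch below is an added example, not code from Google or HIBP; it uses the k-anonymity pattern of HIBP's Pwned Passwords range lookup, and the function names, the vault entries, and the `fake_fetch_range` stand-in for the network call are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 16  # minimum length recommended in the article

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, the format of a range lookup response."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def exposure_count(password, fetch_range):
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 are sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def audit(vault, fetch_range):
    """vault: list of (site, password). Returns {site: [findings]}."""
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    report = {}
    for site, password in vault:
        findings = []
        if len(password) < MIN_LENGTH:
            findings.append("short")
        if len(sites_by_password[password]) > 1:
            findings.append("reused")
        if exposure_count(password, fetch_range) > 0:
            findings.append("exposed")
        if findings:
            report[site] = findings
    return report

# Constructed sample data; a real run would query the range endpoint instead.
LEAKED = {"Summer2025!": 4812}
SAMPLE_VAULT = [("mail.example", "Summer2025!"), ("shop.example", "Summer2025!"),
                ("bank.example", "correct-horse-battery-staple-42"),
                ("forum.example", "tr0ub4dor&3")]

def fake_fetch_range(prefix):
    """Hypothetical offline stand-in that answers like a range lookup."""
    lines = ["0" * 35 + ":1"]  # decoy suffix, as a real response holds many
    for password, count in LEAKED.items():
        digest = sha1_hex(password)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT, fake_fetch_range))
```

Because only a five-character hash prefix is ever handed to `fetch_range`, neither the password nor its full hash leaves the machine.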
The size of this cache is unsettling, but it shines a light on daily habits that keep accounts safe. As crime-as-a-service expands, plain passwords look weaker each year.
Startups should design security into their stack from day one, including sound OAuth flows, zero-trust principles, and ongoing user education. For everyone else, keep it simple. Use a password manager, switch on 2SV or, better yet, passkeys, and keep your devices clean. Your inbox often controls your online life, so treat it like a crown jewel.





