Google says reports of a Gmail breach are false; researcher Troy Hunt flagged a 183-million credential dump. Enable 2-step verification, check Have I Been Pwned, and reset reused passwords.
Google Refutes Reports of Massive Gmail Password Leak
Google on Tuesday pushed back against reports of a fresh Gmail breach after security researcher Troy Hunt flagged a 3.5-terabyte credential collection that appears to include about 183 million email credentials, some of which may reference Gmail accounts. The company said the dataset represents a compilation of previously stolen credentials — not a new hack targeting Gmail — and reiterated that its systems continuously detect and block large credential dumps.
The controversy began when Hunt, the founder of the breach notification service Have I Been Pwned, posted details of the massive file that surfaced online. The New York Times and other outlets amplified the finding, prompting public concern that Gmail itself had been compromised. Google’s official account clarified the situation, saying the “reports of a ‘Gmail security breach’ impacting millions of users are false” and stressing that credential collections are frequently re-circulated by threat actors.
Security experts say such credential dumps remain dangerous because many people reuse passwords across multiple sites. Even old or previously exposed passwords can be abused in credential-stuffing attacks, where automated tools attempt logins across services. To reduce risk, Google urged users to enable two-step verification, adopt passkeys where available, and immediately reset passwords that appear in public breach databases.
