(Udaipur Kiran / Tech Desk) — In what cybersecurity experts are calling one of the largest data breaches in recent years, over 183 million email credentials — including active Gmail accounts and passwords — have been exposed online. The breach reportedly occurred in April 2025 and was made public recently, revealing a vast amount of stolen login data tied to malware and credential-stealing networks.

183 Million Email Credentials Exposed
According to cybersecurity researcher Troy Hunt, the leaked database was compiled by Benjamin Brundage from Synthient, a cybersecurity intelligence firm. The team gathered data from multiple sources, including criminal marketplaces, social media platforms, online forums, and Telegram groups, amounting to a staggering 3.5TB of raw data.
The largest single file within the dataset reportedly weighed 2.6TB and contained nearly 23 billion rows of information — putting this incident on par with the May 2025 leak that contained around 16 billion records.
Out of the 183 million unique accounts exposed, around 16.4 million were discovered to be completely new — never seen in any prior data breaches. Disturbingly, millions of Gmail accounts in the dataset were verified to have active passwords still in use.
How the Breach Happened
Investigations suggest that the breach is linked to a global “stealer malware” ecosystem. Attackers infect victims’ computers with malicious software designed to record login data — including website URLs, email IDs, and passwords — as users enter them online.
The stolen data is then compiled into massive “credential stuffing lists,” which combine multiple hacked databases. These lists are often sold or shared on the dark web and used by attackers to attempt logins across various platforms where users might reuse the same passwords.
Serious Threat of Credential Stuffing
Hunt warned that such credential lists pose a severe security risk, saying they serve as a “gateway” for hackers to hijack email, social media, and banking accounts, leading to further large-scale data breaches and identity theft.
These credentials are typically stored in plain text or weakly encrypted formats, making them easily accessible to cybercriminals. Once compromised, users face risks ranging from unauthorized transactions to identity fraud.
‘Have I Been Pwned’ Integration
The leaked dataset has now been uploaded to the “Have I Been Pwned” (HIBP) database, allowing users to check whether their email addresses have been affected. Individuals can visit haveibeenpwned.com and enter their email ID to verify if their credentials appear in the breach.
What Users Should Do
Cybersecurity experts strongly advise users to:
- Change passwords immediately for all affected accounts.
- Avoid reusing passwords across multiple services.
- Enable two-factor authentication (2FA) wherever possible.
- Regularly monitor their email accounts and financial transactions for unusual activity.
With 183 million credentials now publicly circulating, experts warn that this breach underlines the ongoing vulnerability of reused passwords — and the urgent need for stronger digital hygiene practices.
Bhupendra Singh Chundawat is a seasoned technology journalist with over 22 years of experience in the media industry. He specializes in covering the global technology landscape, with a deep focus on manufacturing trends and the geopolitical impact on tech companies. Currently serving as the Editor at Udaipur Kiran, his insights are shaped by decades of hands-on reporting and editorial leadership in the fast-evolving world of technology.



