Google pushed to publicly deny false reports of massive Gmail breach


After a series of sensational stories claiming that a Gmail data breach had impacted hundreds of millions of accounts began appearing online, Google was pushed to publicly deny the reports.

Claims that a data breach had occurred began circulating over the weekend, with the Daily Mail typically stating that “183 MILLION passwords” were stolen. Most clickbaity headlines urged Gmail users to check the health of their accounts immediately.


But that’s simply not true, Google soon said. After seeing that the reports weren’t simply going away, the tech giant had to explain in a series of posts on X that Gmail didn’t actually suffer a breach.

The compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years.

“Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail's defenses are strong, and users remain protected,” reads a post on X.

“The inaccurate reports stem from a misunderstanding of infostealer databases, which routinely compile various credential theft activities occurring across the web. It's not reflective of a new attack aimed at any one person, tool, or platform.”

The company also assured that Gmail always takes action “when we spot large batches of open credentials, helping users reset passwords and resecure accounts.” Since Gmail didn’t move to act this time, presumably no new breach was detected.

Cybernews researchers concur. Aras Nazarovas, Cybernews Senior Information Security Researcher, said that claims of the credential breach are inaccurate since the data came from a combination of stealer logs and credential stuffing lists collected by threat intelligence platform Synthient, and analysed and uploaded to Have I Been Pwned by Australian cyber expert Troy Hunt.

“The claims of a ‘Google data breach’ are inaccurate since Google was not breached in order to access the credentials,” said Nazarovas. “Individual users were compromised. It’s safe to say that only a small portion of the 183 million credentials in this dataset pertains to Google accounts.”


In this particular case, Hunt himself said after loading the data into Have I Been Pwned that 91% of the 183 million credentials had previously been seen. This means that they’ve been circulating online for years anyway.

Exposed credentials are far from harmless, of course. Threat actors use them to breach corporate networks and carry out attacks.


However, misleading data breach reports aren’t helpful and only cause undue stress and extra work for a platform’s users and business customers.

In September, Google also had to deny that it suffered a data breach after claims that 2.5 billion Gmail accounts had been compromised surfaced online.

