Overview
- Security firm Synthient and Have I Been Pwned report the dataset aggregates stealer logs from infected devices rather than any compromise of Google servers.
- The collection spans roughly 23 billion records overall and includes about 183 million unique email–password pairs, with around 16.4 million addresses new to any known breach.
- Gmail addresses feature heavily, but Outlook, Yahoo and many other providers are also represented, increasing the risk of credential-stuffing across multiple services.
- Google says there is no Gmail infrastructure breach and notes it resets exposed passwords when detected, urging users to enable 2‑step verification or adopt passkeys.
- The logs were first detected in April and listed on Have I Been Pwned on October 21, with researchers verifying that some exposed passwords still matched active accounts.