Share and Follow
Gmail users are being urged to take immediate action following the alarming revelation that over 183 million passwords have been compromised in a recent data breach.
Australian cybersecurity expert Troy Hunt has brought this incident to light, indicating that the breach has exposed both email addresses and their corresponding passwords, putting countless accounts at risk.
Describing it as a ‘vast corpus’ of breached data, Hunt notes that the total size of this compromised information is a staggering 3.5 terabytes. To illustrate the magnitude, this data volume is comparable to storing 875 full-length HD movies.
Hunt also highlights that this breach affects all major email service providers, not just Gmail. This means that users of Outlook, Yahoo, and other popular services are also potentially vulnerable.
According to Mr Hunt, ‘all the major providers have email addresses in there’ – so not just Gmail, but Outlook, Yahoo and others too.
‘They’re from everywhere you could imagine, but Gmail always features heavily,’ Hunt told the Daily Mail.
So have you been caught up in the incident?
Here’s how to check if your email data has been compromised.
It’s the email provider of choice for around 2 billion people worldwide. But Gmail has been involved in a huge data breach affecting more than 183 million user accounts
The incident occurred in April 2025 but has only just been disclosed on Mr Hunt’s Have I Been Pwned (HIBP) website.
According to the expert, breached data contained 183 million unique email addresses alongside the websites they were entered into and the passwords used.
To check if you’ve been compromised, head to the Have I Been Pwned website and enter your email address in the search bar.
Next, tap on the button marked ‘Check’ and the site will show you the list of data breaches affecting your email address.
Even if not included in the new Gmail breach, your email address may have been involved in past breaches going back over a decade.
If you are one of the 183 million people affected in this latest incident, you need to change your email password as soon as possible.
Once this is done, enable two-factor authentication (2FA) if you haven’t already – which sends a code to your smartphone to get into your online accounts.
According to Mr Hunt, this incident is not a single breach but a collection of ‘stealer logs’ – a series of data files generated and compiled by ‘malware’ (malicious software).
To check if you’ve been compromised, head to the Have I Been Pwned website and enter your email address in the search bar
‘Stealer logs are more of a firehose of data that’s just constantly spewing personal info all over the place,’ Mr Hunt explained in his blog post.
‘Once the bad guys have your data, it often replicates over and over again via numerous channels and platforms.’
As yet, there’s no word on the identify of the criminals responsible for the malware, however.
The expert stressed that it’s not just the password associated with your email account that has been potentially compromised.
Also at risk are the unique passwords associated with your email address that you use on other websites too, such as Amazon, eBay and Netflix.
He added: ‘Stealer logs expose the credentials you enter into websites you visit then login to.’
Therefore, if you find your email address under Have I Been Pwned it would be worth changing your password on any platform that uses it.
Generally, people put themselves at greater risk by using the same single password across all their various online accounts.
Graham Cluley, a computer expert and security blogger, said people should ‘always use different passwords’ for different online accounts.
‘You won’t be able to remember them by yourself, so use a password manager to do it for you,’ Mr Cluley told the Daily Mail.
‘Always enable multi-factor authentication when available for a higher level of protection.
‘We’re not talking about one company getting hacked, but millions of people unknowingly having their passwords stolen through malware.
‘With 183 million email addresses exposed, it’s possible that many people could be caught up in this without even realising their computers have been compromised.’
Benjamin Brundage at cybersecurity platform Synthient, which ‘detects and blocks bad actors’, was the one that discovered the breached data and sent it to HIBP.
Mr Brundage – who is in his final year of college in the US – advised users not to assume they are safe simply because they use strong passwords, which are considered the first line of defence against cyber incidents.
A strong password is at least 16 characters long and includes a mix of capital and lowercase letters as well as numbers and symbols.
