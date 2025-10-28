Google has disputed recent news reports saying its popular Gmail email service suffered a security breach that impacted millions of users.

In an X post, the official News from Google account stated that these reports were false. “Gmail defences are strong, and users remain protected,” it said.

“The inaccurate reports are stemming from a misunderstanding of infostealer databases.”

Google said these databases routinely compile various credential theft activities occurring across the web. “It’s not reflective of a new attack aimed at any one person, tool, or platform,” the company stated.

“Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts.”

The company’s response comes after prominent cybersecurity expert Troy Hunt published an analysis of compromised online credentials provided by Synthient that included previously unknown records.

The HaveIBeenPwned founder explained that Synthient’s Benjamin Brundage had aggregated 3.5TB of compromised credential data from social media, Telegram, online forums, Tor, and other sources.

These include data from infostealer malware attacks and credential stuffing lists. An analysis revealed several accounts that HaveIBeenPwned had not seen in past leaks, breaches, and credential lists.

“The data contained 183 million unique email addresses alongside the websites they were entered into and the passwords used,” Hunt said.

About 16.4 million addresses were previously unknown to have been compromised. That is a substantial proportion — 9% — of the addresses in the data Brundage had aggregated.

Infostealer logs come from malware that infects a machine and captures credentials typed into websites. Typically, the malware would capture the website address, email address, and password.

For example, Hunt said that someone who had infostealer malware on their PC and logged into their Gmail account would have the website portion of the data logged as Gmail.com.

He went on to explain that this is precisely what happened to one user whom he had contacted to verify the legitimacy of Synthient’s database.

Several publications misinterpreted this to mean that the Gmail service itself had been compromised when infostealer malware had stolen that user’s data.

Infostealers would not only capture information on Gmail.com but also on any other websites that a user with an infected machine visited.

Why reusing passwords is a bad idea

Have I Been Pwned

The other source of compromised credentials in Synthient’s analysis was credential stuffing lists. These lists are aggregated from different places where threat actors obtained username-password pairs.

That includes data breaches of other services or platforms where improper cybersecurity practices may have occurred, such as storing user names or passwords in plain text format.

Attackers often use this information to try and guess a user’s login on other platforms where they may have reused the same username and password combination.

By “stuffing” the credentials into multiple websites or platforms, they may gain access to a user’s other accounts.

This is why it is critical not to reuse the same password on different online accounts or services, especially primary email accounts that act as the

“Credential stuffing lists can be enormously damaging because they contain the keys to so many different services,” Hunt said.

“Not only are they the gateway to so many takeovers of social media accounts, email addresses and other valuable personal resources, they’re also responsible for many subsequent very serious data breaches.”

The HaveIBeenPwned website allows people to enter their email address to see if it was part of any previously known data breaches and see which data was exposed in that incident.

Its sister service, Pwned Passwords, allows users to check if their password has been compromised, which is particularly useful in the case of the recently published Synthient stealer log threat data.

It is highly recommended that you change your password on any affected website or service and on any other platforms where the same or a similar password was used.

Google also advised that users turn on two-factor authentication (2FA) and adopt passkeys as a stronger and safer alternative to passwords to protect themselves against credential theft.

Another option to consider is a password manager like Bitwarden and 1Password. These services store passwords using strong encryption in a single vault, which can be accessed across devices.

By eliminating the need to remember all but your master manager password, you can select complex passwords for all your services.

To make this option as secure as possible, the master password should be strong and complex, and additional verification methods like 2FA or passkeys should be enabled.