Google disputes false claims of massive Gmail data breach

Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts.

The claim began circulating over the weekend and continued into today, with news stories claiming that millions of Gmail accounts were breached and some outlets saying the breach affected the full 183 million accounts.

However, as the company explained in a series of posts on Monday, Gmail did not suffer a breach, and the compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years.

“Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defenses are strong, and users remain protected,” reads a post on X.

“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.”

“Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false,” Google added.

This is just the latest such story that numerous news websites and cybersecurity companies have reported without verification in recent years.

This particular story stems from Have I Been Pwned (HIBP) creator Troy Hunt announcing that he recently added to the data breach notification platform a massive collection of 183 million compromised credentials shared by the threat intelligence platform Synthient.

These credentials were not stolen in a single data breach, but rather through information-stealing malware, data breaches, credential stuffing, and phishing. Furthermore, these accounts are not for a single platform but for thousands, if not millions, of sites.

Threat actors commonly collect exposed credentials and combine them into massive collections, which are then shared among the cybercrime community on Telegram channels, Discord servers, and hacking forums.

After loading the data into HIBP, Hunt says 91% of the 183 million credentials had previously been seen, illustrating that many of them have been circulating for years.

“The final number once the entire data set was loaded into HIBP was 91% pre-existing, with 16.4M previously unseen addresses in any data breach, not just stealer logs,” explained Hunt.

Companies, including Google, commonly use collections like these to warn customers of exposed passwords and to force password resets to protect accounts.

“Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts,” explained Google.

While the claims of a Gmail data breach are false, that does not mean exposed credentials are harmless or should be ignored, as threat actors commonly use them to breach corporate networks and carry out devastating attacks.

For example, the UnitedHealth Change Healthcare ransomware attack was caused by exposed Citrix credentials that enabled threat actors to gain initial network access.

However, reports of unfounded data breaches do not help anyone and only cause undue stress and extra work for a platform’s users and business customers.

Just last month, Google had to state that it did not suffer a data breach after the same news sites claimed that 2.5 billion Gmail accounts had been compromised.

While that claim stemmed from a Salesloft breach that impacted a small number of Google Workspace accounts, the story was quickly sensationalized into a much larger breach.

If you are concerned that your credentials may have been part of the Synthient collection, you can register an account at Have I Been Pwned, open the dashboard, and click Stealer Logs to see if your account was compromised in the past by information-stealing malware.

If you have accounts listed, perform an antivirus scan on your computer, then immediately change the passwords for all of your accounts.

