Leak exposes 183 million Gmail, Outlook, and Yahoo accounts with passwords


hackers - Photo: thomaguery/Istock.com

The Have I Been Pwned platform identified a leak of at least 183 million credentials from Gmail, Outlook, and Yahoo accounts. The incident involves email addresses and passwords captured by infostealers, malicious programs that infect devices. The data was first discovered in April 2025, and a recent update added 16.4 million records.

Google stated that the exposed accounts do not belong exclusively to Gmail. The company described the case as general malicious activity, not a targeted attack. Microsoft and Yahoo did not respond to inquiries at the time of publication.

  • Infostealers extract data from infected browsers and apps.
  • Leak contains email and plaintext password combinations.
  • Users can check exposure on the Have I Been Pwned site.

Update uncovers additional compromised records

The platform’s team detected the 16.4 million new entries during recent analysis. These records had not been identified in the April review. The 183 million total compiles data from multiple infostealer incidents.

Have I Been Pwned creator Troy Hunt told the Daily Mail that other companies appear in the records. He did not name additional affected services. The theft method relies on device infections.

Steps to secure exposed accounts

Affected users must change their passwords immediately on the services involved. Experts recommend a unique password for each platform. Password managers help store credentials securely.

Enabling two-factor authentication adds security layers. The feature requires extra codes for new device logins. Passkeys use biometrics to replace traditional passwords.

Google provides a built-in manager for Chrome and accounts. Free options include LastPass and KeePass. Paid tools like 1Password offer advanced features.

hacker – Photo: PeopleImages/Shutterstock.com

How Infostealers operate

Infostealers are installed through malicious downloads or fraudulent links. They access data saved in browsers like Chrome and Edge. Users often notice no immediate signs of infection.

The malware grabs passwords, cookies, and autofill information. The stolen data appears for sale on dark web forums. Attacks target Windows, macOS, and mobile devices.

Guidance against phishing attempts

Check URLs carefully before entering credentials. Suspicious emails request data without clear reasons. Avoid clicking links in unsolicited messages.

Passwords should be at least 12 characters long and combine uppercase and lowercase letters, numbers, and symbols. A memorable phrase makes a strong base.

Companies address the incident

Google denied any specific system breach. The firm promotes two-step verification and passkeys. Microsoft provided no comment by publication time.

Yahoo offered no official statement. Have I Been Pwned monitors ongoing leaks. Users who register their address receive email alerts.

Prevention using available tools

Enable passkeys on Google, WhatsApp, and Microsoft services. The method relies on fingerprints or device PINs. Companies adopt the technology to reduce password risks.

Password managers encrypt data locally or in the cloud. Synchronization works across connected devices. Regular updates fix known vulnerabilities.
