A new analysis of the Have I Been Pwned platform has revealed that at least 183 million email account credentials, spanning services such as Gmail, This data was compromised through malicious programs known as infostealers, which infect devices and capture sensitive information from users. The initial discovery, dated April 2025, was recently updated with the addition of 16.4 million new records, raising the total number of affected accounts.
Google, one of the services mentioned in the leak, clarified that the exposed accounts are not restricted exclusively to Gmail. The company stressed that the incident is the result of general malicious activities, and not a direct attack on its systems. Até At the moment, Microsoft and Yahoo did not issue official positions on the case, remaining silent in the face of the repercussions.
Malicious programs, such as infostealers, represent a constant threat to online privacy and security, operating stealthily to steal valuable information.
Increase in the volume of compromised credentials
The team responsible for the Have I Been Pwned platform identified 16.4 million new records in a recent check, which had not been detected in the initial analysis carried out in April. Este addition brings the total amount to 183 million credentials, reflecting the compilation of multiple incidents involving the action of infostealers. Tais Malicious programs are designed to collect data directly from infected devices, without the user being aware of the activity.
Troy Hunt, creator of Have I Been Pwned, reported that other companies also had their data included in the compiled records. In a statement, he chose not to specify additional names, but highlighted the invasive nature of the theft technique, which manifests itself through infections on computers and cell phones. The spread of this malware occurs through various means, often exploiting vulnerabilities or user mistakes.
Protection to prevent data compromise
Users whose accounts have been exposed need to act immediately to protect their information. Changing passwords on all services involved is the first and most crucial measure. It is highly recommended that each platform has a unique and complex password combination, avoiding reuse that could increase the risk in the event of new leaks.
Using password managers is an efficient practice for creating and storing secure credentials. Essas tools, such as LastPass and 1Password, encrypt data, requiring only a master password for access. Além Additionally, activating two-step authentication (2FA) adds a robust layer of security, requesting an additional code, usually via app or SMS, to confirm access on new devices.
Mechanisms of action of infostealers
Infostealer programs, which cause data exposure, often install themselves on devices through malicious downloads or fraudulent links. Once active, they are able to access and extract information saved in browsers such as Chrome and Edge, collecting passwords, cookies and autofill data. Este process occurs confidentially, without the user noticing the invasion in progress.
Malware operates by capturing this sensitive data and, in many cases, trading it on clandestine forums on the dark web, where cyber criminals use it for financial fraud, identity theft and other attacks. Victims can be from any operating system, including Windows, macOS and various mobile devices.
Tips for staying safe online
Carefully checking URLs before entering any credentials on websites is an essential measure to avoid falling into phishing traps. Suspicious emails and messages often request personal data for no apparent reason or have grammatical and visual errors that betray fraud. It is crucial to avoid clicking on links contained in unsolicited messages or from unknown senders.
To strengthen defense against unauthorized access, passwords must be at least 12 characters long, combining upper and lower case letters, numbers and symbols. Creating memorable phrases that are easy for the user to remember but difficult for others to crack serves as a robust foundation for stronger password combinations.
Positioning of affected companies
Google, one of the companies whose users were indirectly affected, reiterated that there was no specific breach of its own security systems. The company continues to actively encourage the use of two-step verification and the adoption of passkeys, which are more modern and secure authentication methods. Microsoft, in turn, did not comment on the incident until the publication of this news, maintaining silence in the face of the revelations.
Yahoo also did not issue any official position on the exposure of its users’ credentials. Enquanto this, the Have I Been Pwned platform continues to actively monitor new leaks and security incidents, offering a vital service so that users can check if their data has been compromised and receive email alerts when registering their addresses.
Tools to reinforce prevention
Activating access keys (passkeys) on services such as Google, WhatsApp and Microsoft offers a secure alternative to traditional passwords. Este method uses biometrics, such as fingerprint or facial recognition, or the device’s PIN for authentication, eliminating the need to memorize and enter complex combinations. Empresas technology companies have implemented this technology to mitigate the risks associated with the use of passwords.
Password managers, in turn, encrypt credentials, storing them securely locally or in the cloud, allowing synchronization between multiple connected devices. Maintaining software and operating systems with the latest updates is critical, as these updates often patch known vulnerabilities that could be exploited by infostealers and other malware.
