Not for the first time this year, Google has been forced to reassure its users that it has not suffered a large-scale data breach that could affect their Gmail accounts. A few months ago the company released an unusual statement intended to put to bed allegations that its email service had been hit with a serious security issue. And it did so again this week, after numerous news outlets published stories suggesting that 183 million passwords may have been compromised in a new breach.
In posts on X, Google has since claimed that this isn’t true. It says the listed accounts are likely not fresh victims of an attack, but instead recent additions to the database of the Have I Been Pwned (HIBP) data breach search engine. The website is a free resource that can quickly tell users if their personal data has been hacked. As noted by Bleeping Computer, HIBP’s creator, Troy Hunt, has said in a blog post that over 90 percent of the millions of stolen credentials have been seen before, so are in no way new (16.4 million of the addresses were, however, showing up in a data breach for the first time, according to Hunt).
“Reports of a ‘Gmail security breach impacting millions of users’ are false,” Google said in a statement. “Gmail’s defenses are strong, and users remain protected. The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.”
Google does use compilations of open credentials like the one recently uploaded to HIBP to alert its users to possible breaches. It has advised users that turning on 2-step verification and adopting passkeys is more secure than relying on passwords alone, and notes that passwords should always be reset immediately if compromised.
