Cybersecurity researcher Troy Hunt has added 183 million stolen email addresses and passwords to the Have I Been Pwned database, revealing the staggering scale of credential theft perpetrated by infostealer malware throughout 2025. The massive dataset, originating from Synthient's year-long monitoring of underground criminal marketplaces, contains verified active passwords for Gmail, Microsoft Outlook, Yahoo, and countless other services—with Gmail credentials featuring prominently throughout the collection.
The 3.5 terabyte data cache comprises 23 billion rows of stolen information collected from infostealer malware logs, Telegram channels, Tor-based dark web forums, and credential stuffing lists circulating across underground marketplaces. Benjamin Brundage from Synthient, who compiled the data through nearly a year of threat intelligence monitoring, revealed that the dataset represents the output of sophisticated information-stealing malware designed to silently capture usernames, passwords, and website URLs as victims log into various online services.
Unlike traditional data breaches that result from direct attacks on service providers, infostealer malware operates by infecting individual computers and harvesting credentials as users enter them into web browsers. Once collected, these credentials flow into an underground digital supply chain where they're aggregated, merged with other stolen data, and resold across multiple platforms—creating a self-perpetuating cycle of exploitation.
When analyzing the stolen credentials, Hunt noted that while all major email providers appeared in the dataset, "Gmail always features heavily." The prevalence of Gmail credentials reflects both the service's massive user base of 1.8 billion active users worldwide and its central role as an authentication hub for countless online services and applications.
Hunt's analysis of a 94,000-record sample revealed that 92% of the credentials had appeared in previous breaches, primarily in the ALIEN TXTBASE stealer logs disclosed earlier in 2025. However, the remaining 8%—representing more than 16.4 million previously unseen email addresses—constitutes fresh ammunition for cybercriminals conducting credential stuffing attacks.
To verify the dataset's authenticity, Hunt contacted affected subscribers in the Have I Been Pwned database. One respondent, already suspicious about potential Gmail account compromise, confirmed that the leaked password was "an accurate password on my Gmail account," validating the immediate threat posed by this data exposure.
Security experts warn that the true danger extends far beyond the compromised accounts themselves. Cybercriminals exploit widespread password reuse through "credential stuffing" attacks, using stolen email-password combinations to systematically test access across banking services, e-commerce platforms, cloud storage, corporate networks, and other high-value targets.
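The login pattern this produces is visible from the defender's side: one source touching many distinct accounts, roughly one attempt each, with most attempts failing. The following Python is an added example, not part of the original article; the event format, the thresholds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success). Not real data.
SAMPLE_EVENTS = (
    # One try per account across many accounts, a single hit: stuffing pattern.
    [("203.0.113.10", f"user{i}@example.com", i == 3) for i in range(8)]
    # Many tries against one account: brute force or a forgetful user, not stuffing.
    + [("198.51.100.7", "alice@example.com", False)] * 6
    # Office NAT: several accounts, but every login succeeds.
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(5)]
)


def find_stuffing_sources(events, min_accounts=5, max_avg_attempts=2.0,
                          max_success_rate=0.2):
    """Return {source_ip: [accounts that logged in successfully]} for sources
    whose behaviour matches credential stuffing. Thresholds are illustrative
    assumptions and need tuning against real traffic."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0,
                                 "accounts": set(), "hit": set()})
    for ip, user, success in events:
        s = stats[ip]
        user = user.lower()          # treat mixed-case addresses as one account
        s["attempts"] += 1
        s["accounts"].add(user)
        if success:
            s["ok"] += 1
            s["hit"].add(user)

    flagged = {}
    for ip, s in stats.items():
        distinct = len(s["accounts"])
        avg_attempts = s["attempts"] / distinct      # ~1 for stuffing lists
        success_rate = s["ok"] / s["attempts"]       # low: most pairs are stale
        if (distinct >= min_accounts
                and avg_attempts <= max_avg_attempts
                and success_rate <= max_success_rate):
            # Successful logins from a flagged source are the accounts to
            # prioritise for password reset and session revocation.
            flagged[ip] = sorted(s["hit"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, "-> review accounts:", accounts)
```

The success-rate condition is what keeps a shared office address from being flagged alongside the stuffing source.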
"An underground market that began as isolated data leaks has evolved into a sophisticated network where billions of usernames and passwords are traded on the dark web and reused across countless platforms," said Darren Guccione, CEO at Keeper Security. "Each exposed credential fuels a cycle of exploitation that weakens digital trust and prolongs the impact of every breach."
Gary Orenstein, chief customer officer at Bitwarden, emphasized that the Synthient dataset's significance lies in its aggregation methodology. "This reflects the industrial scale of credential theft, where stolen information moves through a digital supply chain of resale and recombination," Orenstein explained. "Exposure rarely stems from a singular breach. It's often the result of password reuse across multiple services and devices."
Google issued a clarification statement addressing widespread misreporting that framed the incident as a direct Gmail breach. "Reports of a 'Gmail security breach impacting millions of users' are false," Google stated. "Gmail's defenses are strong, and users remain protected. The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web."
The company confirmed that it maintains processes for resetting passwords when large credential dumps surface, and urged users to activate two-step verification and adopt passkeys as stronger alternatives to traditional passwords. Google also advised concerned users to review their account activity by checking the "Last account activity" link at the bottom of Gmail pages, which displays recent sign-in sessions including IP addresses, access types, and geographical locations.
For users of Chrome's password manager, Google provides a Password Checkup feature accessible through the browser's settings menu. This tool identifies compromised passwords appearing in known data breaches, flags weak passwords, and alerts users to password reuse across multiple accounts.
Cybersecurity professionals recommend several critical steps for anyone potentially affected:
Check Exposure: Visit Have I Been Pwned (haveibeenpwned.com) and enter your email addresses to determine if your credentials appear in the database.
Change Passwords Immediately: If your account appears in the breach, change passwords immediately—not just for the compromised service, but for any other accounts using the same password.
Enable Multi-Factor Authentication: Activate 2FA across all accounts that support it, creating an additional security layer that blocks access even when passwords are stolen.
Adopt Password Managers: Use dedicated password management applications like 1Password, LastPass, or Bitwarden to generate and store unique, complex passwords for every account.
Monitor Account Activity: Regularly review login histories and account activity logs for unauthorized access attempts.
Antony Parks, threat intelligence researcher at Rapid7, noted that underground marketplaces now enable incredibly specific targeting, with buyers able to search by domain or individual email address. "This makes credential-based attacks an effective way for experienced threat actors to diversify their approach and for new attackers to find early success," Parks explained.
The incident underscores a fundamental shift in cybersecurity threats: passwords alone no longer provide adequate protection in an era where industrial-scale credential theft has become normalized. As Sachin Jade, chief product officer at Cyware, observed, "With 183 million pieces of ammunition just fed into the system, you can be sure that cybercriminals are already topping up their attack arsenals."
The revelation serves as an urgent reminder that in today's threat landscape, password hygiene, unique credentials for every service, and multi-factor authentication aren't optional security enhancements—they're essential survival strategies.