    Leak of 183 Million “Gmail” Passwords: What Can Actually Be Confirmed?

    By Content Team on November 10, 2025

    Several news outlets have been reporting a story about a massive leak of 183 million passwords allegedly from “Gmail” and other providers. Unfortunately, headlines don’t always make it clear what people actually need to know about this new credential dataset.

    At first glance, one might think this file contains passwords to access email accounts — or even that email providers like Google and Microsoft suffered a cyberattack that put their users’ data at risk.

    However, neither assumption is true. Google has even issued a statement to the press denying any breach of its systems.

    So, let’s clarify the key points that explain this incident: its origin, what was stolen, and the real context behind these credentials.

    The Origin of the Data: Stealers

    The passwords weren’t exposed through a database breach or system intrusion. Technically, this isn’t a “leak,” though the term is often used in these situations.

    Instead, the file is a collection of credentials exposed through the infostealer ecosystem. We’ve previously explained in detail how this type of malware can collect a wide range of information once executed on a device.

    Because there’s a large criminal infrastructure behind stealers, thousands of credentials are captured from compromised systems and leaked every day. However, many of these credentials are initially shared only through restricted or private channels.

    Over time, these stolen credentials circulate across various cybercrime spaces. Eventually, they end up in public compilations created by criminals seeking reputation or notoriety.

    That said, the risk for someone exposed by a stealer began the moment their credentials were first stolen. By the time the data appears in one of these public compilations, the passwords are usually outdated.

    What Was Stolen?

    Stealers collect all kinds of credentials. Therefore, the leaked credentials aren’t limited to email accounts — they include access data for a wide range of websites and platforms that use email addresses as usernames.

    In other words, the scope is much broader than just email accounts.

    On one hand, that’s good news, because not every record is an email password. Email accounts can often be used to reset other passwords, which means they could indirectly unlock access to many additional services.

    On the other hand, there’s a downside: attackers can gain direct access to many other types of systems, including environments that might contain corporate data, even indirectly.

    In any case, it’s important to understand that changing your email password preemptively won’t solve the problem. 

    Data Still Being Counted

    Besides stealer data, this compilation also includes credentials obtained through credential stuffing. We’ve explained this technique before in depth.

    In short, criminals try to reuse credentials from one service on another. For example, a username and password leaked from one social network might be tested on another platform.

    Because many users reuse passwords, this method allows criminals to find new valid logins and extend the usefulness of stolen credentials.

    Credential stuffing increases the total number of “valid” credentials — but since it relies on already-exposed data, multiple groups often find the same repeated passwords, generating large volumes of duplicate records.

    Around 90% of the data originating from stealers isn’t new. So it’s reasonable to assume that this additional set of credentials also includes a high percentage of duplicates. Still, some credentials might be linked to new websites, meaning there’s residual risk to mitigate.

    It’s also worth noting that all these credentials have been in criminals’ hands since at least April. The risk isn’t in the future — it’s already been present for months.
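
    A defender-side way to measure how much of a newly published compilation is actually new, following the duplication described above (an added example, not Axur's code). The tab-separated `site, login, password` layout, the store key, the monitored domain `corp.example` and every sample record are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

STORE_KEY = b"constructed-example-key"  # assumption: secret protecting the fingerprint store

def normalize(site, login, password):
    """Canonical form, so trivially different copies of one record collide."""
    host = (urlsplit(site if "//" in site else "//" + site).hostname or "").lower()
    return (host[4:] if host.startswith("www.") else host), login.strip().lower(), password

def fingerprint(record):
    """Keyed hash of the record; the history store never holds plaintext passwords."""
    return hmac.new(STORE_KEY, "\x1f".join(record).encode(), hashlib.sha256).hexdigest()

def triage(lines, seen, monitored_domain):
    """Classify records as new, in-file duplicate or already seen; update `seen`."""
    stats = {"new": 0, "duplicate": 0, "already_seen": 0, "malformed": 0}
    alerts, batch = [], set()
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not all(parts):
            stats["malformed"] += 1
            continue
        rec = normalize(*parts)
        fp = fingerprint(rec)
        if fp in seen:
            stats["already_seen"] += 1
        elif fp in batch:
            stats["duplicate"] += 1
        else:
            stats["new"] += 1
            batch.add(fp)
            host, login, _ = rec
            # Alert on the organisation's mailboxes and on its own hosts/subdomains.
            if login.endswith("@" + monitored_domain) or ("." + host).endswith("." + monitored_domain):
                alerts.append((host, login))
    seen |= batch
    return stats, alerts

# Constructed sample: one fingerprint from an earlier compilation, then a "new" file.
SEEN = {fingerprint(normalize("https://shop.example/login", "ana@corp.example", "Winter2024!"))}
SAMPLE = [
    "https://www.shop.example/account\tAna@corp.example\tWinter2024!",  # already seen
    "https://vpn.corp.example/\tana@corp.example\tWinter2024!",  # same pair, new site
    "vpn.corp.example\tana@corp.example\tWinter2024!",  # duplicate inside the file
    "https://forum.example/\tbob@mail.example\thunter2",  # new, not monitored
    "broken line without separators",
]
if __name__ == "__main__":
    print(triage(SAMPLE, set(SEEN), "corp.example"))
```

    The second sample record is the residual risk the text mentions: a known login and password pair counts as new because it is tied to a site not seen before.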

    Credential Exposures in 2025

    At Axur, we monitor numerous channels where cybercriminals share exposed credentials. Knowing whether a credential has been leaked is valuable — it can help clarify cases of unauthorized access and trigger preventive actions.

    Over the past year, we detected more than 177 billion exposed credentials, of which 6 billion were new. The rest had already been disclosed by the time they were found.

    This kind of “republication” doesn’t mean criminals have revalidated the credentials or confirmed their usefulness. The explanation is simpler: repackaging old data is a common habit among cybercriminals and part of the process that eventually pushes new stolen data into more public spaces.

    That said, we shouldn’t assume that reposted credentials pose no new risks. While the greatest danger may have passed, it’s still possible for criminals to find new ways to exploit these datasets — or for new vulnerabilities to make them relevant again.

    Axur’s Annual Report will feature these and other insights about the global threat landscape. To be among the first to access it, join the Axur Community and sign up for updates on its release.

    If you’d like to learn more about credential compilations and the risks they pose, check out our ebook on the topic.