Google has denied reports of a massive Gmail data breach after online claims suggested that millions of users’ email credentials had been leaked. The tech giant clarified that the allegations were based on a misinterpretation of old, recycled data circulating across the internet rather than any new compromise of Gmail’s security systems.
On Tuesday, Google addressed the rumors through its official News from Google account on X, saying, “Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defences are strong, and users remain protected.” The company explained that the misleading reports stemmed from “a misunderstanding of infostealer databases” — large repositories of credentials collected from unrelated data theft incidents across various platforms. These databases, Google said, do not indicate a fresh attack on Gmail or any other specific service.
Google further assured users that it continuously monitors for large-scale credential leaks and assists affected users in securing their accounts by initiating password resets and implementing additional security checks.
The controversy began when Troy Hunt, an Australian cybersecurity researcher and founder of the data breach alert platform Have I Been Pwned, reported the discovery of a 3.5-terabyte database containing approximately 183 million email credentials. According to Hunt, the dataset appeared to combine information from numerous historical breaches and could include Gmail accounts among other providers. The leak gained global attention after being reported by The New York Times, which cited Hunt’s recommendation for users to verify whether their data had been exposed by visiting HaveIBeenPwned.com — a platform that allows individuals to check if their email addresses appear in any known data breaches.
While Google maintains that Gmail itself has not been compromised, the company reiterated its commitment to user safety, advising individuals to enhance their account protection measures. It encouraged users to enable two-step verification, adopt passkeys as a safer alternative to traditional passwords, and reset credentials if they appear in public databases.
The company emphasized that its automated security systems proactively detect and neutralize threats stemming from large credential dumps to ensure timely account protection. Cybersecurity experts also advised users to practice digital hygiene by changing passwords regularly, avoiding reuse across platforms, and activating multi-factor authentication to strengthen overall account security.
