Google dismisses Gmail data breach claims, says reports based on old stolen data
The tech giant said the allegations were “false” and stemmed from a misinterpretation of old, stolen data.
ADVERTISEMENT
Google has refuted claims of a major Gmail data breach, following widespread reports that millions of users’ passwords had been leaked online. The tech giant said the allegations were “false” and stemmed from a misinterpretation of old, stolen data circulating on the internet, rather than evidence of a new attack targeting Gmail.
In a statement issued on its official X account, News from Google, the company said: “Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defences are strong, and users remain protected.”
Reports of a “Gmail security breach impacting millions of users” are false. Gmail’s defenses are strong, and users remain protected. ????????
— News from Google (@NewsFromGoogle) October 27, 2025
Google clarified that the reports were based on “a misunderstanding of infostealer databases” — repositories that compile credentials stolen in various past breaches. These collections, the company said, do not signify a fresh compromise of Gmail or any other Google service.
The company added that it routinely monitors for large batches of exposed credentials and helps affected users secure their accounts by prompting password resets and recommending 2-Step Verification.
The controversy began after cybersecurity expert Troy Hunt, founder of the breach notification platform Have I Been Pwned, disclosed the discovery of a 3.5-terabyte database containing roughly 183 million email credentials. Hunt said the dataset, which appeared online recently, included information from multiple historical breaches and might contain some Gmail addresses among other providers.
The leak gained international attention after being reported by The New York Times, which cited Hunt’s advice for users to check whether their details had been compromised. He encouraged users to visit HaveIBeenPwned.com, where they can enter their email addresses to determine if they appear in any known breaches and learn when and where the exposure occurred.
