Cybersecurity experts are sounding the alarm after discovering that more than 183 million passwords have been stolen in a massive data breach affecting users across multiple email platforms.
The incident, which occurred in April but was only recently disclosed, has exposed a staggering 3.5 terabytes of user data.
To put that figure in perspective, the stolen information would be equivalent to approximately 875 full-length high-definition movies.
Troy Hunt, an Australian cybersecurity expert who brought the breach to public attention, described the incident as a “vast corpus” of compromised data.
Hunt revealed the details through his Have I Been Pwned website, a service that allows users to check whether their personal information has been exposed in known data breaches.
The breach affects users across all major email providers, not just Gmail.
Accounts from Outlook, Yahoo, and numerous other email services were included in the stolen data, according to Hunt.
“They’re from everywhere you could imagine, but Gmail always features heavily,” Hunt stated when discussing the scope of the breach.
The compromised data includes 183 million unique email addresses, along with the websites where those addresses were entered and the corresponding passwords used on those sites.
This means the breach extends far beyond just email account credentials.
Users concerned about their data can visit the Have I Been Pwned website to determine if their email address was included in the breach.
The site allows individuals to enter their email address in a search bar and check against a database of known breaches dating back over a decade.
For those who discover their information was compromised, immediate action is required. Cybersecurity experts recommend changing email passwords immediately and enabling two-factor authentication if it has not already been activated.
Two-factor authentication adds an extra layer of security by sending a verification code to a user’s smartphone when accessing online accounts.
Hunt explained that this incident differs from a traditional single-source data breach.
Instead, the stolen information represents a collection of “stealer logs,” which are data files generated and compiled by malicious software, commonly referred to as malware.
“Stealer logs are more of a firehose of data that’s just constantly spewing personal info all over the place,” Hunt wrote in a blog post explaining the nature of the breach.
He added that once criminals obtain personal data, it often replicates repeatedly through various channels and platforms.
The identity of the criminals responsible for deploying the malware remains unknown at this time.
Authorities have not yet announced any suspects or made arrests in connection with the breach.
The danger extends beyond compromised email passwords.
The breach also potentially exposed unique passwords associated with users’ email addresses on other platforms, including popular websites like Amazon, eBay and Netflix.
“Stealer logs expose the credentials you enter into websites you visit then login to,” Hunt explained, emphasizing the far-reaching implications of the breach.
Users who find their email address listed on Have I Been Pwned should consider changing passwords on any platform associated with that email address.
The risk increases significantly for individuals who use the same password across multiple online accounts.
Graham Cluley, a computer security expert and blogger, emphasized the importance of password diversity.
“You won’t be able to remember them by yourself, so use a password manager to do it for you,” Cluley advised.
He also recommended enabling multi-factor authentication whenever available for enhanced protection.
“We’re not talking about one company getting hacked, but millions of people unknowingly having their passwords stolen through malware,” Cluley said.
“With 183 million email addresses exposed, it’s possible that many people could be caught up in this without even realising their computers have been compromised.”
Benjamin Brundage, a researcher at cybersecurity platform Synthient, discovered the breached data and reported it to Have I Been Pwned.
Synthient specializes in detecting and blocking malicious actors online.
Brundage, who is completing his final year of college in the United States, cautioned users against assuming they are protected simply because they use strong passwords.
While strong passwords remain an important first line of defense, they are not foolproof against sophisticated malware attacks.
Cybersecurity experts typically define a strong password as containing at least 16 characters with a combination of uppercase and lowercase letters, numbers and symbols.
The Daily Mail reported that a Google spokesperson addressed the breach in a statement, clarifying that the incident involves known infostealer malware that targets various types of internet activity.
“There is not a new, Gmail-specific attack at play,” the spokesperson said.
The company noted that Google protects users through multiple defensive layers, including resetting passwords when credential theft is detected.
The spokesperson encouraged users to strengthen their own security by enabling two-step verification and adopting passkeys as an alternative to traditional passwords.
