The original headline on Hacker News is misleading. This is not a breach of 183 million Gmail account passwords. This is a collection of credentials, largely stolen by infostealer malware and circulating among cyber criminals, which was collected by a security researcher and passed on to Have I Been Pwned. Over 90% of the data has already been seen in previous releases.
Adding the details of website URLs, email addresses and passwords to the Have I Been Pwned database, owner Troy Hunt said the data consisted of both “stealer logs and credential stuffing lists” including confirmed Gmail login credentials.
The “confirmed Gmail login” bit comes from contacting one of the victims at random to verify the data and he confirmed the password was his Gmail password. It doesn’t appear to be a Gmail breach, just the results of credential stealing happened to include some people logging into Gmail.
Edit: Perhaps a more useful link is the original blog post from Have I Been Pwned’s Troy Hunt.
Guess it’s finally time to change my 25-year-old Gmail password
Wouldn’t you just start getting weird 2FA requests if they were being used? Could probably wait until then.
An analysis of a 94,000 sample revealed 92% were not, in fact, new (…) the final tally was 16.4 million previously unseen addresses in any data breach, not just stealer logs.
