Cybersecurity firm Tenable Inc. has refuted claims circulating online that 183 million Gmail passwords were stolen in a massive breach, calling the reports ‘grossly misrepresentative’ of the real situation.
Satnam Narang, Senior Staff Research Engineer at Tenable, clarified that Google itself was not affected by any breach. Instead, he explained that the dataset being discussed was an aggregation of previously leaked credentials sourced from various unrelated incidents and malware activity.
‘These claims grossly misrepresent the reality of the situation. Google itself has not been impacted by a breach,’ Narang said. ‘Researchers aggregated threat data from a variety of sources, which included 183 million unique credentials tied to various websites, including Gmail.’
According to Narang, much of the information came from infostealers, which are malicious software designed to collect data from infected computers. These programs capture login credentials and other personal details whenever users sign into their email, social media, or financial accounts, which are then compiled into what cybersecurity researchers call ‘stealer logs.’
The aggregated dataset was shared with Troy Hunt, founder of Have I Been Pwned, a website that allows users to check if their personal information has appeared in a known breach.
Hunt’s analysis found that 91 percent of the credentials had already been exposed in previous incidents, while around 16.4 million addresses appeared for the first time.
Narang noted, however, that not all of these entries may be valid, suggesting the actual number of new exposures could be smaller.
He emphasized that the greater issue lies in the widespread reuse of passwords across different online services. When users recycle passwords, he said, they become vulnerable to credential-stuffing attacks, where hackers test email and password combinations across multiple platforms in hopes of gaining unauthorized access.
Narang said that users can protect themselves by avoiding password reuse, relying on password managers available on their devices or through trusted third-party apps, and enabling multi-factor authentication, which requires a secondary verification method before granting account access. This can come in the form of a one-time passcode, an authenticator app, or a hardware security key.
Tenable’s clarification comes amid a wave of reports about data leaks that have been proven to be fake. Closer to home, a supposed dark web listing alleging the sale of new GCash user data was later proven to be fake following investigations by the Cybercrime Investigation and Coordinating Center.