Google Refutes Gmail Data Breach Claims, Says Reports Based on Old Leaked Data; Urges Users to Enable 2-Step Verification

After numerous online posts suggested that the passwords of millions of emails were exposed, Google has rebuffed the reports of a serious Gmail data breach. The company posted an official statement on X (formerly known as Twitter), stating that the reports relied on outdated and stolen data and were not related to any fresh cyberattack against Gmail users.

Google Denies Gmail Breach Claims

In its post from the handle News from Google, the company stated,

“Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defences are strong, and users remain protected.”

Google further explained that the misleading claims originated from “a misunderstanding of infostealer databases” — collections of credentials stolen in past cyber incidents and later compiled into large datasets circulating online.

The company emphasized that no new compromise of Gmail’s security systems had occurred. It also reassured users that it actively monitors for credential leaks and helps affected users reset their passwords as a preventive measure.

How the Rumours Started

The argument was sparked when Australian digital security expert Troy Hunt, creator of the Have I Been Pwned breach alert service, revealed that a huge 3.5-terabyte database with about 183 million email passwords had been published on the internet.

Hunt suggested the exposed data to be the result of an old breaches amalgamation that could be taking Gmail and other email accounts into account. The reporting by The New York Times made the revelation extremely popular.

Users were recommended to verify their email accounts on HaveIBeenPwned.com to find out if their passwords had been included in any of the identified data breaches.

Google’s Security Advisory

While reaffirming that Gmail remains secure, Google advised users to take proactive steps to safeguard their accounts. The company urged all Gmail users to:

Enable 2-Step Verification for added security.

Adopt passkeys — a safer alternative to traditional passwords.

Reset credentials if their information appears in public data sets.

Avoid password reuse across multiple websites.

Google also noted that its security systems automatically detect and mitigate threats from large-scale credential dumps, ensuring that affected accounts are promptly secured.

Cybersecurity Experts’ Advice

Experts recommend that users concerned about potential exposure should:

• Check their email on Have I Been Pwned to see if it appears in any breach.
• Regularly update passwords and use strong, unique credentials.
• Enable multi-factor authentication (MFA) wherever possible.