Jun 07, 2026 · 5 min read
Gmail: 48 Million Logins Found in Infostealer Dump
Security researcher Jeremiah Fowler reported finding a publicly accessible, completely unencrypted database holding 149,404,754 sets of login credentials, including roughly 48 million Gmail accounts. Despite the headlines, Gmail itself was not hacked. The records are aggregated infostealer logs, harvested from infected personal devices and now being recycled against accounts through credential stuffing. Here is what was exposed and exactly how to check and protect your own login.
Every few months a headline announces that tens of millions of Gmail passwords have leaked, and every few months the reality is more complicated and more useful to understand. The latest disclosure is real and large: an open, unsecured database containing about 149 million credential sets, with around 48 million tied to Gmail addresses, sitting on the internet with no encryption at all. The important detail is where those credentials came from, because it tells you whether you are actually at risk and what to do about it.
Key Takeaways
- Researcher Jeremiah Fowler found an open, unencrypted database with 149,404,754 credential sets, including about 48 million Gmail accounts.
- Gmail's own systems were not breached. The data is a compilation of infostealer logs pulled from individually infected devices and older leaks.
- Malware families such as RedLine and Vidar harvested these credentials from victim computers over months before they were aggregated and resold.
- The real danger is credential stuffing: attackers replay these username and password pairs against Gmail and every other service where you reused them.
- You can check exposure in minutes, and a unique password plus a passkey or MFA neutralizes almost the entire risk.
What Was Actually Exposed?
What was exposed is a giant, searchable list of usernames and passwords, stored in plain text with no protection, that anyone who found the database could read. Of the roughly 149 million credential pairs, about 48 million were for Gmail addresses, with the rest spread across services like Facebook, Netflix, and many others. The records are not limited to one company because they were never taken from one company.
This is the pattern behind almost every viral "Gmail breach" of the last two years. The number is genuinely huge, the exposure is genuinely careless, and yet Google's infrastructure was never touched. Understanding that distinction is the difference between panic and an effective response.
Was Gmail Itself Hacked?
No. Gmail was not directly breached. The credentials are a compilation drawn from infostealer malware logs and older, resurfaced data leaks, aggregated over time and dumped into a single unprotected database. When you see a headline about millions of Gmail passwords, it almost always refers to reused credentials and malware-harvested logins rather than a compromise of Google's servers.
That matters because the fix is on your side, not Google's. If your password leaked because malware scraped it off your own machine or because you reused it on a site that got breached, then changing it and adding a second factor closes the hole immediately.
How Did Infostealers Grab These Passwords?
Infostealers grabbed these passwords directly from infected devices. Malware families such as RedLine and Vidar install on a victim's computer, usually through a malicious download, a cracked program, or a phishing lure, and then quietly copy saved browser passwords, session cookies, and autofill data. The stolen bundles, called logs, are sold and traded in bulk on criminal markets, then aggregated into the kind of mega compilation that surfaced here.
Because infostealers also grab session cookies, a strong password alone is not always enough, which is why moving to passkeys and revoking old sessions matters. The initial infection very often starts with email, the same channel exploited by the AI-generated lures we cover in our report on AI-written phishing now dominating inboxes.
How Do You Check and Protect Your Account?
- Check exposure. Run your email through a reputable breach notification service to see whether your address appears in known leaks.
- Change reused passwords. If you used the same password anywhere else, change it everywhere, and never reuse one again.
- Turn on a passkey or MFA. A hardware-backed second factor or passkey defeats credential stuffing even when the password is known.
- Revoke old sessions. In your Google account, sign out unfamiliar devices to invalidate any stolen session cookies.
- Run a malware scan. If credentials leaked from your own device, the infostealer may still be there.
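One way to do the "check exposure" step for a password without ever sending the password itself, as an added example that is not part of the article: the k-anonymity range lookup offered by Have I Been Pwned's Pwned Passwords API sends only the first five hex characters of the SHA-1 hash and matches the remainder locally. The network call is replaced here by a constructed stand-in so the code runs offline, and the corpus counts are made up.

```python
import hashlib

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines as the range endpoint returns them."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def exposure_count(password, fetch_range):
    """fetch_range(prefix) returns the response text for that 5-char prefix.
    Returns how often the password appears in the corpus; 0 means not found.
    Only the prefix is handed to fetch_range, never the password or full hash."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the network call. A real client would GET
# https://api.pwnedpasswords.com/range/<prefix> and return the body text.
_CONSTRUCTED_CORPUS = {"password": 3861493, "hunter2": 17}  # made-up counts

def fake_fetch_range(prefix):
    lines = []
    for pw, n in _CONSTRUCTED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 34 + "A:1")  # unrelated suffix sharing the prefix
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", exposure_count(candidate, fake_fetch_range))
```

A non-zero count means the password is already in attackers' hands and should be treated exactly like the reused passwords in the list above: changed everywhere it appears.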
Where Do Tracking Pixels Fit In?
Tracking pixels fit in at the targeting stage. Once an address is in a list like this, attackers want to know which accounts are live and actively read before they invest effort. A tracking pixel inside a probing email answers that for free: open the message and the sender learns your address works, you read mail, and roughly when. Blocking remote images and pixels keeps a leaked address quieter and less attractive as a follow-up target. Our guide on how to block email tracking in Gmail covers the practical steps.
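To make the "probing pixel" concrete, here is an added example (not code from the article) that scans an HTML email body for the tell-tale signs of a beacon before any remote image is loaded: a remote image that is 1x1, hidden, or carries a long per-recipient token. The heuristics, thresholds and the sample message are this example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (e.g. "1", "1px")."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid:/data: images cannot phone home
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if len(src.partition("?")[2]) >= 16:
            reasons.append("long-query-token")  # likely per-recipient id
        if reasons:
            self.pixels.append((src, reasons))

def find_tracking_pixels(html):
    """Return [(src, reasons)] for every remote image that looks like a beacon."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.pixels

# Constructed sample body, not a real email.
SAMPLE = """<html><body><p>Your statement is ready.</p>
<img src="https://img.example.test/logo.png" width="200" height="60">
<img src="https://track.example.test/open.gif?u=9f8e7d6c5b4a3f2e1d0c" width="1" height="1">
<img src="https://track.example.test/p.png" style="display: none">
<img src="cid:inline-photo" width="1" height="1"></body></html>"""

if __name__ == "__main__":
    for src, why in find_tracking_pixels(SAMPLE):
        print(src, why)
```

The logo and the inline cid: image pass; only the two beacons are reported, which is exactly what a "block remote images" setting prevents from ever being fetched.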
The Bottom Line
Forty-eight million Gmail logins in an open database sounds like Google fell over. It did not. This is the steady drip of infostealer malware and password reuse, pooled into one careless bucket. The response is unglamorous and effective: unique passwords, a passkey or MFA, revoked old sessions, a clean device, and an inbox that does not quietly broadcast that your address is live. Do those things and a leaked password becomes a non-event. And remember that a stolen password is not the only way in: see how Russian hackers bypassed Gmail MFA with app passwords.