Cybersecurity firm Synthient uncovered a staggering trove of leaked credentials lurking on the web, compiling a large database containing 183 million unique email addresses. This massive collection of data was aggregated from various cybercriminal platforms, including Telegram channels, forums, social media sites, and the Tor network. The company clarified that the vast majority of these credentials originated from information stealer infections, meaning they were harvested from users’ infected devices rather than through direct hacks on major organizations, with most being shared via Telegram.
Focused on mapping adversary infrastructure, Synthient built a dedicated system to collect and meticulously parse the leaked information, which primary sellers, aggregators, and miscreants shared across their networks. This effort culminated in a 3.5 terabyte database that included not only email addresses and passwords but also the specific websites where the credentials were used. Synthient subsequently compiled this comprehensive data set, encompassing 23 billion rows of data, and sent it to the data breach notification service, Have I Been Pwned (HIBP), for verification and public use.
HIBP maintainer Troy Hunt confirmed the data’s authenticity, noting that while many of the aggregated credentials were already present in the service’s database, the Synthient compilation was still highly valuable. Specifically, only 9% of the emails, representing 16.4 million unique addresses, were not in any previously added data breaches, a significant contribution to the service. Hunt also observed that the data contained credential stuffing lists alongside the core infostealer logs. Following verification, these new email addresses and associated websites were added and made searchable on the Have I Been Pwned platform.
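Because the aggregated credentials now sit in Have I Been Pwned, the practical check for a defender is whether a given password already appears in HIBP's Pwned Passwords corpus. The following is an added example, not code from Synthient, HIBP, or the article: it uses HIBP's public k-anonymity range API, in which only the first five hex characters of the SHA-1 hash leave the machine and the matching suffix is searched locally in the returned list. The sample response body is constructed here for offline use; the real endpoint returns the same `SUFFIX:COUNT` line format.

```python
import hashlib
import urllib.request

# Public HIBP Pwned Passwords range endpoint (k-anonymity: only a 5-char hash prefix is sent).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix "5BAA6" (assumption: counts are illustrative only).
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent
    to HIBP and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(body: str, suffix: str) -> int:
    """Scan a range response (lines of SUFFIX:COUNT) for our suffix; 0 means not found."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the real range for a prefix; HIBP asks clients to send a User-Agent."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how often the password appears in Pwned Passwords (0 = not seen).
    `fetch` is injectable so the logic can be exercised offline against SAMPLE_RANGE_BODY."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demonstration using the constructed body; swap in fetch_range for a live check.
    print(pwned_count("password", fetch=lambda _prefix: SAMPLE_RANGE_BODY))
```

A non-zero count is a signal to rotate that password and enable MFA on every account where it was reused; the password itself never leaves the host.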
The discovery unfortunately led to widespread and inaccurate news reports claiming a “Gmail security breach impacting millions of users,” which prompted an immediate and firm response from Google. The company stated that these reports were false and stemmed from a fundamental misunderstanding of how infostealer databases are compiled. Google clarified that the data is simply an aggregation of various credential theft activities occurring across the web and does not reflect a new or single attack aimed at a specific platform, such as Gmail.
In light of the significant volume of compromised credentials, both Google and cybersecurity experts emphasized the critical need for users to secure their accounts. Google’s top recommendation for protection against credential theft is adopting multi-factor authentication (MFA) or switching to the safer alternative of passkeys. Furthermore, experts like KnowBe4 CISO advisor Erich Kron stress that the sheer scale of annually compromised passwords should be a strong motivator to enable MFA and drive users to promptly reset their passwords, particularly those for vital services like email.