Overview
- Security firm Synthient compiled the cache of stolen credentials from criminal marketplaces and Telegram channels over roughly a year, and it was indexed on Have I Been Pwned around October 21.
- Google says its infrastructure was not hacked and urges users to enable 2‑step verification or passkeys, noting it prompts password resets when large credential dumps are detected.
- Analyses indicate about 91% of entries had appeared in prior breaches, yet many credentials still work and span Gmail, Outlook, Yahoo and other services, heightening credential‑stuffing risks.
- Users can check exposure at HaveIBeenPwned.com and, if flagged, should change passwords, enable multi‑factor authentication, review account activity, and consider malware scans and password managers.
- Researchers attribute the haul to infostealer malware delivered via phishing, fake downloads and compromised browser extensions, with reported surges in credential theft activity in 2025.
 
  
  
 