183M Gmail Passwords Leaked(forbes.com)
forbes.com
183M Gmail Passwords Leaked
https://www.forbes.com/sites/daveywinder/2025/10/27/gmail-passwords-confirmed-as-part-of-183-million-account-data-breach/
14 comments
The title of the article makes it clear that these are not 183M Gmail passwords, but that Gmail passwords are a part of the leak.
"Gmail Passwords Confirmed As Part Of 183 Million Account Data Leak"
"Gmail Passwords Confirmed As Part Of 183 Million Account Data Leak"
By the article's logic, I just exhaled 5 * 10^18 kg of carbon dioxide into the earth's atmosphere.
Some apps reset your password automatically (send you a password reset email) if they detect it has been leaked.
But email services appear to have a harder problem due to the catch 22 where you can't log in to reach the password reset email if they were to reset your password.
What do they do?
But email services appear to have a harder problem due to the catch 22 where you can't log in to reach the password reset email if they were to reset your password.
What do they do?
Maybe recovery email. Gmail once in a while asks me to set one up.
Ignoring the backup email case as the other commentor left. In practice accounts are not immediately compromised so there is enough time to send a reset to the original user.
You could also do things like having the reset require the user to have a token that was issued before the compromise to prove you were able to authenticate before the leak happened.
You could also do things like having the reset require the user to have a token that was issued before the compromise to prove you were able to authenticate before the leak happened.
I skimmed the article. I skimmed several of the linked articles. No one says the source of the credentials, other than where people are buying and selling them. Where are google login credentials coming from? Malware I assume and nothing to do with a problem at google?
Uh oh. For a long time I've been giving myself the excuse that the only reason why I keep using Gmail is security - Google has never had these kind of breaches.
The argument is no longer valid, time to move off Gmail.
The argument is no longer valid, time to move off Gmail.
There was no breach, which is clear from the first sentence of the article.
If I understood the follow up blogpost right, it states that there is a lot of email adresses where the only hit is the email domain so they are filtering away that as false positives. Not all stolen credentials are properly aligned and encoded with ; on the correct place I guess :-)
There might be a lot less gmail adresses showing up as pwned now.
There might be a lot less gmail adresses showing up as pwned now.
sex, love, secret, and god
Those are mine
Those are mine
Please be careful when typing in the name of God. It could have devastating consequences.
I hope you're using a site that requires at least 6 (but no more than 10) uppercase, lowercase, numeric, and special characters.
https://archive.org/details/ninebillionnames00clar
I hope you're using a site that requires at least 6 (but no more than 10) uppercase, lowercase, numeric, and special characters.
https://archive.org/details/ninebillionnames00clar
Scott Alexander, that you?
Primary article instead of shitty forbes blog spam.