Gmail Users Urged to Boost Security Amid Concern Over 183 Million Email Passwords Leaked

Google denies a major Gmail hack but warns users to strengthen account security after 183 million stolen passwords surface in a leak

Published on October 31, 2025

By: CMAA

While there’s no confirmed mass breach of Gmail itself, Australians should still be alert.

Media reports have flagged a huge trove of stolen credentials – according to one estimate, more than 183 million email passwords (including “tens of millions” tied to Gmail addresses) were exposed in a malware-driven credential dump.

Cyber-criminals use exposed credentials for account take-over, identity theft and phishing, and to target older family members who may have simpler or reused passwords.

What’s Happened

The New York Post reported that Australian security researcher Troy Hunt flagged a dataset built from infostealer malware: credentials such as usernames, passwords and website addresses siphoned from infected devices, not from a direct hack of Google or Gmail.

Earlier this year, researchers also uncovered a massive leak of 16 billion login credentials (across many services including Google, Apple and Facebook) compiled from multiple smaller incidents or malware infections.

Google’s Official Statement

“Gmail’s protections are strong and effective, and claims of a major Gmail security warning are false,” the statement reads.

“We want to reassure our users that Gmail’s protections are strong and effective. Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false.

“While it’s always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users.

“Security is such an important item for all companies, all customers, all users – we take this work incredibly seriously. Our teams invest heavily, innovate constantly, and communicate clearly about the risks and protections we have in place. It’s crucial that conversation in this space is accurate and factual.

“As best practices for additional protection, we encourage users to use a secure password alternative like Passkeys, and to follow these best practices to spot and report phishing attacks.”

What You Should Do Right Now

Here’s a checklist you can follow yourself, and help parents or grandparents follow too.

1. Check if your email has been exposed

Go to the free service Have I Been Pwned and enter your Gmail and other email addresses. It will show if they have appeared in known leaks.

2. Change and strengthen your passwords

  • Use a unique password for your Gmail account (and all major services). Never reuse it elsewhere.
  • Make it long, and include upper- and lower-case letters, numbers and symbols.
  • Consider a trusted password manager if you struggle to remember.

3. Enable two-factor (or multi-factor) authentication (2FA/MFA)

This adds a second step (code, device prompt or security key) when logging in. Many reports show credentials stolen from device malware still allow access unless 2FA is turned on.

4. Update recovery details and review account access

Check that your recovery email and phone number are current. In Gmail go to Security – Your devices & recent activity. Look for anything unfamiliar.

5. Be alert to phishing and vishing (voice-phishing)

Criminals are now using data (even basic business or contact data) to craft realistic scams: phone calls impersonating tech support, spoofed numbers, fake “account breach” alerts. Google warns it will not phone you out of the blue to ask for your password.

Helping Older Family Members

  • Sit with them and check their account exposure together using Have I Been Pwned.
  • Go through their password list (or password manager) and identify if they’ve reused passwords or kept simple ones like “123456”.
  • Show them how to enable 2FA on their Gmail/Apple/other major accounts.
  • Warn them of the “I’m calling from tech support” trick – tell them never to give passwords or codes to anyone who rings claiming to be from Google/Apple/your bank.
  • Remove old apps they no longer use and ensure their device software (phone, tablet, computer) is up to date with security patches.

Think of your digital identity like your home front door key

Even though Google says there’s no broad Gmail breach, the credential-dump risk is very real for Australians. If your email or password turns up in a database, or insecure habits are in play (weak/reused passwords, no 2FA), you’re exposed. Think of your digital identity like a front door key: strong, unique keys plus a dead-bolt (2FA) make all the difference.

Stay safe online.


This article was prepared with AI assistance and carefully reviewed by the Hope 103.2 Digital team.

Article supplied with thanks to Hope 103.2