A massive data leak has exposed more than 183 million email passwords for Gmail and other web services over the past several months after cybercriminals stole the sensitive information from web forums.

How did cybercriminals obtain the information in the data leak?

The cybercriminals used malware called “infostealers,” which collect website addresses, usernames, email addresses, and passwords stored after users visit these websites, according to a blog post by Troy Hunt, the Australian security researcher who founded the data-breach notification website Have I Been Pwned.

Researchers at the security firm Synthient and Have I Been Pwned reviewed 3.5 terabytes of 23 million stealer logs and credential stuffing lists that surfaced online earlier this month, Hunt wrote in the blog post. Among the 183 million accounts detected, 16.4 million addresses were new to HIBP and had never been seen before, according to Hunt.

The attackers also used a list of credentials collected from previous breaches, along with plaintext or easily guessable passwords, per the blog post. They used these to access other accounts where passwords had been reused.

What to do if your account is exposed

Anyone concerned that their email address may have been breached can use the Have I Been Pwned website to check. If it appears in a leak, the site shows how many times it occurred and provides details about the incident.

The site can also provide information about how many times passwords have been used in online breaches, including the most recent one on Synthient, according to Yahoo! News. While this doesn’t necessarily mean the password was leaked, it could be linked to using the same credentials on other devices. Some passwords are easier to guess than others, and updating them can help reduce the risk. Additionally, having other security measures, such as multi-factor authentication, can be helpful.

“Many password managers also offer breach/disclosure detection, which will automatically notify you if your password has appeared in a data breach/dump,” Michael Tigges, senior security operations analyst at Huntress, told Yahoo! News.

Recent password breaches

In June, Blavity reported that a massive data breach had exposed more than 16 billion passwords for social media, VPN and user information for services like Apple, Gmail and more.

“This is not just a leak — it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing,” researchers at Cybernews said at the time.

According to experts, this data breach was the largest cyberattack in history.