Quick Answer: What to Do Right Now
Google’s alert means your saved passwords have appeared in known data breaches or credential dumps. Google itself was not hacked — the passwords were likely stolen from third-party websites or by infostealer malware on your device.
Immediate actions: 1) Go to passwords.google.com and run Password Checkup. 2) Change every compromised password. 3) Use unique passwords for every account. 4) Enable 2FA or passkeys everywhere. 5) Review your Google Account security activity for unfamiliar sign-ins.
Table of Contents
- What the Alert Actually Means
- How Did My Passwords Get Leaked?
- Was Google Hacked?
- 5 Immediate Steps to Take
- How to Use Google Password Checkup
- Changing Compromised Passwords
- Enable 2FA & Passkeys
- Review Your Account Security
- How to Prevent Future Breaches
- Can You Disable the Warning?
- Frequently Asked Questions
- TL;DR Summary
What Does “Some of Your Saved Passwords Were Found Online” Actually Mean?
If you’ve received a notification from Google saying “Some of your saved passwords were found online” or seen a red warning banner in Chrome, here’s what it means in plain English:
Google’s Password Checkup tool has scanned your saved passwords and found matches in known data breaches or credential dumps circulating on the dark web. This doesn’t mean someone is actively trying to hack your account right now — but it does mean your password is no longer secret and could be used in a credential stuffing attack.
Google checks your passwords against a database of over 4 billion leaked credentials that have been exposed in public data breaches. When a match is found, you get the alert.
Critical: This is not a drill. If Google says your password was found online, it has been compromised. Change it immediately.
How Did My Passwords Get Leaked?
There are several ways your passwords could have ended up in a breach database:
- Third-party website breach — A website or service you signed up for was hacked, and your password was stolen from their servers
- Infostealer malware — Malicious software on your device harvested passwords from your browser or password manager
- Phishing attack — You entered your password on a fake login page that looked real
- Credential stuffing — Attackers tried passwords from one breach on other sites, and yours matched
- Reused passwords — You used the same password on multiple sites; one site got breached, and now all accounts are at risk
Was Google Actually Hacked?
No. Google itself was not hacked. This is one of the most common misconceptions when people receive this alert. Google’s servers and your Google Account password were not compromised.
The 2025 data breach incidents involving Google credentials were caused by infostealer malware running on individual users’ devices — not a direct compromise of Google’s systems. Criminal groups harvested these stolen credentials and compiled them into large aggregated datasets. Google monitors these datasets and alerts you when your saved passwords appear in them.
That distinction matters for understanding the risk, but it does not make the exposed credentials any less real or dangerous. Your passwords are still compromised and need to be changed immediately.
Key Point: Google will not always notify you when credentials came from third-party malware rather than a direct compromise of its systems. You should proactively check your password security rather than waiting for an alert.
For more details on how data breaches work and how to protect yourself, visit Security.org’s Gmail Data Breach Guide.
5 Immediate Steps to Take Right Now
If you see the “Some of your saved passwords were found online” alert, follow these steps in order:
Step 1: Run Google Password Checkup
- Go to passwords.google.com
- Or open Chrome: Settings > Privacy and security > Password Manager > Checkup
- Review the list of compromised, reused, and weak passwords
- Google will show exactly which passwords were found in data breaches
Step 2: Change Every Compromised Password
- Click “Change password” next to each compromised entry
- Google will redirect you to the website’s password change page
- Use a unique, strong password for every account — never reuse passwords
- Consider using Google’s built-in password generator or a dedicated password manager
Step 3: Enable Two-Factor Authentication (2FA)
- Turn on 2FA or passkeys on every account that supports it
- Passkeys are significantly harder for attackers to bypass than standard passwords
- Use an authenticator app (Google Authenticator, Authy) instead of SMS when possible
- Go to myaccount.google.com/signinoptions/two-step-verification for your Google Account
Step 4: Review Your Account Security
- Check your Google Account’s recent security activity for unfamiliar sign-ins
- Review the list of devices currently signed in to your account
- Look through your Gmail settings for any forwarding rules or filters you didn’t set up
- Remove any apps or services with account access that you don’t recognise
Step 5: Scan for Malware
- Run a full antivirus scan on all your devices
- Check for suspicious browser extensions and remove any you don’t recognise
- Update your operating system and browser to the latest versions
- Consider using a dedicated anti-malware tool like Malwarebytes
How to Use Google Password Checkup
Google Password Checkup is a free tool built into Chrome and your Google Account. Here’s how to access and use it:
Changing Compromised Passwords: Best Practices
When changing compromised passwords, follow these security best practices:
- Use unique passwords — Never reuse a password across multiple accounts. One breach should not cascade into multiple account takeovers
- Make them long — Aim for at least 16 characters. Longer is better than complex
- Use a password manager — Google Password Manager, 1Password, Bitwarden, or Dashlane can generate and store strong passwords securely
- Don’t use personal information — Avoid birthdays, pet names, or addresses that attackers can find on social media
- Enable breach monitoring — Keep Google’s Password Checkup enabled so you’re alerted to future breaches
Pro Tip: If you have 50+ compromised passwords, prioritise your most critical accounts first: email, banking, social media, and any account with stored payment information.
Enable 2FA & Passkeys: Your Strongest Defence
Even if your password is compromised, two-factor authentication (2FA) and passkeys can prevent attackers from accessing your account.
Read our article on Keep.google.com: How to use Google Keep for Notes and Lists.
Review Your Google Account Security Activity
After changing your passwords, it’s critical to check whether anyone has already accessed your account using the leaked credentials:
- Recent security activity — Go to myaccount.google.com/security and check “Your devices” and “Security alerts”
- Unknown devices — Look for devices or locations you don’t recognise. Sign out of all devices if you’re unsure
- Gmail forwarding rules — Check Settings > Forwarding and POP/IMAP for any rules you didn’t create
- Filters and blocked addresses — Scammers sometimes set up filters to hide their activity from your inbox
- App passwords and third-party access — Review and revoke access for any apps you don’t use
- Recovery options — Ensure your recovery email and phone number are still yours
How to Prevent Future Password Breaches
Once you’ve cleaned up the current breach, take these steps to prevent it from happening again:
- Use a password manager — Generate and store unique, strong passwords for every account
- Enable 2FA everywhere — Make it mandatory for your email, banking, and social media accounts
- Switch to passkeys — Where available, use passkeys instead of passwords. They are phishing-proof
- Keep software updated — Enable automatic updates for your OS, browser, and antivirus
- Be wary of phishing — Never click links in unexpected emails. Always type URLs manually
- Monitor Have I Been Pwned — Check haveibeenpwned.com regularly to see if your email appears in new breaches
- Don’t ignore alerts — If Google, your bank, or any service warns you of suspicious activity, act immediately
Check if your email address has appeared in any known data breaches at Have I Been Pwned — the most reliable breach notification service.
Can You Disable the Google Password Breach Warning?
Yes, you can disable the warning in Chrome settings, but we strongly recommend against it. Here’s how to do it — and why you shouldn’t:
Warning: Disabling this feature does not fix the problem. It simply hides the warning. Your compromised passwords are still exposed and usable by attackers. We strongly recommend keeping this feature enabled.
Frequently Asked Questions
Does this mean Google was hacked?
No. Google itself was not hacked. The passwords were likely stolen from third-party websites you signed up for, or harvested by infostealer malware on your device. Google monitors public breach databases and alerts you when your saved credentials appear in them.
How does Google know my password was found online?
Google uses a privacy-preserving technique to check your passwords against a database of over 4 billion leaked credentials. Your passwords are hashed and compared locally on your device — Google does not see your plaintext passwords during the check.
What if I use a different password manager?
Most password managers (1Password, Bitwarden, Dashlane, LastPass) have similar breach monitoring features. If you use a third-party manager, run its security audit or breach report. You should also check Have I Been Pwned to see if your email appears in any breaches.
Can a hacker access my account if they only have my email?
An email address alone is not enough to access your account, but it gives attackers a starting point. With your address, they can attempt credential stuffing using passwords from other breaches, launch targeted phishing emails, or impersonate support to trick you into handing over a verification code. This is why 2FA is essential.
What is credential stuffing?
Credential stuffing is an automated attack where hackers use username/password pairs stolen from one breach to try logging into other websites. If you reused the same password across multiple sites, a single breach can compromise all of them. Using unique passwords for every account is the only defence.
TL;DR — Quick Summary
Key Takeaways: Google Password Breach Alert
- Google was NOT hacked — your passwords were likely stolen from third-party sites or by malware
- Go to passwords.google.com and run Password Checkup immediately
- Change every compromised password — use unique, strong passwords for every account
- Enable 2FA or passkeys on all accounts — this is your strongest defence
- Review your account security for unfamiliar sign-ins, devices, and forwarding rules
- Run a malware scan on all devices to check for infostealer infections
- Do NOT disable the warning — it hides the problem but doesn’t fix it
- Check Have I Been Pwned to see if your email appears in other breaches
- Use a password manager to generate and store unique passwords going forward
- Monitor your accounts regularly for suspicious activity
About the Author
Freddy John is a Tech Support Specialist with 8+ years of experience troubleshooting government digital services, authentication systems, and enterprise IT infrastructure. Passionate about making technology accessible and helping users resolve complex login issues quickly.
Sources & References
- Google Password Manager — passwords.google.com
- Security.org — Google Gmail Data Breach Guide
- Have I Been Pwned — Breach Notification Service
- Google Account Security — myaccount.google.com/security
- Google 2-Step Verification — Two-Step Verification Setup
- ACSC — Recognise and Report Scams

