Highlights
- Over 149 million usernames and passwords linked to Gmail, Facebook, Instagram, Netflix, and other services were found in an unsecured, unencrypted 96GB database.
- The leak includes credentials from financial services, crypto wallets, banking accounts, and even government emails.
- Experts warn of credential-stuffing attacks, identity theft, fraud, and phishing campaigns.
Login details of more than 149 million online accounts linked to major platforms such as Gmail, Instagram, Facebook, and Netflix have reportedly been exposed online. According to a report published by ExpressVPN, the leak was uncovered by cybersecurity researcher Jeremiah Fowler.
The report claims that the publicly accessible data set includes credentials like usernames and passwords from multiple internet services. This reportedly covers 48 million Gmail accounts, 4 million Yahoo accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts, 1.5 million Outlook accounts, and several others.
According to Fowler, the exposed database was left unsecured and unencrypted. “The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totalling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorisation for the accounts,” he said in the report.
Emails sent to the companies named in the report reportedly did not receive any immediate response.
Database Reportedly Accessible to Anyone
Fowler stated that the database was openly accessible, meaning anyone who came across it could potentially access login credentials belonging to millions of users worldwide.
“The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable,” he added.
The limited sample of data reviewed by the researcher is said to include credentials linked to financial services, cryptocurrency wallets, trading platforms, banking accounts, and credit card logins.
A particularly serious concern highlighted in the report is the presence of credentials associated with government email addresses. Fowler said he found multiple accounts linked to “.gov” domains from several countries.
While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user.
“Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks,” he said.
Potential Risks for Users
Fowler warned that the exposure of such a large number of unique usernames and passwords could pose a significant security threat, especially for individuals who may be unaware that their information has been compromised.
“Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts, including email, financial services, social networks, enterprise systems, and more.”
“This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services,” he added.
FAQS
Q1. How many accounts were affected in the data leak?
Answer. The exposed database contained 149,404,754 unique logins and passwords, totaling 96GB of raw credential data.
Q2. Which platforms’ credentials were included in the leak?
Answer. The leak reportedly covered 48M Gmail, 17M Facebook, 6.5M Instagram, 3.4M Netflix, plus Yahoo, Outlook, and more.
Q3. Why is this leak considered a serious risk?
Answer. The exposed records included financial services, crypto wallets, and government (.gov) accounts, raising risks of fraud, identity theft, and national security threats.
Also Read –