A massive database containing 149 million compromised login credentials, including those linked to an estimated 48 million Gmail accounts, has been exposed online, raising fresh concerns about password reuse, infostealer malware, and the growing risks facing internet users worldwide.
The exposure was confirmed by veteran cybersecurity researcher Jeremiah Fowler, who discovered the database publicly accessible and neither password-protected nor encrypted. According to Fowler, the dataset contained 149,404,754 unique usernames and passwords, amounting to 96GB of raw credential data.
Not a New Breach — But a Dangerous Compilation
Importantly, security experts stress that this incident does not represent a new breach of services such as Google, Meta, or Netflix. Instead, the database appears to be a compilation of credentials stolen in previous breaches and collected through infostealer malware, also known as keyloggers.
“I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler said, noting that even cybercriminal infrastructure itself is not immune to exposure.
Gmail Most Affected, But Many Platforms Impacted
Based on Fowler’s analysis, the credentials in the database were linked to a wide range of major online services. Estimated account volumes include:
- Gmail – 48 million
- Facebook – 17 million
- Instagram – 6.5 million
- Yahoo – 4 million
- Netflix – 3.4 million
- Outlook – 1.5 million
Although the database has since been taken offline, Fowler said it took more than a month to get it removed, leaving uncertainty about how many malicious actors may have accessed the data during that period.
Why This Leak Is Especially Concerning
Cybersecurity experts say the real danger lies not in the age of the data, but in how it can be reused.
Matt Conlon, CEO of Cytidel, described the exposed database as “a treasure trove for anyone with malicious intent,” noting the sharp rise in infostealer malware in recent years. Boris Cipot, a senior security engineer at Black Duck, warned that there is no way to know how much damage occurred before the database was removed.
Even more troubling, Fowler confirmed that the exposed credentials included financial services accounts, banking logins, crypto wallets, streaming services, and enterprise systems. He also identified credentials associated with “.gov” domains from multiple countries, raising potential national security concerns.
“Even limited access could be used for spear-phishing, impersonation, or as an entry point into government networks,” Fowler warned.
Credential Stuffing: The Real Risk
Security professionals emphasise that exposed credentials often fuel credential-stuffing attacks, where attackers automatically test stolen username–password combinations across multiple platforms.
Mayur Upadhyaya, CEO of APIContext, described this as the most dangerous aspect of the leak. “Once login pairs are exposed, they become fuel for automated attacks across other services,” he said, increasing the risk of fraud, identity theft, and account takeover.
Google Responds
Google confirmed that it is aware of reports involving Gmail credentials. A company spokesperson said the dataset represents aggregated infostealer logs collected from infected personal devices, not a breach of Google’s systems.
“We continuously monitor for this type of activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials,” the spokesperson said.
What Users Should Do Now
Security experts advise users to:
- Change passwords, especially if reused across services
- Enable multi-factor authentication (MFA)
- Use a reputable password manager
- Check breach-notification services like Have I Been Pwned
- Adopt passkeys where available
While the exposure may not be new, experts agree it serves as a stark reminder: password reuse remains one of the biggest security risks on the internet today.
