Login credentials linked to more than 149 million online accounts were allegedly exposed after a large database was found publicly accessible, according to a report published by ExpressVPN. The data reportedly includes user accounts from major platforms such as Gmail, Instagram, Facebook and Netflix.
The data was found in a publicly accessible database that lacked even basic security safeguards. (Representative Image/Pexel)
The report, authored by cybersecurity researcher Jeremiah Fowler, states that the leaked data includes around 48 million Gmail accounts, 4 million Yahoo accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts and 1.5 million Outlook accounts, among others, according to PTI.
Also Read | Did an Instagram data breach expose 17 million accounts worldwide? Meta says ‘accounts remain secure’
Data found in public database
According to Fowler, the data was found in a publicly accessible database that lacked even basic security safeguards.
“The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” he said in the report.
Fowler said the database could be accessed by anyone who came across it, potentially exposing millions of users to misuse of their credentials.
“The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable,” he said.
Sensitive information leaked
The dataset reportedly also contained sensitive information linked to financial services, including crypto wallets, trading platforms, banking logins and credit card accounts, based on a limited review conducted by the researcher.
A particularly serious issue, Fowler noted, was the presence of credentials linked to government email addresses.
“While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user.
“Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks,” he said.
Fowler warned that the scale of the exposure poses a major threat to users who may be unaware that their information has been compromised.
“Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more.
“This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services,” he said.