A highly respected veteran security researcher has confirmed that a database of 149 million compromised credentials, including those for an estimated 48 million Gmail accounts, has been leaked online. “The publicly exposed database was not password-protected or encrypted,” Jeremiah Fowler said, adding that the database of unique logins and passwords totalled “a massive 96 GB of raw credential data.” Here’s what we know so far, and what action you need to take.
149 Million Login Credentials Exposed In Leak — Including An Estimated 48 Million Gmail Accounts
It’s not been the greatest start to a new year when it comes to password security. The LastPass password manager has issued a warning for millions of users as attacks have been confirmed as underway, LinkedIn users are alsoon alert as policy violation scammers target account passwords, and now comes the breaking news that a whopping great 149 million compromised credentials have been exposed online in an unprotected database.
According to cybersecurity researcher Jeremiah Fowler, who uncovered the leaked database and has published a report sharing his findings, the database contained a total of 149,404,754 unique logins and password.
It should be noted that this is not a new breach of the services involved, and most likely is a database made up of data from past breaches and infostealer logs.
“I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler has confirmed, adding that the database illustrates that cybercriminals themselves are “not immune to data breaches.”
Fowler has estimated the number of accounts for major services that had their compromised credentials included in the leaked database, with the most, by a long chalk, seemingly belonging to Gmail users.
Here are the totals provided by Fowler, in order of volume:
- Gmail – 48 million
- Facebook – 17 million
- Instagram – 6.5 million
- Yahoo – 4 million
- Netflix – 3.4 million
- Outlook – 1.5 million
The good news is that the database is no longer available online, although it took more than a month for Fowler to get it taken down.
Matt Conlon, CEO of Cytidel, has called it a treasure trove for anyone with malicious intent. “Info stealers have seen a significant rise in prevalence over the past few years,” Conlon said, “and a data breach like this highlights just how widespread this issue is.”
Meanwhile, Boris Cipot, a senior security engineer at Black Duck, said that “there is no way to know how much damage or data leakage occurred before it was removed,” adding that “the database also contained logins for government, banking, and streaming services, making it a highly valuable target for cybercriminals.”
I reached out to my contacts at Google and Gmail for a statement and a spokesperson told me: “We are aware of reports regarding a dataset containing a wide range of credentials, including some from Gmail. This data represents a compilation of ‘infostealer’ logs—credentials harvested from personal devices by third-party malware—that have been aggregated over time. We continuously monitor for this type of external activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials.”
So, to reiterate, this is not a new breach, it impacts multiple services, and is most likely a compilation of existing compromised credentials. Gmail just happens to be the one that is featured most, by some margin, within it. So don’t panic, but do ensure you have unique passwords and ideally make use of the Google passkey function instead.
