Massive breach: 149 million Gmail, Instagram, Facebook login data leaked

New Delhi: Login credentials, including usernames and passwords, of over 149 million accounts across multiple internet platforms, including Gmail, Instagram, Facebook, and Netflix, have allegedly been leaked, according to a report published by ExpressVPN.

Cybersecurity researcher Jeremiah Fowler, who authored the report, said the publicly exposed database included 48 million Gmail accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts, 4 million Yahoo accounts, and 1.5 million Outlook accounts, among others.

“The publicly exposed database was neither password-protected nor encrypted. It contained 149,404,754 unique logins and passwords, totaling 96 GB of raw credential data. In a limited sample of the exposed documents, I observed thousands of files including emails, usernames, passwords, and the URL links to the login or authorisation pages for the accounts,” Fowler said.

Email queries to major companies named in the report did not receive immediate responses.

According to Fowler, the database was publicly accessible, meaning anyone who discovered it could potentially access the credentials of millions of individuals.

“The exposed records included usernames and passwords collected from victims worldwide, spanning a wide range of commonly used online services and almost any type of account imaginable,” he said.

The report also revealed that the sample examined by the researcher included credentials for financial services accounts, crypto wallets, trading platforms, and banking and credit card logins.

A particularly serious concern, Fowler noted, was the presence of credentials associated with “.gov” domains from multiple countries.

“While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the user’s role and permissions. Exposed government credentials could potentially be used for targeted spear-phishing, impersonation, or as entry points into government networks, posing national security and public safety risks,” he said.

Fowler warned that the exposure of such a massive number of logins and passwords presents a significant security risk to individuals who may not be aware their information was stolen or exposed.

“Because the data includes emails, usernames, passwords, and exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts, including email, financial services, social networks, enterprise systems, and more. This dramatically increases the likelihood of fraud, identity theft, financial crimes, and phishing campaigns appearing legitimate because they reference real accounts and services,” he added.

With PTI inputs
