149M Logins and Passwords Exposed Online Including Gmail and Social Media Accounts

A massive database containing nearly 149 million compromised login credentials — including those tied to an estimated 48 million Gmail accounts — was publicly exposed online, cybersecurity researchers confirmed, underscoring the growing risks posed by credential theft and password reuse worldwide.

The dataset, discovered by veteran security researcher Jeremiah Fowler, was not protected by any form of encryption or password security and was openly accessible on the internet. Fowler said the exposed database totaled approximately 96 gigabytes of raw data and included email addresses, usernames, passwords, and links to login portals for a wide range of online services.

While the exposure does not appear to stem from a new breach of Google or other major platforms, experts say the incident highlights how previously stolen credentials continue to circulate and accumulate, creating ongoing risks for consumers, businesses, and governments alike.

A Compilation of Past Breaches and Malware Logs

According to Fowler’s report, the database contained 149,404,754 unique credential records. He said the data was likely compiled from past breaches and so-called “infostealer” malware logs — malicious software designed to harvest credentials directly from infected devices.

“I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler said. He added that the dataset appeared to be actively growing at the time of discovery, suggesting the malware responsible for collecting the data may still be in circulation.

The largest number of exposed credentials appeared to be associated with Gmail accounts, followed by several major consumer platforms.

Estimated totals provided by Fowler include:

  • Gmail: 48 million
  • Facebook: 17 million
  • Instagram: 6.5 million
  • Yahoo: 4 million
  • Netflix: 3.4 million
  • Outlook: 1.5 million

Security experts caution that the true impact of the exposure remains unclear, as there is no way to determine how many malicious actors may have accessed or copied the data before it was taken offline.

Database Taken Down After Lengthy Reporting Process

Fowler said it took more than a month to have the database removed. He reported the exposure directly to the hosting provider after finding no ownership or identifying information linked to the server.

“The database had no associated ownership information,” Fowler said. “I reported it directly to the hosting provider via their online abuse form.”

According to Fowler, the provider later responded that the database was operated by a subsidiary using the parent company’s infrastructure, but declined to provide further details about who controlled the data. The database is no longer publicly accessible.

Cybersecurity Experts Warn of Widespread Abuse Risks

Cybersecurity and privacy experts described the exposed database as a highly valuable resource for cybercriminals.

According to Forbes, Matt Conlon, chief executive of cybersecurity firm Cytidel, said the dataset represents “a treasure trove” for attackers. “Info-stealing malware has increased significantly in recent years, and incidents like this show just how widespread the problem has become,” he said.

Boris Cipot, a senior security engineer at Black Duck, warned that the database included credentials for more than just consumer services. “The dataset also contained logins for government, banking, and streaming platforms, making it an especially attractive target for criminals,” he said.

Cipot added that the continued growth of the database during Fowler’s investigation suggests that the malware responsible for collecting the credentials remains active.

Password Reuse Fuels Credential-Stuffing Attacks

Security specialists say the greatest danger lies not only in stolen credentials, but in how frequently users reuse the same passwords across multiple services.

Mayur Upadhyaya, chief executive of APIContext, said exposed credentials often become “fuel for credential-stuffing attacks,” in which automated tools test stolen username-password pairs across hundreds of websites.

“Once credentials are exposed — even from criminal infrastructure — attackers attempt to reuse them elsewhere,” Upadhyaya said. “That’s where the real damage happens.”

Consumer privacy advocates echoed those concerns, urging users to take proactive steps to secure their accounts.

Chris Hauk of Pixel Privacy recommended that users check whether their email addresses appear in known breaches using services such as Have I Been Pwned, and adopt password managers that alert users to reused or compromised passwords.
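In login logs, the credential-stuffing pattern described earlier in this section looks different from a user mistyping a password: one source tries many distinct accounts in a short burst. The Python below is an added example for defenders, not code from the article or the experts it quotes; the log format, the five-minute window, the four-account threshold and every address and name in the sample are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, username, result); not real data.
SAMPLE_LOG = """\
2026-01-20T10:00:01 203.0.113.7 alice@example.com FAIL
2026-01-20T10:00:02 203.0.113.7 bob@example.com FAIL
2026-01-20T10:00:03 203.0.113.7 carol@example.com FAIL
2026-01-20T10:00:04 203.0.113.7 dave@example.com OK
2026-01-20T10:00:05 203.0.113.7 erin@example.com FAIL
2026-01-20T10:01:10 198.51.100.4 frank@example.com FAIL
2026-01-20T10:01:40 198.51.100.4 frank@example.com FAIL
2026-01-20T10:02:05 198.51.100.4 frank@example.com OK
2026-01-20T10:03:00 192.0.2.9 grace@example.com FAIL
2026-01-20T11:30:00 192.0.2.9 heidi@example.com FAIL
2026-01-20T13:00:00 192.0.2.9 ivan@example.com FAIL
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the assumed log format."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs that attempt many *distinct* accounts inside one window.

    Returns {ip: {"users": [...], "compromised": [...]}}. "compromised" lists
    accounts whose login succeeded during the burst: a reused password worked,
    so those accounts need a forced reset and session revocation.
    """
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):          # time-ordered per source IP
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):        # two-pointer sliding window
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = sorted({e[2] for e in burst})
            best = len(flagged.get(ip, {"users": []})["users"])
            if len(users) >= min_users and len(users) > best:
                hits = sorted({e[2] for e in burst if e[3] == "OK"})
                flagged[ip] = {"users": users, "compromised": hits}
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Only 203.0.113.7 is flagged: the single user retrying a password (198.51.100.4) and the slow trickle across hours (192.0.2.9) stay below the threshold, which shows why distributed or low-rate stuffing also needs per-account and breached-password checks.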

Similar Security Responses Emerging Worldwide

Governments and regulators in major economies have taken steps to address the growing threat of credential theft.

In the United States, federal agencies have issued repeated warnings about infostealer malware and credential-stuffing attacks, urging organizations to adopt multi-factor authentication and zero-trust security models.

In October 2025, around 60 countries signed a landmark treaty in Hanoi under the United Nations banner aimed at strengthening international cooperation against cybercrime, which costs the global economy trillions of dollars annually. The agreement will come into effect once 40 countries ratify it.

The European Union has also introduced stricter digital security requirements for online platforms, while the United Kingdom’s National Cyber Security Centre has expanded guidance for both consumers and enterprises on password hygiene and phishing prevention.

In Asia-Pacific countries, including Japan and Singapore, regulators have increased public awareness campaigns and encouraged businesses to adopt passkeys and hardware-based authentication to reduce reliance on passwords.

Credential Theft Seen as a Persistent Internet Condition

Shane Barney, chief information security officer at Keeper Security, said the exposure illustrates a broader reality of today’s digital ecosystem.

“Credential compromise is now a background condition of the internet,” Barney said. “The size of this dataset matters less than what it represents — continuous harvesting of credentials over time.”

Mark McClain, chief executive of identity security firm SailPoint, warned that attackers increasingly rely on stolen credentials rather than technical exploits. “Hackers don’t need to break in anymore,” he said. “They can simply log in.”

Google Confirms Automated Protections in Place

Google said it is aware of reports about the exposed dataset and confirmed that it monitors for compromised credentials linked to Gmail accounts.

“This data represents a compilation of infostealer logs — credentials harvested from personal devices by third-party malware,” a Google spokesperson said. “We have automated protections that lock affected accounts and force password resets when exposed credentials are identified.”

Google emphasized that the exposure does not represent a new breach of its systems, but advised users to adopt stronger authentication methods, including passkeys, and avoid password reuse.

What Users Should Do Now

Security experts recommend that users immediately:

  • Stop reusing passwords across services
  • Enable two-factor or multi-factor authentication
  • Switch to passkeys where available
  • Use password managers with breach alerts
  • Never approve login prompts they did not initiate

The incident, researchers say, serves as another reminder that password security remains a shared responsibility — and that complacency can have long-lasting consequences.
