This year hasn’t started off well for password security. A massive database with around 149 million stolen logins and passwords has been found publicly available online.
The database includes credentials tied to roughly 48 million Gmail accounts, alongside millions more from various other popular platforms. Jeremiah Fowler, a cybersecurity researcher who stumbled upon this trove, pointed out that the data wasn’t password-protected or encrypted—meaning anyone who discovered it could easily access it.
Here’s a rundown of the situation and what actions to consider moving forward.
What Was Found in the Database?
The database comprises about 149,404,754 unique usernames and passwords, totaling around 96 GB of raw credential data. Fowler noted that the leaked files contained various details such as email addresses, usernames, passwords, and direct login URLs from countless accounts. Some records indicate the presence of information-stealing malware designed to silently capture credentials from infected devices.
Critically, this isn’t a recent breach originating from Google, Meta, or any comparable company. Rather, it seems to be a collection of credentials lifted over time from earlier breaches and malware incidents. While that distinction is significant, it still poses a notable risk to users.
Which Accounts Were Most Common?
According to Fowler’s estimates, the following services had the highest number of exposed credentials in this database:
- 48 million – Gmail
- 17 million – Facebook
- 6.5 million – Instagram
- 4 million – Yahoo Mail
- 3.4 million – Netflix
- 1.5 million – Outlook
- 1.4 million – .edu email accounts
- 900,000 – iCloud Mail
- 780,000 – TikTok
- 420,000 – Binance
- 100,000 – OnlyFans
This matters because email accounts dominate the dataset. Gaining access to an email account can often unlock others. If someone’s email is compromised, it opens the door for password resets, access to private documents, and more. The extensive appearance of Gmail in this database raises worries that extend beyond just one service.
Why Exposed Databases Pose Serious Risks
This public database isn’t some relic of the past—it’s actively being used. Fowler noted that the number of records grew during his investigation, indicating that the malware supplying the data was still operational. And, crucially, there was no ownership information attached to the database. After multiple attempts, he reported it to the hosting provider, but it took almost a month to take the database offline. In that window, anyone with internet access could have potentially searched for it, increasing the risk for everyday users.
This Wasn’t a Regular Hack
Importantly, the hackers didn’t breach Google or Meta. Instead, malware infiltrated individual devices and gathered login details as users entered or saved them. This kind of malware frequently spreads through fake updates, malicious email attachments, compromised browser extensions, or misleading ads. Simply changing passwords won’t resolve the issue unless the malware itself is eradicated.
How to Protect Yourself
Even if everything seems fine, consider these steps—because credential breaches often pop up weeks or months later.
1) Stop Reusing Passwords
Reusing passwords is a major risk highlighted by this database. Once hackers gain one valid login, they frequently try it across various sites. Make it a priority to change any reused passwords, starting with email, financial, and cloud accounts. Each of these should have its own unique password. A password manager can help generate and securely store complex passwords.
Check if your email has been part of past breaches by using a password manager that offers a breach scanner. If it flags any issues, change those reused passwords immediately.
2) Switch to Passkeys if Available
Passkeys tie authentication to your device and its biometrics, which removes the need for traditional passwords, the thing this malware often seeks to steal. Many major platforms now support passkeys.
3) Enable Two-Factor Authentication
Implementing two-factor authentication (2FA) provides an additional layer of protection even if your password is compromised. If possible, use an authenticator app or a hardware key rather than SMS for this second checkpoint.
4) Scan Your Device for Malware
Changing passwords won’t help if malware persists. Use robust antivirus software to scan for and remove any suspicious items before updating your security settings.
5) Monitor Account Activity
Most major services allow you to check your recent login locations and devices. Be alert for unusual activity, particularly logins from unfamiliar countries or devices. Logging out of all sessions and resetting your credentials is recommended if any anomalies arise.
6) Use Data Deletion Services
Stolen credentials can often be combined with other personal details obtained from data brokers. Employing a data deletion service can help reduce the amount of personal data out there, making it harder for scammers to successfully carry out phishing attempts.
7) Close Inactive Accounts
Old accounts can become easy targets. Consider closing services you no longer use and deleting accounts associated with outdated subscriptions or trials. Fewer accounts mean fewer possible entry points for attackers.
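The reuse check from step 1, as an added example that is not part of the original article: it groups the entries of a password-manager export by password and lists the shared groups with email, financial, and cloud accounts first. The vault entries, site names, and the PRIORITY mapping are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample vault export: (site, username, password). Not real data.
SAMPLE_VAULT = [
    ("mail.example.com", "alex@example.com", "Winter2024!"),
    ("bank.example.net", "alex", "Winter2024!"),
    ("forum.example.org", "alex_h", "Winter2024!"),
    ("video.example.tv", "alex@example.com", "tr0ub4dor&3"),
    ("shop.example.store", "alex@example.com", "tr0ub4dor&3"),
    ("drive.example.cloud", "alex@example.com", "x9#Lq2-unique"),
]

# Assumed mapping of sites to the categories the article says to fix first.
PRIORITY = {
    "mail.example.com": "email",
    "bank.example.net": "financial",
    "drive.example.cloud": "cloud",
}

# Random per-run key: group ids are useless outside this run and the
# report never contains a plaintext password or a reusable hash of one.
_RUN_KEY = os.urandom(32)

def fingerprint(password):
    """Keyed digest used only to tell whether two passwords are equal."""
    return hmac.new(_RUN_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def reuse_groups(vault):
    """Return groups of sites sharing one password, highest-risk group first."""
    by_pw = defaultdict(list)
    for site, _user, password in vault:
        by_pw[fingerprint(password)].append(site)
    groups = []
    for fp, sites in by_pw.items():
        if len(sites) < 2:
            continue  # unique password: nothing to change
        critical = sorted(s for s in sites if s in PRIORITY)
        others = sorted(s for s in sites if s not in PRIORITY)
        groups.append({"id": fp, "change_first": critical, "then": others})
    # Groups touching email/financial/cloud accounts first, then larger groups.
    groups.sort(key=lambda g: (-len(g["change_first"]), -len(g["then"])))
    return groups

if __name__ == "__main__":
    for g in reuse_groups(SAMPLE_VAULT):
        print(g["id"], "change first:", g["change_first"], "then:", g["then"])
```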
Key Takeaways
This database leak serves as yet another illustration of the industrial-scale nature of credential theft. The pace at which cybercriminals operate can often outstrip security measures. However, implementing practices like unique passwords, strong authentication, and basic cyber hygiene goes a long way. No need to panic, but ignoring the situation isn’t wise, either.
If your email account got compromised, think about how many other accounts could be at risk.

