Chandigarh, Jan 24: A massive cache of raw credential data totaling 96 GB has been discovered online, allegedly exposing the login details of more than 149 million users across major platforms such as Gmail, Facebook, and Netflix. Cybersecurity researcher Jeremiah Fowler, in a report published by ExpressVPN, revealed that the publicly accessible database was neither encrypted nor protected by a password, leaving sensitive information vulnerable to anyone who stumbled upon it.
The breach includes a staggering variety of accounts, with approximately 48 million Gmail records and 17 million Facebook logins identified. Other affected platforms include Instagram with 6.5 million accounts, Yahoo with 4 million, and Netflix with 3.4 million. Outlook also saw 1.5 million logins exposed in the leak.
“The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords,” Fowler said in the report. During a limited sampling of the documents, the researcher noted thousands of files containing emails, usernames, and direct URL links to login authorizations.
The data appears to span the globe, targeting a wide range of everyday online services and financial tools. Fowler said the exposed records included usernames and passwords collected from victims around the world, spanning about any type of account imaginable. The sample reviewed by the researcher even contained logins for banking, credit cards, and cryptocurrency wallets.
Major technology firms named in the report have not yet provided comments regarding the breach following email inquiries.
A particularly alarming discovery within the database was the inclusion of credentials linked to “.gov” domains from various nations. Fowler mentioned that while not every government account provides entry to sensitive systems, even restricted access carries heavy risks.
“Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks,” Fowler said. He further noted that this increases the potential of .gov credentials posing national security and public safety risks.
The scale of the leak presents an immediate threat of automated cyberattacks. Because the data includes exact login URLs alongside passwords, criminals could facilitate credential-stuffing attacks across financial and enterprise systems.
“This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services,” Fowler said.
