Overview
- Security researcher Jeremiah Fowler uncovered a 96 GB database holding 149,404,754 records on an unprotected server, including emails, usernames, passwords and direct login URLs.
- The repository stayed publicly accessible for roughly a month before the host removed it; who compiled it and whether others copied the data remain unresolved.
- Service counts cited include about 48 million Gmail, 17 million Facebook, 6.5 million Instagram, 4 million Yahoo, 3.4 million Netflix, 1.5 million Outlook and 900,000 iCloud accounts, plus .edu and .gov addresses.
- Google said the trove reflects credentials aggregated over time by infostealer malware rather than a new Gmail breach, noting it monitors such activity and forces resets or locks accounts when exposure is detected.
- Experts and security bodies warn that weak, reused passwords remain widespread and urge unique, long passwords, 2FA, password managers or passkeys; exposure checks are available via HPI’s Identity Leak Checker and Have I Been Pwned.