Login credentials, including usernames and passwords, of more than 149 million user accounts from major internet services such as Gmail, Instagram, Facebook, and Netflix have allegedly been leaked, according to a report published by ExpressVPN.
The report is based on findings by cybersecurity researcher Jeremiah Fowler, who claimed that a massive database containing sensitive login details was publicly exposed online.
Millions of accounts from popular platforms affected
According to Fowler’s report, the exposed data reportedly includes login credentials from several widely used platforms. The affected accounts allegedly include:
- 48 million Gmail accounts
- 4 million Yahoo accounts
- 17 million Facebook accounts
- 6.5 million Instagram accounts
- 3.4 million Netflix accounts
- 1.5 million Outlook accounts
In total, the dataset allegedly contains 149,404,754 unique logins and passwords, amounting to nearly 96GB of raw credential data.
Database was not password-protected or encrypted
Fowler stated that the exposed database was neither password-protected nor encrypted, making it accessible to anyone who discovered it.
“The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96GB of raw credential data,” Fowler said.
In a limited review of the files, he reportedly found emails, usernames, passwords, and direct login or authorisation URLs linked to the compromised accounts.
Companies named have not responded yet
Fowler said that he contacted the major firms named in the report via email. However, no immediate response was received from the companies at the time of publication.
Credentials collected from users worldwide
The researcher further noted that the exposed records appeared to include credentials from victims across the globe, covering nearly every type of commonly used online account.
“The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable,” Fowler said.
Financial, Crypto, and banking accounts also found
In the limited sample of data reviewed, Fowler claimed to have identified credentials linked to financial services, cryptocurrency wallets and trading platforms, as well as banking and credit card accounts.
This significantly increases the potential risk for financial fraud and identity theft.
Government (.gov) accounts raise serious concerns
One of the most alarming findings highlighted in the report was the presence of login credentials associated with “.gov” domains from multiple countries.
“While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user,” Fowler said.
He warned that exposed government credentials could be misused for targeted spear-phishing attacks, impersonation, or as an entry point into government networks, posing potential national security and public safety risks.
Major risk of credential-stuffing and cybercrime
Fowler stressed that the exposure of such a vast number of login credentials presents a serious security threat, particularly for users who may be unaware that their data was compromised.
“Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks,” he said.
Such attacks could target email services, financial platforms, social networks, and enterprise systems, significantly increasing the likelihood of fraud, identity theft, financial crimes, and phishing campaigns that appear legitimate.
