Usernames, passwords for 149 million Facebook, Gmail accounts leaked
Concerns over online security have been renewed globally after login details for over 149 million accounts, including those for Facebook and Gmail, were found in an open online database, putting the personal information of millions of users at risk.
However, this is not a direct, large-scale hack of Google or Meta's servers. Cybersecurity experts state that this data was collected over a long period through "infostealer" type malware that infected users' devices.
How was the data leaked?
Cybersecurity researcher Jeremiah Fowler identified a database, nearly 96 GB in size, which was openly accessible without any password or encryption. Anyone with an internet connection could access it. He said a serious concern was the presence of credentials associated with '.gov' domains from numerous countries, which could pose national security and public safety risks. Financial services accounts, crypto wallets, and banking logins also appeared in a limited sample of the exposed records.
The database contained email addresses, usernames, plaintext passwords, and the associated website login links—effectively a ready-made list for cybercriminals. Fowler warned that criminals could automate credential-stuffing attacks, dramatically increasing the likelihood of fraud, identity theft, and highly convincing phishing campaigns.
Which services were most affected?
The research indicates that email accounts made up the largest share of the data. Rough estimates show: Gmail: 48 million, Facebook: 17 million, Instagram: 6.5 million, Yahoo Mail: 4 million, Netflix: 3.4 million, Outlook: 1.5 million, iCloud Mail: 900,000, and TikTok: 780,000.
Why are email accounts most vulnerable?
Experts say that if a hacker gains control of an email account, they can easily take over other accounts because password reset links for most services—be it banking, social media, or healthcare—are sent via email. This puts sensitive data like personal documents, bills, and travel information at risk.
How does the malware spread?
This data was not stolen in a day. Malware infects devices through fake software updates, suspicious email attachments, malicious browser extensions, or deceptive online ads. It steals credentials when users type or save passwords in their browsers.
Although the researcher notified the hosting company about the database, it remained openly accessible for nearly a month.
Expert warnings
Cybersecurity experts warn that while major tech company servers are relatively secure, the risk persists if users' own devices are vulnerable. Therefore, personal cybersecurity awareness is now more critical than ever before. The exposure of such a large volume of credentials presents a serious security risk to individuals who may not know their information was stolen.