A massive database containing 149 million compromised login credentials, including passwords linked to 48 million Gmail accounts, has been exposed online without any protection, according to a cybersecurity researcher. The unprotected database, measuring 96GB in size, contained emails, usernames, passwords, and direct links to login pages for major services. Although the database has now been taken down, experts warned that the exposed data could still be used by cybercriminals, making it important for users to take action immediately.
How Did Gmail Data Get Leaked?
Veteran security researcher Jeremiah Fowler found the exposed database while investigating publicly accessible servers. He said that the database was not encrypted or password-protected and included 149,404,754 unique login and password combinations. The data appears to be a collection of stolen credentials gathered from previous data breaches and infostealer malware logs, rather than a new hack of any single company.
According to Fowler, the largest number of exposed accounts belonged to Gmail users, followed by Facebook, Instagram, Yahoo, Netflix, and Outlook. The database also included logins linked to banking, government, and streaming services, making it especially valuable to criminals.
The database remained accessible for weeks before it was finally removed after Fowler contacted the hosting provider multiple times. During that period, the number of stolen records continued to grow, suggesting that the malware responsible for stealing the data is still active.
Security experts said the biggest danger comes from password reuse. Once stolen login details are exposed, criminals often use automated tools to try the same email and password on many other websites, a method known as credential stuffing.
Cybersecurity professionals warned that even if your account was not directly targeted in a recent breach, reused passwords can allow attackers to break into multiple accounts. According to an ExpressVPN report, this is especially concerning as password-related attacks are already increasing, with recent warnings involving services like LastPass and LinkedIn.
Google confirmed it is aware of the exposed dataset and stated that it monitors for stolen credentials. When detected, Google automatically locks affected accounts and forces password resets to protect users.
While the exposed database is no longer online, there is no way to know how many criminals accessed the data before it was taken down.
What Should Users Do Now?
Anyone who uses online accounts could be affected, especially users who reuse the same password across multiple services. Gmail users appear most impacted based on the data reviewed, but the exposed credentials span many platforms, including social media, email, streaming services, and financial accounts.
Privacy advocates said users who are unaware their data was previously compromised face the greatest risk. Experts recommend checking trusted breach notification services to see if an email address has appeared in past leaks.
In the meantime, experts strongly advise users to change passwords, especially for important accounts like email and banking. Using unique passwords, enabling two-factor authentication, and switching to passkeys where available can greatly reduce risk.
Users are also encouraged to install reliable antivirus software to protect against infostealer malware and to be cautious about clicking unknown links or downloading attachments. Closing unused online accounts can further limit exposure.