Gmail and Netflix data from 149 million accounts leaked
According to a report, login credentials, including usernames and passwords, for over 149 million accounts from various internet firms such as Gmail, Instagram, Facebook, and Netflix have reportedly been leaked. Jeremiah Fowler asserts that the publicly exposed data encompasses 48 million accounts on Gmail, 4 million on Yahoo, 17 million on Facebook, 6.5 million on Instagram, 3.4 million on Netflix, 1.5 million on Outlook, among others. The database that was made publicly accessible lacked both password protection and encryption. The dataset comprised 149,404,754 unique logins and passwords, amounting to an extensive 96 GB of raw credential data. “In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler said in the report.
Emails sent to major firms identified in the report did not receive any immediate response. Fowler stated that the database was publicly accessible, enabling anyone who found it to potentially access the credentials of millions of individuals. “The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable,” he said. In the limited sample of records reviewed by the cybersecurity researcher, financial services accounts, crypto wallets, trading accounts, banking, and credit card logins were also present.
He expressed a serious concern regarding the presence of credentials linked to ‘.gov’ domains from various countries. While not every government-linked account provides access to sensitive systems, even limited access can have serious implications based on the role and permissions of the compromised user. Revealed government credentials may serve as a tool for targeted spear-phishing, impersonation, or act as an entry point into government networks. “This increases the potential of .gov credentials posing national security and public safety risks,” he stated.
Fowler stated that the revelation of such a significant number of unique logins and passwords poses a potentially serious security threat to many individuals who may be unaware that their information has been compromised or exposed. Due to the inclusion of emails, usernames, passwords, and precise login URLs, there exists the potential for criminals to automate credential-stuffing attacks on exposed accounts across various platforms, including email, financial services, social networks, enterprise systems, and beyond. “This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services,” he said.
