A massive database containing 149 million stolen usernames and passwords surfaced online, raising fresh concerns over global digital security.
Cybersecurity researcher Jeremiah Fowler discovered and verified the exposed data. He confirmed that the database remained publicly accessible, with no password protection.
According to Forbes, the dataset includes an estimated 48 million Gmail credentials, along with millions of logins linked to Facebook, Instagram, Yahoo, Netflix, and several financial platforms.
The exposed database measured 96GB and stored raw credential records. Infostealer malware harvested the information from an infected personal device, researchers said.
Investigators stressed that the incident does not stem from a single new breach. Instead, attackers compiled data from previous security compromises, packaging it into a single searchable dataset.
Are your Gmail login credentials amongst the 48 million exposed in this massive leak? Here's what you need to know and do. https://t.co/pInCOWddgX
— Forbes (@Forbes) January 23, 2026Fowler said he found thousands of files listing email addresses, usernames, passwords, and direct login URLs. He also identified credentials linked to .gov domains, which raised additional national security concerns.
Google acknowledged the dataset and confirmed it contained aggregated infostealer logs rather than evidence of a fresh breach of its systems.
Google said it actively monitors for exposed credentials and automatically locks affected accounts when it detects compromised login data. The company also forces password resets to reduce the risk of unauthorised access.
Security experts warned that reused passwords remain one of the biggest threats to online safety. Once attackers obtain credentials from one service, they often attempt to access other platforms using the same login details.
