
Login credentials for over 149 million accounts, including usernames and passwords from online platforms, have allegedly been leaked, according to a report published by ExpressVPN.
Cybersecurity researcher Jeremiah Fowler claimed in the report that he found a publicly accessible database containing leaked credentials, warning that it could have allowed anyone who discovered it to potentially access the accounts of millions of individuals.
“The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords… In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler said in the report.
The platforms that were reportedly compromised include major internet sites such as Gmail, Instagram, Facebook, Netflix and Roblox, as well as adult websites and several dating apps.
According to the report, the publicly exposed database contains account details linked to millions of users across the world. The biggest platforms impacted include:
— Gmail: 48 million accounts
— Facebook: 17 million accounts
— Instagram: 6.5 million accounts
— Yahoo: 4 million accounts
— Netflix: 3.4 million accounts
— Outlook: 1.5 million accounts
— OnlyFans: Around 100,000 accounts
“The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable,” Fowler said in the report.
He added that financial services accounts, crypto wallets or trading accounts, and banking and credit card logins also appeared in the limited sample of records that the cybersecurity researcher claims to have reviewed.
Another major concern that Fowler highlighted in the report was the alleged presence of credentials linked to '.gov' domains from multiple countries. No nation has so far reported any such security breach.
“While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user,” he said.
Fowler also explained that exposed government credentials could be a major threat, as they could potentially be used for targeted spear-phishing, impersonation, or as an entry point into government networks.
Fowler said that the exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed.
Because the database reportedly includes emails, usernames, passwords, and the exact login URLs, it is, according to him, highly likely that criminals could automate credential-stuffing attacks against the exposed accounts.
“This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services,” he said.