Chandigarh, Jan 24: Sensitive login credentials for millions of internet users worldwide were recently found in an unsecured database, sparking fears of a massive wave of identity theft and financial fraud. The leak, detailed by researcher Jeremiah Fowler, involves over 149 million unique accounts and includes high-profile targets like Gmail, Instagram, and various banking services.
The 96 GB of raw data was left entirely open to the public, allowing for the potential exploitation of millions of individuals who remain unaware that their information has been compromised. Fowler said the database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals.
Beyond social media and personal email, the researcher found that the leak heavily impacted financial services. Logins for trading accounts and credit cards were visible in the data pool. The researcher also expressed grave concerns over the presence of government-related data.
“While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user,” Fowler said.
According to the report, the breakdown of the leak includes 48 million accounts from Gmail and 17 million from Facebook. It also lists 6.5 million Instagram accounts, 4 million from Yahoo, and significant numbers from Netflix and Outlook.
“In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler said.
The exposure is expected to fuel sophisticated phishing campaigns. By using real account details and specific login URLs, attackers can create highly convincing fraudulent messages. This method significantly raises the success rate of scams targeting both individuals and corporate systems.
Fowler said that the exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed.
“Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more,” Fowler said.
