Login credentials, including usernames, passwords, of over 149 million accounts of internet firms, including Gmail, Instagram, Facebook, and Netflix, have allegedly been leaked, a report published by ExpressVPN said.
The report published by cybersecurity researcher Jeremiah Fowler claims that the publicly exposed data includes 48 million accounts on Gmail, 4 million on Yahoo, 17 million on Facebook, 6.5 million on Instagram, 3.4 million on Netflix, 1.5 million on Outlook, etc.
"The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts," Fowler said in the report.
Email queries to major firms named in the report did not elicit any immediate reply.
Fowler said the database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals.
"The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable," he said.
Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records that the cybersecurity researcher claims to have reviewed.
He said a serious concern was the presence of credentials associated with '.gov' domains from numerous countries.
"While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user.
"Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks," he said.
Fowler said that the exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed.
"Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more.
"This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services," he said.
Published on January 24, 2026