Updated January 25 with further analysis of the publicly exposed database, which included 48 million Gmail usernames and passwords, from cybersecurity and privacy experts and from security researcher Jeremiah Fowler, who discovered the leak of 149 million login credentials spanning a multitude of online services and platforms.
A highly respected veteran security researcher has confirmed that a database of 149 million compromised credentials, including those for an estimated 48 million Gmail accounts, has been leaked online. "The publicly exposed database was not password-protected or encrypted," Jeremiah Fowler said, adding that the database of unique logins and passwords totalled "a massive 96 GB of raw credential data." Here's what we know so far, and what action you need to take.
149 Million Login Credentials Exposed In Leak Including An Estimated 48 Million Gmail Accounts
It's not been the greatest start to a new year when it comes to password security. The LastPass password manager has issued a warning for millions of users as attacks have been confirmed as underway, LinkedIn users are also on alert as policy violation scammers target account passwords, and now comes the breaking news that a whopping great 149 million compromised credentials have been exposed online in an unprotected database.
According to cybersecurity researcher Jeremiah Fowler, who uncovered the leaked database and has published a report sharing his findings, the database contained a total of 149,404,754 unique logins and passwords.
It should be noted that this is not a new breach of the services involved; it is most likely a database compiled from past breaches and infostealer logs. Nonetheless, all Gmail users, and users of any other online service, since this database makes it clear that this is not just a Google account problem, should take the following action right now: ensure you are not reusing any passwords, switch to passkeys where possible and enable secure two-factor authentication to protect your accounts. Do not wait: check your accounts and take your login security seriously.
"I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts," Fowler has confirmed, adding that the database illustrates that cybercriminals themselves are "not immune to data breaches."
Fowler has estimated the number of accounts for major services that had their compromised credentials included in the leaked database, with the most, by a long chalk, seemingly belonging to Gmail users.
Here are the totals provided by Fowler, in order of volume:
Gmail - 48 million
Facebook - 17 million
Instagram - 6.5 million
Yahoo - 4 million
Netflix - 3.4 million
Outlook - 1.5 million
Although it's not known for sure that this was a database used by cybercriminals, that would seem the most likely reason for it to exist. There is a chance that it was assembled for "legitimate research" purposes, but the ridiculously lax security around access makes me think otherwise. What is certain, however, is that "the number of records increased from the time I discovered the database until it was restricted and no longer available," Fowler said, so this was not some long-abandoned project but rather a live and active one.
The good news, therefore, is that the database is no longer available online, although it took more than a month for Fowler to get it taken down. "The database had no associated ownership information," Fowler has confirmed, "so I reported it directly to the hosting provider via their online report abuse form. I received a reply several days later stating that they do not host the IP, and it is a subsidiary that operates independently while still using the parent organization's name." That hosting provider would not disclose any additional information regarding who managed the database, Fowler added.
Cybersecurity And Privacy Experts Speak Out On Credentials Database Exposure Impacting Gmail And Other Platforms
Matt Conlon, CEO of Cytidel, has called it a treasure trove for anyone with malicious intent. "Info stealers have seen a significant rise in prevalence over the past few years," Conlon said, "and a data breach like this highlights just how widespread this issue is."
Meanwhile, Boris Cipot, a senior security engineer at Black Duck, said that "there is no way to know how much damage or data leakage occurred before it was removed," adding that "the database also contained logins for government, banking, and streaming services, making it a highly valuable target for cybercriminals."
"Fowler believes the data was collected by infostealing malware, also known as a keylogger, which infects user devices and records their inputs," Cipot said. "Because the database was still growing during his investigation, this strongly suggests the malware is still active."
Mayur Upadhyaya, CEO at APIContext, told me that the exposed database is a "stark reminder" that credentials don't just get stolen, but they also get reused. "And that's where the real risk lies," Upadhyaya said, "once login and password pairs are exposed, even from criminal infrastructure, they become fuel for credential stuffing: automated attempts to reuse those same credentials across other applications and services."
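To make that distinction concrete, here is an added example (not code from the article or from any of the companies quoted) that runs a simple credential-stuffing detector over constructed authentication log lines. The log format, the RFC 5737 test addresses, the account names and the thresholds are all assumptions made for the demonstration; the signal it keys on is the one described above: a single source trying many different usernames, each roughly once, with a high failure rate, as opposed to brute force hammering a single account.

```python
"""Credential-stuffing vs brute-force detection over constructed auth logs.

Added example, not from the article. The log format, addresses, users and
thresholds are assumptions made for this demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumed log format: "<ISO-8601 UTC> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays six leaked pairs (one of them still
# valid), 198.51.100.22 guesses one account repeatedly, 192.0.2.10 is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
2026-01-20T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2026-01-20T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2026-01-20T10:00:03Z ip=192.0.2.10 user=alice@example.com result=FAIL
2026-01-20T10:00:04Z ip=203.0.113.7 user=carol@example.com result=FAIL
2026-01-20T10:00:05Z ip=203.0.113.7 user=dave@example.com result=FAIL
2026-01-20T10:00:06Z ip=192.0.2.10 user=alice@example.com result=OK
2026-01-20T10:00:07Z ip=203.0.113.7 user=erin@example.com result=OK
2026-01-20T10:00:09Z ip=203.0.113.7 user=frank@example.com result=FAIL
2026-01-20T10:01:00Z ip=198.51.100.22 user=victim@example.com result=FAIL
2026-01-20T10:01:10Z ip=198.51.100.22 user=victim@example.com result=FAIL
2026-01-20T10:01:20Z ip=198.51.100.22 user=victim@example.com result=FAIL
2026-01-20T10:01:30Z ip=198.51.100.22 user=victim@example.com result=FAIL
2026-01-20T10:01:40Z ip=198.51.100.22 user=victim@example.com result=FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def aggregate(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Per-source counters: attempts, failures, distinct users, time span."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, result = parsed
        s = stats[ip]
        s.attempts += 1
        if result == "FAIL":
            s.failures += 1
        s.users.add(user)
        s.first = ts if s.first is None or ts < s.first else s.first
        s.last = ts if s.last is None or ts > s.last else s.last
    return stats


def classify_sources(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                     min_attempts: int = 5, min_users: int = 5,
                     max_success_ratio: float = 0.4) -> Dict[str, str]:
    """Label sources as credential_stuffing or brute_force within one window.

    Stuffing: many distinct users, mostly failing (leaked pairs are stale,
    but a few still work, so success is not zero). Brute force: one user,
    repeated failures. A slow attack spread beyond `window` is NOT flagged;
    real detectors bucket by time and also correlate across IPs.
    """
    flagged: Dict[str, str] = {}
    for ip, s in aggregate(lines).items():
        if s.attempts < min_attempts or (s.last - s.first) > window:
            continue
        success_ratio = 1 - s.failures / s.attempts
        if len(s.users) >= min_users and success_ratio <= max_success_ratio:
            flagged[ip] = "credential_stuffing"
        elif len(s.users) == 1 and s.failures >= min_attempts:
            flagged[ip] = "brute_force"
    return flagged


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {label}")
```

The thresholds are deliberately crude: in practice you would tune them per application, key on more than the source address (stuffing tools rotate through proxies), and treat the occasional success from a stuffing source as the highest-priority alert, since that is the account that was actually taken over.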
Consumer privacy advocate Chris Hauk of Pixel Privacy said that "the exposure of such a huge number of credentials poses a significant risk to users who are not aware of the breach and to what extent they are exposed." Once again, I should state that this does not appear to be a new breach of anything, per se, but rather a compilation of previously compromised credentials. "While it may be too soon to have this information included in the HaveIBeenPwned website's extensive database," Hauk said, "I still strongly recommend that users visit the site and enter their email address to determine whether their information has been exposed in previous data breaches."
Hauk also recommended that consumers make use of a password manager that can provide "warnings about password reuse or if a login has been exposed in a breach," in order to "make it easy to guard against password reuse, and to update passwords when they need to be changed."
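For readers who want to see how a password manager or breach-notification service can check a password against a leaked corpus without ever sending the password itself, here is an added example (not code from the article, from Pixel Privacy or from Have I Been Pwned). It follows the k-anonymity range protocol used by the Pwned Passwords API: only the first five hex characters of the SHA-1 hash leave the device, and the remaining 35 are matched locally against the returned list. The range response in the block is constructed so the example runs offline; the SHA-1 of "password" is real, but the other suffixes and every count are invented. It also includes a small reuse check of the kind Hauk describes, grouping vault entries that share a password.

```python
"""Breach-exposure and reuse checks without sending a password anywhere.

Added example, not code from the article or from Have I Been Pwned. It
implements the k-anonymity range lookup used by the Pwned Passwords API:
the client sends only the first five hex characters of the SHA-1 digest and
compares the remaining 35 locally. The range response below is CONSTRUCTED
so the example runs offline.
"""
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix ever leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Zero counts are API padding: not present."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def exposure_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# CONSTRUCTED stand-in for the network call. A real client would GET
# https://api.pwnedpasswords.com/range/<prefix>. The first suffix is the
# genuine remainder of SHA-1("password") = 5BAA61E4...; the other suffixes
# and all counts are invented for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0" * 34 + "1:2",
        "F" * 35 + ":0",  # padding entry, must be ignored
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def find_reused_passwords(vault: Dict[str, str]) -> List[List[str]]:
    """Group vault entries (site -> password) that share the same password."""
    by_hash: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_hash.setdefault(sha1_hex(pw), []).append(site)
    return sorted(sites for sites in by_hash.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault for the demo; never hard-code real credentials.
    vault = {"gmail": "password", "netflix": "password", "bank": "Tr0ub4dor&3-unique"}
    for site, pw in vault.items():
        hits = exposure_count(pw, offline_fetch_range)
        print(f"{site}: {'exposed ' + str(hits) + ' times' if hits else 'not in corpus'}")
    print("reused across:", find_reused_passwords(vault))
```

The point of the prefix split is that the server learns one of 2^20 hash buckets, not your password; the real API also supports a padding option that adds zero-count entries so response sizes leak nothing, which is why the parser discards them. A "not in corpus" result only means the password is absent from that particular corpus, not that it is strong or unexposed elsewhere.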
That So Many Gmail Logins Can Be Leaked Is Evidence That Credential Compromise Is Now A Background Condition Of The Internet
The takeaway from this latest exposure of compromised login data, Shane Barney, chief information security officer at Keeper Security, told me, is that "it is the byproduct of an ecosystem that continuously harvests credentials from endpoints and quietly accumulates access over time." The 149 million-record dataset matters less because of its size, Barney said, and more because of what it represents: "Credential compromise is now a background condition of the internet."
Mark McClain, CEO at SailPoint, meanwhile, warned that "hackers today don't need to break your system to get in — they can simply walk through the front door with legitimate credentials." Which is why it is so critical to take identity security more seriously than ever, and ensure that your organization is able to monitor, grant and manage access dynamically based upon policy and context. Anything less and the result will be seen in the next database leak to be uncovered, no doubt. "Every access decision is driven by who or what the identity is, the context of the data they touch, and the security signals surrounding them," McClain concluded.
Taking the security basics seriously, and I mean really seriously, should also be on your agenda, whether corporate or consumer-oriented. Morey Haber, chief security advisor at BeyondTrust, recommended that my readers always take note of the following: "unique passwords for every site, never reusing passwords, enabling MFA or at least 2FA for websites, using a monitoring service like LegalShield, LifeLock, etc. or even the built-in password security detection in Apple iOS to determine if credentials are exposed on the dark web so users can change their passwords – and lastly, never accepting 2FA/MFA notifications unless you have initiated them."
Google Says It Will Force Password Resets When Exposed Gmail Credentials Are Identified
I reached out to my contacts at Google and Gmail for a statement and a spokesperson told me: "We are aware of reports regarding a dataset containing a wide range of credentials, including some from Gmail. This data represents a compilation of 'infostealer' logs: credentials harvested from personal devices by third-party malware that have been aggregated over time. We continuously monitor for this type of external activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials."
So, to reiterate: this is not a new breach; it impacts multiple services, and it is most likely a compilation of existing compromised credentials. Gmail just happens to be the service that features most, by some margin, within it. So don't panic, but do ensure you have unique passwords and ideally make use of the Google passkey function instead.