48 million Gmail login credentials exposed in massive leak.
SOPA Images/LightRocket via Getty Images
Updated January 24 with further analysis from cybersecurity and privacy experts following the news that 48 million Gmail usernames and passwords have been found within a publicly exposed criminal database of some 149 million compromised credentials.
A highly respected veteran security researcher has confirmed that a database of 149 million compromised credentials, including those for an estimated 48 million Gmail accounts, has been leaked online. “The publicly exposed database was not password-protected or encrypted,” Jeremiah Fowler said, adding that the database of unique logins and passwords totalled “a massive 96 GB of raw credential data.” Here’s what we know so far, and what action you need to take.
ForbesLastPass Issues Critical Warning For Users — Password Attacks UnderwayBy Davey Winder149 Million Login Credentials Exposed In Leak — Including An Estimated 48 Million Gmail Accounts
It’s not been the greatest start to a new year when it comes to password security. The LastPass password manager has issued a warning for millions of users as attacks have been confirmed as underway, LinkedIn users are alsoon alert as policy violation scammers target account passwords, and now comes the breaking news that a whopping great 149 million compromised credentials have been exposed online in an unprotected database.
According to cybersecurity researcher Jeremiah Fowler, who uncovered the leaked database and has published a report sharing his findings, the database contained a total of 149,404,754 unique logins and password.
It should be noted that this is not a new breach of the services involved, and most likely is a database made up of data from past breaches and infostealer logs.
“I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler has confirmed, adding that the database illustrates that cybercriminals themselves are “not immune to data breaches.”
Fowler has estimated the number of accounts for major services that had their compromised credentials included in the leaked database, with the most, by a long chalk, seemingly belonging to Gmail users.
Here are the totals provided by Fowler, in order of volume:
- Gmail – 48 million
- Facebook – 17 million
- Instagram – 6.5 million
- Yahoo – 4 million
- Netflix – 3.4 million
- Outlook – 1.5 million
The good news is that the database is no longer available online, although it took more than a month for Fowler to get it taken down.
ForbesHas Your Gmail Password Been Hacked? Check Now, Here’s HowBy Davey WinderCybersecurity And Privacy Experts Speak Out On Credentials Database Exposure Impacting Gmail And Other Platforms
Matt Conlon, CEO of Cytidel, has called it a treasure trove for anyone with malicious intent. “Info stealers have seen a significant rise in prevalence over the past few years,” Conlon said, “and a data breach like this highlights just how widespread this issue is.”
Meanwhile, Boris Cipot, a senior security engineer at Black Duck, said that “there is no way to know how much damage or data leakage occurred before it was removed,” adding that “the database also contained logins for government, banking, and streaming services, making it a highly valuable target for cybercriminals.”
“Fowler believes the data was collected by infostealing malware, also known as a keylogger, which infects user devices and records their inputs,” Cipot said. “Because the database was still growing during his investigation, this strongly suggests the malware is still active.”
Mayur Upadhyaya, CEO at APIContext, told me that the exposed database is a “stark reminder” that credentials don’t just get stolen, but they also get reused. “And that’s where the real risk lies,” Upadhyaya said, “once login and password pairs are exposed, even from criminal infrastructure, they become fuel for credential stuffing: automated attempts to reuse those same credentials across other applications and services.”
Consumer privacy advocates, such as Chris Hauk from Pixel Privacy, said that “the exposure of such a huge number of credentials poses a significant risk to users who are not aware of the breach and to what extent they are exposed.” Although once again, I should state that this does not appear to be a new breach of anything, per se, rather a compilation of previously compromised credentials. “While it may be too soon to have this information included in the HaveIBeenPwned website’s extensive database,” Hauk said, “I still strongly recommend that users visit the site and enter their email address to determine whether their information has been exposed in previous data breaches.”
Hauk also recommended that consumers make use of a password manager that can provide “warnings about password reuse or if a login has been exposed in a breach,“ in order to “make it easy to guard against password reuse, and to update passwords when they need to be changed.”
ForbesThese 3 Passwords Can Get You Hacked: Michael, Football And SupermanBy Davey WinderGoogle Says It Will Force Password Resets When Exposed Gmail Credentials Are Identiifed
I reached out to my contacts at Google and Gmail for a statement and a spokesperson told me: “We are aware of reports regarding a dataset containing a wide range of credentials, including some from Gmail. This data represents a compilation of ‘infostealer’ logs—credentials harvested from personal devices by third-party malware—that have been aggregated over time. We continuously monitor for this type of external activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials.”
So, to reiterate, this is not a new breach; it impacts multiple services, and is most likely a compilation of existing compromised credentials. Gmail just happens to be the one that is featured most, by some margin, within it. So don’t panic, but do ensure you have unique passwords and ideally make use of the Google passkey function instead.