48M Gmail, 6.5M Instagram Exposed Online From Unprotected Database

Brownie2019

A massive database containing 149 million stolen login credentials was discovered exposed online without password protection or encryption, posing serious security risks to users of Gmail, Instagram, Facebook, Netflix, and thousands of other platforms worldwide.
The publicly accessible database contained 149,404,754 unique logins and passwords harvested through infostealer malware and keylogging software.
Each record included email addresses, usernames, passwords, and the exact URL links for account authorization.
This report (dated January 26, 2026) describes an exposed database of credentials collected by infostealer/keylogger malware and then left publicly accessible through misconfiguration (no authentication, no encryption). ([cybersecuritynews.com](https://cybersecuritynews.com/48m-gmail-6-5m-instagram-exposed-online/))

What this likely means (and what it doesn’t)
  • It does NOT automatically mean “Gmail/Instagram/Facebook/Netflix were breached.” It’s consistent with credentials stolen from infected endpoints (PCs/phones) and then aggregated/stored by criminals. ([expressvpn.com](https://www.expressvpn.com/blog/149m-infostealer-data-exposed/))
  • If your password was reused across sites, credential-stuffing becomes the main risk (attackers try the same email+password everywhere). ([cisa.gov](https://www.cisa.gov/eviction-strategies-tool/info-attack/T1110.004?utm_source=openai))
  • Even if the exposed server was taken down, copies of such datasets often continue circulating, so the safe response is the same. ([expressvpn.com](https://www.expressvpn.com/blog/149m-infostealer-data-exposed/))
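Added defender-side illustration, not code from the article or any of its sources: how a service could spot the credential-stuffing pattern just described in its own authentication logs (one source trying many different accounts with only one or two attempts each), and which successful logins from such a source deserve a forced re-authentication. The log format, addresses and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the article). Fields:
# timestamp  source_ip  account  result
SAMPLE_LOG = """\
2026-01-26T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-01-26T10:00:02Z 203.0.113.7 bob@example.com FAIL
2026-01-26T10:00:03Z 203.0.113.7 carol@example.com FAIL
2026-01-26T10:00:04Z 203.0.113.7 dave@example.com FAIL
2026-01-26T10:00:05Z 203.0.113.7 erin@example.com FAIL
2026-01-26T10:00:06Z 203.0.113.7 frank@example.com OK
2026-01-26T10:00:07Z 198.51.100.9 alice@example.com FAIL
2026-01-26T10:00:08Z 198.51.100.9 alice@example.com FAIL
2026-01-26T10:00:09Z 198.51.100.9 alice@example.com FAIL
2026-01-26T10:00:10Z 198.51.100.9 alice@example.com FAIL
2026-01-26T10:00:11Z 198.51.100.9 alice@example.com FAIL
2026-01-26T10:00:12Z 192.0.2.5 bob@example.com OK
"""


def analyse(log_text, min_accounts=5, max_fails_per_account=2):
    """Return (stuffing_sources, suspect_logins).

    stuffing_sources: ip -> number of distinct accounts it failed against, for
      sources that spray many accounts with only a few attempts each. That is
      the credential-stuffing shape (leaked email+password pairs tried once
      each); one account hammered many times is brute force, not stuffing.
    suspect_logins: (ip, account) for successful logins from a flagged source,
      i.e. likely account takeovers that warrant a forced re-authentication.
    """
    fails = defaultdict(lambda: defaultdict(int))
    successes = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, ip, account, result = raw.split()
        if result == "FAIL":
            fails[ip][account] += 1
        elif result == "OK":
            successes.append((ip, account))
    stuffing = {
        ip: len(accounts)
        for ip, accounts in fails.items()
        if len(accounts) >= min_accounts
        and max(accounts.values()) <= max_fails_per_account
    }
    suspect = [(ip, acct) for ip, acct in successes if ip in stuffing]
    return stuffing, suspect
```

On the sample, 203.0.113.7 is flagged (five accounts, one failure each) and its later successful login for frank@example.com is reported, while 198.51.100.9 (five failures against a single account) is not, since that is a brute-force pattern rather than stuffing.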

Practical steps for members (in safe order)
  1. Assume “password-only” accounts are at risk if you reuse passwords. Change reused passwords starting with: email accounts first (Gmail/Outlook/iCloud), then banking/crypto, then everything else.
  2. If you suspect an infostealer infection, clean the device BEFORE changing important passwords. Otherwise the new passwords can be captured again. The ExpressVPN/Jeremiah Fowler report explicitly warns about this. ([expressvpn.com](https://www.expressvpn.com/blog/149m-infostealer-data-exposed/))
  3. Enable strong 2FA / MFA everywhere (prefer authenticator app or security key over SMS when possible). This reduces the impact of leaked passwords. ([facebook.com](https://www.facebook.com/help/instagram/566810106808145?utm_source=openai))
  4. Review active sessions/devices and sign out anything unfamiliar.
    • Google: review “Your devices” and sign out of unknown sessions. ([support.google.com](https://support.google.com/accounts/answer/3067630?hl=en&utm_source=openai))
    • Netflix: change password and sign out of devices you don’t recognize. ([help.netflix.com](https://help.netflix.com/en/node/18?utm_source=openai))
  5. Use built-in “compromised password” checks.
    • Google Password Checkup can flag exposed/weak/reused passwords. ([support.google.com](https://support.google.com/accounts/answer/9457609?hl=en&ref_topic=7189123))
    • HIBP “Pwned Passwords” helps identify passwords already seen in breaches (useful for deciding what must never be reused). ([preview.haveibeenpwned.com](https://preview.haveibeenpwned.com/pages/passwords.html?utm_source=openai))
  6. Harden going forward: unique passwords via a reputable password manager, and passkeys where available.
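As an added example (not from the article, HIBP or Google), here is the k-anonymity lookup that step 5's "Pwned Passwords" check performs, run offline against a constructed range response so nothing leaves the machine; the counts in the sample are made up, and the live endpoint is only named in a comment.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6
# (one "SUFFIX:COUNT" per line). The counts are made up for this example; a
# real response carries several hundred lines per prefix, and lines with
# count 0 are padding entries the API can add so response size leaks nothing.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4D2FE38D3ACD4E5BE2F9F6A0E5D2B3C4D:2\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:0\r\n"
    ),
}


def sha1_split(password):
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank lines."""
    counts = {}
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range=None):
    """How many times the password has been seen in breaches (0 = not seen).

    fetch_range(prefix) must return the response text for that prefix. It
    defaults to the offline sample above; a live client would instead GET
    https://api.pwnedpasswords.com/range/<prefix> and pass the body through.
    Only the prefix is ever transmitted, so the password itself is not
    exposed by the lookup (k-anonymity).
    """
    if fetch_range is None:
        fetch_range = lambda prefix: SAMPLE_RANGE_RESPONSES.get(prefix, "")
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```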

If you think you were hit by an infostealer
Do not “guess-clean” with random tools. Run a reputable AV scan (and ideally a second-opinion scanner), update the OS/browser, remove suspicious extensions, and only then rotate passwords. If there are ongoing signs of compromise, the safest next step on MalwareTips is to open a topic in the malware removal section and follow the forum’s standard log-collection process so trained helpers can review it.

Bottom line
Treat this as an infostealer/credential-stuffing warning: secure devices first (if needed), then rotate reused passwords, enable MFA, and review sessions/devices to prevent account takeovers.

Compromise Breakdown

Email

48 million Gmail, 4 million Yahoo, 1.5 million Outlook, and 900,000 iCloud accounts.

Social Media
17 million Facebook, 6.5 million Instagram, and 780,000 TikTok accounts.

High Value/Sensitive
420,000 Binance accounts, 100,000 OnlyFans credentials, and various .gov and .edu domain logins.

Exposure Timeline
The database was reported to the hosting provider but remained accessible for nearly one month before suspension, during which time the record count continued to increase, indicating ongoing malware exfiltration.

Recommendation / Remediation

Based on NIST SP 800-63B and SANS Institute remediation standards, users should take the following actions.

Immediate Credential Rotation
Change passwords for all major accounts, prioritizing email, financial, and social media platforms. Use a unique, complex passphrase for every service.

Enforce Multi-Factor Authentication (MFA)
Enable non-SMS-based MFA (e.g., TOTP apps like Google Authenticator or hardware keys like YubiKey) to mitigate the risk of credential stuffing.

Malware Remediation
Since the data originated from infostealers, simply changing passwords may be ineffective if the device remains infected.

Perform a full system scan using reputable EDR/AV software.

Review and remove suspicious browser extensions, as these are common vectors for modern infostealers.

Monitor Login Activity
Review "Active Sessions" or login history on platforms like Gmail and Facebook to identify unauthorized access.

References

NIST SP 800-63B
Guidelines for Digital Identity and Authentication.

MITRE ATT&CK T1539
Steal Web Session Cookie.

MITRE ATT&CK T1056.001
Input Capture: Keylogging.