Google Issues Warning After Report Reveals 149 Million Passwords Were Exposed, Including Gmail
Over the weekend, a bombshell report from ExpressVPN sent shockwaves across the cybersecurity world. The report claimed that a massive, publicly accessible database included login credentials of users on some of the world’s most-used digital platforms. Those credentials were apparently left exposed online for months. The findings quickly gained traction and were picked up by multiple global news outlets.
An unprotected cloud database exposed 149 million login credentials
The cloud-hosted database reportedly included more than 149 million unique login records, totaling nearly 96GB. The cache included usernames, passwords, and direct login links related to platforms like Gmail, Facebook, Instagram, Netflix, TikTok, and even financial services. What makes the situation more alarming is that the database was not protected by encryption, a password, or access restrictions. In fact, anyone with the link could browse it freely.
Cybersecurity researcher Jeremiah Fowler uncovered the exposed database in late 2025 and shared his findings via ExpressVPN. According to Fowler, the data was not the result of a single breach at a major tech company. Instead, it was collected through infostealer malware. For those unaware, that’s malicious software designed to quietly harvest login data from infected personal devices over time. These malware strains often spread through phishing emails, fake browser updates, compromised plugins, or deceptive online ads.
Google issues statement
Gmail accounts made up the largest portion of the exposed records, followed by Facebook and Instagram credentials. That’s worrying, given how often Gmail accounts act as a gateway to other services. Speaking with the Daily Mail, a Google spokesperson confirmed the authenticity of the dataset but stressed that Google’s systems were not breached.
“This data represents a compilation of infostealer logs harvested from personal devices by third-party malware,” the spokesperson said. They added that Google has automated protections to lock affected accounts and trigger password resets when compromised credentials are detected.
The dataset also reportedly included email addresses linked to government domains, prompting concerns about phishing, account takeovers, and broader chain-reaction risks. While the database has since been taken offline, experts warn that password changes alone won’t help if devices remain infected.