An unsecured database containing more than 149 million login credentials was discovered online in late 2025. The information included usernames, passwords and specific access links to various digital platforms used around the world.
The leak mainly affected Gmail accounts, with around 48 million records compromised. The data was collected over time using malware known as infostealers, which operate silently on infected devices.
The exposure took place without any encryption or password protection, allowing free access via a browser. The database was removed after notifications, but had remained available for an indefinite period.
Origin of stolen data
The records did not result from a direct breach of servers at companies such as Google or Meta. Instead, they were accumulated by malware installed on the personal computers and devices of users around the world.
These infostealers capture typed information, including login credentials, through techniques such as keylogging and browser session extraction. Distribution often occurs via fake emails, fraudulent updates or malicious advertisements.
Distribution of affected credentials
The dataset revealed significant concentration in email and social media services. Gmail led the way with 48 million entries, followed by other providers.
- 48 million Gmail accounts
- 17 million Facebook accounts
- 6.5 million Instagram accounts
- 4 million Yahoo Mail accounts
- 3.4 million Netflix accounts
- 1.5 million Outlook accounts
- 900 thousand iCloud accounts
- 780 thousand TikTok accounts
- 420 thousand Binance accounts
This variety demonstrates the broad reach of the malware, which touches everything from entertainment services to financial platforms and cryptocurrencies.
How infostealers work
Infostealers represent a growing category of cyber threats that prioritize silent information theft. They install without any visible alert and begin automatically collecting sensitive data.
Once active, they record everything typed in login fields and capture session cookies for later access. The collected data is sent to servers controlled by attackers.
This malware has evolved to avoid detection by common security tools. Many variants include mechanisms that prevent duplicate records, which makes the data easier to organize in large databases.
The infection persists even after changing passwords, as the malicious code continues to capture new credentials entered.
Risks associated with Gmail
Gmail accounts often serve as the recovery address for other online services. Compromising them allows chained access attempts against linked platforms.
Affected users face the possibility of intrusions into personal emails, bank accounts or professional profiles. The high volume increases the likelihood of automated attacks.
Presence of government domains
The database contained credentials linked to .gov domains from several countries. Although not all of them grant privileged access, they represent a potential entry point.
Attackers can use this information for targeted phishing campaigns against public institutions. The exposure highlights vulnerabilities in government sector networks.
Educational accounts (.edu) were also present, in around 1.4 million entries. These can expose data from students and researchers.
Response from the platforms involved
Google confirmed that the data is a compilation of records from external infostealers. The company has enabled automatic locks and password resets on detected accounts.
Continuous monitoring is in place to identify suspicious activity related to the leak. Other platforms have adopted similar reactive protection measures.
Exposure and removal time
The database remained accessible for an unknown period of time before discovery. Multiple notifications were required before the hosting provider took action.
During the alert process, the number of records continued to grow, indicating active collection of new data. The final removal occurred after terms of service violations were identified.
Recommended protective measures
Users must check whether their credentials have been exposed using specialized query tools. Changing passwords immediately is essential on potentially affected accounts.
Enabling multi-factor authentication adds an extra layer of security across all possible services. Regularly updating devices and using antivirus software help detect infections.
- Check active sessions and disconnect unknown devices
- Avoid reusing passwords between different platforms
- Install updated security software
- Monitor financial transactions and unusual activities
- Use trusted password managers
Growth of threats from infostealers
Recent reports indicate a significant increase in attacks involving this type of malware. Cybercriminals prioritize collecting credentials for resale or direct use.
The ease of distribution via common channels expands the global reach of these threats. Devices without adequate protection remain especially vulnerable.
Impact on financial services
Credentials from platforms such as Binance and banking portals were present in the leak. They allow direct attempts to access funds or sensitive information.
Cryptocurrency users face high risk due to the irreversibility of transactions. Constant portfolio monitoring is recommended.
The set also included administrative logins for WordPress sites and various interfaces. This diversity facilitates exploitation in multiple contexts.
Prevention on personal devices
Maintaining up-to-date operating systems reduces common infection vectors. Downloading only from official sources avoids accidental installation of malware.
Browser extensions should be periodically reviewed for excessive permissions. Attachments from unknown emails should never be opened.
Evolution of collection techniques
The files had an optimized structure with unique identifiers and reverse host paths. This facilitates indexing and avoids redundancies in large volumes.
Additional metadata suggests a planned effort for continued information accumulation. Advanced obfuscation techniques make detection more challenging.
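The following is an added example, not code or data from the exposed database. It shows how an incident responder triaging a credential dump for their own organization can use the same two ideas: a reversed host key, so that one range scan finds every subdomain, and a per-record identifier, so that duplicates are dropped. The record layout, the SHA-256 identifier and all function names are assumptions made for illustration.

```python
import bisect
import hashlib
from urllib.parse import urlsplit

# Constructed sample records (url, username, password); not taken from the leak.
SAMPLE = [
    ("https://accounts.example.gov/login", "alice", "pw-1"),
    ("https://ACCOUNTS.example.gov/login", "alice", "pw-1"),  # duplicate entry
    ("https://mail.example.gov/", "bob", "pw-2"),
    ("https://portal.example.edu/sso", "carol", "pw-3"),
    ("https://sso.example-x.gov/", "dave", "pw-4"),           # lookalike domain
]

def reverse_host(url):
    """'https://mail.example.gov/x' -> 'gov.example.mail'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(reversed(host.split(".")))

def record_id(url, user, password):
    """Stable identifier for one credential (assumed scheme); duplicates can
    be dropped without keeping the password itself in the index."""
    material = "\x00".join((reverse_host(url), user, password))
    return hashlib.sha256(material.encode()).hexdigest()

def build_index(records):
    """Sorted list of (reverse_host, user), deduplicated by record_id."""
    seen, index = set(), []
    for url, user, password in records:
        rid = record_id(url, user, password)
        if rid not in seen:
            seen.add(rid)
            index.append((reverse_host(url), user))
    return sorted(index)

def exposed_under(index, domain):
    """Entries for `domain` and its subdomains, found with one range scan."""
    prefix = ".".join(reversed(domain.lower().split(".")))
    lo = bisect.bisect_left(index, (prefix, ""))
    out = []
    for key, user in index[lo:]:
        if not key.startswith(prefix):
            break                      # left the contiguous prefix range
        if key == prefix or key.startswith(prefix + "."):
            out.append((key, user))    # skips lookalikes such as example-x.gov
    return out
```

The result of exposed_under() is the list of accounts that need a forced reset and session revocation for that domain.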

