Some 48 million Gmail usernames and passwords have been leaked in a criminal database.
The full database contains 149 million compromised credentials, including 17 million Facebook accounts, 6.5 million Instagram accounts, and 4 million Yahoo usernames and passwords.
It was publicly available for one whole month before security researcher Jeremiah Fowler was able to get it taken down.
He said: ‘The publicly exposed database was not password-protected or encrypted.
‘I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts.’
The database most likely contains information from past breaches, rather than all the data being newly leaked.
According to Fowler, these are the numbers of leaked accounts for each service:
- Gmail – 48 million
- Facebook – 17 million
- Instagram – 6.5 million
- Yahoo – 4 million
- Netflix – 3.4 million
- Outlook – 1.5 million
Google told Forbes: ‘We are aware of reports regarding a dataset containing a wide range of credentials, including some from Gmail.
‘This data represents a compilation of ‘infostealer’ logs—credentials harvested from personal devices by third-party malware—that have been aggregated over time.
‘We continuously monitor for this type of external activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials.’
How to check if your Gmail account leaked
You can check whether the details for any accounts you might have were shared in the data breaches collated by Have I Been Pwned.
To do so, navigate to their website and enter your email address.
This will not only show whether the email account itself was compromised but also any website or app accounts created using that email address.
The compromised details can include email addresses, passwords and other details such as your name and locations linked to the account.
What to do if your username or password has been leaked
If your email address gives any hits, you should first check the date of the breach and what types of information were leaked.
If it says passwords were also leaked in that breach, and you have not changed your password since the breach occurred, then you should change your password as soon as possible.
When you go to change the password, you should also ensure that the account’s recovery email address remains your own.
A hacker may have changed it to an account which they have access to, which would allow them to reset the password and gain access to the account again.
If a password you’ve used shows up on Pwned Passwords, their advice is to ‘change it immediately’.
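How a Pwned Passwords lookup can be done without sending the password itself, as an added example that is not part of the original article or Have I Been Pwned's own code: only the first five characters of the password's SHA-1 hash are sent to the range endpoint, and the match is made locally against the returned suffixes. The server response below is constructed so the code runs offline, and the function names are illustrative.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # + 5-character hash prefix


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def times_seen(password, body):
    """How often the password appears, given the response for its prefix."""
    _, suffix = split_hash(password)
    # A count of 0 (a padding entry) or a missing suffix both mean "not found".
    return parse_range(body).get(suffix, 0)


def constructed_response(leaked_password, count):
    """Constructed stand-in for a server response (not real breach data)."""
    _, suffix = split_hash(leaked_password)
    return "\r\n".join([
        "0" * 35 + ":0",      # padding-style entry with count 0
        f"{suffix}:{count}",  # the entry the lookup should match
        "A" * 35 + ":3",      # unrelated suffix sharing the prefix
        "not a valid line",   # malformed input is ignored
    ])


if __name__ == "__main__":
    body = constructed_response("password", 1234)
    prefix, _ = split_hash("password")
    # Only this URL would leave the machine; the suffix never does.
    print("would request:", RANGE_URL + prefix)
    for candidate in ("password", "a-different-passphrase"):
        print(candidate, "->", times_seen(candidate, body))
```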
