A security expert has uncovered a huge data leak. Some of the millions of logins with passwords originate from Switzerland.

Martin Abgottspon

Around 149 million login details for services such as Gmail, Facebook and Netflix were freely accessible online.

The cause is not a direct hack of the platforms, but presumably malware on user devices and the reuse of passwords.

The incident shows the fundamental weakness of password-based security systems.

The American IT security expert Jeremiah Fowler recently came across an openly accessible database containing almost 150 million data records. It contained combinations of e-mail addresses, user names and passwords that had apparently been systematically collected. He wrote about this on the "ExpressVPN" website.

The range of affected services is particularly striking. Around 48 million login details originate from Gmail accounts and a further 17 million from Facebook. There are also millions of logins for Instagram, Netflix, Yahoo, iCloud and the OnlyFans platform. Even the education sector is affected. Around 1.4 million data records end in the .edu domain.

What you can do now

Change passwords immediately - especially for email accounts and all services where the same or a similar password was used.

Use unique passwords - a separate password for each service that is as long and random as possible, ideally with a password manager.

Activate two-factor authentication - wherever available, to provide additional protection against unauthorized access.

Check devices for malware - with up-to-date security software, as the data is likely to have been accessed via malware.

Monitor accounts for unusual activity - such as suspicious log-ins, password changes or unknown transactions.

Switzerland also in focus

It is not yet clear which countries are affected overall. However, there are concrete indications for Switzerland. Fowler confirmed to 20 Minuten that numerous data records with the country extension .ch were contained in the database. These include access to well-known platforms and service providers such as Zalando, Ricardo, Bluewin, MediaMarkt and Ticketcorner.

The discovery of a URL referring to Raiffeisenbank's e-banking service attracted particular attention. However, the bank reacted immediately and explained that the address had not been used for years. In addition, active accounts are secured by multi-factor authentication. So far, there are no indications of compromised bank accounts.

Not a hack, but a structural problem

In contrast to many major leaks, the expert does not believe that the IT systems of the aforementioned companies were broken into. The access data was apparently obtained via so-called infostealer malware - malicious programs that read passwords, cookies or browser data on users' devices.

This shifts some of the responsibility away from the platform operators to the users' end devices. Security vulnerabilities do not necessarily arise where data is stored, but where it is entered.

The greatest risk lies less in the individual compromised account than in the further use of the data. Experts refer to this as "credential stuffing". Criminals automatically test stolen access data on other services. As many users use identical or only slightly modified passwords, a single leak can trigger a cascade of further accesses.
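How a service operator can spot this pattern in its own login records, as an added example that is not part of the original article: one source trying many different accounts with few successes is flagged, and the accounts that did log in from that source are returned for a password reset. The log format, the thresholds, the addresses and the account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (sorted by time): timestamp, source IP, user, result.
SAMPLE_LOG = """\
2025-01-10T09:00:01 198.51.100.20 anna@example.ch OK
2025-01-10T09:00:05 198.51.100.20 beat@example.ch OK
2025-01-10T09:00:09 198.51.100.20 cora@example.ch OK
2025-01-10T09:00:12 198.51.100.20 dario@example.ch OK
2025-01-10T09:00:15 198.51.100.20 eva@example.ch FAIL
2025-01-10T09:00:20 198.51.100.20 eva@example.ch OK
2025-01-10T09:01:00 192.0.2.44 fritz@example.ch FAIL
2025-01-10T09:01:10 192.0.2.44 fritz@example.ch FAIL
2025-01-10T09:01:20 192.0.2.44 fritz@example.ch OK
2025-01-10T09:02:00 203.0.113.7 u1@example.com FAIL
2025-01-10T09:02:01 203.0.113.7 u2@example.com FAIL
2025-01-10T09:02:02 203.0.113.7 u3@example.com OK
2025-01-10T09:02:03 203.0.113.7 u4@example.com FAIL
2025-01-10T09:02:04 203.0.113.7 u5@example.com FAIL
2025-01-10T09:02:05 203.0.113.7 u6@example.com FAIL
"""

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_ok_ratio=0.25):
    """Return {ip: accounts that logged in OK inside a suspicious window}."""
    recent = defaultdict(deque)   # ip -> events still inside the sliding window
    flagged = defaultdict(set)    # ip -> accounts to treat as compromised
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        now = datetime.fromisoformat(ts)
        events = recent[ip]
        events.append((now, user, result == "OK"))
        while now - events[0][0] > window:      # drop events older than window
            events.popleft()
        users = {u for _, u, _ in events}
        ok_users = {u for _, u, ok in events if ok}
        # Many distinct accounts from one source, few of them succeeding:
        # a shared office address has many users too, but most log in fine.
        if len(users) >= min_users and len(ok_users) / len(users) <= max_ok_ratio:
            flagged[ip] |= ok_users
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The shared office address (five users, almost all successful) and the single user who mistypes a password twice are not flagged; only the source that walks through six accounts is.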

Such scenarios are not exceptional. As recently as November, a database containing around 1.3 billion compromised passwords was reported. The latest discovery fits seamlessly into a series of ever-larger data breaches that regularly appear online.