this post was submitted on 23 Jan 2026

151 points (89.9% liked)

World News

52363 readers

2373 users here now

A community for discussing events around the World

Rules:

Rule 1: posts have the following requirements:
- Post news articles only
- Video links are NOT articles and will be removed.
- Title must match the article headline
- Not United States Internal News
- Recent (Past 30 Days)
- Screenshots/links to other social media sites (Twitter/X/Facebook/Youtube/reddit, etc.) are explicitly forbidden, as are link shorteners.
Rule 2: Do not copy the entire article into your post. The key points in 1-2 paragraphs is allowed (even encouraged!), but large segments of articles posted in the body will result in the post being removed. If you have to stop and think "Is this fair use?", it probably isn't. Archive links, especially the ones created on link submission, are absolutely allowed but those that avoid paywalls are not.
Rule 3: Opinions articles, or Articles based on misinformation/propaganda may be removed.
Rule 4: Posts or comments that are homophobic, transphobic, racist, sexist, anti-religious, or ableist will be removed. “Ironic” prejudice is just prejudiced.
Posts and comments must abide by the lemmy.world terms of service UPDATED AS OF OCTOBER 19 2025
Rule 5: Keep it civil. It's OK to say the subject of an article is behaving like a (pejorative, pejorative). It's NOT OK to say another USER is (pejorative). Strong language is fine, just not directed at other members. Engage in good-faith and with respect! This includes accusing another user of being a bot or paid actor. Trolling is uncivil and is grounds for removal and/or a community ban.

Similarly, if you see posts along these lines, do not engage. Report them, block them, and live a happier life than they do. We see too many slapfights that boil down to "Mom! He's bugging me!" and "I'm not touching you!" Going forward, slapfights will result in removed comments and temp bans to cool off.

Rule 6: Memes, spam, other low effort posting, reposts, misinformation, advocating violence, off-topic, trolling, offensive, regarding the moderators or meta in content may be removed at any time.
Rule 7: We didn't USED to need a rule about how many posts one could make in a day, then someone posted NINETEEN articles in a single day. Not comments, FULL ARTICLES. If you're posting more than say, 10 or so, consider going outside and touching grass. We reserve the right to limit over-posting so a single user does not dominate the front page.

We ask that the users report any comment or post that violate the rules, to use critical thinking when reading, posting or commenting. Users that post off-topic spam, advocate violence, have multiple comments or posts removed, weaponize reports or violate the code of conduct will be banned.

All posts and comments will be reviewed on a case-by-case basis. This means that some content that violates the rules may be allowed, while other content that does not violate the rules may be removed. The moderators retain the right to remove any content and ban users.

Lemmy World Partners

News !news@lemmy.world

Politics !politics@lemmy.world

World Politics !globalpolitics@lemmy.world

Recommendations

How to spot Misinformation and Propaganda

For Firefox users, there is media bias / propaganda / fact check plugin.

https://addons.mozilla.org/en-US/firefox/addon/media-bias-fact-check/

Consider including the article’s mediabiasfactcheck.com/ link

founded 2 years ago

MODERATORS

NewsAutoMod@lemmy.world

Tenthrow@lemmy.world

little_cow@lemmy.world

lemmyAtom@lemmy.world

jordanlund@lemmy.world

151

48 Million Gmail Usernames and Passwords Leaked Online (digital-escape-tools-phi.vercel.app)

submitted 1 day ago by hellnuh@lemmy.world to c/world@lemmy.world

32 comments fedilink hide all child comments

top 32 comments

sorted by: hot top controversial new old

[–] BarneyPiccolo@lemmy.today 2 points 25 minutes ago

I got almost that many Gmail addresses from trying to game Reddit's permabans. They really got it in for me over there, just because I took their commitment to free speech seriously. Turns out they were just kidding.

[–] answersplease77@lemmy.world 1 points 11 hours ago (1 children)

google stores passwords unhashed ???

[–] bastion@feddit.nl 1 points 4 minutes ago

I mean, if you get the hash and salt (which must be stored if present), then getting a very large subset of the passwords from that isn't too hard.

[–] Strawberry@sh.itjust.works 7 points 1 day ago (1 children)

That ai banner does not inspire trust at all :( The actual content reads well & they link other articles though. Weird.

[–] WhyJiffie@sh.itjust.works 2 points 12 hours ago

neither does the something.vercel.app domain

[–] MightyPez@fedia.io 68 points 1 day ago (1 children)

Are we sure someone just didn't ask Gemini for 48 million Gmail credentials and immediately get them?

I'm holding a grudge because I was arranging a Craiglist sale and when I sent the buyer my phone number to text my account was suddenly disabled for "unusual activity" signing me out of everything. I was able to re-enable it right away, but I'm pretty sure whatever AI-trash system is in place to monitor accounts did it.

[–] x00z@lemmy.world 25 points 1 day ago (3 children)

Are we sure someone just didn’t ask Gemini for 48 million Gmail credentials and immediately get them?

It looks like they come from infostealers:

[–] MightyPez@fedia.io 4 points 1 day ago

It looks like they come from infostealers

I get it, it was Gemini, we can stop repeating ourselves

[–] Akh@lemmy.world 2 points 1 day ago

100k onlyfans can get spicy

[–] a_non_monotonic_function@lemmy.world 2 points 1 day ago (1 children)

Shit, am I on the list?

[–] x00z@lemmy.world 5 points 1 day ago

I think the security researcher didn't download the data.

But be sure to check out https://haveibeenpwned.com/ to check if your data is in other lists.

[–] FlashMobOfOne@lemmy.world 34 points 1 day ago (1 children)

This is why we have MFA.

[–] themeatbridge@lemmy.world 20 points 1 day ago (1 children)

Hey want to play a game? Your bank is gonna text you a number, and I'm going to guess it. Tell me if my guesses need to be higher or lower.

[–] orclev@lemmy.world 14 points 1 day ago (2 children)

This is why you never enable SMS based MFA. TOTP is well established and just works. If you need even more security FIDO2 devices like YubiKey are a thing.

[–] ultranaut@lemmy.world 26 points 1 day ago (1 children)

It would be nice if that was a choice but SMS is unavoidable.

[–] DacoTaco@lemmy.world 2 points 2 hours ago* (last edited 2 hours ago)

It is avoidable. On this side of the world the only companies and sites that use sms mfa are american companies that are clearly not european based or focused.

Last and only site i would only do sms mfa was gofundme, and they banned me because of fake information so go figure

[–] codenamekino@lemmy.world 22 points 1 day ago (1 children)

For the love of God, someone inform Citibank and Chase of this. My dinky little local credit union allows me to use TOTP, but Citi and Chase still only seem to support SMS.

[–] naticus@lemmy.world 10 points 1 day ago (1 children)

Chase supports push notifications via their app now, so at least they're moving forward toward something a bit more secure. But yes, I'm so pissed that so many banks use SMS when it's known to be easily spoofed.

[–] codenamekino@lemmy.world 6 points 22 hours ago (1 children)

Requiring the use of their own app is only marginally better than not supporting it at all. I try to minimize the number of apps pn my phone, and banking apps are prime examples of a use case that can be completely fulfilled in a browser. Even if I used the app, I would prefer to be prompted for non-biomotric MFA each time I sign in anyway.

[–] naticus@lemmy.world 2 points 20 hours ago

Yeah I can respect that, I have one bank where the only account I have there is a credit card now that I paid off my loan. Their app is terrible and half the time it doesn't load on my home network because of all my ad and tracking blocking on my DNS server. I just want to check balances, you assholes. So yeah that one is strictly browser only for me.

[–] HowRu68@lemmy.world 28 points 1 day ago (2 children)

hellnuh, that your own website you keep posting?

[–] INeedMana@piefed.zip 20 points 1 day ago (1 children)

Yeah, address looks sus af

[–] HowRu68@lemmy.world 15 points 1 day ago (1 children)

Check Op's username and the community it mods, and you'll know what I mean.

[–] INeedMana@piefed.zip 5 points 1 day ago (1 children)

I seem to be missing some context. Now, after seeing another post with a link there, I know this probably is not some one-time scam site. But then, if you had the info that domain matches the name of their community, WDYM?

[–] HowRu68@lemmy.world 0 points 1 day ago (1 children)

You asking me or OP, wdym?

[–] INeedMana@piefed.zip 2 points 14 hours ago* (last edited 14 hours ago) (1 children)

hellnuh, that your own website you keep posting?

Check Op’s username and the community it mods, and you’ll know what I mean.

I checked and I don't get it

Your point is only asking if that's their page?

[–] HowRu68@lemmy.world 2 points 12 hours ago* (last edited 12 hours ago)

Your point is only asking if that's their page?

Yes, that was my question to him. I was hoping he reacted. But then you did react me saying

Yeah, address looks sus af.

So I thought you got it. So I said: check the username ..

So yes it IS their own webpage. According to rule 1 , posts need to be news articles, not this. He's been posting daily. Self promotion is also a no go.

So I'm not sure you are missing something.

[–] theherk@lemmy.world 10 points 1 day ago

It is, but it doesn’t seem nefarious. Just somebody trying to carve out a little corner to help individuals find some tools to get away from Google and such. Maybe they make money via some affiliate links, but is that a bad thing?

[–] sirico@feddit.uk 13 points 1 day ago (1 children)

Brought to you by proton

[–] ThePantser@sh.itjust.works 14 points 1 day ago

Analysis indicates the data was aggregated over time from multiple sources, including malware infections, phishing campaigns, and older third-party breaches. There is no indication of a direct compromise of Google’s internal infrastructure.

Everything is vulnerable to that, including proton.

[–] tserts@lemmy.tserts.com 0 points 1 day ago (1 children)

Start setting up passkeys where available, that is the safest and easiest way, I store mine on my selfhosted vaultwarden but you could use other ways. As long as the devices you use are secure, no passwd leaks, spoofing attempts or phishing can threaten you.

[–] bastion@feddit.nl 1 points 1 minute ago

Nah.. 2fa is better, and generally passkey is stored on other peoples' servers.

We need something like anon blockchain passkey.