Operators behind a global phishing campaign inadvertently left thousands of stolen credentials accessible via Google Search.