
The information was disclosed three weeks ago as part of Google's freely accessible anti-phishing blacklist.
Google said in a written statement that the problem has since been fixed, and that procedures have been put in place to strip login information from future submissions.
The information was collected when users submitted suspected phishing sites through the Google Toolbar browser extension. Several of the URLs that were submitted also contained login and password information.
Security firm Finjan said that it first notified Google of the problem on 3 January, and confirmed that the list has since been cleaned of any sensitive user information.
A Google spokesman told vnunet.com that all users who had information disclosed had been notified "weeks ago".
The disclosure of usernames and passwords on the internet can be especially dangerous because many people use the same password for every site they visit, explained Finjan.
An attacker who obtained the password for one site could access more sensitive information on other sites, such as credit card numbers or bank account information.
Finjan advised users to avoid using the same password for several accounts, and to install security software and disable URL sharing in their browsers in order to avoid having sensitive data from URLs recorded.