Massive Data Leak: 149 Million User Credentials Exposed Online!

A massive unsecured database containing 149 million usernames and passwords has been discovered online and taken offline by cybersecurity researcher Jeremiah Fowler. The 96 GB database included credentials from nearly every major online platform, with Gmail accounting for 48 million of the exposed accounts.

Scope of the Breach

The leaked credentials span multiple service categories:

Email Providers: Gmail (48M), Yahoo (4M), Outlook (1.5M), iCloud (900k), and 1.4M .edu accounts

Social Media: Facebook (17M), Instagram (6.5M), TikTok (780k), X, and OnlyFans (100k)

Financial & Crypto: Binance (420k), banking accounts, credit card logins, and crypto wallets

Streaming Services: Netflix (3.4M), HBO Max, Disney Plus, and Roblox

The database also contained login credentials for government systems from multiple countries and consumer bank accounts.

How the Data Was Compromised

The credentials were not stolen through direct breaches of these platforms’ systems. Instead, the database consisted of stolen data accumulated by infostealer malware—malicious software designed to silently harvest login credentials from infected devices through keystroke recording. The stolen records included emails, usernames, passwords, and the exact login URLs associated with each account, making them valuable for automated attacks.
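Because each record pairs a login URL with a username and password, a defender who obtains such a dump through a notification or threat-intelligence feed can work out which of their own accounts need a forced reset. The following is an added example, not code from the article or from Fowler's research; the pipe-delimited record layout, the sample lines, and the `example.com` domain are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records, not data from the exposed database.
# Assumed layout: one record per line as login_url|username|password.
SAMPLE = """\
https://sso.example.com/login|alice@example.com|Winter2024!
https://accounts.google.com/signin|bob.personal@gmail.com|hunter2
https://vpn.example.com:8443/auth|EXAMPLE\\carol|S3cret|pipe
android://com.example.app/|dave@example.com|pw
https://shop.test/login|alice@example.com|Winter2024!
garbage line without separators
"""

def parse_record(line):
    """Return (host, username, password), or None for a malformed line."""
    parts = line.strip().split("|", 2)  # maxsplit keeps '|' inside passwords
    if len(parts) != 3 or not all(parts):
        return None
    url, user, password = parts
    host = (urlsplit(url).hostname or "").lower()  # drops port and path
    if not host:
        return None
    return host, user.strip().lower(), password

def in_scope(host, user, domains):
    """True if the login host or the account's email domain is ours."""
    email_domain = user.rpartition("@")[2] if "@" in user else ""
    return any(x == d or x.endswith("." + d)
               for d in domains for x in (host, email_domain) if x)

def triage(text, domains):
    """Map each in-scope account to the login hosts it was captured on."""
    exposed, skipped = defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        host, user, _password = rec  # the password is never stored or printed
        if in_scope(host, user, domains):
            exposed[user].add(host)
    return {u: sorted(h) for u, h in exposed.items()}, skipped

if __name__ == "__main__":
    accounts, skipped = triage(SAMPLE, ["example.com"])
    for user, hosts in sorted(accounts.items()):
        print(f"reset + revoke sessions: {user}  (seen on: {', '.join(hosts)})")
    print(f"malformed lines skipped: {skipped}")
```

In the sample, `alice@example.com` is flagged for both the corporate SSO host and an unrelated shop, which is the password-reuse case that makes credential stuffing work.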

Security Concerns

Researchers warn that criminals could use this data for:

  • Credential-stuffing attacks across multiple platforms
  • Identity theft and fraud
  • Phishing campaigns that appear legitimate
  • Financial crimes targeting exposed accounts

Notably, the database continued to grow with new credentials even while Fowler was attempting to get it taken offline, indicating ongoing malware collection efforts.

Response and Timeline

The exposed database was publicly accessible via web browser without any password protection or encryption. After discovering it, Fowler contacted the Canadian hosting provider through abuse reporting forms. It took approximately one month and multiple attempts before the hosting company suspended the database for violating its terms of service.
