149 Million Logins & Passwords Exposed in Massive Data Leak

A massive database containing nearly 149 million usernames and passwords, including credentials for financial services, social media platforms and government-linked accounts, was found openly accessible online, raising fresh concerns about the scale of global cybercrime and the ongoing threat posed by credential-stealing malware.

The exposure was uncovered by cybersecurity researcher Jeremiah Fowler, who shared his findings with ExpressVPN as part of an effort to alert the public to significant digital security risks. The database was neither password-protected nor encrypted and could be accessed by anyone who discovered it.

In total, the dataset contained 149,404,754 unique login and password combinations, amounting to roughly 96 gigabytes of raw credential data. In a limited sample review, Fowler identified thousands of files listing email addresses, usernames, passwords and direct login or authorisation URLs for affected accounts.

“This is not the first dataset of this kind I have discovered,” Fowler said. “It only highlights the global threat posed by credential stealing malware. Even cybercriminals are not immune to data breaches.”

Accounts spanning the digital economy

The exposed credentials originated from victims worldwide and covered almost every type of online service imaginable. Social media platforms such as Facebook, Instagram, TikTok and X were included, alongside dating apps and adult content services, including OnlyFans, showing login paths for both creators and customers.

One of the most serious concerns was the presence of credentials associated with government email domains from multiple countries. While not all government accounts provide access to sensitive systems, even limited access could enable impersonation, spear phishing or serve as an entry point into official networks.

“Exposed government credentials can pose national security and public safety risks, depending on the permissions of the compromised user,” Fowler warned.

A database without an owner

The database did not contain any information identifying its owner. Fowler reported the exposure directly to the hosting provider using its abuse reporting process. Several days later, he was informed that the IP address was operated by a subsidiary company. It took nearly a month and multiple follow-ups before the hosting was suspended and the credentials were no longer publicly accessible.

The hosting provider declined to share further details. It remains unclear who collected the data, whether it was actively used for criminal purposes, or how long it had been exposed before discovery. One troubling detail is that the number of records increased between the time Fowler first found the database and when it was finally taken offline.

Estimated breakdown of affected accounts

Based on Fowler’s analysis, the dataset included credentials from major email and online platforms, including:

  • 48 million Gmail accounts
  • 4 million Yahoo accounts
  • 1.5 million Outlook accounts
  • 900,000 iCloud accounts
  • 1.4 million .edu addresses

Other notable services included:

  • 17 million Facebook accounts
  • 6.5 million Instagram accounts
  • 780,000 TikTok accounts
  • 3.4 million Netflix accounts
  • 100,000 OnlyFans accounts
  • 420,000 Binance accounts

Linked to infostealer malware

The structure of the files strongly suggests the data was collected using infostealer malware and keyloggers, malicious software designed to silently harvest credentials from infected devices. Unlike similar datasets Fowler has encountered before, this one logged additional technical details, including a reversed hostname path formatted as com.example.user.machine.

This method helps organise stolen data by victim and source, while also reducing detection by simple security filters. Each record was indexed using a unique line hash, with no duplicates found in the sampled data.
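For a defender checking an exposure notification against their own domains, the reversed layout means matching has to be done label by label rather than by string prefix. The sketch below is an added example, not code from Fowler or the dataset: it assumes the labels after the domain are user and machine as in the com.example.user.machine placeholder, uses SHA-256 as a stand-in for the unnamed line hash, and all sample keys and watched domains are constructed.

```python
import hashlib

# Constructed sample keys in the reversed-host layout the article describes.
# No credentials are included and every name is made up.
SAMPLE = [
    "com.example.alice.laptop01",
    "com.example.alice.laptop01",   # exact duplicate, dropped by the line hash
    "com.examplebank.bob.pc7",      # look-alike: must NOT match example.com
    "uk.co.example.carol.desk3",    # multi-label suffix
    "COM.Example.dave.ws12",        # mixed case
    "org.unrelated.erin.host9",
]
WATCHED = ["example.com", "example.co.uk"]  # hypothetical monitored domains


def reversed_key(domain):
    """'example.co.uk' -> ('uk', 'co', 'example')."""
    return tuple(reversed(domain.strip().lower().rstrip(".").split(".")))


def match_watched(path, watched):
    """Return (domain, remaining_labels) for the longest watched domain that
    prefixes the path on whole-label boundaries, or None if none does."""
    labels = tuple(path.strip().lower().split("."))
    best = None
    for domain in watched:
        key = reversed_key(domain)
        if labels[:len(key)] == key and (best is None or len(key) > len(best[0])):
            best = (key, domain.lower())
    if best is None:
        return None
    return best[1], labels[len(best[0]):]


def triage(paths, watched):
    """Deduplicate by line hash, then group the remaining labels per domain."""
    seen, hits = set(), {}
    for raw in paths:
        line = raw.strip().lower()
        if not line:
            continue
        digest = hashlib.sha256(line.encode()).hexdigest()  # assumed algorithm
        if digest in seen:
            continue
        seen.add(digest)
        found = match_watched(line, watched)
        if found:
            hits.setdefault(found[0], []).append(".".join(found[1]))
    return hits
```

A plain string-prefix test on "com.example" would wrongly flag the com.examplebank entry; comparing whole labels avoids that and handles suffixes such as co.uk without a public suffix list.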

Why this exposure matters

The sheer volume of exposed credentials presents a serious risk to individuals who may not know their information was compromised. Because the dataset includes emails, passwords and exact login URLs, criminals could automate credential stuffing attacks against email accounts, banks, social networks and enterprise systems.

That significantly increases the risk of fraud, identity theft and phishing campaigns that appear convincing because they reference real services and accounts.

From a privacy perspective, exposed email addresses and service associations allow criminals to build detailed personal profiles. Access to email accounts alone could reveal sensitive documents, personal conversations and years of private data. Takeovers of dating or adult content accounts could also lead to harassment or extortion long after the original breach.

How users can protect themselves

Malware that steals credentials is commonly spread through malicious email attachments, fake software updates, compromised browser extensions and deceptive advertisements. Once installed, it can run silently in the background.

Simply changing passwords is not enough if a device remains infected, as new credentials can be captured again. Antivirus software remains one of the most effective first lines of defence, yet a report published in October found that only about 66 percent of US adults used antivirus tools in 2025.

Anyone who suspects malware infection should act immediately. On mobile devices, update the operating system and install reputable security software if it is not already present. Scan the device and remove anything flagged as malicious, and review app permissions, accessibility settings and device administrator access.

On computers, even non-technical users can review installed programs, browser extensions and running processes to identify suspicious activity. As a general rule, software should only be installed from official app stores or trusted sources.

Password managers help, but are not foolproof

Password managers can reduce exposure to basic keyloggers by autofilling credentials rather than typing them, and they encourage strong, unique passwords and multi-factor authentication. However, they are not immune to advanced malware.

Infostealers can capture clipboard contents, scrape browser memory, steal session cookies or intercept form data before encryption. Password managers are most effective when combined with antivirus software, endpoint protection and regular operating system updates.

What to do after a breach

After any suspected exposure, users should review account security settings, enable two-factor authentication or biometric protections where available, and check login histories for unfamiliar devices or locations. Passwords should never be reused across different services.

While it may seem ironic that cybercriminals left such a valuable dataset unsecured, researchers say this is common. Criminal operations often prioritise speed and scale over security, storing data in misconfigured cloud servers that are easily discovered through internet scanning. Once exposed, such data is frequently copied and redistributed, making the damage hard to undo.

A growing global threat

The discovery of this database is another reminder that credential theft has become a large-scale industry. As attackers continue to refine their tools, basic cyber hygiene remains essential. Strong authentication, unique passwords, antivirus protection and timely updates are no longer optional.

Fowler stressed that he does not download or retain exposed data, limiting his actions to confirming the exposure and responsibly notifying the relevant parties. He makes no allegations against the hosting provider or claims that internal systems were breached, noting that all risk scenarios discussed are hypothetical and intended purely for education and awareness.

As cybercrime continues to expand, this incident underlines a simple reality. Even when no single company has been hacked, millions of people can still be placed at risk by the silent spread of malware and the careless storage of stolen data.
