149 Million Passwords Exposed Online: What We Know

Quick Read

  • Nearly 150 million unique logins and passwords were found exposed in an unsecured online database.
  • The leaked data includes 48 million Gmail accounts, 17 million Facebook accounts, and 6.5 million Instagram accounts.
  • Credentials were collected by ‘infostealer’ malware from victims’ devices, not from breaches of service providers like Google.
  • The database also contained logins for financial services, streaming platforms, dating sites, and even government (.gov) domains.
  • Cybersecurity researcher Jeremiah Fowler discovered the leak; the hosting provider took nearly a month to suspend the database's hosting.

SAN FRANCISCO (Azat TV) – Nearly 150 million online logins and passwords, including a staggering 48 million Gmail accounts, were discovered exposed in an unsecured, publicly accessible online database, cybersecurity researcher Jeremiah Fowler confirmed this week. The massive leak, which also encompasses credentials for financial services, social media, and government domains, underscores the escalating global threat posed by sophisticated ‘infostealer’ malware that harvests user data directly from infected devices.

The discovery, initially shared with ExpressVPN and published on Friday, January 23, 2026, revealed a 96 GB trove of raw credential data. This database was neither password-protected nor encrypted, making millions of individuals’ sensitive information vulnerable to potential access by anyone who stumbled upon it. Fowler’s report emphasizes that these credentials were not stolen through a breach of major service providers like Google or Meta, but rather collected over time by malware residing on victims’ computers and mobile devices.

The Scope of the Exposure

The publicly exposed database contained precisely 149,404,754 unique logins and passwords. A limited sampling of the records reviewed by Fowler revealed a wide array of compromised accounts, including emails, usernames, passwords, and direct login links for various services. Among the most significantly impacted were:

  • Gmail: 48 million accounts
  • Facebook: 17 million accounts
  • Instagram: 6.5 million accounts
  • Yahoo: 4 million accounts
  • Netflix: 3.4 million accounts
  • Outlook: 1.5 million accounts
  • iCloud: 900,000 accounts
  • TikTok: 780,000 accounts
  • Binance: 420,000 accounts
  • OnlyFans: 100,000 accounts

Other notable services affected included HBOmax, DisneyPlus, Roblox, and X (formerly Twitter). Of particular concern was the presence of credentials associated with .gov domains from numerous countries. While access to government-linked accounts may vary in sensitivity, even limited entry points could facilitate spear-phishing or impersonation, or serve as a gateway into government networks, posing potential national security and public safety risks, as reported by Dimsumdaily HK.

How Credentials Were Compromised

The exposed data was amassed by ‘infostealer’ malware, a type of malicious software designed to covertly collect credentials from infected devices. Unlike traditional data breaches that target service providers, this incident highlights a growing threat where user data is siphoned off directly from personal devices. The database appeared to store keylogging data and information harvested by these infostealer programs, including additional details such as a ‘host_reversed path’ structure, which helps organize stolen data by victim and source.

Fowler, an ethical security researcher, reported the vulnerability directly to the hosting provider via their online abuse form. Despite initial delays and a response indicating the IP was hosted by an independently operating subsidiary, it took nearly a month and multiple attempts before action was finally taken to suspend the hosting. During this period, the number of records in the database continued to increase, according to ExpressVPN, indicating ongoing collection even after discovery. The hosting provider did not disclose information regarding who managed the database, and it remains unclear how long the data was exposed or whether it was used for criminal activity.

Urgent Security Measures for Users

The exposure of such a vast number of credentials presents a serious risk of credential-stuffing attacks, identity theft, financial fraud, and sophisticated phishing campaigns. Cybercriminals can automate attempts to log into various accounts using the stolen email, username, and password combinations, which could appear legitimate due to their reference to real accounts and services, as Swikblog noted.

Users whose devices may be infected with infostealer malware face a particularly challenging situation, as simply changing passwords may be insufficient if the malware continues to capture new credentials. Experts, including those at Tom’s Guide, recommend immediate action:

  • Install and regularly update antivirus software on all devices. An estimated 66% of U.S. adults used antivirus software in 2025, leaving a significant portion vulnerable.
  • Update operating systems and security software to patch known vulnerabilities.
  • Review app permissions, keyboard settings, and device admin access, installing apps only from official stores.
  • Utilize unique, strong passwords for every online account.
  • Enable two-factor authentication (2FA) or multi-factor authentication (MFA) wherever possible. While not entirely foolproof against advanced malware, it significantly reduces the risk of unauthorized access.
  • Consider switching to passkeys, which offer a more secure login method where available.
  • Use a reputable password manager, which can help generate and securely store unique passwords, though password managers are not immune to advanced malware that captures session cookies or clipboard contents.
  • Regularly review login history, locations, and devices associated with your accounts.

Broader Implications and Expert Advice

The breach of email addresses and associated account information allows criminals to build detailed profiles of individuals, potentially increasing the success rate of social engineering and phishing attempts. Unauthorized access to email histories, dating profiles, or adult entertainment accounts could lead to long-term privacy concerns, including harassment or extortion. It is ironic, but not uncommon, for cybercriminals themselves to leave such a valuable cache of stolen data unsecured: criminal operations often prioritize speed and scale over operational security, leaving data in misconfigured cloud servers.

This incident serves as a stark reminder that credential theft remains a large-scale, evolving threat. Responsible disclosure by security researchers like Fowler is crucial, but hosting providers also bear a responsibility to offer effective abuse reporting channels reviewed by humans. Failure to act on such reports enables malicious infrastructure to persist, continuously exposing individuals to serious risks.

The persistent threat of infostealer malware and the sheer volume of compromised credentials underscore a critical need for both individual vigilance and improved industry-wide security practices. While users must adopt robust cyber hygiene, the incident also highlights the responsibility of hosting providers to swiftly address reports of exposed data, ensuring that malicious infrastructure is not inadvertently enabled.
