A cybersecurity breach has left approximately 149 million unique usernames and passwords exposed online, including credentials for major platforms such as Gmail, Instagram, OnlyFans, Facebook, Netflix, and various financial and government accounts. The unsecured database, weighing 96 GB and containing raw credential data harvested by infostealer malware, was discovered completely unprotected — without encryption or password safeguards — allowing anyone to access the information freely.
Cybersecurity researcher Jeremiah Fowler uncovered the massive leak and shared details via ExpressVPN. The database, hosted on a cloud repository, remained publicly accessible for about a month before the hosting provider suspended it following Fowler’s report. During that exposure window, the record count grew, indicating that active infostealer malware continued feeding fresh stolen credentials into the collection.
Major data breach: Affected services at a glance
The compromised data spans a wide range of services:
Email: Around 48 million Gmail accounts, 4 million Yahoo accounts, and 1.5 million Outlook/Hotmail accounts.
Social Media: Approximately 17 million Facebook logins, 6.5 million Instagram accounts, 780,000 TikTok credentials, plus numerous X (Twitter) entries.
Entertainment & Gaming: About 3.4 million Netflix accounts, along with HBO Max, Disney+, Roblox, and others.
Financial & Crypto: Roughly 420,000 Binance accounts, various banking logins, and crypto wallet credentials.
Other Categories: OnlyFans accounts, dating sites, streaming services, and even government domains (.gov) from multiple countries.
Fowler explained that infostealer malware (malicious software that silently infects devices via phishing emails, fake updates, malicious browser extensions, or deceptive ads) steals credentials and uploads them to cloud storage for later use by cybercriminals. “When data is collected, stolen, or harvested it must be stored somewhere and a cloud-based repository is usually the best solution,” Fowler noted. “This discovery also shows that even cybercriminals are not immune to data breaches.”
Why a simple password change won’t save you
The breach poses severe risks such as unauthorised account access, identity theft, financial fraud, and exploitation of personal data. Since the credentials come from malware infections on users’ devices, changing passwords alone may not suffice. New passwords could also be captured if the malware remains active.
How to protect your data
Jeremiah Fowler and cybersecurity experts urge immediate action with these key steps:
Scan for malware: Install reputable antivirus software (if not already in place) and run a full system scan to detect and remove threats. On mobile devices, update your OS and security apps promptly, and review app permissions (especially keyboard, accessibility, and device admin access).
Use a Password Manager: Adopt a trusted password manager to generate and store strong, unique passwords. It encrypts credentials and helps thwart keyloggers that capture typed information.
Enable Two-Factor Authentication (2FA): Activate 2FA or biometric verification (e.g., fingerprint/face ID) on all important accounts. This adds a critical extra layer—even if passwords are compromised, attackers need the second factor.
Avoid password reuse: Never use the same password across multiple sites or services. Unique passwords per account significantly limit damage from any single breach.
Users should also monitor accounts for suspicious activity, revoke unrecognised logins, and consider freezing credit if financial data is involved.

