In one of the most extensive credential exposures in recent memory, login usernames and passwords of approximately 149 million online accounts — spanning email, social media, streaming services and even financial portals — were discovered in an unsecured database accessible on the internet, cybersecurity researchers have revealed. The exposed data, estimated to be around 96 GB in size, was found without any encryption or password protection, leaving sensitive credentials vulnerable to misuse.
The massive trove of login information was uncovered by cybersecurity expert Jeremiah Fowler, who shared his findings with security platforms after discovering that the database was publicly reachable. According to Fowler’s report, the exposed credentials included login details for a wide range of services, such as Gmail, Facebook, Instagram, Netflix, Yahoo, Outlook and various financial and government systems.
Unprotected data accessible to anyone online
The data repository — hosted on a cloud platform — was found to contain 149,404,754 unique login and password combinations, along with URLs directly linked to the login or authorization pages of affected services. In many cases, the exposed credentials included both email addresses or usernames and their corresponding passwords, creating a significant security threat for the account holders.
Security analysts noted that the database appeared to have no password protection or encryption, effectively making it an open repository that could be accessed by anyone with knowledge of its web location. Such unprotected storage of sensitive authentication information has raised alarms about basic cybersecurity oversight and lax data handling practices.
Wide range of affected platforms
In the detailed breakdown of compromised accounts, the leak reportedly included:
- Around 48 million Gmail accounts
- Approximately 17 million Facebook logins
- About 6.5 million Instagram accounts
- Roughly 3.4 million Netflix credentials
- Some 4 million Yahoo accounts
- Nearly 1.5 million Microsoft Outlook logins
Additional records also contained details associated with other services, such as banking and crypto platforms, dating and entertainment sites, and even accounts linked to government and .gov domains across multiple countries.
Infostealer malware suspected as underlying cause
Experts suspect that the leaked database may have been assembled using infostealer malware, malicious software that silently captures login credentials from infected devices, with the stolen credentials then aggregated into a central repository. Once collected, such data can be highly prized by criminal groups for further exploitation, including automated attacks and credential stuffing campaigns.
“Infostealer malware is often used to harvest credentials as users type them, before sending that data back to operators,” cybersecurity analysts explain. Though it is not yet clear where or when exactly the data was harvested, the size and variety of services affected have underscored the scale of the threat.
Database taken offline after researcher alerts provider
After discovering the unsecured database, Fowler reported it to the hosting provider, which eventually removed the repository from public access. However, security experts warn that even temporary exposure of unprotected credentials can have lasting impacts, as cybercriminals often scrape such datasets quickly before they are taken down.
Risks and user advice
Security professionals highlight that exposed usernames and passwords pose a high risk of account takeover, especially when users reuse the same credentials across multiple platforms. Once obtained by malicious actors, these credentials can be used to attempt logins on other services — a practice known as credential stuffing — which has been behind numerous breaches in the past.
Users are strongly advised to:
- Change passwords immediately if they suspect exposure
- Enable two-factor authentication (2FA) wherever possible
- Use unique, strong passwords for different services
- Monitor bank accounts and email activity for signs of unauthorised access
Broader implications
The incident has ignited fresh debate over cybersecurity practices, data protection and the need for stricter enforcement of secure storage standards. With cyber threats continuing to evolve, experts urge both individuals and organisations to adopt proactive security measures to safeguard personal and sensitive information online.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
