January 24, 2026

A cybersecurity researcher has uncovered one of the largest unsecured credential dumps in recent memory, exposing 149,404,754 unique usernames and passwords totaling 96 GB of raw data. The database, publicly accessible without encryption or protection, included logins for Gmail, Facebook, Instagram, Netflix, and hundreds of other services, from banking portals to government systems worldwide. Discovered by Jeremiah Fowler, the trove highlights the rampant threat of infostealer malware that silently harvests credentials from infected devices.

Fowler, a veteran security analyst with over a decade tracking breaches, stumbled upon the database hosted by a global provider’s Canadian affiliate. “The publicly exposed database was not password-protected or encrypted,” he detailed in a report published by ExpressVPN.

In a limited sample, he observed thousands of files with emails, usernames, passwords, and precise login URLs, enabling automated attacks. The records spanned social media giants, streaming platforms, crypto exchanges like Binance, and even .gov domains from multiple countries.

Key victims included an estimated 48 million Gmail accounts, 17 million Facebook entries, 6.5 million Instagram logins, 4 million Yahoo credentials, 1.5 million Outlook accounts, 900,000 Apple iCloud combinations, and 1.4 million .edu institutional access points, according to Fowler’s analysis shared with Wired. Streaming services fared poorly too, with 3.4 million Netflix, 780,000 TikTok, and 100,000 OnlyFans records. Financial services, crypto wallets, trading platforms, and credit card portals rounded out the perilously diverse haul.

Unprotected Gateway to Global Credentials

The database’s structure screamed infostealer origins: files organized by reversed host paths like ‘com.example.user.machine’ for indexing, unique line hashes as IDs to prevent duplicates, and evidence of keylogging. “This is like a dream wish list for criminals, because you have so many different types of credentials,” Fowler told Wired. “An infostealer would make the most sense. The database was in a format made for indexing large logs as if whoever set it up was expecting to gather a lot of data.”
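The indexing scheme described above is also useful on the defensive side, for checking a notification sample against an organisation's own domains. The sketch below is an added example, not code from Fowler's report or from the database: the `url|username|password` line format, the SHA-256 line ID, the sample records and the domain `corp.example` are all constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample lines; the "url|username|password" layout is an assumption.
SAMPLE = [
    "https://sso.corp.example/login|alice@corp.example|Winter2025!",
    "https://sso.corp.example/login|alice@corp.example|Winter2025!",  # exact duplicate
    "https://mail.corp.example/owa|bob@corp.example|hunter2",
    "https://accounts.other.test/signin|carol@other.test|pw",
    "not a record",
]

def reversed_host(url):
    """Return the host with its labels reversed: sso.corp.example -> example.corp.sso."""
    host = urlsplit(url).hostname or ""
    return ".".join(reversed(host.lower().split(".")))

def line_id(line):
    """Hash of the whole line, used as a record ID so repeated lines collapse."""
    return hashlib.sha256(line.strip().encode()).hexdigest()

def triage(lines, org_domains):
    """Map each exposed username on an org domain to the reversed hosts it was seen on.

    Passwords are never stored or returned; the output only drives forced resets.
    """
    prefixes = [".".join(reversed(d.lower().split("."))) for d in org_domains]
    seen, exposed = set(), {}
    for line in lines:
        parts = line.strip().split("|", 2)   # a password may itself contain "|"
        if len(parts) != 3:
            continue                          # skip malformed lines
        rid = line_id(line)
        if rid in seen:
            continue                          # duplicate record
        seen.add(rid)
        url, user, _password = parts
        key = reversed_host(url)
        # With reversed labels, "any subdomain of X" is an exact-or-prefix match,
        # so evilcorp.example cannot be mistaken for corp.example.
        if any(key == p or key.startswith(p + ".") for p in prefixes):
            exposed.setdefault(user, set()).add(key)
    return {u: sorted(k) for u, k in exposed.items()}

if __name__ == "__main__":
    for user, hosts in triage(SAMPLE, ["corp.example"]).items():
        print(user, hosts)
```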

Allan Liska, threat intelligence analyst at Recorded Future, explained the malware’s appeal: “Infostealers create a very low barrier of entry for new criminals,” he said in the Wired report. “Renting one popular infrastructure, we’ve seen costs somewhere between $200 to $300 a month, so for less than a car payment, criminals could potentially gain access to hundreds of thousands of new usernames and passwords a month.” This low cost fuels a cycle where stolen data gets repackaged and resold on dark web forums.

Fowler reported the exposure to the hosting provider, but action lagged. “It took nearly a month and multiple attempts for the hosting to be suspended,” he noted in the ExpressVPN report. During that time, records swelled, underscoring how even cybercriminals’ repositories can backfire. The provider cited terms-of-service violations but withheld ownership details, leaving questions about prior access by malicious actors.

Corporate Silence Amid Credential Chaos

Major platforms have yet to issue detailed statements, though Google addressed the fallout. A spokesperson told Daily Mail: “We are aware of reports regarding a dataset containing a wide range of credentials, including some from Gmail. This data represents a compilation of ‘infostealer’ logs, credentials harvested from personal devices by third-party malware, that have been aggregated over time. We continuously monitor for this type of external activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials.” No immediate responses came from Meta, Microsoft, Apple, or Netflix despite queries, per multiple reports including Android Police.

This incident echoes prior Fowler discoveries, like a 184 million-record dump in 2025 affecting similar services, as covered by Wired. Infostealers like RedLine thrive by exploiting unpatched devices, browser autofill, and weak app permissions, turning personal computers into credential farms. Recent X posts from users like @iamJc amplified the alert: “NOT a Google/Gmail breach—it’s malware scraping saved creds from hacked personal devices.”

The implications extend beyond individuals. “Exposed government credentials could potentially be used for targeted spear-phishing, impersonation, or as entry points into government networks, posing national security and public safety risks,” Fowler warned in the ExpressVPN report. Dating apps and OnlyFans entries risk extortion via private chats and images, while banking logins invite direct fraud. Credential-stuffing attacks, automated logins using leaked pairs, loom large given the included URLs.

Malware Mechanics Fueling the Fire

Infostealer operations automate theft via keyloggers, screenshot captures, and form-grabbing from browsers. A device that is still infected stays vulnerable after its passwords are changed. Fowler emphasized in his ExpressVPN analysis: “Even cybercriminals are not immune to data breaches.” Only 66% of U.S. adults used antivirus in 2025, per cited stats, leaving billions exposed.

Recent web coverage, including Mint and Hindustan Times, urged immediate scans. X chatter from outlets like @FinancialXpress and @ZeeNewsEnglish echoed: check devices, revoke sessions, freeze credit. Hosting providers face calls for human-reviewed abuse reports to stem such leaks faster.

Fowler’s ethical approach—no data downloads—sets a standard, focusing on awareness. “The publication of these findings is intended only to promote awareness around data protection and privacy risks,” he stated. As platforms like Google deploy auto-locks, the onus falls on users: unique passwords via managers, 2FA/biometrics, official app sources, and vigilant permission reviews.

Defensive Imperatives for a Leaky Digital Realm

Password reuse remains rampant, amplifying damage. Services must enhance monitoring, but individuals drive change. Install antivirus, patch OS, audit logins—Fowler’s playbook from ExpressVPN. This dump, while offline, circulates inevitably on underground markets, per experts like Matt Conlon of Cytidel in Forbes: “Info stealers have seen a significant rise… a treasure trove for anyone with malicious intent.”

Regulators push encryption mandates, yet malware evolves. The breach, first flagged by Android Police, demands industry reckoning: better device hygiene, AI-driven anomaly detection, and zero-trust architectures. For insiders, it’s a stark reminder—assume breach, layer defenses relentlessly.

Infostealer Trove: 149 Million Logins Exposed in Open Database Nightmare first appeared on Web and IT News.
