A database containing 150 million usernames and passwords for popular services has been discovered publicly available.
Nearly 150 million usernames and passwords were exposed online, according to independent cybersecurity researcher Jeremy Fowler. The massive database was neither password-protected nor encrypted and was essentially publicly accessible, allowing anyone to access the credentials of millions of people worldwide.
The total volume of leaked data was approximately 96 GB. It contained 149,404,754 unique login and password records, including email addresses, usernames, passwords, and links to account login pages. According to the researcher, this was not just a collection of random data, but a structured repository of information collected by infostealers .
The leaked accounts included users of the most popular services. The database included data from Facebook *, Instagram*, TikTok, and X**, accounts from streaming platforms like Netflix, DisneyPlus, and HBO Max, Roblox and OnlyFans accounts, as well as access to banking services, crypto wallets, exchanges, and payment systems. The sample Fowler examined also included credentials associated with .gov domains from various countries, which potentially poses risks to government agencies and can be used for targeted phishing attacks and social engineering .
The scale of the leak is particularly alarming. The researcher estimates that the database contained approximately 48 million Gmail accounts, approximately 4 million Yahoo accounts, approximately 1.5 million Outlook accounts, and approximately 900,000 iCloud accounts. Millions of social media and online service accounts were also present, including 17 million Facebook accounts and over 3 million Netflix accounts.
The database contained no information about its owner. Fowler reported the discovery to the hosting provider via a complaint form, but the response process took nearly a month. Only after several requests was access to the server blocked and the data made inaccessible. During this time, the database's size even increased, indicating ongoing collection of stolen credentials. It is unknown who exactly managed this storage, nor how long it had been accessible before its discovery.
Based on the data structure, the researcher concluded that the database was used to store information collected by malware. In addition to logins and passwords, it contained technical data indicating infected devices and sources of information theft. This made it possible to organize the stolen data and conveniently use it for further attacks.
Experts warn that such data sets are particularly dangerous because they enable automated credential stuffing attacks. Attackers can massively check stolen logins and passwords on popular services, gaining access to email, bank accounts, social media, and corporate systems. This increases the risk of fraud, identity theft, financial crime, and phishing attacks , which appear highly credible because they rely on real user data.
This leak once again demonstrates that credential theft has long been a large-scale business. Even cybercriminals themselves often store stolen information in poorly configured cloud storage systems, which can be discovered through a simple internet scan. Once discovered, such databases are often copied and distributed further, making the consequences virtually irreversible.
Experts remind us that malware can infect devices through fake updates, malicious browser extensions, fake emails, and even ads. In such cases, simply changing your password won't help, as the new password can also be intercepted. For protection, it's recommended to use antivirus software, regularly update your operating system, avoid installing apps from untrusted sources, enable two-factor authentication , and avoid using the same password across multiple services.
Nearly 150 million usernames and passwords were exposed online, according to independent cybersecurity researcher Jeremy Fowler. The massive database was neither password-protected nor encrypted and was essentially publicly accessible, allowing anyone to access the credentials of millions of people worldwide.
The total volume of leaked data was approximately 96 GB. It contained 149,404,754 unique login and password records, including email addresses, usernames, passwords, and links to account login pages. According to the researcher, this was not just a collection of random data, but a structured repository of information collected by infostealers .
The leaked accounts included users of the most popular services. The database included data from Facebook *, Instagram*, TikTok, and X**, accounts from streaming platforms like Netflix, DisneyPlus, and HBO Max, Roblox and OnlyFans accounts, as well as access to banking services, crypto wallets, exchanges, and payment systems. The sample Fowler examined also included credentials associated with .gov domains from various countries, which potentially poses risks to government agencies and can be used for targeted phishing attacks and social engineering .
The scale of the leak is particularly alarming. The researcher estimates that the database contained approximately 48 million Gmail accounts, approximately 4 million Yahoo accounts, approximately 1.5 million Outlook accounts, and approximately 900,000 iCloud accounts. Millions of social media and online service accounts were also present, including 17 million Facebook accounts and over 3 million Netflix accounts.
The database contained no information about its owner. Fowler reported the discovery to the hosting provider via a complaint form, but the response process took nearly a month. Only after several requests was access to the server blocked and the data made inaccessible. During this time, the database's size even increased, indicating ongoing collection of stolen credentials. It is unknown who exactly managed this storage, nor how long it had been accessible before its discovery.
Based on the data structure, the researcher concluded that the database was used to store information collected by malware. In addition to logins and passwords, it contained technical data indicating infected devices and sources of information theft. This made it possible to organize the stolen data and conveniently use it for further attacks.
Experts warn that such data sets are particularly dangerous because they enable automated credential stuffing attacks. Attackers can massively check stolen logins and passwords on popular services, gaining access to email, bank accounts, social media, and corporate systems. This increases the risk of fraud, identity theft, financial crime, and phishing attacks , which appear highly credible because they rely on real user data.
This leak once again demonstrates that credential theft has long been a large-scale business. Even cybercriminals themselves often store stolen information in poorly configured cloud storage systems, which can be discovered through a simple internet scan. Once discovered, such databases are often copied and distributed further, making the consequences virtually irreversible.
Experts remind us that malware can infect devices through fake updates, malicious browser extensions, fake emails, and even ads. In such cases, simply changing your password won't help, as the new password can also be intercepted. For protection, it's recommended to use antivirus software, regularly update your operating system, avoid installing apps from untrusted sources, enable two-factor authentication , and avoid using the same password across multiple services.
