
149 Million Login Credentials Exposed in Massive Unsecured Database

A massive unsecured database was discovered online, publicly exposing 149 million login credentials—including usernames and passwords for major platforms such as Gmail, Facebook, Yahoo, Outlook, and others.


A publicly accessible, unsecured database was uncovered containing 149 million login credentials, exposing usernames and passwords tied to major services like Gmail, Facebook, Yahoo, Outlook, and more.

 

According to a report by ExpressVPN, cybersecurity researcher Jeremiah Fowler discovered a publicly exposed database that lacked both password protection and encryption. The database contained 149,404,754 unique usernames and passwords, amounting to roughly 96 GB of raw credential data.

 

The report notes that the exposed dataset included 48 million Gmail accounts, 4 million Yahoo accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts, 1.5 million Outlook accounts, 1.4 million .edu accounts, along with many others.

 

“The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable. 

 

“These ranged from social media platforms such as Facebook, Instagram, TikTok and X (formerly Twitter), as well as dating sites or apps, and OnlyFans accounts indicating login paths of both creators and customers. I also saw a large number of streaming and entertainment accounts, including Netflix, HBOmax, DisneyPlus, Roblox, and more,” Fowler said.

 

He further noted that the sample of records he reviewed also contained credentials linked to financial services, crypto wallets or trading platforms, as well as banking and credit card accounts.

 

Fowler also identified credentials linked to .gov domains from multiple countries, which could potentially be exploited for targeted spear-phishing, impersonation, or as an entry point into government networks.

 

Because the database lacked any ownership details, Fowler reported it directly to the hosting provider, which later clarified it was run by an independent subsidiary using the parent company’s name. After nearly a month of follow-ups, the database was taken offline, the hosting suspended, and the stolen credentials were no longer accessible.

 

Fowler said the hosting provider shared no details about who controlled the database, whether it was used for criminal activity or legitimate research, or how and why it was publicly exposed. It also remains unclear how long the data was accessible before discovery, though the number of records continued to grow until the database was finally restricted.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543