Massive Data Leak Exposes 149 Million Passwords for Gmail, Facebook, and Major Platforms
Unsecured Database Reveals Millions of Stolen Credentials
Cybersecurity researcher Jeremiah Fowler has identified a massive cache of stolen login credentials exposed on the open web, putting millions of users across the globe at risk. According to a report published by ExpressVPN, the exposed database contained 96GB of data, representing approximately 149.4 million unique username and password combinations.
Unlike a traditional corporate data breach where hackers penetrate a company’s internal servers, this incident appears to be an aggregation of data collected through “info-stealing” malware. The report indicates that the database was left unsecured, allowing public access without password protection until it was taken down.
Gmail and Social Media Giants Top the Victim List
The exposed dataset included credentials for some of the world’s most popular digital services. The stolen data specifically linked login information to the platforms they unlock, providing a roadmap for cybercriminals to execute credential-stuffing attacks.
Fowler’s analysis broke down the most affected services by volume of stolen records:
- Gmail: 48 million
- Facebook: 17 million
- Instagram: 6.5 million
- Yahoo: 4 million
- Netflix: 3.4 million
- Outlook: 1.5 million
- iCloud: 900,000
- TikTok: 780,000
The database also contained significant numbers of logins for platforms such as Binance, OnlyFans, HBO Max, Disney Plus, and X (formerly Twitter).
The Role of Info-Stealing Malware
The investigation suggests that the data originated from malware campaigns designed specifically to harvest user information. Unlike viruses that damage systems, info-stealers operate silently in the background. They record keystrokes, capture screenshots, and extract saved passwords from web browsers.
Once collected, this data is typically sent back to command-and-control servers operated by cybercriminals. In this specific case, the attackers aggregated the stolen data into a cloud storage container but failed to secure it.
“When a company leaves a database open online, they can be held accountable,” Fowler noted in the report. He added that when criminals make the same mistake, it allows other malicious actors to steal the data for their own phishing campaigns or financial fraud.
Remediation and Security Best Practices
Upon discovering the open database, Fowler contacted the hosting provider to report the abuse. The report confirms that the database remained exposed for an undetermined period before the host suspended the account and took the server offline.
Security experts advise that incidents like this serve as a critical reminder to practice robust digital hygiene. Because the data was stolen from user devices rather than the service providers themselves, changing passwords is the most effective immediate defense.
Recommended Security Steps:
- Eliminate Password Reuse: Ensure every account has a unique, complex password.
- Use a Password Manager: These tools generate strong encryption keys and prevent credential reuse.
- Enable Multi-Factor Authentication (MFA): MFA adds a layer of protection that prevents access even if a password is stolen.
- Scan for Malware: Run reputable antivirus software to detect and remove any potential info-stealers lurking on personal devices.
