Massive leak of data exposes 149 Million accounts without warning

Most people won’t get an alert. No email. No email. Yet, 149 millions logins and passwords are available online for anyone to see.

Jeremiah Fowler is a cybersecurity researcher who made the discovery. He found a huge database that was left unprotected. No password protection. No encryption. There.

Fowler shared with Fowler his findings ExpressVPNThe report was published to alert the public to the widespread nature of credential theft.

Open database of everyday accounts

The database held 149.404.754 unique logins. That’s 96GB worth of raw data. A quick glance at the files revealed that there were thousands of entries containing email addresses, usernames and passwords as well as direct login URLs.

It wasn’t just obscure platforms. The credentials exposed covered many services people use on a daily basis: Facebook and Instagram, TikTok or X, dating apps like OnlyFans, streaming platforms Netflix, Disney+ or HBO Max, as well as streaming apps such as Netflix. Roblox accounts and others were found.

Even more concerning, the sample contained financial accounts, crypto-wallets, trading platforms and logins to banking systems.

Fowler identified credentials associated with.gov emails from multiple countries. Even limited access to government systems can be valuable in impersonation or targeted fraud.

The data that ended up there

Based on how the files were organised, the database appears to have been built using infostealer malware – software designed to quietly collect credentials from infected devices.

This was not a random dump. The records were well-structured, using unique hashes to index and organise the data. The setup strongly indicates a large-scale, not an isolated incident.

Fowler did not know who owned the database when he discovered it. The hosting provider was slow to respond when Fowler reported the database. After several weeks of repeated contacts, the database was finally restricted.

The situation worsened during that period. Between the time it was discovered, and when it was taken off-line, more records were added. Fowler has not revealed how long the records had been exposed before he found them.

The hosting company did not reveal who managed the database nor whether it had been accessed or copied before.

Why ordinary users should be concerned

The ease of misuse makes this leak a risky one.

The database contained not only passwords but also emails and login links. This could be used for automated attacks on multiple platforms. A compromised password can open up email accounts, social media profiles and financial services.

Email access can be particularly dangerous. Inboxes are full of personal documents, messages for account recovery and private conversations.

Privacy is also an issue that will persist for a long time. Knowing which platforms someone uses – including dating sites or adult services – could later be exploited for fraud, harassment or blackmail.

Fowler brings up another unpleasant truth: changing your account password won’t be enough if you have an infected device. Malware will continue to collect credentials until it is properly removed.

A familiar pattern in cybercrime

You might be surprised that such an important cache of stolen data has been left unprotected. Researchers say that this type of theft is not rare.

Cybercriminals prioritize speed over security by storing data on poorly configured cloud services that are easily discovered via routine internet scans. Once these datasets have been exposed, they are frequently copied and re-distributed. This makes it difficult to stop the damage.

Credential theft has now reached industrial scale, as the exposed database shows. It happens constantly and without the victims knowing.

Fowler says that the basics still matter, including unique passwords, 2-factor authentication, current security software, and regular system upgrades. These are not foolproof measures, but they can reduce the likelihood of being a target.

In cases like these, it’s not the size of a breach that’s the most disturbing. It’s not the breach itself that is disturbing, but rather the silence.