Findings from Cybersecurity Researcher Jeremiah Fowler reveal a concerning data leak: more than 149 million unique logins and passwords were exposed, amounting to 96 GB of pure credential data.

In a sampling of the exposed records, Fowler discovered thousands of files containing emails, usernames, and passwords, as well as URL links to the login site for the corresponding data. 

“This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware,” Fowler wrote in a blog post. “When data is collected, stolen, or harvested it must be stored somewhere and a cloud based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches. The database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals.”

The exposed documents contained credential information collected from individuals around the world, ranging from a variety of online services and accounts. These include social media, financial services platforms, dating sites, entertainment accounts and more. In some instances, particularly with financial service platforms, trading accounts, or cryptocurrency wallets, credit card and banking logins were also accessible. 

Alarmingly, Fowler discovered credentials associated with .gov domains linked to several countries. 

“While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user,” Fowler warns. 

Leaked government credentials could be exploited for impersonation, spear-phishing, or as an initial access to government networks, posing risks to public safety and even national security. 

The big question now: who was collecting this data in the first place? 

At this time, it is unclear. Fowler states that the database had no ownership information, and so he reported the issue to the hosting provider. 

“I received a reply several days later stating that they do not host the IP and it is a subsidiary that operates independently while still using the parent organization’s name,” recounts Fowler. “It took nearly a month and multiple attempts before action was finally taken and the hosting was suspended and millions of stolen login credentials were no longer accessible.”  

The hosting provider refused to disclose information on who was managing the database. While the owner of the database is unknown, it is suspected to be associated with criminal activity. 

Between the time of Fowler’s initial discovery and the database being removed, the number of records within it increased. 

The Threat of Infostealing Malware

While the manager of the database is currently unknown, the sensitive and varied nature of the credentials collected suggests it is connected to cybercriminal activity. This highlights the global risk that infostealing malware presents.  

Morey Haber, Chief Security Advisor at BeyondTrust, explains that “infostealing malware can come from a variety of sources like sideloading applications, jailbreaking, vulnerabilities/exploits” and more. 

The threat of infostealers is not contained to the singular moment of credential theft, nor are they limited to a one-time exploit. Boris Cipot, Senior Security Engineer at Black Duck, warns, “Infostealer breaches like this do not just expose isolated accounts, they create a long-term attack surface that gives cybercriminals opportunities across every aspect of our digital lives. Organisations and individuals alike must assume that usernames and passwords are constantly at risk and adopt layered defences accordingly.”  

Estimated Breakdown of Exposed Accounts 

• Gmail: 48 million 
• Yahoo: 4 million
• Outlook: 1.5 million
• iCloud: 900,000
• .edu: 1.4 million
• FaceBook: 17 million
• Instagram: 6.5 million
• TikTok: 780,000
• Netflix: 3.4million
• OnlyFans: 100,000

What Are Implications of This Leaked Dataset? 

While the sheer size of this data exposure is alarming, experts are more concerned by what it represents. 

“This reported dataset matters less because of its size and more because of what it represents operationally,”  insists Shane Barney, Chief Information Security Officer at Keeper Security. “This is not a breach in the traditional sense, and it is not evidence of a single failure. It is the byproduct of an ecosystem that continuously harvests credentials from endpoints and quietly accumulates access over time.”  

The leaked data underscores the continually evolving, continually working nature of the modern threat landscape. Consistently, malicious actors search the digital space for exploitable vulnerabilities. 

“For security teams, the takeaway is not simply ‘change passwords,’” says Barney. “It’s recognizing that credential compromise is now a background condition of the internet. Controls need to assume that passwords will leak, that endpoints will be infected and that attackers will arrive authenticated. The question is no longer how to prevent every theft, but how effectively access is constrained once it inevitably occurs.”