Unsecured Database Leaks 149 Million User Credentials Across Major Platforms

Aegiron 4 mins0

A huge database of login credentials — nearly 149 million usernames and passwords — was found publicly exposed online without any protection (no encryption, no password) by cybersecurity researcher Jeremiah Fowler. The set contained raw credential data worth ~96 GB of information that included usernames, email addresses, and passwords for many popular services.

This was not a breach of the companies themselves (e.g., Google, Meta), but rather an exposed stash of credentials likely collected from users’ devices by malicious software (credential-stealing infostealer malware) and stored on a misconfigured cloud database.

  • Gmail: 48 million
  • Facebook: 17 million
  • Instagram: 6.5 million
  • Yahoo: 4 million
  • Netflix: 3.4 million
  • Outlook: 1.5 million
  • iCloud: 900k
  • TikTok: 780k
  • Binance: 420k
  • OnlyFans: 100k

What Kinds of Accounts Were Included?

According to researchers analyzing samples of the data:

  • Email accounts – including Gmail (reported ~48 million), Yahoo, and Outlook accounts
  • Social media – Facebook (~17 million), Instagram (~6.5 million), TikTok, X
  • Streaming & entertainment – Netflix and others
  • Financial accounts – Binance, banking logins
  • Sites like OnlyFans also appeared in small numbers of exposed credentials
  • Dating, gaming, and other platforms were also part of the dataset
    (Data from multiple reporting sources on the breach)

How Did It Happen?

This wasn’t a hack of the platforms themselves, but likely the result of infostealer malware — malicious software that:

  • infects a user’s device,
  • captures entered credentials (keylogging/screen scraping),
  • aggregates those stolen credentials in a repository,
  • and in this case, accidentally exposed them because the database wasn’t secured.

This kind of malware spreads through deceptive downloads, fake updates, compromised browser extensions, and similar attack vectors.

What Should You Do to Protect Yourself?

Experts recommend these steps if you might be affected:

  1. Scan devices for malware — Don’t just change passwords; first check that your phone/computer isn’t infected.
  2. Use a reputable antivirus or anti-malware tool and keep it updated.
  3. Enable Two-Factor Authentication (2FA) everywhere possible — adds a second layer of protection even if a password leaks.
  4. Use a password manager — to generate and store unique, strong passwords so you aren’t reusing the same one across sites.
  5. Avoid reusing passwords across multiple accounts.

Key Things to Know

  • This isn’t a confirmed “hack” of Gmail or Instagram servers — it’s credentials collected from other sources.
  • The exposed database has since been taken offline after researchers reported it.
  • Because the credentials were collected externally, standard platform security (like 2FA and signals of suspicious login attempts) still matters.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.