- An unprotected database has exposed over 149 million username/password combinations to the public.
- Most of the exposed data relates to accounts on major financial and social networking sites (e.g. Yahoo, Gmail, Facebook, Instagram, TikTok, Binance).
- The scale of the breach creates tremendous risks for affected individuals, and those risks increase significantly in the era of modern-day cybercrime.

An enormous database containing close to 150 million different usernames and passwords for stolen accounts (many of which were previously unsecured) has recently been discovered on the internet. Cybersecurity researcher Jeremiah Fowler found the database, which had not been encrypted or secured in any way and could be accessed with a normal web browser.
Cybercriminals can access highly sensitive personal and financial information through this data breach, and they may continue threatening individuals long after people believe they are safe.
The researcher noted that the exposed database contains 149,404,754 total logins (96 gigabytes of data). The exposed database belongs to no single company; rather, it is a compilation of information harvested from individuals whose computers or mobile devices were infected with “infostealer” malware.
As a result, criminals are able to access all of your personal information – every keystroke you make, including passwords to your email, bank accounts, and social media accounts – without having to do anything to gain physical access to your computers.
To compound the issue, the data also contains the specific website addresses associated with these logins, giving criminals the advantage of knowing where to go to find documentation of your digital life.
The Types of Accounts Exposed
The array of stolen credentials is alarming and vividly illustrates the extent to which the malware reached. The exposures hit the following account types:
Email and Communications:
- Gmail – 48 million accounts
- Yahoo – 4 million accounts
- Outlook – 1.4 million accounts
- iCloud – 900 thousand accounts
- .edu – 1.4 million accounts
Social and Entertainment:
- Facebook – 17 million logins
- Instagram – 6.5 million logins
- TikTok – 780 thousand logins
- Netflix – 3.4 million logins
- OnlyFans – 100 thousand logins
Finance and Government:
- Binance – 420 thousand crypto accounts
- Some login credentials related to .gov email domains that belong to several countries.
How Could This Happen?
The discovery of this database presents an irony within the cybercrime industry. Though cybercriminals use very sophisticated malware to steal information, they store the stolen data with extremely poor security. In this instance, investigators found the database on a misconfigured cloud server that lacked password protection.
Such massive caches of credentials are a primary commodity of the digital underground, similar to the recent alleged leak of 4.9 million user records from the investment platform Republic.com on the dark web.
Fowler spent nearly a month following up with the hosting organization to get the database taken down. During that time, the number of records kept increasing, indicating that attackers continued adding newly stolen data from other victims.
Cybercriminals commonly use infostealer malware to steal data. They spread it through phishing emails, fake software updates, and compromised websites. Once installed—often without the user’s knowledge—the malware quietly records every keystroke.
According to the Cybersecurity and Infrastructure Security Agency (CISA), infostealer malware represents a huge and ongoing threat for both individuals and companies. As part of effective cyber hygiene, CISA encourages strong passwords, frequent software updates, two-factor authentication (2FA), and extreme vigilance before clicking on suspicious hyperlinks.
When managing your web-based accounts, you need to treat them as seriously as your physical wallet. In today’s digital environment, this is not optional; it is critical to your overall safety.