A staggering 96GB database containing 149 million unique login credentials sat exposed on the internet for weeks, accessible to anyone with a web browser. No password required.
Security researcher Jeremiah Fowler discovered the unsecured trove, which reads like a criminal's shopping list: 17 million Facebook accounts, 6.5 million Instagram logins, 3.4 million Netflix credentials, and roughly 420,000 Binance crypto exchange accounts. Banking logins, government email addresses from .gov domains across multiple countries, and even OnlyFans creator accounts were all sitting in plain sight.
"This is not the first dataset of this kind I have discovered, and it only highlights the global threat posed by credential-stealing malware," Fowler noted in his findings shared with ExpressVPN.
How Criminals Build Their Vault
The database appears to be a collection from infostealer malware — malicious programs that silently record everything you type on infected devices. What makes this cache particularly dangerous is its organization. Each stolen credential included the victim's email address, username, password, and the exact URL they used to log in. Criminals could automate attacks across millions of accounts without lifting a finger.
The Breakdown: Who Got Hit Hardest
Email providers bore the brunt of the exposure. Gmail users accounted for 48 million compromised accounts — nearly a third of the entire database. Yahoo users contributed 4 million credentials, while Outlook and iCloud users lost 1.5 million and 900,000 accounts, respectively. Educational institutions weren't spared either, with 1.4 million .edu email addresses included.
Social media platforms accounted for the majority of service-specific breaches. Facebook led with 17 million stolen logins, followed by Instagram with 6.5 million, and TikTok with 780,000. The entertainment sector showed streaming habits are a prime target: Netflix credentials topped 3.4 million, while 100,000 OnlyFans accounts were exposed — affecting both creators and subscribers.
The financial exposure is particularly alarming. Binance, one of the world's largest cryptocurrency exchanges, exposed 420,000 user credentials. Traditional banking and credit card logins peppered throughout the database, though exact counts weren't disclosed for these high-value targets.
The records used a reversed hostname structure (formatted as com.example.user.machine) to index stolen data by victim and source, suggesting a sophisticated operation designed for easy searching and credential stuffing (automated login attempts using stolen passwords across multiple sites).
The Government Problem
Perhaps most concerning: credentials tied to government domains appeared throughout the database. While not all .gov accounts access classified systems, even basic access could enable spear-phishing campaigns, impersonation attacks, or serve as entry points into broader government networks.
Fowler reported the database to the hosting provider, but action took nearly a month. During that window, the number of stolen records actually increased, suggesting the database was still being actively fed by infected devices worldwide.
What You Should Do Right Now
If you're among the estimated 34% of U.S. adults without antivirus software, this is your wake-up call. Changing passwords on an infected device is pointless — the malware will just capture the new one.
First, run a complete antivirus scan. Update your operating system to apply available patches for known vulnerabilities. Then enable two-factor authentication on every account that offers it. Review your app permissions, browser extensions, and delete anything you don't recognize.
Stop reusing passwords. Full stop. A password manager won't protect you from advanced malware, but it dramatically reduces your risk profile against basic keyloggers and credential stuffing attacks.
The irony? Even cybercriminals aren't immune to data breaches. Their misconfigured cloud server just exposed their entire operation. For everyone else, it's a stark reminder that your credentials are valuable currency in an underground economy you never agreed to participate in.
Check your email against known breach databases at haveibeenpwned.com, and assume the worst if you haven't updated your security practices in years. Because somewhere in those 149 million stolen logins, your Netflix password might be the least of your problems.