Massive Data Breach: 149 Million Gmail, Facebook and Netflix Passwords Exposed, Says Report
A vast database containing nearly 149 million usernames and passwords has been discovered exposed online, raising fresh concerns about how stolen digital credentials are stored and shared. The incident was not caused by a direct cyberattack on major platforms, but by a massive cache of data left completely unsecured and accessible without any password or encryption.
The exposure was identified by cybersecurity researcher Jeremiah Fowler, who found 149,404,754 unique login records amounting to about 96GB of raw credential data openly available on the internet. Fowler shared details of the discovery through ExpressVPN, warning that anyone with the right link could access the information.
The exposed database contained login details tied to a wide range of popular online services. These included social media platforms such as Facebook , Instagram, TikTok and X (formerly Twitter), as well as dating platforms and creator-focused services like OnlyFans.
Entertainment and streaming accounts were also heavily impacted. Credentials linked to Netflix , HBO Max, Disney Plus and Roblox appeared in the dataset, alongside sensitive logins for financial services, crypto wallets, online banking and even government-related (.gov) domains from several countries.
Scale of the exposure
Fowler estimates the database included credentials from across multiple categories:
How did the data get exposed?
According to Fowler, the database appears to have been compiled using “infostealer” malware — malicious software designed to quietly infect devices and harvest saved usernames and passwords. Once collected, the stolen data was stored in an online repository that was left completely unprotected.
“When data is collected, stolen, or harvested it must be stored somewhere and a cloud-based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches,” Fowler said in his report.
Was the data taken down?
Fowler said he reported the unsecured database to the hosting provider, but it took nearly a month for access to be suspended. During that time, the number of exposed records continued to rise, indicating that the malware was still feeding newly stolen credentials into the database.
The hosting provider has not disclosed who controlled the data, and it remains unclear whether the information was gathered for criminal use or under the guise of research.
Fowler cautioned that simply changing passwords may not be enough if a device is infected with malware, as new credentials can also be captured. He recommends several steps to reduce risk:
Scan devices for malware:
Malware often spreads through malicious email attachments, fake software updates, compromised browser extensions and deceptive ads. Users should install reputable antivirus software and run full scans. Mobile users should update their operating systems, security tools and review app permissions, especially those linked to keyboards and accessibility settings.
Use a password manager:
Password managers encrypt stored credentials and can help protect against basic keyloggers that capture typed passwords.
Enable two-factor authentication:
Adding two-factor or biometric authentication provides an extra layer of security, even if a password is compromised.
Avoid password reuse:
Passwords should never be reused across different apps, websites or services, as one leak can otherwise unlock multiple accounts.
The incident serves as a reminder that even when platforms themselves are not breached, unsecured data storage can still put millions of users at risk.
The exposure was identified by cybersecurity researcher Jeremiah Fowler, who found 149,404,754 unique login records amounting to about 96GB of raw credential data openly available on the internet. Fowler shared details of the discovery through ExpressVPN, warning that anyone with the right link could access the information.
Which platforms were affected?
The exposed database contained login details tied to a wide range of popular online services. These included social media platforms such as Facebook , Instagram, TikTok and X (formerly Twitter), as well as dating platforms and creator-focused services like OnlyFans.
Entertainment and streaming accounts were also heavily impacted. Credentials linked to Netflix , HBO Max, Disney Plus and Roblox appeared in the dataset, alongside sensitive logins for financial services, crypto wallets, online banking and even government-related (.gov) domains from several countries.
Scale of the exposure
Fowler estimates the database included credentials from across multiple categories:
- Email services: Around 48 million Gmail accounts, 4 million Yahoo accounts and 1.5 million Outlook accounts
- Social media: Roughly 17 million Facebook accounts, 6.5 million Instagram accounts, 780,000 TikTok accounts and numerous X logins
- Entertainment platforms: About 3.4 million Netflix accounts, with additional exposure involving HBO Max, Disney Plus and Roblox
- Financial and government services: Approximately 420,000 Binance accounts, multiple banking logins and various government-linked credentials
How did the data get exposed?
According to Fowler, the database appears to have been compiled using “infostealer” malware — malicious software designed to quietly infect devices and harvest saved usernames and passwords. Once collected, the stolen data was stored in an online repository that was left completely unprotected.
“When data is collected, stolen, or harvested it must be stored somewhere and a cloud-based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches,” Fowler said in his report.
Was the data taken down?
Fowler said he reported the unsecured database to the hosting provider, but it took nearly a month for access to be suspended. During that time, the number of exposed records continued to rise, indicating that the malware was still feeding newly stolen credentials into the database.
The hosting provider has not disclosed who controlled the data, and it remains unclear whether the information was gathered for criminal use or under the guise of research.
How can users protect themselves?
Fowler cautioned that simply changing passwords may not be enough if a device is infected with malware, as new credentials can also be captured. He recommends several steps to reduce risk:
Scan devices for malware:
Malware often spreads through malicious email attachments, fake software updates, compromised browser extensions and deceptive ads. Users should install reputable antivirus software and run full scans. Mobile users should update their operating systems, security tools and review app permissions, especially those linked to keyboards and accessibility settings. Use a password manager:
Password managers encrypt stored credentials and can help protect against basic keyloggers that capture typed passwords.You may also like
- Hyderabad police to deal firmly with digital blackmail, cyberstalking
- 5 dead in Hyderabad Nampally fire; Telangana Minister announces Rs 5 L ex-gratia to kin of deceased
- Sepoy's Shadow: When India's taxes funded private army to guard London's tea (From The Archives)
- Rs 400 cr 'heist': Will register FIR based on concrete evidence, not on 'hearsay', says Belagavi SP
Are You Officially Into The 'Cuffing Season'? Time You Find Yourself A 'Green Forest'
Enable two-factor authentication:
Adding two-factor or biometric authentication provides an extra layer of security, even if a password is compromised. Avoid password reuse:
Passwords should never be reused across different apps, websites or services, as one leak can otherwise unlock multiple accounts. The incident serves as a reminder that even when platforms themselves are not breached, unsecured data storage can still put millions of users at risk.
More from our partners
Loving Newspoint? Download the app now
