Cybersecurity researcher Jeremiah Fowler has discovered an unprotected database containing nearly 150 million stolen login credentials, exposing users of major platforms including Gmail, Facebook, Instagram, and OnlyFans to potential identity theft and fraud. The 96-gigabyte database was found publicly accessible online without any password protection or encryption, leaving all credentials in plain text for anyone to read.
The breach affects accounts across dozens of popular services. Gmail leads with 48 million exposed credentials, followed by Facebook with 17 million accounts, Instagram with 6.5 million, Yahoo with 4 million, and Netflix with 3.4 million compromised logins. Other affected platforms include Outlook with 1.5 million accounts, educational institutions with 1.4 million .edu domain credentials, iCloud with 900,000 accounts, TikTok with 780,000, the cryptocurrency exchange Binance with 420,000, and the adult content platform OnlyFans with 100,000 exposed accounts.
The stolen data was harvested through infostealer malware, a type of malicious software designed to silently capture keystrokes, login credentials, and account URLs from infected devices. Security experts warn that this type of malware often spreads through phishing emails, malicious downloads, and compromised websites, making it particularly dangerous because victims typically remain unaware their credentials have been stolen.
One of the most alarming aspects of the breach involves credentials associated with government domains from numerous countries. While not every compromised government account grants access to sensitive systems, security analysts caution that even limited access could have serious national security implications depending on the role and permissions of the affected users.
Fowler reported the exposed database to the hosting provider through their abuse channel. The response took approximately one month before the hosting was eventually suspended. The provider declined to disclose who managed the database or explain its intended purpose, leaving questions about the perpetrators unanswered.
Cybersecurity experts urge all internet users to take immediate protective measures. Users should change passwords across all services, especially if they reuse credentials on multiple platforms. Enabling two-factor authentication provides an additional security layer even if passwords are compromised. Security professionals also recommend using reputable password managers to generate and store unique passwords for each account, while remaining vigilant against phishing attempts that may exploit the leaked data.
Comments