Unsecured Infostealer Database Exposes 149M Usernames and Passwords
A publicly accessible database containing ~149.4 million unique usernames and passwords (about 96GB of data) was discovered online by security researcher Jeremiah Fowler. The trove included not just credential pairs but also associated site links, indicating it was designed to enable direct account access across many services; major concentrations included Gmail (48M), Facebook (17M), Instagram (6.5M), Yahoo (4M), Netflix (3.4M), Outlook (1.5M), iCloud (900K), and Binance (420K). The database was reportedly not encrypted and not password-protected, and it also contained credentials tied to .gov domains from multiple countries, raising risks of follow-on activity such as spearphishing, impersonation, and potential access attempts against government networks.
Fowler reported the exposure to the hosting provider, and the database was subsequently removed for terms-of-service violations; Fowler said he could not determine who owned or operated the dataset. Reporting indicates the database likely aggregated logs from infostealer malware, which commonly uses techniques like keylogging to capture credentials from infected devices; Fowler noted the dataset continued to grow over roughly a month while he worked to reach the host. The hosting arrangement was described as a global provider using regional affiliates, with the exposed instance attributed to an affiliate in Canada, and the provider was not publicly named.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Public reporting warns exposed credentials could fuel fraud and account takeovers
News coverage on January 23, 2026 publicized the exposure of credentials tied to major consumer services, financial platforms, and government domains. Reports warned the data could be used for credential stuffing, phishing, identity theft, financial fraud, and possible downstream access to government systems.
Hosting provider suspends access to the exposed database
The hosting provider ultimately removed or secured the database for terms-of-service violations after Fowler's report. The owner or operator of the database was not identified publicly.
Fowler reports the database to the hosting provider
After identifying the exposure, Fowler contacted the hosting provider to request remediation. Reports indicate there were delays and uncertainty over hosting responsibility and control of the IP address.
Exposed credential database continues growing during takedown effort
While Fowler worked for nearly a month to get the database removed, the dataset reportedly continued to grow, suggesting ongoing collection or updates. The contents and structure were assessed as consistent with aggregation from infostealer and keylogging malware rather than a single breach.
Jeremiah Fowler discovers exposed database with 149 million credentials
Security researcher Jeremiah Fowler found a publicly accessible 96 GB database containing 149,404,754 usernames, passwords, email addresses, and login URLs. The data was unencrypted, not password-protected, and appeared accessible through a web browser.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Massives Datenleck bedroht rund 150 Millionen Benutzer | CSO Online
csoonline.com
Open source48M Gmail, 6.5M Instagram Exposed Online From Unprotected Database
cybersecuritynews.com
Open sourceMillions of Gmail, Facebook and other account credentials exposed | SC Media
scworld.com
Open sourceData Leak Exposes 149M Logins, Including Gmail, Facebook
techrepublic.com
Open source149 Million Usernames and Passwords Exposed by Unsecured Database | WIRED
wired.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026
Exposed Elasticsearch Database Leaked 24 Billion Stolen Credentials
Researchers uncovered an exposed **Elasticsearch** database containing roughly **24 billion** plaintext credential records, including usernames, email addresses, passwords, and associated login URLs. The dataset was estimated at more than **8 terabytes** and appeared to aggregate data from **36 sources**, including infostealer logs, Telegram channels, prior breach collections, local database dumps, and exports from live servers. Investigators said the database was publicly accessible before being taken offline, but the owner could not be identified. The exposed records create a significant risk of **credential stuffing**, account takeover, and broader identity abuse at global scale, especially for users who do not use **multi-factor authentication**. Researchers reported that more than 30 of the sources were linked to Telegram channels and that **22.6 billion** entries were broadly labeled as “collections,” while signs of regular updates suggested the dataset was being actively curated. They also found records referencing **CVE** identifiers, GitHub links, breach news, and social media posts about incidents, indicating the operator may have been monitoring the cybersecurity landscape while maintaining the credential trove.
Jun 19, 2026
Massive Aggregation of Stolen Credentials Added to Have I Been Pwned
Have I Been Pwned (HIBP) has incorporated a new dataset containing 183 million unique stolen email and password pairs, sourced and aggregated by a U.S. college student known as Ben for the cybersecurity company Synthient. The dataset, totaling 23 billion rows and 3.5 terabytes, was compiled from infostealer malware logs, Telegram groups, Tor sites, and various underground forums, reflecting the industrial scale at which credentials are stolen, traded, and reused across the dark web. Security experts note that this aggregation highlights the persistent threat posed by credential theft, password reuse, and the automation of attacks, which collectively undermine digital trust and make traditional defenses less effective. The Synthient dataset is notable for its breadth, as it combines real credentials captured from infostealer malware with credential stuffing lists, rather than being the result of a single breach. This collection process demonstrates how stolen credentials move through a digital supply chain, being shared, merged, and resold repeatedly. The exposure of such a vast number of credentials underscores the importance of maintaining visibility into leaked data, enforcing multi-factor authentication, and adopting stronger authentication practices to mitigate the risks associated with widespread credential compromise.
Mar 21, 2026