Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing 184,162,718 unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled senha. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly.
The exposed records are believed to be linked to infostealer malware and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling 16 billion credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Group-IB says 16 billion-password cache is recycled stealer-log data
Group-IB analyzed samples from the reported 16 billion-password dataset and concluded it was not a new mega-breach but a compilation of previously leaked stealer-log data, with decipherable credentials tracing to public leaks from 2021 to 2023. The firm said no sampled credential was first recorded in 2025, the newest verified compromise dated to April 2024, and it found no credible evidence that the full collection was being sold on dark-web markets at the time of analysis.
Forbes reports broader 16 billion-password leak claims
Forbes published a report describing a much larger leak allegedly involving 16 billion passwords tied to Apple, Facebook, Google, and other services. Based on the provided reference, no additional underlying event details were available to determine whether this was the same dataset or a separate incident.
Hosting provider restricts public access after disclosure
After Fowler responsibly disclosed the exposed database to World Host Group, public access to the server was restricted. The owner of the database remained unidentified.
Affected users confirm exposed credentials are authentic
Fowler contacted affected individuals to verify the data, and several confirmed that the exposed credentials matched their real passwords. This established that the database contained valid account information rather than fabricated or test data.
Researcher discovers exposed database with 184 million credentials
Cybersecurity researcher Jeremiah Fowler found an unprotected, non-encrypted 47.42 GB database containing 184,162,718 unique usernames and passwords. The records affected accounts tied to major platforms and government portals across 29 countries, and the dataset's structure suggested collection via infostealer malware.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Social Insecurity: Billions of Social Security Number and Passwords | UpGuard
upguard.com
Open sourceHacker reveals 6.8 billion emails online and warns victims “your data is public” | Cybernews
cybernews.com
Open sourceIs The Truth Behind The 16 Billion Passwords Leak Finally Revealed?
forbes.com
Open source16 Billion Apple, Facebook, Google And Other Passwords Leaked
forbes.com
Open source184 Million Users' Passwords Exposed From an Open Directory Controlled by Hackers
cybersecuritynews.com
Open sourceMajor data leak exposes Facebook, Snapchat passwords | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unsecured Infostealer Database Exposes 149M Usernames and Passwords
A publicly accessible database containing **~149.4 million unique usernames and passwords** (about **96GB** of data) was discovered online by security researcher **Jeremiah Fowler**. The trove included not just credential pairs but also associated site links, indicating it was designed to enable direct account access across many services; major concentrations included **Gmail (48M)**, **Facebook (17M)**, **Instagram (6.5M)**, **Yahoo (4M)**, **Netflix (3.4M)**, **Outlook (1.5M)**, **iCloud (900K)**, and **Binance (420K)**. The database was reportedly **not encrypted and not password-protected**, and it also contained credentials tied to **.gov domains** from multiple countries, raising risks of follow-on activity such as spearphishing, impersonation, and potential access attempts against government networks. Fowler reported the exposure to the hosting provider, and the database was subsequently **removed for terms-of-service violations**; Fowler said he could not determine who owned or operated the dataset. Reporting indicates the database likely aggregated logs from **infostealer malware**, which commonly uses techniques like **keylogging** to capture credentials from infected devices; Fowler noted the dataset continued to **grow over roughly a month** while he worked to reach the host. The hosting arrangement was described as a global provider using regional affiliates, with the exposed instance attributed to an affiliate in **Canada**, and the provider was not publicly named.
Mar 21, 2026
Exposed Elasticsearch Database Leaked 24 Billion Stolen Credentials
Researchers uncovered an exposed **Elasticsearch** database containing roughly **24 billion** plaintext credential records, including usernames, email addresses, passwords, and associated login URLs. The dataset was estimated at more than **8 terabytes** and appeared to aggregate data from **36 sources**, including infostealer logs, Telegram channels, prior breach collections, local database dumps, and exports from live servers. Investigators said the database was publicly accessible before being taken offline, but the owner could not be identified. The exposed records create a significant risk of **credential stuffing**, account takeover, and broader identity abuse at global scale, especially for users who do not use **multi-factor authentication**. Researchers reported that more than 30 of the sources were linked to Telegram channels and that **22.6 billion** entries were broadly labeled as “collections,” while signs of regular updates suggested the dataset was being actively curated. They also found records referencing **CVE** identifiers, GitHub links, breach news, and social media posts about incidents, indicating the operator may have been monitoring the cybersecurity landscape while maintaining the credential trove.
Jun 19, 2026
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026