Cybersecurity researcher Jeremiah Fowler has uncovered a massive data leak containing more than 149 million unique logins and passwords, which he disclosed to ExpressVPN. The findings of his research were lated published by ExpressVPN to help raise public awareness and highlight the growing risks posed by large-scale data breaches.
The exposed database was neither password-protected nor encrypted and held approximately 149,404,754 login credentials, amounting to nearly 96GB of raw data. A limited review revealed thousands of files containing email addresses, usernames, passwords, and direct URLs to login or authorization pages. Fowler said the discovery underscores the global threat posed by credential-stealing malware, which collects stolen data and stores it in cloud-based repositories. The incident also shows that even cybercriminals are vulnerable to breaches, as the database was publicly accessible to anyone who found it.
The leaked records span users from around the world and cover a wide range of online services. These include social media platforms such as Facebook, Instagram, TikTok and X (formerly Twitter), dating apps, and OnlyFans accounts linked to both creators and subscribers. Streaming and entertainment services like Netflix, HBO Max, Disney+, and Roblox were also present, alongside financial services, crypto wallets, trading platforms, banking logins, and credit card details.
One of the most serious concerns was the presence of credentials linked to government (.gov) domains from multiple countries. While not all such accounts provide access to sensitive systems, even limited access could be exploited for spear-phishing, impersonation, or as a foothold into government networks, posing potential national security and public safety risks.
Estimated breakdown of exposed email providers included:
-
48 million Gmail accounts
-
4 million Yahoo accounts
-
1.5 million Outlook accounts
-
900,000 iCloud accounts
-
1.4 million .edu addresses
Other notable accounts identified:
-
17 million Facebook accounts
-
6.5 million Instagram accounts
-
780,000 TikTok accounts
-
3.4 million Netflix accounts
-
100,000 OnlyFans accounts
-
420,000 Binance accounts
Security experts warn that the scale and detail of the leaked data significantly increases the risk of credential-stuffing attacks, where criminals automatically test stolen usernames and passwords across multiple services. Because the dataset includes exact login URLs, attackers could more easily launch fraud, identity theft, financial crimes, and highly targeted phishing campaigns that appear legitimate.
Fowler noted that malware used to steal credentials can spread through malicious email attachments, fake software updates, compromised browser extensions, or deceptive online ads. Once installed, such malware can operate silently, harvesting new passwords even after users change them. Antivirus and endpoint security software, along with regular operating system updates, remain critical first lines of defence.
Experts also caution that exposed email addresses and account associations allow criminals to build detailed personal profiles, increasing the effectiveness of social engineering, harassment, or extortion attempts. As a precaution, users are advised to enable two-factor authentication, review login activity, avoid password reuse, and consider password managers alongside robust antivirus protection.
While it may seem ironic that stolen data of this scale was left unsecured, researchers say such lapses are common. Criminal groups often prioritise speed and volume over operational security, storing sensitive data on misconfigured servers. Once exposed, these datasets are frequently copied and redistributed, making the damage difficult to undo.
