Cybersecurity researcher Jeremiah Fowler has uncovered a massive unsecured database containing 149 million unique usernames and passwords, exposing credentials from people around the world. The findings were shared with ExpressVPN and published to raise awareness about growing credential-theft risks.

The database was not encrypted or password-protected and held nearly 96GB of raw credential data. Anyone who discovered it could search through stolen login details using only a web browser. During a limited review, thousands of records were found containing email addresses, usernames, plaintext passwords, and direct login URLs. Even more concerning, the number of records increased while the database remained publicly accessible.

Accounts Affected and National Security Concerns

The exposed credentials covered almost every type of online service. These included social media platforms like Facebook, Instagram, TikTok, and X, along with streaming services such as Netflix, Disney+, and HBO Max. Financial services, crypto wallets, banking logins, and even OnlyFans accounts linked to both creators and subscribers were also present.

A particularly serious concern was the exposure of .gov email credentials from multiple countries. While not all government accounts grant access to sensitive systems, even limited access could be exploited for impersonation, targeted phishing, or as an entry point into government networks. This raises potential national security and public safety risks, depending on the role and permissions of the compromised users.

How the Data Was Collected and What Users Should Do

The database appears to have been generated by infostealer and keylogging malware, which silently harvests credentials from infected devices. The data was highly structured, using reversed hostnames and unique hash-based identifiers, indicating a large-scale and organized credential-harvesting operation. Despite responsible disclosure, it took nearly a month before the hosting was suspended, and the ownership of the database remains unknown.

For users, experts warn that changing passwords alone is not enough if a device is infected. Devices should first be scanned for malware using updated antivirus or security software. Keeping operating systems and browsers up to date, enabling two-factor authentication, avoiding password reuse, and regularly reviewing login activity are essential steps to reduce risk. While password managers can help protect against basic keylogging, they cannot fully defend against advanced malware on compromised systems.


FAQ

What is an infostealer database?
An infostealer database contains usernames, passwords, and login details collected by malware from infected devices without user knowledge.

What types of accounts were exposed?
The leak included social media, streaming services, crypto wallets, banking logins, adult platforms, and even government-related accounts.

Why are .gov credentials especially dangerous?
Government-linked accounts can be abused for impersonation, spear-phishing, or as entry points into sensitive networks, posing security risks.

Should I just change my passwords?
No. If malware is present, new passwords can also be stolen. Devices must be scanned and cleaned before updating credentials.

How can users protect themselves?
Use antivirus software, enable two-factor authentication, avoid password reuse, keep systems updated, and review login activity regularly.
