LONDON, Jan 24, 2026, 12:01 (GMT)
- Researcher Jeremiah Fowler said he found 149,404,754 unique logins and passwords in an unsecured online database later taken offline.
- The cache included an estimated 48 million Gmail credentials, plus logins tied to social media, streaming, crypto and some government domains.
- Analysts said cheap “infostealer” malware services can turn such data into automated account-takeover attempts.
An unprotected online database holding about 149 million stolen usernames and passwords — including roughly 48 million linked to Gmail accounts — has been taken offline after a researcher flagged it to the host, according to a report by cybersecurity researcher Jeremiah Fowler. Fowler said the 96-gigabyte cache was “not password-protected or encrypted.” (ExpressVPN)
The discovery matters because collections like this can be plugged straight into credential stuffing — automated attempts to reuse stolen passwords across popular services — and into more targeted phishing, especially when records include direct login links.
It also lands at a moment when infostealer malware, malicious software designed to quietly pull credentials from infected devices, has become a steady pipeline for criminals rather than a one-off smash-and-grab.
Fowler called the cache a “dream wish list for criminals” in an interview with WIRED. Allan Liska, a threat intelligence analyst at Recorded Future, said infostealers create a “very low barrier of entry” and noted that renting popular infrastructure can cost $200 to $300 a month. (WIRED)
TechRepublic reported the exposed logs went beyond a flat list of passwords, bundling email addresses, usernames and direct links to the sites where the credentials could be tried. That packaging can speed up automated account takeover attempts before users change passwords or providers lock accounts. (TechRepublic)
Fowler said the records he reviewed spanned social media, streaming services, dating apps and financial accounts, including banking and crypto trading logins in a limited sample.
He also flagged the presence of credentials tied to government “.gov” domains, which could be used for impersonation or as an entry point for deeper intrusions, depending on what access those accounts carry.
The database carried no ownership information, he said, and it took multiple attempts and nearly a month before the hosting was suspended.
Fowler said the number of records grew between his discovery and the takedown, raising the chance that others could have copied the trove while it was exposed.
Security Magazine said the cache included an estimated 48 million Gmail accounts, 4 million Yahoo logins and 1.5 million for Microsoft Outlook, alongside millions more tied to social platforms and streaming services. Shane Barney, chief information security officer at Keeper Security, said: “This is not a breach in the traditional sense.” (Securitymagazine)
SC Media said the database differed from earlier infostealer troves Fowler has seen, with extra fields such as a reversed hostname and a line hash used to tag each record as unique. “Infostealer breaches like this do not just expose isolated accounts,” Boris Cipot, a senior security engineer at Black Duck, said in an email. (SC Media)
One uncertainty: the exposed credentials may be a mix of old and new, and many may no longer work if users changed passwords or providers forced resets. But if a device is still infected with malware, simply updating passwords can be short-lived because the next login may be captured again.
Security researchers generally advise users to enable two-factor authentication — an extra login step such as a code or app prompt — and to avoid reusing passwords across sites. Companies, meanwhile, tend to watch for automated sign-in spikes and block suspicious logins, but those controls can be uneven across services.
The takedown removes one public copy of the database, but credential collections often spread quickly once discovered. For organisations, the broader message is familiar: stolen passwords remain a common entry point, and the pipeline feeding them is not slowing.
