LONDON, Jan 24, 2026, 12:01 (GMT)
- Researcher Jeremiah Fowler discovered 149,404,754 unique logins and passwords in an unsecured online database, which was later taken offline.
- The cache contained roughly 48 million Gmail credentials, along with logins linked to social media, streaming services, crypto accounts, and a few government domains.
- Analysts warned that low-cost “infostealer” malware services can automate account takeovers using this kind of data.
An open online database containing around 149 million stolen usernames and passwords — with about 48 million tied to Gmail accounts — has been taken down after a researcher alerted its host, cybersecurity expert Jeremiah Fowler reported. Fowler noted the 96-gigabyte dump was “not password-protected or encrypted.” 1
This discovery is significant because such collections feed directly into credential stuffing—automated attacks that try stolen passwords on various popular sites—and fuel more precise phishing campaigns, especially when the data contains direct login URLs.
This comes at a time when infostealer malware—malicious software that sneaks credentials off infected devices—has shifted from isolated hits to a constant source of crime.
Fowler described the cache as a “dream wish list for criminals” during an interview with WIRED. Allan Liska, a threat intelligence analyst at Recorded Future, pointed out that infostealers offer a “very low barrier of entry” and mentioned that renting top-tier infrastructure usually runs between $200 and $300 a month. 2
TechRepublic revealed the exposed logs included more than just a basic list of passwords. They contained email addresses, usernames, and direct links to the sites where those credentials could be tested. This setup makes it easier for attackers to quickly automate account takeovers before users update their passwords or platforms deactivate compromised accounts. 3
Fowler noted that the records he examined covered everything from social media and streaming platforms to dating apps, along with financial accounts like banking and crypto trading logins, all within a limited sample.
He also pointed out credentials linked to government “.gov” domains, which might be exploited for impersonation or serve as a gateway for more extensive breaches, depending on the level of access those accounts hold.
He said the database lacked any ownership details, and it took several tries over nearly a month before the hosting was finally shut down.
Fowler noted that the volume of records increased from the moment he found the data to when it was taken down, which boosted the risk that others might have copied the stash during that window.
Security Magazine reported the cache contained roughly 48 million Gmail accounts, 4 million Yahoo logins, and 1.5 million for Microsoft Outlook, plus millions linked to social media and streaming platforms. Shane Barney, Keeper Security’s chief information security officer, noted, “This is not a breach in the traditional sense.” 4
SC Media noted the database stood out from previous infostealer dumps Fowler has examined, featuring extra fields like a reversed hostname and a unique line hash for each record. “Infostealer breaches like this don’t just leak isolated accounts,” Boris Cipot, senior security engineer at Black Duck, told SC Media in an email. 5
One unknown: the exposed credentials could include both outdated and current ones, and many might no longer be valid if users updated passwords or providers forced resets. Still, if malware remains on the device, changing passwords might only offer temporary relief since the next login could be intercepted again.
Security experts usually recommend turning on two-factor authentication—an added login step like a code or app prompt—and steering clear of password reuse. On the company side, many monitor for sudden spikes in automated sign-ins and block dubious attempts, though these defenses vary widely between services.
Taking down one public copy of the database is just a small win—credential dumps tend to circulate rapidly after they surface. For organisations, the warning stays the same: stolen passwords continue to be a major weak spot, and the flow supplying them shows no sign of letting up.
