NEW YORK, January 25, 2026, 08:27 EST
- A researcher flagged an unsecured database containing about 149 million username-password pairs, prompting its removal from the web
- The trove contained tens of millions of logins from Gmail and Facebook, along with banking, streaming, and crypto accounts
- Researchers linked the cache to “infostealer” malware instead of a breach of a single major platform
An unsecured database holding roughly 149 million usernames and passwords — including 48 million tied to Gmail and 17 million linked to Facebook — was taken offline after a security researcher alerted the hosting provider, according to reports. Allan Liska, a threat intelligence analyst at Recorded Future, noted that “infostealers create a very low barrier of entry for new criminals,” pointing to tools available to rent for just a few hundred dollars a month. (WIRED)
This exposure is serious since password lists like these enable hackers to take over email and social media accounts—gateways to resetting credentials on other platforms. They also fuel phishing attacks, where scammers impersonate banks, colleagues, or support teams to steal additional information.
Researchers traced the cache back to “infostealer” malware—a kind of malicious software designed to stealthily grab credentials from infected devices, often by recording keystrokes. This suggests a widespread, chaotic theft happening directly on devices, rather than a targeted breach of a single company’s servers.
Jeremiah Fowler reported for ExpressVPN that the database lacked both password protection and encryption, containing 149,404,754 unique login credentials—roughly 96 gigabytes of unprocessed data. He noted that the samples included emails, usernames, passwords, and the exact URLs where the logins occurred, a factor that could accelerate automated attacks. (ExpressVPN)
The leaked cache covered a wide range of consumer services like Instagram, Netflix, TikTok, Yahoo, Outlook, and iCloud, as well as financial accounts and crypto platforms, TechRepublic reported. Fowler cautioned that credentials linked to government email domains might enable “targeted spear-phishing, impersonation, or serve as an entry point into government networks.” (TechRepublic)
People.com, referencing Fowler’s report, admitted it couldn’t independently confirm the findings and pointed out that criminals frequently leave massive data caches unsecured in their rush for speed and scale. Fowler warned that the combination of credentials and login links “dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns.” (People)
Hardly anything is known about who put together the database or how long it stayed exposed, TechRadar reported. It took nearly a month to get it taken down after the hosting provider initially blamed a subsidiary acting on its own. The outlet noted the data seemed indexed for easier searching, suggesting it was likely built for reuse rather than simply left out by mistake. (TechRadar)
But those headline figures can be deceptive. Fowler admitted he didn’t pinpoint who runs the server, and it’s still unknown how many credentials are current, how many come from active accounts, or how many were already out there.
The dataset alone doesn’t prove that Google, Meta, or any other named companies were directly hacked. Infostealer-driven data usually comes from compromised devices before being pooled, resold, reposted, and blended with older leaks.
Fowler advised users to check their account activity, strengthen security settings, and steer clear of recycling passwords on multiple sites, according to his report and related coverage. Security experts frequently recommend two-factor authentication—a backup layer involving a code or biometric scan—when passwords get compromised.
For companies and public agencies, the threat extends beyond consumer fraud. Employee email logins and “.edu” or “.gov” credentials can help attackers craft more believable phishing attempts or even access internal systems when passwords are reused.
Taking down a database doesn’t erase the fallout. Copies can circulate fast, and stolen login markets keep churning — a constant source for scams that rely more on fresh credentials and patience than on complexity.
