149 Million Passwords Left Exposed in Massive Credential Leak: What Users Must Do Now
A major cybersecurity lapse has exposed more than 149 million login credentials, putting users of popular platforms like Instagram, Gmail, Netflix, and even banking services at potential risk. This was not a traditional hack in which data is stolen through a targeted attack. Instead, the data was left sitting openly online, unprotected by encryption or passwords, where virtually anyone could access it.
The discovery was made by cybersecurity researcher Jeremiah Fowler, who found a massive database containing 149,404,754 unique usernames and passwords — roughly 96 GB of raw credential data. The records spanned nearly every type of digital service people use daily, from social media and email to streaming subscriptions and financial accounts.
Among the most affected were email accounts, with around 48 million Gmail logins, 4 million Yahoo accounts, and 1.5 million Outlook credentials exposed. Social platforms were heavily represented too, including 17 million Facebook accounts, 6.5 million Instagram users, and hundreds of thousands tied to TikTok and X. Entertainment services weren’t spared either: 3.4 million Netflix credentials were found in the mix, along with logins for platforms like HBO Max, Disney Plus, and Roblox.
More worrying, however, was the inclusion of sensitive financial data — around 420,000 Binance accounts, banking logins, crypto wallets, and even government domain credentials.
Fowler believes the database was likely compiled using “infostealer” malware — malicious software designed to silently infect devices and extract saved passwords and login details.
“When data is collected, stolen, or harvested it must be stored somewhere and a cloud-based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches,” Fowler noted in his report.
He promptly alerted the hosting provider, but it reportedly took nearly a month before the server was taken down. During that period, the number of exposed records actually grew, suggesting new stolen data was continuously being added. It remains unclear who operated the database or whether the data was collected with criminal intent.
For everyday users, simply changing passwords may not be enough. If a device is already infected, new passwords could be captured just as easily.
Fowler recommends starting with a full malware scan and installing trusted antivirus protection. Users should also update operating systems, review app permissions, and remove suspicious browser extensions.
He further advises adopting safer digital habits. A password manager can generate and securely store complex passwords. Two-factor authentication adds another layer of protection by requiring additional verification beyond just a password. Most importantly, users should avoid reusing passwords across multiple sites.
The incident serves as a stark reminder that even without sophisticated hacking, poor data security can put millions at risk — and personal vigilance remains the first line of defense.