Jeremiah Fowler, a veteran security researcher, recently stumbled upon 149,404,754 unique logins and passwords, totaling about 96GB of raw data.
There was no encryption… and it didn’t even have a password.
Sharing his findings with ExpressVPN, Fowler noted, “The publicly exposed database was not password-protected or encrypted.” The collection was so large and detailed that it wasn’t just a list of names; it included emails, usernames, passwords, and the specific website links needed to log into the accounts.
The scale of this exposure covers almost every corner of the internet. While consumer accounts like Gmail and Facebook make up the largest chunk, the database also contained sensitive logins for cryptocurrency exchanges and even dating sites.
| Platform | Estimated Compromised Accounts |
|---|---|
| Gmail | 48 Million |
| Facebook | 17 Million |
| Instagram | 6.5 Million |
| Yahoo | 4 Million |
| Netflix | 3.4 Million |
| Outlook | 1.5 Million |
| .edu | 1.4 million |
| iCloud | 900,000 |
| TikTok | 780,000 |
| Binance | 420,000 |
| OnlyFans | 100,000 |
Perhaps most alarmingly, the cache also contained credentials linked to .gov domains from multiple countries.
While not every government account leads to sensitive systems, their presence raises serious flags. “Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks,” Fowler noted.
How the data was likely collected
So, where did this mountain of data come from?