Outlook Business Desk
A major cybersecurity lapse exposed 149,404,754 unique usernames and passwords, nearly 96 GB in size. The data was stored without encryption or access protection, allowing anyone to access the credentials freely and raising serious concerns about online security.
Cybersecurity researcher Jeremiah Fowler discovered the massive data leak and reported his findings through ExpressVPN. The credentials were openly accessible online, exposing serious security failures and showing that sensitive login details from multiple platforms were available without any direct hacking involved.
Fowler found login details linked to nearly every major online platform. The exposed data covered social media accounts such as Facebook, Instagram, TikTok and X, along with dating apps, OnlyFans, streaming services including Netflix and Disney Plus, and even banking and government-linked accounts.
The leak exposed around 17 million Facebook accounts, 6.5 million Instagram logins, 780,000 TikTok accounts and several X credentials. The scale of exposure shows how vulnerable social media platforms remain, with compromised accounts often becoming entry points for wider online misuse.
Nearly 3.4 million Netflix login details were exposed, along with accounts linked to HBO Max, Disney Plus and Roblox. While exact figures for some platforms remain unclear, the leak shows that popular entertainment services were also vulnerable to large-scale credential exposure.
The exposed data also included financial and government-related logins, with around 420,000 Binance accounts, several banking credentials and .gov domain logins from multiple countries. The scale of exposure has raised serious concerns over possible misuse of sensitive financial and official information.
Fowler said the database appeared to be generated by infostealer malware that quietly steals login details from infected devices. The number of records kept increasing while the database remained online, indicating the malware was actively feeding new stolen credentials into it.
Fowler urged users to scan devices for malware, rely on password managers, enable two-factor authentication and avoid reusing passwords. He warned that changing passwords alone offers little protection if malware remains active, as new credentials can still be captured.