TL;DR: Cybersecurity researcher Jeremiah Fowler discovered 149,404,754 stolen usernames and passwords sitting in a publicly accessible, unencrypted database. The 96 GB trove included 48 million Gmail accounts, 17 million Facebook logins, 6.5 million Instagram credentials, 3.4 million Netflix accounts, and credentials for banks, crypto exchanges, and government portals. The data came from infostealer malware, programs that silently record everything you type. While Fowler was investigating, the database kept growing, meaning the malware was still actively feeding it. It took the hosting provider nearly a month to pull it offline. If you reuse passwords or store them in your browser, assume your credentials are compromised.

A 96 GB Buffet of Stolen Lives

Jeremiah Fowler, a cybersecurity researcher with a track record of finding exposed databases, discovered this one sitting wide open on the internet. No password. No encryption. No access controls. Just 149 million sets of stolen credentials, available to anyone who knew where to look.

The database wasn't a hack of Google or Facebook or Netflix. None of those companies were breached. This was something worse: a collection server for infostealer malware that had been quietly harvesting credentials from infected devices. Every entry represented a real person whose computer or phone had been compromised.

And the database was still growing while Fowler was looking at it. New records were being added in real time, which means the malware network feeding it was still active: still infecting devices, still stealing passwords, still uploading them to this unprotected server.

What Was In the Database

Fowler documented the scope. Here's what 149 million stolen credentials look like broken down by service:

  • Gmail: 48 million accounts
  • Facebook: 17 million accounts
  • Instagram: 6.5 million accounts
  • Yahoo Mail: 4 million accounts
  • Netflix: 3.4 million accounts
  • Outlook: 1.5 million accounts
  • iCloud Mail: 900,000 accounts
  • TikTok: 780,000 accounts

But those are just the biggest names. The database also contained credentials for banking portals, cryptocurrency exchanges like Binance (420,000 accounts), healthcare systems, government websites, and corporate VPNs. Each entry included the username, the password in plaintext, and the direct login URL for the service: everything an attacker needs to walk right in.

How Infostealers Got Your Password

Infostealers are a category of malware designed to do exactly what the name says: steal information. They typically arrive via phishing emails, malicious downloads, cracked software, or fake browser extensions. Once installed, they silently harvest:

  • Passwords saved in your browser (Chrome, Firefox, Edge all store them in ways infostealers can read)
  • Keystrokes as you type them
  • Session cookies that let attackers hijack your active logins
  • Autofill data including credit card numbers and addresses
  • Cryptocurrency wallet files
  • Screenshots of your desktop

The major infostealer families (Lumma, RedLine, Raccoon, Vidar) operate as services. Criminals pay a subscription fee (often $150-300/month) to access the malware and a dashboard where stolen data gets uploaded. The data from this database showed hallmarks of multiple infostealer variants, suggesting it was either a collection point for several operations or a resale aggregation server.

This is the same malware ecosystem behind the 16 billion credential compilation reported in January. That dump was years of compiled stealer logs. This database was a live, active collection, still receiving fresh stolen data in real time.

A Month to Shut It Down

When Fowler found the database, he immediately sent a responsible disclosure notice to the hosting provider. Standard protocol: researcher finds exposed data, reports it, provider takes it down.

It took nearly a month.

During that month, the database remained publicly accessible. Anyone (security researchers, criminals, intelligence agencies, your nosy neighbor) could have accessed those 149 million credentials. There's no way to know how many people found it before Fowler did, or how many copied it before it was finally pulled offline.

A month of exposure for 96 GB of plaintext passwords. That's not a response time. That's negligence.

Your Browser Is the Problem

Most of these credentials were stolen from browser password managers: the built-in "save password" feature in Chrome, Firefox, Safari, and Edge. Every major browser offers to remember your passwords. Most people say yes. Infostealers know this.

Browser-stored passwords are not encrypted the same way a dedicated password manager encrypts them. Chrome, for example, stores passwords using the operating system's credential protection (DPAPI on Windows), which infostealers can decrypt if they're running on the same machine. It's trivial for malware with local access.

A dedicated password manager like Bitwarden or 1Password stores your credentials in an encrypted vault that requires a master password to unlock. Even if malware is running on your machine, it can't read the vault without that master password. It's not perfect protection (a keylogger could still capture the master password) but it's orders of magnitude harder to crack than browser-stored credentials.

What You Should Do Right Now

Stop Using Browser Password Storage

Go to your browser settings and disable the built-in password manager. In Chrome: Settings → Passwords and autofill → Google Password Manager → Settings → toggle off "Offer to save passwords." Export your passwords first, import them into a real password manager, then delete the browser copies.

Get a Real Password Manager

Bitwarden (free, open-source) or 1Password ($3/month) both encrypt your vault properly. Generate unique passwords for every account. Yes, all of them. If you're reusing passwords across services, one infostealer infection compromises everything.

Enable Two-Factor Authentication Everywhere

Even if your password is stolen, 2FA stops the attacker from logging in. Use an authenticator app (Aegis, Ente Auth), not SMS, which can be SIM-swapped. Prioritize email, banking, crypto, and any account that can be used to reset other passwords.

Check If You're Compromised

Visit Have I Been Pwned and check your email addresses. If your credentials appear in known breaches, change those passwords immediately. Also check Mozilla Monitor for a broader scan.

The Infostealer Economy Is Booming

This database is a symptom, not the disease. The infostealer economy has exploded over the past two years. Malware-as-a-service subscriptions are cheap. Distribution channels (phishing kits, SEO-poisoned downloads, YouTube tutorial scams, fake cracked software) are mature and automated. The stolen data flows into credential stuffing operations, account takeover attacks, and identity theft at industrial scale.

In January 2026, researchers cataloged 16 billion credentials compiled from infostealer logs. ShinyHunters, the group behind the Harvard and UPenn breaches, routinely uses stolen credentials as initial access for larger attacks. The pipeline is simple: infect devices, harvest passwords, use them to break into bigger targets.

This particular database being exposed is almost ironic: criminals' own stolen-data infrastructure was left unprotected, exposing the scale of their operation. But the uncomfortable truth is that there are thousands of similar databases that haven't been found. Your credentials might be in one of them right now.

References

  1. Fox News: 149 Million Passwords Exposed in Massive Credential Leak (February 2026)
  2. TechRadar: Huge Data Leak of 149 Million Credentials Exposed Without Any Protection (February 2026)
  3. Gracker: Major Data Leak: 149M Usernames and Passwords Exposed Online (February 2026)
  4. WWPass: 149 Million Credentials Leaked: The Authentication Method Itself Is the Vulnerability (February 2026)
  5. AOL: 149 Million Passwords Exposed in Massive Credential Leak (February 2026)