Massive 149M Credentials Leak Discovered – Gmail, Facebook, Instagram & Government Accounts Exposed

A 149 million credentials database, including Gmail, Facebook, Instagram, and government accounts, was found exposed in an unprotected cloud repository. Learn how the breach happened, who’s affected, and steps to stay safe.


Massive 149 Million Credentials Exposed in Unsecured Cloud Database

A database containing 149.4 million exposed logins and passwords has been discovered in an unprotected, unencrypted cloud repository. Cybersecurity researcher Jeremiah Fowler uncovered the breach and reported it to ExpressVPN, revealing a large collection of stolen accounts spanning major platforms including Gmail, Instagram, Facebook, and government systems.

The raw dataset totaled 96 GB and was publicly accessible without password protection or encryption. The database contained thousands of files with emails, usernames, passwords, and direct login URLs, making it easy for attackers to conduct automated credential-stuffing campaigns.


Scope of Exposed Accounts

Email Providers:

  • Gmail: 48 million accounts

  • Yahoo: 4 million accounts

  • Outlook: 1.5 million accounts

  • iCloud: 900,000 accounts

  • .edu domains: 1.4 million accounts

Major Platforms:

  • Facebook: 17 million accounts

  • Instagram: 6.5 million accounts

  • Netflix: 3.4 million accounts

  • TikTok: 780,000 accounts

  • Binance: 420,000 accounts

  • OnlyFans: 100,000 accounts

Notably, credentials associated with .gov domains from multiple countries were also included, raising serious national security concerns.


Technical Analysis

The database was generated from advanced infostealer malware. Stolen data was organized using “host_reversed paths” (e.g., com.example.user.machine) to structure information by victim and source, and each record included unique line hashes to avoid duplication. The database was searchable through a basic web browser without authentication, making millions of credentials instantly accessible.
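For a security team checking whether its own domains appear in data structured this way, the sketch below deduplicates lines by hash and matches host_reversed paths against monitored domains. It is an added example, not code from the researcher's report or from this article; the tab-separated line layout, the use of SHA-256, and all function names are assumptions, and the sample lines are constructed.

```python
import hashlib

# Constructed sample lines (not real data). Assumed layout, not given on the
# page: "<host_reversed path>\t<account>". Passwords are deliberately absent.
SAMPLE = [
    "com.example.alice.laptop01\talice@example.com",
    "com.example.alice.laptop01\talice@example.com",      # exact duplicate
    "com.example-lookalike.bob.pc\tbob@example-lookalike.com",
    "org.example.carol.ws7\tcarol@example.org",
    "COM.Example.dave.desk\tDave@example.com",
    "not a record",                                       # malformed
]

def line_hash(line):
    """Per-line dedup key. SHA-256 is an assumption; the page names no algorithm."""
    return hashlib.sha256(line.strip().encode("utf-8")).hexdigest()

def unreverse(path):
    """com.example.user.machine -> machine.user.example.com"""
    return ".".join(reversed(path.lower().split(".")))

def under_domain(path, domain):
    """Label-wise prefix match on the reversed path, so 'com.example-lookalike'
    never matches 'example.com' the way a plain string prefix would."""
    want = list(reversed(domain.lower().split(".")))
    return path.lower().split(".")[:len(want)] == want

def triage(lines, monitored):
    """Return ({domain: sorted [(account, host)]}, unique_line_count)."""
    seen, hits = set(), {}
    for line in lines:
        digest = line_hash(line)
        if digest in seen:
            continue                      # already processed this exact line
        seen.add(digest)
        parts = line.strip().split("\t")
        if len(parts) != 2:
            continue                      # skip malformed lines
        path, account = parts
        for domain in monitored:
            if under_domain(path, domain):
                hits.setdefault(domain, set()).add((account.lower(), unreverse(path)))
    return {d: sorted(v) for d, v in hits.items()}, len(seen)

if __name__ == "__main__":
    found, unique = triage(SAMPLE, ["example.com", "example.org"])
    print(unique, "unique lines")
    for domain, rows in found.items():
        print(domain, rows)
```

The accounts returned per domain are the ones to prioritize for password resets and login-history review.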

Fowler reported the issue to the hosting provider, but it took nearly a month and multiple escalations for the database to be suspended. During that time, the record count increased, suggesting unauthorized access by other parties.


Risks for Users

  • Credential-stuffing attacks on email, financial services, and enterprise systems

  • Automated account takeovers using valid usernames and passwords

  • Identity theft and financial fraud

  • Phishing campaigns using real account details for authenticity

Immediate Actions:

  1. Enable multi-factor authentication on all accounts

  2. Review login histories for suspicious activity

  3. Update passwords across all platforms

  4. Use antivirus software to scan devices


Recommendations for Organizations

  • Enforce encryption for credential storage

  • Establish rapid response protocols for responsible disclosure

  • Maintain human-monitored abuse reporting channels

This breach highlights a worrying trend: cybercriminals prioritize speed over security, leaving stolen data exposed, while researchers exploit these vulnerabilities to disrupt criminal operations.