Nearly 150 Million Stolen Logins Exposed Online in Massive Infostealer Data Leak

A massive trove of stolen login credentials, totaling nearly 150 million unique usernames and passwords, was recently found sitting exposed on the open internet, underscoring just how industrialized and fragile the modern credential theft ecosystem has become.


The cache, uncovered by cybersecurity researcher Jeremiah Fowler at ExpressVPN, contained more than 149 million records and roughly 96 gigabytes of raw data. The database was neither encrypted nor protected by a password, making it accessible to anyone who stumbled across it. In a limited review of the files, Fowler identified login details tied to an enormous range of services, from social media and streaming platforms to financial accounts, crypto services, government email addresses, and enterprise tools.


Unlike many breaches that stem from compromised companies, this dataset appears to have originated from criminal infrastructure itself. The credentials were consistent with data harvested by infostealer malware, a category of malicious software designed to quietly collect usernames, passwords, cookies, and session tokens from infected devices. Once gathered, that information has to be stored somewhere, and cloud-hosted databases are often the most convenient option for attackers. In this case, convenience seems to have come at the cost of basic security.


The exposed records spanned popular consumer platforms such as Facebook, Instagram, TikTok, Netflix, Roblox, and dating services, as well as financial services and cryptocurrency trading accounts. Email providers were heavily represented, with tens of millions of Gmail addresses appearing in the dataset, alongside Yahoo, Outlook, iCloud, and educational domains. Fowler also identified credentials tied to government email addresses from multiple countries. While not every government account grants access to sensitive systems, even limited access can be leveraged for impersonation, spear phishing, or as a foothold for more targeted attacks.


Technically, the dataset stood out from similar infostealer collections because of how it was organized. Records were indexed using reversed hostnames, formatted to group stolen data by victim device and source. Each entry was assigned a unique hash identifier, suggesting a deliberate effort to avoid duplication and streamline large-scale reuse. That structure makes the data particularly attractive for automation, enabling attackers to quickly sort and deploy stolen credentials in credential-stuffing attacks across countless services.


The risks posed by an exposure of this scale are difficult to overstate. With exact login URLs included alongside usernames and passwords, attackers could automate login attempts against email accounts, banking portals, cloud services, and enterprise systems. Successful account takeovers can cascade, as access to a single inbox often enables password resets across dozens of other services. Beyond direct financial fraud, the data could fuel phishing campaigns that feel disturbingly authentic, referencing real accounts and platforms that victims actually use.
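The credential-stuffing pattern described above has a recognisable shape in login logs: one client cycling through many different usernames with a low success rate, unlike a legitimate user retrying a single account. The following is an added example, not code from the article or from the researcher; the log format, the sample lines and the thresholds are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample log lines (not from the article). Format per line:
# "<timestamp> <client_ip> <username> <outcome>", outcome in {success, failure}.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice failure
2024-05-01T10:00:02Z 203.0.113.7 bob failure
2024-05-01T10:00:02Z 203.0.113.7 carol failure
2024-05-01T10:00:03Z 203.0.113.7 dave success
2024-05-01T10:00:04Z 203.0.113.7 erin failure
2024-05-01T10:00:05Z 203.0.113.7 frank failure
2024-05-01T10:00:09Z 198.51.100.20 alice failure
2024-05-01T10:00:15Z 198.51.100.20 alice success
"""


def parse_log(text):
    """Yield (timestamp, ip, user, outcome) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("success", "failure"):
            continue
        yield tuple(parts)


def find_stuffing_sources(text, min_distinct_users=5, max_success_rate=0.3):
    """Return {ip: summary} for clients that look like credential-stuffing sources.

    Heuristic (thresholds are assumptions to tune per site): many distinct
    usernames from one client plus a low success rate is the signature of
    replaying a leaked username:password list.
    """
    attempts = defaultdict(list)
    for _ts, ip, user, outcome in parse_log(text):
        attempts[ip].append((user, outcome))
    flagged = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        successes = [u for u, o in events if o == "success"]
        rate = len(successes) / len(events)
        if len(users) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                "success_rate": round(rate, 3),
                # Accounts that did log in from the flagged source are the
                # likely takeovers: force a password reset and revoke sessions.
                "accounts_to_review": sorted(set(successes)),
            }
    return flagged
```

On the sample, only 203.0.113.7 is flagged, and its single successful login (dave) is surfaced as the account to reset; the second client is an ordinary user retrying one account and is left alone.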


Fowler reported the exposed database to the hosting provider, but remediation was slow. According to his account, it took weeks and multiple follow-ups before the infrastructure was finally taken offline. During that window, the number of exposed records continued to grow, suggesting the database was still actively being fed with newly stolen credentials. The hosting provider did not disclose who controlled the data, how long it had been exposed, or whether it had already been accessed by others.


Security experts say this pattern is common. Criminal operations often prioritize speed, scale, and monetization over operational hygiene. Misconfigured cloud servers and open databases are routinely discovered during internet-wide scans, and once a dataset is exposed, it is often copied and redistributed long before the original source is shut down.


Mayur Upadhyaya, CEO at APIContext, said the real danger lies not just in the initial theft, but in how those credentials are reused.


“This kind of breach is a stark reminder that credentials don’t just get stolen, they get reused. And that’s where the real risk lies. Once login and password pairs are exposed, even from criminal infrastructure, they become fuel for credential stuffing: automated attempts to reuse those same credentials across other applications and services. Given how common password reuse is, this creates a persistent and highly scalable threat. The lesson here isn’t just about better monitoring. It’s about rethinking the authentication posture of your APIs and applications, especially those sitting in transactional or sensitive workflows. Stronger patterns like OAuth 2.0 and financial-grade APIs are specifically designed to limit exposure by scoping access and tying tokens to user intent. That kind of fine-grained access control isn’t just good hygiene, it’s now essential. Proactive visibility also plays a role. Monitoring for abnormal API usage, unusual traffic routes, or infostealer behavior on endpoints can help reduce time to detect and contain. But fundamentally, this is about designing systems that assume credential compromise is inevitable and making sure that even when it happens, blast radius stays small.”


For individuals, the incident highlights a hard truth: simply changing passwords is not enough if a device is already infected. Infostealer malware can capture new credentials as easily as old ones, along with clipboard data, browser memory, and session cookies. Antivirus and endpoint protection remain a critical first line of defense, yet a significant portion of users still operate without them. Regular operating system updates, cautious installation of apps and browser extensions, and careful review of device permissions all help reduce exposure.


Password managers and multi-factor authentication also play an important role. While no tool can fully protect a system that is deeply compromised, unique passwords and additional authentication steps can dramatically reduce the success rate of automated attacks and limit the damage from a single leaked credential.


From a privacy perspective, the exposure of email addresses and associated accounts enables attackers to build detailed profiles of individuals, mapping out where they bank, what platforms they use, and even aspects of their personal lives. That information can resurface years later in the form of harassment, extortion, or targeted social engineering.


The discovery of this unsecured database is a reminder that credential theft is no longer a niche cybercrime but a global, large-scale business. As attackers continue to refine their tools and infrastructure, both organizations and individuals are being forced to assume that passwords will eventually leak. The challenge now is designing systems, and habits, that can withstand that reality without collapsing under it.