A security researcher stumbled on an astonishing trove: an unsecured, publicly searchable database containing roughly 149 million account credentials — usernames and passwords for email, social media, streaming services, financial accounts and even government logins. The researcher, Jeremiah Fowler, alerted the hosting provider and the dataset was taken down, but not before it had been growing for weeks and appeared to be harvested automatically.

The scale is what makes this different. There were about 48 million Gmail credentials, roughly 17 million Facebook entries, 4 million Yahoo logins, and smaller but still serious counts for services such as TikTok, OnlyFans, Netflix and the crypto platform Binance. Fowler found credentials tied to banking and credit cards as well as government systems from several countries. The pattern of entries — long, indexed logs with unique identifiers — looks a lot like the output from infostealing malware that quietly siphons typed and stored credentials from infected devices.

Why this matters

This isn’t just another headline about leaked emails. Two things raise the stakes: the apparent automation and breadth of the collection, and the fact the data was freely searchable in a web browser. That combination turns the database into an easy shopping list for fraudsters. A criminal can query specific service types, regions or identifiers and pull out exactly the accounts needed for phishing campaigns, credential stuffing, SIM-swap attempts, or direct account takeover.

Infostealers have lowered the barrier to entry for would‑be criminals: many of these tools are sold or rented on underground forums, and they automate capture of passwords, cookies and other session data. That makes large-scale collections common, and it means more users — not just high-value targets — get swept up.

The discovery also sits against a backdrop of other security headaches: software supply-chain flaws and actively exploited vulnerabilities still appear in the wild, forcing defenders to juggle patching with threat hunting. Recent flaws such as the React Native CLI remote-execution issue are reminders that developers and organizations must stay vigilant about tooling and dependencies (related: “Critical React Native CLI Flaw (CVE-2025-11953) Lets Remote Attackers Run OS Commands”). Meanwhile, agencies tracking exploitation of known issues have added multiple flaws to their catalogs, underscoring the variety of attack paths adversaries can use (related: “CISA Adds Gladinet and Control Web Panel Flaws to KEV Catalog as Active Exploitation Persists”).

There’s another layer of irony: Gmail and other email accounts are growing ever more central to people’s digital lives, and in some cases AI tools and integrations now read inboxes to offer shortcuts or search. Tightening email security matters more than ever as those inboxes become keys to other services (related: “Google’s Gemini Deep Research plugs into Gmail, Drive and Chat”).

What to do — practical steps for people and organizations

If your email, social, streaming or banking account is on any of those services, assume risk and act deliberately. Here are concrete actions that cut through the noise:

  • Enable multi-factor authentication (MFA) everywhere it’s offered. Use an authenticator app or hardware security key when possible rather than SMS.
  • Change passwords on affected accounts and any other site where you reused the same password. Long, unique passphrases are easier to manage with a password manager.
  • If you sign in with email-based single sign-on (Google, Apple, Facebook), check the connected apps and revoke access for anything unfamiliar. Attackers who control an email account can often escalate into other services.
  • Check financial accounts closely for unauthorized transactions and alert your bank immediately if you see anything suspicious.
  • Scan your devices for malware. Infostealers often live on compromised machines; a full OS scan (and in serious cases, a device wipe and rebuild) may be required.
  • Monitor for unusual account activity: unexpected password resets, login alerts from new locations or devices, or surprising changes to recovery options.
  • For organizations and defenders: hunt for anomalous logins, require strong authentication for admin accounts, rotate any sensitive credentials that could have been exposed, and instrument monitoring on systems that handle credential resets or account recovery. Threat intel teams should watch the usual forums and feeds for signs of the dataset resurfacing or being traded.
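As an added example (not from the article or from Fowler’s research), the defender step above in code: a small hunt over constructed authentication log lines that flags a source IP cycling through many distinct usernames in a short window, which is the credential-stuffing signature, and then lists the accounts where such a run actually succeeded so they can be rotated. The log format, the thresholds and the sample lines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2025-11-05T10:00:01 alice 203.0.113.7 FAIL
2025-11-05T10:00:02 bob 203.0.113.7 FAIL
2025-11-05T10:00:03 carol 203.0.113.7 FAIL
2025-11-05T10:00:04 dave 203.0.113.7 FAIL
2025-11-05T10:00:05 erin 203.0.113.7 FAIL
2025-11-05T10:00:06 frank 203.0.113.7 SUCCESS
2025-11-05T10:05:00 alice 198.51.100.2 SUCCESS
2025-11-05T11:00:00 alice 198.51.100.2 FAIL
2025-11-05T11:00:30 alice 198.51.100.2 SUCCESS
"""

def parse_log(text):
    """Parse assumed 'ts user ip result' lines into sorted (datetime, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def stuffing_sources(events, min_users=5, window=timedelta(seconds=60)):
    """Return {ip: peak distinct usernames tried within `window`} for IPs at or above
    `min_users`. One source walking through many accounts is the stuffing signature;
    a legitimate user retrying a forgotten password touches one account, not dozens."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        peak = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged

def takeover_candidates(events, flagged):
    """Accounts with a SUCCESS from a flagged IP: the run hit a valid (likely leaked or
    reused) password, so rotate the password and revoke sessions for these first."""
    return sorted({user for _, user, ip, result in events
                   if ip in flagged and result == "SUCCESS"})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = stuffing_sources(evs)
    print("stuffing sources:", hits)
    print("accounts to rotate:", takeover_candidates(evs, hits))
```

Real logs add geography and device fingerprints; the same grouping applies, with a new location or device on a success as a second signal.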

A few practical tips that help more than you might expect

  • Use a reputable password manager to generate and store unique passwords. They make the “change everything” chore manageable.
  • Prefer passkeys or hardware tokens for sensitive accounts when the service supports them; they’re far more resistant to credential stuffing and phishing.
  • Keep your recovery phone number and email current, but consider locking recovery options behind extra verification if your provider offers it.
  • If a device feels slow, behaves strangely, or serves up odd pop-ups after downloading software from unofficial sources, treat it like it may be infected and investigate.

This incident is a reminder: digital keys are as valuable as cash. Treat them with the same care — rotate them when exposed, lock them down with MFA, and don’t reuse them across doors.
