Last Updated:
Experts are urging users to perform deep system scans using reputable antivirus software and to enable Multi-Factor Authentication (MFA) on all sensitive accounts
Simply changing a password may be futile if the underlying malware remains active on the user’s computer or smartphone, as any new credentials will be immediately captured and uploaded. Representational image
In a staggering breach of global digital security, a massive, unencrypted database containing 149.4 million unique usernames and passwords has been discovered exposed on the open web. The discovery, made by cybersecurity researcher Jeremiah Fowler, revealed approximately 96 GB of raw credential data that was entirely unprotected, allowing anyone with a standard web browser to access, search, and download the information.
The sheer scale of the exposure touches almost every major corner of the digital economy. The database contained logins for 48 million Gmail accounts, 17 million Facebook accounts, 6.5 million Instagram credentials, and 3.4 million Netflix profiles. Crucially for the financial sector, the leak included over 420,000 logins for Binance, alongside countless other banking details, crypto wallets, and credit card credentials. Beyond consumer platforms, the cache even contained sensitive logins for .gov domains from multiple countries, posing a significant risk for national security and targeted spear-phishing campaigns.
The Rise of the ‘Infostealer’
Security analysts believe the database was likely compiled using “infostealer” malware. This type of malicious software silently infects devices via phishing emails, deceptive ads, or compromised browser extensions, recording keystrokes to harvest credentials as users log in to various services.
A particularly disturbing detail noted by Fowler was that the database continued to grow in real-time while he attempted to have it taken down. This indicates that active malware was still funnelling fresh victim data into the repository during the month-long period it took for the hosting provider to finally suspend access.
Why a Password Change Isn’t Enough
This breach presents a unique danger because the data was stolen directly from infected devices rather than through a server-side hack. Consequently, simply changing a password may be futile if the underlying malware remains active on the user’s computer or smartphone, as any new credentials will be immediately captured and uploaded.
Experts are urging users to perform deep system scans using reputable antivirus software and to enable Multi-Factor Authentication (MFA) on all sensitive accounts. By requiring a second form of verification, such as a biometric scan or a hardware token, users can prevent unauthorised access even if their passwords have been compromised.
January 25, 2026, 01:38 IST
Read More
