
149 million passwords for Gmail, Facebook, Instagram, others leaked online

Cybersecurity researcher reveals that a massive 96 GB database was compromised. He also revealed that financial service accounts, crypto wallets, trading accounts, and banking and credit card logins were leaked


Credentials for over 149 million (14.9 crore) accounts, amounting to 96 GB of raw data, have been compromised in a massive global leak discovered by cybersecurity researcher Jeremiah Fowler. The compromised records include usernames and passwords for several platforms, including Facebook, Instagram, Google, TikTok, X, and OnlyFans.

“I also saw a large number of streaming and entertainment accounts, including Netflix, HBOmax, DisneyPlus, Roblox, and more,” Fowler said.

Intensity of breach

He also revealed that financial service accounts, crypto wallets, trading accounts, and banking and credit card logins were leaked.

Fowler also detailed the scale of the breach across categories. The compromised accounts included 48 million Gmail accounts, 4 million Yahoo accounts, 1.5 million Outlook accounts, 900,000 iCloud accounts, and 1.4 million .edu accounts.


Among social media platforms, credentials for 17 million Facebook accounts, 6.5 million Instagram accounts, and 780,000 TikTok accounts were exposed. The leak also affected streaming platforms, including 3.4 million Netflix accounts and 100,000 OnlyFans accounts, as well as 420,000 accounts on the cryptocurrency exchange Binance.

How data was leaked

Explaining how the data was leaked, Fowler indicated that the database reportedly stored records collected by keylogging and “infostealer” malware, a type of malicious software designed to silently harvest credentials from infected devices.

“The records also included the ‘host_reversed path’ formatted as (com.example.user.machine). This structure is used to create an easily indexable way to organize the stolen data by victim and source,” he detailed.
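The reversed-host layout Fowler describes sorts every record for a domain and its subdomains next to each other, which is also what lets a defender who receives such an index in a breach notification check quickly whether their own domains appear. The Python sketch below is an added illustration, not code from Fowler's report; the function names and sample keys are constructed, and it assumes the last two labels of each key are the user and machine, as in the quoted sample.

```python
from bisect import bisect_left

def reverse_host(domain):
    """example.com -> com.example (label order reversed, lower-cased)."""
    return ".".join(reversed(domain.lower().strip(".").split(".")))

def exposed_records(sorted_keys, domain):
    """List (host, user, machine) for keys under `domain` and its subdomains.

    Assumption: the last two labels of a key are user and machine, as in the
    com.example.user.machine sample; any labels between are a subdomain.
    """
    dom = domain.lower().strip(".")
    prefix = reverse_host(dom) + "."
    hits = []
    # Keys sharing a prefix are contiguous in sorted order: seek, then scan.
    i = bisect_left(sorted_keys, prefix)
    while i < len(sorted_keys) and sorted_keys[i].startswith(prefix):
        rest = sorted_keys[i][len(prefix):].split(".")
        if len(rest) >= 2 and all(rest):  # skip truncated keys and empty labels
            *sub, user, machine = rest
            host = ".".join(list(reversed(sub)) + [dom])
            hits.append((host, user, machine))
        i += 1
    return hits

def triage(keys, watchlist):
    """Map each watched domain to its exposed (host, user, machine) tuples."""
    ordered = sorted(k.lower() for k in keys)
    return {d: exposed_records(ordered, d) for d in watchlist}

# Constructed sample keys (not taken from the leaked data).
SAMPLE_KEYS = [
    "gov.agency.erin.ws12",
    "com.example.mail.bob.desktop7",
    "com.example-login.carol.pc3",   # lookalike domain, must not match
    "com.examplecorp.dave.pc9",      # different domain, shared string prefix
    "com.example.alice.laptop01",
    "com.example.orphan",            # malformed: no machine label
]

if __name__ == "__main__":
    for domain, rows in triage(SAMPLE_KEYS, ["example.com", "agency.gov"]).items():
        print(domain, len(rows), rows)
```

Matching on the reversed domain plus a trailing dot keeps lookalike domains out of the result, and each hit names the account and device to prioritise for password resets and malware cleanup.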


Malware is commonly spread through phishing emails, fake software updates, compromised browser extensions, and deceptive online advertisements. Once a device is infected, malware can operate silently, harvesting credentials and transmitting them to attackers — rendering simple password changes ineffective.

Concerns

In his blog on ExpressVPN, Fowler said a serious concern was the presence of .gov domains of various countries. Exposure of government credentials may enable targeted spear-phishing, impersonation, and unauthorised access to government networks, heightening risks to national security and public safety, he explained.

Apart from national security, Fowler highlighted that there is an increased risk of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services.

“Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more,” he added.

How to safeguard?

Fowler outlined measures users can take to safeguard themselves from cyber fraud. As initial steps, users should install reputable antivirus or endpoint security software, keep operating systems up to date, and regularly scan for malicious activity.

Installing apps only from official app stores, limiting app permissions, and reviewing browser extensions and background processes can further reduce exposure. On computers, even non-technical users can check for unfamiliar programs or suspicious activity, while mobile users should ensure security software and system updates are current, he elaborated.


Stronger account-level protections are equally critical. Using unique passwords for each service, enabling multi-factor authentication, and regularly reviewing login activity can significantly reduce the risk of account takeover. Password managers can help limit damage from basic keylogging and password reuse, though they are not a substitute for securing an infected device.

Since stolen credentials can be exploited for profiling, phishing, extortion, or identity theft, users should treat email and online accounts as high-risk assets. Taking preventive steps — such as monitoring accounts, tightening privacy settings, and acting quickly at the first sign of compromise — can help contain damage and protect personal data from increasingly sophisticated cyber threats.
