Massive Infostealer Database Exposes 149 Million Global Credentials
Security researcher Jeremiah Fowler reports that attackers left a database containing 149 million stolen logins open on the internet without a password or encryption.
Fowler discovered the 96 GB repository, which held 149,404,754 unique credentials. The data came from infostealer malware that harvests user information from infected devices worldwide.
The server held logs from malware designed to capture keystrokes and browser data. These logs used a host-reversed path format, such as com.example.user.machine, to organize stolen data by victim and source. Each entry used a unique line hash as a document ID to prevent duplicates.
The compromised data includes:
- 149,404,754 unique logins and passwords
- 48 million Gmail accounts
- 4 million Yahoo accounts
- 1.5 million Outlook accounts
- 900,000 iCloud accounts
- 1.4 million .edu email addresses
- 17 million Facebook credentials
- 6.5 million Instagram credentials
- 780,000 TikTok credentials
- 3.4 million Netflix accounts
- 100,000 OnlyFans accounts
- 420,000 Binance accounts
- Government (.gov) credentials from multiple countries
The hosting provider took nearly a month to shut down the server after multiple reports, during which time the database continued to grow in size.
Because the database included exact login URLs, attackers can automate break-ins across many platforms. The presence of government credentials poses a risk to national security, as these accounts can serve as entry points for network intrusion.
Organizations must monitor for leaked credentials and enforce MFA to block unauthorized access.
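As an added example (not code from Fowler's report or from the exposed system), the sketch below shows how a defender could triage a feed of such records for their own domains, using the host-reversed path and line-hash deduplication described above. The tab-separated record layout, the SHA-256 hash, and all sample lines are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records (not from the exposed database). Assumed layout:
# host-reversed path <TAB> login URL <TAB> username. Secrets are omitted.
SAMPLE_LINES = [
    "com.example.alice.LAPTOP-01\thttps://example.com/login\talice@example.com",
    "com.example.alice.LAPTOP-01\thttps://example.com/login\talice@example.com",  # duplicate
    "com.example.sso.bob.DESKTOP-7\thttps://sso.example.com/auth\tbob@example.com",
    "com.example-shop.carol.PC\thttps://example-shop.com/login\tcarol@mail.test",
    "org.example.dave.HOST\thttps://example.org/signin\tdave@example.org",
]

def doc_id(line: str) -> str:
    """Line hash used as document ID. SHA-256 is an assumption; the page names no algorithm."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

def matches_domain(path: str, domain: str) -> bool:
    """True if the host-reversed path starts with the reversed labels of `domain`.
    Comparing whole labels stops 'com.example-shop' from matching 'example.com'."""
    want = domain.lower().rstrip(".").split(".")[::-1]
    have = path.lower().split(".")
    return have[:len(want)] == want

def triage(lines, watched_domains):
    """Return {domain: [(username, login_url), ...]} for unique records on watched domains."""
    seen, hits = set(), defaultdict(list)
    for line in lines:
        key = doc_id(line)
        if key in seen:          # same line hash means same document: skip it
            continue
        seen.add(key)
        fields = line.split("\t")
        if len(fields) != 3:     # malformed record: ignore rather than guess
            continue
        path, url, user = fields
        for domain in watched_domains:
            if matches_domain(path, domain):
                hits[domain].append((user, url))
    return dict(hits)

if __name__ == "__main__":
    for domain, accounts in triage(SAMPLE_LINES, ["example.com"]).items():
        print(domain, len(accounts), "accounts to reset and enrol in MFA")
        for user, url in accounts:
            print("  ", user, url)
```

Matching on whole labels also catches subdomain entries such as `com.example.sso`, so the login URL returned with each hit tells the responder which service's sessions and passwords to reset.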