Overview
- Security researcher Jeremiah Fowler discovered an unencrypted, 96GB repository containing about 149.4 million unique usernames and passwords accessible to anyone via a web browser.
- The dataset aggregated credentials for major platforms, including roughly 48 million Gmail, 17 million Facebook, 6.5 million Instagram, 3.4 million Netflix, 4 million Yahoo, 1.5 million Outlook, 900,000 iCloud, and 420,000 Binance accounts, plus .gov and 1.4 million .edu logins.
- The hosting provider removed the publicly exposed server after repeated notifications, but researchers warn the information may have been copied or redistributed before takedown.
- Analysis indicates the trove was compiled from infostealer malware logs and appeared to be actively growing while online, with some records also exposing crypto wallet recovery phrases and exchange API keys.
- Google says it is monitoring for exposed credentials and enforcing automated protections, while experts urge users to check Have I Been Pwned, change passwords, enable MFA or passkeys, scan devices, and revoke unused API keys.