149 million passwords exposed in massive credentials leak
NEWNow you can listen to News articles!
It’s been a tough start to the year for password security. A massive database containing 149 million stolen logins and passwords was found publicly exposed online.
The data included credentials linked to approximately 48 million Gmail accounts, along with millions more popular services. Cybersecurity researcher Jeremiah Fowler, who discovered the database, confirmed that it was not password protected or encrypted. Anyone who found it could have accessed the data.
Here’s what we know so far and what you should do next.
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
AVAILABLE AI HELPS STROKE SURVIVORS SPEAK AGAIN
A publicly exposed database left millions of usernames and passwords accessible to anyone who found it online. (Wei Leng Tay/Bloomberg via Getty Images)
What was found in the exposed database
The database contained 149,404,754 unique usernames and passwords. It totaled approximately 96GB of raw credential data. Fowler said the exposed files included email addresses, usernames, passwords and direct login URLs for accounts on many platforms. Some logs also showed signs of information-stealing malware, which silently captures credentials from infected devices.
Importantly, this was not a new breach by Google, Meta or other companies. Instead, the database appears to be a collection of credentials stolen over time from past breaches and malware infections. That distinction is important, but the risk to users remains real.
Which accounts appeared most frequently?
According to estimates shared by Fowler, the following services had the most credentials in the exposed database.
- 48 million – Gmail
- 17 million – Facebook
- 6.5 million – instagram
- 4 million – Yahoo Mail
- 3.4 million – netflix
- 1.5 million – Perspective
- 1.4 million: .edu email accounts
- 900,000 – iCloud Mail
- 780,000 – tiktok
- 420,000 – binance
- 100,000 – Fans
Email accounts dominated the data set, which is important because access to email often unlocks other accounts. A compromised inbox can be used to reset passwords, access private documents, read years of messages, and impersonate the account holder. That’s why Gmail’s frequent appearance in this database raises concerns that go beyond any particular service.
SUPER BOWL SCAMS ADVANCE IN FEBRUARY AND ADVANCE IN YOUR DATA
Email accounts appeared most frequently in the leaked data, which is especially concerning because inbox access can unlock many other accounts. (Felix Zahn/Photothek via Getty Images)
Why exposed database creates serious security risks
This exposed database was not abandoned or forgotten. The number of logs increased as Fowler investigated them, suggesting that the malware feeding them was still active. There was also no ownership information attached to the database. After several attempts, Fowler reported it directly to the hosting provider. Almost a month passed before the database was finally taken offline. During that time, anyone with a browser could have searched for it. That reality increases the risks for everyday users.
This was not a traditional hack or company breach.
The hackers did not break into Google or Meta systems. Instead, the malware infected individual devices and collected login data as people typed it or stored it in browsers. This type of malware is usually spread through fake software updates, malicious email attachments, compromised browser extensions, or deceptive advertisements. Once a device is infected, simply changing passwords does not solve the problem unless the malware is removed.
TIKTOK AFTER SALE IN THE USA: WHAT HAS CHANGED AND HOW TO USE IT SAFELY
Researchers believe the data-stealing malware collected credentials and, over time, silently collected logins from infected devices. (Jaap Arriens/NurPhoto via Getty Images)
How to protect your accounts after a massive password breach
This is the most important part. Follow these steps even if everything seems fine right now. Credential leaks like this usually emerge weeks or months later.
1) Stop reusing passwords immediately
Password reuse is one of the biggest risks exposed by this database. If attackers get a working login, they often automatically test it on dozens of sites. Change any reused passwords first, starting with email, financial, and cloud accounts. Each account must have its own unique password. Consider using a password manager, which stores and generates complex passwords securely, reducing the risk of password reuse.
Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.
2) Switch to passcodes when available
Access keys Replace passwords with device-based authentication tied to biometrics or hardware. That means there is nothing for the malware to steal. Gmail and many major platforms already support passcodes, and adoption is growing rapidly. Activating them now removes a major attack surface.
3) Enable two-factor authentication on each account
Two-factor authentication (2FA) adds a second checkpoint, even if a password is exposed. Use authenticator apps or hardware keys instead of SMS when possible. This step alone can stop most account takeover attempts linked to stolen credentials.
4) Scan devices for malware with powerful antivirus software
Changing passwords won’t help if there is still malware on your device. Install powerful antivirus software and run a full system scan. Delete anything marked as suspicious before updating passwords or security settings. Keep your operating system and browsers fully up to date as well.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
5) Review account activity and login history.
Most major services show locations, devices, and recent login sessions. Look for unknown activity, especially logins from new countries or devices. Log out of all sessions if the option is available, and reset credentials immediately if something seems strange.
6) Use a data deletion service to reduce exposure.
Stolen credentials are often combined with data scraped from data broker sites. These profiles may include addresses, phone numbers, family members, and employment history. Using a data removal service helps reduce the amount of personal information that criminals can link to leaked logins. Less exposed data makes phishing and spoofing attacks more difficult to carry out.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.
7) Close accounts you no longer use
Old accounts are easy targets because people forget to protect them. Shut down unused services and delete accounts linked to outdated app subscriptions or trials. Fewer accounts mean less chance of attackers breaking in.
Kurt’s Key Takeaways
This exposed database is another reminder that credential theft has become an industrial-scale operation. Criminals move fast and often prioritize speed over security. The good news is that a few simple steps still work. Unique passwords, strong authentication, malware protection, and basic cyber hygiene go a long way. Don’t panic, but don’t ignore this either.
If your email account were compromised today, how many other accounts would go down with it? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE News APP
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea, or comment on Cy berGuy.com.