24 January 2026

Nearly 150 Million Online Accounts Exposed In Massive Data Leak

A trove of login credentials for social media, financial, and government accounts was left unprotected online, raising urgent concerns about privacy, identity theft, and national security.

On January 21, 2026, the cybersecurity world was rocked by the discovery of a sprawling data leak that left nearly 150 million unique logins and passwords exposed to the public. The incident, uncovered by cybersecurity researcher Jeremiah Fowler and reported by ExpressVPN, revealed a massive trove of sensitive credentials—spanning everything from social media accounts and financial services to government domains—sitting unprotected and unencrypted in a cloud-based repository. The scale and scope of the breach are hard to overstate, and the implications for personal privacy and national security are profound.

Fowler’s investigation revealed that the exposed database contained a staggering 149,404,754 unique login and password combinations, amounting to roughly 96 gigabytes of raw credential data. What made this breach particularly alarming was the ease of access: the database required no password, no encryption—just a web browser and the right URL. Anyone who stumbled upon the repository could sift through millions of usernames, passwords, email addresses, and even direct login URLs for a dizzying array of online services.

According to ExpressVPN, the leak affected a broad spectrum of platforms. Social media giants were hit especially hard, with 17 million Facebook accounts, 6.5 million Instagram accounts, 780,000 TikTok accounts, and untold numbers of X (formerly Twitter) logins exposed. The breach also swept up dating sites, OnlyFans accounts (including both creators and customers), and a raft of streaming and entertainment services like Netflix (3.4 million accounts), HBO Max, Disney Plus, and the wildly popular Roblox platform. Financial accounts weren’t spared either—420,000 Binance accounts, crypto wallets, banking logins, and credit card credentials were all found in the exposed trove.

Perhaps most concerning, Fowler noted, was the presence of credentials associated with government (.gov) domains from multiple countries. While not every government-linked account grants access to highly sensitive systems, even limited exposure could open the door to targeted spear-phishing or impersonation, or even serve as a foothold into government networks. Fowler warned, “Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks.”

The database itself bore all the hallmarks of so-called ‘infostealer’ malware—a type of malicious software designed to silently harvest credentials from infected devices. Fowler described how the repository was organized: each record was indexed by a unique line hash, and the data included not just usernames and passwords but also the “host_reversed path,” a structure that helps organize stolen data by victim and source. This method, he explained, can also help cybercriminals evade basic detection systems that look for standard domain formats.
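For defenders who monitor leaked-credential data for their own domains, the reversed-host layout described above means a check that only looks for standard domain formats will miss records. The sketch below is an added example, not code from Fowler's report or ExpressVPN; it assumes a reversed host is the ordinary hostname with its dot-separated labels in reverse order followed by a path, and the watchlist domains and sample records are constructed.

```python
# Added example. The field layout is an assumption; the report does not publish it.
WATCHLIST = {"example.gov", "corp.example.com"}  # constructed domains to monitor

# Constructed sample host/path fields, not data from the exposed database.
RECORDS = [
    "https://login.example.gov/signin",  # ordinary forward notation
    "gov.example.login/signin",          # same host with labels reversed
    "com.example.corp.vpn/auth",         # reversed subdomain of a watched domain
    "com.othersite.www/login",           # unrelated host
]

def host_labels(field):
    """Return the lower-cased DNS labels of a URL or host/path field."""
    host = field.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    return [label for label in host.split(".") if label]

def naive_match(field, watchlist=WATCHLIST):
    """Baseline check that only understands forward notation."""
    host = ".".join(host_labels(field))
    return any(host == d or host.endswith("." + d) for d in watchlist)

def match_domain(field, watchlist=WATCHLIST):
    """Return (domain, notation) if the host belongs to a watched domain.

    Label-wise comparison avoids substring false hits. A forward host that
    merely begins with the reversed labels is also flagged; triage those by hand.
    """
    labels = host_labels(field)
    for domain in sorted(watchlist):
        want = domain.split(".")
        n = len(want)
        if len(labels) < n:
            continue
        if labels[-n:] == want:
            return domain, "forward"
        if labels[:n] == want[::-1]:
            return domain, "reversed"
    return None

def scan(records):
    """Map each record to its match result for review."""
    return {r: match_domain(r) for r in records}
```

Running `scan(RECORDS)` flags three of the four sample records, two of which the forward-only `naive_match` baseline does not see.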

In addition to the sheer number of records, Fowler observed that the database appeared to be actively growing during the period it remained exposed. “One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available,” he reported. This suggested that the malware was continuing to siphon new stolen data into the repository even after its initial discovery.

Fowler’s attempts to secure the data highlight another challenge in the fight against cybercrime: the slow and sometimes opaque response of hosting providers. After discovering the leak, Fowler reported it to the hosting provider through their online abuse form. But it took nearly a month—and multiple follow-ups—before the hosting was finally suspended and public access to the stolen credentials was cut off. The hosting provider, for its part, declined to disclose information about who managed the database, leaving open questions about whether the data was amassed for criminal activity or legitimate research. Fowler noted, “It is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes or how or why the database was publicly exposed.”

The risks posed by such a breach are far from hypothetical. With emails, usernames, passwords, and login URLs all exposed, malicious actors could automate credential-stuffing attacks against a wide range of accounts—email, financial services, social networks, enterprise systems, and more. The potential consequences include fraud, identity theft, financial crimes, and highly convincing phishing campaigns. The exposure of government credentials adds an additional layer of risk, potentially threatening national security and public safety.

Fowler offered a sobering reminder that simply changing passwords isn’t always enough, especially if a device remains infected with infostealer malware. “If your device is infected with malware, any new password you type will also be captured,” he warned. He outlined several steps for individuals to protect themselves: installing and updating antivirus software, regularly updating operating systems, reviewing app permissions, using password managers with multi-factor authentication, and practicing good cyber hygiene. He also stressed the importance of never reusing passwords across different sites or services, as this can allow attackers to compromise multiple accounts with a single stolen credential.

Interestingly, the incident also highlights a paradox in the world of cybercrime: even those who steal data are vulnerable to data breaches themselves. As Fowler observed, “This discovery also shows that even cybercriminals are not immune to data breaches.” Criminal operations, he explained, often prioritize speed and scale over operational security, sometimes leaving valuable caches of stolen data on misconfigured servers that can be discovered by security researchers—or anyone else with the right tools.

From a privacy perspective, the breach of email addresses and account associations could allow criminals to build detailed profiles of individuals, increasing the success rate of social engineering or phishing attempts. Unauthorized access to sensitive documents, communications, or even images and chat histories from dating or adult entertainment accounts could lead to harassment or extortion attempts long after the initial breach.

Fowler’s report, published by ExpressVPN on January 21, 2026, with an update on January 23, 2026, underscores the ongoing arms race between cybercriminals and those seeking to thwart them. As infostealer malware continues to evolve, so too must the defensive measures employed by individuals and organizations. Fowler recommended that hosting providers improve their abuse reporting channels and ensure that reports of clear violations are reviewed by humans, not just automated systems. “Failure to respond to responsible disclosure reports of clear violations of terms of service such as hosting malware or stolen credentials only enables malicious infrastructure to remain active, exposing individuals to serious potential risks,” he cautioned.

For now, the discovery of this unprotected database serves as a stark reminder: credential theft is big business, and the digital world remains a risky place for the unwary. Staying vigilant, updating security practices, and demanding accountability from service providers are more crucial than ever as the threat landscape continues to shift beneath our feet.