A publicly visible database containing login details for some of the world’s most-used digital platforms was recently discovered online, raising concerns over the global impact of malware-based credential theft. The database remained accessible until late 2025 and has since been taken offline.
Initial scans revealed a vast trove of usernames, passwords, and platform-specific login links sourced from victims around the world. The breach was not caused by a single hack, but by malware silently siphoning login data from personal devices. No password. No encryption. No restrictions.
Cybersecurity researcher Jeremiah Fowler uncovered the leak in late 2025 and published his findings in a detailed report via ExpressVPN. The unencrypted and publicly accessible cloud repository held over 149 million unique login records, totaling 96 gigabytes of data. Gmail users represented the largest share, with 48 million compromised credentials, followed by Facebook (17 million), Instagram (6.5 million), and Netflix (3.4 million).
The breakdown of email providers and services found in the exposed dataset includes:
Breakdown of email providers in the dataset
- 48 million – Gmail
- 4 million – Yahoo Mail
- 1.5 million – Outlook
- 900,000 – iCloud
- 1.4 million – .edu domains
Other notable platform credentials
- 17 million – Facebook
- 6.5 million – Instagram
- 3.4 million – Netflix
- 780,000 – TikTok
- 100,000 – OnlyFans
- 420,000 – Binance
Further reporting by The Independent confirmed that the exposed credentials were harvested using third-party malware tools known as infostealers. Other affected services included Yahoo Mail, Outlook, TikTok, OnlyFans, and Binance, as well as government-related email domains. Screenshots reviewed by Fowler showed thousands of records containing login paths, host names, and administrative interfaces.

The data was stored without encryption, required no login to access, and carried no ownership identifiers. The leak’s structure allowed anyone with the URL to access and browse millions of compromised accounts directly through a browser interface.
The exposed data was not linked to a direct breach of corporate servers. Instead, it originated from infostealer malware installed on personal devices, which silently collected login data over time. Distribution methods for this malware include malicious email attachments, fake browser updates, compromised plugins, and deceptive ads.
In a report by Daily Mail, Fowler stated that the records included a structured set of metadata not commonly seen in previous leaks. Each entry contained a unique hash identifier and a reverse-formatted hostname, suggesting an effort to avoid duplication and simplify data indexing.
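As an added illustration (not taken from Fowler's report or the dataset), the sketch below shows why a reverse-formatted hostname simplifies indexing and how a per-record hash removes duplicates, from the side of a defender checking which entries fall under their own domain. The records are constructed, and the SHA-256 key, the fields hashed, and all function names are assumptions, since the report does not say how the identifier was computed.

```python
import bisect
import hashlib

# Constructed sample records (host, username); no real data.
SAMPLE = [
    ("mail.example.edu", "alice"),
    ("Mail.Example.edu", "Alice "),    # duplicate once normalised
    ("example.edu", "bob"),
    ("sso.example.edu", "carol"),
    ("notexample.edu", "dave"),        # naive suffix match would hit this
    ("example-alumni.edu", "erin"),    # sorts between example and example.*
    ("accounts.example.com", "frank"),
]

def reverse_host(host: str) -> str:
    """'mail.example.edu' -> 'edu.example.mail' (labels reversed, lowercased)."""
    return ".".join(reversed(host.strip().lower().rstrip(".").split(".")))

def record_id(host: str, username: str) -> str:
    """Assumed duplicate key: SHA-256 over normalised host and username."""
    data = f"{reverse_host(host)}\x00{username.strip().lower()}".encode()
    return hashlib.sha256(data).hexdigest()

def build_index(records):
    """Drop duplicates by record_id; return sorted (reversed_host, username)."""
    seen, index = set(), []
    for host, user in records:
        rid = record_id(host, user)
        if rid not in seen:
            seen.add(rid)
            index.append((reverse_host(host), user.strip().lower()))
    return sorted(index)

def _span(index, lo_key, hi_key):
    return index[bisect.bisect_left(index, (lo_key,)):bisect.bisect_left(index, (hi_key,))]

def exposed_under(index, domain: str):
    """Entries for `domain` and its subdomains, found by sorted range lookups."""
    p = reverse_host(domain)
    # Exact host first, then subdomains: keys in [p + ".", p + "/"), because
    # "/" is the character after "."; this respects label boundaries.
    return _span(index, p, p + "\x00") + _span(index, p + ".", p + "/")

if __name__ == "__main__":
    print(exposed_under(build_index(SAMPLE), "example.edu"))
```

Because matching is done on whole labels of the reversed name, `notexample.edu` and `example-alumni.edu` are not reported for `example.edu`, which a plain "ends with" check on the original hostname would get wrong.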

Despite reporting the exposure to the cloud hosting provider, Fowler said it took nearly a month and multiple abuse notifications before the database was removed. The hosting provider declined to release any information about the party responsible for maintaining the server.
Gmail accounted for nearly one-third of the compromised records, raising alarms due to its frequent use as a primary identity layer for other services. A Google spokesperson, quoted in Daily Mail, confirmed the authenticity of the dataset but emphasized that it was not the result of a breach of Gmail infrastructure.
“This data represents a compilation of ‘infostealer’ logs, credentials harvested from personal devices by third-party malware, that have been aggregated over time.”

Google said it had implemented automated protections that lock accounts and initiate password resets when exposed credentials are identified. The company continues to monitor this form of external activity across its platform ecosystem.
Records linked to .gov domains were also found in the exposed dataset. Though not all government credentials grant elevated access, even basic accounts can be weaponized through targeted phishing or used to pivot into more secure systems. Cybersecurity professionals have raised concerns that such leaks pose a long-term risk to public sector network integrity.
The leak underscores the limitations of password changes if the infected system remains compromised. Fowler recommended immediate action for anyone suspecting exposure: update all devices, install antivirus tools, review permissions, and monitor for unusual activity. His analysis, published in the ExpressVPN blog, also highlighted that only 66 percent of U.S. adults used antivirus software as of 2025.

Password managers, though useful in preventing reuse and basic keylogging, cannot fully defend against malware that captures clipboard contents or browser session data. Experts suggest enabling multi-factor authentication (MFA) and routinely auditing login histories and active sessions.
The database’s discovery has renewed calls for tighter reporting requirements for infrastructure providers. Despite repeated alerts, the hosting company failed to respond in a timely manner, and it remains unclear how long the database had been exposed prior to discovery. No group has claimed ownership or responsibility for the leaked cache.
