A publicly accessible database containing 149 million stolen usernames and passwords has been taken offline after security researcher Jeremiah Fowler discovered the exposure and alerted the hosting provider. The trove - which Fowler calls a "dream wish list for criminals" - includes 48 million Gmail accounts, 17 million Facebook logins, and credentials for government systems, banks, and cryptocurrency platforms. The database appears to have been assembled using infostealing malware that silently harvests login data from infected devices.
An unsecured database containing 149 million usernames and passwords sat exposed on the internet until security researcher Jeremiah Fowler stumbled upon it and spent a month trying to get it removed. The massive credential trove has now been taken down, but not before Fowler documented what he describes as a cybercriminal's fantasy: login credentials spanning everything from Gmail and Facebook to government portals and cryptocurrency exchanges.
The numbers tell a staggering story. Fowler found 48 million Gmail credentials alongside 17 million Facebook logins and 420,000 accounts for Binance, the cryptocurrency trading platform. But the breach didn't stop at consumer services. Government login credentials from multiple countries sat in the database next to consumer banking portals, credit card accounts, and streaming service logins.
"This is like a dream wish list for criminals because you have so many different types of credentials," Fowler told WIRED. The database was publicly accessible through just a web browser, with no authentication required.
Fowler suspects the massive collection was assembled using infostealing malware - malicious software that infects devices and uses techniques like keylogging to capture everything victims type into websites. The database's structure supports this theory. It appeared designed for automatically indexing large volumes of logs, as if whoever set it up expected to process enormous amounts of incoming data on an ongoing basis.
During the month Fowler spent trying to contact the hosting provider, the database continued to grow. New credentials kept flowing in for services across the digital landscape. Beyond the Gmail accounts, the trove contained roughly four million Yahoo logins, 1.5 million for Microsoft Outlook, 900,000 for Apple's iCloud, and 1.4 million for .edu academic and institutional accounts.
Social media and entertainment platforms took major hits too. The database held about 780,000 TikTok credentials, 100,000 OnlyFans accounts, and 3.4 million Netflix logins. Each entry was automatically classified with a unique identifier that never repeated - a sophisticated system for organizing and searching the stolen data.
"It seemed like it captured anything and everything," Fowler says. "The system seemed to automatically classify each log with an identifier, and these were unique identifiers that didn't reappear. It seemed like the system was organizing the data automatically as it went for easier searching."
That automated organization hints at a commercial operation. While Fowler couldn't determine who owned or operated the database, the structure would make perfect sense for a credential marketplace where cybercriminal customers pay for specific subsets of data based on their particular scams.
Fowler eventually got the database removed by working with the hosting provider, though he's not naming the company publicly. The host turned out to be a global provider that contracts with independent regional affiliates to expand its reach, and this particular database was hosted by a Canadian affiliate. The provider took it down for violating terms of service.
The incident highlights a growing crisis in cybersecurity. Infostealing malware has become a turnkey business model that's flooding the criminal underground with fresh credentials. "Infostealers create a very low barrier of entry for new criminals," Allan Liska, a threat intelligence analyst at security firm Recorded Future, told WIRED. According to research on popular infostealer infrastructure, criminals can rent access for between $200 and $300 monthly.
"For less than a car payment, criminals could potentially gain access to hundreds of thousands of new usernames and passwords a month," Liska explains. That accessibility has turned credential theft from a specialized hacking skill into a commodity service available to anyone willing to pay a modest subscription fee.
The endless flow of exposed databases represents just the visible tip of this ecosystem. Data brokers and cybercriminals are amassing increasingly massive troves of personal information, and infostealing malware makes it simple to automate the collection process. Each new breach raises the stakes - not just for individual users whose accounts get compromised, but for the entire authentication infrastructure that underpins digital services.
For the 149 million accounts exposed in this database, the damage is already done. Those credentials are presumably in criminal hands, even though the public database has been removed. Users who reuse passwords across multiple services face compounded risk, since criminals can test stolen credentials against dozens of platforms to find matches.
What makes this breach particularly dangerous is its breadth. Unlike targeted attacks that focus on a single company or service, this database spans the entire digital ecosystem. A criminal could use it to target victims with highly personalized phishing attacks, take over accounts to launch further scams, or simply sell access to the highest bidders in underground marketplaces.
This massive credential exposure reveals how infostealing malware has industrialized identity theft, turning it into a subscription service accessible to low-skill criminals. The 149 million compromised accounts span every corner of digital life - from email and social media to government portals and cryptocurrency exchanges. Even with this particular database now offline, the credentials are already circulating in criminal networks, and the infostealer infrastructure continues harvesting fresh batches of logins daily. For users, the message is clear: unique passwords across services and multi-factor authentication aren't optional anymore. For enterprises and platforms, this breach underscores the urgent need to detect and respond to credential-based attacks before stolen logins get weaponized at scale.