149 million passwords exposed in massive credential leak

It has been a unsmooth commencement to the twelvemonth for password security. A monolithic database containing 149 cardinal stolen logins and passwords was recovered publically exposed online. 

The information included credentials tied to an estimated 48 cardinal Gmail accounts, on with millions much from fashionable services. Cybersecurity researcher Jeremiah Fowler, who discovered the database, confirmed it was not password-protected oregon encrypted. Anyone who recovered it could person accessed the data. 

Here is what we cognize truthful acold and what you should bash next.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

AI WEARABLE HELPS STROKE SURVIVORS SPEAK AGAIN

A publically exposed database near millions of usernames and passwords accessible to anyone who recovered it online. (Wei Leng Tay/Bloomberg via Getty Images)

What was recovered successful the exposed database

The database contained 149,404,754 unsocial usernames and passwords. It totaled astir 96 GB of earthy credential data. Fowler said the exposed files included email addresses, usernames, passwords and nonstop login URLs for accounts crossed galore platforms. Some records besides showed signs of info-stealing malware, which silently captures credentials from infected devices. 

Importantly, this was not a caller breach of Google, Meta oregon different companies. Instead, the database appears to beryllium a compilation of credentials stolen implicit clip from past breaches and malware infections. That favoritism matters, but the hazard to users remains real.

Which accounts appeared astir often

Based connected estimates shared by Fowler, the pursuing services had the highest fig of credentials successful the exposed database.

• 48 cardinal - Gmail
• 17 cardinal - Facebook
• 6.5 cardinal - Instagram
• 4 cardinal - Yahoo Mail
• 3.4 cardinal - Netflix
• 1.5 cardinal - Outlook
• 1.4 cardinal - .edu email accounts
• 900,000 - iCloud Mail
• 780,000 - TikTok
• 420,000 - Binance
• 100,000 - OnlyFans

Email accounts dominated the dataset, which matters due to the fact that entree to email often unlocks different accounts. A compromised inbox tin beryllium utilized to reset passwords, entree backstage documents, work years of messages and impersonate the relationship holder. That is wherefore Gmail appearing truthful often successful this database raises concerns beyond immoderate azygous service.

SUPER BOWL SCAMS SURGE IN FEBRUARY AND TARGET YOUR DATA

Email accounts appeared astir often successful the leaked data, which is particularly concerning due to the fact that inbox entree tin unlock galore different accounts. (Felix Zahn/Photothek via Getty Images)

Why the exposed database creates superior information risks

This exposed database was not abandoned oregon forgotten. The fig of records accrued portion Fowler was investigating it, which suggests the malware feeding it was inactive active. There was besides nary ownership accusation attached to the database. After aggregate attempts, Fowler reported it straight to the hosting provider. It took astir a period earlier the database was yet taken offline. During that time, anyone with a browser could person searched it. That world raises the stakes for mundane users.

This was not a accepted hack oregon institution breach

Hackers did not interruption into Google oregon Meta systems. Instead, malware infected idiosyncratic devices and harvested login details arsenic radical typed them oregon stored them successful browsers. This benignant of malware is often dispersed done fake bundle updates, malicious email attachments, compromised browser extensions oregon deceptive ads. Once a instrumentality is infected, simply changing passwords does not lick the occupation unless the malware is removed.

TIKTOK AFTER THE US SALE: WHAT CHANGED AND HOW TO USE IT SAFELY

Researchers judge infostealing malware collected the credentials, silently harvesting logins from infected devices implicit time. (Jaap Arriens/NurPhoto via Getty Images)

How to support your accounts aft a monolithic password leak

This is the astir important part. Take these steps adjacent if everything seems good close now. Credential leaks similar this often aboveground weeks oregon months later.

1) Stop reusing passwords immediately

Password reuse is 1 of the biggest risks exposed by this database. If attackers get 1 moving login, they often trial it crossed dozens of sites automatically. Change reused passwords first, starting with email, fiscal and unreality accounts. Each relationship should person its ain unsocial password. Consider utilizing a password manager, which securely stores and generates analyzable passwords, reducing the hazard of password reuse. 

Next, spot if your email has been exposed successful past breaches. Our No. 1 password manager prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2026 at Cyberguy.com.

2) Switch to passkeys wherever available

Passkeys regenerate passwords with device-based authentication tied to biometrics oregon hardware. That means determination is thing for malware to steal. Gmail and galore large platforms already enactment passkeys, and adoption is increasing fast. Turning them connected present removes a large onslaught surface.

3) Enable two-factor authentication connected each account

Two-factor authentication (2FA) adds a 2nd checkpoint, adjacent if a password is exposed. Use authenticator apps oregon hardware keys alternatively of SMS erstwhile possible. This measurement unsocial tin halt astir relationship takeover attempts tied to stolen credentials.

4) Scan devices for malware with beardown antivirus software

Changing passwords volition not assistance if malware is inactive connected your device. Install beardown antivirus bundle and tally a afloat strategy scan. Remove thing flagged arsenic suspicious earlier updating passwords oregon information settings. Keep your operating strategy and browsers afloat updated arsenic well.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2026 antivirus extortion winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

5) Review relationship enactment and login history

Most large services amusement caller login locations, devices and sessions. Look for unfamiliar activity, particularly logins from caller countries oregon devices. Sign retired of each sessions if the enactment is disposable and reset credentials close distant if thing looks off.

6) Use a information removal work to trim exposure

Stolen credentials often get combined with information scraped from information broker sites. These profiles tin see addresses, telephone numbers, relatives and enactment history. Using a information removal work helps trim the magnitude of idiosyncratic accusation criminals tin brace with leaked logins. Less exposed information makes phishing and impersonation attacks harder to propulsion off.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

7) Close accounts you nary longer use

Old accounts are casual targets due to the fact that radical hide to unafraid them. Close unused services and delete accounts tied to outdated app subscriptions oregon trials. Fewer accounts mean less chances for attackers to get in.

Kurt's cardinal takeaways

This exposed database is different reminder that credential theft has go an industrial-scale operation. Criminals determination accelerated and often prioritize velocity implicit security. The bully quality is that elemental steps inactive work. Unique passwords, beardown authentication, malware extortion and basal cyber hygiene spell a agelong way. Do not panic, but bash not disregard this either.

If your email relationship was compromised today, however galore different accounts would autumn with it? Let america cognize by penning to america at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – escaped erstwhile you articulation my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All rights reserved.