Cybersecurity Researcher Jeremiah Fowler uncovered a data leak of 149 million logins and passwords, and shared his findings with ExpressVPN. We are publishing his report to help the public stay informed and protected as part of our ongoing effort to highlight important security risks. The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts. This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware. When data is collected, stolen, or harvested it must be stored somewhere and a cloud based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches. The database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals. The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable. These ranged from social media platforms such as Facebook, Instagram, Tiktok and X (formerly Twitter), as well as dating sites or apps, and OnlyFans accounts indicating login paths of both creators and customers. I also saw a large number of streaming and entertainment accounts, including Netflix, HBOmax, DisneyPlus, Roblox, and more. Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed. One serious concern was the presence of credentials associated with .gov domains from numerous countries. While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user. Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks. The database had no associated ownership information so I reported it directly to the hosting provider via their online report abuse form. I received a reply several days later stating that they do not host the IP and it is a subsidiary that operates independently while still using the parent organization's name. It took nearly a month and multiple attempts before action was finally taken and the hosting was suspended and millions of stolen login credentials were no longer accessible. The hosting provider would not disclose any additional information regarding who managed the database, it is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes or how or why the database was publicly exposed. It is not known how long the database was exposed before I discovered and reported it or others may have gained access to it. One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available. The database appeared to store keylogging and “infostealer” malware, a type of malicious software designed to silently harvest credentials from infected devices. These files were different from previous infostealer malware datasets that I have seen because it logged additional information. The records also included the “host_reversed path” formatted as (com.example.user.machine). This structure is used to create an easily indexable way to organize the stolen data by victim and source. Reversing the hostname can also help avoid directory conflicts or as an attempt to bypass basic detection rules that look for standard domain formats. The system used a line hash as the document ID to ensure one unique record per unique log line. In a limited search of these hash and document IDs it was identified that they were indeed unique and returned no duplicates. The exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed. Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more. This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services. For more visit Our Forum.