Overview
- Security researcher Jeremiah Fowler found a 96 GB database containing about 149,404,754 unique usernames and passwords spanning email, social media, streaming, gaming, crypto, banking, and some government accounts.
- The trove included an estimated 48 million Gmail, 17 million Facebook, 6.5 million Instagram, 4 million Yahoo, 3.4 million Netflix, 1.5 million Outlook, 900,000 iCloud, and roughly 420,000 Binance credentials.
- The database was publicly accessible and searchable in a web browser, appeared structured for indexing with unique identifiers and reverse domain labeling, and kept growing as Fowler escalated takedown reports.
- A regional affiliate in Canada suspended the hosting after about a month, the operators remain unidentified, and the data may have been copied, heightening risks of credential-stuffing, fraud, and account takeover.
- Experts attribute the cache to infostealing malware and recommend unique passwords or passkeys, password managers, multi-factor authentication, and device updates and scans if compromise is suspected.