A massive credential database containing 149.4 million exposed logins and passwords was found in an unprotected, unencrypted cloud repository. Cybersecurity researcher Jeremiah Fowler discovered the exposure, reported his findings to ExpressVPN, and found that the dataset held a vast collection of stolen accounts from major platforms, including Facebook, Instagram, Gmail, and government systems. The raw dataset, 96 GB of credential data, was publicly accessible without encryption or password protection.
Thousands of files with emails, usernames, passwords, and direct login URLs were indexed by the database, giving attackers all they needed to start automated credential-stuffing campaigns.
Exposed Accounts' Scope

Credentials from social media, financial, and entertainment platforms were captured in the breach, an unprecedented collection of infostealer malware output.

Email service providers (primary targets):
- 48 million Gmail accounts
- 4 million Yahoo accounts
- 1.5 million Outlook accounts
- 900,000 iCloud accounts
- 1.4 million accounts on .edu domains

Principal platforms compromised:
- 17 million Facebook accounts
- 6.5 million Instagram accounts
- 3.4 million Netflix accounts
- 780,000 TikTok accounts
- 420,000 Binance accounts
- 100,000 OnlyFans accounts

The database notably contained credentials linked to .gov domains from several nations, which poses a serious threat to national security. Compromised government accounts could facilitate targeted spear-phishing, network infiltration, or impersonation attacks against government infrastructure. Analysis shows that the stored infostealer output is organized by victim and source using "host_reversed" paths (for example, com.example.user.machine).
Efficient indexing is made possible by this formatting, which may also get around detection rules that target common domain formats. To avoid duplication, each record contained distinct line hashes as document identifiers. Anyone could instantly access millions of credentials because the database could be searched using simple web browser queries without the need for specialized tools or authentication.
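The two structural details above, host-reversed path keys and per-line hashes used as document identifiers, are what a defender has to handle when triaging such a dump to work out which of their own domains are affected. The following is an added example, not code from the article or from the researcher: it normalizes a reversed-host key back to a registrable domain, deduplicates records by SHA-256 line hash, counts distinct records per watchlisted domain, and shows why a detection rule written for the usual "example.com" spelling sees nothing in the reversed form. The sample records are constructed placeholders, and the assumption that the first two labels of a key are the reversed registrable domain is mine.

```python
import hashlib
import re

# Constructed sample records in the shape the article describes: each record is
# keyed by a host-reversed path ("com.example.user.machine") and carries one
# credential line. All values are invented placeholders, not data from the dump.
SAMPLE_RECORDS = [
    ("com.example.alice.laptop-01", "https://mail.example.com/login|alice@example.com|<placeholder>"),
    ("com.example.alice.laptop-01", "https://mail.example.com/login|alice@example.com|<placeholder>"),  # exact duplicate
    ("gov.agency.bob.desk-7", "https://portal.agency.gov/|bob@agency.gov|<placeholder>"),
    ("com.otherco.carol.pc", "https://app.otherco.com/|carol|<placeholder>"),
]

# A typical detection rule keyed on the normal "label.tld" spelling of a domain.
NAIVE_DOMAIN_RE = re.compile(r"\b[a-z0-9-]+\.(com|gov|edu|org)\b")


def reversed_host_to_domain(path):
    """Turn 'com.example.user.machine' into 'example.com'.

    Assumption (mine, not the article's): the first two labels are the reversed
    registrable domain and the remaining labels identify victim and source.
    """
    labels = path.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a host-reversed path: {path!r}")
    return ".".join(reversed(labels[:2]))


def line_hash(line):
    """Per-line SHA-256 digest, the kind of identifier the dump used for dedup."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def dedupe(records):
    """Drop records whose credential line hashes to one already seen."""
    seen = set()
    unique = []
    for key, line in records:
        digest = line_hash(line)
        if digest in seen:
            continue
        seen.add(digest)
        unique.append((key, digest, line))
    return unique


def naive_domain_hits(keys):
    """What a rule written for 'example.com' sees when fed reversed-host keys."""
    return [k for k in keys if NAIVE_DOMAIN_RE.search(k)]


def affected_domains(records, watchlist):
    """Map each watchlisted domain to the number of distinct records that name it."""
    counts = {domain: 0 for domain in watchlist}
    for key, _digest, _line in dedupe(records):
        domain = reversed_host_to_domain(key)
        if domain in counts:
            counts[domain] += 1
    return counts


if __name__ == "__main__":
    keys = [k for k, _ in SAMPLE_RECORDS]
    print("naive rule hits on reversed keys:", naive_domain_hits(keys))
    print("distinct records:", len(dedupe(SAMPLE_RECORDS)))
    print("per-domain exposure:", affected_domains(SAMPLE_RECORDS, ["example.com", "agency.gov"]))
```

Run stand-alone, the naive rule returns no hits on any of the reversed keys, while the normalized view reports one distinct record each for example.com and agency.gov after the duplicate line is collapsed. A watchlist check of this kind is what lets an organization move from "our domain appears in the dump" to a concrete count of accounts to reset and notify.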
Fowler encountered considerable delays when reporting the discovery to the hosting provider through its abuse channels. At first, the provider denied any responsibility, claiming that the IP was operated by a subsidiary that used the parent company's name. It took almost a month and several escalations before the database was eventually suspended. Unsettlingly, the number of records grew between discovery and removal, indicating that others may have been accessing the data.
For impacted users, the exposure poses serious risks:
- credential-based attacks that compromise enterprise systems, financial services, and email
- automated account takeovers using working usernames and passwords
- financial fraud and identity theft exploiting compromised banking data
- phishing campaigns that use genuine accounts and services to boost their efficacy

Affected users should enable multi-factor authentication right away, review login histories for unusual activity, change all account passwords, and install antivirus software. Organizations need rapid response procedures for responsible-disclosure reports, enforced encryption standards for credential storage, and human-monitored abuse reporting channels.
The discovery highlights a crucial paradox: cybercriminals put operational speed ahead of security, leaving valuable stolen data unprotected. Researchers continue to use this weakness to reveal and disrupt criminal infrastructure.