Cybersecurity researchers have uncovered a massive online data exposure involving more than 149 million login credentials linked to widely used services including Facebook, Instagram, Gmail, Netflix, TikTok and Binance, raising fresh concerns over digital security and user privacy.
The exposed data was discovered by cybersecurity researcher Jeremiah Fowler, in collaboration with ExpressVPN, who identified a misconfigured cloud database that had been left openly accessible without encryption or authentication. According to researchers, the database could be accessed using nothing more than a standard web browser.
ExpressVPN’s analysis showed the database contained 149,404,754 unique records, totalling nearly 96 gigabytes of raw data. The information included email addresses, usernames, passwords and direct login URLs linked to dozens of everyday online services.
A preliminary breakdown of affected email accounts suggests the scale of the exposure was particularly severe for major providers, with an estimated 48 million Gmail accounts, 4 million Yahoo accounts, 1.5 million Outlook accounts, and nearly 900,000 iCloud addresses included. Credentials tied to educational institutions and other domains were also identified.
Researchers also found millions of credentials associated with popular digital platforms, including Facebook (17 million), Instagram (6.5 million), Netflix (3.4 million), TikTok (780,000), OnlyFans (100,000) and Binance (420,000), indicating the broad reach of the dataset.
Security analysts believe the data was collected using infostealer malware, a type of malicious software that silently extracts saved passwords, cookies and session data from infected devices. The stolen information is typically aggregated and sold or reused for cybercrime. In this case, investigators said the unsecured database continued to grow, suggesting new victims were being added over time.
Experts warned that breaches of this magnitude significantly increase the risk of account takeovers, identity theft, financial fraud and targeted phishing attacks, particularly as many users reuse passwords across multiple services. Email accounts are considered especially sensitive, as access can enable attackers to reset passwords for banking, workplace and social media accounts.
Researchers stressed that there is no evidence of a direct breach of the internal systems of Google, Meta, Netflix or other named platforms. The exposure appears to stem from compromised user devices rather than corporate servers. Nevertheless, the impact on individuals remains severe.
Cybersecurity specialists urged users to immediately change passwords, enable two-factor authentication, and avoid reusing login credentials across services to reduce the risk of further compromise.



