
149 Million Passwords Leaked: Binance Users and Government Sector Under Attack

96 GB of sensitive data remained exposed for a month while the hosting provider ignored reports regarding infostealer activity.


nft.eu

Cybersecurity researcher Jeremiah Fowler discovered an unprotected database containing over 149 million unique login and password records. The database was unencrypted and required no password for access. The compromised data includes accounts for crypto exchanges, social networks, and government portals.

Inside the 96 GB dataset, researchers found thousands of files containing email addresses, passwords, and direct links to login pages. For the crypto community, the situation is alarming: the sample includes 420,000 Binance accounts.

Fowler also identified credentials for other trading platforms, crypto wallets, and banking apps. The direct login URLs make these records easier to abuse: with a ready-made “login-password-link” combo, attackers can automate account takeovers and skip the manual search for the correct service portal.

How the Scheme Worked

The leak stems from active malicious software known as infostealers. The malware infected victims’ devices, harvested data, and transmitted it to this cloud storage instance.

The file structure points to a sophisticated operation. The record format allows operators to easily sort stolen data by specific victim and source while bypassing basic security algorithms that scan for standard domain names. The system also used string hashing to eliminate duplicates, ensuring the database contained only unique data.

The Scale

The victims are spread globally. Beyond crypto traders, users of mainstream platforms were hit hard:

  • Gmail — 48 M accounts
  • Facebook — 17 M
  • Instagram — 6.5 M
  • Netflix — 3.4 M

A critical issue is the exposure of credentials from .gov domains across various nations. This creates vectors for espionage, phishing, and infiltration of internal government networks.

Slow Provider Response

The database had no ownership info but was hosted by a specific provider. Fowler filed a formal abuse report but received a reply only days later. The company claimed the IP was managed by a subsidiary operating independently.

During this bureaucratic delay, the database continued to grow in real time. The record count increased right before the researcher’s eyes. It took nearly a month to block access. It remains unknown who managed the server or how many criminals downloaded the archive before the shutdown.

How to Protect Your Data

Fowler and ExpressVPN experts warn that simply changing passwords is insufficient. If an infostealer is still active on the device, it will capture the new credentials immediately.

First, scrub the system with antivirus software, update the OS, and audit browser extensions. Only after the malware is removed should you change passwords and enable two-factor authentication wherever possible.
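The "audit browser extensions" step can be done systematically. The Python sketch below is an added example, not part of the original article or of Fowler's report; it assumes a Chromium-style profile layout, and the function names, the permission shortlist and the two sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or change every page the user opens.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that expose sessions, clipboard or browsing data.
SENSITIVE = {"cookies", "webRequest", "clipboardRead", "history", "debugger", "nativeMessaging"}

def audit_extensions(profile_dir):
    """Return one finding per extension; review=True means inspect it by hand."""
    findings = []
    # Chromium layout: <profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        entry = {"id": manifest.parts[-3], "name": "(unreadable manifest)",
                 "broad_hosts": [], "sensitive": [], "review": True}
        findings.append(entry)
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            continue  # cannot be inspected, so it stays flagged for review
        # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
        declared = [p for key in ("permissions", "optional_permissions", "host_permissions")
                    for p in data.get(key, []) if isinstance(p, str)]
        for script in data.get("content_scripts", []):
            declared += script.get("matches", [])
        entry["name"] = str(data.get("name", "?"))
        entry["broad_hosts"] = sorted(set(declared) & BROAD_HOSTS)
        entry["sensitive"] = sorted(set(declared) & SENSITIVE)
        entry["review"] = bool(entry["broad_hosts"] or entry["sensitive"])
    return sorted(findings, key=lambda f: (not f["review"], f["name"]))

def build_sample_profile():
    root = Path(tempfile.mkdtemp())
    samples = {  # constructed manifests, not real extensions
        "aaaaconstructedid": {"name": "Constructed Coupon Helper",
                              "permissions": ["cookies", "webRequest", "<all_urls>"]},
        "bbbbconstructedid": {"name": "Constructed Dark Theme", "permissions": ["storage"],
                              "host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        target = root / "Extensions" / ext_id / "1.0_0"
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    print(*audit_extensions(build_sample_profile()), sep="\n")
```

On a real machine, pass the browser profile directory instead of the sample, for example `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows. Anything flagged that you do not recognize or no longer use should be removed before passwords are changed.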
