A jaw-dropping trove of 149 million login credentials — including millions of Gmail and Facebook passwords — was recently found sitting in a publicly accessible database, but this isn’t another blockbuster hack of Google or Meta’s fortress-like systems. Instead, it was the result of malware quietly harvesting credentials from infected devices over time, compiling them into a massive cache that anyone with a browser could access. Wondering how that was even possible? Keep reading to uncover how infostealer malware works, where it hides, and what this alarming leak reveals about the unseen risks lurking on your everyday device.
Unpacking the massive login credential leak
Cybersecurity researcher Jeremiah Fowler recently discovered a digital treasure chest for cybercriminals, sitting wide open on the public web. The database contained 96 GB of raw, sensitive data. Unlike a typical encrypted file, this 149-million-record cache was completely visible to anyone with an internet connection—no password or special decryption required.
A comprehensive toolkit for identity theft, this set of stolen files contained a lethal combination of email addresses, usernames, plain-text passwords, and even the direct login URLs for the specific platforms being targeted. While the leak spanned hundreds of platforms, the sheer volume of credentials for major household names is staggering. Based on Fowler’s analysis, the platforms most heavily represented in the exposed dataset included:
- Gmail: 48,000,000
- Facebook: 17,000,000
- Instagram: 6,500,000
- Yahoo Mail: 4,000,000
- Netflix: 3,400,000
- Outlook: 1,500,000
- .edu (Academic) Accounts: 1,400,000
- iCloud Mail: 900,000
- TikTok: 780,000
- Binance: 420,000
- OnlyFans: 100,000
The most alarming takeaway from this dataset isn’t just the sheer number of passwords, but also the dominance of email accounts. With over 50 million combined records from Gmail, Outlook, Yahoo, and iCloud, hackers have more than just a login; they have a master key to your entire digital existence. When a criminal gains access to your primary inbox, the domino effect begins:
- Password resets: They can trigger reset links for your bank, health insurance, and social media.
- Identity impersonation: They can send convincing messages to your contacts to spread further malware.
- Data mining: Years of private documents, tax returns, and travel itineraries stored in your folders become an open book.
Tracing the source of the leak
This massive collection of stolen logins didn’t come from a fresh hack of Google, Meta, or any other major platform. Instead, it’s a patchwork of credentials gathered over time from older breaches and malware infections. The logins were siphoned from infected devices, with malware capturing passwords as users typed them or pulling them from saved browser credentials. This type of malware spreads through phony software updates, infected email attachments, compromised browser extensions, or misleading online ads.
As Fowler dug into the database, the number of credentials kept growing, indicating that the malware feeding it was still operational. Even after Fowler reported the database to the hosting provider, it remained online for nearly a month, giving potential attackers plenty of time to comb through it. The prolonged exposure shows just how serious the threat from malware-collected credentials can be for everyday users.
How to protect yourself from malware-collected login leaks
1. Keep devices and software updated
Only install official updates from trusted sources. Malware often spreads through fake software updates or malicious downloads. Regularly patching your operating system, browsers, and apps reduces the risk of infection.
2. Use strong, unique passwords for every account
Avoid reusing passwords across platforms. Even if malware steals one login, other accounts remain protected. Consider using a reputable password manager to generate and securely store strong passwords.
3. Switch to passkeys where available
Passkeys replace traditional passwords with device-based authentication linked to biometrics or hardware keys. Since there’s no password to type or store, malware has nothing to capture. Platforms like Gmail, Apple, and other major services already support passkeys, and adoption is increasing. Enabling them now closes a major entry point for cybercriminals.
4. Enable two-factor authentication (2FA)
Adding an extra verification step, such as a code from an authenticator app or SMS, prevents attackers from accessing your accounts even if they have your password. Gmail, Facebook, and most major services support 2FA.
5. Be cautious with links, attachments, and browser extensions
Malware often enters devices via malicious email attachments, deceptive ads, or compromised browser extensions. Only open attachments from known senders and verify suspicious links before clicking. Remove extensions you don’t use or don’t trust.
6. Regularly scan for malware and monitor your accounts
Use reputable antivirus or anti-malware software to detect and remove infections. Simply changing passwords won’t stop malware that is actively logging your keystrokes or harvesting stored credentials. Keep an eye out for unusual login alerts or unexpected password reset requests, and take immediate action if you suspect a compromise.
Source: CyberGuy
