149M Infostealer Credentials Exposed in Unsecured Database
A newly published incident report describes a massive credential exposure involving 149,404,754 unique logins and passwords stored in a publicly accessible database. Cybersecurity researcher Jeremiah Fowler says the dataset was not password-protected and not encrypted, and it contained about 96 GB of raw credential data. In addition to usernames and passwords, many records also included the exact login URLs, which can speed up automated account takeover attempts.
(Image: database size and record count. Source: expressvpn.com)
What was exposed
Fowler reports that the database included credentials tied to a wide range of services. These included major email providers, social platforms, streaming services, dating apps, adult platforms, and financial services such as crypto and banking logins. He also observed credentials tied to .gov domains from multiple countries, which raises the risk of targeted phishing and potential access attempts against government-linked accounts.
The dataset format also stood out. Fowler says the records included a “host_reversed path” structure, formatted like (com.example.user.machine). This structure helps index and organize stolen logs for easy searching. He also states the system used unique hashes to avoid duplicates and improve searchability.
How attackers likely collected the data
The report ties the exposure to infostealer and keylogging malware. Infostealers typically harvest credentials from infected endpoints by capturing keystrokes, scraping browser-stored data, stealing session cookies, or collecting form data. The database’s indexing structure suggests it was built to handle large volumes of stolen logs and to support fast querying.
(Image: searchable index viewed in a browser. Source: expressvpn.com)
Takedown and timeline
Fowler says the database had no ownership details, so he reported it directly to the hosting provider. He describes a slow process that took nearly a month before the host suspended access. He also notes something important for defenders: the record count increased between discovery and takedown, which suggests ongoing ingestion of new credential logs during that period.
Authenticity and “Is it old or new”
The exposure and its disclosure are new events. The report itself is dated 23.01.2026, and multiple independent outlets reported the same core numbers and details within the same timeframe, which strongly supports authenticity.
However, the credentials inside the database likely include both old and new data. Infostealer logs often contain historic credentials harvested over time. At the same time, Fowler’s note that the database continued growing during the month-long exposure indicates the collection also received freshly added records. So the exposure is recent, but the contents are probably a mix of older stolen credentials and newly harvested ones.
Why this matters to cybersecurity teams
This type of dataset fuels three high-impact threats:
- Credential stuffing at scale because the dataset includes login URLs and common services.
- Spear-phishing based on real account ownership signals, especially when .gov or enterprise-related accounts appear.
- Session hijacking and follow-on compromise if infostealer logs also include tokens, cookies, or browser artifacts.
What to do now
If you manage user accounts or security operations, prioritize these steps: enforce MFA, block password reuse, monitor for credential stuffing, and hunt for infostealer infections on endpoints. For individuals, rotate passwords for email and financial accounts first, enable MFA, and if you suspect an infection, run a full malware scan before changing passwords, since a still-active infostealer would simply capture the new credentials as well.
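To make the "monitor for credential stuffing" step concrete, here is an added example (not code from the report or from ExpressVPN) of a small detector run over constructed authentication log lines. Stuffing with a dump like this one replays many different username/password pairs against a known login URL, so the signal is one source failing logins for many distinct accounts in a short window, which is different from a single user mistyping their own password. The log format, timestamps and IP addresses are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2026-01-23T10:00:01 203.0.113.7 alice FAIL
2026-01-23T10:00:02 203.0.113.7 bob FAIL
2026-01-23T10:00:02 203.0.113.7 carol FAIL
2026-01-23T10:00:03 203.0.113.7 dave FAIL
2026-01-23T10:00:03 203.0.113.7 erin FAIL
2026-01-23T10:00:04 203.0.113.7 frank SUCCESS
2026-01-23T10:00:05 198.51.100.2 alice FAIL
2026-01-23T10:00:09 198.51.100.2 alice FAIL
2026-01-23T10:00:15 198.51.100.2 alice SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5):
    """Flag source IPs that failed logins for at least `min_users` distinct
    accounts inside any `window`-long span. For each flagged source, also list
    accounts that logged in successfully from it: those are the likely
    takeovers and should be reset first. A single account failing repeatedly
    (a user retrying their own password) is deliberately not flagged.
    Note: real stuffing campaigns rotate IPs, so in production key this on
    ASN, device fingerprint or target URL as well as source address."""
    events = defaultdict(list)  # src_ip -> [(ts, user, result)]
    for raw in log_text.splitlines():
        ts, ip, user, result = parse_line(raw)
        events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored at each failure; count distinct users in it.
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits = sorted({u for _, u, r in evs if r == "SUCCESS"})
                flagged[ip] = {"distinct_failed_users": len(users),
                               "succeeded_users": hits}
                break
    return flagged
```

Running `detect_stuffing(SAMPLE_LOG)` flags only 203.0.113.7 (five distinct accounts failed within three seconds, with "frank" succeeding afterwards), while 198.51.100.2 is ignored because only one account was involved.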
For a more detailed breakdown of the exposure and what was found, read the full report here.