A dataset of more than 149 million login credentials, likely sourced from infostealers, was found to be exposed on the internet, ExpressVPN reported Friday.
The database containing 96 GB of unencrypted data was discovered by cybersecurity researcher Jeremiah Fowler, who noted the information was not password-protected and could have been accessed by anyone over the web.
“This reported dataset matters less because of its size and more because of what it represents operationally. This is not a breach in the traditional sense, and it is not evidence of a single failure. It is the byproduct of an ecosystem that continuously harvests credentials from endpoints and quietly accumulates access over time,” Shane Barney, CISO at Keeper Security, said in comments to SC Media.
Gmail login details made up the largest chunk of the data, with 48 million logins included. Other email accounts affected included 4 million Yahoo accounts, 1.5 million Outlook accounts, 900,000 iCloud accounts and 1.4 million .edu email addresses.
Social media accounts also made up a significant portion of the data, including 17 million Facebook accounts and 6.5 million Instagram accounts. Financial accounts such as crypto wallets, trading accounts, banking logins and credit card logins were also spotted in the data, with 420,000 Binance login details exposed.
Logins for WordPress, Coinbase, TikTok, X, Netflix, HBOmax, DisneyPlus, Roblox and OnlyFans were also seen by Fowler, who noted he took limited screenshots of the data to document his findings and did not download or retain any of the data. Instead, he was able to estimate the number of accounts affected for each platform because the database was easily searchable from a web browser.
Fowler noted that several credentials from .gov domains from around the world were included in the database, raising concerns about potential risks to sensitive government systems.
The data most likely originated from infostealer malware, according to Fowler. However, the database differed from infostealer datasets he had previously observed in that it included additional fields, such as the hostname stored in a reversed format and a per-line hash identifying each unique record, Fowler said.
“Infostealer breaches like this do not just expose isolated accounts, they create a long-term attack surface that gives cybercriminals opportunities across every aspect of our digital lives,” Boris Cipot, senior security engineer at Black Duck, told SC Media in an email. “Organisations and individuals alike must assume that usernames and passwords are constantly at risk and adopt layered defences accordingly.”
Fowler reached out to the hosting provider for the database site to have it taken down, noting that it took nearly a month before the site was removed. He observed that the number of records in the database continued to increase between the time he discovered it and the time it went down. No information about the owner of the site could be uncovered during Fowler’s research.
Fowler recommended users take measures to secure their devices against infostealer infections, for example, by using antivirus software, reviewing app permissions on mobile devices and reviewing programs, browser extensions and running processes on computers.
“Infostealing malware can come from a variety of sources like sideloading applications, jailbreaking, vulnerabilities/exploits etc. Users should only use verified sources for applications (AppStore) and on applicable devices, ensure they are running anti-virus solutions with the latest updates,” Morey Haber, chief security advisor at BeyondTrust, told SC Media.
Fowler also emphasized the importance of multifactor authentication (MFA) and basic cyber hygiene such as using strong, unique passwords for each account.