In late January 2026, a significant cybersecurity incident came to light involving the exposure of approximately 149 million usernames and passwords from various online accounts.  This wasn’t a direct hack of a single company but rather an unsecured online database containing stolen credentials, likely aggregated from infostealer malware that infects devices and captures login information through methods like keylogging. 

Key Details of the Exposure

•  Discovery and Shutdown: The database was found by security researcher Jeremiah Fowler, who monitored it for about a month and noted it was still growing with new entries. He reported it to the hosting provider, leading to its removal for violating terms of service.  

•  Affected Platforms: The leaked data spanned numerous services, including:

•  48 million Gmail accounts

•  17 million Facebook accounts

•  4 million Yahoo accounts

•  1.5 million Microsoft Outlook accounts

•  900,000 Apple iCloud accounts

•  780,000 TikTok accounts

•  420,000 Binance accounts

•  100,000 OnlyFans accounts

•  3.4 million Netflix accounts

•  Plus logins for banking, credit cards, government systems from multiple countries, .edu academic accounts (1.4 million), Roblox, dating sites, and media streaming platforms.   

•  How It Happened: The database was publicly accessible via a web browser, organized with unique identifiers for easy querying—making it a potential “dream wish list” for cybercriminals. It totaled around 96GB and was left unprotected in the cloud.  

Potential Risks

This exposure heightens the danger of credential stuffing attacks, where hackers try the stolen logins on other sites, as well as scams, identity theft, and unauthorized access to sensitive accounts like banking or government systems. If your device was infected with malware, additional personal data beyond logins could be compromised.  

What Users Should Do

•  Change Passwords: Immediately update passwords for any potentially affected accounts, using strong, unique ones for each service.

•  Enable Two-Factor Authentication (2FA): Turn this on wherever possible to add an extra layer of security.

•  Monitor Accounts: Check for unusual activity and use tools like Have I Been Pwned? to see if your email was involved in known breaches.

•  Protect Devices: Run antivirus scans to detect and remove infostealer malware, and avoid clicking suspicious links or downloading unverified software.  

This incident underscores the ongoing threat of malware-driven data theft, with reports indicating it’s part of a broader pattern of credential leaks.  Recent discussions on X highlight widespread concern, with alerts from news outlets urging users to act quickly.   If you’re in Lucknow or elsewhere in India, local cybersecurity advisories may also apply, but the impact is global.