149M passwords leaked! Check if your online accounts are safe
24 Jan 2026




A massive exposure of over 149 million unique usernames and passwords, including those of Instagram, Gmail, and OnlyFans accounts, was discovered.


The leak was discovered by cybersecurity researcher Jeremiah Fowler.


He found the data in an unprotected database that was left open without any password or encryption.


The exposed records included logins for almost every major online service imaginable.




Extensive range of services affected by the breach
Service impact




The data leak affected a wide range of online services, from social media platforms like Facebook, Instagram, TikTok, and X to dating sites and OnlyFans accounts.


Streaming and entertainment services such as Netflix, HBO Max, Disney+, and Roblox were also impacted.


Financial service accounts, including crypto wallets and banking logins, were compromised too.


Even government domain credentials (.gov) from multiple countries were exposed in this massive breach.




Breakdown of compromised accounts in the data leak
Account details




Fowler estimates that around 48 million Gmail accounts, four million Yahoo accounts, and 1.5 million Outlook accounts were part of the data leak.


The database also had logins for 17 million Facebook accounts, 6.5 million Instagram accounts, and 780k TikTok accounts.


Around 3.4 million Netflix account credentials were exposed in this breach along with those from HBO Max, Disney+, and Roblox platforms.




Infostealer malware suspected in massive data leak
Malware involvement




Fowler suspects that the database was created by 'infostealer' malware, a type of malicious software designed to silently infect devices and harvest credentials.


He noted in his report, "When data is collected, stolen or harvested it must be stored somewhere and a cloud-based repository is usually the best solution."


"This discovery shows even cybercriminals aren't immune to data breaches," Fowler added.




Hosting provider's delayed response and increasing records
Response delay




Fowler reported the database to its hosting provider, but it took them a month to suspend access.


During this time, the number of records actually increased, suggesting that malware was adding more stolen data to the repository.


This highlights how quickly sensitive information can be compromised and underscores the importance of timely action in such cases.




Password changes alone may not be enough
Protection advice




Fowler warns that simply changing your passwords may not be enough to protect you from infostealer malware.


He suggests a few ways to protect yourself online, including scanning for malware, using a password manager, and enabling two-factor authentication or biometric protections on accounts.


He also advises against reusing passwords across different sites, apps, and services, as this can increase vulnerability in case of data breaches.
