In an alarming data leak, over 149 million unique logins and passwords have been exposed online in a publicly accessible database. Discovered by cybersecurity researcher Jeremiah Fowler, the unsecured repository contained credentials harvested by infostealer malware, affecting users across various platforms worldwide.
Passwords of which websites have leaked online?
The database, which was not password-protected or encrypted, held 149,404,754 unique logins and passwords, amounting to 96GB of raw data. It included emails, usernames, passwords, and direct links to login pages for numerous services. Breakdowns show significant impacts on popular email providers - approximately 48 million Gmail accounts, 4 million Yahoo, 1.5 million Outlook, and 900,000 iCloud. Additionally, 1.4 million .edu accounts were compromised, alongside government credentials from .gov domains in multiple countries.
Among the hardest hit are social media and entertainment services. Facebook tops the list with 17 million affected logins, followed by Instagram at 6.5 million, TikTok with 780,000, and X also impacted. Streaming platforms like Netflix (3.4 million), HBO Max, and Disney+ were targeted, as was Roblox. Other categories include dating sites, OnlyFans (100,000 accounts, including creators and customers), financial services such as banking and crypto wallets (e.g., Binance with 420,000), and WordPress administrative logins.
Potential risks of this leak
While the database containing all the information has since been taken offline, any data that was accessed while it was exposed poses severe threats. This includes credential-stuffing attacks, in which attackers automate login attempts across many sites with the leaked pairs to commit fraud. Risks extend to identity theft, financial crimes, and phishing scams that appear legitimate. Government credentials could enable spear-phishing or impersonation, raising national security concerns, while personal data from dating or adult sites might lead to harassment or extortion. Even after removal, the data may have been copied and redistributed.
How to check if you're affected
To determine if your credentials are compromised, start by using the Have I Been Pwned (HIBP) website, a free service run by security expert Troy Hunt. Enter your email address on haveibeenpwned.com to see if it appears in known data breaches, including collections from infostealers. Additionally, review your account login history on affected platforms like Instagram, Netflix, X, or Roblox for suspicious activity, such as unfamiliar locations or devices. Check for unusual failed login attempts and monitor your financial statements for unauthorised transactions.
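HIBP also lets you check whether a specific password appears in its Pwned Passwords corpus without ever sending the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned suffixes locally (k-anonymity). The following is an added example, not code from the article or from HIBP; the sample API response is constructed, and the `check_online` helper assumes network access to `api.pwnedpasswords.com`.

```python
import hashlib
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    hits: dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if count.isdigit():
            hits[suffix.upper()] = int(count)
    return hits


def match_count(password: str, range_body: str) -> int:
    """How often the password occurs in the corpus; 0 means not found.
    With the Add-Padding header the API also returns dummy suffixes with
    count 0, so a 0 result is treated as 'absent' either way."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def check_online(password: str, timeout: float = 10.0) -> int:
    """Live lookup: only the 5-char hash prefix is transmitted (assumes network)."""
    prefix, _ = sha1_prefix_suffix(password)
    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "hibp-range-demo"})
    with urlopen(req, timeout=timeout) as resp:
        return match_count(password, resp.read().decode("utf-8"))


# Constructed sample response for prefix 5BAA6 (a real one has hundreds of lines).
SAMPLE_RANGE_BODY = "\n".join([
    "0" * 34 + "1:3",                                  # constructed, unrelated hit
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",     # suffix of SHA-1("password")
    "F" * 35 + ":0",                                   # constructed padding entry
])

if __name__ == "__main__":
    print(match_count("password", SAMPLE_RANGE_BODY))  # 3861493
```

The count value in the sample is illustrative only; the live API returns the current figure for the prefix you query.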
What to do if your password is compromised
If you suspect exposure, act swiftly.
- Scan your device with reputable antivirus software to detect and remove malware.
- Update your operating system and apps to patch vulnerabilities.
- Adopt a password manager for secure storage and enable two-factor authentication (2FA) or biometrics on all accounts.
- Avoid reusing passwords and only install apps from official sources.
- If infected, clean your device before changing passwords, as new ones could be captured otherwise.
- Regularly review app permissions and keyboard settings to prevent unauthorised access.