149 Million Stolen Passwords Exposed: Gmail, Facebook, Netflix, and More at Risk – What You Need to Know Now

By Shiva | 26 Jan 2026 | CloudSutra

In late January 2026, cybersecurity researcher Jeremiah Fowler made a chilling discovery: a massive, completely unprotected online database containing 149 million unique login credentials (usernames paired with plaintext passwords) was sitting openly accessible on the internet.

No login required. No encryption. Just a treasure trove of stolen data, totaling around 96 GB, waiting for anyone (including cybercriminals) to grab.

What Was in the Leak?

The exposed credentials weren't from a fresh hack on big tech companies like Google, Meta, or Netflix. Instead, they came from infostealer malware: sneaky programs that quietly harvest login details from infected computers, browsers, and devices over months or years.

Key numbers from the database (as reported by Fowler, WIRED, PCMag, Forbes, and ExpressVPN):

  • ~48 million Gmail accounts
  • ~17 million Facebook logins
  • ~6.5 million Instagram credentials
  • ~3.4 million Netflix accounts
  • Millions more for Yahoo, Outlook, iCloud, TikTok, Roblox, OnlyFans, dating apps, banking portals, cryptocurrency exchanges (like Binance), and even some financial services.

The data included direct URLs to login pages, making it incredibly easy for attackers to launch automated credential-stuffing attacks — trying these leaked username/password combos on the corresponding sites.

Fowler called it a "cybercriminal’s dream wish list." Once copies of this database spread (which they almost certainly have), thousands of accounts could be compromised in hours.
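On the service side, credential stuffing as described above has a recognizable shape in login logs: one source tries many different accounts only once or twice each, and most attempts fail. The following detector is an added example, not part of the original article or Fowler's research; the log format, the thresholds, and the names `parse` and `detect_stuffing` are assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<time> <source IP> <username> <OK|FAIL>".
# All values are invented; IPs come from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2026-01-27T10:00:01Z 198.51.100.7 alice@example.com FAIL
2026-01-27T10:00:02Z 198.51.100.7 bob@example.com FAIL
2026-01-27T10:00:03Z 198.51.100.7 carol@example.com FAIL
2026-01-27T10:00:04Z 198.51.100.7 dave@example.com FAIL
2026-01-27T10:00:05Z 198.51.100.7 erin@example.com OK
2026-01-27T10:00:06Z 198.51.100.7 frank@example.com FAIL
2026-01-27T10:01:10Z 203.0.113.20 bob@example.com FAIL
2026-01-27T10:01:12Z 203.0.113.20 bob@example.com FAIL
2026-01-27T10:01:15Z 203.0.113.20 bob@example.com FAIL
2026-01-27T10:02:00Z 192.0.2.44 alice@example.com FAIL
2026-01-27T10:02:09Z 192.0.2.44 alice@example.com OK
truncated line without a result
"""

def parse(log):
    """Yield (ip, username, success) and skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def detect_stuffing(log, min_users=5, max_tries_per_user=2.0, min_fail_ratio=0.8):
    """Flag source IPs that try many different accounts a few times each."""
    by_ip = defaultdict(list)
    for ip, user, ok in parse(log):
        by_ip[ip].append((user, ok))
    findings = {}
    for ip, events in by_ip.items():
        users = {u for u, _ in events}
        fail_ratio = sum(not ok for _, ok in events) / len(events)
        # Stuffing: breadth across accounts, shallow per account, mostly failing.
        if (len(users) >= min_users
                and len(events) / len(users) <= max_tries_per_user
                and fail_ratio >= min_fail_ratio):
            findings[ip] = {
                "distinct_users": len(users),
                "attempts": len(events),
                # Any success from a flagged source is a likely takeover.
                "needs_reset": sorted({u for u, ok in events if ok}),
            }
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The source hitting a single account repeatedly and the ordinary user who mistypes once are deliberately not flagged. The thresholds are illustrative and need tuning against real traffic.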

How Did This Happen?

The database belonged to an unknown party, possibly a malware operator, data broker, or even a careless criminal reseller. It had no password protection, no access controls, and was indexed publicly.

Fowler responsibly reported it to the hosting provider, and the database was eventually taken down. But in the world of cybercrime, "taken down" often means "too late": copies are already circulating on dark web forums and hacker channels.

Important: This is not a breach of Gmail, Facebook, or Netflix servers. The passwords were stolen from individual users' infected devices (via malware like RedLine, Raccoon, or similar stealers).

Why This Is Extremely Dangerous

  • Plaintext passwords mean no guessing needed.
  • Many people reuse passwords across services — one leak can domino into email, social media, banking, and crypto account takeovers.
  • Attackers can:
    • Reset passwords and lock you out
    • Steal personal data or money
    • Launch phishing or BEC (business email compromise) attacks
    • Sell or trade your credentials

Even if your account isn't directly listed, the scale shows how widespread infostealer infections are.

What Should You Do Right Now?

  1. Change passwords immediately, especially on Gmail/Google, Facebook/Meta (including Instagram), Netflix, and any other services you use frequently. Make them strong and unique.

  2. Enable two-factor authentication (2FA/MFA) everywhere possible, preferably app-based (like Google Authenticator) or hardware keys, not just SMS.

  3. Use a password manager (Bitwarden, 1Password, LastPass, etc.) to generate and store unique passwords for every account.

  4. Check for breaches: Visit Have I Been Pwned and enter your email addresses to see if they've appeared in known leaks.

  5. Scan your devices: Run a full antivirus/malware scan (use reputable tools like Malwarebytes, ESET, or Windows Defender).

  6. Monitor accounts: Watch for unusual logins, password reset emails you didn't request, or suspicious activity.

  7. Be cautious with emails/links: Infostealers often spread via phishing or malicious downloads.

The Bigger Picture

This isn't the first massive credential exposure in recent years, and it won't be the last. With infostealers becoming cheaper and more effective, millions of devices are silently compromised every month.

The real fix starts with users: stop reusing passwords, turn on MFA, and treat every login like it could be targeted.

Stay safe out there — one leaked password today could cost you much more tomorrow.