HERE’S ANOTHER DATA BREACH WE MUST PROTECT OURSELVES FROM
A massive cache of 149 million stolen login credentials for Gmail, Facebook, Instagram, and many other services was found exposed online in January 2026 — not because Google or Meta were breached, but because an unsecured database containing data harvested by infostealer malware was left publicly accessible.
The database was discovered by cybersecurity researcher Jeremiah Fowler. The exposed dataset was 96 GB and had no password protection or encryption.
How the Data Was Stolen
Credentials were collected from infected devices, not from the platforms themselves. Infostealer malware typically extracts:
- Browser‑saved passwords
- Autofill data
- Cookies
- Session tokens
- Device identifiers
The stolen data was aggregated and stored by cybercriminals, then accidentally left publicly accessible.
What Services Were Affected
- Gmail: 48 million credentials
- Facebook: 17 million
- Instagram: 6.5 million
- Yahoo: 4 million
- Netflix: 3.4 million
- Outlook: 1.5 million
- TikTok, Binance, OnlyFans, and many others: also included in the dataset
Why This Leak Is Extremely Dangerous
- Passwords were stored in plain text, making them immediately usable.
- Stolen session cookies can allow attackers to bypass 2FA, because a valid cookie represents a session that has already passed the login checks.
- Credential reuse means attackers can perform credential‑stuffing attacks across multiple services.
- The scale (149M+) makes it likely that millions of people are unaware they were compromised.
- Infostealer malware often remains undetected for long periods, silently collecting data.
Recommended Actions
- Change passwords immediately, especially for email and social media accounts.
- Enable 2FA, preferably using an authenticator app or hardware key.
- Stop storing passwords in browsers, as browser‑saved passwords are a primary target for infostealers.
- Switch to passkeys where supported (Google, Microsoft, Apple).
- Monitor your accounts for unusual login attempts or password‑reset notifications.
- Scan devices for malware if you suspect compromise.
Key Takeaway
- This was not a breach of Gmail, Facebook, Instagram, or other major platforms.
- It was a breach of a criminal database containing real, stolen credentials harvested from infected devices.
- The risk is very real because the exposed passwords were valid, plain‑text, and immediately exploitable.
Source: TechRepublic
https://www.techrepublic.com/article/news-149-million-passwords-exposed-infostealer-database/