Archive for ExpressVPN

Chatbot logs and audio exposed in data breach at major department store chain

Posted in Commentary on March 17, 2026 by itnerd

Cybersecurity researcher Jeremiah Fowler recently discovered three separate databases that were neither password-protected nor encrypted and contained a total of 3.7 million chat log transcripts, audio recordings, and text transcriptions of phone calls, exposing Sears Home Services.

The publicly exposed databases totaled over 4TB and contained:

  • 2,116,011 txt files that exposed names, phone numbers, physical addresses, and user-submitted personally identifiable information (PII).
  • 207,381 xlsx files and audio recordings totaling 415.2GB.
  • 1,442,577 audio recordings of customers and their text transcripts totaling 3.9TB.

Jeremiah’s detailed findings are published on the ExpressVPN blog here: https://www.expressvpn.com/blog/searshomeservices-data-exposed/.

2015 vs. 2025: How password habits have evolved over the past 10 years

Posted in Commentary on March 6, 2026 by itnerd

ExpressVPN has published an article on the evolution of password security over the past 10 years. Cybersecurity researcher Jeremiah Fowler has published an analysis of part of the data from the recent 149 million credentials leak on the ExpressVPN blog, comparing current password habits with those from a decade ago.

During this research, Jeremiah noted some interesting and concerning findings:

  • Only 15% of the passwords from 2025 could be classified as complex.
  • 85% of current passwords typically contain known patterns from prior breaches or password-guessing models.
  • It’s still common for people to reuse passwords across multiple accounts.

Jeremiah published his detailed report on the ExpressVPN blog here: https://www.expressvpn.com/blog/password-security-2015-vs-2025/

149M harvested credentials exposed in data breach 

Posted in Commentary on January 23, 2026 by itnerd

Cybersecurity researcher Jeremiah Fowler recently discovered a non-password-protected database containing over 149 million unique credentials. These records were collected from victims of malware worldwide and include everything from social media and streaming services to sensitive financial logins.

In a few words, the publicly accessible database:

  • Exposed 149,404,754 unique logins and passwords (96GB of raw data);
  • Revealed user credentials for major platforms (including Facebook, Instagram, TikTok, X, dating sites, and OnlyFans, affecting both creators and customers);
  • Included high-risk financial credentials (such as crypto wallets, trading services, and banking logins).

Because this data was likely collected by malicious third parties, there is a heightened risk of widespread credential-stuffing attacks, identity theft, and financial fraud. 

Jeremiah published his detailed findings on the ExpressVPN blog here: https://www.expressvpn.com/blog/149m-infostealer-data-exposed/

UPDATE: I have commentary on this, starting with Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“The data is a gold mine for cybercriminals launching credential stuffing attacks. Cybercriminals can use stolen username and password combinations to log into a wide array of accounts under the assumption that many people use the same password across multiple accounts. This process is automated, so a hacker can attempt to use a single set of credentials across dozens or even hundreds of accounts in a matter of seconds.

This data exposure highlights the importance of setting unique passwords and using two-factor authentication when available. If you don’t reuse passwords, then you are immune to credential stuffing attacks. Even if a cybercriminal tries to log into your account with the correct password, two-factor authentication will prevent them from doing so in the vast majority of attacks.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“The report indicates the harvested login credentials were the results of “Keylogger” and other types of “infostealer” malware, which underscores the need for computer users to run antivirus and anti-malware protection on their machines. Whether they use Windows or macOS, there are risks to not keeping your machine safe by running security apps in the background.

The exposure of such a huge number of credentials poses a significant risk to users that are not aware of the breach and to what extent they are exposed. While it may be too soon to have this information included in the “HaveIBeenPwned” (https://haveibeenpwned.com/) website’s extensive database, I still strongly recommend that users visit the site and enter their email address(es) to determine whether their information has been exposed in previous data breaches. I also recommend that they take advantage of the website’s option to notify them when their email address is exposed in future data breaches.

Last but not least, everyone should use a password manager. In addition to keeping track of login information for multiple sites, password managers often offer warnings about password reuse or if a login has been exposed in a breach. This makes it easy to guard against password reuse, and to update passwords when they need to be changed.”

Data breach affecting AI image generator, exposing sensitive images 

Posted in Commentary on December 5, 2025 by itnerd

Cybersecurity researcher Jeremiah Fowler recently discovered a non-password-protected database containing over one million sensitive records belonging to Magic Edit, a popular AI image generator tool developed by BoostInsider Inc.

In a few words, the publicly accessible database:

  • exposed 1,099,985 images and video files;
  • included face-swapped images on AI-generated bodies converted into sexually explicit images;
  • contained unaltered images of real individuals, possibly uploaded as references and presumably without those individuals’ knowledge or consent.

Jeremiah published his detailed findings on the ExpressVPN blog which can be found here: https://www.expressvpn.com/blog/magicedit-data-exposed/