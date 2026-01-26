Cybersecurity Researcher Jeremiah Fowler uncovered a data leak of 149 million logins and passwords, and shared his findings with ExpressVPN. The records include 900,000 usernames and passwords for Apple accounts.

According to Fowler:

° The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents.

° The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable. These ranged from social media platforms such as Facebook, Instagram, Tiktok and X (formerly Twitter), as well as dating sites or apps, and OnlyFans accounts indicating login paths of both creators and customers. I also saw a large number of streaming and entertainment accounts, including Netflix, HBOmax, DisneyPlus, Roblox, and more. Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed.

° The exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed. Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more. This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services.

The ExpressVPN article explains how to protect your accounts, credentials, and privacy.

