A publicly accessible database containing more than 149 million usernames and passwords was discovered. Before it was taken offline, it included logins from about 900,000 iCloud users.
The database contained roughly 149.4 million unique login records totaling about 96 GB of data. The credentials spanned email providers, social networks, financial services, cryptocurrency platforms, streaming services, dating sites, academic institutions, and government systems, according to security researcher Jeremiah Fowler's analysis.
The exposure was disclosed on January 23. The database was reachable through a standard web browser and was neither encrypted nor password-protected.
What data was exposed in the 149 million password leak
The dataset included millions of credentials for major consumer services:
- Approximately 48 million Gmail credentials
- About 17 million Facebook logins
- Roughly 6.5 million Instagram accounts
- About 900,000 Apple iCloud usernames and passwords
Other services represented included Microsoft Outlook, Yahoo, Netflix, TikTok, OnlyFans, Binance, Roblox, and a wide range of banking and credit card logins.
Fowler also identified credentials tied to .gov domains from multiple countries. While not every government-linked account provides access to sensitive systems, some could enable impersonation, spear phishing, or deeper network access depending on user permissions.
The database continued growing during the reporting period, indicating ongoing automated collection rather than a one-time dump.
How infostealer malware steals login credentials
There is no evidence that Apple, Google, Meta, or any other company was breached at the server level. Fowler attributes the data to infostealer malware, which infects individual devices and silently collects credentials through keylogging, browser scraping, clipboard capture, and session token theft.
The database structure supported that conclusion. Records were organized using reversed host paths and unique hashes, a format designed for indexing and large-scale searching rather than casual storage.
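To show why that layout suits large-scale searching, here is an added example (not taken from Fowler's report or from the exposed database) of how a defender handed such a dataset could scope which of their own domains appear in it. The key format, the use of the hash as a de-duplication id, and all sample records are assumptions constructed for illustration; passwords are left out entirely.

```python
import bisect
import hashlib
from urllib.parse import urlsplit

# Constructed sample (login URL, username) pairs; passwords deliberately omitted.
SAMPLE = [
    ("https://login.example.com/signin", "alice@example.com"),
    ("https://LOGIN.example.com/signin", "Alice@example.com"),  # duplicate capture
    ("https://example.com/account", "bob"),
    ("vpn.example.com", "carol"),
    ("https://example-login.com/", "dave"),  # lookalike, not our domain
    ("https://mail.other.org/", "erin"),
]

def reversed_host_key(url):
    """'https://login.example.com/signin' -> 'com.example.login/signin'"""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return ".".join(reversed(host.split("."))) + parts.path

def record_id(key, username):
    """Assumed role of the per-record hash: a stable de-duplication id."""
    return hashlib.sha256(f"{key}\x00{username.lower()}".encode()).hexdigest()

def build_index(records):
    """Sorted, de-duplicated list of (reversed key, username)."""
    unique = {}
    for url, user in records:
        key = reversed_host_key(url)
        unique.setdefault(record_id(key, user), (key, user.lower()))
    return sorted(unique.values())

def under_domain(index, domain):
    """Entries for `domain` and its subdomains, from one contiguous range."""
    base = ".".join(reversed(domain.lower().split(".")))
    hits = []
    for key, user in index[bisect.bisect_left(index, (base,)):]:
        if not key.startswith(base):
            break  # left the prefix range, stop scanning
        rest = key[len(base):]
        if rest == "" or rest[0] in "./":  # boundary check rejects lookalikes
            hits.append((key, user))
    return hits

if __name__ == "__main__":
    for key, user in under_domain(build_index(SAMPLE), "example.com"):
        print(key, user)
```

Reversing the host turns "every subdomain of example.com" from a suffix match into a sorted prefix range, which is what makes a dataset of this size cheap to query; the affected usernames returned are the ones to prioritize for password resets and session revocation.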
Once credentials are stolen at the device level, platform security measures offer limited protection. Valid usernames and passwords can be used for account takeovers, password resets, or targeted phishing attempts, regardless of how well a service secures its backend systems.
Why infostealers keep working
Infostealer malware remains popular because it's cheap, scalable, and difficult for users to detect. Criminal groups often prioritize speed and volume over operational security, storing stolen data in misconfigured cloud databases that are later discovered through routine scanning.
Researchers note that exposed databases like this one are often copied and redistributed quickly. Even after takedowns, stolen credentials may persist in underground markets and be reused for years.
Many modern account compromises start with infected Macs, iPhones, or browsers rather than direct attacks on Apple's infrastructure.
How to protect your accounts after a password leak
There is no practical way to confirm whether a specific account appeared in this database. The safest assumption is that exposure is possible.
Use unique passwords for every service and store them in a password manager. Enable two-factor authentication on your Apple Account, email accounts, financial services, and social platforms.
Additionally, upgrade to passkeys if a service supports them. Passkeys replace passwords with cryptographic credentials that can't be reused, phished, or captured by infostealer malware.
Keep macOS, iOS, browsers, and extensions fully updated, and remove software you don't recognize. If a device shows signs of compromise, clean the system before changing passwords, since malware can capture new credentials as easily as old ones.
None of these steps are new. The uncomfortable reality is that infostealers remain effective because security habits are unevenly followed, even as credential theft continues to scale in the background.








