A database exposes 149 million credentials from major online platforms

  • An unprotected cloud repository exposed 149 million credentials from services such as Facebook, Gmail, iCloud, and TikTok.
  • The database included 96 GB of data with complete username and password combinations from previous leaks.
  • The affected services include email platforms, social networks, streaming services, and financial and cryptocurrency applications.
  • Experts recommend changing passwords, enabling two-factor authentication, and reviewing security permissions and habits, especially in Europe and Spain.


A cloud-hosted database with no protection has exposed millions of login credentials for popular services such as Facebook, Gmail, iCloud, TikTok, Netflix, Binance, and OnlyFans. The file, publicly accessible for an unknown period, contained complete username and password combinations ready to be reused by cybercriminals.

The discovery was made by the security researcher Jeremiah Fowler, who immediately notified the cybersecurity firm ExpressVPN of the incident. The company analyzed the repository and confirmed that it was a massive collection of credentials from previous leaks, gathered in a single cloud container without encryption or access controls.

A database with 149 million exposed credentials


According to data collected by ExpressVPN, the unsecured server hosted around 96 gigabytes of information, primarily login credentials for all kinds of digital services. These weren't just random mailing lists: the archive included emails, usernames and passwords in plain text, an extremely valuable resource for large-scale automated attacks.

In total, the database contained approximately 149 million unique login records. Among them were 48 million credentials associated with Gmail, 900,000 iCloud accounts, 1.5 million Outlook users, 17 million Facebook users, 6.5 million Instagram users, 780,000 TikTok users, and 3.4 million Netflix users. Also included were 100,000 OnlyFans logins and 420,000 Binance cryptocurrency platform accounts, in addition to hundreds of thousands of credentials linked to other financial and banking applications.

The list of affected services extends even further: Facebook, Instagram, TikTok and X (formerly Twitter) among social networks; Gmail, Outlook and Yahoo for email; and streaming platforms such as Netflix, HBO Max and Disney Plus. For more information about Instagram, see the article "Alert over massive data leak on Instagram". Alongside these were Roblox accounts, other cloud storage services, and digital wallet and trading applications, which increases the risk of potential fraudulent use.

Fowler himself confirmed that the number of records increased while the database remained accessible. This indicates that it was a live repository that was updated regularly. This detail reinforces the hypothesis that someone was systematically adding sets of credentials leaked from different incidents over time.

The records also contained information related to educational accounts with .edu domains and, to a lesser extent, institutional or governmental domains (.gov). This type of profile can be especially sensitive if the compromised accounts have high permissions or access to internal systems of universities and administrations.

Uncertain origin and a repository that has already been removed

After confirming the extent of the exposure, ExpressVPN contacted the cloud service provider responsible for the hosting. Once the alert was issued, the repository was removed from the server and is no longer publicly accessible. However, experts acknowledge that it is impossible to know exactly how many times the file may have been downloaded or who had access to its contents.

Initial findings suggest that the database did not originate from a single recent attack, but rather groups together credentials stolen in multiple previous breaches. Someone had been collecting lists of usernames and passwords from different incidents, and then storing them together in the same repository without applying any basic security measures.

Based on the available information, ExpressVPN admits that it cannot be determined whether the person responsible acted for criminal or legitimate purposes. It could be a malicious actor managing an arsenal of credentials for future campaigns, or someone handling leaked data for research purposes who completely neglected server security. In either case, the result is the same: millions of potentially reusable logins were exposed and accessible to anyone.

Another worrying aspect is that, although the original server is no longer online, any copies downloaded before the removal can continue to circulate on underground forums or private channels. In the black market for stolen data, these kinds of massive collections are highly valued because they allow for large-scale automated attacks at very low cost.

Fowler himself indicated that he did not know exactly how long the database was visible. From the time it was discovered until access was restricted, the volume of records continued to grow, suggesting constant activity by whoever was managing it. That window of exposure may have been enough for various cybercriminal groups to download the entire dataset.

Risks: from credential stuffing to financial fraud

The main threat posed by credential collections like this is the intensive use of credential stuffing techniques. This method consists of massively and automatically testing real combinations of email and password on a multitude of different services, taking advantage of the fact that many users repeat the same password on several platforms.

When a combination matches, the attacker gains direct access to the account without needing to breach complex technical systems. From there, a range of possibilities opens up: from taking control of social media profiles, used to spread scams or malware among trusted contacts, to logging into banking services, cryptocurrency wallets, or payment gateways linked to the compromised email.

Even if initial access is limited to a single email account, the situation can quickly escalate. With control of the inbox, an attacker can reset passwords for other associated services, review financial notifications, request recovery codes, and generally pivot to other critical platforms that rely on that email.

ExpressVPN researchers also warn of a potential increase in phishing and identity theft campaigns based on this data. Having the victim's email address, knowing which services they use, and even having some of their old credentials makes it much easier to create fraudulent messages that seem plausible and are difficult to identify as scams.

In the European context, where the use of online banking and payment applications is widespread, exposure of this magnitude can translate into an increase in targeted financial fraud. Spain has been experiencing waves of SMS messages, emails, and social media posts impersonating banks, messaging companies, or digital platforms, often relying on data obtained from massive leaks like this one.

Although no specific wave of attacks has yet been publicly linked to this particular repository, experts emphasize that the effects of a leak can manifest themselves gradually. Cybercriminals often exploit these collections for months or years, combining them with other sources of information to refine their campaigns, while many users remain unaware that their credentials appear on compromised lists.

European and Spanish users in the spotlight

The global nature of services such as Gmail, Facebook, TikTok, iCloud or Netflix means that a significant proportion of the affected accounts belong to European and Spanish users. In practice, these credentials provide access to much of digital life: banking, online shopping, government services, healthcare platforms, and education systems.

In the European Union, the General Data Protection Regulation (GDPR) requires companies that experience internal breaches to notify the authorities and users. However, in this specific case, the repository appears to be an external compilation of previous incidents. This complicates attributing responsibility to a single company and hinders the direct application of these notification mechanisms.

In Spain, the Spanish Data Protection Agency (AEPD) has been insisting for years on the importance of adopting good digital hygiene practices. Strong passwords, two-step verification, regular review of permissions, and limiting the information shared with third-party applications are key security measures. A set of 149 million exposed credentials tests the extent to which these recommendations are being followed in everyday practice.

For Spanish users with accounts on the aforementioned platforms (from Gmail or Outlook emails to social networks, streaming services, or financial applications), the most prudent recommendation is to update their login details as soon as possible, especially if they haven't changed their password in a while or if they reuse it across multiple services. Even though there isn't a public list of compromised addresses, common sense dictates acting as if the risk were real.

The impact is not limited to individuals. Many companies and public administrations allow access to corporate resources from personal devices and accounts. In these environments, a single compromised credential can be the gateway to poorly segmented internal networks, outdated systems, or applications without adequate protection, with consequences that go far beyond the theft of an individual account.

Immediate measures to strengthen security

The experts consulted agree that the first step, both for users in Spain and in the rest of Europe, is to change the passwords for potentially affected services. This action should be extended to any other platform where the same or a very similar password has been used, with the aim of cutting off at the root the domino effect that the attackers are seeking.

Additionally, it is recommended to activate two-factor authentication (2FA or MFA) whenever possible. This system adds an extra layer of security by requiring a temporary code (sent via SMS, generated by an app, or stored on a physical key) even when the username and password have been compromised.

Another recommendation that is repeated is the use of password managers. These tools allow you to generate long, complex, and unique passwords for each service and store them securely. This avoids the still widespread temptation to reuse the same password across multiple platforms, one of the habits that most facilitates the work of cybercriminals.

Experts also advise reviewing the permissions granted to third-party applications connected to Google, Apple, social media, or other service accounts. Revoking access to apps that are no longer used, and limiting the privileges of those that remain, reduces the impact if a compromised credential is used to access more information than intended.

Equally important is keeping operating systems, browsers, and security solutions updated on all devices, and exercising extreme caution with emails, SMS messages, or other messages that request personal or financial information. Verifying the sender, being wary of urgent requests, and accessing services by manually typing the address into the browser are small steps that help avoid many fraud attempts.

The exposure of an unprotected database with 149 million login credentials for services such as Facebook, Gmail, iCloud, TikTok, streaming platforms, and financial applications once again highlights how fragile digital security can be when basic measures are neglected. Although the repository has been removed and its exact origin remains a mystery, the possibility that copies of this data may still be circulating compels European and Spanish users to take the protection of their accounts very seriously: updating passwords, enabling two-factor authentication, reviewing permissions, and adopting prudent browsing habits can make the difference between continuing to use the internet with relative peace of mind or becoming the victim of a complex and difficult-to-reverse fraud.
