If you use Gmail, Netflix, or even Facebook, you need to read this. A massive database containing 149 million stolen records has been discovered floating on the open web, and it paints a terrifying picture of how modern hackers operate.
This week, cybersecurity researcher Jeremiah Fowler released a startling report after discovering a 96-gigabyte database left completely unsecured on the internet. It contained nearly 150 million unique email and password combinations.
While many headlines are focusing on the 48 million Gmail accounts found in the pile, the report reveals the problem is much bigger than just email.
The data wasn’t stolen from a single company like Google or Netflix. Instead, it was harvested by “Infostealer” malware—viruses that infect personal computers and silently log every keystroke. This means the database is a “Greatest Hits” of victims’ digital lives. The discovery included logins for:
- Social Media: 17 million Facebook accounts and 6.5 million Instagram accounts.
- Entertainment: 3.4 million Netflix accounts and even 100,000 OnlyFans logins.
- Finance: 420,000 Binance crypto accounts.
- Government: The leak even included emails ending in .gov, posing a potential national security risk.
Because this data includes the specific URLs for the login pages, it allows criminals to automate attacks, trying your stolen password across every site you visit.
Since this data came from infected devices, simply changing your password isn’t enough. If the virus is still on your laptop, it will just steal the new password too.
- The “Scan First” Rule: Before you change a single password, run a deep scan with your antivirus software (Windows Defender, Malwarebytes, etc.). You must remove the spy before you change the locks.
- Diversify Your Passwords: This leak proves that hackers get everything in one swoop. If you use the same password for your bank as you do for Netflix, you are in trouble. Ensure every important account has a unique password.
- Check Your Exposure: You can use a reputable service like HaveIBeenPwned.com to see if your email address has appeared in major data dumps.
- The Ultimate Defense (MFA): I say it every week because it works. Turn on Multi-Factor Authentication. Even if a hacker has your username and password from this list, they cannot get in without the code sent to your phone.
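One way to act on the unique-password advice above, as an added example that is not part of the original column: a Python script that reads a password-manager or browser CSV export and lists the sites that share one password. The column names (`url`, `username`, `password`) and the sample rows are assumptions, constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export (columns url, username, password); not real credentials.
SAMPLE_EXPORT = """url,username,password
https://www.netflix.com/login,alex@example.com,Summer2024!
https://bank.example/signin,alex@example.com,Summer2024!
https://accounts.google.com/,alex@example.com,c0rrect-horse-battery
https://www.facebook.com/login.php,alex@example.com,Summer2024!
https://m.facebook.com/,alex@example.com,Summer2024!
https://www.instagram.com/accounts/login/,alex@example.com,t9#Lq2vX
"""

def site_of(url):
    """Lower-cased host with a leading www./m. stripped, so one site counts once."""
    host = (urlsplit(url).hostname or url).lower()
    for prefix in ("www.", "m."):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host

def find_reuse(export_text):
    """Return sorted site lists, one per password used on more than one site."""
    sites_by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row.get("password") or ""
        if not password:
            continue  # skip entries saved without a password
        # Key on a digest so plaintext passwords are never stored or printed.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        sites_by_password[digest].add(site_of(row["url"]))
    groups = [sorted(s) for s in sites_by_password.values() if len(s) > 1]
    # Largest reuse group first, then alphabetical for stable output.
    return sorted(groups, key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for group in find_reuse(SAMPLE_EXPORT):
        print(f"{len(group)} sites share one password: {', '.join(group)}")
```

Delete the export file once the audit is done, since it holds every saved password in plaintext.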
This discovery is a wake-up call: the danger often isn’t a server breach at a big tech company, but a silent program running on our own devices. Scan your system, lock down your accounts, and stay savvy. I’ll see you next week!
Feeling lost in the digital world? Dr. Tom is here to help!
Join Dr. Tom every week in his column, Dr. Tom’s Cyber Bits and Tips, for byte-sized advice on all things cyber and tech. Whether you’re concerned about online safety, curious about the latest cybercrime trends, or simply want to navigate the ever-evolving digital landscape, Dr. Tom has you covered.
From practical cybersecurity tips to insightful breakdowns of current threats, Dr. Tom’s column empowers you to stay informed and protect yourself online. So, dive in and get savvy with the web – with Dr. Tom as your guide!





