149 Million Usernames and Passwords Exposed by Unsecured Database

This “dream wish list for criminals” includes millions of Gmail, Facebook, banking logins, and more. The researcher who discovered it suspects they were collected using infostealing malware.

A database containing 149 million account usernames and passwords—including 48 million for Gmail, 17 million for Facebook, and 420,000 for the cryptocurrency platform Binance—has been removed after a researcher reported the exposure to the hosting provider.

The longtime security analyst who discovered the database, Jeremiah Fowler, could not find indications of who owned or operated it, so he worked to notify the host, which took down the trove because it violated a terms of service agreement.

In addition to email and social media logins for a number of platforms, Fowler also observed credentials for government systems from multiple countries as well as consumer banking and credit card logins and media streaming platforms. Fowler suspects that the database had been assembled ...