2026 is not even one month old and already we have a huge data breach that could impact many of our readers. A report in Wired states that an unsecured database was the subject of a data breach exposing 149 million usernames and passwords. 48 million came from Gmail, 17 million were revealed from a database related to Facebook, and 420,000 usernames and passwords belonged to cryptocurrency platform Binance (more detailed info is found below).
Major social media platforms were impacted by the breach
Security analyst Jeremiah Fowler, who discovered the huge database, posted a more detailed list of apps and sites whose users had their usernames and passwords exposed and stolen. Fowler said that the "exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable."
Social media platforms impacted by the data breach include Facebook, Instagram, TikTok and X. Dating apps and sites were also victims, as were both content creators and customers of OnlyFans. Users of streaming apps related to entertainment content such as Disney+, Netflix, HBO Max, Roblox, and more were involved. Even worse, some of the data belonged to those with financial services accounts, crypto wallets or trading accounts. Fowler added that, "Banking and credit card logins also appeared in the limited sample of records I reviewed."
Other data was exposed from financial service apps and sites
Other data was leaked from streaming services and financial platforms. The database, which held 96GB of raw data across all accounts, had no protection or safeguards in place, making it easily accessible to anyone with malicious intent. Even more shocking, some of the data included credentials for logging into government websites. Login credentials from sites using a .gov domain from various countries were also spotted by Fowler.
The exposed data from .gov domains is very dangerous because it can lead to certain attacks using impersonation and other tactics to enter government networks. Such attacks against .gov domains can grow into national security risks.
Accounts belonging to financial apps and trading apps are often targeted by cybercriminals. | Image credit-PhoneArena
Fowler could not find who the database belonged to, so he ended up reporting the breach to the hosting company using its online form. But a few days later, that company wrote back to say that the database was hosted by a subsidiary operating independently even though it used the name of the parent organization. It took months and several attempts before hosting of the database was halted and millions of login credentials were no longer accessible.
Some questions about the database need to be answered
There are some pretty big questions about the database that have not been answered. For example, it is not known how long the database was left exposed before Mr. Fowler discovered it. Also unknown is whether others were able to access the data. Fowler questioned whether the database was used for criminal activity or legitimate research purposes. It would be useful to know why the database was exposed to the public. The researcher found it disturbing that from the time he discovered the data breach until the time it was restricted, the number of records increased.
Fowler discovered that the following email providers had accounts exposed:
Gmail - 48 million estimated exposed accounts.
Yahoo - 4 million estimated exposed accounts.
Outlook - 1.5 million estimated exposed accounts.
iCloud - 900,000 estimated exposed accounts.
.edu domain - 1.4 million estimated exposed accounts.
Other well-known apps and sites that were part of the data breach:
Facebook - 17 million estimated exposed accounts.
Instagram - 6.5 million estimated exposed accounts.
TikTok - 780,000 estimated exposed accounts.
Netflix - 3.4 million estimated exposed accounts.
OnlyFans - 100,000 estimated exposed accounts.
Binance - 420,000 estimated exposed accounts.
Reduce your risk with two simple tips
Fowler pointed out that the exposure of such a huge batch of unique login credentials could be serious for those who do not know that their information was stolen or exposed. Since the exposed data includes emails, usernames, passwords, and the exact login URLs, attackers could score a huge profit from the email/password combos exposed by the data breach. Targeting apps where the rewards are high if they can break in (financial apps, trading apps, crypto apps), they try every one of the email/password pairs they obtained in an attempt to gain access to online accounts with huge cash or cash equivalent values.
Consider this. Even if an attacker has only a 0.1% chance of finding the right email/password combo, if he has obtained a list of 10 million credentials, he has just gained access to 10,000 active accounts. To reduce the risk of being the victim of a data breach, you might want to use two-factor authentication. You also shouldn't reuse passwords for different apps and sites.
Alan, an ardent smartphone enthusiast and a veteran writer at PhoneArena since 2009, has witnessed and chronicled the transformative years of mobile technology. Owning iconic phones from the original iPhone to the iPhone 15 Pro Max, he has seen smartphones evolve into a global phenomenon. Beyond smartphones, Alan has covered the emergence of tablets, smartwatches, and smart speakers.