Massive Credential Leak: 149 Million Account Logins Exposed across Gmail, Facebook, Netflix, Yahoo, Outlook, TikTok, OnlyFans, and more
Updated: January 2026
A massive set of ≈149 million usernames and passwords tied to major online accounts, including Gmail, Instagram, Facebook, Netflix, Yahoo, Outlook, and TikTok, was discovered sitting in an unsecured database on the public internet. The data had been left accessible without a password or any other protection, meaning anyone who found it could view it.
This isn’t a direct hack of corporate systems like Google or Meta, but a collection of stolen credentials likely gathered over time. Experts analyzing the dataset believe it came from malicious software that quietly collects credentials from infected personal devices and sends them back to a server for storage.
According to the researcher’s analysis, this unsecured database included credentials for the following platforms:
Email & Account Providers
Gmail: ~48 million
Yahoo: ~4 million
Outlook (Microsoft): ~1.5 million
iCloud: ~900,000
Social Media / Messaging
Facebook: ~17 million
Instagram: ~6.5 million
TikTok: ~780,000
Entertainment & Streaming
Netflix: ~3.4 million
HBO Max, Disney+ and others were also present
Crypto & Other Services
Binance: ~420,000
OnlyFans: ~100,000
The dataset also reportedly contained credential records tied to government accounts, banking and credit platforms, academic (.edu) domains, and other online services, although exact figures for some of these categories were not publicly confirmed.
Unfortunately, attackers are already using these credentials in automated attacks and scams. Protect yourself by changing weak or reused passwords, enabling two-factor authentication (2FA), reviewing account activity, and watching for suspicious emails or texts.