Security researcher Jeremiah Fowler discovered an unsecured database containing 149 million logins, including credentials for Gmail, Facebook, and government accounts. The 96GB collection had no encryption or password protection, exposing emails, usernames, and passwords in plaintext.

The data was likely harvested by infostealer malware, which silently records keystrokes from infected devices. The database's structure allowed easy searching, and new records were still being added even as Fowler worked to get it taken down. This represents a significant breach of consumer and institutional security.

While the specific server is now secured, the credentials are almost certainly already in criminal hands. They can be used for credential stuffing attacks, identity theft, and targeted phishing. Fowler's discovery underscores the industrialized scale of credential theft and the persistent risks of malware infections.

Affected users should immediately change passwords, especially for email and financial accounts, and enable two-factor authentication. Using reputable antivirus software is critical to detect and remove infostealers before they can capture new credentials.