According to multiple reports, a credential leak involving 149 million passwords was discovered in January 2026 in an unsecured, publicly accessible database. The incident increases the global risk of credential stuffing, account takeovers, and identity fraud.
Credential leak 149 million passwords: what we know in January 2026
The coverage traces back to a report by security researcher Jeremiah Fowler, published on January 23, 2026. It describes a database that was allegedly reachable online without password protection and without encryption. The report was published via ExpressVPN and was subsequently picked up by established newsrooms, including WIRED and The Economic Times.
The reported scale is 149,404,754 unique login-and-password combinations, roughly 96 GB of data. Sampled records reportedly contained email addresses, usernames, passwords, and the login or authorization URLs they belong to. Entries are cited as matching widely used services, including Gmail, Facebook, Instagram, and Netflix.
One distinction matters when reading the coverage: a credential leak of this kind does not mean that 149 million active accounts have been compromised. Such datasets contain outdated passwords, duplicates, and combinations that no longer work anywhere. For attackers it is enough if a meaningful share of the credentials still works, because the testing is automated and the dead entries cost them almost nothing.
Why the credential leak is more consistent with infostealer malware
The available information provides no solid evidence of a centralized hack at a single provider. The more plausible explanation is that the credentials were harvested from compromised endpoints by infostealer malware: a record made up of a login URL plus a username and password is the typical shape of a stealer log, and a mix of unrelated services in one dataset points to many infected victims rather than one breached provider. Depending on the family, such malware reads saved logins from browser password stores, steals session artifacts such as cookies, captures clipboard contents, and in some variants logs keystrokes. The resulting logs are consolidated, indexed, and later used for further attacks.
What concrete risks arise from “credential leak 149 million passwords”
Operational damage typically arises not from the publication itself but from follow-on activity. Credential stuffing is the most common and most scalable method in this context: known username-and-password pairs are replayed automatically against many services until successful logins are found. The better structured the dataset, the easier it becomes to prioritize targets, for example by service, region, or account type.
- Credential stuffing primarily affects users who reuse passwords or vary them only slightly between services.
- Email accounts are especially critical because they serve as a reset channel for many other services.
- Compromised accounts are often used for subscription and payment fraud, extortion attempts, or phishing from trusted profiles.
- Spear-phishing becomes more credible when the login, service context, and typical password patterns are already known.
What affected users should check immediately after the credential leak
Whether a specific account was included in the database usually cannot be determined with certainty from public reporting. Still, there are reliable indicators of abuse following credential stuffing. These include login alerts from unusual countries, new devices in security or session overviews, unexplained password reset emails, or changes to recovery options.
If you see such signs, the order of actions matters. If an infostealer is suspected, the endpoint should be cleaned first before setting new passwords. Otherwise, an attacker may be able to capture the new credentials again immediately.
Protective measures after “credential leak 149 million passwords”
- Clean endpoints and browsers, install updates, and remove suspicious extensions before changing passwords.
- Change passwords wherever reuse is likely, starting with the email account and payment services.
- Enable multi-factor authentication, preferably via an authenticator app or a hardware token. ENISA outlines recommendations for secure authentication.
- End active sessions, log out unknown devices, and verify recovery details such as secondary email address and phone number.
- Use a password manager and, going forward, rely exclusively on unique, long, random passwords. Passkeys go further: there is no reusable secret to replay and the credential is bound to the origin it was registered for, which removes the basis for credential stuffing on that service.
What companies should do additionally
A credential leak outside a company’s own platform becomes visible in its systems when automated login attempts increase. Resilience therefore comes less from reacting to the headline and more from robust controls against bot traffic and account takeovers.
- Prioritize detection of login anomalies, especially password spraying, credential stuffing, new devices, and unusual geolocations.
- Enforce MFA consistently, especially for privileged accounts, SSO, VPN, and administrative interfaces.
- Block weak or compromised passwords server-side and tie forced password resets to clear indicators of compromise.
- Cover infostealers as an initial access vector in SOC use cases, including EDR telemetry and detection of cookie theft.
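The server-side check from the list above, as an added example that is not part of the original article or of any vendor's code: a candidate password is hashed with SHA-1, only the first five hex characters of the hash are sent to a lookup service, and the service answers with every known-compromised hash suffix under that prefix, so the client compares locally and the full hash never leaves it. The split mirrors the range-query design of the Have I Been Pwned Pwned Passwords API; the small compromised-password list, the class and function names, and the 8-character minimum are assumptions made for the example.

```python
"""Compromised-password check with a k-anonymity range query.

Added example for this article; not code from the report or any vendor.
The password corpus, the class and function names and the length policy
are assumptions. The prefix/suffix split mirrors the design of the Have I
Been Pwned Pwned Passwords range API (SHA-1, 5-hex-character prefix).
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus such as the leaked combo list.
# A real deployment would load many millions of SHA-1 hashes instead.
COMPROMISED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "Welcome1!", "summer2025",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password; the corpus is keyed on this."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Lookup service: stores only hashes and answers 5-character prefix queries."""

    PREFIX_LEN = 5

    def __init__(self, passwords):
        self.index = defaultdict(set)
        for pw in passwords:
            h = sha1_hex(pw)
            self.index[h[:self.PREFIX_LEN]].add(h[self.PREFIX_LEN:])
        self.queries = []  # everything the service ever gets to see

    def range(self, prefix: str) -> list:
        """Return every stored hash suffix under `prefix`, sorted."""
        if len(prefix) != self.PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        self.queries.append(prefix)
        return sorted(self.index.get(prefix, ()))


def is_compromised(server: RangeServer, password: str) -> bool:
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    h = sha1_hex(password)
    suffixes = server.range(h[:RangeServer.PREFIX_LEN])
    return h[RangeServer.PREFIX_LEN:] in suffixes


def check_new_password(server: RangeServer, password: str, min_len: int = 8) -> str:
    """Policy decision for a password being set or reset.

    Returns "too_short", "compromised" or "ok". The minimum length is an
    assumed policy; the breach check is the part that blunts credential stuffing.
    """
    if len(password) < min_len:
        return "too_short"
    if is_compromised(server, password):
        return "compromised"
    return "ok"


if __name__ == "__main__":
    srv = RangeServer(COMPROMISED_PASSWORDS)
    for candidate in ("password", "Welcome1!", "correct horse battery staple"):
        print(candidate, "->", check_new_password(srv, candidate))
    print("service saw only prefixes:", srv.queries)
```

The point to verify in a real integration is the one the `queries` list records: the lookup side must only ever receive five-character prefixes, never the full hash and never the password, otherwise the check itself becomes a credential leak.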
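The login-anomaly detection from the list above, as an added example that is not from the original article or any product: it runs over a constructed batch of authentication events and flags (a) a source address that fails against many distinct accounts in a short window, the signature of a credential-stuffing burst replaying a combo list, together with any successes from that source inside the window, and (b) a successful login from a country the account has never used before. The JSON log format, the field names, the thresholds and the sample events are all assumptions.

```python
"""Credential-stuffing and first-seen-country detection over auth logs.

Added example for this article, not code from any product. The log format
(one JSON object per line with ts, ip, user, result, country), the field
names, the thresholds and the sample events are all assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, ip, user, result, country):
    return json.dumps({"ts": ts, "ip": ip, "user": user,
                       "result": result, "country": country})


# Constructed sample: 203.0.113.7 tries 25 different accounts in 25 seconds
# and gets two valid hits (user03, user17); alice logs in normally twice from
# DE; finally bob is logged in successfully from the attacker's address.
SAMPLE_LOG = "\n".join(
    [_event(f"2026-01-24T10:00:{i:02d}Z", "203.0.113.7", f"user{i:02d}",
            "ok" if i in (3, 17) else "fail", "BR") for i in range(25)]
    + [_event("2026-01-24T09:00:00Z", "198.51.100.9", "alice", "ok", "DE"),
       _event("2026-01-24T11:00:00Z", "198.51.100.9", "alice", "ok", "DE"),
       _event("2026-01-24T12:00:00Z", "203.0.113.7", "bob", "ok", "BR")]
)


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware ts, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=20):
    """Flag source IPs whose failures span >= min_accounts distinct users within `window`.

    A real user fails against one or two accounts; a stuffing tool fails against
    hundreds because most pairs in a combo list are dead. Successes that fall
    inside the flagged window are the likely account takeovers.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):  # sliding window; evs is already time-ordered
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            failed = {x["user"] for x in chunk if x["result"] == "fail"}
            if len(failed) >= min_accounts and len(failed) >= hits.get(ip, {}).get("accounts", 0):
                hits[ip] = {"accounts": len(failed),
                            "successes": sorted({x["user"] for x in chunk if x["result"] == "ok"})}
    return hits


def detect_new_country(events, baseline):
    """Return (user, country, ip) for successful logins from a country not in the
    user's baseline. Accounts with no baseline are learned, not alerted on."""
    seen = {u: set(c) for u, c in baseline.items()}
    alerts = []
    for e in events:
        if e["result"] != "ok":
            continue
        known = seen.setdefault(e["user"], set())
        if known and e["country"] not in known:
            alerts.append((e["user"], e["country"], e["ip"]))
        known.add(e["country"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(evs))
    print("new-country logins:", detect_new_country(evs, {"alice": {"DE"}, "bob": {"DE"}}))
```

The two successes inside the flagged burst (user03 and user17) are the accounts to lock and force through recovery; bob's later login from the same source is the kind of follow-on takeover the second rule exists for. In production the thresholds need tuning per tenant, and attackers who spread a campaign across many addresses defeat the per-IP rule, which is why the per-account country and device baseline is kept alongside it.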