Change your password NOW! 149 million online accounts leak, including Gmail, Netflix, Yahoo, X, and more

Security expert Jeremiah Fowler teamed up with ExpressVPN to share details of the breach with the widest possible audience in a bid to warn those who might be impacted. Writing in a blog post for the award-winning VPN firm, Mr Fowler explained: "The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totalling a massive 96 GB of raw credential data.

"In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorisation for the accounts. This is not the first dataset of this kind I have discovered, and it only highlights the global threat posed by credential-stealing malware.

"When data is collected, stolen, or harvested, it must be stored somewhere, and a cloud-based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches. The database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals."

The online accounts ranged from social media platforms, like Facebook, Instagram, TikTok, and X (formerly Twitter), as well as dating sites or apps, OnlyFans accounts for both creators and subscribers. The database also contains Netflix, HBO Max, Disney+, Roblox, and other entertainment accounts.

One of the most damaging categories included in the 96GB of leaked credentials was financial services, with crypto wallets and trading accounts, banking and credit card logins, also appearing in a small sample of records reviewed by the security expert.

This is a breakdown of the number of records associated with email accounts:

• Gmail | 48 million leaked accounts
• Yahoo | 4 million leaked accounts
• Outlook | 1.5 million leaked accounts
• .edu | 1.4 million leaked accounts
• iCloud | 900,000 leaked accounts

Working with ExpressVPN, Jeremiah Fowler highlighted other services with a high number of leaked credentials.

• Facebook | 17 million leaked accounts
• Instagram | 6.5 million leaked accounts
• Netflix | 3.4 million leaked accounts
• TikTok | 780,000 leaked accounts
• Binance | 420,000 leaked accounts
• OnlyFans | 100,000 leaked accounts

The security researcher added: "It is not known if the database was used for criminal activity, or if this information was gathered for legitimate research purposes, or how or why the database was publicly exposed. It is not known how long the database was exposed before I discovered and reported it, or others may have gained access to it.

"One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available."

Worried about what to do if your details are discovered in this dreaded database? Once a device has become infected with malware, changing passwords alone might not solve the problem.

That's because any new password entered will simply be captured by the malware and transmitted to criminals again, making it essential to address the underlying infection first, before taking further security steps.

Malware typically spreads through a few routes, including dodgy email attachments, fake software updates, compromised browser extensions, and deceptive adverts. Once it gets onto your device, it operates without being spotted while harvesting your credentials.

Password managers can defend against basic threats, like simple keyloggers, by automatically filling in your details rather than requiring you to type them. With nothing being typed on individual keys, there's nothing to steal.

However, these are not a complete solution when it comes to the most sophisticated malware.

The advanced versions of these threats have multiple ways to grab your information. They can capture whatever you've copied to your clipboard, scrape data directly from your browser's memory, or steal session cookies and tokens that websites use to keep you logged in.

Password managers do offer benefits against password reuse and basic keylogging. However, they simply cannot defend against every variant of advanced malware, particularly when a system has been fully compromised.

If you suspect your device has been infected, you'll need to act straight away.

Start by updating your operating system and installing any outstanding security software if you haven't already, then run a thorough scan to remove anything suspicious. On mobile devices, take time to check your app permissions, keyboard settings, and which apps have admin access. Stick to official app stores when downloading anything new.

You should enable two-factor authentication or biometric protections wherever they're available. Yes, it's an extra step, but it can stop criminals from accessing your accounts even when they've got hold of your password.

It's also worth checking your login history to spot any unusual locations or failed attempts.

Make sure you're using different passwords for each of your accounts rather than repeating the same one across multiple sites and services. ExpressVPN offers a standalone password manager, dubbed ExpressVPN Keys, at no extra cost with some of the subscription plans.

• Britons FINALLY ditch 'password' as most popular choice

When you enable a VPN, you'll automatically add military-grade encryption to everything you do online — blocking prying eyes from seeing your internet history, duration of website visits, and any personal details entered into online forms. ExpressVPN will stop advertisers, hackers, internet service providers, and even governments from keeping tabs on your online activity.

The security firm publishes findings, like the latest revelation from security researcher Jeremiah Fowler, to highlight the potential risks of such data exposure and to share ways people can protect themselves online. Because this data was likely collected by malicious third parties, there is a heightened risk of widespread credential-stuffing attacks, identity theft, and financial fraud.