149 Million Logins Exposed: Is Your Data in the 96GB Leak? (Security Analysis)
Author: Adam Collins
Scamadviser Risk Score: High Alert Threat Type: Credential Theft / Infostealer Malware Data Volume: 149,000,000+ Records
A massive database containing 149 million usernames and passwords has been discovered online, left unsecured for anyone to find. Unlike a traditional "hack" where a single company (like Facebook or Gmail) is breached, this data was likely harvested directly from victims' computers.
At Scamadviser, we analyzed the reports surrounding this 96GB leak. Here is everything you need to know to protect your digital identity.
What Happened?
Cybersecurity researcher Jeremiah Fowler discovered a publicly accessible database containing over 149 million records. The data was not protected by a password, meaning any malicious actor could have downloaded it.
The database included logins for:
- Email Services: Gmail, Outlook, Yahoo.
- Social Media: Facebook, Instagram, TikTok.
- Financial Services: Online banking portals and crypto exchanges.
- Corporate Portals: Internal links and employee login pages.
The Scamadviser Analysis: How Was The Data Stolen?
Our analysis suggests this wasn't a "server hack." Instead, it appears to be a collection of "Stealer Logs."
Most of this data was likely stolen via Infostealer Malware (such as RedLine or Vidar). When a user downloads a "cracked" game, a fake software update, or opens a malicious email attachment, the malware scrapes every saved password and "session cookie" from their web browser (Chrome, Edge, Firefox).
Why this is more dangerous than a normal leak:
- URL Mapping: The leak doesn't just show your password; it shows the exact URL where you used it. This allows hackers to target your specific bank or work portal directly.
- Bypassing 2FA: The database likely contained "Session Tokens." These allow hackers to clone your "logged-in" status, sometimes bypassing Two-Factor Authentication (2FA) entirely.
Is it a Scam? (Red Flags to Watch For)
Following a leak of this magnitude, scammers will go into overdrive. Be on high alert for:
- The "Account Locked" Phishing Email: You may receive a fake email from "Google" or "Facebook" claiming your account was compromised and asking you to click a link to "Verify your identity." Do not click.
- Extortion Scams: Scammers may email you showing you a password you used in the past, claiming they have recorded you via your webcam. They will demand Bitcoin. This is a bluff—they simply got your password from this 149M leak.
How to Protect Yourself (Step-by-Step)
If you use Gmail, Facebook, or TikTok, follow these Scamadviser-recommended steps immediately:
1. Check "Have I Been Pwned"
Enter your email address at [HaveIBeenPwned.com] to see if your data has appeared in recent "Combolists" or Stealer Logs.
2. Kill Active Sessions
Changing your password isn't enough if a hacker has your "Session Cookie."
Gmail: Go to Security > Your Devices > Sign out of all unknown sessions.
Facebook/Instagram: Go to Accounts Center > Password and Security > Where you're logged in.
3. Move to a Dedicated Password Manager
Stop saving passwords in your browser. Browsers are the primary target for infostealer malware. Use a dedicated encrypted manager like Bitwarden, 1Password, or Dashlane.
4. Enable Hardware 2FA
SMS-based codes are vulnerable. Use an authenticator app (Google Authenticator) or, better yet, a physical security key (Yubikey).
Why Limiting Online Data Exposure Matters More Than Ever
One practical way to reduce your exposure after a data leak is to limit how much of your personal information is floating around online in the first place. Services like Incogni help by automatically requesting the removal of your details from data broker sites that collect and resell personal data. This reduces the amount of information scammers can easily access, without requiring you to track down and manage dozens of opt-out requests yourself. Over time, a smaller digital footprint can mean fewer scam attempts and a lower risk of identity misuse.
The Bottom Line: Never Reuse Passwords
The 149 million credential leak is a stark reminder that your browser is not a safe vault. If you have downloaded "free" or "cracked" software recently, your credentials are likely in this 96GB file.
Scamadviser Advice: Treat every login as compromised. Use a clean device to change your most important passwords (Banking and Primary Email) and never reuse the same password across multiple sites.
Disclaimer: Some links in this article may be affiliate links. This means we may earn a small commission if you choose to purchase a product or service through them, at no extra cost to you.
Report a Scam!
Have you fallen for a hoax, bought a fake product? Report the site and warn others!
Scam Categories
Help & Info
Top Safety Picks
Your Go-To Tools for Online SafetyDisclaimer: Some of the links here are affiliate links. If you click them and make a purchase, we may earn a commission at no extra cost to you.
- ScamAdviser App - iOS : Your personal scam detector, on the go! Check website safety, report scams, and get instant alerts. Available on iOS
- ScamAdviser App - Android : Your personal scam detector, on the go! Check website safety, report scams, and get instant alerts. Available on Android.
- NordVPN : NordVPN keeps your connection private and secure whether you are at home, traveling, or streaming from another country. It protects your data, blocks unwanted ads and trackers, and helps you access your paid subscriptions anywhere. Try it Today!
- Incogni : Incogni automatically removes your personal data from data brokers that trade in personal information online, helping reduce scam and identity theft risks without the hassle of manual opt-outs. Reclaim your privacy now!
Popular Stories
As the influence of the internet rises, so does the prevalence of online scams. There are fraudsters making all kinds of claims to trap victims online - from fake investment opportunities to online stores - and the internet allows them to operate from any part of the world with anonymity. The ability to spot online scams is an important skill to have as the virtual world is increasingly becoming a part of every facet of our lives. The below tips will help you identify the signs which can indicate that a website could be a scam. Common Sense: Too Good To Be True When looking for goods online, a great deal can be very enticing. A Gucci bag or a new iPhone for half the price? Who wouldn’t want to grab such a deal? Scammers know this too and try to take advantage of the fact. If an online deal looks too good to be true, think twice and double-check things. The easiest way to do this is to simply check out the same product at competing websites (that you trust). If the difference in prices is huge, it might be better to double-check the rest of the website. Check Out the Social Media Links Social media is a core part of ecommerce businesses these days and consumers often expect online shops to have a social media presence. Scammers know this and often insert logos of social media sites on their websites. Scratching beneath the surface often reveals this fu
Disclaimer: This article was originally published in 2018 and has been updated in October 2025 to reflect more current information, resources, and advice. Scams and recovery options continue to evolve, so always double-check with your bank, payment provider, or local consumer protection authority for the latest guidance. So the worst has come to pass - you realise you parted with your money too fast, and the site you used was a scam - what now? Well first of all, don’t despair!! If you think you have been scammed, the first port of call when having an issue is to simply ask for a refund. This is the first and easiest step to determine whether you are dealing with a genuine company or scammers. Sadly, getting your money back from a scammer is not as simple as just asking. If you are indeed dealing with scammers, the procedure (and chance) of getting your money back varies depending on the payment method you used. PayPal Debit card/Credit card Bank transfer Wire transfer Google Pay Bitcoin PayPal Good news: PayPal gives you strong protection. You can file a dispute within 180 days of your purchase. You can get a refund if: Your order never arrives, and the seller cannot provide proof of delivery. The scammer sends you something completely different (e.g., a controller instead of a PlayStation). The product condition was misrepresented (sold as new but arrives used). The item is missing undisclosed parts. The item is counterfeit. Start your claim directly through Pay