149 Million Passwords Exposed: 900,000 iCloud Logins Found in Massive Unsecured Database
Security researcher Jeremiah Fowler just pulled the curtain back on a 96GB treasure trove of stolen data that had been sitting wide open on the web. This wasn't a standard corporate leak. It was a sprawling, 149-million-record inventory of digital lives, including highly sensitive credentials for roughly 900,000 Apple iCloud accounts.
Disclosed on January 23, 2026, the database represents what Fowler calls a "dream wish list" for cybercriminals. If you haven't updated your passwords recently or still haven't enabled two-factor authentication, your digital front door might have been wide open. This wasn't the result of a single company getting hacked. Instead, it’s the fallout of a massive, coordinated campaign using infostealer malware to snatch data directly from the source: you.
The database was remarkably accessible. No encryption. No password. Anyone with a web browser could have spent the last month browsing through nearly 150 million personal records.
A Massive Inventory of Digital Identities
The numbers are staggering, but they tell a clear story of how efficiently modern malware vacuums up our lives. While the 900,000 iCloud accounts are the headline-grabbers, the database hit almost every corner of the internet.
According to Fowler’s analysis, the stolen credentials included:
- Gmail: 48 million credentials
- Facebook: 17 million logins
- Instagram: 6.5 million accounts
- Yahoo: 4 million accounts
- Netflix: 3.4 million logins
- Microsoft Outlook: 1.5 million accounts
- Educational (.edu): 1.4 million institutional accounts
The reach didn't stop at social media. The haul included logins for government portals, consumer banking, and 420,000 Binance cryptocurrency accounts. This wasn't a surgical strike. It was a dragnet designed to capture every single thing a user typed into an infected device.
Inside the Infostealer Economy
This data likely came from infostealers like RedLine or Raccoon, malicious software that has become the backbone of the cyber-underground. You don’t catch these by clicking a suspicious link from a "Nigerian Prince" anymore. These infections usually hide inside "cracked" software, "free" PDF converters, or links found in the descriptions of YouTube tutorials for pirated games.
Once a device is infected, the malware acts like a silent digital tape recorder. It scrapes saved passwords from your Chrome or Safari browser, captures keystrokes, and even steals session cookies, which let an attacker reuse an already logged-in session. This data is then bundled and sold on Telegram or dark web forums as "logs."
Sophisticated Organization and Real-Time Growth
This wasn't just a static "dump" of old, dusty passwords. The database was a live, organized operation. Fowler noted that the system automatically assigned unique identifiers to each record. It was built for speed and easy exploitation.
The database wasn't just exposed. It was growing.
During the month Fowler spent trying to track down the hosting provider to get the file pulled, new credentials never stopped flowing in. The infection was active. Somewhere, thousands of computers and phones were still bleeding data into this central hub in real time. The hosting provider eventually killed the connection for a terms-of-service violation, but the identity of the person running the operation remains a mystery.
The Game Has Changed: Hackers are on Your Desktop
Hackers aren't just hitting servers anymore; they’re sitting on your desktop. While we often wait for a "breach notification" from a big company like Apple or Google, this 96GB file proves that the biggest threat is now client-side. The compromise didn't happen at a data center; it happened on individual phones and laptops.
If your credentials were in this database, a complex password wouldn't have saved you. The malware simply watched you type it.
We are now firmly in the era of "Malware-as-a-Service," where even low-level criminals can rent the tools needed to harvest millions of identities. To stay safe, "standard" security isn't enough. You need to use a dedicated password manager that doesn't just store passwords in a browser, and you must enable hardware-based MFA (like a YubiKey) or authenticator apps.
Check your accounts. Reset your passwords. Turn on MFA. Because if you’re waiting for a company to tell you that you’ve been hacked, you’re already too late.