A massive unsecured database containing 149.4 million login credentials has been discovered, with nearly half a million crypto exchange accounts directly compromised.
Security researcher Jeremiah Fowler, in a report published by ExpressVPN, revealed the discovery of a 96 GB unprotected database containing 149,404,754 unique email and password combinations. Among the wreckage are an estimated 420,000 Binance account credentials, leaving traders who rely on weak operational security vulnerable to immediate account draining.
BNB traded flat at $868 (-0.6%) following the news, reflecting the market’s understanding that this is a client-side failure rather than an exchange-level breach.
The Vector: Industrial-Scale Malware
This was not a hack of Binance’s servers. The data appears to be an aggregation of logs harvested by “infostealer” malware, malicious scripts that infect personal devices to scrape saved passwords, session cookies, and autofill data. Fowler noted that the dataset included specific login URLs, making it a turnkey solution for automated account takeover attacks.
“The exposed records included usernames and passwords collected from victims around the world… indicating login paths of both creators and customers,” said Jeremiah Fowler.
The scale of the exposure is severe. Beyond the crypto-specific threats, the database contained:
- 48 million Gmail accounts
- 17 million Facebook accounts
- 6.5 million Instagram accounts
- 900,000 Apple iCloud accounts
The Institutional Context
Although the database was taken offline after Fowler contacted the hosting provider, the “time-to-exploit” for such data is often measured in hours. For crypto users, the risk extends beyond simple password reuse. Infostealers often capture session tokens, potentially allowing attackers to bypass standard 2FA methods if they act before the session expires.
This incident reinforces the critical distinction between platform security and user endpoint security. With 420,000 specific Binance entry points identified, users without hardware-based 2FA (like YubiKey) or passkeys face the highest risk of liquidation.