Publicly Accessible Database Discovered Hosting 149 Million Credentials

the exploit blog logo
Penetration Testing Blog
Publicly Accessible Database Discovered Hosting 149 Million Credentials
Posted on February 2, 2026
Written by Andrew Trexler

A security researcher recently found a publicly accessible database that contained 149 million stolen credentials. The data contained millions of records for Gmail, Facebook and other sensitive services. While they were unable to determine the owner of the data, they did successfully get the hosting provider to remove the service, preventing others from accessing the data further, at least from that location.

While attackers stealing usernames and passwords and distributing them widely is troubling, there are still ways to protect yourself. Use MFA (multi-factor authentication) on all your accounts so that, even if a hacker has your password, they can’t access your account without your approval. Also don’t reuse passwords across accounts. This limits the impact of having a password stolen or leaked, as it will only work for that one site. Password managers are a great tool to make it easy to keep track of several different passwords. If you’re interested in more login security tips, please check out Brad Herring’s recent post about 8-character passwords.

Andrew Trexler

Andrew Trexler
Andrew graduated from the University of Pittsburgh with a degree in Information Science where he focused on networking and security. He continued his education by obtaining the Offensive Security Certified Professional (OSCP) and the eLearnSecurity Junior Penetration Tester (eJPT) certifications. When not participating in capture the flag events, Andrew works as a pyrotechnic operator setting up and shooting firework shows in the Pittsburgh area.

About The Exploit Blog

The Exploit is written by Raxis penetration testers. Every post is a technical writeup from someone who runs engagements for a living, with code, command output, and the reasoning behind each step. Topics include exploit research, vulnerability disclosure, tool development, and the offensive techniques showing up in current client work.

Search The Exploit Blog

Raxis Discovered Vulnerabilities

View the CVEs and bugs that Raxis pentesters have uncovered and submitted.

Tested by the People Who Wrote This Blog Post

The engineers behind these posts run real engagements every week. Put them on your network, web apps, APIs, or cloud and see what an attacker would find first.

Request A Quote Schedule Call

Blog Categories

Join Our Newsletter

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.