A cybersecurity researcher has uncovered a massive, publicly accessible database containing millions of stolen login credentials harvested from malware-infected personal devices, including accounts linked to major social media platforms and the crypto exchange Binance.
The dataset, uncovered by cybersecurity researcher Jeremiah Fowler, contained around 149 million usernames and passwords from personal phones and computers, according to a Friday blog post published on ExpressVPN. The records were tied to services including Facebook, Instagram, Netflix and Binance, with at least 420,000 credentials associated with Binance users.
The leak contained 48 million Gmail accounts, four million Yahoo accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts and 780,000 TikTok accounts, among others.
“This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware,” said Fowler in the blog post. “Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed,” he added.
The researcher also noted a concerning number of credentials associated with government-linked accounts and .gov domains, which open the door to phishing attacks, potentially allowing attackers to impersonate government agencies.
Related: Matcha Meta breach tied to SwapNet exploit drains up to $16.8M
Credential theft, not a Binance-specific system breach
Security experts stressed the exposure does not indicate a breach of Binance’s internal systems. Instead, the credentials were collected through so-called “infostealer” malware that silently extracts saved logins from compromised devices.
“Infostealer is a known malware variant that steals user credentials when the users’ devices are compromised. Those are not leaks from Binance,” a spokesperson for Binance told Cointelegraph.
The incident signals a data leak on the end-user devices, not a breach to the exchange’s core systems, Deddy Lavid, the CEO of blockchain cybersecurity company Cyvers, told Cointelegraph.
“This highlights why the industry is shifting toward prevention-first security models that can detect and stop suspicious activity before funds are moved, alongside strong user hygiene such as hardware-based MFA and secure password practices.”
To protect its users, Binance monitors dark web marketplaces, alerts affected users, initiates password resets and revokes compromised sessions, the exchange wrote in a blog post published in March, 2025.
Binance recommends that users employ antivirus and anti-malware tools along with regular security scans to protect against external threats like this.
Related: Bitcoin investor loses retirement fund in AI-fueled romance scam
Infostealer malware: a new threat for crypto investors’ wallets
Cybersecurity firm Kaspersky first reported on the threat of the new infostealer malware in December 2025, which disguises itself as a game cheat or mod, targeting cryptocurrency wallets and browser extensions.
Discovered in November, attackers use this malware to hijack accounts, steal cryptocurrency and install crypto miners on the victims’ computers, which are masked as video game cracks or mods, particularly for Roblox.
Built on the Chromium and Gecko engines, the malware’s dangers extend to over 100 browsers, including the most popular ones such as Chrome, Firefox, Opera, Yandex, Edge and Brave.
The malware also targeted the users of at least 80 cryptocurrency exchanges, including Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Nexus and Exodus.
To avoid falling victim to infostealers, users should run a reliable antivirus on their computers and keep an updated security and operating system on their mobile devices, Fowler said.
Magazine: Meet the onchain crypto detectives fighting crime better than the cops
