According to 9to5Mac, security researcher Jeremiah Fowler has discovered yet another massive, unsecured database containing 149 million account usernames and passwords. The trove included 48 million Gmail logins, 17 million for Facebook, 4 million for Yahoo, and 1.5 million for Microsoft Outlook. Crucially, it also held 900,000 credentials for Apple iCloud accounts and 1.4 million for .edu academic accounts. The database was sitting unprotected on a cloud server, accessible to anyone with a web browser. Fowler, who found a similar 184-million-record database last year, reported this one to the hosting provider, which has now taken it down. The data is believed to have been harvested by “infostealer” malware, often spread through phishing or pirated software.
Why this keeps happening
Here’s the thing: this isn’t a breach of Apple or Google’s servers. This is the aftermath. The logins were already stolen from individual users’ devices by malware. Criminals then aggregated them into a giant, searchable list to sell or use. And the barrier to entry for this kind of crime is shockingly low. As the report notes, you can essentially rent the hardware and software needed to run these infostealer operations for about $200 a month. That’s it. So we’re not dealing with sophisticated state actors here; we’re dealing with a commoditized, scalable threat. The database being left open was just a bonus for other bad actors—a free sample platter of stolen logins.
The real danger is you
Look, the scariest number in that list might be the 900,000 Apple accounts. Why? Because an Apple ID is a master key. It’s not just email. It’s your photos, your notes, your device backups, your payment methods, and if you use it, even your house keys via HomeKit. A hacker with that access can launch devastating phishing attacks against your contacts, lock you out of your own digital life, or drain accounts linked to Apple Pay. But the broader danger is password reuse. That’s the hacker’s golden ticket. They take the password you used on some forgotten forum a decade ago and try it on your email, your bank, and your Apple ID. And if it works, game over.
What you actually need to do
So what’s the fix? The advice is boring but non-negotiable. First, use a password manager. I know, I know. But it’s the only way to have a unique, strong password for every single site. Second, turn on two-factor authentication (2FA) everywhere, especially on your primary email and Apple/Google/Microsoft accounts. And I mean app-based 2FA or a security key, not just SMS codes, which can be hijacked. This creates a second wall that the stolen password alone can’t breach. Basically, assume your password is already out there—because for millions of people, it literally is, sitting in a database like this. Your security can’t depend on a secret that’s already been spilled.