Cybersecurity expert Jeremiah Fowler released a report for ExpressVPN on Friday 23rd January 2026, outlining the extent of an exposed database containing 96GB of data, including 149,404,754 passwords. These passwords were for regular people’s accounts with Google, Facebook, Instagram, Netflix, Outlook, iCloud, Binance, TikTok, and… OnlyFans, as well as dozens of other sites.
Unlike other times when a huge number of passwords were suddenly exposed, this wasn’t from hackers breaking into a tech giant’s digital back door and stealing them all in one go. The passwords and other data found appear to have been stolen by malware infecting millions of devices. The exposed database is likely a handy location for the hacker(s) to store all that info. The fact that it was left exposed for Jeremiah to find does show that even hackers don’t take cybersecurity seriously.
There are steps you can take to make sure you don’t end up a victim of this sort of attack.
Password Procedures
First and foremost, the biggest vulnerability you will have is using the same password more than once or keeping the same password for a long time. I know it’s difficult to keep track of passwords, but reusing the same password over and over means that once it gets exposed in one place, everywhere you’ve used that password is now exposed.
Changing your passwords at a regular interval is also important, although I will admit I recently found a still-active 29-year-old email account for which I still knew the password (despite not logging into it since 2004). But any account with your personal information, financial information, or just anything you don’t want exposed to the world should have its password updated every few months.
Password Managers
There are a number of password management services available, the most popular of which is likely Google’s, because it’s integrated into Chrome, but it’s far from the only one. These are a godsend because you don’t have to remember dozens of passwords.
A clear advantage of password managers is that you don’t have to go for a memorable password. Because a separate system stores your password, you can use a completely random selection of letters, numbers, and punctuation. You can also improve the security further by making the password much longer. This has the added advantage of satisfying the most stringent password complexity requirements (you know, the “your password must be at least eight characters long and include an uppercase letter and a number” sort of thing). Even better, password managers will generate complex, hard-to-break passwords for you.
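As an added illustration (not code from any particular password manager), this Python sketch shows how such a generator can work: characters come from the operating system's secure random source, and the estimate shows how much length adds. The function names and the four-class policy are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes matching the kind of complexity rule quoted above
# (the exact four-class policy is an assumption for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(password, min_length=8):
    """True if the password is long enough and uses every character class."""
    if len(password) < min_length:
        return False
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length=20):
    """Draw characters from the OS CSPRNG, retrying until the policy is met.

    Retrying whole candidates (instead of forcing one character per class
    into fixed positions) keeps every compliant password equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Approximate (upper-bound) entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (8, 12, 20):
        print(n, generate_password(n), f"{entropy_bits(n):.1f} bits")
```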
Many password managers also keep track of leaks and will warn you if your passwords ever get exposed. This won’t be entirely foolproof, and by the time the software detects your leaked password, it might already be too late.
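One widely used design for this kind of leak check is the k-anonymity range query used by the Have I Been Pwned Pwned Passwords service: the client sends only the first five characters of the password's SHA-1 hash and compares the returned suffixes locally. The Python below is an added example, not any vendor's code; the leak corpus and the stand-in server are constructed so that it runs offline.

```python
import hashlib

# Constructed sample data: a pretend leak corpus held by the checking service.
CONSTRUCTED_LEAK = {"hunter2": 17, "letmein!": 4, "Summer2025": 2}
SEEN_QUERIES = []  # everything the service learns from the client


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def constructed_range_server(prefix):
    """Service side: return 'SUFFIX:COUNT' lines for every hash with this prefix."""
    SEEN_QUERIES.append(prefix)
    lines = []
    for leaked, count in CONSTRUCTED_LEAK.items():
        p, suffix = split_hash(leaked)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body):
    """Client side: parse the response, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def times_seen(password, fetch_range):
    """How often the password appears in the leak data (0 means not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("hunter2", "correct horse battery staple"):
        print(repr(candidate), "seen", times_seen(candidate, constructed_range_server), "times")
    print("service only ever saw:", SEEN_QUERIES)
```

Neither the password nor its full hash leaves the device; the service sees only a five-character prefix that many unrelated passwords share.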
Multi-Factor Authentication
Of course, using a password manager does mean that all of your passwords would be vulnerable if it was ever hacked, or you lost the password to it.
This is where additional security comes in. Multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA) requires an additional method of proving you are the legitimate user when you log in. While you might find it to be a bit of a faff, this additional layer of security is invaluable for the accounts you need to keep most secure, and that certainly includes your password manager.
You have almost certainly experienced this: being sent a text message or an email by a website while you’re trying to log in. These are incredibly useful, and we strongly recommend using MFA wherever available. Of course, it does mean losing your phone can be even more of a nightmare, so make sure you have all of the emergency options (secondary email, passkeys, etc.) sorted out before you need them.
That Danged Malware
Malware may not be the only way to have your password exposed, but as this story demonstrates, it’s one that is successful. It’s also possibly the easiest means of getting this sort of data from people. While it’s impossible to absolutely guarantee that you won’t ever fall victim to malware, there are steps that you can take to protect yourself.
While I could go on about being aware of your browsing behaviour and learning how to spot fake emails with dodgy links, these just aren’t enough anymore. You need to have antivirus protection on your devices. Yes, even your phone. Yes, even Apple devices.
It doesn’t need to be all-singing, all-dancing protection software. Even a free antivirus option is going to block 99% of malicious software. Combine that with safe browsing habits and you’re off to a great start. More advanced antivirus packages are available, some of which include a built-in VPN for added security (and getting around that pesky censorship), and some even come with identity protection and insurance, which pays out should you ever have your identity stolen.
What To Do Right Now
If you aren’t already doing the above, what you should do right now is get started with the guidance here. A quick course on basic cybersecurity wouldn’t hurt (there are plenty freely available online).
You’re probably signed up for dozens of online services, and going through each and every one is going to be a chore. But figure out the most important ones and make sure you change the passwords there. Unsurprisingly, the one you probably think is the most important to keep secure, your online banking, is the one with the best defences (because banks expect at least some of their customers to be technologically challenged).
Virus protection is something that nobody should be without. If you have no antivirus software installed on your device, I would recommend getting one immediately, even if it’s free. Yes, you have to put up with some (sometimes annoying) popups, but the protection is invaluable. You can always upgrade to a less intrusive paid antivirus in future (just don’t try to install two at the same time).