A security report detailing the exposure of nearly 149 million stolen usernames and passwords is a clear signal that cybersecurity failures, especially those involving credential leaks, are now inseparable from customer trust and digital experience strategy.
The findings, uncovered by cybersecurity researcher Jeremiah Fowler and shared with ExpressVPN, describe a publicly accessible database containing 149,404,754 unique logins and passwords, totaling 96 GB of raw data.
The database was not password-protected or encrypted and could be accessed using a standard web browser. Fowler wrote:
“This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware.”
The exposed data appears to have been collected by infostealer malware, designed to harvest credentials, session data and other sensitive information from infected devices.
A CX Crisis Hiding in Plain Sight
The scale and composition of the exposed data is especially concerning. The credential leak spanned consumer, entertainment, financial, and government-linked services, including social platforms, streaming providers, dating apps, financial services, crypto exchanges, and email providers.
In a limited sample, Fowler saw credentials tied to services such as Facebook, Instagram, TikTok, X, OnlyFans, Netflix, HBOmax, DisneyPlus, and Roblox. Even more concerning was the fact that the credentials included accounts associated with .gov domains in numerous countries, which could have serious implications depending on the role of the compromised user.
For customers of the various platforms, credential exposure can lead to account lockouts, fraud alerts, forced password resets, and heightened friction, directly degrading experience and eroding confidence in brands. Even when a company is not the original source of the breach, customers tend to associate the pain with the service they can see.
The exposed email addresses and account associations could allow criminals to build detailed profiles of individuals. Knowing where they have accounts, what services they use, and potentially their professional or personal affiliations could increase the success rate of social engineering or phishing attempts.
“The exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed,” Fowler wrote.
“This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services.”
Unlike previous datasets Fowler has investigated, this credential leak included structured metadata such as reversed host paths and hashed document IDs, making the stolen data highly searchable and automation-ready.
The same technologies that customer-facing teams use to personalize journeys and reduce friction can also be used by attackers to launch large-scale credential-stuffing attacks across services at machine speed.
The result is often a wave of suspicious login attempts, false positives in fraud detection systems, and legitimate users being challenged or blocked at critical moments.
Trust, Not Convenience, Is Now the Differentiator
The use of malware serves as a reminder that changing passwords alone is ineffective if a device remains infected. This creates a gap between what brands ask customers to do and what actually keeps them safe.
Security-driven customer experience is about guiding customers toward safer behaviors without overwhelming them. That includes clearer education around malware risks, smarter authentication, and proactive communication.
An estimated 66 percent of U.S. adults were using antivirus software in 2025, Fowler noted, adding “This means there are a large segment of users with unprotected and potentially vulnerable devices to this type of infostealer malware.”
This raises difficult questions: how much responsibility should brands take for educating customers, and where does that guidance belong in the journey?
For technology leaders, the incident reinforces several priorities:
- Identity and access management (IAM) must be adaptive, risk-based, and context-aware, not static.
- Fraud and security signals need to be better integrated into CRM and CX platforms so that frontline teams understand why friction is being introduced.
- Passwordless and MFA experiences must be designed as trust builders, not obstacles, especially during moments of stress like security breach notifications or account recovery.
- Incident response workflows should include customer experience as well as security and legal teams. How customers experience a breach response often matters as much as the breach itself.
The report also highlights operational failures beyond the breach itself. The database that Fowler uncovered did not have associated ownership information so he reported it to the hosting provider directly via its online report abuse form. There was then a nearly month-long delay before the hosting company took the exposed database offline, despite responsible disclosure attempts. During that time, the number of records continued to grow.
Security Failures Are Experience Failures
While it may seem ironic that such a valuable cache of stolen data was left unsecured, researchers note that this is not uncommon. Criminal operations often prioritize speed and scale over operational security, storing data in misconfigured cloud servers or databases that can be discovered through routine internet scanning. Once exposed, such datasets are frequently copied and redistributed, making the damage difficult to reverse.
The lesson for enterprises is that credential theft is now industrialized and its effects are felt most acutely at the customer interface. As Fowler noted:
“The discovery of this unprotected database serves as another reminder that credential theft has become a large-scale business that will only continue to be a threat.”
In an environment where customers increasingly judge brands by how safe and respectful digital interactions feel, trust and resilience are now core experience metrics, and incidents like this show how fragile they can be.
