Malware Leak Exposes 149M Logins, Including 420,000 Binance Credentials

What Was Found in the Exposed Database?

A publicly accessible database containing millions of stolen login credentials has been uncovered by cybersecurity researcher Jeremiah Fowler, raising fresh concerns about the scale of infostealer malware activity targeting everyday devices. According to a blog post published Friday on ExpressVPN, the dataset included roughly 149 million usernames and passwords collected from malware-infected phones and computers.

The credentials were linked to a wide range of online services, including major social media platforms, streaming services, and the cryptocurrency platform Binance. Fowler said at least 420,000 of the exposed credentials were associated with Binance users. The broader dataset included 48 million Gmail accounts, four million Yahoo accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts, and 780,000 TikTok accounts.

“This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware,” Fowler wrote. He added that the records also included “financial services accounts, accounts, banking and credit card logins,” based on a limited sample he reviewed.

The exposed data totaled roughly 94 gigabytes and was accessible without authentication, meaning anyone who found the server could view or download the information. Fowler also flagged a concerning number of logins tied to government-linked email addresses and .gov domains, which could be exploited for phishing or impersonation attacks.

Investor Takeaway

The scale of the dataset highlights growing exposure risk at the user-device level, not just within centralized platforms, reinforcing the importance of endpoint security alongside platform safeguards.

Why This Is Not a Binance System Breach

Security specialists stressed that the incident does not point to a breach of Binance’s internal systems. Instead, the stolen , a category of malicious software that quietly extracts saved logins and session data from compromised devices.

“Infostealer is a known malware variant that steals user credentials when the users’ devices are compromised. Those are not leaks from Binance,” a Binance spokesperson said. The platform emphasized that the exposure originated on end-user devices rather than within its own infrastructure.

Deddy Lavid, chief executive of blockchain cybersecurity firm Cyvers, echoed that assessment, saying the incident reflects a data leak at the device level rather than a failure of platform security controls. He said the case illustrates why security efforts increasingly focus on early detection of abnormal behavior before assets are moved, combined with stronger user-side practices such as hardware-based multi-factor authentication and secure password management.

Binance said it monitors for leaked credentials, alerts affected users, forces password resets, and revokes compromised sessions when exposure is identified. In a March 2025 blog post, the platform also urged users to deploy antivirus and anti-malware tools and to run regular security scans to reduce exposure to threats like infostealers.

How Infostealer Malware Targets Crypto Users

Infostealer malware has become a growing concern because it targets browsers, wallet extensions, and locally stored credentials rather than centralized servers. Once installed, the malware can siphon login details, hijack accounts, and in some cases deploy additional payloads such as crypto miners.

Cybersecurity firm Kaspersky reported in December 2025 on a new infostealer strain that disguises itself as a game cheat or modification, with a particular focus on cryptocurrency wallets and browser extensions. Discovered in November, the malware was spread through fake downloads that appeared to offer cracked software or gaming mods, including content marketed to players of Roblox.

The malware is built to work across more than 100 browsers based on Chromium and Gecko engines, including Chrome, Firefox, Edge, Opera, Brave, and others. Kaspersky said it also targeted users of at least 80 cryptocurrency services, ranging from .

Because the malware operates at the device level, even users of reputable platforms can be affected if their systems are compromised. Attackers can capture credentials, bypass basic security checks, and drain wallets before victims realize access has been lost.

Investor Takeaway

Infostealers reduce the protective value of platform-level security alone, making device hygiene and authentication controls a critical line of defense for crypto holders.

What Users Can Do to Reduce Risk

Fowler advised users to run reputable antivirus software on their computers and keep operating systems and mobile devices fully updated. He said outdated software and unofficial downloads remain among the most common entry points for infostealer infections.

Security specialists also recommend avoiding cracked software, game cheats, and unofficial browser extensions, which are frequently used as distribution channels. Hardware-based authentication, unique passwords, and limiting saved credentials in browsers can further reduce exposure if a device is compromised.
