Unsecured Database Containing 149 Million Account Credentials Found in Canada

• January 24, 2026

A cybersecurity researcher recently uncovered an unsecured database hosted in Canada that contained credentials for approximately 149 million user accounts. The exposed data included login information from a wide range of platforms such as Gmail, OnlyFans, various banking services, government portals, and other online services.

Details of the Discovery

The database was found by cybersecurity expert Jeremiah Fowler during his routine investigations into exposed online data repositories. Despite intensive efforts, Fowler was unable to identify the owner of the database. After locating the server hosting the data, he contacted the hosting provider to report the security concern and prevent further exposure of sensitive account information.

The breadth of the compromised data is notable for including credentials from diverse categories of online accounts, spanning personal, financial, and governmental services. The exact nature of how the database was compiled and who was responsible for its creation remains undetermined, raising questions about potential large-scale data aggregation or unauthorized collections of personal information.

As the database was left unprotected without passwords or encryption, the data was freely accessible, increasing the risk of misuse by malicious actors. The incident highlights ongoing challenges in safeguarding vast amounts of credentials stored across multiple platforms and services.

This case adds to recent trends of massive data leaks and credential dumps, emphasizing the vulnerabilities that arise when large datasets containing usernames and passwords are improperly secured. Organizations handling sensitive data need to reinforce their security measures to prevent similar occurrences.

Within the broader cybersecurity landscape, the discovery resembles other recent incidents where unsecured or improperly configured databases have exposed millions of credentials to the internet. Such findings often prompt industry-wide warnings about password reuse, the importance of multi-factor authentication, and secure data storage protocols.

Further updates regarding any actions taken by the hosting provider or affected platforms have yet to be announced. Monitoring for subsequent developments, including possible attribution or remediation efforts, will be essential in understanding the full scope and impact of this exposure.

A cybersecurity researcher discovered an unprotected database in Canada holding 149 million login details from major platforms including Gmail and OnlyFans.