149M Stolen Logins Exposed: Binance and Crypto Users Caught in Massive Infostealer Data Leak

Nahid
Published: January 27, 2026
(Updated: January 27, 2026)

Summary:

  • A cybersecurity researcher found a public database containing 149 million stolen login credentials from malware-infected devices.
  • At least 420,000 Binance-related logins were included, raising direct risks for crypto users.
  • Email accounts from Gmail, Yahoo, Outlook, iCloud, and .edu domains were heavily affected.
  • Social platforms like Facebook, Instagram, TikTok, and even Netflix and OnlyFans accounts appeared in the dump.
  • The breach shows how infostealer malware, not exchange hacks, is becoming a major threat to crypto holders.

A cybersecurity researcher has uncovered a massive trove of stolen login data, and the scale alone is enough to make anyone pause. The exposed database held around 149 million usernames and passwords, all collected from personal phones and computers infected with credential-stealing malware. Unlike a traditional exchange hack, this data didn’t come from breaking into one company. It came directly from users’ own devices.

The discovery was made by cybersecurity researcher Jeremiah Fowler and detailed in a blog post published by ExpressVPN. The records tied to the dataset included accounts linked to everyday platforms people use without a second thought, such as Facebook, Instagram, Netflix, TikTok, email providers, and notably, the crypto exchange Binance.

At least 420,000 credentials were associated with Binance users, putting crypto holders directly in the crosshairs. For people active in digital assets, this type of exposure carries more than just the risk of a social media account being taken over. It can lead to drained exchange balances, phishing attacks, and targeted scams based on personal data.

Fowler warned clearly in his findings:

“This is not the first dataset of this kind I have discovered and it only highlights the global threat posed by credential-stealing malware.” He added, “Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed.”

The danger goes well beyond social media embarrassment; it moves into direct financial risk.

Crypto users face sharper danger

The breakdown of affected accounts paints a picture of how broad the infection spread really was. Email providers alone made up a huge portion. Around 48 million Gmail accounts, 4 million Yahoo accounts, 1.5 million Outlook accounts, 900,000 iCloud accounts, and 1.4 million .edu accounts appeared in the data. When email access is compromised, everything else connected to that inbox becomes easier to reset, hijack, or impersonate. The dataset included about 17 million Facebook accounts, 6.5 million Instagram accounts, and 780,000 TikTok accounts. Streaming and subscription platforms also showed up, with 3.4 million Netflix accounts and even 100,000 OnlyFans accounts.

But crypto users sit in a different risk category. When someone’s exchange login, trading platform details, or wallet-related credentials are exposed, attackers may not act immediately. Sometimes they monitor accounts, craft believable phishing emails, or wait for the right moment when balances increase. In some cases, stolen data feeds into broader criminal networks that specialize in targeting crypto holders because transactions are fast and hard to reverse. This is what makes infostealer malware so dangerous. It doesn’t need to break sophisticated blockchain security. It simply waits for a person to install a fake app, open a malicious attachment, or download a compromised file. Once inside a device, the malware quietly copies saved passwords, browser data, autofill details, cookies, and sometimes wallet information. To the user, nothing looks wrong. In the background, their digital identity is being packaged and sold.

A shift in how crypto risk works

For years, headlines about crypto security mostly focused on exchange breaches or smart contract exploits. Those still happen, but this incident shows another trend that’s becoming just as serious: attacks that start at the user level. Here, Binance itself wasn’t reported as hacked. Instead, user credentials connected to Binance accounts were found in a massive dump gathered from infected personal devices. So, even the most secure platform can’t protect an account if the username, password, and possibly email access are already in criminal hands.

This is also why these leaks are especially valuable to attackers. They don’t just get one login. They get identity bundles: email, social media, entertainment accounts, and sometimes financial services, all tied to the same person. That makes impersonation easier and social engineering more convincing. The exposed database also shows how routine online habits connect together. A person might reuse passwords across services, save credentials in a browser, or ignore security alerts. Infostealer malware thrives in that environment.

For crypto users, the lesson isn’t abstract. If exchange logins, wallet services, or related email accounts appear in these dumps, attackers may attempt account takeovers, phishing campaigns, SIM-swap attacks, or targeted scams pretending to be support teams.

Closing Thoughts

The incident shows how personal device security has become one of the weakest links in the crypto world. As more financial activity moves online, stolen credentials turn into direct money trails. The 149 million-record exposure is another reminder that protecting digital assets now starts long before someone opens an exchange app.

 

About the Author

Nahid

Nahid is a contributor at CotiNews from Bangladesh, covering developments across the COTI ecosystem. His work focuses on breaking down complex updates, technical concepts, and ecosystem news into clear, accessible stories for a wider audience.
