Credentials for 420,000 Binance accounts appeared in an unprotected database containing 149 million login combinations from cryptocurrency exchanges, financial services and government systems discovered last week.
Cybersecurity researcher Jeremiah Fowler identified the 96-gigabyte repository accessible without encryption or password protection.
The database remained online for over one month while records continued accumulating, according to Fowler's report.
Gmail accounts represented the largest portion with 48 million credentials, followed by 17 million Facebook logins. Cryptocurrency platforms accounted for smaller but significant exposure, with Binance's 420,000 accounts representing the primary exchange affected.
What Happened
Infostealer malware harvested the credentials from infected personal devices rather than direct exchange breaches. The malicious software operates silently on compromised systems, recording keystrokes and browser-stored passwords before transmitting data to attacker-controlled servers.
Fowler reported the database to its hosting provider, but removal required nearly a month of communications.
The database indexed stolen credentials using reversed host paths, enabling efficient searches by domain and user, suggesting organized criminal infrastructure.
Google confirmed the dataset compiled credentials stolen over time by third-party malware rather than new platform breaches. The company maintains automated protections that lock accounts and force password resets when exposed credentials appear.
Read also: BitMine Acquires 40,000 ETH In Largest 2026 Purchase After Share Expansion
Crypto Industry Impact
The exposure affects cryptocurrency users disproportionately compared to the breach's overall scale. While Binance accounts represented 0.28% of total leaked credentials, cryptocurrency holdings face permanent loss risks absent from traditional financial services with fraud protections and reversible transactions.
Binance Chief Security Officer Jimmy Su previously addressed infostealer threats in March 2025, noting increased detection of compromised user credentials from malware infections rather than exchange system breaches. The exchange monitors dark web sources and initiates password resets for affected accounts.
Security researchers estimate infostealer malware infrastructure costs $200-$300 monthly to rent, creating low barriers for credential theft operations. Recorded Future analyst Allan Liska noted criminals can access hundreds of thousands of new credentials monthly at subscription prices below typical car payments.
The database also contained credentials for crypto wallets, trading accounts and banking services alongside social media and streaming platforms. Government email domains from multiple countries appeared in samples, raising concerns about targeted phishing and system infiltration attempts.
Read next: UK Banks Block 40% of Crypto Exchange Payments, Industry Survey Finds