149 Million Credentials Leaked: The Authentication Method Itself Is the Vulnerability
January 26, 2026 by Max Yakub

In a Forbes investigation published January 25, 2026, veteran cybersecurity journalist Davey Winder revealed that security researcher Jeremiah Fowler discovered a database containing 149,404,754 unique login credentials exposed online without password protection or encryption. The database, which Fowler described as “96 GB of raw credential data,” included an estimated:
- 48 million Gmail accounts,
- 17 million Facebook logins,
- 6.5 million Instagram credentials,
- 4 million Yahoo accounts,
- 3.4 million Netflix logins, and
- 1.5 million Outlook credentials.
The most alarming detail in Fowler’s report is not the scale of the exposure. It is that the database was still growing during his investigation, expanding continuously over the month it took to shut down. As Boris Cipot, senior security engineer at Black Duck, noted in the Forbes article, “the database was still growing during his investigation, this strongly suggests the malware is still active.”
This is not a breach. This is evidence that credential harvesting has become continuous background infrastructure of the internet.
What the Forbes Investigation Actually Reveals About Modern Authentication
Shane Barney, chief information security officer at Keeper Security, told Forbes that the 149 million-record dataset “is the byproduct of an ecosystem that continuously harvests credentials from endpoints and quietly accumulates access over time.” His conclusion: “Credential compromise is now a background condition of the internet.”
The Forbes report confirms that infostealer malware, also known as keyloggers, infected user devices and recorded credentials at the endpoint. These harvested credentials were then compiled into the database Fowler discovered. The database had no ownership information and was hosted on infrastructure that took over a month to respond to abuse reports. During that month, credential harvesting continued uninterrupted.
Mayur Upadhyaya, CEO at APIContext, explained to Forbes the real danger of exposed credential databases: “credentials don’t just get stolen, they also get reused. Once login and password pairs are exposed, even from criminal infrastructure, they become fuel for credential stuffing: automated attempts to reuse those same credentials across other applications and services.”
Mark McClain, CEO at SailPoint, captured the fundamental problem: “Hackers today don’t need to break your system to get in. They can simply walk through the front door with legitimate credentials.”
Google’s response to the Forbes investigation confirmed the reactive nature of credential-based authentication. A Google spokesperson stated: “We continuously monitor for this type of external activity and have automated protections in place that lock accounts and force password resets when we identify exposed credentials.”
Force password resets when credentials are identified as exposed. Not prevent credential harvesting. Not eliminate the credentials that can be harvested. Reset passwords after the compromise has already occurred.
Why Traditional Security Recommendations Cannot Address the Root Cause
The Forbes article included standard security recommendations from multiple cybersecurity experts. These recommendations represent current best practices for credential-based authentication:
- use unique passwords for every site,
- enable 2FA or MFA,
- use password managers,
- switch to passkeys, and
- monitor for exposed credentials using services like Have I Been Pwned.
Each of these recommendations accepts credential-based authentication as the foundation and attempts to add protective layers on top. None of them addresses why credentials exist in the first place.
Unique passwords still require users to create, remember, or store credentials that keyloggers can capture at the endpoint. The Forbes report confirms that infostealer malware harvested credentials from user devices, which means the moment a credential is typed or retrieved from storage, it becomes vulnerable.
Multi-factor authentication adds a second verification step, but MFA phishing has become trivial for sophisticated attackers. More importantly, MFA does not prevent the initial credential from being harvested. As Morey Haber, chief security advisor at BeyondTrust, warned in the Forbes article: “never accept 2FA/MFA notifications unless you have initiated them.” But this assumes the user knows when their credentials have been compromised and can distinguish legitimate authentication attempts from credential stuffing attacks using their stolen credentials.
Password managers centralize credential storage and introduce master password vulnerabilities. Every password manager stores credentials that must be encrypted, decrypted, and transmitted during authentication. These processes create multiple points where credentials can be intercepted or compromised. The master password itself becomes a single point of failure, a credential that, if harvested by infostealer malware, grants access to every stored credential in the vault.
Passkeys eliminate passwords but retain username identifiers. These usernames can still be harvested and used for account enumeration, phishing campaigns, and social engineering attacks. Passkeys also require server-side storage of public keys and user account identifiers, which creates a database that can be targeted for breach. The Forbes investigation revealed that cybercriminals compiled credentials across multiple platforms. Username databases would provide similar aggregation value for attackers.
Monitoring services like Have I Been Pwned perform critical work in alerting users to compromised credentials. However, as Chris Hauk from Pixel Privacy noted in the Forbes article, these services identify compromises after they have occurred. Users discover their credentials are exposed after they have already appeared in databases like the one Fowler discovered, after they have already been sold or traded, and after they have already been used for credential stuffing attacks.
The architectural problem is that every solution still relies on credentials that exist somewhere. If it can be typed, it can be logged. If it is stored, it can be stolen. If it must be transmitted for authentication, it can be intercepted.
Zero-Knowledge Architecture: Eliminating Credentials at the Foundation
50% of breaches start with stolen credentials (IBM Cost of a Data Breach Report). The average cost per breach is $4.81 million. Breaches involving stolen credentials last approximately 292 days undetected (Verizon DBIR). These statistics, combined with the Forbes report of 149 million continuously harvested credentials, confirm that credential-based authentication has failed at an architectural level.
WWPass developed patented technology (USA Patent 8,826,019) that eliminates credentials entirely through zero-knowledge architecture. No usernames. No passwords. No credentials of any kind stored centrally or transmitted during authentication.
The WWPass authentication system stores no authentication credentials on servers or user devices. Instead, authentication relies on cryptographic proof generated through distributed key operations. User identity is verified through cryptographic operations that occur without transmitting or storing any credential that could be harvested by infostealer malware.
The technical implementation uses Reed-Solomon (6,12) dispersion to fragment authentication data across 12 globally distributed data centers. The system requires any 6 out of 12 fragments to reconstruct authentication data, which means a compromised node yields nothing usable. More critically, no single fragment contains credentials or identifying information that infostealer malware could harvest from endpoints, or that could be compiled into databases like the one in the Forbes investigation.
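The 6-of-12 property described above, as an added illustration rather than WWPass's own code. The page names Reed-Solomon (6,12) dispersion but gives no field or construction, so this example uses Shamir's threshold scheme, which is the secret-sharing form of a Reed-Solomon code (the secret is the constant term of a random polynomial, fragments are its values at 12 points); the prime field, the fragment layout and the function names are this example's assumptions. It also shows, via implied_fragment, why an attacker holding five fragments learns nothing: every guessed secret is consistent with what they hold.

```python
import secrets
from typing import List, Tuple

# Field and parameters are this example's assumptions, not WWPass's.
PRIME = 2**127 - 1   # Mersenne prime, so secrets up to 127 bits fit
THRESHOLD = 6        # fragments needed to reconstruct (the "6" in (6,12))
FRAGMENTS = 12       # fragments produced, one per data centre (the "12")

Share = Tuple[int, int]  # (x, y): fragment index and polynomial value at x


def _lagrange_eval(points: List[Share], x: int) -> int:
    """Evaluate, at x, the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split(secret: int, k: int = THRESHOLD, n: int = FRAGMENTS) -> List[Share]:
    """Hide `secret` as the constant term of a random degree-(k-1) polynomial and
    hand out its value at x = 1..n, one fragment per node. No fragment is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x: int) -> int:  # Horner evaluation in the field
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares: List[Share], k: int = THRESHOLD) -> int:
    """Any k distinct fragments recover the secret; fewer than k are refused."""
    if len(shares) < k:
        raise ValueError(f"need {k} fragments, got {len(shares)}")
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate fragment index")
    return _lagrange_eval(shares[:k], 0)


def implied_fragment(partial: List[Share], guessed_secret: int, x: int,
                     k: int = THRESHOLD) -> int:
    """What an attacker holding k-1 fragments would have to see from node x for
    `guessed_secret` to be the real secret. Every guess yields a valid field value,
    so k-1 fragments carry no information about which secret is the real one."""
    if len(partial) != k - 1:
        raise ValueError("this check is for exactly k-1 fragments")
    return _lagrange_eval([(0, guessed_secret)] + partial, x)
```

Two caveats a practitioner should keep in mind: the threshold guarantees secrecy below six fragments, not integrity, so a single corrupted fragment makes reconstruct return a wrong value silently (deployments authenticate fragments or use the redundant ones for error correction); and the split value is normally a key that wraps the data, not the data itself.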
WWPass employs hardware-based authentication with dynamic QR codes that contain only session-specific cryptographic tickets, not static identifiers that can be logged and reused. These QR codes change with every authentication attempt and become invalid after a single use, which eliminates replay attacks and makes credential stuffing architecturally impossible.
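The single-use, session-specific ticket described above, as an added example that is not WWPass's code. The page says only that each QR code carries a session-specific ticket that is invalid after one use; the string layout (random id, expiry, HMAC), the error labels and the in-memory registry are this example's assumptions. The point it demonstrates is the server-side state that makes a captured code worthless: the ticket names no user, a second redemption is refused, an expired one is refused, and an altered expiry fails its MAC.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple


class TicketService:
    """Hypothetical server-side registry for single-use login tickets (assumed design)."""

    def __init__(self, key: bytes, ttl_seconds: int = 60) -> None:
        self._key = key                      # server-held MAC key, never sent to clients
        self._ttl = ttl_seconds
        self._pending: Dict[str, int] = {}   # ticket_id -> expiry (unix seconds)
        self._consumed: Set[str] = set()     # ticket_ids already redeemed

    def _mac(self, ticket_id: str, expiry: int) -> str:
        return hmac.new(self._key, f"{ticket_id}.{expiry}".encode(), hashlib.sha256).hexdigest()

    def issue(self, now: Optional[int] = None) -> str:
        """Mint the string the QR code would carry: a random id, an expiry and a MAC.
        It contains no username or static identifier to log and reuse."""
        now = int(time.time()) if now is None else now
        ticket_id = secrets.token_urlsafe(16)
        expiry = now + self._ttl
        self._pending[ticket_id] = expiry
        return f"{ticket_id}.{expiry}.{self._mac(ticket_id, expiry)}"

    def redeem(self, ticket: str, now: Optional[int] = None) -> Tuple[bool, str]:
        """Accept a ticket exactly once, within its lifetime, with an intact MAC."""
        now = int(time.time()) if now is None else now
        try:
            ticket_id, expiry_s, mac = ticket.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(mac, self._mac(ticket_id, expiry)):
            return False, "bad_signature"      # tampered fields or forged ticket
        if ticket_id in self._consumed:
            return False, "replayed"           # the replay case the page describes
        if ticket_id not in self._pending:
            return False, "unknown"            # never issued, or already expired
        if now > expiry:
            self._pending.pop(ticket_id)
            return False, "expired"
        # Single use: move from pending to consumed before accepting.
        self._pending.pop(ticket_id)
        self._consumed.add(ticket_id)
        return True, "ok"
```

In a real deployment the pending/consumed state lives in a shared store with an atomic check-and-set, so two concurrent redemptions of the same ticket cannot both succeed; the consumed set also needs pruning once its tickets are well past expiry.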
The zero-knowledge architecture means that even WWPass administrators cannot access user authentication data. There is no master password to compromise, no credential database to breach, and no stored authentication data to harvest. By design, WWPass users are anonymous to WWPass. Authentication data comes from service providers in encrypted form with keys unknown to WWPass and returns intact without WWPass ever possessing the ability to decrypt or access the data.
This architecture directly addresses the scenarios in the Forbes investigation. Infostealer malware running on a user device would find no credentials to log because WWPass authentication does not use credentials that can be typed or stored. Cybercriminals attempting to compile credential databases would find no WWPass credentials to aggregate because WWPass authentication generates cryptographic proofs rather than transmitting static identifiers. Credential stuffing attacks would fail because WWPass creates unique, service-specific identifiers through Protected User Identifier (PUID) technology that cannot be reused across different applications.
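The service-specific identifier property claimed above, as an added example that is not WWPass's PUID implementation. The page states that a PUID is unique per service and cannot be reused across applications but does not say how it is derived; deriving it as HMAC-SHA256 over the service name, keyed by a secret that only the user's authenticator holds (the same idea as pairwise subject identifiers in OpenID Connect), is this example's assumption, as are the service names and function names. The example shows the consequence for credential stuffing: identifiers harvested from one service resolve to no account at another.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def derive_puid(user_root_secret: bytes, service_id: str) -> str:
    """Assumed derivation: a per-service pseudonym that cannot be inverted to the
    root secret, and cannot be recomputed for another service without that secret."""
    return hmac.new(user_root_secret, service_id.encode("utf-8"), hashlib.sha256).hexdigest()


class Service:
    """A relying party that knows a user only by the PUID presented at enrolment."""

    def __init__(self, service_id: str) -> None:
        self.service_id = service_id
        self.accounts: Dict[str, str] = {}  # puid -> whatever the service stores

    def enrol(self, puid: str, label: str) -> None:
        self.accounts[puid] = label

    def lookup(self, puid: str) -> Optional[str]:
        return self.accounts.get(puid)


def replay_hits(leaked_puids: Iterable[str], target: Service) -> int:
    """How many identifiers harvested from one service resolve to an account at
    another. With pairwise identifiers the answer is 0 by construction."""
    return sum(1 for p in leaked_puids if target.lookup(p) is not None)


def demo() -> int:
    # Constructed sample data: one user, two unrelated services.
    alice = b"constructed-root-secret-held-only-by-alice-device"
    mail = Service("mail.example")
    bank = Service("bank.example")
    mail.enrol(derive_puid(alice, mail.service_id), "alice@mail")
    bank.enrol(derive_puid(alice, bank.service_id), "account-0001")
    # An attacker obtains everything mail.example stored and tries it at the bank.
    leaked = list(mail.accounts)
    return replay_hits(leaked, bank)
```

The identifier stored by each service is also unlinkable to the others without the root secret, so aggregating several services' tables, the pattern the Forbes investigation describes for usernames, does not produce a per-person profile.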
The Enterprise Cost of Continuing with Credential-Based Authentication
Healthcare organizations face an average breach cost of $10.93 million. Financial services breaches average $5.90 million. These industries cannot afford authentication architectures that assume credential compromise as a background condition.
Regulatory frameworks increasingly require authentication methods that eliminate credential storage. NIST Special Publication 800-63 establishes authentication assurance levels, with AAL3 requiring cryptographic hardware devices and prohibiting knowledge-based authentication factors that can be harvested. GDPR and HIPAA compliance requirements demand data protection that extends to authentication credentials, which means organizations storing usernames and passwords face regulatory exposure even if they implement encryption and access controls.
The Forbes report confirms that Fowler’s database grew continuously for over a month while he attempted to have it shut down. During that month, how many credentials were harvested from enterprise authentication systems? How many of those credentials have already been used for unauthorized access that has not yet been detected? Breaches with stolen credentials last an average of 292 days undetected, which means organizations are currently experiencing unauthorized access using credentials that were harvested months ago and will not discover the compromise until late 2026 or 2027.
Password reset costs alone exceed $1 million per year in helpdesk time for large enterprises. These resets do not prevent credential harvesting. They simply force users to create new credentials that infostealer malware will harvest again.
Organizations deploying “passwordless” solutions that retain username identifiers are building on compromised foundations. The Forbes investigation proves that usernames are valuable targets for credential databases. Username enumeration enables account takeover attacks, phishing campaigns, and social engineering that bypasses password security entirely.
The market has moved beyond securing credentials to eliminating them. Healthcare and financial services organizations are leading adoption of zero-knowledge authentication because they understand that credential-based systems cannot be secured, only compromised at different rates.
What the Forbes Investigation Demands from Enterprise Authentication
The Forbes report should fundamentally change how organizations evaluate authentication architecture. This is not about better password hygiene, stronger MFA, or faster breach response. This is about recognizing that credentials themselves have become the vulnerability.
Fowler’s database proves that credential harvesting is continuous, global, and accelerating. The security industry’s response has been to add layers of protection around credentials rather than questioning why credentials must exist. But as the investigation confirms, every protective layer can be bypassed because the underlying credentials remain available to harvest.
Organizations must ask why their authentication architecture still relies on credentials that can be harvested, credentials that will appear in the next database leak that Fowler or another researcher discovers, credentials that are currently being used for unauthorized access that will not be detected for 292 days.
Zero-knowledge authentication eliminates these questions by eliminating credentials. When no credentials exist to harvest, infostealer malware captures nothing. When no credential database can be compiled, cybercriminals have nothing to sell. When authentication relies on cryptographic proof rather than static identifiers, credential stuffing becomes architecturally impossible.
The Forbes investigation by Davey Winder and the research by Jeremiah Fowler have provided definitive evidence that credential compromise is now a background condition of the internet. The only remaining question is whether organizations will continue securing credentials or will eliminate them entirely.