Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet a non-password-protected database that contained 184 million login and password credentials.
The publicly exposed database was not password-protected or encrypted. It contained 184,162,718 unique logins and passwords, totaling a massive 47.42 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts. The database contained login and password credentials for a wide range of services, applications, and accounts, including email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox, and many more. I also saw credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk.
The IP address indicated that the database was connected to two domain names. One domain is parked and not available while the other appears to be unregistered and available to purchase. The Whois registration is private, and there seemed to be no verifiable method to identify the real owner of the database containing potentially illegal data. So, I immediately sent a responsible disclosure notice to the hosting provider, and the database was restricted from public access soon after.
The hosting provider would not disclose their customer’s information, so it is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes and subsequently exposed due to oversight. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it.
The records exhibit multiple signs that the exposed data was harvested by some type of infostealer malware. An infostealer is a type of malicious software designed specifically to harvest sensitive information from an infected system. This malware usually targets credentials (like usernames and passwords) stored in web browsers, email clients, and messaging apps. Some variants of the malware can also steal autofill data, cookies, and crypto wallet information — some can even capture screenshots or log keystrokes.
It is not known exactly how this specific data was collected, but cybercriminals use a range of methods to deploy infostealers. For instance, they often conceal malware within phishing emails, malicious websites, or cracked software. Once the infostealer is active, the stolen data is often either circulated on dark web marketplaces and Telegram channels or used directly to commit fraud, attempt identity theft, or launch further cyber-attacks.
This collage of screenshots shows how the logins and passwords appear to have been collected and stored inside the database. These include entries referencing Facebook, Roblox, Google, NHS, Live, Microsoft, Discord, and Snapchat. Interestingly, the files were listed as “senha” (which is Portuguese for password) while all other text was in English.
This screenshot shows a list view of how the accounts were organized inside the database.
This collage of screenshots shows potentially compromised accounts with .gov credentials. These samples show entries referencing Australia, Iran, India, Romania, and Brazil.
To confirm the authenticity of the data, I messaged multiple email addresses listed in the database and explained that I was investigating a data exposure that may have involved their information. I was able to validate several records as these individuals confirmed that the records contained their accurate and valid passwords.
Many people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are. This could create serious security and privacy risks if criminals were to gain access to thousands or even millions of email accounts.
From a cybersecurity perspective, I highly recommend knowing what sensitive information is stored in your email account and regularly deleting old, sensitive emails that contain PII, financial documents or any other important files. If sensitive files must be shared, I recommend using an encrypted cloud storage solution instead of an email.
The Potential Risks of This Type of Data Exposure
Knowing the login and passwords of millions of accounts is a dream come true for cyber criminals — they probably have a long list of how exposed credentials and emails could be exploited. I will not go too deep here on all of them, but these are the most common and highly successful methods that cyber criminals use for this type of data:
Credential Stuffing Attacks: Many people still use the same passwords on multiple accounts and services. It is very easy for cybercriminals to use automated scripts to try these email and password combinations across hundreds or thousands of websites and services. If even one account is still active and they gain unauthorized access, it could create serious security risks and open the door to a wide range of potential attacks, depending on the account in question.
Account Takeovers (ATOs): Gaining control over accounts is relatively easy when only a login and password are needed. Accounts without 2FA are most at risk of a full account takeover. Once criminals have taken over the account, they have access to all the PII and other information that may be in the account. This could lead to identity theft, financial fraud, or social engineering scams targeting friends, family, business partners, or contacts using the victim’s account.
Corporate Espionage: In this breach, I saw numerous business credentials included in the records. These could give attackers an opportunity to gain access to a company’s internal network to steal critical business data, perform espionage, or even launch ransomware attacks.
State and Government: I saw numerous .gov accounts from countries around the world. These could pose a serious risk if any of those compromised accounts had security clearance to sensitive areas of state networks or data.
Phishing and Social Engineering: Even if the password to a certain account is old and no longer valid, knowing the email and a past password can make phishing attacks more convincing. Emails received from a trusted contact could increase the risk of a successful social engineering attempt. Years’ worth of emails could provide a wealth of inside knowledge that could be used to launch a targeted phishing campaign against the email account owner.
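As an added defensive illustration (not part of the original report), the credential-stuffing pattern described above leaves a recognizable trace in authentication logs: one source address trying many different accounts within a short window, with mostly failed attempts. The log format, the sample lines, and the thresholds below are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not data from the report). One source
# sprays five different accounts within seconds; the other is one user who
# mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
2025-05-20T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2025-05-20T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2025-05-20T10:00:02Z src=203.0.113.7 user=carol@example.com result=OK
2025-05-20T10:00:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2025-05-20T10:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2025-05-20T10:03:10Z src=198.51.100.9 user=alice@example.com result=FAIL
2025-05-20T10:03:40Z src=198.51.100.9 user=alice@example.com result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<r>OK|FAIL)$")

def parse(log_text):
    """Return (timestamp, source_ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["r"] == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success=0.5):
    """Flag sources that hit many distinct accounts inside one time window: stuffing
    replays leaked email/password pairs, so it looks like one source, many users,
    mostly failures. Returns {src: {"users": n, "attempts": a, "successes": s}}."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if best is None or len(users) > best["users"]:
                best = {"users": len(users), "attempts": len(span),
                        "successes": sum(ok for _, _, ok in span)}
        if best["users"] >= min_users and best["successes"] / best["attempts"] <= max_success:
            flagged[src] = best
    return flagged
```

The success-rate ceiling keeps a busy but legitimate shared gateway (many users, mostly successful logins) from being flagged alongside a spraying source.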
How Users Can Protect Themselves
Given the scale, global reach, and potentially illegal nature of this breach, it serves as a strong reminder to review your own personal password and security measures to ensure your accounts are safe. There is no silver bullet or one-size-fits-all approach, but there are a few basic, common-sense steps you can take to protect accounts from unauthorized access. Here are the basic steps that I would recommend:
Change Your Passwords Annually: Many people have only one email, and it is often connected to financial accounts, social media, applications, and more. The risks increase if the exposed email credentials are connected to critical work- or business-related systems. Changing passwords can help protect the account if the old password has been exposed in a known or unknown data breach.
Use Unique and Hard-to-Guess Passwords for Every Account: Everyone has been guilty of this at some point, but as a general rule you should never reuse passwords. Reusing a password could allow criminals to compromise multiple accounts and create far more damage.
Activate Two-Factor Authentication (2FA): Most accounts offer this crucial extra layer of security, and it should absolutely be enabled for sensitive accounts. Yes — it adds extra steps to the login process, but we must accept that this is the price we pay for security. If 2FA is enabled, then criminals cannot use a password alone to bypass the authorization process.
Check if Your Credentials Have Been Exposed: There are numerous services (like Have I Been Pwned) to see if your email appears in any known breaches. Even if these services do not identify an exposure, it doesn’t mean that the account has not potentially been compromised. This is why it is still a good idea to change passwords occasionally — to take proactive measures.
Monitor Your Accounts: Some accounts provide login notifications, suspicious activity alerts, or the ability to see login geolocations. If the account offers these features, it can help identify unauthorized access or attempts to reset passwords.
Consider Using Password Managers: In my opinion, using a password manager has its pros and cons. On one hand, they are very good at generating and storing unique, complex passwords for a large number of accounts. On the other hand, the primary risk of using a password manager is that, should the master password get into the wrong hands, they would theoretically gain access to all your accounts at once. Although it is not common, there have been instances where the provider of the password management service itself is compromised. The LastPass data breach in 2022 is a prime example of a worst-case scenario where cybercriminals copied a cloud-based backup of the customer vault.
Invest in a Good Antivirus: Antivirus software can help detect and remove infostealer malware and spyware if they are known threats included in its virus database. The detection rate can be higher if the antivirus uses both signature-based and behavior-based detection. However, the bad news is that modified malware and new unknown variants can evade detection using obfuscation and other methods. So, the best thing we can do is regularly conduct a full system scan with reputable antivirus software and make sure that the software is always updated to the latest version. For more advanced users, my recommendation is to use Endpoint Detection & Response (EDR) solutions to identify unusual system behavior, unknown processes, or unexpected network traffic.
While doing research for this report, I found that possessing or distributing potentially stolen personal data may constitute a criminal offence. Most emails contain partial or full names of users and, when combined with usernames and passwords, could arguably be considered personally identifiable information (PII). As an ethical researcher I never save data or test exposed credentials.
Many countries have cybercrime and privacy laws, though enforcement standards and definitions vary, resulting in a patchwork of legal frameworks governing what constitutes illegal activity. In the U.S., laws such as the Computer Fraud and Abuse Act (CFAA) make it illegal to traffic in stolen login credentials (18 U.S. Code § 1029 – Fraud and related activity in connection with access devices). In the EU, the General Data Protection Regulation (GDPR) treats the possession and processing of stolen personal data as a serious violation of data protection law.
I imply no wrongdoing by the hosting or IP provider, and/or its employees, agents, contractors, affiliates, and/or related entities. I do not claim that any internal or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures.
As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification and documentation purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings solely to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively implement measures to safeguard sensitive information against unauthorized access.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.