.png)
Summary
- A massive database containing 184 million login credentials from major services like Microsoft, Apple, and social media platforms was found publicly exposed.
- The exposed data includes sensitive information across a wide range of services, including major email providers, social media platforms, financial accounts, and health services.
- Although the hosting provider restricted access to the database after it was reported, the owner remains unknown
You could have what's referred to as the strongest password in the entire world, and it'd still be absolutely useless if it ends up in a massive database. Unfortunately, a cybersecurity researcher recently discovered a publicly exposed database that wasn’t encrypted or protected by a password.
The worst part? It contains details from some of the biggest services and applications, meaning your information could very well be lurking in there.
Related
10 fairytales about password security that are pretty grim
Do you still believe these myths about password security?
The database is no longer publicly available, but the owner is still unknown
Jeremiah Fowler, a cybersecurity reporter at Website Planet, discovered a database containing 184,162,718 unique login and password credentials, totaling 47.42 GB of raw data. Fowler got his hands on a limited sample of the data, where he found thousands of files that included emails, usernames, and passwords for a wide range of services, including major email providers, Microsoft products, Apple accounts, and social accounts you use every day like Facebook, Instagram, Snapchat, and more. Children’s gaming sites weren’t spared either, as the database also included Roblox account details.
Fowler mentioned he also saw credentials for bank and financial accounts, health platforms, and even government portals from numerous countries. He verified the authenticity of the leaked data by emailing some of the addresses included in the database, informing them he was investigating a data leak that might include their credentials. The individuals confirmed that the records indeed matched their actual passwords.
Unfortunately, he wasn’t able to identify the owner tied to the database. Though the IP address linked to the database was connected to two domain names, one was unavailable and the other showed as unregistered and ready for purchase. Fowler took immediate action and notified the hosting provider, who soon restricted public access to the database. However, the hosting provider refused to disclose the database owner’s information.
This means it’s still unknown whether the database was created for purely criminal activity or research purposes. It’s also unclear how long the database was publicly accessible before Fowler discovered it. He added that the records exhibited multiple signs that the data was harvested by a type of infostealer malware, which is a software designed specifically to collect sensitive information from infected systems.
Given that this breach wasn’t limited to a single service and seems to have affected users globally, take this as a serious reminder to regularly change your passwords (and create strong ones), enable security measures like two-factor authentication, and subscribe to a reliable antivirus.
English (US) ·