A cybersecurity researcher has uncovered a mysterious, publicly accessible database containing millions of login credentials from services including Facebook, Apple, and Microsoft.
The publicly exposed database was not password-protected or encrypted, and contained more than 184 million unique logins and passwords, adding up to 47.42GB of raw credential data.
The data included emails, usernames, passwords, and the URL links to the login or authorization for the accounts.
“The database contained login and password credentials for a wide range of services, applications, and accounts, including email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox, and many more,” said cybersecurity researcher Jeremiah Fowler.
“I also saw credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk.”
The origin of the database is something of a mystery. The IP address linked the database to two domain names. One was parked and unavailable while the other was apparently unregistered and available to purchase.
Fowler contacted the hosting provider, which took the database down, but didn’t reveal the customer’s identity. One hint may be the fact that, while most text was in English, the files were listed as ‘senha’ – Portuguese for password.
He also messaged multiple email addresses listed in the database and was able to validate several records, with the victims confirming that they contained their accurate and valid passwords.
It’s not known how long the database was exposed. However, Fowler said there are clear signs that the exposed data has been harvested by some type of infostealer malware.
“It is not known exactly how this specific data was collected, but cybercriminals use a range of methods to deploy infostealers,” said Fowler.
“For instance, they often conceal malware within phishing emails, malicious websites, or cracked software. Once the infostealer is active, the stolen data is often either circulated on dark web marketplaces and Telegram channels or used directly to commit fraud, attempt identity theft, or launch further cyber attacks.”
Fowler advises users to change passwords and to delete sensitive documents, such as tax forms, medical records, contracts, and passwords from their emails. They should only share data like this through encrypted cloud storage systems, rather than email, he said.
“Databases like this are regularly bought, sold, and repackaged on dark web forums like BreachForums. Massive credential dumps are part of an ongoing black market where breached data is commoditized and often aggregated from multiple incidents over time,” commented Cory Michal, chief security officer at AppOmni.
“What’s new isn’t the existence of the data, but the scale, the recency of some credentials, and the targeting of identity providers that are widely used to access SaaS and cloud services — making this breach especially potent for enabling downstream account takeovers.”
