I seem to have spent a disproportionate amount of my time recently investigating, analyzing and reporting on stolen credentials. At one end of the scale, there was the discovery of 19 billion compromised passwords published to dark web forums, at the other the ridiculously low cost of buying them available to cybercriminals. It’s not all been bad news, though, as I reported May 22, one of the biggest culprits in the password infostealer industry, and that’s most certainly what it is, Lumma Stealer, has just been hit by a global takedown operation headed up by Microsoft’s digital crimes unit. But just as I was on something of a high, I’ve come crashing down to earth with the discovery of, wait for it, 184,162,718 credentials, including passwords and login data, available to anyone online. Yep, a whopping great database packed full of plaintext passwords, email addresses, and usernames all sitting there unprotected, in plaintext, for anyone to use. And it gets even worse when you realize that the likes of Apple, Facebook, Instagram, Roblox and Snapchat credentials were included. Here’s what you need to know.
Unprotected Database Of 184 Million Stolen Passwords And Login Credentials Found Online
It’s one thing to find databases of stolen credentials on the dark web, or within the many criminal marketplaces and forums that exist on the surface web, but an unprotected, publicly exposed, 47.42 GB database containing 84,162,718 unique logins and passwords just sitting there on a web hosting platform is something else. Yet here we are, that happened.
The purpose of the database is as yet unknown, the hosting platform has not released information regarding the owner, but the security researcher who disclosed the shocking discovery said that the records “exhibit multiple signs that the exposed data was harvested by some type of infostealer malware.”
Renowned cybersecurity researcher, Jeremiah Fowler, who both discovered the public credentials database and authored the published the May 22 report, said that as well as login and password credentials for the platforms already mentioned, he observed “credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk.” Fowler sent a disclosure notice to the hosting provider, and I can report that the database, while not taken down, has now had its public access rescinded.
Be in no doubt, this is a very significant leak of sensitive credentials. I have approached Apple, Meta, Roblox and Snapchat for a statement regarding the discovery of these plaintext passwords and advice for their users as a result. In the meantime, if you use the same passwords across multiple services, I recommend you change them to unique ones as a matter of some urgency.
