Thursday, May 22, 2025

Security Nightmare: Researcher Finds Trove of 184M Exposed Logins for Google, Apple, More

Keeping our information private as we participate in the digital world is one of the hardest problems of the internet age, and we got another unsettling example this week after cybersecurity researcher Jeremiah Fowler discovered an online database containing millions of usernames and passwords for well-known companies.

Fowler uncovered 184,162,718 unique logins and passwords (an enormous 47.42GB of raw data) for Apple, Discord, Facebook, Google, Instagram, Microsoft, Roblox, Snapchat, Spotify, WordPress, Yahoo, and a variety of other online services and email providers, Wired reports.

Some of the most concerning data includes “bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk,” he writes in a blog post.

“This breach is a far bigger risk than most that I have discovered,” Fowler tells us. “I would say this is one of the most dangerous discoveries I have found in a very long time. It is not the first time I have seen the bad guys have a data breach, it’s just at a massive scale.”

Usually, databases belong to a specific company or developer, with data limited to the personal information of customers or employees or a firm’s source code. But in this one database, Fowler found “millions of accounts spread across hundreds of thousands of services.”

Screenshots from the database show a list of potentially compromised accounts with .Gov credentials from Australia, Iran, India, Romania, and Brazil. (Credit: Jeremiah Fowler)

To confirm the data was legitimate, Fowler sent messages to multiple email addresses listed in the database. The recipients responded and confirmed the records are valid.

The database is no longer public after Fowler traced the IP address back to two domain names. One was not available and the other appeared to be unregistered and available to purchase.

He found the data on May 6, and “notified the hosting provider the following day to try and get the database removed,” he says. The hosting provider restricted the database from public access soon after.

As a cybersecurity researcher and the co-founder of Security Discovery, Fowler’s job is to look for exposed data. His methods vary, but one he shared with us is the use of Internet of Things (IoT) search engines, which are more specialized and sophisticated ways to search for information online. “When I saw the name of the header [for this database was] ‘logins’ I conducted a manual review and was shocked at what I saw and just the diversity of the logins,” he says.

Screenshots from the database showing entries from Facebook, Roblox, Google, NHS, Live, Microsoft, Discord, and Snapchat. (Credit: Jeremiah Fowler)

There are still many unanswered questions about this nefarious trove, including who compiled it and why. The files were listed as “senha,” which is Portuguese for password, while all other text was in English. Fowler was not able to see access logs to know how frequently the database was visited, but says it’s “safe to say it was most likely accessed and extracted.”

Based on several hallmark signs in the database, Fowler suspects someone compiled the database through infostealer malware. Cybercriminals deploy infostealers through phishing emails, malicious websites, and cracked software. They are designed to harvest data from the systems they infect, and usually target credentials like usernames and passwords stored in web browsers, email clients, and messaging apps.

“Some can even capture screenshots or log keystrokes,” Fowler says. “Once the infostealer is active, the stolen data is often either circulated on dark web marketplaces and Telegram channels or used directly to commit fraud, attempt identity theft, or launch further cyberattacks.”

Screenshots from the database showing how accounts were organized. (Credit: Jeremiah Fowler)

(But wait, doesn’t Fowler have the data? Not necessarily. He describes himself as an “ethical security researcher” who does not download the data he discovers. He only takes screenshots for verification and documentation.)

Fowler’s advice for those hoping to stay out of these types of data breaches is to stop storing sensitive information in your email. “Many people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are,” he says.

About Emily Forlini

Senior Reporter
