I seem to have spent a disproportionate amount of my time recently investigating, analyzing and reporting on stolen credentials.
But just as I was on something of a high, I’ve come crashing down to earth with the discovery of, wait for it, 184,162,718 credentials, including passwords and login data, available to anyone online.
Yep, a whopping great database packed full of plaintext passwords, email addresses, and usernames all sitting there unprotected, in plaintext, for anyone to use.
And it gets even worse when you realize that the likes of Apple, Facebook, Instagram, Roblox and Snapchat credentials were included.
I have approached Apple, Meta, Roblox and Snapchat for a statement regarding the discovery of these plaintext passwords and advice for their users as a result.
It appears that I have devoted an excessive amount of my time lately to looking into, evaluating, and reporting on credentials that have been stolen. The discovery of 19 billion compromised passwords posted to dark web forums was at one extreme of the spectrum, while cybercriminals could purchase them for absurdly low prices. But there is some good news as well. On May 22, I reported that Lumma Stealer, one of the largest offenders in the password infostealer industry—which is exactly what it is—had recently been the target of a global takedown operation led by Microsoft’s digital crimes unit. However, I was just getting off the ground when I discovered that, wait for it, 184,162,718 credentials—passwords and login information—were accessible to anybody on the internet. Indeed, there is a massive database full of unprotected, plaintext usernames, email addresses, and passwords that are available for anyone to use. Even worse is the fact that credentials from companies like Apple, Facebook, Instagram, Roblox, and Snapchat were included. Here’s what you should know.
ForbesChrome Password Update for 3 Billion Google Browser Users.
184 million stolen passwords and login credentials were discovered in an unprotected database on the internet.
Finding databases of stolen credentials on the dark web or in the numerous illegal marketplaces and forums on the surface web is one thing, but discovering a 47.42 GB database with 84,162,718 unique logins and passwords sitting on a web hosting platform without any security measures is quite another. Still, that occurred, and here we are.
Although the hosting platform has not made information about the database’s owner public, the security researcher who made the startling discovery claimed that the records “exhibit multiple signs that the exposed data was harvested by some type of infostealer malware.” The database’s purpose is still unknown. “.”.
Along with login and password credentials for the platforms already mentioned, renowned cybersecurity researcher Jeremiah Fowler, who also found the public credentials database and wrote the report that was published on May 22, noted that he had “credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk.”. I can report that the database has had its public access revoked, even though it hasn’t been removed, after Fowler sent a disclosure notice to the hosting company.
This is unquestionably a huge breach of private credentials. In response to the discovery of these plaintext passwords, I have asked Apple, Meta, Roblox, and Snapchat to issue statements and offer guidance to their users. In the interim, I advise you to quickly switch to unique passwords if you use the same ones for several services.
