Last week, cybersecurity researcher Jeremiah Fowler announced the discovery of a non-password-protected database containing over 184 million login credentials and passwords. The database contained more than 47.42 GB of raw credential data. Fowler said in his “limited sampling,” he saw thousands of files that included emails, usernames, passwords, and URL links.
The database was also reported to have contained login and password credentials for a wide range of websites, services, and applications, including social media platforms, Microsoft products, Apple, Google, and PayPal, among numerous others. It also included account details for the Australian Department of Home Affairs’ visa and citizenship application platform, ImmiAccount.
It is unknown whether any account details related to U.S. government agencies or departments were also among the records in the database. However, Fowler noted that bank and government portals from “numerous countries” were among the credentials he had identified.
Database on Two Domains
The cybersecurity researcher was able to track the database via its IP address to two domain names, one of which he described as being “parked and not available,” while the other appears to be unregistered and available for purchase. After the hosting provider was notified of the database, it was restricted from public access.
“The hosting provider would not disclose their customer’s information, so it is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes and subsequently exposed due to oversight. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it,” Fowler explained in a post on WebsitePlanet.com.
He further explained that the data was “harvested by some type of infostealer malware,” which he described as malicious software explicitly designed to extract sensitive information from an infected system. Who carried out the harvest, and for what purpose, is not known at this point.
“Little seems known about the identity of the malicious agent,” warned Dr. Jim Purtilo, associate professor of computer science at the University of Maryland.
Purtilo told ClearanceJobs that the records were likely a combination of various types of user data.
“Most of it was probably taken from infected client machines one browser session at a time, and that is why it is a wide mix,” he added.
Are Major Breaches Coming?
It is unclear whether the data, in some form, is still circulating; if it is, it could be used to break into other networks and systems.
“What’s most noteworthy is how this breach highlights the immense value of centralized identity platforms like Google, Okta, Apple, and Meta to attackers. With over 184 million records exposed, threat actors can now launch widespread account takeover attempts across countless SaaS applications and cloud services that rely on these providers for authentication,” Cory Michal, chief security officer at cybersecurity provider AppOmni, told ClearanceJobs via email.
Michal said that the discovery of such a database isn’t remotely surprising. He added that databases like this are regularly bought, sold, and repackaged on dark web forums, such as BreachForums.
“Massive credential dumps are part of an ongoing black market where breached data is commoditized and often aggregated from multiple incidents over time,” Michal explained. “What’s new isn’t the existence of the data, but the scale, the recency of some credentials, and the targeting of identity providers that are widely used to access SaaS and cloud services—making this breach especially potent for enabling downstream account takeovers.”
This breach also highlights a larger issue: the significant reliance on online platforms and SaaS products for our personal and professional lives.
“Yet our digital identities are still largely protected by outdated, vulnerable methods like usernames, passwords, and easily phishable MFA methods,” Michal noted. “As long as these remain the primary means of access, attackers will continue to exploit them at scale with infostealer malware and phishing. This highlights the urgent need for adoption of stronger, phishing-resistant authentication methods, continuous identity monitoring, and a shift toward identity-centric security models.”
Will the Cloud Make It Worse?
Because data is now routinely stored in the cloud, it might seem that such harvesting is easier to carry out.
However, “The cloud angle only comes in since this was where the compiled data happened to be discovered,” added Purtilo. “Perhaps it was where the malware saved data it found, or alternately, a copy of the compiled data was left open to suit the agent’s illicit business needs. While fanciful speculation, potentially these are data hacked by one agent that in turn were hacked, and left open, by another malicious agent.”
Moreover, this reinforces the need for organizations to adopt an identity-centric security posture and monitor for malicious activity even when logins appear legitimate, whether on the cloud or not.
“In today’s SaaS driven environments, users and systems authenticate from anywhere, often using federated identity providers like Apple, Google, and Meta. This makes identity a primary control point for security,” said Michal.
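The monitoring recommended above, watching for malicious activity even when a login succeeds with valid credentials, can be illustrated with a small detector run over authentication logs. The following is an added example written for this page; it is not code from ClearanceJobs, AppOmni, or any other party quoted here. The JSON log format, field names (ts, user, src_ip, result), the ten-minute window, and the five-distinct-users threshold are all assumptions, and the log lines are constructed, not real data. It flags a source IP that tries many different usernames in a short window (the pattern a dumped credential list produces when replayed) and then reports any successful login from that source, which is exactly the “legitimate-looking” login a failure-only alert would miss.

```python
"""
Credential-stuffing and account-takeover detection over auth logs.
Added example for this article; not code from the article or any vendor
quoted in it. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample log (one JSON object per line); not real data.
# 203.0.113.7 tries five different accounts and then succeeds as "alice".
# 198.51.100.9 is an ordinary user mistyping a password once.
SAMPLE_LOG = """
{"ts": "2025-05-26T10:00:01Z", "user": "alice", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2025-05-26T10:00:02Z", "user": "bob", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2025-05-26T10:00:03Z", "user": "carol", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2025-05-26T10:00:04Z", "user": "dave", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2025-05-26T10:00:05Z", "user": "erin", "src_ip": "203.0.113.7", "result": "fail"}
{"ts": "2025-05-26T10:00:06Z", "user": "alice", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2025-05-26T10:05:00Z", "user": "frank", "src_ip": "198.51.100.9", "result": "success"}
{"ts": "2025-05-26T10:05:30Z", "user": "frank", "src_ip": "198.51.100.9", "result": "fail"}
{"ts": "2025-05-26T10:05:40Z", "user": "frank", "src_ip": "198.51.100.9", "result": "success"}
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window per source IP
MIN_DISTINCT_USERS = 5           # assumed threshold for "many accounts from one IP"


def parse_log(text):
    """Parse JSON-per-line auth events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {src_ip: distinct_user_count} for IPs that attempted at least
    `min_users` different usernames (success or failure) within `window`."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src_ip"]].append(event)   # preserves time order

    flagged = {}
    for ip, ip_events in by_ip.items():
        for i, start in enumerate(ip_events):
            users = set()
            for event in ip_events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                users.add(event["user"])
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def find_suspicious_successes(events, stuffing_ips):
    """Successful logins from an IP already flagged for stuffing. The
    credentials are valid, so the login itself looks legitimate; the source
    behaviour is what gives it away."""
    return [
        (event["user"], event["src_ip"], event["ts"].isoformat())
        for event in events
        if event["result"] == "success" and event["src_ip"] in stuffing_ips
    ]


def analyze(text):
    """Run both detections and return the findings as plain data."""
    events = parse_log(text)
    stuffing = find_stuffing_sources(events)
    return {
        "stuffing_sources": stuffing,
        "suspicious_successes": find_suspicious_successes(events, stuffing),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run as-is, the script flags 203.0.113.7 (five distinct usernames in six seconds) and reports the successful “alice” login from that address, while frank’s one failed attempt from 198.51.100.9 is ignored. In production the thresholds would be tuned per environment, and the source key would typically be enriched with ASN or geolocation rather than a bare IP, since stuffing campaigns are usually spread across many addresses.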
“Though the volume of data here is quite large, this kind of activity goes on daily,” Purtilo continued. “I concur with the safety tips shared in that article: cloud or not, protect yourself with strong and unique passwords that are regularly changed, MFA, and application of regular updates to your system and malware protections.”