More than 184 million passwords may have been compromised in a massive data leak affecting everything from social media logins to bank accounts, according to a new report published by cybersecurity researcher Jeremiah Fowler. Ironically, the database containing the leaked passwords was itself non-password-protected, according to Website Planet.
Fowler says he uncovered the publicly accessible and unencrypted database, which contains 184,162,718 unique logins and passwords to popular websites and apps. As spotted by our colleagues at ZDNet, the exposed logins and passwords are reportedly tied to email providers like Google, a range of Microsoft products, as well as social media platforms like Facebook, Instagram, and Snapchat. Credentials for other applications and services, such as Roblox, were also found in the database. Furthermore, according to Fowler, sensitive information from bank accounts, health services, and even government portals was stored in the database, which is no longer online.
Because Mashable has not been able to review or independently confirm that the database contained leaked data, we reached out to some of the companies implicated in the report. A Snapchat representative said it has not found any evidence of a data breach or vulnerability on their platform. We’ll update this article if we hear back from any other companies.
While it’s not yet clear exactly how the sensitive data in the database may have been stolen, the fact that platforms like Snapchat have not found any vulnerabilities in their network makes sense considering Fowler’s assessment of the situation.
According to Fowler, the database showed signs that it was compiled with data from an infostealer malware. Fowler describes infostealer as a type of “malicious software designed specifically to harvest sensitive information from an infected system.” This means that the more than 184 million passwords were likely stolen directly from the affected users themselves.
Infostealer malware can scrape user data stored in web browsers, including autofill data and cookies. Data stored in emails, including drafts and documents, as well as messaging apps, can also be harvested by simply tricking the targeted user into downloading the malware.
These sorts of data breaches have become increasingly common in recent years. For example, Mashable previously reported on the RockYou2024 leak, which is regarded as the biggest password leak ever. In July of last year, a malicious user shared this compilation of nearly 10 billion credentials on hacker forums. These large data breaches provide bad actors with a dangerous tool to carry out automated brute force attacks.
Mashable will update this post with any new information about the leak.
