In one of the largest data breaches of all time, cybersecurity researcher Jeremiah Fowler discovered an online database containing 184 million unique account credentials. The database wasn’t even password-protected and contained usernames and passwords for several websites like Microsoft, Apple, Google, Snapchat, Facebook, and Instagram. To make things worse, it even had credentials for financial accounts, health platforms, and government portals.

Fowler analyzed 10,000 records from the database, spanning user accounts across Facebook (479), Instagram (240), Google (475), Roblox (227), and Discord (209). Fowler’s keyword search showed 187 instances of the word “bank.”

The sample even contained 220 email addresses with .gov domains linked to at least 29 countries, including the US, the UK, Canada, and Australia, sparking fears of espionage and other national security implications.

Researcher Discovers Massive Data Breach of Login Credentials

Fowler verified the authenticity of the data by contacting several of the leaked email accounts. He was able to validate several accounts, whose owners confirmed that the breached database indeed contained their actual login credentials.

“This is probably one of the weirdest ones I’ve found in many years,” said Fowler. Highlighting the gravity of the situation, he added, “As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.”

Because the identity of the entity that stored the data wasn’t disclosed by the hosting provider, Fowler wasn’t able to determine whether the database was used for criminal activity or for legitimate research purposes and was exposed through a possible oversight. We also don’t know how long the data was exposed and whether anyone apart from Fowler was able to access it.

The Data Breach Looks Like the Handiwork of a Cybercriminal

Fowler made it clear that these credentials were almost certainly stolen by a cybercriminal, and said, “It’s the only thing that makes sense, because I can’t think of any other way you would get that many logins and passwords from so many services all around the world.”

Fowler was also able to guess how the information was stolen, saying, “The records exhibit multiple signs that the exposed data was harvested by some type of infostealer malware.” Infostealers are a common kind of malicious software designed to extract information from an infected system.

He reported the data to World Host Group, the associated hosting company, which promptly took down the data. In his statement to WIRED, Seb de Lemos, CEO of World Host Group, said, “It appears a fraudulent user signed up and uploaded illegal content to their server.” He added, “The system has since been shut down. Our legal team is reviewing any information we have that might be relevant for law enforcement.”

How To Keep Yourself Safe from Data Breaches

Data breaches are a growing menace as cybercriminals are getting smarter by the day. Users must follow some basic hygiene online to reduce the risk of their data getting breached and to minimize the impact if it is.

Firstly, while opening any website, it’s prudent to check that the site is secure and that its address begins with Hypertext Transfer Protocol Secure (HTTPS). One should be doubly cautious when filling out personal information on a website and refrain from doing so on unsecured websites. It’s also extremely important to avoid clicking on any unverified links and responding to suspicious emails.

Cybersecurity experts suggest that you always use complex, unique passwords, making sure not to use the same password across different accounts, as reuse drastically increases the risk of a breach. Changing your passwords regularly, ideally once a year, can also help lower the risk of data breaches.

Another important security tip is to always use multi-factor authentication (MFA) because it makes it much harder for hackers to access your accounts.

Sensitive Information Should Ideally Not Be Stored in Emails

Fowler also warned about storing sensitive information in email accounts, saying, “I highly recommend knowing what sensitive information is stored in your email account and regularly deleting old, sensitive emails that contain PII, financial documents or any other important files. If sensitive files must be shared, I recommend using an encrypted cloud storage solution instead of an email.”

Having an identity threat protection service might also be helpful, as it helps you figure out whether you have been part of a breach. Finally, if you discover that you were part of a breach, take action immediately. Change all of your passwords, add MFA if you haven’t already, and watch for any suspicious activity.