Unsecured Database Exposes 149 Million Login Credentials, Including Government and Banking Data
A massive database, containing approximately 149 million login credentials for a wide array of services—including government systems, consumer banking, and major online platforms—was recently discovered publicly accessible by security researcher Jeremiah Fowler. The unsecured database, which had no password protection, has since been taken offline.
Discovery and Contents Detailed
Fowler identified the exposed database, which comprised 96 GB of raw credential data. The information included usernames, passwords, email addresses, and associated URL links for account logins. Critically, the database was publicly accessible and searchable via a web browser, allowing anyone to view its contents without restriction.
The database included credentials for a wide range of services, with estimated counts as follows:
- Gmail: 48 million accounts
- Facebook: 17 million accounts
- Instagram: 6.5 million accounts
- Yahoo: 4 million accounts
- Netflix: 3.4 million accounts
- Microsoft Outlook: 1.5 million accounts
- .edu (academic and institutional): 1.4 million accounts
- Apple iCloud: 900,000 accounts
- TikTok: 780,000 accounts
- Binance: 420,000 accounts
- OnlyFans: 100,000 accounts
Beyond these consumer services, the database also held sensitive login information for government systems across multiple countries, various consumer banking and credit card accounts, and additional media streaming platforms.
Data Origin and Resolution
Fowler indicated that the data is suspected to be a compilation from infostealing malware logs, which infect devices and record user-typed information, alongside data from past breaches. The database was observed to be actively growing, accumulating additional logins over approximately one month before its takedown. The system appeared to automatically classify each log with unique identifiers, suggesting an organized structure.
The researcher was unable to determine ownership of the database. He promptly alerted the hosting provider, identified as a Canadian affiliate of a global provider. The host subsequently took down the database, citing a violation of its terms of service. This incident echoes a similar discovery by Fowler last year involving a database of 184 million records.
Official Statements and Expert Commentary
Google acknowledged awareness of reports regarding datasets containing various credentials, including some from Gmail. The company stated that this data comprises aggregated 'infostealer' logs and confirmed that automated protections are in place to lock accounts and initiate password resets when exposed credentials are identified.
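The protection Google describes, locking an account and forcing a password reset once an exposed credential is identified, is in outline a matching job between a leak feed and the service's own user store. The Python below is an added illustration of that defender-side check; it is not Google's code or anything published with the article. The user store, the leak feed layout (login URL, e-mail, password per line, in the shape the article attributes to infostealer logs), and the PBKDF2 parameters are all constructed for the example. It goes slightly beyond the statement in that it also shows the two cases such a job must not act on: leaked pairs for people who are not users of the service, and stale passwords that no longer match the stored hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: PBKDF2-HMAC-SHA256 with a per-user random salt stands in for whatever
# password hashing the real service uses; the iteration count is kept modest for the demo.
PBKDF2_ITERATIONS = 100_000


@dataclass
class StoredUser:
    email: str
    salt: bytes
    pwd_hash: bytes
    mfa_enabled: bool
    locked: bool = False
    reset_required: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str, mfa_enabled: bool) -> StoredUser:
    salt = os.urandom(16)
    return StoredUser(email.lower(), salt, hash_password(password, salt), mfa_enabled)


def build_demo_store() -> dict[str, StoredUser]:
    """Constructed user store: three accounts, one of which has already rotated its password."""
    users = [
        make_user("alice@example.com", "correct horse battery staple", mfa_enabled=False),
        make_user("bob@example.com", "Winter2024!", mfa_enabled=True),
        make_user("carol@example.com", "rotated-after-last-incident", mfa_enabled=False),
    ]
    return {u.email: u for u in users}


# Constructed leak feed: login URL, e-mail, password per line.
# carol appears with an old password, dave is not a user of this service at all,
# one line is malformed, and alice's pair is duplicated as it would be in an aggregated dump.
DEMO_LEAK_FEED = """\
https://mail.example.com/login,alice@example.com,correct horse battery staple
https://bank.example.net/auth,BOB@example.com,Winter2024!
https://mail.example.com/login,carol@example.com,Summer2023!
https://social.example.org/login,dave@example.net,hunter2
this line is garbage
https://mail.example.com/login,alice@example.com,correct horse battery staple
"""


def parse_leak_feed(text: str):
    """Yield (email, password) pairs; skip lines that lack the three expected fields."""
    for line in text.splitlines():
        parts = line.split(",", 2)  # the password itself may contain commas, so split at most twice
        if len(parts) != 3:
            continue
        _url, email, password = parts
        if email.strip() and password:
            yield email.strip().lower(), password


def credential_matches(user: StoredUser, candidate: str) -> bool:
    """Constant-time comparison of the leaked password against the stored hash."""
    return hmac.compare_digest(user.pwd_hash, hash_password(candidate, user.salt))


def process_leak(store: dict[str, StoredUser], feed: str) -> list[str]:
    """Lock and flag for reset every account whose current password appears in the feed.

    Pairs for unknown users or with stale passwords are ignored: a leaked old password
    is not a live exposure. Returns the sorted, de-duplicated affected e-mail addresses."""
    affected = set()
    for email, password in parse_leak_feed(feed):
        user = store.get(email)
        if user is None:
            continue
        if credential_matches(user, password):
            user.locked = True
            user.reset_required = True
            affected.add(user.email)
    return sorted(affected)


if __name__ == "__main__":
    store = build_demo_store()
    for email in process_leak(store, DEMO_LEAK_FEED):
        user = store[email]
        print(f"{email}: locked, reset required, MFA {'on' if user.mfa_enabled else 'OFF'}")
```

E-mail addresses are normalised to lower case before lookup because dumps mix cases freely, and the hash comparison is constant-time so the matcher itself does not become a password oracle. A real deployment would also revoke active sessions and notify the user; the MFA flag is reported because accounts without a second factor are the ones a credential-stuffing run, as described later in the article, would reach first.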
Cybersecurity experts weighed in on the implications of this significant exposure:
- Matt Conlon, CEO of Cytidel, highlighted the database's substantial value to malicious actors, particularly given the recent rise in infostealer prevalence.
- Boris Cipot, a senior security engineer at Black Duck, emphasized that the inclusion of logins for government, banking, and streaming services significantly increases its appeal to cybercriminals.
- Mayur Upadhyaya, CEO at APIContext, underscored the risk of credential stuffing, where exposed login pairs are automatically used in attempts to access other applications.
- Shane Barney, CISO at Keeper Security, stated that such datasets represent a continuous accumulation of access credentials from various endpoints, indicating that credential compromise is an ongoing condition of the internet.
- Mark McClain, CEO at SailPoint, observed that hackers frequently use legitimate credentials to gain unauthorized access, making databases like this a prime resource.
User Security Recommendations
To enhance account security and mitigate the risks associated with such exposures, users are strongly advised to take the following steps:
- Create unique and strong passwords for each online service.
- Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts where available.
- Utilize password managers to securely generate and store credentials.
- Consider using passkeys where supported for enhanced, passwordless security.
- Avoid accepting 2FA/MFA notifications that were not personally initiated.
- Consult resources like HaveIBeenPwned to check if their information has been previously exposed in this or other breaches.