Researcher finds 184M unique login credentials in unsecured database

Credential data unprotected by passwords or encryption

In the digital age, credentials are the new gold bars. Representing the intangible but infinitely monetizable value of identity, they are the target of endless ingenious heist attempts, as fraudsters harvest data for identity theft and increasingly varying and sophisticated fraud tactics. Those whose data is stolen may not know it’s happening until the treasure is gone; Comparitech says U.S. organizations typically take over four months to report a data breach following a ransomware attack. And the fallout can be extremely costly. 

As such, when a veritable Fort Knox of credentials is found unprotected, it’s a big deal. 

Cybersecurity researcher Jeremiah Fowler has discovered a publicly exposed database of credential data unprotected by passwords or encryption. In a report to Website Planet, Fowler explains how he gained access to 184,162,718 unique logins, totaling 47.42 GB of raw credential data, and how it contained “login and password credentials for a wide range of services, applications, and accounts, including email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox, and many more”.  

“In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler writes. “I also saw credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk.”

Fowler’s attempts to find out who managed the database led to the removal of public access – but, he says, “the hosting provider would not disclose their customer’s information, so it is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes and subsequently exposed due to oversight.” 

Fowler doesn’t know how long the data was exposed before he found it. Evidence suggests it was harvested by “some type of infostealer malware” – malicious software designed to harvest sensitive credential information from an infected system. Infostealer malware can be concealed in phishing emails or cracked software; once data is harvested, it usually ends up circulated on dark web marketplaces and Telegram channels. Identity theft and fraud are major risks. 

Data from IBM shows that, in 2024, the company recorded an 84 percent spike in emails delivering infostealer malware. Early 2025 metrics show a staggering 180 percent increase.

So, when there’s a breach like the one Fowler found, everyone takes notice. 

Coverage in Wired calls it a “privacy nightmare” that “underscores the risks of recklessly compiling sensitive information in a repository that could become a single point of failure.” It reports that Fowler’s analysis of a marginal 10,000 records found 479 accounts for Facebook, 475 for Google, 240 for Instagram, 227 for online game platform Roblox, 209 for messaging platform Discord, and over 100 accounts each for Microsoft, Netflix and PayPal. 

Other organizations included Apple, Amazon, Nintendo, Snapchat, Twitter, WordPress, Yahoo, Spotify and the UK’s National Health Service.

Information Age chimes in to add that data from the Australian Department of Home Affairs’s ImmiAccount immigration service is among the trove exposed in the “large infostealer campaign.”

Fowler’s report to Website Planet includes recommendations for data security: change passwords annually, consider using password managers, and so on. 

Passkeys better security solution than passwords

To that, Google says: let’s just get rid of passwords altogether. If an Android Authority code teardown is to be believed, Google’s password manager for Android is getting an automatic passkey update feature. 

“Android Authority enabled the feature that it had found, and discovered it would enable your phone’s existing website and app credentials to ‘be converted to passkeys without your explicit permission’,” says coverage in Forbes. “The idea being that the Google password manager for Android would upgrade any passwords for sites and services where passkeys are available, and do so in a seamless fashion.” 

The feature can reportedly be disabled for those who insist on using passwords or “want more control over passkey generation.”

It’s not just Google, either. All of the largest names of Silicon Valley are gradually pledging to finally make the switch to FIDO passkeys. Microsoft made its announcement on the first-ever World Passkey Day, joining the Passkey Pledge in commitment to eliminating passwords. The firm says it is seeing nearly a million passkeys registered every day. 

NIST keen on passkeys, digital identity wallets

A piece from Federal News Network features comments on passkeys from Ryan Galluzzo, digital identity lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology (NIST). NIST’s Special Publication 800-63 series aims to direct agencies on how to manage risk within the context of digital identity programs.

“If you can sync or copy a passkey, how do you make sure that doesn’t end up in the wrong kind of storage or export it out of the enterprise?” Galluzzo asks. “We look at how we can place additional controls through other kinds of security mechanisms on your identity and authentication systems to make sure they’re functioning and giving you the security you need.”

“Any technology that can start to consolidate a smooth user experience with increased security is the kind of thing that can show a lot of value and gain a lot of traction. That’s why we’re so interested in things like passkey and FIDO authentication, as well as things like mobile wallets, and the credentials that reside inside them.”
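The “additional controls” Galluzzo refers to can be applied on the relying-party side: WebAuthn authenticator data carries backup-eligible (BE) and backup-state (BS) flag bits that tell a service whether a passkey can be synced or exported. The following is an added example, not code from the article, NIST or any vendor named above; the RP ID “example.com”, the sample assertions and the `allow_synced` policy switch are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced or exported (multi-device)
FLAG_BS = 0x10  # backup state: the credential is currently backed up

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash, flags, sign_count)

def check_policy(auth: AuthData, rp_id: str, allow_synced: bool) -> list[str]:
    """Return policy violations for an assertion; an empty list means it is acceptable."""
    problems = []
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not auth.flags & FLAG_UP:
        problems.append("user presence (UP) not asserted")
    if not auth.flags & FLAG_UV:
        problems.append("user verification (UV) not asserted")
    if auth.flags & FLAG_BE and not allow_synced:
        problems.append("credential is backup-eligible (synced passkey) but policy requires device-bound")
    if auth.flags & FLAG_BS and not auth.flags & FLAG_BE:
        problems.append("BS set without BE: malformed flags")
    return problems

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix (sample input for this example)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(check_policy(parse_auth_data(synced), "example.com", allow_synced=False))
    bound = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    print(check_policy(parse_auth_data(bound), "example.com", allow_synced=False))
```

Synced passkeys typically report a signCount of 0, so a relying party that wants device-bound credentials should rely on the BE/BS flags at registration time rather than on counter behaviour alone.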
