Database with 184 million access data discovered
Numerous services affected:
Database with 184 million login details discovered
The data leak includes passwords for user accounts at Microsoft, Google, Facebook, Amazon, Apple, Nintendo, Paypal and many more.
A security researcher named Jeremiah Fowler has discovered a huge unsecured database containing login information for more than 184 million online accounts. In his own blog post, the researcher mentions 47.42 GB of access data. It is still unclear exactly where the data came from. It was probably collected by malware or from previous data leaks.
According to Fowler, the database, which has since been taken offline, contained email addresses, usernames, passwords and URLs of the services for which the respective login data is intended. The latter include those from Microsoft, Google, Facebook, Instagram, Snapchat, Roblox, Discord, Netflix, Paypal, Amazon, Apple, Nintendo, Spotify and Wordpress.
According to a report by Wired, Fowler also found access data for banking applications, wallets and government portals from 29 different countries in an extract of 10,000 data records. The passwords were probably available in plain text. Fowler contacted several of those affected and was able to verify that the login data was genuine and that at least some of the passwords were still valid.
Host intervenes
The security researcher was unable to determine how long the database had been freely accessible and who exactly owned it. After contacting the hosting provider responsible, World Host Group, the latter immediately took steps to remove the data from the network. However, it remains uncertain whether other actors discovered the database beforehand and accessed the data it contained.
Fowler assumes that the access data was collected by Infostealer malware. However, it is also conceivable that the data originated at least in part from other sources, such as previous data leaks, and was simply collected in a large database by an unknown actor.
Users should act
Users who want to protect themselves from possible misuse should regularly check services such as HaveIBeenPwned or the Hasso Plattner Institute's Identity Leak Checker to see whether their login details are included in known data leaks and change their passwords if necessary. When assigning passwords, care should also be taken to ensure that they are sufficiently complex and are not used more than once.
It is also worth making use of available two-factor authentication (2FA) methods, as a captured password alone is not sufficient to hijack the associated account.