No, this wasn’t a data breach and hackers weren’t involved, at least not in the way that you might think. They didn’t break into Google or Meta’s systems or steal your data from the inside. Instead, this new data leak involved a massive collection of stolen passwords accumulated by info-stealing malware.
According to a new report from ExpressVPN, cybersecurity researcher Jeremiah Fowler recently discovered an exposed database online that contained approximately 149,404,754 unique logins and passwords across 96GB of raw data. These stolen credentials also came with links that point back to which service or platform they’re used to access.
With all of this stolen data in hand, other cybercriminals could try and use it to access victims’ accounts. Worse still, if a victim reused the same password across multiple accounts, the fallout from this leak could be even worse since hackers will likely try those login details across multiple sites and services, likely through automation.
Here’s everything you need to know about this major data leak including which services had the most stolen credentials along with some tips and tricks to help you stay safe in the aftermath.
Exposed accounts by service
From email providers to social media and even streaming services, stolen credentials for almost all of the most popular sites were discovered by Fowler in that unsecured database. Here’s a full breakdown of the sites and services these logins belong to:
- Gmail: 48 million
- Facebook: 17 million
- Instagram: 6.5 million
- Yahoo: 4 million
- Netflix: 3.4 million
- Outlook: 1.5 million
- iCloud: 900k
- TikTok: 780k
- Binance: 420k
- OnlyFans: 100k
It’s worth noting that logins were stolen from other sites and services like HBOmax, Disney Plus, Roblox, X and more too. However, Fowler chose to specifically highlight the ones listed above as the majority of these stolen credentials are associated with accounts there.
Even hackers have trouble with passwords
So how did all of these logins end up on a database? Well, they were stolen via a specific type of malware often referred to as infostealers.
When a company leaves a database open online, they can be held accountable… When a hacker does so, other cybercriminals will be quick to swoop in.
Unlike traditional malware that tries to maintain persistence and basically “live” on an infected computer or smartphone, info-stealing malware is designed to do exactly what its name implies: steal info. Whether that be by recording your keystrokes or stealing your passwords and personal data outright, all of this information is then repackaged and sent back to the hackers that deployed this malicious software in the first place.
As Fowler points out in his report, all of that stolen data has to be stored somewhere and just like businesses do with their documents, hackers have also turned to the cloud to store massive amounts of data. The problem though is that when a company leaves a database open online, they can be held accountable by the government and regulators. When a hacker does so, other cybercriminals will be quick to swoop in and use that stolen data to launch their own phishing attacks and other campaigns.
When Fowler discovered the exposed database filled with stolen credentials, he tried to figure out who owned it but there was no info available. As such, he did the next best thing by directly contacting the hosting provider through an online form to report abuse. After almost a month and multiple attempts to contact them, the database was finally taken offline after its hosting was suspended.
Likewise, it’s unclear as to how long the database was left exposed online without a password before Fowler discovered it. Surprisingly though, the number of stolen records contained within the database did increase during the period he had access to it before it was taken down.
How to stay safe after a major data leak
A major data breach or even a data leak like this one will definitely be a wake up call for most people. Even if the logins for your accounts weren’t stolen and then leaked online, there’s never a bad time to give them all a security audit. To not get overwhelmed though, I recommend you start small and then work your way up to making bigger, more significant changes when it comes to your security hygiene.
For starters, do you reuse any of your passwords across multiple accounts? Well, if you do, you’re putting yourself at serious risk of getting hacked because once hackers get the credentials for one of your accounts, they will absolutely try using them to access your other ones.
Changing your passwords is an essential first step but if you have trouble coming up with strong, complex passwords on your own, I recommend using one of the best password managers instead. Not only can they generate better passwords than you’d be able to come up with on your own but they also securely store and let you easily access them later.
And if you want to say goodbye to passwords for good, you might want to consider switching to passkeys instead (when possible) as they provide a more secure way to log into and access your accounts.
The best antivirus software can help stop info-stealing malware from infecting your devices but you also need to be careful where you click and avoid opening any attachments in emails, text messages and on social media.
Since some attacks can slip through the cracks, investing in one of the best identity theft protection services is a worthwhile investment too. These services often come with an antivirus built-in and they can help you get your identity back if it’s ever stolen. At the same time, their experts and the included identity theft insurance can be used to recover funds lost to fraud or scams.
One last thing I always recommend — just like with the apps on your phone — is to close any online accounts you haven’t used in a while. The fewer accounts you have, the less likely they can be hacked and this means that any sensitive data they contain can’t be exposed in a data breach.
We might learn more about this database filled with stolen credentials and if so, I’ll update this article with any new information. Even if we don’t though, a major security incident like this one should be a wake up call for all of us when it comes to our passwords and making sure we use a unique one for each of our online accounts.
Follow Tom’s Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.
