A security researcher recently discovered an unprotected online database with a staggering 149 million stolen logins.
Jeremiah Fowler says the database was live on the web, with no password protection or encryption. “It contained 149,404,754 unique logins and passwords, totaling a massive 96GB of raw credential data,” he wrote in a post for ExpressVPN.
(Credit: ExpressVPN/Fowler)
The database contained millions of unique logins for Gmail, Facebook, Instagram, Yahoo, and Netflix accounts. “Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed,” he says.
Importantly, Fowler suspects a hacker created the database to store information stolen through malware. Such infections can silently operate on victim computers, stealing passwords from login fields or recording keystrokes.
(Credit: ExpressVPN/Fowler)
The database was structured to make it easy to search for information by victim and source. “One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available,” Fowler adds.
That said, Fowler couldn’t confirm if the database belonged to a cybercriminal or a fellow researcher. To protect users, he contacted the database’s hosting provider to have it taken down. “It took nearly a month and multiple attempts before action was finally taken, and the hosting was suspended, and millions of stolen login credentials were no longer accessible,” he says.
Still, the database’s mysterious creator and anyone else who accessed it could still have a copy of the stolen login credentials. “Taking a dataset offline does nothing to address the underlying issue, which is that many of these credentials remain valid and trusted long after they have been stolen,” says Shane Barney, Chief Information Security Officer at Keeper Security.
Recommended by Our Editors
The finding underscores the threat of malware and how cybercriminals often exploit stolen information to launch further attacks. Fowler notes that the database also contained logins for .gov domains from numerous countries. “Exposed government credentials could be potentially used for targeted spear-phishing, impersonation, or as an entry point into government networks,” he writes.
Fowler recommends that consumers use antivirus protection on their PCs, keep their operating systems up to date, and install apps only from verified sources. You can also check out PCMag’s Simple Tips to Protect Your Money, Identity, and Sanity.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
