Major social media platforms were impacted by the breach
Security analyst Jeremiah Fowler, who discovered the huge database, posted a more detailed list of the apps and sites whose users had their usernames and passwords stolen and exposed. Fowler said that the “exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and about any type of account imaginable.”
Social media platforms impacted by the data breach include Facebook, Instagram, TikTok and X. Dating apps and sites were also affected, as were both content creators and customers of OnlyFans. Users of entertainment and streaming services such as Disney+, Netflix, HBO Max, Roblox, and more were involved. Even worse, some of the data belonged to people with financial services accounts, crypto wallets or trading accounts. Fowler added, “Banking and credit card logins also appeared in the limited sample of records I reviewed.”
Other data was exposed from financial service apps and sites
The exposed data from .gov domains is especially dangerous because attackers can use it for impersonation and other tactics to get into government networks. Such attacks against .gov domains can grow into national security risks.
Fowler could not determine who the database belonged to, so he reported the breach to the hosting company through its online form. A few days later, the company wrote back to say that the database was hosted by a subsidiary that operates independently even though it uses the parent organization's name. It took months and several attempts before hosting of the database was halted and the millions of login credentials were no longer accessible.
Some questions about the database need to be answered
There are some pretty big questions about the database that have not been answered. For example, it is not known how long the database was left exposed before Mr. Fowler discovered it. Also unknown is whether others were able to access the data. Fowler questioned whether the database was used for criminal activity or legitimate research purposes. It would be useful to know why the database was exposed to the public. The researcher found it disturbing that from the time he discovered the data breach until the time it was restricted, the number of records increased.
Fowler discovered that the following email providers had accounts exposed:
- Gmail: 48 million estimated exposed accounts.
- Yahoo: 4 million estimated exposed accounts.
- Outlook: 1.5 million estimated exposed accounts.
- iCloud: 900,000 estimated exposed accounts.
- .edu domains: 1.4 million estimated exposed accounts.
Other well-known apps and sites that were part of the data breach:
- Facebook: 17 million estimated exposed accounts.
- Instagram: 6.5 million estimated exposed accounts.
- TikTok: 780,000 estimated exposed accounts.
- Netflix: 3.4 million estimated exposed accounts.
- OnlyFans: 100,000 estimated exposed accounts.
- Binance: 420,000 estimated exposed accounts.
Reduce your risk with two simple tips
Fowler pointed out that the exposure of such a huge batch of unique login credentials could be serious for those who do not know that their information was stolen or exposed. Because the exposed data includes emails, usernames, passwords, and the exact login URLs, attackers who obtain these email/password combos could profit heavily. They go to the apps where the rewards for breaking in are high (financial apps, trading apps, crypto apps) and try every email/password pair they obtained, a technique known as credential stuffing, in an attempt to gain access to accounts holding large amounts of cash or cash equivalents.
Consider this. Even if each email/password combo has only a 0.1% chance of working, an attacker who has obtained a list of 10 million credentials gains access to 10,000 active accounts. To reduce your risk of becoming a victim after a data breach, use two-factor authentication. You also shouldn’t reuse passwords across different apps and sites.
