Moor Studio/Getty Images
While it’s not as large in scale as the latest data breach that leaked over 16 billion passwords, another incident has exposed passwords and other sensitive information across some of the most popular services on the internet.
Cybersecurity researcher Jeremiah Fowler revealed his discovery of a massive online database containing more than 184 million unique account credentials, in a report published late last month. Usernames, passwords, emails, and URLs for a host of applications and websites, including Google, Microsoft, Apple, Facebook, Instagram, and Snapchat, among others, were stored in a file. The database also contained credentials for bank and financial accounts, health platforms, and government portals.
Also: 16 billion passwords leaked from Apple, Google, more: Here are the facts and how to protect yourself
The problem? The file was unencrypted. No password protection. No security. Just a plain text file with millions of sensitive pieces of data.
Based on his analysis, Fowler determined the data was captured by some kind of infostealer malware. A popular tool used by cybercriminals, an infostealer is designed to grab usernames, passwords, and other sensitive data from breached sites and servers. Once the criminals get their hands on the data, they can use it to launch their own attacks or peddle the information on the dark web.
After finding the database, Fowler contacted the hosting provider, which removed it from public access. Since the provider would not disclose the name of the file’s owner, Fowler said he didn’t know if the database was created legitimately and then accidentally exposed or intentionally used for malicious reasons.
To check on the validity of the information, Fowler emailed many of the people listed in the file and told them that he was researching a data breach. Several of the individuals confirmed that the records contained valid account passwords and other data.
Also: Oversharing online? 5 ways it makes you an easy target for cybercriminals
Though the person or people behind the database and exposure are obviously to blame for this incident, users also share some of the responsibility.
“Many people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords, without considering how sensitive they are,” Fowler said. “This could create serious security and privacy risks if criminals were to gain access to thousands or even millions of email accounts.”
In his report, the researcher highlighted the types of threats faced by people whose data is exposed in such breaches.
-
Credential stuffing attacks – People who use the same passwords on multiple accounts open themselves up to compromise. Hackers deploy automated credential stuffing scripts to try out different email and password combinations on thousands of different sites. The same password exposed on one site can then easily be exposed on others.
-
Account takeovers – Cybercriminals who gain access to usernames, passwords, and other private data are able to take over an account. They can steal your identity, commit financial fraud, and run other types of scams, not just on you but on family, friends, and other contacts.
-
Ransomware and corporate espionage – Fowler said he discovered many business credentials in the leaked data. The attackers can exploit this information to steal business records, launch ransomware attacks, and even commit corporate espionage.
-
Attacks against state and government agencies – Fowler also saw several government accounts across different countries. An attacker armed with this information can target state and federal agencies.
-
Phishing and social engineering – Leaked emails provide cybercriminals with a history of someone’s conversations and contacts. That information can then be used in targeted phishing attacks against the account owner as well as people they know.
How can you protect your own confidential data from being exposed in a breach? Though no perfect solution exists, Fowler shared the following tips in his report:
1. Change your passwords each year
Many people have only one email address connected to multiple accounts, which means they can’t easily change it. But you can change your password, at least periodically. Doing so is a good idea if you think your old password may have been compromised in a breach.
2. Use complex and unique passwords
Beyond using strong passwords, avoid using the same one for multiple accounts.
3. Consider a password manager
A password manager can take on the challenging role of creating, storing, and applying strong and unique passwords for each account. As Fowler pointed out, there is a risk in using a password manager. If your master password is ever stolen or compromised, a cybercriminal now has the key to unlock all your passwords. But that brings us to the next tip.
Also: The best password managers of 2025: Expert tested
4. Use multi-factor authentication
MFA offers a second level of authentication, typically through a code, authenticator app, or security key. If your password is ever breached, a cybercriminal can’t access your account without that code. Make sure you use MFA on all available accounts, but especially ones for bank and financial services and password managers.
5. Check if your credentials have been leaked
Services like HaveIBeenPwned will tell you if your email has popped up in any known breaches. If so, then make sure you change the password for the affected accounts.
6. Monitor the use of your accounts
Some websites and services will alert you to suspicious login activity and other atypical behavior, just like your credit card company alerts you to potentially suspect transactions. Avail yourself of this feature whenever possible.
Also: 10 passkey survival tips: Prepare for your passwordless future now
7. Use good security software
The right security software can detect and eliminate infostealer malware and other known threats. Be sure to update your software with the latest definitions to defend yourself against new variants.
Get the morning’s top stories in your inbox each day with our Tech Today newsletter.
