25 votes

Mysterious database of 184 million records exposes vast array of login credentials

19 comments

  1. skybrian

    From the article:

    In early May, longtime data-breach hunter and security researcher Jeremiah Fowler discovered an exposed Elastic database containing 184,162,718 records across more than 47 GB of data. Typically, Fowler says, he is able to gather clues about who controls an exposed database from its contents—details about the organization, data related to its customers or employees, or other indicators that suggest why the data is being collected. This database, however, didn’t include any clues about who owns the data or where it may have been gathered from.

    The sheer range and massive scope of the login details, which include accounts connected to a large array of digital services, indicate that the data is some sort of compilation, possibly kept by researchers investigating a data breach or other cybercriminal activity or owned directly by attackers and stolen by infostealer malware.

    In a sample of 10,000 records analyzed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 each of Microsoft, Netflix, and PayPal accounts. That sample—just a tiny fraction of the total exposure—also included Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo logins, among many others. A keyword search of the sample by Fowler returned 187 instances of the word “bank” and 57 of “wallet.”

    Fowler, who did not download the data, says he contacted a sample of the exposed email addresses and heard back from some that they were genuine accounts.

    Fowler says that while he does not know for certain, he suspects that the data was compiled by attackers using an infostealer.

    “It is highly possible that this was a cybercriminal,” he says. “It’s the only thing that makes sense, because I can’t think of any other way you would get that many logins and passwords from so many services all around the world.”

    10 votes
    1. tanglisha

      This is a good reminder to change important passwords once in a while. High on that list are banks, social media, and email addresses used to recover bank and social media passwords.

      9 votes
      1. skybrian

        Password managers with strong, randomly generated passwords or passkeys seem like the way to go here. If you're doing that, I doubt changing passwords does anything.

        6 votes
        1. tanglisha

          I’m not following you. The article seems to be describing a massive rainbow table. It doesn’t matter how complex/obscure a password is if it’s available publicly, the only way to make that account safe is to change the password. 1Password even has a service to try to help change compromised passwords.

          10 votes
          1. teaearlgraycold

            Gotta be honest, I wouldn’t be afraid of someone knowing the hash to my 32 character long randomly generated globally unique password. Unless the hashing algorithm used was broken.

            2 votes
            1. zestier

              I'm not clear on why the previous commenter referred to it as a rainbow table. From the article:

              Each record included an ID tag for the type of account, a URL for each website or service, and then usernames and plaintext passwords. Fowler notes that the password field was called “Senha,” the Portuguese word for password.

              7 votes
              1. teaearlgraycold

                plaintext passwords

                I guess they were decoded with rainbow tables? Netflix/PayPal/etc. are absolutely not using plaintext passwords.

                Another possibility is these are reused passwords found on less secure sites and then they found the credentials to be valid on Netflix etc. thus making them "Netflix passwords" but not sourced from any Netflix leak.

                3 votes
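The reuse hypothesis above (a password harvested from one weak site, then confirmed against Netflix, PayPal and so on) is something a defender can test for directly in a dump shaped like the one the article describes: an ID tag, a URL, a username and a plaintext password field named "Senha". The script below is an added example, not code from the thread or from Fowler's investigation; the records in it are constructed placeholders, and the report deliberately lists only which services share a password per username, never the password itself.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records in the shape the article describes (ID tag, URL,
# username, plaintext password under the Portuguese field name "Senha").
# Every value here is invented; none of these rows come from the exposed database.
SAMPLE_RECORDS = [
    {"id": "web", "url": "https://www.netflix.com/login",    "username": "alice@example.com", "Senha": "Tr0ub4dor&3"},
    {"id": "web", "url": "https://www.paypal.com/signin",    "username": "alice@example.com", "Senha": "Tr0ub4dor&3"},
    {"id": "web", "url": "https://forum.example.net/login",  "username": "alice@example.com", "Senha": "Tr0ub4dor&3"},
    {"id": "web", "url": "https://discord.com/login",        "username": "alice@example.com", "Senha": "Tr0ub4dor&3"},
    {"id": "web", "url": "https://www.roblox.com/login",     "username": "bob@example.com",   "Senha": "x9!Lq2#vP"},
    {"id": "web", "url": "https://accounts.google.com/",     "username": "bob@example.com",   "Senha": "7gH*wEz$Qm"},
    {"id": "web", "url": "https://www.netflix.com/login",    "username": "bob@example.com",   "Senha": "7gH*wEz$Qm"},
]


def service_of(url: str) -> str:
    """Normalise a login URL to its host, dropping a leading 'www.'."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def reuse_report(records) -> dict:
    """For each username, list the groups of services that share one password.

    Only groups with more than one service are reported, and the password value
    itself is never included in the output: the point is to see reuse, not to
    re-expose the secret.
    """
    by_user = defaultdict(lambda: defaultdict(set))
    for r in records:
        by_user[r["username"]][r["Senha"]].add(service_of(r["url"]))
    report = {}
    for user, per_password in by_user.items():
        groups = [sorted(services) for services in per_password.values() if len(services) > 1]
        if groups:
            report[user] = sorted(groups)
    return report


def service_counts(records) -> dict:
    """Records per service, the same kind of tally Fowler ran on his 10,000-record sample."""
    counts = defaultdict(int)
    for r in records:
        counts[service_of(r["url"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, groups in reuse_report(SAMPLE_RECORDS).items():
        for g in groups:
            print(f"{user}: same password on {', '.join(g)}")
    print(service_counts(SAMPLE_RECORDS))
```

A dump in which one email shows an identical password across a forum, Netflix, PayPal and Discord is consistent with credential stuffing from a single weak site; a dump in which the same email carries distinct, high-entropy passwords per service (as bob does here) is harder to explain without malware on the victim's machine, which is the infostealer hypothesis the thread turns to next.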
                1. zestier

                  I think that is part of why it is suspected that it came from client-side info stealers. Those seek out the plain text directly from the user's machine. From the ones I've seen they usually go after the local copies of password vaults in some way.

                  7 votes
                  1. teaearlgraycold

                    Yeah a supply chain attack on a popular extension would be a good culprit.

                    4 votes
                    1. zestier

                      Another way I recall seeing in a video was about one that was embedded into a special file that was either a music file or a password stealer depending on the application that happened to run it. Distribute stuff like that around unwitting Discord groups and such where people figure "how am I going to get hacked by an mp3?" not knowing that double clicking it could be malware.

                      I don't recall if it was music, image, video, or what. Just some piece of media. The point was more about it being doable than the specifics. Just that people think "that can't be malware, it's just media" even though Windows can be tricked into executing those things.

                      1 vote
          2. skybrian

            I'm assuming the password is strong, randomly generated, and your password manager can't be fooled into entering it into the wrong place, so it doesn't end up in a database of compromised passwords to begin with.

            But I guess that's more reasonable for passkeys.

            1. zestier

              But if this originated from a data stealer then it doesn't really matter how strong the passwords are or how smart the password manager is. Alternatively if this originated from combining a bunch of other breaches then it really really doesn't matter how strong your passwords are. The only cases that strong unique passwords really protect are guessing common passwords and preventing credentials leaked for service A being valid for service B.

              6 votes
              1. skybrian

                I guess another assumption is that my computers aren't infected by malware.

                If your computer is infected by malware then it can steal your current passwords. If you didn't notice the malware, it could steal your passwords again after you change them.

                After getting rid of the malware, it does make sense to change all your passwords. Or maybe after switching to a new machine if you suspect malware?

                2 votes
                1. zestier

                  I'll admit I don't rotate my passwords as often as I should, but it is good practice to rotate keys even when you don't think you're compromised because it's easy to be incorrect about that assumption. The compromise could have been something temporary that you never noticed occurring or being fixed, such as a security bug in a random piece of non-malware software. Most obvious would be things like OS or browser vulnerabilities that allowed someone some degree of temporary access that has since been patched with you having no idea it happened.

                  There are reasons that best security practices for managing enterprise access keys don't include "just wait until it probably leaked to rotate it". It's probably good to force a rotation when suspicious, but that's on top of scheduled rotation.

                  3 votes
                  1. skybrian

                    Yes, I agree that it can be useful for IT because it means that you can stop thinking about bugs that were patched long ago. A good example is how Let's Encrypt requires certificates to be rotated every 90 days, and this is automated. You'll never know whether it mattered at all, but somewhere out there, maybe it did?

                    I'm more skeptical about manual password rotation by end users where they're allowed to pick a new password themselves. This annoys people and they are going to cheat by picking passwords that aren't much different. If you're going to annoy your users, there are more effective interventions like requiring a second factor or moving to passkeys.

                    2 votes
                    1. papasquat

                      Yeah, regular end user password rotation hasn't been best practice for some time, as outlined by NIST SP 800-63. When you force users to rotate passwords on a time basis, they tend to choose weaker passwords, or passwords that are an easy permutation of a previous password. Generally, modern best practice is to force password resets on suspected breaches but otherwise not to expire them.

                      2 votes
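The control NIST SP 800-63B pairs with "don't expire on a schedule" is screening: at the moment a password is set, compare it against a corpus of known-compromised values (exactly the sort of corpus this 184-million-record dump would feed) and reject it if it appears, then force a reset only on evidence of compromise. The following is an added example of that check, not code from the thread or from NIST. It mirrors the Pwned Passwords k-anonymity range lookup (send only the first five hex characters of the SHA-1, match the suffix locally) against a constructed, in-memory corpus; the passwords and occurrence counts in `KNOWN_BAD` are invented, and a real deployment would load a downloaded copy of the list or call the live range endpoint.

```python
import hashlib
from collections import Counter


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: a few passwords that show up in
# every credential dump, with invented occurrence counts. Not real statistics.
KNOWN_BAD = Counter({
    "password": 9_000_000,
    "123456": 40_000_000,
    "qwerty": 4_000_000,
    "letmein": 700_000,
})


def build_range_index(breached: Counter) -> dict:
    """Index hashes the way the range API serves them: 5-char prefix -> {suffix: count}."""
    index = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


RANGE_INDEX = build_range_index(KNOWN_BAD)


def range_query(prefix: str) -> list:
    """Simulates GET /range/<prefix>: every 'SUFFIX:COUNT' line sharing that prefix.

    Only the 5-character prefix ever leaves the client, so the corpus owner
    learns neither the password nor its full hash.
    """
    return [f"{s}:{c}" for s, c in sorted(RANGE_INDEX.get(prefix.upper(), {}).items())]


def breach_count(password: str) -> int:
    """How many times `password` appears in the corpus (0 if it does not)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def accept_new_password(candidate: str, min_len: int = 8) -> tuple:
    """Set-time screening in the 800-63B style.

    Reject anything under the minimum length or present in the breach corpus;
    otherwise accept with no expiry date. Returns (accepted, reason).
    """
    if len(candidate) < min_len:
        return (False, "shorter than minimum length")
    n = breach_count(candidate)
    if n:
        return (False, f"appears {n} times in breach corpus")
    return (True, "accepted; no periodic rotation required")


if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(pw, accept_new_password(pw))
```

The same `breach_count` check is what a "force a reset on suspected breach" policy runs after a dump like this one surfaces: re-screen stored credentials (or their hashes, where the corpus is hash-keyed) and expire only the ones that now match, rather than the whole user base on a calendar.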
  2. daychilde

    Alright, I'm way overdue and I've been lazy on some of my accounts.

    Just in case there is... Anyone know of a tool that can help bulk-change passwords on common services like Gmail, etc?

    3 votes
    1. sleepydave

      I'm not aware of any service like that, but even if there was, you wouldn't want to use it because the security risk outweighs the convenience reward and it likely wouldn't integrate into your password manager. Best just to reset your compromised passwords manually (and enable TOTP 2FA while you're at it for the platforms that support it).

      Mozilla Monitor is a free service that will notify you by email when your credentials are found in data breaches if you're interested.

      3 votes