The possibility that data could be inadvertently exposed in a misconfigured or otherwise unsecured database is a longtime privacy nightmare that has been difficult to fully address. But the new discovery of a massive trove of 184 million records—including Apple, Facebook, and Google logins and credentials for accounts connected to multiple governments—underscores the risks of recklessly compiling sensitive information in a repository that could become a single point of failure.
In early May, longtime data-breach hunter and security researcher Jeremiah Fowler discovered an exposed Elastic database containing 184,162,718 records across more than 47 GB of data. Typically, Fowler says, he is able to gather clues about who controls an exposed database from its contents—details about the organization, data related to its customers or employees, or other indicators that suggest why the data is being collected. This database, however, didn’t include any clues about who owns the data or where it may have been gathered from.
The sheer range and massive scope of the login details, which include accounts connected to a large array of digital services, indicate that the data is some sort of compilation, possibly kept by researchers investigating a data breach or other cybercriminal activity or owned directly by attackers and stolen by infostealer malware.
“This is probably one of the weirdest ones I’ve found in many years,” Fowler says. “As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.”
Each record included an ID tag for the type of account, a URL for each website or service, and then usernames and plaintext passwords. Fowler notes that the password field was called “Senha,” the Portuguese word for password.
In a sample of 10,000 records analyzed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 each of Microsoft, Netflix, and PayPal accounts. That sample—just a tiny fraction of the total exposure—also included Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo logins, among many others. A keyword search of the sample by Fowler returned 187 instances of the word “bank” and 57 of “wallet.”
Fowler, who did not download the data, says he contacted a sample of the exposed email addresses and heard back from some that they were genuine accounts.
Aside from individuals, the exposed data also presented potential national security risks, Fowler says. In the 10,000 sample records there were 220 email addresses with .gov domains. These were linked to at least 29 countries, including the United States, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the United Kingdom.
While Fowler could not identify who had put the database together or where the login details originally came from, he reported the data exposure to World Host Group, the hosting company it was linked to. Access to the database was quickly shut down, Fowler says, although World Host Group did not respond to the researcher until after it was contacted by WIRED.
