
An open database, likely storing data from credential-stealing malware, has exposed tens of millions of credentials. The data includes logins and passwords for popular services such as Facebook, Gmail, Netflix, Binance, and many others, researchers claim.
- A misconfigured cloud database exposed over 149M unique login credentials collected by infostealer malware.
- Leaked accounts include Gmail, Facebook, Instagram, Netflix, TikTok, Binance, and OnlyFans, affecting users worldwide.
- The exposed dataset contained 96GB of structured credentials, URLs, and device identifiers enabling large-scale account takeovers.
The exposed database contained a whopping 96GB of raw credential data that covers over 149 million unique logins and passwords, researchers at ExpressVPN discovered. According to the research author, Jeremiah Fowler, the data also included URLs linking to specific services and accounts.
“This is not the first dataset of this kind I have discovered, and it only highlights the global threat posed by credential-stealing malware. When data is collected, stolen, or harvested, it must be stored somewhere, and a cloud-based repository is usually the best solution,” Fowler writes.
Credential-stealing malware, also known as an infostealer, is, as Fowler describes it, a type of malware that quietly installs itself on user devices and collects credentials. The collected data is then sent to attackers' databases. Later, malicious actors exploit the information to take over accounts and siphon funds.
The owner of the database managed to collect millions of credentials from popular services all around the world. According to Fowler's estimates, the data leak includes:
- Gmail - 48M
- Facebook - 17M
- Instagram - 6.5M
- Yahoo - 4M
- Netflix - 3.4M
- Outlook - 1.5M
- iCloud - 900k
- TikTok - 780k
- Binance - 420k
- OnlyFans - 100k
“I also saw a large number of streaming and entertainment accounts, including Netflix, HBOmax, Disney+, Roblox, and more. Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed,” Fowler said.
According to Fowler, the dataset also included credentials associated with government accounts. At least in theory, malicious actors could utilize the leaked data to access sensitive government systems, which often house large amounts of sensitive personally identifiable information (PII).
Malicious actors could also use government email addresses for targeted phishing attacks, which could result in malware being deployed on government networks.
The database did not have any ownership information, and the researcher reported the issue directly to the hosting provider. The hosting provider replied, saying that the IP is hosted by an independent subsidiary.
It took nearly a month for the exposed database to be closed off from the public, meaning not only did the infostealer’s admins have access to it, but also anyone who managed to discover the dataset.
“One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available,” Fowler said.
Investigating a data sample, the researcher noticed that, in addition to URLs and credentials, the database also contained a “host_reversed path” (com.example.user.machine) record. Fowler believes that by collecting this type of information, attackers were able to organize it better and bypass basic detection.
“The system used a line hash as the document ID to ensure one unique record per unique log line. In a limited search of these hash and document IDs, it was identified that they were indeed unique and returned no duplicates,” Fowler said.
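As an added example, not from Fowler's report or the exposed system, the Python below shows how the two storage conventions described above, a reversed host path and a line hash as document ID, behave on a constructed sample, framed as a defender triaging a leaked dump to see which of their domains appear and to collapse duplicate lines. The URL:login:password line layout, the SHA-256 hash choice, and all sample values are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample in a URL:login:password layout (assumed, not the real
# dataset's format). Every value here is made up for this example.
SAMPLE_LOG_LINES = [
    "https://accounts.example.com/login:alice@example.com:hunter2",
    "https://mail.example.org/:bob:p@ssw0rd",
    "https://accounts.example.com/login:alice@example.com:hunter2",  # exact duplicate
    "https://shop.example.com/signin:carol:letmein",
    "not a valid log line",
]

def host_reversed(url: str) -> str:
    """Turn 'accounts.example.com' into 'com.example.accounts' so records sort
    and group by registrable domain first, then by subdomain."""
    host = urlsplit(url).hostname or ""
    return ".".join(reversed(host.split("."))) if host else ""

def line_hash(line: str) -> str:
    """SHA-256 of the raw log line, used as the document ID so a line that
    appears twice collapses into a single record (algorithm is an assumption)."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

def parse_line(line: str):
    """Split 'URL:user:password' into parts. The URL itself contains ':' after
    the scheme, so split from the right twice; lines without a URL are skipped.
    Limitation: a password containing ':' would be mis-split by this layout.
    Only URL and user are kept; the triage never needs to store the secret."""
    parts = line.rsplit(":", 2)
    if len(parts) != 3 or "://" not in parts[0]:
        return None
    url, user, _password = parts
    return {"url": url, "user": user}

def build_index(lines):
    """Return (records keyed by line hash, record count per registrable domain
    in reversed form), skipping unparseable lines and deduplicating by hash."""
    records = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        parsed["host_reversed"] = host_reversed(parsed["url"])
        records[line_hash(line)] = parsed  # same line -> same ID -> one record
    per_domain = {}
    for rec in records.values():
        # first two labels of the reversed host, e.g. 'com.example'
        key = ".".join(rec["host_reversed"].split(".")[:2])
        per_domain[key] = per_domain.get(key, 0) + 1
    return records, per_domain
```

Running `build_index(SAMPLE_LOG_LINES)` on the five constructed lines yields three unique records, because the repeated line shares its hash and the malformed line is dropped.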
Malicious actors can easily utilize this type of database for numerous nefarious purposes. The most obvious one is breaking into user accounts and stealing their personal data. Moreover, a structured database enables automated credential stuffing, as users often reuse passwords.
Infostealers are a major issue worldwide, as attackers collect massive databases for later action. For example, last year Cybernews reported on a combination of 16 billion exposed login credentials spread across several databases.
How can attackers exploit leaked passwords?
Hold your account hostage.
A hacker can log in and lock users out by changing their password and recovery info. Sometimes, they’ll even demand money to give it back, all while using the account to send spam or do shady stuff without users noticing.
Use your identity for malicious activity.
If attackers get into user financial accounts, they can impersonate them. That could mean emptying their accounts, making sketchy purchases, or digging into their private info.
Send convincing phishing messages.
Using details from exposed accounts, hackers can put together emails or texts that look very convincing. They might trick victims—or their friends—into clicking a link or giving away even more info.
Attempt to use exposed password on other accounts.
If users have a habit of reusing passwords, attackers will try the same one on other sites. It's called password spraying, and it works more often than cybersecurity experts would like.