184M Logins Leaked of Social Media, Financial, Gov Accounts: Infostealer Breach Hits Global Users

A massive database of 184M login credentials, likely from infostealer malware, has been found exposed online, impacting government and financial portals and posing severe global cybersecurity risks.

A staggering 184 million unique login and password combinations, affecting a vast array of online services including government and financial accounts, were discovered in a publicly accessible database, according to cybersecurity researcher Jeremiah Fowler.

The massive 47.42 GB data trove, detailed in Fowler’s report for Website Planet, was likely harvested by infostealer malware and presents a severe risk of identity theft and widespread account compromise for users globally.

The unsecured database contained plaintext usernames, email addresses, passwords, and the corresponding login URLs for services ranging from social media giants like Facebook, Instagram, and Snapchat, to gaming platforms like Roblox, and critical portals for banking, healthcare, and various international government bodies. 

Although the hosting provider restricted access after Fowler’s notification, the duration of the exposure and whether malicious actors previously accessed the data remain unknown, a critical nuance Fowler himself pointed out. The incident starkly illustrates the pervasive threat of large-scale credential leaks and the urgent need for enhanced cybersecurity vigilance.

Unsecured Credential Stash Reveals Extensive Exposure

Jeremiah Fowler’s investigation detailed that the 184,162,718 unique login records were entirely unprotected by passwords or encryption. The database’s ownership is obscured by private Whois registration, though its IP address was linked to two domain names—one parked and the other apparently unregistered and available for purchase.

An interesting linguistic quirk noted by Fowler was the use of “senha,” the Portuguese term for password, for the credential files, while other text was in English. Fowler validated the authenticity of some records by contacting affected individuals, who confirmed their exposed passwords were accurate.

The sheer scope of compromised services is alarming. Beyond major social media and productivity suites from Google and Microsoft, government and financial credentials were also part of the leak, making it a potential enabler for state-sponsored actors or cybercriminals.

Infostealer Malware: A Persistent and Growing Threat

The characteristics of the exposed data strongly suggest collection via infostealer malware, a type of malicious software designed to siphon login credentials and other sensitive information from infected computers.

Infostealer campaigns are growing in sophistication, often disguised within legitimate-looking software or spread through convincing phishing emails. Fowler’s report emphasized the severe risks, including automated credential stuffing attacks, complete account takeovers, corporate espionage, and highly targeted phishing campaigns.

The possession or distribution of such stolen data carries legal consequences under regulations like the US Computer Fraud and Abuse Act (CFAA) and the EU’s General Data Protection Regulation (GDPR).

Alistair Finch, threat intelligence lead at SecureWorks, highlighted the notorious difficulty in attributing ownership of such vast, illicit datasets, as perpetrators are “adept at using anonymization techniques.”

In light of such exposures, Fowler stressed the importance of users regularly reviewing and deleting sensitive information from email accounts, suggesting that if sensitive files must be shared, an encrypted cloud storage solution is preferable to email.

Users who don’t prioritize unique passwords and multi-factor authentication across their accounts are particularly vulnerable to such cases of credential theft.

Data Security Incidents on the Rise

This 184 million record leak joins a continuous stream of significant data security events. A hack of a Signal clone run by the TeleMessage communications service recently compromised data of U.S. government officials.

Earlier in May 2025, an investigation by The Markup revealed that Covered California, a health insurance marketplace, had inadvertently transmitted sensitive user health data to LinkedIn via website trackers, sparking a class-action lawsuit.

The preceding months of 2025 also witnessed notable breaches. In April, an outdated software vulnerability led to the exposure of 4chan moderator emails and passwords, and a separate incident saw workplace monitoring app WorkComposer leak 21 million employee screenshots due to a misconfigured Amazon S3 bucket.

These events underscore the diverse attack vectors threatening user data. Historically, massive breaches like AT&T’s April 2024 exposure of 73 million customer records and France Travail’s March 2024 leak affecting 43 million citizens highlight the ongoing vulnerability of large organizations. Scrutiny of major tech providers also continues, as seen in April 2024 when a CISA board criticized Microsoft for a “preventable” Exchange Online breach, and CISA mandated action following a separate Microsoft email system compromise.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master’s degree in International Economics and is the founder and managing editor of Winbuzzer.com.
