A database has just dumped millions of leaked login credentials on the internet for anyone to find. I’m rushing to change my passwords, and you should too.

A Huge, Mysterious Database Has Been Leaked

Cybersecurity researcher Jeremiah Fowler has discovered an unprotected database containing 184 million credentials, including emails, login account names, passwords, and authorization URLs. The database totals 47.42 GB of “raw credential data” exposed to the internet with no password protection.

These aren’t passwords to random websites on the internet either. The database contains login credentials for websites like Apple, Amazon, Discord, Google, X, WordPress, Yahoo, PayPal, Facebook, Instagram, Snapchat, Roblox, Microsoft products, financial accounts, health platforms, and even government portals from several countries.

Fowler, who reported his findings to Website Planet, claims that the database shows multiple signs of the exposed data being harvested by infostealer malware. He also confirmed the authenticity of the leaked credentials by reaching out to multiple email addresses from the database and was able to validate several records as the contacted individuals confirmed their email addresses and passwords.

What’s even more surprising is that we have no idea where this data came from or who collected it. Its IP address shows that the database was connected to two separate domain names, but the Whois registration information is private, and the hosting provider didn’t disclose customer information. Thankfully, public access to the database was revoked shortly after the hosting provider received a disclosure notice from Fowler.

We also don’t know for how long the database was exposed to the public before Fowler discovered it, or if anyone else had accessed it before him. Since the data’s origins are unknown, there’s no information on whether this is the result of a massive hacking campaign or data gathered for legitimate research that got exposed due to oversight.

It’s Time to Change Your Passwords

As you can probably guess, finding millions of username and password combinations randomly on the internet would make any cybercriminal’s day. It’s unclear whether this information has already been exploited. Still, it could be used to carry out credential stuffing attacks, account takeovers, phishing and social engineering hacks, and even corporate espionage.

Related

Chrome Can Now Change Your Weak Passwords for You

Changing passwords can be annoying; let Google Chrome handle it for you.

I recommend changing all your important passwords as soon as possible and enabling two-factor authentication wherever applicable. If a hacker already has your username and password, two-factor authentication is the only thing stopping them from taking over your online accounts.

This is also a good time to start using a password manager if you don’t already. They can spot weak or compromised credentials ahead of time and prompt you to update them. You can also use free tools to check if your passwords have been compromised.