More than 184 million passwords may have been exposed in a massive data breach that experts are calling a “cybercriminal’s dream.”
According to a new report by cybersecurity researcher Jeremiah Fowler, the leak affected everything from Apple and Google usernames and passwords and social media logins to bank accounts.
The database containing the compromised passwords was ironically unencrypted and not password-protected itself, the report said.
The publicly accessible database contained 184,162,718 unique logins and passwords reportedly tied to email providers such as Google and a range of Microsoft products, as well as social media platforms like Facebook, Instagram and Snapchat, ZDNet reported.
Fowler shared that information from bank accounts, health services and government portals was also unprotected.
The database may have been compiled via infostealer malware, a type of “malicious software designed specifically to harvest sensitive information from an infected system,” according to Fowler. This means that the sensitive information was likely stolen directly from users.
This kind of malware can steal user data that’s stored in web browsers, including autofill data and cookies, data stored in emails, and messaging app data.
It’s unclear exactly how the data may have been compromised, but a Snapchat representative told Mashable that they have not found any vulnerability or evidence of a breach on its platform.
After finding the unprotected database, Fowler contacted the hosting provider, which removed it from public access. However, since the provider wouldn’t share the file’s owner, he said that he’s unsure if it was created with a legitimate purpose and accidentally exposed, or if it was used with malicious intent.
To confirm the authenticity of the leaked data, Fowler messaged multiple email addresses listed in the database to confirm that the records had accurate, valid passwords and information.
“Many people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are. This could create serious security and privacy risks if criminals were to gain access to thousands or even millions of email accounts,” he wrote.
“From a cybersecurity perspective, I highly recommend knowing what sensitive information is stored in your email account and regularly deleting old, sensitive emails that contain PII, financial documents or any other important files,” he further advised. “If sensitive files must be shared, I recommend using an encrypted cloud storage solution instead of an email.”
