Someone Found Over 180 Million User Records in an Unsecured Online Database

If you use the Internet, you’ve probably had at least some personal information go missing. That’s the nature of the Internet. But this latest discovery, as Wired reports, is something different.
Security researcher Jeremiah Fowler discovered a publicly available online database containing more than 180 million records (184,162,718 to be exact), amounting to more than 47 GB of data. There was no indication of who owned the data or who put it there, which Fowler said is unusual for these types of online databases. Fowler saw emails, usernames, passwords, and URLs linking to sites where the credentials belonged. These accounts included major platforms like Microsoft, Facebook, Instagram, Snapchat, Roblox, Apple, Discord, Nintendo, Spotify, Twitter, WordPress, Yahoo, and Amazon, as well as bank and financial accounts, healthcare companies, and government accounts from at least 29 countries. This includes the United States, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the United Kingdom.
Fowler filed a responsible disclosure notice with the database hosting provider, World Host Group. Fowler was able to detect signs that the credentials had been stolen using information-stealing malware, which attackers use to harvest sensitive information from a variety of platforms, including web browsers, email services, and chat applications.
After Fowler’s notification, World Host Group restricted public access to the database. The provider told Wired that the database was being operated by a customer, a “rogue user,” who was uploading illegal information to the server.
To make sure these credentials were real and not just a bunch of fake data, Fowler actually contacted some of the email addresses he found in the database. He got a few hits, and these users were able to confirm the records he found associated with their emails. That’s not a guarantee that all 184,162,718 records are accurate, but it’s a good sign that most of them are. So it’s entirely possible that you and I both had credentials exposed in that database. Worse, Fowler says there’s no way to tell how long the database was open to the public before his notice shut it down.
There’s a lot that scammers and hackers can do with this kind of information. If they know the username and password combination for one of your accounts, they’ll not only see if they can use it to hack that account, but they’ll also use it for your other accounts. If you reuse passwords, as many do, you could be looking at a massive breach. That’s bad enough when it comes to Facebook and Roblox accounts, but considering that there were financial, medical, and even government accounts involved, the implications are huge.
How to protect yourself
Without access to the database, you can’t tell for sure whether your credentials are listed there, or which of them were exposed.
However, if you haven’t changed the passwords for your accounts in a while, now might be a good time to do so. You don’t need to change your passwords as often as traditional security advice would have you believe, but it certainly doesn’t hurt to do a quick security audit of your accounts.
Make sure you use a strong, unique password for each of your accounts. If you repeat passwords, you run the risk of credential stuffing (hackers trying to use the same stolen password for multiple accounts). To keep track of these passwords, use a secure password manager.
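From the service side, credential stuffing has a recognisable shape: one source tries many different usernames in a short burst, almost all of them fail, and the occasional success is exactly the reused password the article warns about. The script below is an added illustration, not code from the article or from any of the companies named in it. The log format (timestamp, source IP, username, result), the field order and the thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Detect credential-stuffing bursts in constructed authentication logs.

Added example for this article, not the article's own code. The log format,
thresholds and sample lines below are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 walks through many accounts (stuffing); 198.51.100.4 is one
# user mistyping their own password twice, which must NOT be flagged.
SAMPLE_LOG = """\
2025-05-22T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-05-22T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-05-22T10:00:02Z 203.0.113.7 carol@example.com FAIL
2025-05-22T10:00:03Z 203.0.113.7 dave@example.com OK
2025-05-22T10:00:04Z 203.0.113.7 erin@example.com FAIL
2025-05-22T10:00:05Z 203.0.113.7 frank@example.com FAIL
2025-05-22T10:00:06Z 203.0.113.7 grace@example.com FAIL
2025-05-22T10:00:09Z 198.51.100.4 alice@example.com FAIL
2025-05-22T10:00:15Z 198.51.100.4 alice@example.com FAIL
2025-05-22T10:00:20Z 198.51.100.4 alice@example.com OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(seconds=60),
                    min_users=5, min_fail_ratio=0.7):
    """Return one finding per source IP whose sliding window of attempts
    touches >= min_users distinct accounts with a failure ratio >= min_fail_ratio.

    Each finding records the window with the most distinct usernames and the
    accounts that logged in successfully inside it (the ones to alert on).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    findings = []
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so all events fit within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "FAIL")
            ratio = failures / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "ip": ip,
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        "successes": sorted(u for _, u, r in span if r == "OK"),
                    }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_users']} accounts, "
              f"{f['failures']}/{f['attempts']} failed, "
              f"successful logins: {f['successes']}")
```

The two thresholds are what separate an attack from ordinary noise: a single user failing several times is a high failure ratio with one username, while a stuffing run is many usernames from one source. The successful logins inside a flagged window are the accounts whose password was reused somewhere else, which is where a forced reset and a 2FA prompt belong.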
Make sure you use two-factor authentication (2FA) on all accounts that support it. That way, even if your password is compromised, hackers won’t be able to break into your account without a device containing the 2FA code. To improve your security, avoid SMS-based 2FA whenever possible, and opt for more secure 2FA options like an authenticator app or a physical security key. If your account offers it, try using a passkey to combine the convenience of a password with the security of 2FA.