
Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials (wired.com) 15

A security researcher has discovered an exposed database containing 184 million login credentials for major services including Apple, Facebook, and Google accounts, along with credentials linked to government agencies across 29 countries. Jeremiah Fowler found the 47-gigabyte trove in early May, but the database contained no identifying information about its owner or origins.

The records included plaintext passwords and usernames for accounts spanning Netflix, PayPal, Discord, and other major platforms. A sample analysis revealed 220 email addresses with government domains from countries including the United States, China, and Israel. Fowler told Wired he suspects the data was compiled by cybercriminals using infostealer malware. World Host Group, which hosted the database, shut down access after Fowler's report and described it as content uploaded by a "fraudulent user." The company said it would cooperate with law enforcement authorities.

  • I bet one hacker group held another hacker group ransom, but they didn't pay up, so public went their stuff.

  • haveibeenpwned (Score:5, Interesting)

    by piojo ( 995934 ) on Wednesday May 28, 2025 @08:07PM (#65412205)

    Has this been incorporated into haveibeenpwned yet? (Note: that service requires you to submit a password, but it never leaves your browser. The sensitive part of the logic is run only in your javascript, and you can skip it entirely using curl and the shell.)
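
The curl-and-shell check mentioned in the comment above, as an added example that is not part of the original thread: the password is hashed locally with SHA-1 and only the first five hex characters of the hash are sent to the Pwned Passwords range endpoint, with the suffix match done on your own machine. The function names and the sample response are constructed for this example.

```shell
#!/bin/sh
# Added example: local side of a Pwned Passwords range lookup.

# Upper-case hex SHA-1 of the password, computed on this machine.
sha1_upper() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1
    fi | awk '{ print toupper($1) }'
}

# The only value sent to the service: the first 5 hex characters of the hash.
range_prefix() {
    sha1_upper "$1" | cut -c1-5
}

# Reads a range response ("SUFFIX:COUNT" lines, CRLF-terminated) on stdin and
# prints how often the password was seen, or 0 if its suffix is not listed.
count_in_range() {
    suffix=$(sha1_upper "$1" | cut -c6-40)
    tr -d '\r' |
        awk -F: -v s="$suffix" 'toupper($1) == s { n = $2 } END { print n + 0 }'
}

# Constructed response for prefix 5BAA6 (counts are made up for this example).
sample_range() {
    printf '%s\r\n' \
        '0000000000000000000000000000000000A:3' \
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42' \
        'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7'
}

# Live use (needs network); read the password from a prompt, not from argv:
#   curl -fsS "https://api.pwnedpasswords.com/range/$(range_prefix "$pw")" |
#       count_in_range "$pw"

# Offline demonstration against the constructed response.
printf 'prefix sent: %s, times seen: %s\n' \
    "$(range_prefix 'password')" "$(sample_range | count_in_range 'password')"
```
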

    • Also, Google Password Manager will scan the web for compromised passwords in your saved passwords. Since 99% of people already have a Google account, there's no new password to worry about, to use this service.

      I don't know if they've picked up this data set yet.

      • Re: (Score:3, Informative)

        by piojo ( 995934 )

        Note: this ridiculous service syncs your passwords in cleartext to your account even when you haven't explicitly set it up. You think you're just caching a password in your browser, but Google thinks it deserves no more protection than your inbox. Available to anybody that gains access to your account. It's a nice single point of failure.

        I just confirmed that though I try to keep Google from ever finding out any of my other passwords, it knows around ten of them (and is happy to display them with a few butt

        • If Google knows the passwords, they are already public knowledge. If you continue to use them, then that's on you.
        • Re:haveibeenpwned (Score:4, Informative)

          by AmiMoJo ( 196126 ) on Thursday May 29, 2025 @05:12AM (#65412889) Homepage Journal

          That is untrue.

          First, you have to have Chrome signed into your Google account. Second, the passwords are encrypted, not plaintext. The key is by default managed for you, but you are free to set your own password which generates a new key as well. If you do that, you can no longer view your saved passwords on the Google Account Manager website, only in browsers where you have entered your password.

          Obviously if someone gets into your Google account and you didn't bother to secure it, you are in trouble. Which is why Google pushes very hard to make you set up 2FA. If you have an Android device it basically gets enabled automatically.

          That's why you don't see mass hacking of Google accounts, or mass compromises of bank accounts with stolen passwords saved in Chrome.

          • by piojo ( 995934 )

            I'm not going to reply to your whole post because you've given too much material for rebuttal. I don't have the time. A few points:

            I don't log in to Chrome. I despise Chrome. I probably logged in for a short time as an experiment, though.

            I don't care if I have the option to encrypt the passwords. The point is that BY DEFAULT and without clear opt-in they are available to anybody with access to the account.

            It sounded like you implied compromised Google accounts don't lead to compromised bank accounts. That wo

            • by AmiMoJo ( 196126 )

              The default is to ask for permission, at least in the EU where the law requires it.

              • by piojo ( 995934 )

                In my experience it asks permission to cache your password, but the description is not descriptive. It doesn't say it's created a password manager for your account and will make it available there.

                The images I've found of the prompt say it's stored "on this device", though I can't recall what the prompt last was for me and whether it was always consistent--or whether it's the same on Android versus in Chrome.

                • by AmiMoJo ( 196126 )

                  If it says it stored them in the device then it's not the prompt to sync with your online account.

  • "As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification and documentation purposes." Great. As an ethical security researcher, he should have downloaded it and uploaded it to "Have I been pawned"
  • DOGE (Score:2, Interesting)

    by Anonymous Coward

    Probably the work of the fine folks over at DOGE.
