Cybersecurity researcher Jeremiah Fowler has just published a report about his discovery of a massive, unprotected online database of millions of sensitive pieces of data that were stored in a plain text file absent of any password requirement or encryption.
According to ZDNet, the 184 million unique account credentials that Fowler found include usernames, passwords, emails and URLs for apps and websites like Google, Microsoft, Apple, Facebook, Instagram and Snapchat, among others.
Perhaps more concerning were the even more sensitive information in the database – specifically credentials for bank and financial account, health platforms and government portals.
Fowler’s analysis determined that this data has been captured by some type of infostealer, meaning the individuals exposed and the accounts involved will be vulnerable to a host of further scams and malicious behavior from threat actors such as phishing attacks.
Fowler has said he doesn’t know if this database was legitimately or maliciously created in the first place, because the hosting provider would not disclose the name of the owner, though they have removed it from public access.
Fowler directly contacted people listed in the file, told them he was researching a data breach and confirmed that the information contained in the database was correct, valid account information.
Additionally, he has said that while whomever owns the database is to blame for the incident, users who treat their email accounts like free cloud storage leave themselves open to security and privacy risks by having years worth of sensitive documents such as tax forms, medical records, contracts or passwords readily available to cybercriminals who are able to gain access to their email accounts.
How to stay safe
People who are involved in a security breach of this nature are subject to a variety of further threats, especially if they’ve reused the same password, used weak passwords, or have accounts in a position of government or other importance.
Like Fowler, we recommend that you always use strong, unique passwords that include multiple upper and lower case characters as well as numbers and special characters, that you frequently change and update passwords and that you never reuse passwords. It’s often easiest to use a password manager to keep all of your passwords private and safe, or if possible, use a biometric passkey. Whenever possible, enable two-factor or multi-factor authentication on your accounts.
Keep a close eye on all your accounts, and if you feel like you’ve may have been or know you have been victim to a data breach, check your accounts on sites like HaveIBeenPwned or a password leak checker. You should also make sure that your antivirus software is set to regularly scan your computer; these scans can be set to run automatically when you’re asleep or when you’re otherwise not using your machine so that you won’t be interrupted.
Lastly, know the signs of phishing scams and social engineering attacks so you can watch out for them – you are always the last line of defense when it comes to malware, and threat actors will take all the information they have in order to try and trick you into clicking on a link or downloading an app or software that appears legitimate but is secretly malicious code.
Never click on unexpected links, QR codes or attachments or links or attachments from unknown senders. Verify through independent means if someone contacts you asking you to download or click on something. Don't share personal information with people you don't know online, and clear out your accounts of old emails and photos that contain documents that may contain personal details and information.
