A database containing 149 million account IDs and passwords, including 48 million for Gmail, 17 million for Facebook, and 420,000 for the cryptocurrency platform Binance, was removed after a researcher reported the exposure to the hosting provider.
The longtime security analyst who discovered the database, Jeremiah Fowler, could not find any indication of who owned or operated it. So he worked to inform the host, which removed the trove because it violated the terms of service.
In addition to email and social media logins for a number of platforms, Fowler also observed credentials for government systems in several countries, as well as logins for consumer banking, credit cards, and media streaming platforms. Fowler suspects that the database was put together by information-stealing malware, which infects devices and then uses techniques like keylogging to record information that victims enter on websites.
As he attempted to contact the hosting service for about a month, Fowler says the database continued to grow, accumulating additional logins for a range of services. He is not naming the provider because the company is a global host that contracts with independent regional companies to expand its reach. The database was hosted by one of these affiliated companies in Canada.
“It’s like a criminal’s dream wish list, because you have so many different types of credentials,” Fowler told WIRED. “An information thief would make the most sense. The database was in a format designed to index large newspapers, as if whoever set it up expected to collect a lot of data. And there were tons of government connections from many different countries.”
In addition to the 48 million Gmail IDs, the trove also contained approximately four million Yahoo accounts, 1.5 million Microsoft Outlook accounts, 900,000 for Apple’s iCloud, and 1.4 million university and institutional “.edu” accounts. There were also, among others, around 780,000 logins for TikTok, 100,000 for OnlyFans and 3.4 million for Netflix. The data was publicly available and searchable using a simple web browser.
“It seemed like it was capturing anything and everything, but one interesting thing was that the system seemed to automatically categorize every log with an identifier, and they were unique identifiers that didn’t reappear,” Fowler says. “It seemed like the system was automatically organizing the data as it went along to make it easier to find.”
Although Fowler points out that he did not determine who owned or used the information and for what purpose, such a structure would make sense if the data was interrogated by cybercriminal clients paying for different subsets of information depending on their scams.
There is a seemingly endless stream of mistakenly unsecured, publicly accessible online databases that expose sensitive information for anyone to see. But as data brokers and cybercriminals accumulate ever greater wealth, the stakes for potential breaches only increase. And information-stealing malware has added to the problem by allowing attackers to easily and reliably automate the collection of login information and other sensitive data.
“Information stealers create a very low barrier to entry for new criminals,” says Allan Liska, a threat intelligence analyst at security firm Recorded Future. “Renting popular infrastructure that we have seen costs between $200 and $300 per month, so for less than a car payment, criminals could potentially access hundreds of thousands of new usernames and passwords per month.”