Massive Credential Leak Exposes Millions of Users Across Multiple Platforms
Cybersecurity researcher Jeremiah Fowler has uncovered a significant login and password breach affecting multiple popular websites. The leak exposed passwords from 900,000 iCloud users within an unprotected database, alongside 148 million other stolen logins, silently harvested by malware from infected devices worldwide.
Discovery and Database Details
Fowler disclosed the breach through ExpressVPN, identifying 149.4 million unique login records, totaling approximately 96 GB of data. This unencrypted, password-free database was accessible via any standard web browser, making the stolen credentials vulnerable to anyone who stumbled upon it. Fowler noted the irony that cybercriminals themselves often fail to secure stolen data.
Scope of the Breach
- iCloud Accounts: 900,000 users affected
- Gmail Accounts: Approximately 48 million credentials
- Facebook Accounts: About 17 million logins
- Instagram Accounts: Roughly 6.5 million credentials
The breach extended beyond these platforms, including account data from email providers, social networks, financial services, cryptocurrency platforms, streaming services, dating sites, academic institutions, and government systems. Other affected services included Microsoft Outlook, Yahoo, Netflix, TikTok, OnlyFans, Binance, Roblox, and various banking and credit card logins.
Organization of the Stolen Data
The database was described as a “dream wish list for criminals” due to its breadth. Records were structured using reversed domain notation, creating an indexable format by victim and source. Line hashes served as document IDs to ensure no duplicate entries. Additionally, government credentials from multiple countries were found, raising concerns about national security implications.
National Security Risks
The presence of government employee logins linked to .gov domains highlights risks beyond individual security. Exposed government accounts put personal documents, account recovery messages, and private communications at risk. This breach poses potential threats of espionage or targeted attacks against government systems and personnel.
How the Breach Happened
Traditional security measures often fail against the methods used in this breach. Unlike server hacks targeting centralized databases, infostealer malware harvests credentials directly from infected devices. Such malware collects data through keylogging, browser scraping, clipboard capture, and session token theft. Notably, there is no evidence that major companies like Apple, Google, or Meta were breached at the server level.
Infostealer Malware Techniques
- Keylogging
- Browser scraping
- Clipboard capture
- Session token theft
Infostealer operations prioritize speed and scale over security, often storing stolen data in poorly configured cloud servers or databases, which are easily discoverable through routine internet scanning. Some attackers exploit OAuth vulnerabilities to generate persistent authentication cookies, bypassing traditional password protections entirely.
Protective Measures for Users
Morey Haber, Chief Security Advisor at BeyondTrust, emphasized that infostealer infection vectors include sideloading applications, jailbreaking, and exploiting vulnerabilities. Users can protect themselves by:
- Downloading apps only from verified sources such as official app stores
- Maintaining updated antivirus software
- Regularly updating operating systems
Growing Threat and Criminal Interest
Infostealer attacks surged by 84 percent in 2024, according to the IBM X-Force Threat Intelligence Index. Despite the prevalence of endpoint security solutions, 66 percent of malware infections occur on devices with such protections in place. These statistics highlight the high return on investment for cybercriminals compared to traditional cybercrime methods.
Ongoing Operation
Fowler observed that the breached database’s record count increased until the dataset was eventually taken offline, suggesting an ongoing automated collection operation. However, affected users were not notified promptly, as nearly a month passed before the hosting provider responded to Fowler’s report. The provider eventually suspended the database but indicated that the IP address was linked to an independently operated subsidiary in Canada. The delay in action allowed additional victim data to be compromised.
Lessons for Future Cybersecurity
Security professionals stress the need for a fundamental shift in defensive strategies. Boris Cipot, Senior Security Engineer at Black Duck, emphasized that credential breaches create a “long-term attack surface”, requiring organizations and individuals to adopt layered security measures. He also called for assuming that usernames and passwords are always at risk.
Recommended Security Practices
- Use a password manager, which stores credentials in encrypted form
- Enable multi-factor authentication (MFA) for accounts
- Adopt passkey authentication for enhanced protection against phishing and keylogging
- Avoid reusing passwords across services
- Regularly change passwords after potential compromises
While password managers and MFA offer substantial protection, they are not foolproof. Infostealer malware can capture session tokens, clipboard contents, and browser memory, bypassing these security layers. Alarmingly, only 54 percent of organizations reset passwords after malware infections, and just 33 percent terminate active sessions after detecting credential theft. This negligence extends the damage caused by infostealer malware long after the initial attack.
Response from Tech Giants
Google confirmed awareness of the dataset, describing it as an aggregation of infostealer logs collected over time from personal devices by third-party malware. The company clarified that this was not a new breach of its systems. Google stated it continuously monitors for such activity, employing automated protections to lock accounts and force password resets when exposed credentials are identified. Apple and Meta have not commented publicly on the exposure.
Addressing the Root Problem
Despite the breached database being taken offline, the underlying issue remains unresolved for affected users. Many stolen passwords remain valid and in use, presenting ongoing risks. Users are advised to change passwords for any potentially compromised accounts, especially if they reuse passwords across platforms. Additionally, enabling multi-factor authentication and adopting passkey authentication offer stronger defenses against credential theft.
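As an added illustration (not code from the article, from the researcher, or from any provider named here), the following Python sketches the defender's side of the "Organization of the Stolen Data" and "Recommended Security Practices" sections: it parses a constructed dump whose lines use the reversed-domain notation and line-hash document IDs the article describes, collapses duplicates on those IDs, picks out accounts in domains the organisation operates, and emits the password-reset and session-revocation actions that the article says are too often skipped. The line layout, the "|" separator, the sample records and the function names are assumptions.

```python
import hashlib

# Constructed sample dump (not data from the exposed database). Each line follows
# the article's description: a reversed-domain key naming the source site, then the
# harvested username and password. The "|" separator is an assumption.
SAMPLE_DUMP = """\
com.example.mail|alice@example.com|Winter2024!
com.example.mail|alice@example.com|Winter2024!
com.example.sso|bob@example.com|hunter2
com.othercorp.vpn|carol@othercorp.com|letmein
gov.example.portal|dave@example.gov|Passw0rd
"""


def reverse_domain(host: str) -> str:
    """'mail.example.com' -> 'com.example.mail', the indexable notation the article describes."""
    return ".".join(reversed(host.lower().strip(".").split(".")))


def line_id(line: str) -> str:
    """Document ID derived from the whole line, so repeated harvests of the same
    credential collapse to one record (the dedup scheme the article mentions)."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def parse_dump(text: str) -> dict:
    """Return unique records keyed by line hash. The plaintext password is replaced
    by a short fingerprint so the triage output can be circulated to account
    owners and helpdesk staff without re-exposing the secret."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count("|") != 2:
            continue  # skip blank or malformed lines rather than guessing
        doc_id = line_id(line)
        if doc_id in records:
            continue  # duplicate harvest of the same credential
        source, user, password = line.split("|")
        records[doc_id] = {
            "source": source,
            "account": user.lower(),
            "pw_fingerprint": hashlib.sha256(password.encode("utf-8")).hexdigest()[:12],
        }
    return records


def triage(records: dict, own_domains: set) -> list:
    """Select records naming an account in a domain we operate and attach the
    response actions the article recommends: reset the password, terminate
    active sessions (a stolen session token outlives a password change) and
    require MFA on the account."""
    hits = []
    for doc_id, rec in records.items():
        account_domain = rec["account"].rsplit("@", 1)[-1]
        if account_domain in own_domains:
            hits.append({
                "id": doc_id,
                "account": rec["account"],
                "source": rec["source"],
                "actions": ["force_password_reset", "revoke_active_sessions", "enforce_mfa"],
            })
    return sorted(hits, key=lambda h: h["account"])


def new_since(previous_ids: set, records: dict) -> set:
    """IDs present in this snapshot but not the last one; a steadily growing set is
    the sign of ongoing automated collection that the researcher observed."""
    return set(records) - previous_ids


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for hit in triage(recs, {"example.com"}):
        print(hit["account"], hit["source"], ", ".join(hit["actions"]))
```

Run against a real exposure notice, the `own_domains` set would hold every mail domain the organisation issues accounts for, and the emitted action list would feed the identity provider's reset and session-revocation APIs rather than being printed.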
Conclusion
This incident underscores the persistent and evolving nature of cybersecurity threats. The combination of social media, financial, and government credentials in a single database amplifies risks for affected users. Organizations and individuals must adopt robust security practices, assume that credentials are always at risk, and implement layered defenses to mitigate the impact of future breaches.