149 million usernames and passwords exposed via insecure database

A database containing 149 million account usernames and passwords, including 48 million for Gmail, 17 million for Facebook, and 420,000 for cryptocurrency platform Binance, was removed after a researcher reported the exposure to the hosting provider.

Jeremiah Fowler, a longtime security analyst who discovered the database, couldn’t find any evidence of who owned or operated it, so he sought to notify the host. As a result, the host deleted the database because it violated their terms of service.

In addition to email and social media logins for many platforms, Fowler also observed credentials for government systems in multiple countries, consumer bank and credit card logins, and media streaming platforms. Fowler suspects the database was built by information-stealing malware that infects devices and uses techniques such as keylogging to record information victims enter on websites.

Over the roughly one month he spent trying to reach the hosting provider, Fowler said the database continued to grow, accumulating additional logins for various services. He declined to name the provider, as the company is a global host that contracts with local independent companies to expand its reach. The database was hosted by one of these affiliates in Canada.

“This is like a criminal’s dream list because they have so many different types of credentials,” Fowler told WIRED. “Infostealer made the most sense. The database was a form created to index large logs, as if whoever set it up expected to collect a lot of data. And there were a lot of government logins from different countries.”

In addition to 48 million Gmail credentials, the trove also included approximately 4 million for Yahoo accounts, 1.5 million for Microsoft Outlook, 900,000 for Apple’s iCloud, and 1.4 million for .edu academic and institutional accounts. Additionally, TikTok had approximately 780,000 logins, OnlyFans had 100,000, and Netflix had 3.4 million. The data were publicly accessible and could be searched using only a web browser.

“It seemed like we were capturing everything, but one thing that was interesting was that the system seemed to automatically categorize each log by identifiers, and these identifiers were unique identifiers that never reappeared,” Fowler said. “The system seemed to automatically organize the data to make it easier to search.”

Fowler emphasized that he cannot say who owned or used the information or for what purpose, but such a structure would make sense for querying the data on behalf of cybercrime customers who pay for different subsets of the information based on the type of fraud.

Countless improperly secured, publicly accessible databases sit online, exposing sensitive information for anyone to access. However, as data brokers and cybercriminals collect more information than ever before, the risk of a potential breach will only increase. The problem is further compounded by information-stealing malware that allows attackers to easily and reliably automate the collection of login credentials and other sensitive data.

“Information thieves create a very low barrier to entry for new criminals,” says Allan Liska, threat intelligence analyst at security firm Recorded Future. “We rented one popular piece of infrastructure; at a cost of between $200 and $300 a month, it’s cheaper than your car payment and could give criminals access to hundreds of thousands of new usernames and passwords each month.”
