Database Leak Reveals 184 Million Infostealer-Harvested Emails and Passwords

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing 184 million login credentials, likely collected using infostealer malware.

Cybersecurity researcher Jeremiah Fowler has discovered a misconfigured and unprotected database, containing over 184 million unique login names and passwords. According to Fowler’s research, shared with Hackread.com, this exposed collection amounted to approx. 47.42 gigabytes of data.

The database, which was not secured by a password or encryption, stored credentials for numerous online services. These included popular email providers, major tech platforms like Microsoft, and social media sites such as Facebook, Instagram, Snapchat, and Roblox.

Worse, the leak also contained access information for bank accounts, health platforms, and even government portals from various nations, putting unsuspecting individuals at high risk. Fowler confirmed the authenticity of some records by contacting individuals whose emails were found in the database. Several people verified that the listed passwords were indeed accurate and valid ones.

Upon discovery, Fowler quickly notified the hosting provider, and the database was removed from public access. The database’s IP address pointed to two domain names, one of which appeared to be unregistered. Due to private registration details, the true owner of this data cache remains unknown.

It’s also unclear how long this sensitive information was exposed or if other malicious actors had accessed it before its discovery. Since the hosting provider did not reveal customer details, the purpose of the data collection, whether for criminal activity or legitimate research with an oversight, remains unknown.

184 Million Logins Exposed in Misconfigured Cloud Server Likely Compromised by Infostealer Malware
Logins & Passwords Stored in the Database (Source: Website Planet)

From the looks of it, the database belonged to cybercriminals who were collecting data using infostealers and ended up exposing their own database in the process. Infostealers are widely used and effective tools among criminals. In fact, reports have shown that even the US military and FBI have had their systems compromised by infostealers costing as little as $10.

Infostealer malware is specifically designed to secretly collect sensitive information from infected computers, typically targeting login credentials stored in web browsers, email programs, and messaging apps.

Hackread.com’s reporting of the recent coordinated action by Microsoft and Europol to disrupt Lumma Stealer’s infrastructure, which infected over 394,000 Windows computers worldwide, offers a critical insight into the kind of threat highlighted by Fowler’s discovery.

As analysed by Fowler, the data, often raw credentials and URLs for login pages, aligns perfectly with what infostealers like Lumma are designed to steal. Although Fowler could not definitively name the specific malware responsible for the exposed database, the characteristics of the data strongly suggest such a method.

Cybercriminals exposing their own servers is nothing new. Just a few months ago, reports revealed that the well-known ShinyHunters and Nemesis hacking groups collaborated to target and extract data from exposed AWS buckets, only to accidentally leak their own in the process.

The availability of millions of login details presents a major advantage for cybercriminals who can exploit them through methods like “credential stuffing attacks” and “account takeovers.” These attacks allow criminals to access personal data, enabling identity theft or financial fraud.

The exposed data can also include business credentials, posing risks of corporate espionage and even risks to sensitive state networks. Knowing an email and an old password can make phishing and social engineering attacks more convincing.

Fowler urges users to stop using their emails as cold storage, update passwords regularly (especially in cases of unknown breaches), use a unique password for each account and never reuse it, use Two-Factor Authentication (2FA), and enable login notifications or suspicious activity alerts.

HackRead
