More than 184 million user logins for the likes of the Department of Home Affairs, Facebook, Google and many others have been exposed in what appears to be a large infostealer campaign.

Security researcher Jeremiah Fowler first discovered the leaked logins in early May when he came upon a “publicly exposed database” which contained fully 184,162,718 unique logins and passwords.

With the database holding 47.42 gigabytes of raw credential data, Fowler analysed a limited sampling of “exposed documents” to find accounts from Apple, Google, Facebook, and many others had been publicly exposed.

“I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorisation for the accounts,” wrote Fowler.

Fowler also identified account credentials linked to health platforms, banking and financial accounts and government services across the globe – including the Australian Department of Home Affairs’ visa and citizenship application platform, ImmiAccount.

A departmental spokesperson told Information Age Home Affairs was “aware of reports of a publicly accessible database containing account credentials”.

“The Department’s ImmiAccount platform has not been breached and remains secure,” they said.

“The Department takes its cyber security obligations seriously and continuously takes action to mitigate cyber risks, including implementing stronger security controls for ImmiAccount.”

Speaking with Information Age, Fowler said the database constituted “one of the more dangerous discoveries” he’d made in years.

“Usually in a database I will find internal records, customers, and employees of an organisation,” said Fowler.

“These are bad enough but in this case you have government accounts, banking accounts, social media and just about anything else that requires a password.”

Fowler did not download the full database, but according to Wired his analysis of a small sample of 10,000 records found 479 accounts for Facebook, 475 for Google, 240 for Instagram, 227 for online game platform Roblox, 209 for messaging platform Discord, and over 100 accounts each for Microsoft, Netflix and PayPal.

Fowler did not specify how many government-linked accounts were present in this small sample. Other organisations represented in it included Apple, Amazon, Nintendo, Snapchat, Twitter, Wordpress, Yahoo, Spotify and the UK’s National Health Service.

What is an infostealer?

Fowler added the database was “not password-protected or encrypted”, while the records within showed signs of being harvested by “some type of infostealer malware”.

Infostealers are malware designed to covertly harvest valuable data, such as user credentials, from an infected device.

The malware typically sends its haul to a central server, where data from multiple infections is stored in bulk; hackers later sell the data through underground marketplaces or messaging apps such as Telegram.

Logins for Home Affairs and social media accounts were included on the list. Photo: Shutterstock

Infostealers were most recently behind a series of credential exposures at Australia’s Big Four banks, while cyber intelligence firm Kela found over 330 million compromised credentials were stolen through such campaigns in 2024 alone.

While Fowler could not confirm how many of the 184 million logins were valid, or why they were stored on a publicly accessible database, Mandy Turner, adjunct lecturer in cyber criminology at The University of Queensland, told Information Age the massive size of the leak wouldn’t deter data brokers from attempting to sell it.

“Given data brokers can use AI and other advanced tools to check the veracity of stolen data, the size of the data set won’t be an issue for them to parse through,” said Turner.

Database taken down, but damages unknown

After finding the mysterious password collection, Fowler contacted its hosting provider, World Host Group, and saw the database had been taken down, though the provider refused to disclose its customer’s details.

“We will fully cooperate with the appropriate law enforcement authorities and, where appropriate, share all relevant customer data with them,” World Host Group chief executive Seb de Lemos told Wired.

Fowler was ultimately unable to confirm “if the database was used for criminal activity” or if the information was “gathered for legitimate research purposes and subsequently exposed due to oversight”.

“It is also not known how long the database was exposed before I discovered it, or if anyone else may have gained access to it,” he wrote.

Turner explained that while Fowler’s discovery is “not the largest” she’s seen, its reported “diversity of accounts” and central, collated structure could make it “very useful to nation state threats and criminals”.

“I am not privy to the data, but I can only surmise this is potentially comprised of previously stolen or leaked data, and it could still contain new information,” said Turner.

“This does not mean it is not significant, however, as data combined like this makes it easier for cyber threats – whether nation state-backed or criminal entities – to misuse people’s logins, as all the collation and collection has been done for them.”

Fowler told Information Age there were no timestamps in the dataset, though nearly all the login URLs out of a “limited sample” were still valid and active.

Keep calm and roll your passwords

Fowler said the “scale, global reach and potentially illegal nature of this breach” served as a “very big reminder” for account holders to review their security measures and change their passwords annually.

“Many people have only one email, and it is often connected to financial accounts, social media, applications, and more,” he said.

“Changing passwords can help protect the account if the old password has been exposed in a known or unknown data breach.”

He added people should check if their credentials have been exposed through services like Have I Been Pwned – a data breach record checker which detects whether a given email has appeared in a known incident.

Meanwhile, Troy Hunt, founder of Have I Been Pwned, told Information Age he hasn’t been able to contact Fowler to verify the dataset.

“There’s every chance the data is old recycled stuff,” Hunt said.

“I’d like to see the data itself.”

Turner echoed that she preferred a calm, non-alarmist approach to advising on large-scale data exposures, and urged account holders to maintain unique passwords.

“So many people recycle or iterate passwords instead of changing them completely,” said Turner.

“Consider using passphrases instead of the traditional password – or a reliable and trustworthy password manager and biometrics – and use multi factor authentication wherever possible.

“Additionally, be cautious of email or phone calls purporting to be a criminal who has ‘hacked you’, even if they quote a password you have used as proof.”