184 million records data leak: Google, PayPal and Netflix passwords leaked online

Security researcher Jeremiah Fowler stumbled upon a large database of login information and passwords containing over 184 million records recently. He mentioned the discovery in an article on Website Planet.

The data was not encrypted in any form and stored publicly, which meant that anyone with knowledge of its existence could download the data.

The sheer size of the database, more than 47 gigabytes of data, makes it one of the largest leaks in recent history. In early 2024, a 70 million records password dump was discovered.

A preliminary sampling of the data unveiled emails, usernames, passwords, and also links to login or authorization pages. Fowler found login information and passwords for a wide range of services in the dump. Notable products and services include Facebook, Instagram, Snapchat, Microsoft products, Google, Discord, and NHS.

Fowler discovered the database in early May 2025 and reported it to the web hosting company, which blocked public access shortly after to prevent further spreading of the data. He wrote to several of the email accounts found in the database to verify the authenticity of the data and was able to confirm it based on the replies that he received.

The security researcher suspects that it could be an infostealer's dump. Infostealer malware is designed to copy sensitive information, including passwords, cookies, recovery keys, credit card numbers, on infected systems.

The potential risks

Cybercriminals may use exposed credentials and other sensitive data for various attacks or gains:

• Credential stuffing: this refers to trying found username and password combinations on popular sites. Many Internet users use the same username and passwords on sites. Gain access to one, gain potential access to all.
• Account takeovers: changing the password of the account may block the original owner from signing in, especially if identification information, such as linked email addresses or phone numbers, are also changed.
• Corporate / government espionage: gain access to corporate or government networks through the accounts of employees.
• Phishing and social engineering: attacks may be run against emails or mobile phone numbers found in the dump.

How to protect your accounts

The database is no longer available online and it has not been integrated into a tool like Have I Been Pwned yet. Users may improve the security of their online accounts as a precautionary measure.

Here are our suggestions:

• Make sure that each online account uses a secure, unique password. Avoid dictionary words and names in passwords and combine numbers, upper- and lower-case letters, and special characters. Password managers are your friend.
• Enable two-factor authentication, especially for high-value accounts, e.g., PayPal, your email account, bank accounts and so on.
• Alternative: passkeys or security keys for extra security.
• Protect sensitive data, e.g. financial documents, tax information, medical documents, private photos and videos. Encryption is key.
• Don't store sensitive information in email accounts or online.
• Use good antivirus and keep it up to date to protect against the bulk of threats online.

Now you: have any tips on staying secure online? Feel free to share them with everyone in the comment section below.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of April): 1,811

RIP Matrix | Farewell my friend