Security researcher Jeremiah Fowler came across a freely accessible and unprotected database on the Internet. The find was quite something, as a look at the data sets suggests that it was probably data collected by InfoStealer malware. Records containing 184 million logins and passwords were stored in the database.
Jeremiah Fowler, who documented the discovery at WebsitePlanet in this blog post, was astonished when he came across the database on the Internet. The publicly accessible database was neither password-protected nor encrypted.
Millions of login data freely available on the Internet
In the database, Fowler found raw login data totaling 47.42 GB. In the end, he found that the database contained 184,162,718 records with unique login data and passwords.
In a limited sample of the exposed records, he found thousands of files containing emails, usernames, passwords and the URL links to the login or authorization pages of the affected accounts.
- According to Fowler, the database contained login credentials and passwords for a variety of services, applications and accounts, including email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox and many more.
- The security researcher was also able to identify credentials for bank and financial accounts, healthcare platforms and government portals from numerous countries.
The discoverer assumes that the data was extracted from the victims' systems by info stealer malware. This database is likely to pose a significant risk to the people affected.
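Fowler's triage of a limited sample, bucketing records by the kind of service behind the login URL and spotting the same credentials across several services, is the kind of assessment a responder does before notifying affected organisations. The following is an added example, not Fowler's code or the page's own, and it runs over a small constructed set of records (invented placeholder emails, passwords and `.test` hostnames, not data from the exposed database); the sector keyword map and the function names are assumptions made for illustration.

```python
"""Triage a credential-dump sample: bucket by sector and flag credential reuse.
Added example with constructed data; nothing here comes from the exposed database."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records in the shape the article describes
# (email, username, password, URL of the login page). All values are invented.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "username": "alice", "password": "Winter2024!",
     "url": "https://login.example-bank.test/auth"},
    {"email": "alice@example.com", "username": "alice", "password": "Winter2024!",
     "url": "https://www.example-social.test/login"},
    {"email": "bob@example.org", "username": "bob77", "password": "hunter2",
     "url": "https://portal.gov-example.test/signin"},
    {"email": "carol@example.net", "username": "carol", "password": "c0rrect-h0rse",
     "url": "https://mail.example-mail.test/"},
    {"email": "bob@example.org", "username": "bob77", "password": "hunter2",
     "url": "https://health.example-clinic.test/patient"},
]

# Hypothetical keyword map used to bucket login hostnames by sector.
# Order matters: the first matching sector wins.
SECTOR_KEYWORDS = {
    "financial": ("bank", "pay", "finance"),
    "government": ("gov",),
    "healthcare": ("health", "clinic", "patient"),
    "email": ("mail",),
}


def classify_host(url):
    """Return the sector bucket for a login URL, or 'other' if no keyword matches."""
    host = urlparse(url).hostname or ""
    for sector, words in SECTOR_KEYWORDS.items():
        if any(w in host for w in words):
            return sector
    return "other"


def triage(records):
    """Count records per sector and list (email, password) pairs reused across hosts.

    Returns (sector_counts, reused) where reused maps each reused credential
    pair to the sorted list of hostnames it unlocks. Reuse across a financial,
    government or healthcare host is what makes a dump like this high-risk.
    """
    by_sector = defaultdict(int)
    hosts_per_credential = defaultdict(set)
    for r in records:
        host = urlparse(r["url"]).hostname or ""
        by_sector[classify_host(r["url"])] += 1
        hosts_per_credential[(r["email"], r["password"])].add(host)
    reused = {k: sorted(v) for k, v in hosts_per_credential.items() if len(v) > 1}
    return dict(by_sector), reused


def notification_targets(records):
    """Hosts to notify, with the number of exposed accounts seen for each."""
    counts = defaultdict(int)
    for r in records:
        counts[urlparse(r["url"]).hostname or ""] += 1
    return dict(counts)


if __name__ == "__main__":
    sectors, reused = triage(SAMPLE_RECORDS)
    print("records per sector:", sectors)
    for (email, _pw), hosts in reused.items():
        print(f"credential reuse for {email}: {', '.join(hosts)}")
    print("hosts to notify:", notification_targets(SAMPLE_RECORDS))
```

The password itself is only used as a grouping key and never printed; in a real triage the column would be hashed or dropped before the sample leaves the analyst's machine, and the per-host counts are what go to the affected operators.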
Unknown owners
The IP address shows that the database was linked to two domain names, writes the security researcher. But he was unable to determine the owner or creator of the database. This was because one domain was parked and not available. The other domain was not registered and was offered for sale.
The Whois registration of the domains is private, and there seemed to be no verifiable way to determine the actual owner of the database of potentially illegal data. The security researcher then immediately sent the hosting provider a notice of responsible disclosure, and the database was blocked from public access shortly thereafter.
Unfortunately, the hosting provider did not want to disclose the data of its customers, so it is not known whether the database was used for (the assumed) criminal activities or whether this data was collected for legitimate research purposes and then published due to an oversight. It is also not known how long the database was open before it was discovered. It is therefore not possible to say whether or not anyone else has gained access to this data.
However, according to Fowler, the records show several signs that the data was harvested by a type of Infostealer malware. Infostealers are a type of malware specifically designed to steal confidential information from an infected system. Such malware usually targets login credentials (such as usernames and passwords) stored in web browsers, email clients and messaging applications.
Some variants of the malware can also steal autofill data, cookies and crypto wallet information – some can even take screenshots or log keystrokes.
It's not known exactly how this specific data was collected, but cybercriminals use a range of methods to deploy Infostealers, often hiding malware in phishing emails, malicious websites or cracked software. Once the Infostealer is active, the stolen data is often either distributed on dark web marketplaces and Telegram channels or used directly for fraud, identity theft or other cyberattacks. Further details can be found in the relevant blog post.
They should have dumped the data in Have I Been Pwned, so users would be aware of their information being in the hands of cybercriminals.