180 million login credentials leaked, possibly collected by malware, reports say


Cybersecurity researcher Jeremiah Fowler discovered on May 22, 2025, that a password-protected database contained 184,162,718 login credentials and passwords, and reported it to the overseas cybersecurity media Website Planet.

The database size is estimated to be 47.42GB and is believed to have been collected by InfoStealer malware (information-stealing malware).

Details of the leaked data and impact scope

Source: Website Planet

Type of authentication information included

The exposed database contained authentication credentials for a wide range of services. Account information for email providers, Microsoft products, and major social media and gaming platforms, including Facebook, Instagram, Snapchat, and Roblox, has been confirmed.

It also includes access information for bank and financial institution accounts in multiple countries, medical platforms, and government agency portal sites, putting the affected individuals and organizations at significant risk.

Mr. Fowler contacted multiple email addresses registered in the database and verified that the records contained accurate and valid passwords. The database was connected to two domain names, but the owner could not be identified.

Features of InfoStealer malware

InfoStealer is a generic term for malicious software that specializes in exfiltrating sensitive information from infected systems. It primarily targets credentials stored in web browsers, email clients, and messaging apps, but also steals autofill data, cookies, and cryptocurrency wallet information. Some variants also have the ability to capture screenshots and record keystrokes.

How the data was collected in this case is currently unknown, but caution is warranted because cybercriminals commonly distribute such malware through phishing emails, malicious websites, and cracked software.

Expected Major Security Risks

Credential Stuffing Attack

Credential stuffing is an automated attack method that attempts unauthorized access to multiple online services using stolen authentication information.

Attackers exploit the habit many users have of reusing the same password across multiple services and use botnets to execute thousands of login attempts per second. With the leaked 184 million authentication credentials, attackers can attempt to log in to any online service, including banks, social media, e-commerce sites, and corporate systems.

The success rate is generally considered to be around 0.1 to 2%, but at this scale, hundreds of thousands to millions of accounts could be compromised.
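The pattern described above, many usernames each tried once from the same source in a short window, is what distinguishes credential stuffing from a legitimate user mistyping a password. The following detector, added here as an illustration and not part of the original report, runs over a constructed log sample in an assumed "result=... user=... src=..." format and flags sources that match that pattern, listing any usernames that succeeded so they can be forced to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not from the report).
# 203.0.113.10 cycles through six usernames in five seconds; 198.51.100.7 is
# one user retrying their own password.
SAMPLE_LOG = """\
2025-05-23T10:00:01Z auth: result=FAIL user=alice src=203.0.113.10
2025-05-23T10:00:02Z auth: result=FAIL user=bob src=203.0.113.10
2025-05-23T10:00:02Z auth: result=FAIL user=carol src=203.0.113.10
2025-05-23T10:00:03Z auth: result=SUCCESS user=dave src=203.0.113.10
2025-05-23T10:00:04Z auth: result=FAIL user=erin src=203.0.113.10
2025-05-23T10:00:05Z auth: result=FAIL user=frank src=203.0.113.10
2025-05-23T10:00:10Z auth: result=FAIL user=alice src=198.51.100.7
2025-05-23T10:00:20Z auth: result=FAIL user=alice src=198.51.100.7
2025-05-23T10:00:30Z auth: result=SUCCESS user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_stuffing(events, window=timedelta(seconds=60), min_attempts=5, min_users=4):
    """Flag sources that make >= min_attempts attempts over >= min_users distinct
    usernames within `window`. Returns {src: {attempts, users, compromised}}."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, user, result))
    flagged = {}
    for src, attempts in by_src.items():
        for i, (start, _, _) in enumerate(attempts):
            # Attempts are time-sorted, so the window starting at attempt i is a prefix of the tail.
            win = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in win}
            if len(win) >= min_attempts and len(users) >= min_users:
                hits = sorted(u for _, u, r in win if r == "SUCCESS")
                flagged[src] = {"attempts": len(win), "users": len(users), "compromised": hits}
                break
    return flagged
```

Thresholds are assumptions; tune them to the service's normal login volume, and treat each "compromised" hit as a candidate for a forced password reset and session revocation.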

Account Takeover (ATO)

Account Takeover (ATO) is an attack that takes complete control of a user's account using legitimate credentials.

Accounts that do not have two-factor authentication (2FA) enabled are exposed to extremely high risks, as they can be accessed solely with a login ID and password. Once attackers take over an account, they gain access to all stored data, including personal information (PII), credit card information, purchase history, and contact lists.

Furthermore, there is a risk of cascading secondary damage: fraudulent emails sent to the victim's friends, family, and business partners under the victim's name, unauthorized transfers, and lockouts caused by changes to account settings.

Impact on businesses and government agencies

The leaked data has been confirmed to include numerous corporate accounts and government agency (.gov) accounts from various countries. If corporate credentials are misused, attackers could gain access to internal networks, steal confidential business data, engage in industrial espionage, and even carry out ransomware attacks.

Particularly concerning are the accounts of government agencies. If these include accounts with access rights to critical national infrastructure or confidential information, it poses a serious threat to national security. Additionally, there is a possibility that they could be exploited as a starting point for supply chain attacks, creating a risk of one breach cascading into others.

Risks related to cryptocurrency assets

Variants of InfoStealer malware target not only exchange accounts but also the private keys and seed phrases of browser extension wallets.

Such threats are on the rise. For example, the "StilachiRAT" that Microsoft warned about in March 2025 targets over 20 types of wallets including MetaMask, Trust Wallet, and Phantom, stealing credentials via the Windows registry.

If the leaked authentication information includes accounts from cryptocurrency exchanges, accounts without 2FA set up may be subject to immediate unauthorized transfers.

Cryptocurrency transactions are irreversible, making recovery extremely difficult once funds have been sent. Additionally, some of the latest malware has the capability to monitor the clipboard and automatically detect and steal addresses and private keys, posing a continuous threat to cryptocurrency holders.

Security Measures Users Should Implement

This large-scale leak is an important opportunity to review personal passwords and security measures. To prevent the damage from spreading, all users should promptly implement countermeasures.

The main measures users should take are as follows. Used in combination, they protect against the consequences of leaked credentials.

  • Password Management
    Change your password annually, using a unique and complex password for every account. Using a password manager is recommended.
  • Two-Factor Authentication (2FA)
    Essential for financial institutions, cryptocurrency exchanges, and other important accounts.
  • Account Monitoring
    Check for leaks on Have I Been Pwned (HIBP), and use login notifications and activity alerts.
  • Protection of Cryptocurrencies
    Manage large holdings with a hardware wallet.
  • Security Software
    Install reliable antivirus software and keep it up to date. Consider EDR solutions for advanced protection.
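The HIBP check recommended above can be done without sending the password itself: the Pwned Passwords range endpoint takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix, so the comparison happens locally. This is an added illustration, not code from the report or from HIBP; the `fake_fetch` response is constructed so the example runs offline, and `live_fetch` is the assumed real call.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def hibp_split_hash(password):
    """Uppercase SHA-1 hex digest split into the 5-char prefix that is sent
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" in line:
            suffix, count = line.split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Number of times the password appears in breach corpora (0 = not found).
    fetch_range(prefix) -> response body text; injected so it can be mocked."""
    prefix, suffix = hibp_split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def live_fetch(prefix):
    # Real request (assumed shape of the public API); Add-Padding hides the
    # true response size from a network observer.
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fake_fetch(prefix):
    # Constructed stand-in for the range "5BAA6" (prefix of SHA-1("password")).
    # Counts are made up; the suffix for "password" is the well-known hash tail.
    assert prefix == "5BAA6", "constructed fixture only covers one range"
    return ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
            "0000000000000000000000000000000000A:3\r\n"
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n")
```

The Pwned Passwords endpoint is the one HIBP service that needs no API key; checking whether an email address appears in a breach uses a separate, authenticated API.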