Someone Found Over 180 Million User Records in an Unprotected Online Database

[Nairaland]

BOOK INTERNATIONAL FLIGHTS TICKETS LOCAL FLIGHTS HOTELS BOOKINGS WORLDWIDE AND MORE AT CHEAPEST RATE EVER! CLICK HERE TO BOOK YOUR FLIGHT AND RECEIVE YOUR FLIGHT TICKET INSTANTLY

Someone Found Over 180 Million User Records in an Unprotected Online Database

If you use the internet, you've probably had at least some personal information go missing. It's just the nature of the web. But this latest discovery, as reported by Wired, is something different.

Security researcher Jeremiah Fowler found a public online database housing over 180 million records (184,162,718 to be exact) which amounted to more than 47GB of data. There were no indications about who owned the data or who placed it there, which Fowler says is atypical for these types of online databases. Fowler saw emails, usernames, passwords, and URLs linking to the sites where those credentials belonged. These accounts included major platforms like Microsoft, Facebook, Instagram, Snapchat, Roblox, Apple, Discord, Nintendo, Spotify, Twitter, WordPress, Yahoo, and Amazon, as well as bank and financial accounts, health companies, and government accounts from at least 29 countries. That includes the U.S., Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the UK.

Fowler sent a responsible disclosure notice to the hosting provider of the database, World Host Group. Fowler was able to detect signs that the credentials here were stolen with infostealer malware, which bad actors use to harvest sensitive information from a variety of platforms—think web browsers, email services, and chat apps.

Following Fowler's notice, World Host Group restricted the database from public access. The provider told Wired that the database was operated by a customer, a "fraudulent user" who uploaded illegal information to the server.

In order to ensure these credentials were real, and not just a bunch of bogus data, Fowler actually contacted some of the email addresses he found in the database. He got some bites, and those users were able to confirm the records that he found associated with their emails. That's no guarantee that all 184,162,718 records are accurate, but it's a good sign that most are. As such, it's entirely possible you and I both had credentials exposed in this database. What's worse, Fowler says there's no telling how long the database was open to the public before his notice shut it down.

There's a lot bad actors and hackers can do with this type of information. If they know the username and password combo to one of your accounts, they'll not only see if they can use it to break into that account, but they'll use it on other accounts of yours as well. If you reuse passwords, as many do, you could be facing a mass breach. It's bad enough when that concerns Facebook and Roblox accounts, but seeing as there were financial, health, and even government accounts here, the implications are huge.

How to protect yourself 

If you don't have access to the database, you can't say for sure whether your credentials are listed there, or which credentials they have.

Still, if you haven't changed the passwords for your accounts in some time, now might be a good time to do so. You don't need to change your passwords as frequently as traditional security advice has taught us, but it certainly wouldn't hurt to give your accounts a quick security audit.

Make sure you're using a strong and unique password for each and every one of your accounts. If you repeat passwords, you run the risk of credential stuffing (hackers trying the same stolen password on multiple accounts). In order to keep tabs on those passwords, use a secure password manager.     

Make sure you're using two-factor authentication (2FA) on all of the accounts that allow it. That way, even if a password is exposed, hackers won't be able to break into your account without the device containing the 2FA code. To boost your security, avoid SMS-based 2FA when possible, and opt for more secure 2FA options, like an authenticator app or physical security key. If your account offers it, try a passkey to combine the convenience of a password with the security of 2FA.

Source: Someone Found Over 180 Million User Records in an Unprotected Online Database