The longtime security analyst who searched the database, Jeremiah Fowler, could not find any indication of who owned or operated it, so he worked to notify the hosting provider, which took the trove down because it violated the host's terms of service agreement.
In addition to email and social media logins for multiple platforms, Fowler also found logins for government systems from several countries, as well as consumer banking and credit card logins and credentials for media streaming platforms. Fowler suspects that the database was assembled by infostealing malware, which infects devices and then uses techniques such as keylogging to record the information victims type into websites.
Fowler says that during the roughly month-long period in which he attempted to contact the hosting service, the database continued to grow, accumulating additional logins for a range of services. He would not name the provider, because the company is a global host that contracts with independent regional companies to expand its reach; the database was hosted by one of these affiliates in Canada.
“It’s like a dream wish list for criminals because you have so many different types of credentials,” Fowler told WIRED. “An infostealer would be most useful. The database was in a format built for indexing large logs as if whoever installed it was expecting to gather a lot of data. And there were a lot of government logins from many different countries.”
In addition to the 48 million Gmail credentials, the trove also included approximately four million for Yahoo accounts, 1.5 million for Microsoft Outlook, 900,000 for Apple’s iCloud, and 1.4 million for “.edu” academic and institutional accounts. Among other services, there were also about 780,000 logins for TikTok, 100,000 for OnlyFans, and 3.4 million logins for Netflix. The data was publicly accessible and searchable using only a web browser.
“It seemed to capture anything and everything,” says Fowler, “but one thing that was interesting was that the system automatically classified each log with an identifier, and these were unique identifiers that did not appear twice. It seemed as if the system was automatically organizing the data as it went for easy searching.”
Although Fowler emphasizes that he did not determine who owned or used the information, or for what purpose, such a structure would make sense if the data was being queried so that cybercriminal clients could pay for different subsets of the information depending on their scams.
There is an endless flow of accidentally unsecured and publicly accessible databases online that expose sensitive information for anyone to access. But as data brokers and cybercriminals amass more and more data, the risk of such exposures only increases. And infostealing malware has compounded the problem by making it easy and reliable for attackers to automate the collection of login credentials and other sensitive data.
“Infostealers create a very low barrier to entry for new criminals,” says Allan Liska, threat intelligence analyst at security firm Recorded Future. “We’ve seen that a popular infrastructure costs around $200 to $300 per month to rent, so for less than a car payment, criminals can potentially gain access to hundreds of thousands of new usernames and passwords a month.”