Massive Data Breach Exposes 184M Login Credentials

A cybersecurity researcher has uncovered one of the largest credential exposures of 2025: an unprotected database containing over 184 million login credentials suspected to have been harvested by InfoStealer malware.

Jeremiah Fowler, a security researcher with Website Planet, discovered the massive 47.42 GB database left completely exposed without password protection or encryption. The trove contained usernames, passwords, and URLs for accounts across major platforms including Facebook, Instagram, Microsoft products, Snapchat, Roblox, and numerous banking and government portals from countries worldwide.

"The database contained login and password credentials for a wide range of services that could put exposed individuals at significant risk," Fowler said in his report published Thursday. The researcher validated the authenticity of the data by contacting several email addresses listed in the database, with multiple individuals confirming their credentials were accurate.

Fowler states that the structure and organization of the exposed data show clear indicators of InfoStealer malware, which is malicious software designed to harvest sensitive information from infected computers. These programs typically target credentials stored in web browsers, email clients, and messaging applications, often stealing additional data like autofill information, cookies, and cryptocurrency wallet details.

Cybercriminals commonly deploy InfoStealers through phishing emails, malicious websites, or cracked software downloads. Once active on a victim's device, the malware silently collects stored passwords and other sensitive data, which is then either sold on dark web marketplaces or used directly for fraud and identity theft.

High-Risk Targets Include Government Accounts

Particularly concerning is the presence of numerous government email accounts with .gov domains from multiple countries, which Fowler noted could pose serious national security risks if the compromised accounts had access to sensitive networks or classified information.

Business credentials were also extensively represented in the breach, potentially providing attackers with pathways into corporate networks for espionage or ransomware attacks.

The hosting provider restricted public access to the database after Fowler's responsible disclosure, but crucial questions remain unanswered. The true owner of the database could not be identified due to private domain registration, and it's unknown how long the information was publicly accessible or whether other parties accessed the data.

The hosting company declined to provide customer information, leaving uncertainty about whether the database was used for criminal purposes or represented a research project that was accidentally exposed.

Expert Recommendations for Protection

Given the massive scale of the exposure, Fowler emphasized the critical importance of basic cybersecurity hygiene:

  • Change passwords annually and use unique credentials for every account
  • Enable two-factor authentication on all sensitive accounts
  • Use reputable antivirus software with up-to-date definitions
  • Monitor accounts for suspicious login activity
  • Check breach databases like Have I Been Pwned to see if credentials have been exposed

"Many people unknowingly treat their email accounts like free cloud storage, keeping years' worth of sensitive documents without considering the security implications," Fowler warned.
