Security researcher Jeremiah Fowler uncovered an unsecured ElasticSearch database holding 184 million login records—usernames and plain-text passwords for services such as Apple, Google, Facebook, Microsoft and many more. A spot-check of 10,000 entries revealed hundreds of government email addresses from at least 29 countries, including the UK and the US, raising national-security concerns. The trove, hosted on an unmanaged server at hosting provider World Host Group, has now been taken offline, but its owner remains unknown. Fowler believes the data was almost certainly compiled by cyber-criminals using infostealer malware. World Host Group says the server was created by a fraudulent customer and is co-operating with law enforcement. It is unclear whether anyone else accessed or downloaded the credentials before the takedown.
Mysterious Database Dump Exposes 184 Million User Logins
A security researcher has discovered a colossal cache of stolen usernames and passwords—many in plain text—left wide open on the internet.
What was found?
• 184 million records sat in an unsecured ElasticSearch database.
• Credentials covered the world’s biggest platforms: Apple, Google, Facebook, Microsoft, Netflix, PayPal and dozens more.
• A test sample also included .gov email accounts from 29 nations, the UK among them.
Who’s behind it?
Jeremiah Fowler, the researcher who found the trove, says there were no clues pointing to an owner. Given the variety of services and the scale involved, he suspects the data was collated by criminals running infostealer malware rather than by legitimate researchers.
Where was it hosted?
The database lived on an unmanaged server rented from hosting provider World Host Group. After Fowler raised the alarm, the company pulled the server offline and confirmed that a fraudulent customer had uploaded the material. The firm is now liaising with law enforcement.
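An exposure of this kind is what an Elasticsearch node produces when it is bound to a public interface with authentication switched off: anyone who can reach TCP port 9200 can read, and usually write, every index. As an added illustration (not content from the article, and not the configuration of the server in the story, which is unknown), here is that weak elasticsearch.yml beside a hardened one. The cluster name, internal address and keystore paths are assumed values.

```yaml
# File 1: elasticsearch.yml as it is typically found on an "open" node (hypothetical, constructed example).
# Listening on every interface with security off means no credentials are needed for any request.
cluster.name: constructed-example
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

# File 2: elasticsearch.yml hardened (hypothetical, constructed example).
cluster.name: constructed-example
# Listen only on an internal address; also restrict 9200/9300 at the firewall or security group.
network.host: 10.0.0.5            # assumed internal address
http.port: 9200
# Require authentication on every request. Enabled by default from Elasticsearch 8.0;
# earlier releases must set it explicitly.
xpack.security.enabled: true
# TLS for clients (HTTP) so credentials are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12           # assumed path
# TLS between nodes (transport), with certificate verification.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12 # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

The check that matters is done from outside the intended network boundary: with the hardened file a bare request to the node's port is refused or times out (or, if it connects, answers 401 and asks for credentials), whereas a node answering with its JSON cluster banner and index listing to an anonymous request is exactly the condition described in this story.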
Why it matters
Login combinations in plain text are a cyber-criminal’s wish-list. Anyone who grabbed the data could:
• Hijack personal and business accounts.
• Attempt further phishing or social-engineering attacks.
• Use government credentials to pivot into sensitive networks.
What you should do
1. Change any reused passwords immediately.
2. Enable multi-factor authentication wherever possible.
3. Keep an eye on password-breach alerts and credit-monitoring warnings.
4. Businesses should audit hosting accounts for unmanaged or “shadow” servers.
One unsecured server wiped away any security those 184 million users thought they had.