
Another huge leak of passwords is the tip of the infostealing iceberg

An unprotected database that spilled 149 million usernames and passwords to the web shines new light on how infostealing malware powers cybercrime.
[Photo: a black and white image of a Google "Sign in to Chrome" window with username and password fields. Photo by Zulfugar Karimov / Unsplash]

On Friday, security researcher Jeremiah Fowler reported finding an unprotected database storing 149 million sets of people's usernames and passwords. It's not clear why the database was open to the internet without a password of its own, but anyone could've accessed the millions of credentials inside if they, like Fowler, knew where to look.

Fowler couldn't find the database's owner, so he reported the security lapse to the web hosting provider, which took the data offline soon after.

Lily Hay Newman with exclusive details for Wired ($):

"In addition to email and social media logins for a number of platforms, Fowler also observed credentials for government systems from multiple countries as well as consumer banking and credit card logins and media streaming platforms. Fowler suspects that the database had been assembled by infostealing malware that infects devices and then uses techniques like keylogging to record information that victims type into websites."

This isn't the first time that we've seen a massive database of credentials exposed to the web, such as the recent, now-infamous report of 16 billion passwords floating around. While they seem sizable, these databases reflect only a slice of the booming underground economy of stolen credentials that powers much of cybercrime today. And that economy is fueled in large part by infostealing malware, which keeps criminal forums and marketplaces supplied with fresh credentials to trade.

Infostealing malware is an increasingly common and low-lift way for hackers to steal reams of passwords from your computer, because the victim does much of the hard work.

Infostealers can be planted in a number of places, from malicious ads in search results to spoofed error messages that prompt victims into pasting a command into their computer's terminal. Password-stealing malware is also commonly found in apps downloaded from the internet, affecting Windows and Mac users alike. The result is usually a victim unwittingly installing the malware on their own computer, granting the hackers instant and deep access to their private data, including the passwords saved in their web browsers.

Credential theft is big business for cybercriminals and remains a top way for hackers to target their victims. But unless you're personally minted with crypto, there's a greater chance that the hackers are actually after your corporate credentials, which they're hoping you saved in your browser on the occasions you work from home.

Stealing these credentials can make it really easy for hackers to break into corporations with just the employee's stolen username and password. Why use a fancy zero-day exploit when a hacker can just log in as if they are an employee? If the attacker is really lucky, they won't have to jump through an added hurdle of two-factor authentication.

Some of the biggest and most consequential breaches in recent years have been linked to password misuse coupled with missing security protections. A 2024 breach at Change Healthcare allowed hackers to steal the private health data of most Americans, thanks to a stolen password for an internal account that didn't have two-factor authentication enabled. 23andMe fell to a similar fate, after hackers used stolen credentials to break into thousands of user accounts, then exploited a bug in 23andMe's ancestry matching systems to scrape the sensitive health and genetic data belonging to millions of users.

Databases like the one Fowler discovered are the tip of the iceberg of data stolen by infostealers, revealing only a small window into the massive world of credential theft.

The next time you see a headline about a breach involving millions or hundreds of millions of passwords (or more!), there is a good chance it may not be a singular breach but a collection of many. It's worth remembering why hackers create huge databases of passwords to begin with, and the risks they pose to people and companies alike.

Thank you so much for reading and subscribing to this week in security! I hope you found this article helpful. If you like it, please share a link on your social media. Please reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.