Apple logins with plain text passwords found in massive database of 184M records
10 hours ago
Apple login credentials were among a massive database of 184 million records found sitting unprotected on a web server. Other logins included Facebook, Google, Instagram, Microsoft, and PayPal.
The owner of the database is unclear, but the security researcher who discovered it says that it amounts to “a cybercriminal’s dream working list” …
Jeremiah Fowler said that the database itself was not protected in any way, and was simply sitting on a web hosting server. It includes logins for various government portals, as well as banks and other financial service companies.
The publicly exposed database was not password-protected or encrypted. It contained 184,162,718 unique logins and passwords, totaling a massive 47.42 GB of raw credential data.
In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts. The database contained login and password credentials for a wide range of services, applications, and accounts […]
I also saw credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk.
The list of credentials included Apple IDs. The database is so large that Fowler hasn’t been able to identify every service it includes, but among them are logins for:
He verified the authenticity of the data by emailing some of the people whose records appeared in it; they confirmed that the listed passwords were genuine.
He reported it to the web hosting company, which restricted access to the database but would not disclose who owned the account.
Fowler believes that the data was likely gathered from infostealers – malware specifically designed to mine devices for personal information.
Common methods for deploying infostealers include phishing emails and pirated software.
One specific danger is criminals using phishing attacks to gain access to email accounts such as Gmail, which can be a treasure trove of data for them.
Fowler said that as an ethical researcher, he did not download the database, and instead sampled it using screenshots for the purposes of contacting victims to confirm details.