Massive Credential Breach of More Than 184 Million Records Exposes Your Info
July 19, 2025
A staggering 184,162,718 account credentials have been compromised in a recent cybersecurity breach, marking one of the largest credential thefts in recent history. A cybersecurity researcher discovered the stolen data on a dark web marketplace, where usernames, email addresses, and hashed or plain-text passwords are now being sold or shared among cybercriminals.
The massive data breach was discovered by cybersecurity researcher Jeremiah Fowler in early May 2025. He identified an unsecured ElasticSearch database containing the unique login credentials, totaling approximately 47.42 GB of raw data. The breach spans multiple platforms and industries, including email providers, social media accounts, financial services, and online shopping portals. In fact, some of the information included usernames, passwords, and URLs for accounts across major platforms such as Apple, Facebook, Microsoft, and various government domains.
Analysts believe this massive cache may have been compiled from several smaller breaches or gathered through credential stuffing attacks—where hackers reuse leaked credentials from previous incidents to access other accounts. They also suspect infostealer malware was at play. It’s unlikely just one method was used to gather that volume of credentials.
What You Should Do:
Never reuse passwords on multiple online accounts. Each set of credentials should be unique.
- Immediately change your passwords, if you use any of the noted sites, especially if you reuse them across services.
- Enable multi-factor authentication (MFA) wherever possible. Any type of MFA is better than none.
- Monitor accounts for unusual activity and consider a credit freeze if financial data may be at risk.
- Always be on the lookout for phishing. Often, these emails give a sense of urgency that something bad will happen if you don’t act right away. That’s a big red flag. And, if you don’t know the sender who includes a link or attachment, just delete the message.
- Make sure you have anti-virus installed and kept updated on all of your devices. While it doesn’t catch everything (phishing, in particular), it will catch most malware.
As always, keep your eyes open for phishing lures that show up in your email inbox and via text messaging or apps. If any of them come from unfamiliar senders or if you’re not expecting links or attachments from the sender, don’t click them. If you cannot be certain, reach out independently to the sender and ask. If it turns out to be phishing, you’ll be glad you took that extra time.
SUBSCRIBE TO WEEKLY NEWSLETTER
