🔓 184 Million Plain-Text Passwords Exposed in Mysterious Database — Apple, Google, and Government Accounts at Risk
On this page
- What the Database Contained
- The Government Security Risk — 220 .Gov Emails Exposed
- Where Did This Data Come From?
- Why This Is Different From the 16-Billion Credential Leak
- How Attackers Exploit Leaked Credentials
- How to Protect Your Accounts Right Now
- What This Means for Password Security in 2026
- FAQs About the 184 Million Password Database
Security researcher Jeremiah Fowler has uncovered one of the most alarming credential leaks in recent memory — an unprotected database containing 184,162,718 records of plain-text usernames and passwords, spanning Apple, Google, Facebook, Microsoft, Netflix, PayPal, Amazon, and 220 government email addresses from at least 29 countries. The database, which was publicly accessible on an unmanaged server, has since been taken down, but the data had already been sitting exposed — and the implications for account security are severe.
In our analysis of this discovery, we found that this isn't a typical breach involving hashed or encrypted passwords. These credentials were stored in plain text, meaning anyone who accessed the database could log into the corresponding accounts directly. Security researcher Jeremiah Fowler told WIRED, "This is probably one of the weirdest ones I've found in many years. As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal's dream working list."
What the Database Contained
Each record in the database included an ID tag identifying the account type, the URL of the service the credentials were for, a username or email address, and — most critically — the password in plain text. The password field was labelled "Senha", the Portuguese word for password, suggesting the data was compiled by Portuguese-speaking cybercriminals or hosted by someone with linguistic ties to Brazil or Portugal.
In a sample analysis of 10,000 records, Fowler identified credentials for a broad cross-section of major online platforms:
- Facebook: 479 compromised accounts
- Google: 475 accounts (including Gmail, YouTube, Google Workspace)
- Instagram: 240 accounts
- Roblox: 227 accounts (a significant risk for families with children)
- Discord: 209 accounts
- Microsoft: Over 100 accounts (including Outlook, Azure, Office 365)
- Netflix, PayPal, Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter (X), WordPress, Yahoo: All with significant numbers of exposed credentials
The sample also revealed keywords like "bank" appearing 187 times and "wallet" appearing 57 times, indicating that financial accounts were specifically targeted. Fowler verified the authenticity of the leaked credentials by contacting several email holders, who confirmed the accounts were genuine.
The Government Security Risk — 220 .Gov Emails Exposed
Perhaps the most alarming aspect of this breach is the number of government email addresses caught in the database. In the 10,000-record sample, Fowler found 220 email addresses with .gov domains, representing at least 29 countries including the United States, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the United Kingdom.
Government credentials exposed in plain text represent a national security risk. An attacker with a compromised .gov email and password could potentially access sensitive internal systems, inter-agency communications, and classified government portals. This incident mirrors the pattern of the CISA contractor leak in May 2026, where AWS GovCloud keys and plaintext passwords for dozens of internal CISA systems were exposed on a public GitHub repository for six months.
Public sector organisations should treat this as an urgent incident response trigger. Any government employee whose email appears in this database needs immediate password resets, credential reviews, and potentially full system access audits across their agency's infrastructure.
Where Did This Data Come From?
Fowler suspects the data was compiled by cybercriminals using infostealer malware — malicious software that silently infiltrates devices and steals saved passwords, browser autofill data, browser cookies, credit card numbers, and cryptocurrency wallet keys. "It is highly possible that this was a cybercriminal," Fowler told WIRED. "It's the only thing that makes sense, because I can't think of any other way you would get that many logins and passwords from so many services all around the world."
The database was hosted by World Host Group on an unmanaged server that was controlled by a customer. After Fowler reported the exposure, access was quickly shut down. World Host Group CEO Seb de Lemos stated, "It appears a fraudulent user signed up and uploaded illegal content to their server. The system has since been shut down. Our legal team is reviewing any information we have that might be relevant for law enforcement."
It remains unknown whether anyone else accessed the database before it was secured, or whether the data has already been downloaded and distributed across criminal marketplaces.
Why This Is Different From the 16-Billion Credential Leak
You may have seen headlines about 16 billion passwords being exposed — the record-breaking infostealer data leak reported by Cybernews. The 184-million record database discovered by Fowler is a separate, distinct incident with a crucial difference: where the 16-billion leak was a compilation of many datasets, this single database contained plain-text credentials that can be used immediately, without any cracking or decryption required.
Infostealer logs typically contain session cookies and structured data. This database provided direct, plain-text login credentials — a much more dangerous level of exposure because the passwords can be typed directly into login pages.
How Attackers Exploit Leaked Credentials
When credentials like these fall into criminal hands, here's what typically happens next:
- Account takeover: The attacker changes the password and recovery information, locking the legitimate owner out.
- Credential stuffing: The same email and password combination is tried on hundreds of other websites. According to the Verizon 2026 Data Breach Investigations Report, 86% of web application breaches involve stolen or weak credentials, and credential stuffing is one of the most common attack vectors.
- Identity theft: Access to email, social media, and financial accounts enables attackers to steal personal information, apply for credit, and commit fraud.
- Targeted phishing: Armed with specific knowledge of which services you use, attackers craft convincing phishing emails that are far more likely to succeed.
- Financial exploitation: Compromised PayPal, Amazon, and banking accounts can be drained or used to make fraudulent purchases.
How to Protect Your Accounts Right Now
If you use any of the services listed above — and statistically, you almost certainly do — here are the steps you need to take immediately:
1. Change Your Passwords — Every Single One
Do not wait for a notification from the service. If any of your credentials were in this database, the attackers may already have them. Use our TitanPasswords generator to create strong, unique passwords for every account. Aim for at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols.
2. Never Reuse Passwords
The single most important rule of credential security: every account needs its own password. If you reused the same password across Facebook, Amazon, and your bank, a leak of your Facebook credentials gives attackers access to your bank account too. Read our guide on the Three-Tier Password Strategy to learn how to prioritise your most critical accounts.
3. Enable Multi-Factor Authentication Everywhere
Two-factor authentication (2FA) is your most effective defence against credential theft. Even if an attacker has your password, they cannot log in without the second factor. For maximum protection, use a hardware security key or an authenticator app rather than SMS codes, which can be intercepted through SIM-swapping attacks.
4. Check If You've Been Affected
Visit Have I Been Pwned and enter your email addresses to see if any of your accounts appear in known data breaches. This is free and does not require registration. If your email appears, change the password for that service immediately.
5. Use a Password Manager
A password manager generates, stores, and autofills strong, unique passwords for every account. You only need to remember one master password. For banking and financial accounts where the stakes are highest, we recommend choosing a manager with zero-knowledge encryption and a strong audit trail. See our comparison of the best password managers for banking security for detailed recommendations.
What This Means for Password Security in 2026
This breach reinforces a pattern we have been tracking throughout 2026: credential theft is the single greatest threat to online security, and plain-text storage of passwords by criminals — not by companies — is enabling mass exploitation at an unprecedented scale.
The 184-million record database is not a failure of a single company's security practices. It is a testament to the scale at which cybercriminals are now operating, compiling stolen credentials from infostealer malware campaigns and centralising them into searchable databases for easy exploitation. The "Senha" database is just one of at least 30 such datasets that security researchers have identified in 2026 alone.
Your best defence is to assume your credentials have been compromised at some point — because statistically, they probably have been. The question is not whether a breach will expose your password, but whether that password is unique enough that the exposure only affects one account. That is what the zero-trust approach to password security looks like in practice: assume breach, verify everything, and never let a single compromised credential cascade into a total account takeover.
FAQs About the 184 Million Password Database
Was my password in the 184-million record database?
It is possible but not certain. The full list of credentials has not been published, and researchers have only analysed a 10,000-record sample. The safest assumption is that if you use any of the affected platforms (Apple, Google, Facebook, Microsoft, Netflix, PayPal, Amazon, or any .gov service), your credentials may have been exposed. Use Have I Been Pwned to check.
Is this the same as the 16-billion password leak?
No. The 16-billion credential leak reported by Cybernews is a separate compilation of multiple datasets. The 184-million record database is a single, distinct database discovered by Jeremiah Fowler. Crucially, this database contained plain-text passwords — not hashed credentials that would need to be cracked.
How did the database become public?
It was stored on an unmanaged server hosted by World Host Group, left accessible without a password. The company says a fraudulent user uploaded the data. It was discovered by security researcher Jeremiah Fowler and taken down after reporting.
Should I change my password even if I don't see my account in checkers?
Yes. Breach checkers only cover known breaches, and this database has not been fully indexed. If you are using any of the affected services, change your passwords proactively. Use a unique password for every account.
Does two-factor authentication protect me if my password is leaked?
Yes, in most cases. If your account has 2FA enabled, an attacker with your password alone cannot log in without the second factor. However, sophisticated attackers may attempt to bypass 2FA through session token theft or phishing. Enable 2FA on every account that supports it, and prefer hardware security keys or authenticator apps over SMS codes.
What specific action should .gov employees take?
Any government employee should immediately reset their passwords, review account activity for suspicious logins, enable 2FA on all work accounts, and report the potential exposure to their agency's security team. Given that government credentials were found alongside financial and consumer platform credentials, the risk of targeted exploitation is significant.
What is infostealer malware?
Infostealers are malicious programs that secretly install themselves on devices — often through pirated software, fake downloads, or phishing links — and steal saved passwords, browser cookies, credit card numbers, and cryptocurrency wallet data. Examples include RedLine, Raccoon, and Vidar. Protect yourself by downloading software only from official sources, keeping your OS and antivirus updated, and avoiding suspicious email attachments.
How can a password manager help in this scenario?
A password manager ensures every account has a unique, strong password, so even if one set of credentials is exposed in a breach, no other account is at risk. It also makes it easy to rapidly rotate passwords if you discover you have been affected — you can update hundreds of accounts in the time it would take to reset a handful manually.
⚡ Try NordPass — Get NordPass Up to 53% Off - 2 Year Family Plan and experience enterprise-grade password security at an affordable price. Features include zero-knowledge encryption, cross-platform sync, and breach monitoring.