Massive credential leak threatens security of tech users
Kirsten Peremore
May 26, 2025 6:30:32 PM

On May 22, 2025, a massive data breach was reported that exposed over 184 million login credentials spanning major online platforms and services.
What happened
The breach involved a 47.42-gigabyte unsecured database containing usernames and passwords for accounts on Facebook, Instagram, Snapchat, Roblox, Microsoft products, and Apple services, including iCloud. Cybersecurity researcher Jeremiah Fowler discovered the database, which also included login details for banking, health, and government platforms across 29 countries.
The data was reportedly obtained through infostealer malware, a type of malicious software designed to extract saved credentials from web browsers and applications. Fowler verified the authenticity of the breach by contacting affected individuals, many of whom confirmed that their credentials were accurate and reused across multiple platforms.
The breach highlights the serious risks of password reuse and the shortcomings in existing security practices, especially as platforms push for passwordless authentication to counter such threats. The unsecured database was hosted by World Host Group and was taken offline after Fowler notified the provider.
What was said
According to the analysis by cybersecurity researcher Jeremiah Fowler, “While doing research for this report, I found that possessing or distributing potentially stolen personal data may constitute a criminal offence. Most emails contain partial or full names of users and, when combined with usernames and passwords, it could arguably be considered as personally identifiable information (PII). As an ethical researcher I never save data or test exposed credentials… In the U.S., laws such as the Computer Fraud and Abuse Act (CFAA) make it illegal to traffic in stolen login credentials. (18 U.S. Code § 1029 – Fraud and related activity in connection with access devices). In the EU, the General Data Protection Regulation (GDPR) treats the possession and processing of stolen personal data as a serious violation of data protection law.
I imply no wrongdoing by the hosting or IP provider, and/or its employees, agents, contractors, affiliates, and/or related entities.”
Why it matters
Massive credential exposures like the May 22, 2025, breach matter because stolen usernames and passwords don’t stay confined to social media; they often unlock far more sensitive systems, including those in U.S. healthcare. Many clinicians and administrators reuse login details across personal and professional accounts, so infostealer malware that harvests credentials from a browser can give attackers a backdoor into electronic health record platforms or patient portals. Once inside, cybercriminals can siphon protected health information.
FAQs
What is a data breach?
A data breach occurs when unauthorized individuals gain access to confidential, sensitive, or protected information, often involving theft or exposure of data such as login credentials, financial details, or medical records.
How do most data breaches occur?
Breaches typically happen through phishing attacks, malware (like infostealers), unpatched vulnerabilities, stolen credentials, or misconfigured cloud servers.
Why are healthcare organizations common targets?
Healthcare data is extremely valuable on the black market. A single medical record can be worth significantly more than a credit card number due to its depth and use in identity theft and insurance fraud.