Learn how 16 billion credentials from Google, Apple, Meta, PayPal were stolen and how to protect yourself.
What happened?
In early May 2025, security researcher Jeremiah Fowler discovered an unsecured ElasticSearch database left exposed by a customer on World Host Group's platform. This 47 GB trove contained 184 million plaintext credentials, including usernames, passwords, and URLs tied to major services (Google, Apple, Facebook, Instagram, PayPal, Discord, Netflix, Amazon, Nintendo, Spotify, Yahoo, Microsoft and others), and even government email accounts from 29 countries.
Why this is dangerous
1. Credential stuffing: stolen username/password pairs are tried across other services to hijack accounts. Roughly 81% of internet users reuse passwords, which is what makes this technique work.
2. Infostealer-related attacks: malware such as RedLine and Lumma harvests credentials from compromised machines at scale, with stolen passwords numbering in the billions in 2024 alone.
3. Legacy risk: stolen employee credentials go unmonitored, allowing bad actors to use them against corporate systems years down the road.
What systems & best practices can stop this
1. Secure infrastructure hygiene
Misconfigured or open databases remain a major risk to this day. Enforce strict ACLs, encryption of data at rest, and network-level protections for every data store, including "test" ones.
2. Elastic Endpoint Security (EDR)
Security that sifts and sorts through the noise of alerts, so you see the threats that really matter.
Use EDR tools to find infostealers, unapproved exfiltration, and suspicious activity on devices.
3. Monitor the dark web
Enable dark-web scanning so that leaked employee credentials are detected early and you are alerted to the situation.
4. Multi-factor authentication (MFA) everywhere
Implement MFA on all accounts: an attacker who holds only the password and not the second factor is far less likely to compromise the account, even when passwords are exposed.
5. Password hygiene
Recommend unique, strong passwords via password managers.
Educate users against risks of reuse and phishing.
Roll out passwordless alternatives: biometrics, passkeys (WebAuthn), SSO.
6. Credential stuffing defenses
Monitor for spikes in failed logins and block suspicious IP sources.
Throttle or require CAPTCHAs on excessive login attempts.
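A minimal form of the failed-login monitoring described above, as an added example that is not part of the original post: it reads constructed sample log lines, tracks failures per source IP in a sliding window, and flags IPs that fail across several distinct usernames, which is the signature of stuffing rather than a single user mistyping a password (the log format, thresholds and IP addresses are assumptions).

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>" per line.
SAMPLE_LOG = """\
2025-05-03T10:00:01Z 203.0.113.7 alice FAIL
2025-05-03T10:00:02Z 203.0.113.7 bob FAIL
2025-05-03T10:00:03Z 203.0.113.7 carol FAIL
2025-05-03T10:00:04Z 203.0.113.7 dave FAIL
2025-05-03T10:00:05Z 203.0.113.7 erin FAIL
2025-05-03T10:00:06Z 203.0.113.7 frank FAIL
2025-05-03T10:00:10Z 198.51.100.4 alice FAIL
2025-05-03T10:00:20Z 198.51.100.4 alice FAIL
2025-05-03T10:00:30Z 198.51.100.4 alice OK
2025-05-03T10:05:00Z 192.0.2.9 grace FAIL
2025-05-03T10:05:01Z 192.0.2.9 heidi FAIL
2025-05-03T10:05:02Z 192.0.2.9 ivan FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=1), max_failures=3, min_users=3):
    """Flag source IPs whose failed logins within a sliding window reach both thresholds.

    Stuffing spreads failures across many *different* usernames, so the distinct-user
    threshold separates it from one person mistyping their own password.
    Returns {ip: {"failures": n, "users": m, "action": "captcha" | "block"}}.
    """
    recent = {}    # ip -> deque of (timestamp, user) for failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, user, ok = parse_line(line)
        if ok:
            continue
        q = recent.setdefault(ip, deque())
        q.append((ts, user))
        while ts - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= max_failures and len(users) >= min_users:
            # Escalate: CAPTCHA at the threshold, outright block at twice the threshold.
            action = "block" if len(q) >= 2 * max_failures else "captcha"
            flagged[ip] = {"failures": len(q), "users": len(users), "action": action}
    return flagged
```

In production the same logic would run over your IdP or web-server auth logs and feed the throttling or CAPTCHA decision at the login endpoint.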
7. Least-privilege & network segmentation
Restrict employee credentials to necessary systems only. In the event of compromise, limit potential lateral movement.
Summary
A massive 184 million credential leak exposed plaintext credentials for major services including Google, Apple, Meta, and PayPal, as well as government accounts.
The leak came from an exposed ElasticSearch server, apparently filled via infostealer malware. To secure systems:
1. Secure networks and databases
2. Deploy EDR
3. Conduct dark-web scans
4. Enforce MFA
5. Educate users on password hygiene
6. Shield against credential stuffing
7. Use least-privilege access and segmentation
Combining organizational security controls (EDR, MFA, scanning, segmentation) with best practices for users (unique passwords, password managers, biometrics) forms a strong defense against future breaches and logins with stolen credentials.

RD Auditors provide uptime monitoring for websites, API, RPC, LLM, AI and MCP: a simple setup process, with instant alerts and notifications of any downtime or issues.
