Saturday, May 31, 2025

Urgent: 180 million passwords exposed in massive data dump, including Gmail and Netflix


Security expert warns users to update passwords after massive leak of 180 million credentials

A staggering 180 million private login details from some of the world’s most popular online services have been exposed in a massive data dump, sparking urgent warnings from cybersecurity experts.

The leaked database includes credentials for widely used platforms such as Facebook, Netflix, Google, PayPal, and many others including Roblox, Microsoft, Apple, and Discord. Even sensitive login information from banks, health services, and government portals was part of the breach.

Cybersecurity researcher Jeremiah Fowler discovered the exposed database, which shockingly was left unprotected without any encryption or password safeguards. He believes the breach resulted from infostealer malware—a type of malicious software that quietly steals usernames, passwords, and other sensitive data from infected computers by scanning browsers, email clients, and messaging apps.

“Many people treat their email accounts like free cloud storage and store years of sensitive documents—tax forms, medical records, contracts, passwords—without thinking about the risk,” Fowler said. “If criminals get access to these accounts, it could cause serious security and privacy problems for millions.”


Fowler strongly advises everyone to check what sensitive information they have stored in their emails and to regularly delete old, sensitive messages containing personally identifiable information (PII), financial details, or other important documents. “If you must share sensitive files, use encrypted cloud storage instead of email,” he added.

The incident highlights the critical need for users to routinely update their passwords to prevent their accounts from being compromised. It is still unclear how long the database remained publicly accessible before it was taken offline, or who was behind the leak.

Fowler reported the breach to World Host Group, the web hosting company where the data was found. According to the company’s CEO, a fraudulent user signed up and uploaded the illegal content, which has since been removed. The hosting firm’s legal team is now assisting law enforcement investigations.

Security experts are increasingly urging users to move beyond traditional passwords. Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, told The Sun that passwords are “hard to remember and easy to guess,” leading many people to reuse them across multiple sites.

“While password managers help, they’re just a stopgap and don’t offer complete protection,” Hauk said. He recommends adopting passkeys, which allow users to log in without needing an email or password. Passkeys are unique to each app or website, cannot be shared or guessed, and remain stored only on the user’s device. They also require biometric authentication, such as Face ID or Touch ID, for added security.

Unlike passwords, passkeys cannot be stolen in a breach of a company's servers, because the secret part of a passkey is never stored there: the service keeps only a public key, which cannot be used to log in.
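A simplified sketch of the passkey login described above, added here as an illustration and not taken from the article or from any vendor's implementation. It uses Node's built-in `crypto` module with Ed25519 keys rather than the full WebAuthn protocol; the class names, the user name and the `.example` origins are assumptions.

```javascript
const crypto = require('node:crypto');

// Device side: one key pair per site; private keys stay inside this object.
class Authenticator {
  constructor() { this.keys = new Map(); }            // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                             // no passkey for this site
    return crypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Server side: stores public keys only and issues single-use challenges.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user);                         // a challenge is used once
    const pem = this.users.get(user);
    if (!c || !pem || !signature) return false;
    return crypto.verify(null, Buffer.concat([Buffer.from(this.origin), c]), pem, signature);
  }
}

// Constructed scenario: enroll, log in, then check three failure cases.
function demo() {
  const device = new Authenticator();
  const site = new Server('https://shop.example');
  site.enroll('alice', device.register(site.origin));
  const c1 = site.challenge('alice');
  const sig = device.sign(site.origin, c1);
  const login = site.verify('alice', sig);             // fresh challenge, valid signature
  site.challenge('alice');
  const replay = site.verify('alice', sig);            // old signature, new challenge
  const dump = [...site.users.values()].join('');      // what a server-side leak exposes
  const leakHasPrivateKey = dump.includes('PRIVATE KEY');
  const otherSite = device.sign('https://other.example', c1); // different site asks
  return { login, replay, leakHasPrivateKey, otherSite };
}
```

`demo()` shows that the login succeeds, a captured signature cannot be replayed, the server's stored data contains no private key, and the device has nothing to offer a site it was never registered with.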

This enormous password leak is a stark reminder that no one should be complacent about online security. Regularly changing passwords, deleting sensitive data stored in emails, and considering new login technologies like passkeys can all help reduce the risk of falling victim to cybercrime.
