
Learn how a 184 million record database of plaintext credentials tied to Google, Apple, Meta and PayPal accounts ended up exposed, and how to protect yourself.

RD Labs
June 19, 2025

🔍 What happened?

In early May 2025, security researcher Jeremiah Fowler discovered an unsecured Elasticsearch database that a customer of World Host Group had left exposed on the company's hosting platform. The 47 GB trove held about 184 million plaintext records: usernames, passwords and the login URLs they belonged to, covering major services (Google, Apple, Facebook, Instagram, PayPal, Discord, Netflix, Amazon, Nintendo, Spotify, Yahoo, Microsoft and more) as well as government email accounts from 29 countries. The data appears to have been harvested by infostealer malware from infected user devices rather than taken from the services themselves, which is why one database could cover so many unrelated companies.

🛠 Why this is dangerous

1. Credential stuffing: stolen username/password pairs are replayed against other services to hijack accounts. Roughly 81% of users reuse passwords, so one leaked pair frequently unlocks several accounts.

2. Infostealer-driven harvesting: malware such as RedLine and Lumma lifts saved credentials from compromised machines by the millions, and the aggregated logs reached datasets measured in billions of stolen passwords in 2024 alone.

3. Long-tail risk: leaked employee credentials often go unmonitored and are never rotated, so attackers can still use them against corporate systems years later.

🌐What systems & best practices can stop this

1. Secure infrastructure hygiene

Misconfigured or openly reachable databases remain a major risk to this day. Apply strict ACLs, encryption at rest and network-level protections (private networks, firewall rules, authentication on the service itself) to every data store, including "test" instances; an Elasticsearch node bound to a public interface with security disabled is exactly how a dump like this one becomes world-readable.
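A quick way to catch the weak configuration above before it goes live is to audit elasticsearch.yml for the combination that exposes a node: a non-loopback bind address together with security or TLS switched off. The following is an added example (not code from the original post or from Elastic); the two embedded configuration snippets are constructed, the setting names `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings, and the flat key/value parser is a deliberate simplification that covers only the dotted-key lines the file normally uses.

```python
# Audit an elasticsearch.yml for the "publicly bound and unauthenticated" pattern.
# Added example; the configs below are constructed, not taken from the incident.

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}  # _local_ is ES shorthand for loopback

# How the exposed node was probably configured (constructed example).
WEAK_CONFIG = """\
# elasticsearch.yml on a throw-away "test" box
cluster.name: leak-test
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Same node with authentication and TLS on and bound to a private address only.
HARDENED_CONFIG = """\
cluster.name: leak-test
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Minimal parser for the flat 'dotted.key: value' lines elasticsearch.yml mostly uses.
    This is not a YAML parser: nested blocks, lists and IPv6 literals are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_network_bind(host):
    """True when the node listens on something other than loopback."""
    return host not in LOOPBACK


def audit(config_text):
    """Return a list of finding codes; an empty list means nothing obviously exposed."""
    s = parse_flat_yaml(config_text)
    findings = []
    host = s.get("network.host", "_local_")          # ES binds loopback only when unset
    security = s.get("xpack.security.enabled")       # None when the file does not set it
    exposed = is_network_bind(host)

    if exposed and security == "false":
        findings.append("unauthenticated-network-bind")   # anyone who can reach :9200 can read every index
    elif exposed and security is None:
        # Default is on since Elasticsearch 8.0 and off before; the version decides, so flag for review.
        findings.append("verify-security-default")

    if exposed and s.get("xpack.security.http.ssl.enabled", "false") != "true":
        findings.append("http-without-tls")               # credentials and data cross the wire in clear text
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))          # ['unauthenticated-network-bind', 'http-without-tls']
    print("hardened:", audit(HARDENED_CONFIG))  # []
```

Turning `xpack.security.enabled` on is necessary but not sufficient: you still have to provision users, roles and certificates, and the firewall or security group in front of the host should only admit the clients that need port 9200.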

2. Endpoint detection and response (EDR)

Use EDR tooling (for example Elastic Endpoint Security) that sifts through alert noise so the threats that matter surface.

EDR is where infostealers, unapproved exfiltration and other suspicious activity on user devices get caught, before the harvested credentials reach a dump like this one.

3. Monitor the dark web

Enable dark-web and leak-site scanning that detects early when employee credentials appear in a dump and alerts you, so the affected passwords can be reset before they are replayed.

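When a dump in this format does surface, the first question is which of your accounts are in it and whether their passwords were reused elsewhere (the credential-stuffing risk from the first section). The following triage script is an added example, not code from the original post or from any monitoring vendor. It assumes the common infostealer-log layout `url:username:password`, one record per line; the sample records, the accounts and the domains `example.com` and `gov.example` are constructed. The reset list it produces deliberately carries the account and where it appeared but never the password.

```python
# Triage a leaked "url:username:password" dump for your own accounts. Added example,
# constructed sample data; nothing here is from the exposed database.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in infostealer-log layout. Usernames may not contain ':' or '/',
# which is what lets the URL (which itself contains ':') be separated from them.
SAMPLE_DUMP = """\
https://accounts.google.com/signin:alice@example.com:Winter2024!
https://www.paypal.com/signin:alice@example.com:Winter2024!
https://login.microsoftonline.com:alice@example.com:Winter2024!
https://www.facebook.com/login:bob.smith@gmail.com:hunter2
https://www.netflix.com/login:bob.smith@gmail.com:hunter2
https://vpn.example.com/auth:carol@example.com:C0rr3ct-Horse
https://mail.agency.gov.example:dave@agency.gov.example:Passw0rd
garbage line without separators
"""

RECORD_RE = re.compile(r"^(?P<url>https?://\S+?):(?P<user>[^:\s/]+):(?P<password>.+)$")


def parse_dump(text):
    """Yield (host, username, password) tuples; unparseable lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        records.append((host, m["user"].lower(), m["password"]))
    return records


def email_domain(user):
    return user.rsplit("@", 1)[1] if "@" in user else ""


def accounts_in_scope(records, watched_domains):
    """Accounts whose e-mail domain is one of yours (or a subdomain), with the hosts they appear on."""
    hits = defaultdict(set)
    for host, user, _ in records:
        d = email_domain(user)
        if d in watched_domains or any(d.endswith("." + w) for w in watched_domains):
            hits[user].add(host)
    return dict(hits)


def reused_passwords(records):
    """Users who used one password on more than one host: the raw material for credential stuffing."""
    by_pair = defaultdict(set)                     # (user, password) -> hosts
    for host, user, pw in records:
        by_pair[(user, pw)].add(host)
    reused = defaultdict(set)
    for (user, _), hosts in by_pair.items():
        if len(hosts) > 1:
            reused[user] |= hosts
    return dict(reused)


def reset_list(records, watched_domains):
    """What the alert should contain: account, where it appeared, whether the password
    was reused. The password itself is intentionally not included."""
    reuse = reused_passwords(records)
    return [
        {"user": user, "hosts": sorted(hosts), "reused": user in reuse}
        for user, hosts in sorted(accounts_in_scope(records, watched_domains).items())
    ]


if __name__ == "__main__":
    for row in reset_list(parse_dump(SAMPLE_DUMP), {"example.com"}):
        print(row)
```

In practice the watched-domain set is your corporate domains plus any partner domains whose users hold accounts on your systems, and "reused" accounts go to the top of the reset queue because the same password is probably live somewhere you do not control.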

4. Multi-factor authentication (MFA) everywhere

Implement MFA on all accounts. Accounts protected by a second factor are far less likely to be compromised even when the password is exposed, and phishing-resistant factors such as passkeys close the gap further.

5. Password hygiene

Recommend unique, strong passwords generated and stored by a password manager.

Educate users about the risks of password reuse and phishing.

Roll out passwordless alternatives: passkeys (WebAuthn/FIDO2) unlocked with biometrics, and SSO to cut down the number of passwords in circulation.

6. Credential stuffing defenses

Monitor for spikes in failed logins, especially many different usernames tried from one source, and block suspicious IP sources.

Throttle or require CAPTCHAs after excessive login attempts from the same source.
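The two rules above are easy to state and easy to get wrong: a plain failure counter throttles a user who mistyped their own password five times just as hard as a bot cycling through a stolen list. The detector below, an added example rather than code from the original post or from any product, separates the two by also counting distinct usernames per source inside a sliding window, and reports successful logins from sources it later classified as stuffing so those sessions can be revoked. The log lines, IP addresses, usernames and thresholds are constructed; events are assumed to arrive in time order.

```python
# Sliding-window credential-stuffing detector over a constructed auth log. Added example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: ISO timestamp, source IP, username, outcome.
AUTH_LOG = """\
2025-06-18T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-06-18T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-06-18T10:00:02Z 203.0.113.7 carol@example.com FAIL
2025-06-18T10:00:03Z 203.0.113.7 dave@example.com FAIL
2025-06-18T10:00:03Z 203.0.113.7 erin@example.com SUCCESS
2025-06-18T10:00:04Z 203.0.113.7 frank@example.com FAIL
2025-06-18T10:00:10Z 198.51.100.20 alice@example.com FAIL
2025-06-18T10:00:15Z 198.51.100.20 alice@example.com FAIL
2025-06-18T10:00:20Z 198.51.100.20 alice@example.com FAIL
2025-06-18T10:00:25Z 198.51.100.20 alice@example.com FAIL
2025-06-18T10:00:30Z 198.51.100.20 alice@example.com FAIL
2025-06-18T10:00:40Z 198.51.100.20 alice@example.com SUCCESS
"""

WINDOW = timedelta(seconds=60)   # look-back per source IP
FAIL_THRESHOLD = 5               # failures inside WINDOW before we act at all
DISTINCT_USERS = 3               # this many different accounts from one IP = stuffing, not a typo
SEVERITY = {"allow": 0, "throttle": 1, "block": 2}   # verdicts only escalate, never relax


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def analyse(log_text):
    """Return (decisions, suspect_logins).

    decisions: ip -> 'allow' | 'throttle' | 'block'
    suspect_logins: ip -> usernames that logged in successfully from an IP later judged
    to be stuffing; those sessions should be revoked and the accounts reset."""
    failures = defaultdict(deque)     # ip -> deque of (timestamp, username) within WINDOW
    successes = defaultdict(list)     # ip -> usernames that got in
    decisions = {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        window = failures[ip]
        while window and ts - window[0][0] > WINDOW:   # evict failures older than WINDOW
            window.popleft()
        if ok:
            successes[ip].append(user)
        else:
            window.append((ts, user))

        n_fail = len(window)
        n_users = len({u for _, u in window})
        if n_fail >= FAIL_THRESHOLD and n_users >= DISTINCT_USERS:
            verdict = "block"        # one source, many accounts: replaying a stolen list
        elif n_fail >= FAIL_THRESHOLD:
            verdict = "throttle"     # one account hammered: CAPTCHA or back-off, not a hard block
        else:
            verdict = "allow"
        current = decisions.get(ip, "allow")
        decisions[ip] = verdict if SEVERITY[verdict] > SEVERITY[current] else current

    suspect = {ip: users for ip, users in successes.items() if decisions.get(ip) == "block"}
    return decisions, suspect


if __name__ == "__main__":
    decisions, suspect = analyse(AUTH_LOG)
    print(decisions)   # {'203.0.113.7': 'block', '198.51.100.20': 'throttle'}
    print(suspect)     # {'203.0.113.7': ['erin@example.com']}
```

Note that the stuffing source scored one hit (erin) before it crossed the threshold; that is why the successes are kept per IP and reported retroactively instead of only acting on the event that tripped the rule. Real deployments key the window on more than the IP (ASN, device fingerprint, user agent) because stuffing tools rotate addresses through proxies.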

7. Least-privilege & network segmentation

Restrict employee credentials to the systems they actually need. If an account is compromised, this limits how far an attacker can move laterally.

📌 Summary

A 184 million record leak exposed plaintext credentials for major services including Google, Apple, Meta and PayPal, along with government email accounts.

The leak came from an exposed Elasticsearch server that was apparently populated by infostealer malware.

To secure systems:

Secure networks and databases

Deploy EDR

Conduct dark-web scans

Enforce MFA

Educate users on password hygiene

Shield against credential stuffing

Use least-privilege access and segmentation

Combining organizational controls (EDR, MFA, dark-web scanning, segmentation) with good user practices (unique passwords, password managers, biometrics and passkeys) forms a strong defense against both future breaches and logins with stolen credentials.

RD Auditors provides uptime monitoring for websites, APIs, RPC endpoints, LLM, AI and MCP services, with a simple setup process and instant alerts on any downtime or issue.
