Experts call for stronger online protection as massive data breach unveiled

KARACHI: Cybersecurity experts have urged internet users across Pakistan to immediately change their passwords and enable two-factor authentication, following news reports about a major global data breach that has exposed login credentials of more than 180 million internet users worldwide.

The National Cyber Emergency Response Team (PKCERT), the government body responsible for securing Pakistan’s digital infrastructure, issued an advisory on Monday warning of a publicly accessible, unencrypted database containing over 184 million unique account credentials. The breach, believed to be the result of infostealer malware, has compromised sensitive information -- including usernames, passwords, email addresses and URLs -- tied to platforms such as Google, Microsoft, Apple, Facebook, Instagram and Snapchat, a s well as government, financial and healthcare systems.

Digital rights experts say the threat is not abstract -- and called for immediate, practical steps by the public to limit potential damage.

In his comments to The News, digital rights activist Usama Khilji shared steps that users could take for online protection. He said that “everybody should change their passwords; they should be careful about clicking on any links”, adding that it is also important to be careful about “what communication they are getting from other contacts that they know because other people’s accounts could potentially be hacked while they are interacting with you.”

The leak was first reported by the US-based tech magazine WIRED. A report published on May 22 said that in early May, cybersecurity researcher Jeremiah Fowler stumbled upon an exposed ElasticSearch database packed with over 184 million records -- roughly 47GB of data -- just sitting open online. Normally, Fowler can piece together where such leaks come from by digging through clues inside: company names, user info, internal notes. But this time? Nothing -- just a massive trove of data with no obvious origin. Access to the database was quickly shut down, the report added.

Nighat Dad, founder of the Digital Rights Foundation, emphasised the importance of proactive steps, particularly since it is unclear which accounts have been specifically affected. “Given the lack of clarity, all users should update their passwords. Many people reuse the same password for multiple platforms -- that needs to stop,” she said. “Set different, strong passwords for each account.”

Khilji also recommended enabling two-factor authentication (2FA) across all accounts -- including messaging apps like WhatsApp and financial services -- as an essential security measure.

Dad further advised users to install antivirus and anti-malware tools on their devices, keep software up to date, and be wary of phishing attempts. “Never click on a password reset link unless you requested it,” she warned. “And be sure to follow verified accounts only -- there are copycat PKCERT accounts out there spreading disinformation.”

PKCERT’s advisory noted that the leaked credentials, harvested from infected user devices, were stored in plain text and left unprotected. This leaves users vulnerable to a range of threats -- including identity theft, account takeovers, unauthorised access to sensitive platforms, and malware deployment.

Cybercriminals could also exploit the breach through credential stuffing — automated login attempts using reused passwords — and through phishing attacks designed to steal even more data. To limit exposure, PKCERT advised users to adopt best practices for online safety: change passwords regularly, use unique and complex combinations for each account, and avoid storing passwords in unsecured locations such as emails or text files. Users are also encouraged to use a reliable password manager and regularly check whether their credentials have been compromised using trusted online tools.

“Timely action is essential to prevent further damage,” the advisory said, urging people to treat the breach with the seriousness it demands.