Pakistan: Millions of passwords leaked, your account may be at risk

Dubai: Pakistanis have been warned to change their social media passwords after a massive global data breach.

The National Cyber Emergency Response Team (PKCERT) has issued a stark advisory, revealing that login credentials and passwords of more than 180 million Pakistani internet users were exposed in a massive global data breach. The agency has urged citizens to take immediate security measures to safeguard their accounts.

The breach involves a publicly accessible, unencrypted database containing over 184 million unique account credentials. The exposed data includes usernames, passwords, email addresses, and associated web services, Dawn news reported.

This advisory follows a significant revelation in March 2024, when a Joint Investigation Team (JIT) reported that credentials of 2.7 million Pakistani citizens had been compromised in a separate data leak from the National Database and Registration Authority (NADRA) between 2019 and 2023.

“The breach exposed sensitive login details linked to platforms such as Google, Microsoft, Apple, Facebook, Instagram, and Snapchat, as well as government portals, financial institutions, and health care systems worldwide,” PKCERT stated.

The leaked credentials are believed to have been harvested through infostealer malware, malicious software designed to extract confidential information from infected devices. Alarmingly, the stolen data was stored in plain text, without any form of encryption or password protection.

Compromised credentials

PKCERT, the federal agency tasked with securing Pakistan’s digital infrastructure, warned that the compromised credentials could be exploited for account takeovers, identity theft, and unauthorised access to sensitive systems, including government and corporate platforms.

“The publicly available data originated from infected endpoints and includes login information from major enterprises, government agencies, and banks,” the advisory noted. “It was left exposed without any authentication or security barriers.”

Credential stuffing on services where users reuse passwords

Phishing attacks using linked email addresses and leaked information

Social engineering campaigns leveraging exposed personal content

Unauthorised logins into business, administrative, or government accounts

Malware deployment using existing account credentials

Change all account passwords immediately

Enable multi-factor authentication (MFA), especially on financial and critical accounts

Use unique and complex passwords for each online service

Avoid saving passwords in unprotected files or emails

Consider using a reliable password manager

Perform annual password updates

Check exposure status using trusted breach-monitoring services