The National Cyber Emergency Response Team (PKCERT) on Monday issued an advisory warning that the login credentials and passwords of more than 180 million internet users in Pakistan have been stolen in a global data breach, urging people to take immediate protective measures.

According to the advisory, seen by Dawn.com, PKCERT identified the global breach involving a publicly accessible, unencrypted file containing more than 184 million unique account credentials.

“The breach exposed usernames, passwords, emails and associated URLs tied to services from Google, Microsoft, Apple, Facebook, Instagram [and] Snapchat, as well as government portals, banking institutions, and healthcare platforms worldwide,” the advisory read.

“The leaked database is believed to have been compiled using infostealer malware — malicious software that extracts sensitive information from compromised systems,” it added. “This data was stored in plain text and left completely unprotected, with no encryption or password safeguarding.”

PKCERT is a federal government entity responsible for protecting Pakistan’s digital assets, sensitive information, and critical infrastructure from cyberattacks, cyberterrorism, and cyber espionage.

It outlined the potential impacts of the data breach, warning that the stolen credentials could be used for account takeovers, identity theft and unauthorised access to government portals or other sensitive sites, among other potential threats.

The advisory highlighted that the publicly hosted database was storing credentials stolen from “infected endpoints” without any form of authentication or protection and “included sensitive login information for major platforms, enterprises, government agencies, and financial institutions”.

“Attackers may exploit this breach through credential stuffing across services with reused passwords; phishing attacks using associated emails and historical data; targeted social engineering leveraging exposed personal content; unauthorised access to business and government accounts; and malware deployment using existing email and password combinations,” the advisory warned.

PKCERT advised users to change their passwords and enable multi-factor authentication on all of their online services, particularly on financial and administrative accounts.

“Use unique, complex passwords for every online service, avoid storing passwords in emails or unprotected files [and] consider a password manager to securely handle account credentials,” the advisory recommended.

The advisory also recommended that people change their passwords annually and use a credible online service to find out about potential breaches.

“Timely action is essential to limit the impact of this massive credential breach and prevent subsequent compromise of systems and identities,” it wrote, urging people to change compromised credentials, enforce multi-factor authentication and educate users on the risks of data breaches.

In March 2024, a Joint Investiga­tion Team (JIT) formed to probe a data leak from the National Database and Registration Authority (Nadra), told the Interior Ministry that the credentials of as many as 2.7 million citizens had been compromised between 2019 and 2023.

Sources told Dawn.com that the JIT, headed by a senior officer of the Federal Investigation Agency and comprising representatives from various intelligence agencies, had completed its probe and subsequently submitted a report to the ministry.

The JIT found that Nadra offices in Karachi, Multan and Peshawar were allegedly involved in the data leak and recommended action against various officials.