The Weekly Breach Breakdown: The Future is Now – Data Event Involving 184M Records Highlights Importance of Passkey Adoption

Summary 

• At the end of May, Cybersecurity Researcher Jeremiah Fowler discovered an unprotected online database that exposed over 184 million records. The records included email addresses, passwords and login links – stored in plain text.  
• The leaked data is tied to major platforms, including Apple, Google, Facebook and Microsoft, as well as government and financial services.  
• The owner of the database has not been identified, and the purpose and origin of the credentials have not been confirmed. Therefore, pending further information, the Identity Theft Resource Center (ITRC) is categorizing this event as a compromise because no known notices have been issued to credential holders. 
• This data event illustrates the importance of passkey adoption among consumers. All of the exposed records were login credentials. If a criminal with malicious intent obtains your email address and password, they can commit a range of identity crimes. However, criminals cannot steal a passkey because it is a digital credential that allows users to sign in without entering a password or username.  
• Passkey adoption can eliminate an entire class of identity crimes. Also, they are safer. You cannot lose a passkey like a password. Identity criminals cannot steal it because it is unique to you. Also, it is bound to a company’s website, meaning it will not work if used to log on to a fake website or during a phishing attack.  
• To learn about the latest data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool. If you believe you are the victim of an identity crime, call or text the ITRC toll-free at 888.400.5530 or live chat on our website, www.idtheftcenter.org.  

Full Transcript 

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for June 13, 2025. I’m Alex Achten, Senior Director of Communications & Media Relations of the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we will examine a data event that has dominated the headlines for the last two weeks, its implications for consumers and why it highlights the importance of passkey adoption.  

You’ve probably heard the phrase “the future is now.” There is a debate over the origin of this term. Some say it was from the back cover of Alvin Toffler’s 1970 book “Future Shock.” Some think its origins may be older, stretching back to a speech given by Robert F. Kennedy in 1966 or a similar phrase from Sir Austen Chamberlain in 1936. Regardless of who coined the phrase, it is relevant to our conversation today, as it pertains to findings recently discovered by cybersecurity researcher Jeremiah Fowler.  

At the end of May, Fowler discovered an unprotected online database that exposed over 184 million records. The records included email addresses, passwords and login links – stored in plain text. The leaked data appears to be tied to major platforms, including Apple, Google, Facebook and Microsoft, as well as government and financial services. Fowler told Wired that “this is a cybercriminal’s dream working list.” 

As more companies shift to cloud services, it opens the door for identity criminals. According to the ITRC’s 2024 Annual Data Breach Report, there was a 211 percent increase in victim notices in 2024 compared to 2023, a shift driven by a handful of mega-breaches that impacted companies’ digital ecosystems.  

It is important to note that the owner of the database has not been identified, and the purpose and origin of the credentials have not been confirmed. Therefore, pending further information, the ITRC is categorizing this event as a compromise, rather than a breach, because no known notices have been issued to credential holders and there is no evidence to indicate that the credentials were copied or misused. With that said, the ITRC believes there is a significant risk of identity crimes, including account takeover, ransomware attacks, data breaches, phishing attacks and business email compromise.  

Right about now, you are probably asking this question: “What on earth does the phrase ‘the future is now’ have anything to do with this data event?” Two words: Passkey adoption. All of the exposed records were login credentials. If a criminal with malicious intent obtains your email and password, they can commit all the identity crimes just referenced. However, criminals cannot steal a passkey because it is a digital credential (typically a face scan, fingerprint or PIN) that allows users to sign in without entering a password or username. It is unique to you and only you; therefore, it cannot be stolen. 

Consumers have reservations about providing biometric information. According to the ITRC’s recently released Biometric Consumer Attitude Report, 63 percent of respondents to an ITRC survey on biometrics said they had serious concerns about providing biometric information. While two-thirds of respondents agreed that biometrics can reduce identity crimes, 39 percent believed that the use of biometrics should be banned.  

Despite these concerns surrounding biometric use, the ITRC believes consumers should start switching to passkeys wherever they are offered. When fully implemented, passkey adoption can eliminate an entire class of identity crimes. Also, they are safer. You cannot lose a passkey like a password. Identity criminals cannot steal it because it is unique to you. It is bound to a company’s website, meaning it will not work if used to log on to a fake website or during a phishing attack.  

Passwords are not going anywhere anytime soon. Everyone should continue to use a unique 12+-character passphrase on accounts where passkeys are not offered. However, one of the top things you can do to protect yourself from falling victim to an identity crime in a day and age where data events are at a near all-time high is to adopt passkeys everywhere they are offered. Passkeys are no longer the future. They are the present. The future is now. 

If you want to know more about how to protect your business or personal information, passkey adoption or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started. 

Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown. I’m Alex Achten. Until then, thanks for listening.