Cybersecurity Watchdog Issues Advisory After Exposure of 1,600 Crore Online Credentials
The advisory, dated June 23, recommends urgent action to reduce the risk of unauthorised access, identity theft, and related cyberattacks.
The country's cybersecurity watchdog has issued a security advisory following the exposure of around 1,600 crore login credentials linked to major online platforms. The advisory, dated June 23, recommends urgent action to reduce the risk of unauthorised access, identity theft, and related cyberattacks.
"The dataset aggregates credentials from 30 separate sources, primarily obtained through infostealer malware and exposed through misconfigured, publicly accessible databases-such as unsecured Elasticsearch instances," CERT-In wrote in the advisory.
The breach included usernames, passwords, authentication tokens, and associated metadata from platforms such as Apple, Google, Facebook, Telegram, GitHub, and various virtual private network services.
The advisory outlines measures for individuals, cautioning them to "Change passwords for all affected services, prioritising email, banking, social media, and government portals."
It also recommends creating strong, unique passwords of at least 12 characters, and warns users to "avoid reusing passwords across services to prevent credential stuffing attacks."
"Activate MFA on all accounts that support it, using authenticator apps, hardware tokens, or SMS-based verification," the advisory added. Where available, individuals are encouraged to "enable passkeys for password-less, phishing-resistant authentication using biometrics or device PINS."
To reduce malware risk, the advisory recommends running antivirus scans and updating systems to fix known vulnerabilities.
For organisations, the advisory recommends enforcing multi-factor authentication and "least-privilege access controls for all users and systems," along with real-time threat monitoring. It also advises auditing databases to ensure they are not exposed publicly and to "implement encryption for stored credentials and sensitive data."
The advisory concludes with a call for cybersecurity awareness training, emphasising phishing prevention and secure password practices.
