On May 26, the National Cyber Emergency Response Team (PKCERT) issued a critical advisory warning that login credentials of more than 180 million Pakistani internet users have been compromised following a large-scale global data breach.

According to the advisory, a publicly available and unprotected file containing over 184 million unique account credentials was discovered. The exposed data includes usernames, passwords, email addresses, and associated URLs connected to major online platforms such as Google, Microsoft, Apple, Facebook, Instagram, and Snapchat, as well as government portals, banking systems, and healthcare services.

PKCERT stated that the compromised database was compiled using infostealer malware — a malicious software designed to extract sensitive information from infected devices. The leaked data was stored in plain text without encryption or password protection, making it accessible to threat actors without restriction.

The federal cybersecurity agency highlighted the seriousness of the breach, warning that it could lead to account takeovers, identity theft, unauthorised access to critical systems, and widespread phishing attacks. The credentials were reportedly obtained from infected endpoints and hosted online without any authentication mechanism.

“Attackers may exploit this breach through credential stuffing across services with reused passwords; phishing attacks using associated emails and historical data; targeted social engineering leveraging exposed personal content; unauthorised access to business and government accounts; and malware deployment using existing email and password combinations,” the advisory warned.

In response, PKCERT urged users to take immediate preventive steps. These include changing passwords for all online accounts, particularly financial and administrative ones, and enabling multi-factor authentication. The advisory further recommended using strong, unique passwords for each service, avoiding storage of passwords in unprotected formats, and utilising password managers for secure credential handling.

The advisory also advised users to routinely update their passwords and to use credible online services to check if their data has been involved in known breaches.“Timely action is essential to limit the impact of this massive credential breach and prevent subsequent compromise of systems and identities,” the advisory stated.

This development follows a previous incident reported in March 2024, when a Joint Investigation Team (JIT) probing a separate data leak from the National Database and Registration Authority (Nadra) revealed that the credentials of 2.7 million citizens had been compromised between 2019 and 2023. The report implicated Nadra offices in Karachi, Multan, and Peshawar and recommended disciplinary action against multiple officials.

PKCERT continues to monitor the evolving situation and has reiterated its call for the public to remain vigilant and adopt strong cybersecurity practices to protect personal and institutional data.