Twitter is actively removing lists of email addresses and passwords allegedly from the National Institute of Health and the World Health Organisation, the BBC has learned.
They were initially posted to message group 4chan, according to a report from an organisation which monitors right-wing extremism.
The BBC understands that some of the credentials are from old hack attacks.
Site Intelligence Group did not say who posted them, or if they were authentic.
Later, the list was also posted to Pastebin, which is often used to reveal hacked information, and Twitter.
In a tweet, Site's director Rita Katz said the alleged list was being used by far-right extremists as part of a "harassment campaign."j
She also gave details of the research, which indicated that:
- 9,938 emails and passwords came from the National Institute of Health (NIH)
- 6,857 from the Centers for Disease Control and Prevention (CDC)
- 5,120 from the World Bank
- 2,732 from the World Health Organization (WHO)
- 269 from the Gates Foundation
- 21 from the Wuhan Institute of Virology
The NIH told the BBC it was investigating the leak, but none of the other organisation have responded to requests for comment.
The Gates Foundation told the Washington Post, which originally broke the news, that it was investigating but had no evidence of a data breach.
Security researcher Robert Potter tweeted that he believed the leaked WHO credentials were genuine but "from an earlier attack".
"Healthcare agencies are traditionally quite bad at cyber-security," he wrote.
The BBC understands that the World Bank credentials are also probably from an old attack.
Some right-wing groups have questioned the science around the coronavirus pandemic, and according to Graphika - a service that uses AI to study social media misinformation - they have played a disproportionate role in spreading fake news about the virus.
The WHO has called the amount of false and misleading information about Covid-19 an "infodemic".