HaveIBeenPwned has added over 500 million new passwords and email addresses lifted via infostealers
# Incident Report: Mass Infiltration from Infostealer Logs on Telegram
## Executive Summary
This report summarizes the addition of 244 million new passwords and 284 million email addresses to the HaveIBeenPwned (HIBP) database, sourced from infostealer logs distributed through the Telegram channel "Alien Textbase." The volume illustrates the scale of credential harvesting by infostealer malware, whose output feeds downstream compromises such as those at Ticketmaster and AT&T. The response consisted of acquiring the data and loading it into HIBP so that affected users and domain owners can be notified and act on it.
## Incident Details
- **Discovery Date:** February 25, 2025 (the date HIBP announced the data load and the new stealer-log APIs)
- **Incident Date:** No single date; the logs accumulated from continuous infostealer infections over an unspecified collection period before they were published.
- **Affected Organization:** Not applicable (This is a data aggregation/discovery event affecting potentially millions of victim organizations and individuals).
- **Sector:** Broad/All Sectors (Infostealers target individuals regardless of sector).
- **Geography:** Global (Logs sourced from Telegram distribution).
## Timeline of Events
### Initial Access
- **Date/Time:** Continuous (Logs being actively harvested prior to Feb 25, 2025)
- **Vector:** Infostealer Malware execution on end-user devices.
- **Details:** Malware harvested saved credentials, browser cookies, cryptocurrency wallet data and payment card information from infected systems.
### Lateral Movement
- N/A (This is a data aggregation event, not a live breach timeline within a single network).
### Data Exfiltration/Impact
- **Data Exfiltration:** Harvested data (1.5TB total, 744 files) was compiled into logs and sold/distributed via Telegram channels like "Alien Textbase."
- **Impact:** Compromised credentials were used in subsequent attacks, including major breaches at organizations like Ticketmaster and AT&T via third-party access (Snowflake accounts).
### Detection & Response
- **Detection:** HIBP founder Troy Hunt identified and acquired 1.5TB of stealer logs distributed across 744 files on Telegram channel "Alien Textbase."
- **Response Actions:** HIBP processed the data, adding 244 million new passwords and 284 million new email addresses to its database. New APIs launched on February 25, 2025 allow verified domain owners to query the stealer-log data for compromised addresses on their domains and for the sites on which those credentials were captured.
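Stealer logs of this kind are typically circulated as plain text lines of the form `url:email:password`, which is what a processing pipeline such as HIBP's has to normalize before it can answer "which of my users appear, and on which sites". The following parser is an added example written for this report, not HIBP's code; the sample lines are constructed and are not from the Alien Textbase data set. The point it makes is that a naive `split(":")` is wrong, because the URL contains `://` and the password may itself contain colons.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (not from the ALIEN TXTBASE data set).
SAMPLE_LOG = """\
https://shop.example.com/account/login:alice@corp.example:Summer:2024!
https://mail.example.net/:bob@corp.example:hunter2
http://localhost:8080/admin:carol@another.example:Pa55word
this line has no credential in it
"""

# Non-greedy URL, then an email (no ':' or whitespace in either part),
# then everything else is the password, colons included.
LINE_RE = re.compile(
    r"^(?P<url>\S+?):(?P<email>[^:\s@]+@[^:\s@]+\.[^:\s@]+):(?P<password>.*)$"
)


def parse_stealer_line(line: str):
    """Return a dict with url, site, email, email_domain, password, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    # urlsplit needs a scheme to find the host; stealer logs sometimes omit it.
    parts = urlsplit(url if "://" in url else "http://" + url)
    email = m.group("email").lower()
    return {
        "url": url,
        "site": (parts.hostname or "").lower(),
        "email": email,
        "email_domain": email.rsplit("@", 1)[1],
        "password": m.group("password"),
    }


def parse_stealer_log(text: str):
    """Parse every line; lines that are not credentials are dropped."""
    return [r for r in (parse_stealer_line(l) for l in text.splitlines()) if r]


def records_for_email_domain(records, domain: str):
    """What a domain owner wants: every captured credential for their users."""
    domain = domain.lower()
    return [r for r in records if r["email_domain"] == domain]


def records_for_site(records, site: str):
    """What a site operator wants: credentials captured for logins to their site
    (including subdomains)."""
    site = site.lower()
    return [r for r in records if r["site"] == site or r["site"].endswith("." + site)]


def summarize(records):
    """Counts per email domain and per site, for triage before any notification."""
    return {
        "email_domains": Counter(r["email_domain"] for r in records),
        "sites": Counter(r["site"] for r in records),
    }


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_LOG)
    for r in records_for_email_domain(recs, "corp.example"):
        # Never print or retain the plaintext password; keep only what is
        # needed to notify the user and force a reset.
        print(f"{r['email']} captured on {r['site']}")
    print(summarize(recs))
```

Keep only the hashed password (or nothing) once a record has been matched to a user; the plaintext is needed to seed a password-blocklist check and for nothing else.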
## Attack Methodology
- **Initial Access:** Phishing messages, drive-by-downloads, malicious advertisements, or bundled with legitimate/pirated software leading to infostealer execution.
- **Persistence:** Not specified. Many infostealer families are smash-and-grab: they collect and exfiltrate in a single run and exit without installing persistence, though some are delivered by loaders that do persist and re-run the stealer.
- **Privilege Escalation:** Not specified in the context of the initial infection vector.
- **Defense Evasion:** Typical of infostealers: packed or obfuscated binaries delivered inside legitimate-looking installers, execution entirely in a user-mode process, and a short on-host lifetime that leaves little for a scheduled scan to find.
- **Credential Access:** Direct theft of saved credentials, browser cookies, autofill data, and crypto wallet keys from the endpoints.
- **Discovery:** System navigation to locate target files (e.g., specific browser data folders, configuration files).
- **Lateral Movement:** N/A
- **Collection:** Gathering of credentials, financial information (credit cards), and potentially sensitive documents into structured logs.
- **Exfiltration:** Logs sent to the malware operator, later consolidated and sold/distributed on platforms like Telegram.
- **Impact:** Compromise of user accounts or corporate infrastructure (especially cloud environments like Snowflake) due to credential reuse.
## Impact Assessment
- **Financial:** Not quantified for this data dump, but linked to major breach costs (e.g., Ticketmaster, AT&T). Increased costs for organizations implementing mandatory resets/monitoring.
- **Data Breach:** 244 million passwords and 284 million email addresses added to HIBP's repository, representing a massive exposure risk.
- **Operational:** Indirect operational disruption to organizations whose employees reuse credentials, leading to downstream breaches.
- **Reputational:** Significant reputational risk for individuals whose data is exposed, and for organizations where compromised credentials are used to breach systems.
## Indicators of Compromise
- **Network Indicators (Defanged):** N/A (No specific C2 IPs or domains mentioned for Alien Textbase, only the platform: telegram[.]org)
- **File Indicators:** N/A (Specific malware hashes are generally not listed in this type of high-level aggregation report).
- **Behavioral Indicators:** A process other than the browser reading browser credential stores (Chromium `Login Data`, `Cookies`, `Web Data`, `Local State`; Firefox `logins.json`, `key4.db`) and cryptocurrency wallet directories, followed by a small archive being posted to an external host, is consistent with infostealer activity. The exfiltrated log is usually only megabytes in size, so volume-based alerting will not catch it. Note: Check Point recorded a 58% surge in infostealer attacks in EMEA prior to this event.
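The behavioral indicator above can be turned into a simple detection over endpoint file-read telemetry. This is an added example for this report, not a rule from any vendor; the events are constructed to look like EDR file-access records, the host, user and process names are made up, and the path fragments are the credential-store locations infostealers are known to read.

```python
# Processes expected to touch their own credential stores. Anything else
# reading these files is worth an alert (or at least a hunt).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Lower-cased, forward-slash path fragments of the files infostealers read.
# Chromium: Login Data (saved logins), Cookies, Web Data (autofill, cards),
# Local State (DPAPI-wrapped key that decrypts the others).
# Firefox: logins.json + key4.db. The rest are desktop wallet directories.
CREDENTIAL_STORES = (
    "/login data", "/cookies", "/web data", "/local state",
    "/logins.json", "/key4.db",
    "/exodus/", "/electrum/wallets/", "/ethereum/keystore/",
)

# Constructed sample telemetry (not from any real incident).
EVENTS = [
    {"ts": "2025-02-20T09:14:02Z", "host": "WS-017", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-02-20T09:14:05Z", "host": "WS-017", "process": "setup_crack.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2025-02-20T09:14:05Z", "host": "WS-017", "process": "setup_crack.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-02-20T09:14:06Z", "host": "WS-017", "process": "setup_crack.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": "2025-02-20T09:14:07Z", "host": "WS-017", "process": "setup_crack.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": "2025-02-20T09:20:00Z", "host": "WS-017", "process": "winword.exe",
     "path": r"C:\Users\alice\Documents\report.docx"},
]


def normalize(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_credential_store(path: str) -> bool:
    p = normalize(path)
    return any(fragment in p for fragment in CREDENTIAL_STORES)


def detect_credential_theft(events, min_stores: int = 2):
    """Group reads by (host, process) and flag non-browser processes that
    touched at least `min_stores` distinct credential stores. The threshold
    cuts noise from backup agents that happen to read a single file."""
    touched = {}
    for e in events:
        proc = e["process"].lower()
        if proc in BROWSERS or not is_credential_store(e["path"]):
            continue
        touched.setdefault((e["host"], proc), set()).add(normalize(e["path"]))
    return [
        {"host": host, "process": proc, "stores": sorted(paths)}
        for (host, proc), paths in touched.items()
        if len(paths) >= min_stores
    ]


if __name__ == "__main__":
    for hit in detect_credential_theft(EVENTS):
        print(f"{hit['host']}: {hit['process']} read {len(hit['stores'])} credential stores")
```

In production the same logic is usually expressed as a Sigma or EDR query keyed on the file path and an exclusion list for the browsers themselves; the grouping and threshold are what keep it from paging on every backup job.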
## Response Actions
- **Containment measures:** N/A (Response focused on risk mitigation post-discovery of the data set).
- **Eradication steps:** N/A (The source is external distribution; individual remediation is required by victims).
- **Recovery actions:** HIBP added the data to its platform, allowing domain owners and subscribers to proactively check accounts and force password resets for potentially compromised users.
## Lessons Learned
- **Key Takeaways:** Infostealer malware remains a primary, highly scalable vector for generating data used in large-scale attacks, often monetized through easily accessible channels like Telegram. The illicit market for compromised credentials is actively supplied by dedicated ‘vendors’ like Alien Textbase.
- **What could have been done better:** Organizations must emphasize better employee awareness training against phishing and malicious software downloads, as endpoint compromise is the critical failure point enabling this theft.
## Recommendations
- **Prevention measures for similar incidents:**
1. Mandate phishing-resistant multi-factor authentication (MFA) across all corporate systems, including third-party SaaS tenants such as Snowflake, where single-factor access turned stolen credentials directly into breaches.
2. Deploy endpoint detection and response (EDR) tooling configured to detect and block infostealer behaviors, in particular non-browser processes reading browser credential stores and wallet directories.
3. Restrict browser password saving for corporate accounts by policy, move users to an enterprise password manager, and enforce strong, unique passwords; the browser store is exactly what these logs are harvested from.
4. Use HIBP's domain search and stealer-log APIs, or comparable services, to check organizational domains against newly published compromised credentials and to force resets for the accounts found.
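Recommendation 4 can be automated at the password level without an API key by using the Pwned Passwords range API, which accepts the first five hex characters of a password's SHA-1 and returns every matching suffix with a count, so the password itself never leaves the host (k-anonymity). This is an added example, not code from HIBP; the range endpoint and the `Add-Padding` header are HIBP's published API, while the sample passwords and the offline response body in the test are constructed. HIBP's domain-level stealer-log lookups require an API key and domain verification and are not shown.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Pwned Passwords is keyed on upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password: str):
    """k-anonymity split: only the 5-char prefix is sent to the API."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_body(body: str):
    """Response is 'SUFFIX:COUNT' lines (CRLF); returns {suffix: count}.
    Padded responses contain extra suffixes with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_body(password: str, body: str) -> int:
    """Match the local 35-char suffix against a range response; 0 = not found."""
    _, suffix = split_for_range(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding makes every response a
    similar size so an observer cannot infer the prefix from its length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "stealer-log-triage-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """End-to-end check against the live API."""
    prefix, _ = split_for_range(password)
    return breach_count_from_body(password, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("Summer:2024!", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Wire `breach_count_from_body` into the password-change flow (reject any candidate with a non-zero count) and into periodic audits of existing hashes where the plaintext is available at login time; the network call is the only part that needs to be rate-limited or cached.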