HIBP adds 284M malware-stolen accounts: Takeaways on Telegram & infostealers
Leaked credentials are in high demand on underground marketplaces. A database of stolen credentials is like a giant box of keys to a hacker. With the use of the right software, they can rapidly try these keys against user accounts in the hope that one fits and they gain unauthorized access to an organization. This is why there’s value in uncovering these databases and blocking end users from using compromised passwords.
In January, we released research into over 1 billion malware-stolen credentials. But there’s always more to find. Just recently, HaveIBeenPwned have added 284 million accounts to their database. There are some interesting takeaways from this HIBP database update about the use of Telegram and the persistent threat of infostealers, and we’ll share what we know about the threat actor: ALIEN TXTBASE.
What did HaveIBeenPwned find on Telegram?
The owner of the HaveIBeenPwned website, Troy Hunt, has said he found 284,132,969 compromised accounts stolen by information stealer malware while analyzing 1.5TB of stealer logs likely collected from numerous sources and shared on a Telegram channel known as “ALIEN TXTBASE.”
Hackers often use Telegram to share and trade stolen credentials. Telegram’s end-to-end encryption and secret chat features make it a popular platform for cybercriminals to communicate and exchange sensitive information securely. They can create private groups or channels to distribute stolen credentials, coordinate attacks, and share tools and techniques.
Hunt stated on his blog about the findings: “They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284M unique email addresses. We’ve also added 244M passwords we’ve never seen before to Pwned Passwords and updated the counts against another 199M that were already in there.”
Given the extensive number of accounts in this collection, it’s probable that the data encompasses both recently compromised and older credentials obtained via credential stuffing attacks and data breaches. Prior to the HIBP database update, Troy verified their legitimacy by attempting a password reset using the stolen email addresses to see if the service responded with a password reset email.
Are there compromised passwords in your Active Directory?
Run a read-only scan with our free tool, Specops Password Auditor. You’ll get an exportable report detailing any password-related vulnerabilities the scan discovers. Download your free tool here.
Telegram: Shifting cybercriminal tactics
Victor Acin, Outpost24 (Specops’ parent company) Director of Product Management, had this to say: “The addition of 284 million compromised accounts to Have I Been Pwned underscores a growing trend in cybercriminal tactics—shifting from dark web marketplaces to more accessible platforms like Telegram for data sharing and sales. This aligns with what we’ve observed in recent years, where threat actors increasingly use communication platforms for illicit activities due to their ease of access and lower risk of takedowns.
“While the size of this dataset is significant, it’s not an outlier in the broader landscape of cybercrime. Threat intelligence teams regularly uncover similar data dumps, often composed of stolen information from previous breaches and infections. The fact that this dataset includes a mix of old and new credentials suggests that cybercriminals continue to recycle compromised data, increasing the risk of account takeovers for users who reuse passwords.
“For individuals, this reinforces the critical need for strong security practices, including unique passwords for each account, multi-factor authentication, and regular checks on services like Have I Been Pwned to monitor for potential exposure. Organizations should also enhance their threat intelligence capabilities to track emerging risks from alternative platforms like Telegram and proactively secure their users’ data.”
Infostealers: A persistent threat
Borja Rodriquez, Manager of Outpost24’s KrakenLabs Threat Intelligence team said: “The recent addition of 284 million compromised accounts to Have I Been Pwned underscores the persistent threat posed by information stealer malware. At KrakenLabs, we’ve been closely monitoring the threat actor behind the “ALIEN TXTBASE” data leak, observing their periodic release of stolen credentials over several months. This pattern highlights the critical need for continuous credential monitoring, as waiting for large accumulations of data can delay threat detection and response.”
What do we know about ALIEN TXTBASE?
Borja’s team has uncovered some interesting information about the threat actor: “Interestingly, following increased media attention, the individual behind ALIEN TXTBASE announced the shutdown of their Telegram channel and claimed to cease operations. In a post on Breach Forums, they stated their intention to close all related activities and even changed their forum alias. However, our experience indicates that such actors often resurface under new identities, making ongoing vigilance essential.
“It’s important to note that analyses of the ALIEN TXTBASE dataset have revealed inconsistencies, including artificially generated or recycled data from previous breaches. While some authentic stealer logs are present, the dataset also contains fabricated or outdated information. Therefore, organizations and individuals should assess their exposure carefully, implement robust security practices, and avoid undue alarm.”
Protect your users from breached passwords
Specops works closely with the KrakenLabs Threat Intelligence team to harvest leaked credentials from Telegram and add them to our database of over four billion unique compromised credentials. Specops Password Policy blocks end users from choosing these compromised passwords. On top of that, it continuously scans your Active Directory and alerts end users if they’re found to be using a breached password that’s been recently added to the database. Interested to see how it works? Try Specops Password Policy for free.
(Last updated on March 5, 2025)