361 Million Stolen Accounts Leaked on Telegram Added to HIBP

A significant data breach has rocked the cybersecurity community as a massive trove of 361 million email addresses has been added to the Have I Been Pwned (HIBP) data breach notification service.

This addition allows individuals to check if their accounts have been compromised in what is shaping up to be one of the largest credential leaks in recent history.

No Site Unaffected

The staggering number of stolen credentials collected from various sources showcases the alarming extent of the breach. These credentials, obtained through password-stealing malware, credential stuffing attacks, and data breaches, were initially leaked on Telegram cybercrime channels.

Cybersecurity researchers, who have chosen to remain anonymous, gathered these credentials from numerous Telegram channels where stolen data is often shared to build reputation and subscribers.

The leaked data consists of three kinds of records: username and password combinations from credential stuffing attacks or data breaches; usernames and passwords together with the URL they belong to, harvested by password-stealing malware; and raw cookies, also stolen by malware.

These combinations make it easier for threat actors to gain unauthorized access to numerous accounts.

The researchers provided Troy Hunt, the owner of Have I Been Pwned, with 122 GB of data, containing 361 million unique email addresses. Astonishingly, 151 million of these email addresses had never been seen before by the data breach notification service.

“It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before,” Hunt posted. “Alongside those addresses were passwords and, in many cases, the website the data pertains to.”
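The processing Hunt describes (walking the lines, deduplicating e-mail addresses and noting the site each record pertains to) can be reproduced on a small scale for defensive triage. The following is an added example, not HIBP's or the researchers' code; the line shapes follow the three record types described above, the sample lines and the `watch_domains` parameter are constructed and hypothetical, and only addresses and hostnames are kept, never the passwords.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the e-mail portion of a line; whatever follows it (the secret) is never retained.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample lines in the three shapes the article describes
# (hypothetical, not data from the leak).
SAMPLE_LINES = [
    "alice@example.com:Summer2023!",                            # combo list
    "https://shop.example.net/login:bob@example.com:hunter2",   # stealer log with URL
    "https://shop.example.net/login:Alice@Example.com:pa55",    # same user, different case
    "alice@example.com:Summer2023!",                            # exact duplicate
    "sid=abc123; path=/; domain=.mail.example.org",             # raw cookie, no e-mail
    "not a credential line",
]


def parse_line(line):
    """Return (email, site_or_None) for a credential line, else None.

    Only the address and the site it pertains to are kept; the secret after
    the address is dropped so the triage output contains no passwords.
    """
    line = line.strip()
    m = EMAIL_RE.search(line)
    if not m:
        return None
    email = m.group(0).lower()          # fold case so duplicates collapse
    site = None
    if line.lower().startswith(("http://", "https://")):
        # The URL is everything before the address, minus the ':' separator.
        site = urlsplit(line[:m.start()].rstrip(":")).hostname
    return email, site


def triage(lines, watch_domains):
    """Summarise a dump: unique addresses, records per site, and the addresses
    belonging to domains the defender is responsible for (watch_domains)."""
    seen, per_site, watched = set(), Counter(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, site = parsed
        seen.add(email)
        if site:
            per_site[site] += 1
        if email.rsplit("@", 1)[1] in watch_domains:
            watched.add(email)
    return {"unique_emails": len(seen), "per_site": per_site, "watched": sorted(watched)}
```

Running `triage(SAMPLE_LINES, {"example.com"})` reports two unique addresses, two records for `shop.example.net`, and both addresses as belonging to the watched domain, which is the signal an organisation needs to trigger forced resets for those users.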

Due to the sheer volume of the dataset, verifying the legitimacy of all the leaked credentials is a challenging task.

However, Hunt confirmed that he used password reset forms on various websites to validate many of the leaked email addresses, although he couldn’t confirm the passwords as it would require logging into the accounts, which is illegal.

The Extent of the Breach

With a dataset this massive, no site that allows logins is unaffected by these leaked credentials. Even prominent sites like BleepingComputer are not exempt from the impact of this breach.

Last week, the same researchers shared with BleepingComputer a list of credentials stolen by information-stealing malware associated with the dark web. Information-stealing malware is a type of infection that extracts passwords, cookies, browser history, cryptocurrency wallets, and other data from an infected device. This stolen data is then compiled into an archive called a “log” and transmitted back to the threat actor’s servers. From there, it is sold on cybercrime marketplaces, shared with other threat actors, or used to breach a victim’s other accounts.

This type of malware is typically distributed through social media, cracked software, fake VPN products, or malicious email campaigns sent through compromised support sites of gaming companies.

The data shared with the dark web includes usernames, passwords, and URLs that users saved in their browser’s password manager, which were then stolen by the malware.

Impact on Users

Users who are affected by information-stealing malware will need to reset every password on every account saved in their browser’s password manager. They will also need to change credentials for any other sites using the same login details.

This daunting task is necessary because stolen credentials often lack timestamps, making it impossible to determine when they were stolen. Therefore, impacted users must assume all their credentials have been compromised.

This situation sheds light on why some users experience repeated account hacks despite changing their passwords multiple times. The malicious activity is likely due to their credentials being stolen in the past and subsequently abused by threat actors.

Information-stealing malware has become a significant threat in the cybersecurity landscape, enabling massive attacks such as ransomware and data theft. Notable incidents include attacks on the Costa Rican government, Microsoft, CircleCI, and an Orange Spain RIPE account whose compromise led to a deliberate BGP misconfiguration.

More recently, threat actors used compromised credentials believed to be stolen by information-stealing malware to access Snowflake databases.

Preventive Measures

Preventing information-stealing attacks is challenging due to their low complexity and wide distribution.

The best defense is to practice good cybersecurity habits, such as avoiding attachments from untrusted sources, downloading software only from trusted providers, enabling file extensions in Windows, using antivirus software, and keeping all software up to date.

These measures can help mitigate the risk of falling victim to such malware and protect sensitive information from being compromised.

By Dale John
