A collection of 361 million accounts leaked on Telegram added to HIBP, check now

Take action: The list of 360 million credentials was not stolen by breaching a platform; it was collected across millions of individual computers infected by info-stealer malware. Be very careful about opening unknown attachments and about running programs from external USB drives or downloaded from suspicious sources, and use up-to-date antivirus software. Never store passwords in browsers, because info-stealers are designed to get them quickly. Also, check on HIBP whether you are listed.


Learn More

A substantial data set of 361 million email addresses has been added to the Have I Been Pwned (HIBP) data breach notification service.

The credentials, amassed from various sources including password-stealing malware, credential stuffing attacks, and data breaches, were primarily collected from numerous Telegram cybercrime channels. These channels often disseminate stolen data to build reputation and gain subscribers.

Cybersecurity researchers, who have requested anonymity, compiled 122 GB of these credentials and shared them with Troy Hunt, the owner of HIBP. Hunt confirmed the data's magnitude, noting it contained 1,700 files with 2 billion lines and 361 million unique email addresses, 151 million of which had never been seen by HIBP before. The dataset includes:

  • Usernames and passwords
  • Usernames, passwords, and associated URLs (stolen via password-stealing malware)
  • Raw cookies (stolen via password-stealing malware)

Given the dataset's size, verifying the legitimacy of all credentials is challenging. However, Hunt used password reset forms on various websites to confirm that many email addresses were correctly associated with the listed sites, though he did not confirm the passwords due to legal constraints.

It seems that no online platform that allows logins is unaffected by this breach.

Victims of information-stealing malware must reset passwords for all accounts stored in their browser's password manager and any other site using the same credentials. Since the stolen credentials lack timestamps, users should assume all their credentials have been compromised.

Information-stealing malware has facilitated significant cyberattacks, including those on the Costa Rican government, Microsoft, CircleCI, and an Orange Spain RIPE account, the last of which led to a BGP misconfiguration. More recently, data theft from Snowflake databases was linked to credentials stolen via such malware.