A massive trove of 361 million email addresses from credentials stolen by password-stealing malware, in credential stuffing attacks, and from data breaches was added to the Have I Been Pwned data breach notification service, allowing anyone to check if their accounts have been compromised.
Cybersecurity researchers collected these credentials from numerous Telegram cybercrime channels, where the stolen data is commonly leaked to the channel's users to build reputation and subscribers.
The stolen data is usually leaked as username and password combinations, usernames and passwords along with the URL they were captured for, and raw cookies.
The researchers, who asked BleepingComputer to remain anonymous, shared 122 GB of credentials with Troy Hunt, the owner of Have I Been Pwned, collected from many Telegram channels.
According to Hunt, this data is massive, containing 361 million unique email addresses, with 151 million never previously seen by the data breach notification service.
With a dataset this large, it is impossible to verify that all of the leaked credentials are legitimate.
Hunt said that he used sites' password reset forms to confirm that many leaked email addresses are correctly associated with the website listed in the stolen credentials.
Hunt could not confirm the password, as that would require him to log into the account, which would be illegal.
With a dataset this large, no site that allows logins is unaffected by these leaked credentials, including BleepingComputer.
Last week, the same researchers shared with BleepingComputer a list of credentials stolen by information-stealing malware associated with the BleepingComputer forums.
Information-stealing malware is an infection that steals passwords, cookies, browser history, cryptocurrency wallets, and other data from an infected device.
BleepingComputer is currently analyzing the data and removing duplicates so we can proactively reset impacted members' passwords and warn them that they were infected at some point with information-stealing malware.
Users who are infected with information-stealing malware will now have to reset every password on every account that was saved in their browser's password manager, and any other site using the same credentials.
Stolen credentials are usually not shared with a timestamp indicating when they were stolen.
Impacted users must consider that all of their credentials have been compromised.
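As an added illustration, not tooling from BleepingComputer or Have I Been Pwned, the Python below parses a constructed dump in the three shapes described above (user:pass, url:user:pass, raw cookie rows), deduplicates it by site and email address, and produces a reset list while deliberately discarding the passwords. All sample lines, hostnames and addresses are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shapes the article describes, with a duplicate
# entry and colons inside a URL port and a password to exercise the parser.
SAMPLE_DUMP = """\
https://forum.example.org/login:alice@example.com:hunter2
https://forum.example.org/login:alice@example.com:hunter2
http://shop.example.net:8443/account:bob@example.com:p4ss:with:colons
carol@example.com:letmein
.example.org\tTRUE\t/\tTRUE\t1893456000\tsessionid\tdeadbeef
this line is not a credential
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_line(line):
    """Return (site, email) for a credential line, else None.
    The password is discarded on purpose: the output is a reset list, not a
    second copy of the dump. Anchoring on the email avoids the ambiguity of
    ':' appearing inside URLs (scheme, port) and inside passwords."""
    m = EMAIL_RE.search(line)
    if not m:
        return None
    site_part = line[:m.start()].rstrip(":")
    if not site_part:
        return "(site unknown)", m.group(0).lower()
    host = urlsplit(site_part).hostname  # strips scheme, port and path
    return host or site_part, m.group(0).lower()

def build_reset_list(dump_text):
    """Deduplicate a dump into {site: sorted emails} plus skip counters."""
    accounts = defaultdict(set)
    skipped = {"cookie_rows": 0, "unparsed": 0}
    for line in filter(None, map(str.strip, dump_text.splitlines())):
        if "\t" in line:  # Netscape-format cookie row: no login to reset
            skipped["cookie_rows"] += 1
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped["unparsed"] += 1
            continue
        site, email = parsed
        accounts[site].add(email)
    return {site: sorted(emails) for site, emails in accounts.items()}, skipped
```

Cookie rows are counted but not mapped to an account, since a session cookie identifies no email address to notify; they still mean the affected site's sessions should be invalidated.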
BleepingComputer is commonly contacted by people who tell us that their accounts continuously get hacked, even when they change the password over and over.
These users can now gain some closure, knowing that they were not imagining things and that the malicious activity is likely attributable to their credentials having been stolen earlier and abused by threat actors for their own amusement or for further malicious activity.
Information-stealing malware has become a scourge of cybersecurity, used by threat actors to conduct massive attacks, such as ransomware and data theft attacks.
Well-known attacks that began with credentials stolen by information-stealing malware include those on the Costa Rican government, Microsoft, CircleCI, and an Orange Spain RIPE account that led to an intentional BGP misconfiguration.
More recently, threat actors stole data from Snowflake databases using what are believed to be credentials compromised by information-stealing malware.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Jun 2024 19:14:03 +0000