284 Million Stolen Accounts Added to Have I Been Pwned After Telegram Leak
A staggering 284 million email accounts have been added to the Have I Been Pwned (HIBP) database after being discovered in a massive trove of stolen credentials circulating on Telegram. The data, collected from information-stealing malware, underscores the growing threat of credential theft and the dark web marketplaces that trade in personal information.
Millions of Stolen Credentials Exposed in Telegram Leak
Troy Hunt, the creator of HIBP, uncovered the massive data dump while analyzing 1.5 terabytes of logs from an infostealer operation. The logs, reportedly from various sources, were shared in a Telegram channel known as “ALIEN TXTBASE.”
“They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284 million unique email addresses,” Hunt revealed in a blog post on Tuesday.
Among the findings, HIBP added 244 million previously unseen passwords to its Pwned Passwords database. Another 199 million existing passwords were also updated.
How the Data Was Verified Before Being Added
To ensure authenticity, Hunt conducted a series of tests. His method? Attempting password reset requests using the stolen email addresses. If the reset email was successfully triggered, it confirmed the validity of the compromised accounts.
This verification process helps eliminate fake data dumps, which are often recycled from older breaches or manipulated to appear larger than they actually are.
New API Helps Businesses Detect Stolen Credentials Faster
With this latest breach, HIBP has rolled out new API features allowing domain owners and security teams to track stolen credentials more efficiently.
- Up to 1,000 email address searches per minute are now supported.
- Security teams can check for compromised accounts using email domain or website domain queries.
- Organizations subscribed to HIBP’s services can use these APIs to monitor potential credential stuffing attacks.
While the API tools are available to business users, individual subscribers can also check if their email addresses were found in the ALIEN TXTBASE dump. However, details on which websites the credentials were used for remain private unless verified via the notification service.
A Pattern of Infostealer-Related Breaches
This isn’t the first time HIBP has incorporated stolen data from infostealer malware.
- In December 2021, the service added 441,000 accounts stolen using RedLine malware, one of the most widely used infostealers at the time. The breach exposed more than 6 million RedLine logs found on an unsecured server.
- Earlier this month, HIBP added 12 million Zacks Investment accounts after a breach leaked sensitive user information, including IP addresses and phone numbers.
- Back in June 2023, a database of 8.8 million Zacks Investment Research user records, including usernames and SHA-256 password hashes, was also incorporated into HIBP.
What This Means for Users
With 284 million new email addresses now flagged as compromised, millions of individuals may be at risk of account takeovers, phishing attacks, and other security threats.
To mitigate risks:
- Change passwords immediately if your email is found in HIBP.
- Use a password manager to generate and store unique credentials.
- Enable multi-factor authentication (MFA) wherever possible.
- Be wary of phishing emails attempting to exploit stolen credentials.
As cybercriminals continue to exploit data breaches and malware logs, security-conscious users and organizations must remain proactive. This latest discovery highlights just how vast and persistent the underground trade in stolen credentials has become.