361 million account credentials leaked on Telegram: Are yours among them?
A new trove of 361 million email addresses has been added to Have I Been Pwned? (HIBP), the free online service through which users can check whether their account credentials and other data have been compromised in one or more data breaches.
Have I Been Pwned? notification (Telegram Combolists)
Of these, 151 million haven’t been previously seen in HIBP, says Troy Hunt, the service’s creator. “Alongside those addresses were passwords and, in many cases, the website the data pertains to.”
What the analysis of the trove revealed
The massive cache of compromised credentials has been delivered to Hunt by an unnamed researcher. It contained 1,700+ files scraped from thousands of Telegram channels.
The data includes lists of credentials for accounts grouped either by service (e.g., Gmail, Yahoo, etc.) or country (of the online service).
Some of the files contain email address:password combinations, while others list URLs alongside the credentials, usually in the form [online service domain]/[login, checkout, confirm or reset-password page]:[email address]:[password].
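For defenders who are handed such a list and need to know which of their own organization's addresses appear in it, the following is an added example, not code from Hunt's analysis or from HIBP. It parses both line formats described above without retaining any password; the function names, the corp.example domain and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed email shape; good enough for triage, not a full RFC 5322 matcher.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_line(line):
    """Return (service_host or None, email) for a leaked line, or None.

    Handles 'email:password' and 'url:email:password'. Splitting on ':' is
    unsafe because URLs ('https://', ':8443') and passwords can contain it,
    so the email address is located first and used as the anchor.
    The password is checked for presence only and never returned or stored.
    """
    line = line.strip()
    m = EMAIL_RE.search(line)
    if not m:
        return None
    prefix, rest = line[:m.start()], line[m.end():]
    if not rest.startswith(":") or len(rest) < 2:   # no password field
        return None
    email = m.group(0).lower()
    if not prefix:                                  # plain email:password
        return (None, email)
    if not prefix.endswith(":"):                    # junk before the address
        return None
    url = prefix[:-1]
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return (host, email)

def exposed_accounts(lines, domain):
    """Map each address at `domain` to the services it was listed for."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1].endswith("@" + domain.lower()):
            hits.setdefault(parsed[1], set()).add(parsed[0] or "unknown")
    return hits

# Constructed sample lines (not real leaked data).
SAMPLE = [
    "alice@corp.example:Placeholder-1",
    "https://shop.example.net:8443/checkout:Alice@corp.example:pl:ace:holder",
    "portal.example.org/reset-password:bob@corp.example:Placeholder-2",
    "carol@other.example:Placeholder-3",
    "not a credential line",
]

if __name__ == "__main__":
    for addr, services in sorted(exposed_accounts(SAMPLE, "corp.example").items()):
        print(addr, sorted(services))
```

The resulting address-to-service map is what drives forced password resets and session revocation for the affected users.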
Hunt tested some of the email addresses and confirmed that accounts associated with them exist on those specific online services.
Then he tried contacting users whose email addresses are in some of the lists. The feedback he received – as well as the format of the data – pointed to account credentials having been compromised in previous data breaches and via infostealers.
Among the persons he contacted was a teenage boy, who said that he had been receiving emails attempting to extort money from him.
“That’s the sort of thing criminals frequenting Telegram channels such as the ones in question are using this data for,” Hunt pointed out.
Check whether your account credentials have been compromised
Compromised email accounts can also be used to send out spam, to scam users’ contacts or trick them into downloading malware. If it’s a business email account, it can also be used for BEC scams.
Accounts with other services (e.g., online payment or shopping, social networks) can be used to steal money, fraudulently order products or use services, send out spam or phishing messages, and more.
While HIBP can’t tell you whether a current password has been compromised, it can tell you whether your email address can be found in this or other data breach caches. HIBP also offers the option of entering your email address and getting notified when it pops up in a data breach.
If you discover that some of your accounts are listed, you should first scan your devices for info-stealing malware. When you’re reasonably sure that your devices are clean/have been cleaned, log in to your potentially compromised email accounts and:
- Terminate existing sessions to boot out unauthorized users
- Check whether an unknown recovery email or phone number has been added to your account and, if so, remove it
- Change the password and make it long, complex and unique
- Reset backup codes, change security questions
- Review OAuth apps associated with the account and “un-tether” the ones you don’t recognize
- Enable two-factor authentication (if you can)
- Check your “Sent” folder and email forwarding rules for possible indicators of what the account has been (mis)used for
If credentials for other accounts have been compromised, perform similar actions (where possible) and try to find out how the account has been misused.