Is your email or password among the 240+ million compromised by infostealers?
For the second time since the start of 2025, a huge number of login credentials extracted from infostealer logs has been added to the database powering the HaveIBeenPwned (HIBP) site and breach notification service.
In January 2025, HIBP’s creator Troy Hunt added 71 million email addresses to the database.
This time around, Hunt has loaded 284 million unique email addresses, alongside the websites they were entered into and the passwords used, as well as 244 million never-before-seen passwords to the Pwned Passwords database.
What is HaveIBeenPwned?
Launched some eleven years ago, HaveIBeenPwned has become one of the services individuals and organizations turn to to check whether their private information or login credentials have been compromised in a data breach and/or leaked.
Hunt has been adding verified database dumps received from various sources to the HIBP database for years. With the explosion of infostealer infections in 2024, he has also begun adding account credentials scraped from infostealer logs and shared on Telegram.
“Telegram makes it super easy to publish large volumes of data (…) under the veil of anonymity and distribute it en mass. This is just one of many channels involved in cybercrime, but it’s noteworthy due to the huge amount of freely accessible data,” he explained.
This latest addition – named ALIEN TXTBASE after the Telegram channel from where the stealer logs were obtained – contains a record number of compromised login credentials.
Have your login credentials been compromised by infostealers?
Individual users who have signed up to be notified when their email address or addresses appear in a database dump or list that has been added to HIBP will be receiving notification emails. Everyone else is welcome to check manually via the service’s website, and should consider signing up to receive notifications in the future.
Users can also use HIBP’s Pwned Passwords to check whether one or more of their passwords have previously appeared in a data breach.
Organizations, on the other hand, can take advantage of two new APIs that will allow them to query stealer logs by email domain and by website domain, to discover their users’ compromised accounts with a single request.
They will first have to prove that they are the owners/operators of the domain(s), but once they do and they take out a (paid) subscription, they are good to go.
The rise of infostealers
Credentials compromised via infostealers have became a significant tool for attackers looking to find a way into organizations. Infostealers make all sorts of attacks – including targeted ones – much easier.
Despite law enforcement and legal actions aimed at disrupting high-profile infostealer operations, the infostealer threat is omnipresent: the malware is being pushed onto unsuspecting users via malicious ads, phishing emails and spear-phishing messages, LinkedIn and YouTube posts, GitHub repositories, fake human verification pages, etc.