Massive Data Dump Exposes 284 Million Compromised Accounts on Telegram

In yet another sign of cybercriminals shifting their tactics, Have I Been Pwned (HIBP) has added over 284 million compromised accounts harvested from stealer malware and leaked on Telegram. This dataset, discovered in a massive 1.5TB trove of logs from the "ALIEN TXTBASE" channel, underscores the growing role of messaging platforms in cybercrime.

According to HIBP founder Troy Hunt, the breach consists of an astounding 23 billion data rows, comprising 493 million unique website and email address pairs, affecting 284 million individual email accounts.


"We've also added 244 million passwords we've never seen before to Pwned Passwords and updated the counts against another 199 million that were already in there," Hunt revealed in a blog post. The dataset likely contains a mix of new and old stolen credentials, further fueling credential stuffing attacks and unauthorized access to online accounts.


Telegram: The New Dark Web?

Victor Acin, Head of Threat Intel at Outpost24, points to a disturbing trend in how cybercriminals share and monetize stolen data.


"The addition of 284 million compromised accounts to Have I Been Pwned underscores a growing trend in cybercriminal tactics—shifting from dark web marketplaces to more accessible platforms like Telegram for data sharing and sales," Acin explained.

"This aligns with what we've observed in recent years, where threat actors increasingly use communication platforms for illicit activities due to their ease of access and lower risk of takedowns."


This shift makes it more difficult for law enforcement and security teams to track and take down malicious actors, as Telegram offers a semi-private, decentralized space that is harder to regulate than traditional dark web forums.


New APIs Enable Proactive Defense

To mitigate the impact of these breaches, HIBP has introduced new API capabilities allowing domain owners and website administrators (who subscribe to the service) to search up to 1,000 email addresses per minute against the newly added stealer logs.


When asked if individual users could check whether their credentials appeared in the ALIEN TXTBASE leak, Hunt clarified that they could—but with a caveat.


"But it'll only show what websites their credentials were captured against if they use the notification service to verify their address. I didn't want to show that info publicly as it can expose the use of sensitive services," Hunt explained.


The ability to proactively identify compromised accounts could significantly bolster security for organizations and prevent malicious activity before it escalates.


"The introduction of these new APIs today will finally help many organizations identify the source of malicious activity and even more importantly, get ahead of it and block it before it does damage," Hunt added.


ALIEN TXTBASE: A Cybercriminal’s Exit?

The emergence of ALIEN TXTBASE has been closely monitored by security firms. Borja Rodriguez, Manager of Threat Intelligence Operations at Outpost24, noted that KrakenLabs has been tracking this particular threat actor for months.


"The recent addition of 284 million compromised accounts to Have I Been Pwned (HIBP) underscores the persistent threat posed by information stealer malware," Rodriguez said. "At KrakenLabs, we've been closely monitoring the threat actor behind the ALIEN TXTBASE data leak, observing their periodic release of stolen credentials over several months."


But the saga took an unexpected turn. Following increased media scrutiny, the individual behind ALIEN TXTBASE announced they were shutting down their Telegram channel and ceasing operations.


"In a post on Breach Forums, they stated their intention to close all related activities and even changed their forum alias. However, our experience indicates that such actors often resurface under new identities, making ongoing vigilance essential," Rodriguez warned.


Old Data, New Risks

Despite the massive scale of the leak, some experts urge caution in assessing its actual risk.

"While the size of this dataset is significant, it is not an outlier in the broader landscape of cybercrime," Acin said. "Threat intelligence teams regularly uncover similar data dumps, often composed of stolen information from previous breaches and infections. The fact that this dataset includes a mix of old and new credentials suggests that cybercriminals continue to recycle compromised data, increasing the risk of account takeovers for users who reuse passwords."


Adding to the complexity, Rodriguez noted that not all the data in ALIEN TXTBASE is necessarily authentic.


"It's important to note that analyses of the ALIEN TXTBASE dataset have revealed inconsistencies, including artificially generated or recycled data from previous breaches," he explained. "While some authentic stealer logs are present, the dataset also contains fabricated or outdated information. Therefore, organizations and individuals should assess their exposure carefully, implement robust security practices, and avoid undue alarm over sensationalized reports."


What Should Users and Organizations Do?

Given the growing sophistication of credential theft and the reuse of stolen data, security experts emphasize the importance of strong cybersecurity hygiene.


"For individuals, this reinforces the critical need for strong security practices, including unique passwords for each account, multi-factor authentication, and regular checks on services like Have I Been Pwned to monitor for potential exposure," Acin advised.


"Organizations should also enhance their threat intelligence capabilities to track emerging risks from alternative platforms like Telegram and proactively secure their users' data."


As data breaches become increasingly commonplace, users and businesses alike must stay vigilant, adapt their security measures, and take proactive steps to protect their digital identities. The days of assuming data breaches only happen on the dark web are over—now, they’re happening right in the open.

