Have I Been Pwned Added 284 Million Accounts Stolen by Information Stealer Malware


Feb 26, 2025 - 09:07

Have I Been Pwned (HIBP) has incorporated 284 million email addresses compromised by information-stealer malware into its breach notification service.

The data originates from a 1.5TB corpus of stealer logs dubbed “ALIEN TXTBASE”, marking one of the largest malware-related dataset incorporations in HIBP’s 11-year history. 

This update expands HIBP’s repository to include 493 million unique website-email pairs and introduces critical tools for organizations to combat credential-based attacks.

Origin of ALIEN TXTBASE

The dataset emerged from a Telegram channel operated by cybercriminals distributing stealer logs—records of credentials harvested by malware like RedLine or Vidar. 

These logs capture keystrokes, browser-stored passwords, and authentication cookies from infected devices. 

HIBP founder Troy Hunt collaborated with international government agencies to acquire the 744-file corpus, which contained 23 billion raw entries of credentials extracted from victims’ machines.

Verification involved cross-referencing entries against target services. For example, Netflix accounts listed in the logs were confirmed via geofenced password reset flows—accessing country-specific login portals (e.g., /ph-en/login for Philippine users) through VPNs. 

Hunt validated geographic consistency by testing entries against localized authentication endpoints, confirming both account existence and the malware’s accuracy in capturing login contexts.

Enterprise-Focused Search APIs

HIBP introduced two GraphQL APIs under its Pwned 5 subscription tier to help organizations mitigate risks:

Domain-Centric Stealer Log Search: Allows domain administrators to retrieve all email aliases (e.g., john@ in john@example.com) and associated website domains (e.g., netflix.com) from their DNS-controlled domains. Outputs JSON mappings like {"john": ["netflix.com"]}.

Website Operator Search: Enables service providers like Netflix to fetch all email addresses exposed in stealer logs when users enter credentials into their domains, returning arrays like ["john@example.com"].

These APIs address credential-stuffing attack vectors by letting enterprises identify compromised accounts and enforce multi-factor authentication or password resets. 

The Pwned 5 tier provides 1,000 requests/minute rate limits, with pricing starting at $3,500/month for sustained access.
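As an added example (not code from the article or from HIBP), the following Python turns a domain-centric search result of the shape shown above into a triage list. It assumes the JSON shape {"alias": ["site", ...]} described in the text, does not call the API itself, and uses a constructed directory snapshot in place of a real identity provider lookup. Because a stealer log means the user's device was infected and that session cookies were captured alongside passwords, the triage revokes sessions and flags the endpoint for investigation rather than stopping at a password reset.

```python
import json
from collections import defaultdict

# Constructed sample of the domain-centric search output described in the
# article (alias -> list of websites where a stealer log captured a login).
# This is NOT real HIBP output; only the JSON shape is taken from the text.
SAMPLE_DOMAIN_RESULT = json.dumps({
    "john": ["netflix.com", "github.com"],
    "alice": ["netflix.com"],
    "svc-backup": ["vpn.example.com"],
})

# Constructed directory snapshot standing in for an IdP lookup (hypothetical).
SAMPLE_DIRECTORY = {
    "john": {"active": True, "mfa": False},
    "alice": {"active": True, "mfa": True},
    "svc-backup": {"active": False, "mfa": False},
}


def expand_addresses(result_json: str, email_domain: str) -> dict:
    """Rebuild full addresses from the alias -> sites mapping."""
    data = json.loads(result_json)
    return {f"{alias}@{email_domain}": sorted(sites) for alias, sites in data.items()}


def triage(result_json: str, email_domain: str, directory: dict) -> dict:
    """Assign an ordered action list to every exposed account.

    Stealer logs capture browser-stored passwords AND authentication cookies,
    so an active account needs its sessions revoked and its device checked,
    not just a new password. Accounts that are unknown or already disabled
    are confirmed as disabled so no dormant access survives.
    """
    actions = {}
    for alias in json.loads(result_json):
        email = f"{alias}@{email_domain}"
        entry = directory.get(alias)
        if entry is None or not entry["active"]:
            actions[email] = ["confirm-disabled", "investigate-endpoint"]
            continue
        steps = ["revoke-sessions", "force-reset", "investigate-endpoint"]
        if not entry["mfa"]:
            steps.append("enroll-mfa")
        actions[email] = steps
    return actions


def sites_by_exposure(result_json: str) -> dict:
    """Count distinct aliases captured per website, which shows a SOC where
    infected devices were used to log in (e.g. a corporate VPN portal)."""
    counts = defaultdict(int)
    for sites in json.loads(result_json).values():
        for site in set(sites):
            counts[site] += 1
    return dict(counts)


if __name__ == "__main__":
    for email, steps in triage(SAMPLE_DOMAIN_RESULT, "example.com", SAMPLE_DIRECTORY).items():
        print(email, "->", ", ".join(steps))
    print(sites_by_exposure(SAMPLE_DOMAIN_RESULT))
```

The action names are placeholders for whatever the organization's IdP or ticketing workflow uses; the point of the structure is that the decision is driven by the stealer-log signal plus directory state, not by the password alone.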

HIBP’s open-source password breach repository added 244 million new unique passwords from ALIEN TXTBASE, including patterns like tender-kangaroo and CaptainKangaroo. 

The service now contains over 13 billion compromised credentials, and 10 billion API requests per month inform password policies globally. The k-anonymity model lets users check a password securely: only a partial SHA-1 hash prefix is sent to the service, never the password itself.
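To make the k-anonymity check concrete, here is an added Python example (not code from the article or from HIBP). It hashes a candidate password with SHA-1, splits the digest into the 5-character prefix that is sent and the 35-character suffix that stays on the client, and parses a range response in the documented "SUFFIX:COUNT" line format. The response body below is constructed for the example, with made-up counts, so the code runs offline; the range URL it builds is the real Pwned Passwords endpoint. Zero-count padding lines (which the service returns when a client asks for padding) are dropped so they are not mistaken for matches.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response (NOT real API output;
# counts are made up). Each line is a 35-char uppercase hex suffix, a colon,
# and the number of times that full hash was seen in breach data.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10437277
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:0
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.

    The prefix is the only thing that leaves the client; every hash sharing it
    comes back in one response, so the server never learns which one was asked for.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    # Real Pwned Passwords range endpoint; the prefix is the whole query.
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Lines with a count of 0 are padding entries added to hide the true
    response size; they are not matches and are left out.
    """
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        count = int(count)
        if count > 0:
            seen[suffix.upper()] = count
    return seen


def breach_count(password: str, response_body: str) -> int:
    """How many times `password` appears in the corpus; 0 means not found.

    The comparison happens locally against the suffixes in the response.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(response_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("query:", range_url(prefix))
    print("seen:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

In a real deployment the body passed to breach_count comes from an HTTP GET of range_url(prefix); a password policy would then reject any candidate whose count is above zero (or above a chosen threshold) at registration and password-change time.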

Implications for Cybersecurity

This update shifts how enterprises approach attack surface management:

  • SOC Teams can now trace credential leaks to specific malware campaigns rather than generic “third-party breaches.”
  • Identity Providers like Okta or Microsoft Entra ID gain actionable data to harden conditional access policies against stealer-log-sourced credentials.
  • CISO Prioritization: With HIBP’s IsStealerLog breach flag, organizations can triage incidents involving direct malware compromises over bulk database dumps.

Hunt emphasized that while the Telegram-distributed logs represent a fraction of global stealer activity, integrating them into HIBP disrupts attackers’ economic models by converting exclusive data into public awareness. 

The service now processes 10,000 new compromised accounts/minute from ongoing malware operations, underscoring the relentless growth of credential-based threats.

The ALIEN TXTBASE integration exemplifies HIBP’s evolution from a breach-notification tool to a critical infrastructure component in modern cybersecurity.

By transforming raw stealer logs into actionable intelligence, HIBP equips enterprises and individuals to preempt account takeovers—proving that even data born from criminal endeavors can be weaponized for defense. 

As Hunt noted, this corpus is “just one of many channels,” but its inclusion marks a pivotal step in democratizing access to malware intelligence.


The post Have I Been Pwned Added 284 Million Accounts Stolen by Information Stealer Malware appeared first on Cyber Security News.