Introduction
In early 2025 [2] [6], Have I Been Pwned (HIBP) [2] [3] [4] [5] [8], a prominent cybersecurity platform founded by Troy Hunt, significantly expanded its database by integrating a vast collection of compromised data known as “ALIEN TXTBASE.” This integration underscores the growing threat of infostealer malware and its impact on global cybersecurity, highlighting the need for robust protective measures and awareness.
Description
In early 2025 [2] [6], Have I Been Pwned (HIBP) [2] [3] [4] [5] [8], founded by Troy Hunt [2] [3] [8], significantly expanded its database by integrating a massive collection of compromised data known as “ALIEN TXTBASE.” This dataset, comprising 1.5 terabytes and 23 billion entries, included 493 million unique pairs of website and email addresses, impacting 284 million individual email addresses compromised by infostealer malware [3]. The update also added 244 million previously unseen passwords to the Pwned Passwords feature, along with updated frequency counts for another 199 million existing entries [4]. The data was sourced from a Telegram channel that shared “stealer logs,” which documented credentials harvested from malware-infected devices [8]. Initially, the channel provided teaser files before requiring paid subscriptions for full access [8], and it hosted a total of 744 files used for credential-stuffing attacks.
The rise in infostealer infections in 2024 was marked by notable variants like Lumma, StealC [3] [5] [7], and Redline [3] [7], which infected 4.3 million machines and compromised 330 million credentials [7]. These attacks primarily targeted personal computers [7], with nearly 65% of infected devices storing corporate credentials [7], including email accounts and systems like Active Directory Federation Services [7]. A cybersecurity report revealed that 3.9 billion credentials were shared in credential lists sourced from infostealer logs [7], underscoring the alarming trend of credential theft [7]. One significant incident involved the breach of Snowflake [7], where attackers accessed customer accounts using stolen login credentials obtained through infostealers [7], affecting at least 165 companies [7].
Infostealer malware often hides in cracked software [1], including cracked versions of popular applications such as Adobe products, and can be disguised as legitimate software [1]. Once installed, the malware runs in the background [1], capturing login credentials [2] [6] [7] [9], keystrokes [3], browser-stored passwords [3], and authentication cookies as they are entered on the infected device. These programs are frequently distributed through phishing messages, malicious downloads [2] [6] [10], and pirated software [2] [4] [8] [10]. The ALIEN TXTBASE data surfaced in February 2025 after a government agency alerted HIBP to two files containing compromised email addresses and passwords associated with various websites. Further investigation revealed a larger collection of over 744 files shared on Telegram, a platform increasingly used for distributing cybercriminal data [2].
While the ALIEN TXTBASE dataset contains some authentic stealer logs, it also includes unreliable and potentially recycled data. Testing a sample of email addresses from the leak indicated that many were nonexistent [5], with only one valid email previously exposed in the 2020 ‘APB Combolist 58M’ leak [5]. This suggests that a significant portion of the credentials may be artificially generated or derived from earlier leaks. Caution is advised regarding alarmist interpretations of the dataset [5], as the presence of an email does not confirm that it was stolen via malware or that the user is currently at risk [5].
The increase in cyberattacks linked to infostealer malware has led to a reported 58% surge in incidents, with over 10 million stolen credentials now available on the dark web [10], particularly affecting organizations in the EMEA region. Infostealers pose a significant threat to cybersecurity [10], driving major data breaches that have impacted organizations such as Ticketmaster and AT&T, where hackers accessed accounts through compromised credentials [10].
To assist organizations in identifying compromised accounts, HIBP has launched two new GraphQL APIs under its Pwned 5 subscription tier [3]. The Domain-Centric Stealer Log Search allows domain administrators to query their entire domain for stealer logs, retrieving the email aliases and associated website domains for any domain they control via DNS [3]. The Website Operator Search enables service providers to identify customers whose email addresses were captured while logging in, returning all email addresses that appear in stealer logs alongside credentials entered on the operator's own domains [3]. A new “IsStealerLog” flag has also been introduced so that stealer log data can be handled differently from conventional breach data [4]. These tools let organizations trigger password resets and enforce multi-factor authentication for the affected accounts [3], helping them mitigate the risks associated with credential-based attacks.
HIBP’s Pwned Passwords feature serves as a massive open-source repository that enables users to check whether their passwords have appeared in breaches without disclosing the searched password. The service now processes 10 billion API requests monthly [3], supporting password policies worldwide [3], and uses a k-anonymity model in which the client submits only a prefix of the password’s SHA-1 hash and completes the match locally.

Verification of the ALIEN TXTBASE dataset involved testing email addresses against legitimate services and communicating directly with affected users [2], confirming the authenticity of the stolen credentials [2]. Recently, HIBP also added the login data of approximately 96 million users from the online gaming platform 1win to its archive. Despite ongoing efforts by law enforcement to disrupt infostealer operations [6], these malware variants remain a critical tool for attackers. Individuals and organizations are advised to use password managers [2], enable multi-factor authentication (MFA) [2] [3] [8], avoid downloading pirated software [2], regularly check for breaches using HIBP [2], and deploy endpoint security solutions to reduce the risk of credential theft [2]. Users can sign up for notifications when their email addresses appear in new database dumps or check manually via the HIBP website [6]. The integration of the Telegram-distributed logs into HIBP aims to disrupt attackers’ economic models by making previously exclusive data publicly accessible [3], highlighting both the persistent growth of credential-based threats and HIBP’s evolution into a vital component of modern cybersecurity [3].
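As an added example (not code from HIBP or from any of the articles cited above), the following Python shows the k-anonymity range lookup described in the previous paragraph: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the remaining 35 characters locally against the returned range, discarding the zero-count padding rows the service can add. The range response below is a constructed stand-in for the real API and its counts are invented; the optional live fetcher assumes the public `https://api.pwnedpasswords.com/range/<prefix>` endpoint and its `Add-Padding` header.

```python
import hashlib
import urllib.request

# Constructed offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The real service answers with "SUFFIX:COUNT" lines; the counts here are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004",  # SHA-1("password") minus its 5-char prefix
        "003D68EB55068C33ACE09247EE4C639306B:3",         # unrelated hash in the same range
        "01BBE45E23FF4F4D0D8F75B6F8A6C9B3C84:0",         # padding row (count 0), as sent with Add-Padding
    ]),
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse a range response into {SUFFIX: count}, dropping padding rows (count 0)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:  # zero-count rows exist only to mask the true response size
            counts[suffix.upper()] = n
    return counts

def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher used by this example; unknown prefixes yield an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised here): only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Number of times the password appears in the breach corpus, 0 if absent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    assert len(prefix) == 5  # k-anonymity: this is all the server ever sees
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Pass `fetch_range_live` as the second argument to query the real service; the matching logic is identical, and the full hash never leaves the client.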
Conclusion
The integration of the ALIEN TXTBASE dataset into HIBP’s database marks a significant advancement in the fight against credential theft and cybercrime. By making compromised data publicly accessible, HIBP aims to disrupt the economic models of cybercriminals and enhance global cybersecurity awareness. Organizations and individuals are encouraged to adopt robust security measures, such as multi-factor authentication and regular breach checks, to mitigate the risks associated with infostealer malware [7]. As cyber threats continue to evolve, platforms like HIBP play a crucial role in safeguarding digital identities and maintaining the integrity of online systems.
References
[1] https://www.heise.de/en/news/Data-leak-search-website-Have-I-Been-Pwned-increased-by-284-million-accounts-10296319.html
[2] https://cyberinsider.com/hibp-adds-284-million-stolen-credentials-from-infostealer-logs/
[3] https://cybersecuritynews.com/have-i-been-pwned-added-284-million-accounts-stolen/
[4] https://hackread.com/have-i-been-pwned-alien-txtbase-data-emails-passwords/
[5] https://www.infostealers.com/article/alien-txtbase-data-leak-a-deep-analysis-of-the-breach/
[6] https://www.helpnetsecurity.com/2025/02/26/240-million-login-credentials-passwords-compromised-by-infostealers/
[7] https://www.foxnews.com/tech/malware-exposes-3-9-billion-passwords-huge-cybersecurity-threat
[8] https://gbhackers.com/have-i-been-pwned-reports-huge-data-leak/
[9] https://www.troyhunt.com/processing-23-billion-rows-of-alien-txtbase-stealer-logs/
[10] https://www.infosecurity-magazine.com/news/haveibeenpwned-244-million/