A tip-off from a government agency has resulted in 284 million unique email addresses and plenty of passwords snarfed by credential-stealing malware being added to privacy-breach-notification service Have I Been Pwned (HIBP).
HIBP founder Troy Hunt said an unnamed agency alerted him to the existence of the trove after he published an analysis of a separate massive collection of info-stealer logs he encountered and incorporated into his site in mid-January.
“After loading the aforementioned corpus of data, someone in a government agency reached out and pointed me in the direction of more data by way of two files totaling just over 5GB,” Hunt wrote this week.
The names of both files provided to Hunt contained the word “Alien”, a clue that led him to a Telegram channel called Alien Txtbase that peddled a huge amount of stolen website credentials quietly collected by info-stealer malware running on people’s infected devices.
One file alone contained more than 36 million rows of data listing websites, email addresses, and passwords siphoned by malware. The Telegram channel operator was offering that dataset under a subscription plan.
In total, Alien Txtbase offered 1.5TB of stolen data in files that contain 23 billion rows of info-stealer logs and list 493 million unique website and email address pairs. The trove includes 284 million unique email addresses. They’re called logs because they are records of private information literally logged by hidden malware as users type in their details and credentials on infected PCs and other devices; this sensitive info is then sent to criminals to sell and exploit.
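The rows Hunt describes are the unit of a stealer log: one website, one email address, one password. As an added example (not Hunt's code or HIBP's), here is a Python parser for that row format that derives the same two figures HIBP reports, unique email addresses and unique website/email pairs, and flags the rows a defender cares about: addresses on their own email domain, and credentials captured for a site they run. The sample rows are constructed, and the `url:email:password` field order with a `:` separator is an assumption; real dumps vary by stealer family, and passwords can themselves contain `:`, which the parser handles.

```python
"""Parse info-stealer log rows and summarise them the way HIBP does."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample, not real data. Field order url:email:password and the
# ':' separator are assumptions; stealer families differ, and passwords may
# themselves contain ':' (see the third row), so splitting must be careful.
SAMPLE_ROWS = """\
https://login.example.com/auth:alice@corp.example:Summer2024!
https://login.example.com/auth:alice@corp.example:Summer2024!
https://bank.example.net/signin:bob@gmail.example:p@ss:word
http://shop.example.org/:Carol@Corp.Example:hunter2
https://vpn.corp.example/:dave@outlook.example:letmein
garbage line without separators
https://login.example.com/auth:alice@corp.example:Summer2025!
"""

# The URL is matched lazily so the first ':' after it introduces the email;
# an email cannot contain ':' so everything after it is the password, colons
# and all.
ROW_RE = re.compile(r"^(?P<url>\S+?):(?P<email>[^\s:@]+@[^\s:@]+):(?P<password>.*)$")


@dataclass(frozen=True)
class StealerRow:
    website: str    # host part of the URL, lower-cased
    email: str      # lower-cased so duplicates collapse
    password: str   # kept verbatim; case matters here


def host_of(url: str) -> str:
    """Reduce a captured URL to its host; tolerate rows with no scheme."""
    host = urlsplit(url).hostname or urlsplit("//" + url).hostname
    return (host or url).lower().rstrip(".")


def parse_row(line: str) -> StealerRow | None:
    m = ROW_RE.match(line.strip())
    if not m:
        return None   # truncated or foreign format: count it, don't guess
    return StealerRow(host_of(m["url"]), m["email"].lower(), m["password"])


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


@dataclass
class Summary:
    rows: int                 # non-blank input lines
    parsed: int               # rows in the expected format
    unique_emails: int
    unique_pairs: int         # distinct (website, email) combinations
    rotated_pairs: int        # pairs seen with more than one password
    own_users: list[str]      # addresses on a watched email domain
    own_sites: list[tuple[str, str]]  # (website, email) captured for a watched site


def summarise(text: str, watch_domains: set[str]) -> Summary:
    lines = [l for l in text.splitlines() if l.strip()]
    rows = [r for r in map(parse_row, lines) if r is not None]
    passwords: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in rows:
        passwords[(r.website, r.email)].add(r.password)
    emails = {r.email for r in rows}
    own_users = sorted(e for e in emails
                       if any(in_domain(e.rsplit("@", 1)[1], d) for d in watch_domains))
    own_sites = sorted(p for p in passwords
                       if any(in_domain(p[0], d) for d in watch_domains))
    return Summary(len(lines), len(rows), len(emails), len(passwords),
                   sum(1 for s in passwords.values() if len(s) > 1),
                   own_users, own_sites)


if __name__ == "__main__":
    print(summarise(SAMPLE_ROWS, {"corp.example"}))
```

Two points worth noting: the `rotated_pairs` figure separates a user who changed their password after the first theft from one whose single password is merely duplicated across dumps, and `own_sites` catches a case that an email-domain search misses, namely a customer with a third-party address whose credential for your site was stolen.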
Hunt parsed the trove and added 244 million new compromised passwords to Pwned Passwords and updated frequency counts for an additional 199 million passwords already in the database.
Also today, HIBP added two APIs that allow paid users to query stealer logs by email domain and website domain. “Both these new APIs are orientated towards larger organisations and can return vast volumes of data,” Hunt wrote.
HIBP offers a five-tier subscription scheme to access the APIs. Prices range from $3.95 a month/$39.50 a year to $274 a month/$2,740 a year. The more you pay, the more queries you can make.
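The Pwned Passwords update and the new domain APIs are both meant to be consumed programmatically. The following Python client is an added example, not HIBP's own code: it checks a password through the k-anonymity range API (free, no key; only the first five hex characters of the SHA-1 leave the host, and the match is done locally on the returned bucket) and wraps the two stealer-log domain queries behind an injectable HTTP transport so it can be exercised offline. The `hibp-api-key` header, the `Add-Padding` header and the range endpoint are as documented by HIBP; the two stealer-log endpoint paths and the JSON shapes they return are assumptions to be confirmed against the current HIBP API documentation, and the fake responses below are constructed.

```python
"""Query Have I Been Pwned from a script: Pwned Passwords through the
k-anonymity range API and the stealer-log domain endpoints described in the
article. The HTTP transport is injectable so the code runs offline."""
from __future__ import annotations

import hashlib
import json
import urllib.error
import urllib.request
from typing import Callable, Mapping

# fetch(url, headers) -> (http_status, response_body)
Fetch = Callable[[str, Mapping[str, str]], tuple[int, str]]

USER_AGENT = "example-hibp-client/1.0"   # HIBP rejects requests with no UA
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
# Assumption: these are the stealer-log paths in HIBP's v3 API documentation
# at the time of writing; confirm them against the current docs.
BY_EMAIL_DOMAIN_URL = "https://haveibeenpwned.com/api/v3/stealerlogsbyemaildomain/{domain}"
BY_WEBSITE_DOMAIN_URL = "https://haveibeenpwned.com/api/v3/stealerlogsbywebsitedomain/{domain}"


def http_fetch(url: str, headers: Mapping[str, str]) -> tuple[int, str]:
    """Real transport: 4xx/5xx are returned as data so callers can branch."""
    req = urllib.request.Request(url, headers=dict(headers))
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def pwned_count(password: str, fetch: Fetch = http_fetch) -> int:
    """How many times the password appears in Pwned Passwords (0 = not seen).

    Only the 5-char SHA-1 prefix goes over the wire; the server returns every
    suffix in that bucket and the comparison happens here. Add-Padding makes
    bucket sizes uniform so response length leaks nothing; padded entries
    carry a count of 0, which correctly reads as "not seen".
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    status, body = fetch(RANGE_URL.format(prefix=prefix),
                         {"User-Agent": USER_AGENT, "Add-Padding": "true"})
    if status != 200:
        raise RuntimeError(f"range API returned HTTP {status}")
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def _authed_json(url: str, api_key: str, fetch: Fetch, empty):
    status, body = fetch(url, {"User-Agent": USER_AGENT, "hibp-api-key": api_key})
    if status == 404:
        return empty            # HIBP signals "nothing on file" with 404
    if status == 401:
        raise PermissionError("hibp-api-key missing or not entitled to this endpoint")
    if status == 429:
        raise RuntimeError("rate limited; back off and retry")
    if status != 200:
        raise RuntimeError(f"HIBP returned HTTP {status} for {url}")
    return json.loads(body)


def stealer_logs_for_email_domain(domain: str, api_key: str,
                                  fetch: Fetch = http_fetch) -> dict:
    """Stealer-log hits for addresses on a domain you control.
    Assumed response shape: JSON object mapping email alias -> list of
    websites the stolen credential was captured for."""
    return _authed_json(BY_EMAIL_DOMAIN_URL.format(domain=domain), api_key, fetch, {})


def stealer_logs_for_website_domain(domain: str, api_key: str,
                                    fetch: Fetch = http_fetch) -> list:
    """Email addresses whose credentials for a website domain you run were stolen.
    Assumed response shape: JSON array of email addresses."""
    return _authed_json(BY_WEBSITE_DOMAIN_URL.format(domain=domain), api_key, fetch, [])


def make_fake_fetch(responses: Mapping[str, tuple[int, str]]) -> Fetch:
    """Offline transport keyed by URL; unknown URLs get a 404 like HIBP does."""
    seen: list[str] = []

    def fetch(url: str, headers: Mapping[str, str]) -> tuple[int, str]:
        seen.append(url)
        return responses.get(url, (404, ""))

    fetch.seen = seen  # type: ignore[attr-defined]
    return fetch
```

To run it for real, call `pwned_count("...")` with the default transport, or pass a key from a paid tier to the two domain functions; the fake transport exists so the parsing and status handling can be tested without spending quota.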
How stealers work
Criminals steal personal info by first tricking victims into downloading info-stealer malware that is often disguised as legitimate software updates or apps. Sometimes they phish instead, sending documents that threaten legal action to pressure the recipient into opening them.
When a victim opens the phony attachment or software, usually on a Microsoft Windows PC, it downloads and executes the stealer, which lurks in the background and watches as users enter credentials, bank account info, and other sensitive info as they surf the web. The info-stealer malware records that info and sends it to crooks who bundle it up for sale.
Buyers use the harvested creds for other criminal activities including ransomware attacks, data theft, and cryptomining on hijacked cloud compute resources.
Hayden Evans, cyber threat intelligence analyst at ReliaQuest, told The Register in an earlier interview that criminals want an “easy button”, and that credentials obtained from info-stealer logs let crims log in to a service as easily as anyone else.
“The main takeaway for defenders is the ongoing sentiment: Attackers don’t hack in, they log in,” Evans said. “Essentially, attackers aim for the path of least resistance that has a higher chance of success.” ®