Have I Been Pwned? Says 284 Million Accounts Stolen by Infostealer Malware
Have I Been Pwned (HIBP), a popular data breach notification service, recently added over 284 million compromised accounts to its database. This massive data breach resulted from information stealer malware. The stolen data was discovered on a Telegram channel called “ALIEN TXTBASE.”
Details of the Breach
HIBP founder Troy Hunt detailed the discovery. He found 284,132,969 compromised accounts. The data included 23 billion rows. There were 493 million unique website and email address pairs. This affected 284 million unique email addresses.
Hunt also stated, “They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284M unique email addresses.”
The data included 244 million passwords never seen before. Another 199 million passwords, already in the database, were updated.
New stealer logs: 23B rows of "ALIEN TXTBASE" logs with 284M unique email addresses have been added to HIBP. New APIs can now search these by email domain and the domain of the website they were captured on. 69% were already in @haveibeenpwned. Read more: https://t.co/33QN9ZhX9e
— Have I Been Pwned (@haveibeenpwned) February 25, 2025
The Source of the Data
The 1.5 terabytes of stealer logs likely came from many sources. The data was shared on the Telegram channel. The logs likely contain both old and new credentials. These were likely stolen through credential stuffing attacks and data breaches.
Verification and New APIs
Before adding the data, Hunt verified its authenticity. He checked if password reset attempts triggered emails. New APIs were introduced. These allow up to 1000 email address searches per minute. Domain owners and website operators (with subscriptions) can now identify affected customers. They can query the logs by email or website domain.
Access for Regular Users
When asked if regular users could check, Hunt said they could if subscribed to HIBP notifications. However, he limited public access to sensitive service information.
He said, “But it’ll only show what websites their credentials were captured against if they use the notification service to verify their address, I didn’t want to show that info publicly as it can expose the use of sensitive services.”
Hunt believes the new APIs will help organizations identify malicious activity.
He added, “The introduction of these new APIs today will finally help many organisations identify the source of malicious activity and even more importantly, get ahead of it and block it before it does damage.”
Related Breaches
HIBP previously added other data breaches. In December 2021, 441,000 accounts stolen by RedLine malware were added. Earlier this month, 12 million Zacks Investment user accounts were added. In June 2023, another 8.8 million Zacks accounts were added.