TL;DR: A number of discussions have been had regarding the stealer log data dump known as Alien_Txtbase. A followup analysis was performed by myself here on April 27, 2025. You can use that writeup to compare to the new data. The alleged shutdown of Breachforums that occured a couple of weeks ago did remove some risk; however, a user named LEAKGOD on another security forum has started sharing new dumps of logs in excess of 100m rows. This data was not explicitly mentioned as more Alien_Txtbase data, however the files were named the appropriate filename, with the Alien_Txtbase header, consistent with previous releases. We will now perform an analysis of the data to investigate how real the threat is (and discuss the records therein).
The files have the following headers, advertising the telegram channel; as the intent of these datasets is to drive paying traffic to closer to real-time log purchases:
|=====================================================================================|
| ___ _ _____ _____ _ _ _______ _____________ ___ _____ _____ |
| / _ \ | | |_ _| ___| \ | | |_ _\ \ / /_ _| ___ \/ _ \ / ___| ___| |
| / /_\ \| | | | | |__ | \| | | | \ V / | | | |_/ / /_\ \\ `--.| |__ |
| | _ || | | | | __|| . ` | | | / \ | | | ___ \ _ | `--. \ __| |
| | | | || |_____| |_| |___| |\ | | | / /^\ \ | | | |_/ / | | |/\__/ / |___ |
| \_| |_/\_____/\___/\____/\_| \_/ \_/ \/ \/ \_/ \____/\_| |_/\____/\____/ |
| |
| JOIN TELEGRAM TXTBASE: |
| JOIN TELEGRAM TXTBASE: SNIP |
| JOIN TELEGRAM TXTBASE: |
| _________________________________________________________________ |
| ▼ BUY PRIVATE SUBSCRIPTION ON OUR 7/24 ONLINE SHOP BOT ▼ |
| |
| |
SNIP
So uh, that’s not overly hard to determine attribution. One interesting pattern is that:
- again, the filenames match consistent with previous similar dumps
- the user LEAKGOD was registered on April 18, after the loss of Breachforums on April 15 2025; it’s likely safe to assume this move is due to the shutdown of Breachforums
It can’t be stated with 100% confidence, but it is a fun coincidence.
The Delta
As we are interested in the passwords, and the patterns therein, we split the passwords off the records into its own file (most records are the format url:username:password, with some ~ username:password:url; we’ll simply discard the latter for speed of processing).
Since it’s clear that the data is from the same source, a delta was taken between the previous dataset known as Alien_Txtbase and these new 126m records, resulting in a count of 115,052,049; representing ~ 115m passwords that were not in the previous release as consumed by HIBP. This will allow us to discuss only the new records.
The Base Words
| Base Word | Count |
|---|---|
| https | 571172 |
| not_saved | 443457 |
| admin | 171592 |
| empty | 158080 |
| null | 101519 |
| password | 95953 |
| http | 87172 |
| qwerty | 70506 |
| abcd | 60078 |
| pass | 58566 |
We can disregard a couple of the records due to simply the result of dealing with the always clobbered formatting of credential lists that get posted on forums such as breached; they’re always clobbered to shit. But once you disregard those, you see a pretty standard set of base words (where basewords are the special characters and numbers stripped off); ie a baseword of admin could come from a password admin123. Nothing exciting here, given it’s stealer logs, and people are garbo at generating their own memorable passwords, you get what you see here.
Password Lengths
| Length | Count (and percentage) |
|---|---|
| 0 | 27016547 (23.48%) |
| 8 | 14646744 (12.73%) |
| 10 | 13222738 (11.49%) |
| 9 | 12364743 (10.75%) |
| 11 | 9986999 (8.68%) |
| 12 | 7868279 (6.84%) |
| 15 | 5865040 (5.1%) |
| 13 | 5018872 (4.36%) |
| 6 | 4107552 (3.57%) |
| 14 | 3643896 (3.17%) |
| 7 | 2178896 (1.89%) |
| 16 | 1760288 (1.53%) |
| 5 | 1379197 (1.2%) |
This collection spread across a couple of days of datasets trended closer to realistic lengths, which is nice. That may be better processing on the part of the person that’s processing the logs and posting the credential sets. You still get a number of email addresses from clobbered layout, so it kinda throws a wrench in some of the data; but it’s trending towards good stuff.
Some Domain Samples
For curiosity’s sake we’ll take some samples of the domains that are impacted to highlight what organizations should be concerned about rotating credentials.
| Domain | Count |
|---|---|
| irs.gov | 11297 |
| pornhub.com | 112152 |
| proton.me | 51444 |
| onlyfans.com | 72780 |
| ashleymadison.com | 9961 |
Since stealer logs pull their content from the saved credential store of browsers, the involved domains obviously trend towards erm, consumer-facing sites. You’ll see odd pockets of government, financial, and so on when a user didn’t have good security posture and saved a work account’s credentials; but generally it’s consumer, which leads to it also being a little spicy. This does however also reduce the risk of impact down to reasonably inconsequential personal accounts, which is great news.
This trends very similar to the last set; but you’d expect that from stealer logs.
Conclusion
The.. what seems like it might be the, ironically, last stealer logs from this forum, demonstrates the same trend, and establishes a pattern we can lean on in the future. This forum in question has now also been down for a day now, so we’ll see if that comes back up.
For an organization or application that’s following NIST 800-63B as they should and forcing complexity and a correct 12+ characters minimum length (and hopefully using a breached corpus) you’d just dodge any re-use of these common passwords. Strong MFA (preferably multiple factors, ala Specops Authentication) should be enabled where possible, and users should be taught never to share a multi-factor code with another user or their servicedesk.
Same old poorly processed crap scraped from personal machines. Stop using browser password stores, and use a password manager such as Bitwarden instead.
On shutting down dark forums
This blog post ends up with good timing for some thoughts on the act of shutting down vs monitoring dark forums. The problem with shutting them down; as much as we have to chase down these groups and appropriately deal with the people running them, it does create a chicken and egg problem where threat hunters and other security volitions need to chase the ball and find them when they move on. It’s a similar problem to how software piracy was in the days of ThePirateBay.
There is something to be said for the devil you know, and having a central location for agencies and threat hunters to monitor and process data from, such as using the data to add to a breached corpus for users to block leaked passwords. Bad actors will always find a way to share their ‘work’ with each other, it’s upt to the good guys to find them.
So with this likely further shutdown, off we go to find where they scattered to! I have a different topic to discuss next week regarding some infosec advertising trends, but stay tuned for that. We’ll relax on the stealer log data for a bit while we chase down the next one.
Also RIP GiantBomb and Polygon. Venture Capital is the worst. <>