DIVD-2024-00022 - Millions of credentials scraped from Telegram
Our reference | DIVD-2024-00022 |
Case lead | Frank Breedijk |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | We recommend that CSIRTs, CERTs, and security teams contact us to get the list of domains found. After verification they can get more detailed data for the domains applicable to their constituency. |
Status | Open |
Last modified | 21 Aug 2024 18:05 CEST |
Summary
On 4 June 2024 an anonymous security researcher contacted the DIVD CSIRT to request assistance with victim notification. He and his partners had infiltrated various Telegram chat groups in which large volumes of accounts were being exchanged. These accounts largely fall into two categories: combo lists and stealer logs.
Combo lists typically contain lots of credentials, but with very little context. Typically they contain only the account name, which is often an email address, and a password. Because of this lack of context, and the sheer volume of email addresses, we have decided that it would not be practical to perform victim notification on this data.
Stealer logs contain somewhat more information. Typically they contain at least a username, a password and the URL of the service these credentials belong to. In this case we have a little additional context: the approximate date and time when the data was scraped from Telegram.
Our source also handed over the data to Troy Hunt for inclusion in Have I Been Pwned. In Troy Hunt’s blog he describes the data and puts the volume at about 317 Million unique email addresses.
What we are doing
We have also analyzed this data, with a focus on those files that we can identify as stealer logs. The stealer logs contain approximately 1.2 billion records, which contain 68.1 million unique user accounts.
Analyzing the user accounts further, we found that those usernames that were email addresses belonged to 8.2 million unique email addresses, which together belong to over 3 million apex domains.
We also analyzed the target URLs, and for the HTTP, HTTPS, FTP, and FTPS accounts, we again counted the apex domains, which totaled over 8 million records.
For the email addresses, we have a list available of these apex domains along with the count of unique usernames and passwords. For the target URLs, we have a list available of these apex domains along with a count of the unique username/URL combinations.
We plan to contact CERTs, CSIRTs, and security teams and provide them with this list so they can supply us with a list of apex domains they want more detailed information for. To protect the individuals, we will only provide this information if the requester can be validated and if the list of requested domains makes sense. We will only provide a masked version of the password; we will NOT provide the full passwords. The list of apex domains is also available at the bottom of this page. As per our stolen credentials policy we will not provide data to government agencies of countries that do not score better than 4 on the Human Rights index.
If you are a CSIRT, CERT or security team and want to get data from us:
- Download the apex list from the link at the bottom of this page
- Match these apexes to the domains in your constituency, that you own or are responsible for
- Send a list of the domains that have hits to csirt@divd.nl
- If we can validate that you have a legitimate interest in these domains we will send you the data back
- Be patient, we are a volunteer-run organisation and have day jobs.
- Spread the word.
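The analysis described above (splitting stealer-log records into URL, username and password, reducing email addresses and http/https/ftp/ftps target URLs to apex domains, counting unique usernames, passwords and username/URL combinations per apex, masking passwords) and the matching step in the list above can be illustrated with a small script. This is an added example, not DIVD's tooling; the record layout, the tiny stand-in for the Public Suffix List, the masking scheme and all sample records are constructed assumptions.

```python
# Added example (not DIVD's own tooling): per-apex statistics as described on
# the case page, run over a handful of constructed stealer-log records.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in a "url:username:password" layout.
# Hosts, users and passwords are invented for this example.
SAMPLE_RECORDS = [
    "https://mail.example.org/login:alice@example.org:Winter2024!",
    "https://shop.example.com/account:alice@example.org:Winter2024!",
    "http://intranet.example.com/:bob:hunter2",
    "ftp://files.example.net:carol@example.net:s3cret",
    "android://com.app.bank/:dave@bank-example.co.uk:p@ss",
    "https://shop.example.com/account:erin@example.org:abc123",
    "https://login.example.org/:frank@example.org:pa:ss:word",
    "https://mail.example.org/login:alice@example.org:Winter2024!",  # duplicate
    "garbage line without structure",
]

TARGET_SCHEMES = {"http", "https", "ftp", "ftps"}
# Tiny stand-in for the Public Suffix List (assumption); a real job should use the full list.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz", "co.jp"}


def parse_record(line):
    """Split 'url:username:password'. The URL ends at the first ':' after its
    scheme (assumes no explicit port); the password itself may contain ':'."""
    scheme_end = line.find("://")
    if scheme_end == -1:
        return None
    url_end = line.find(":", scheme_end + 3)
    if url_end == -1:
        return None
    rest = line[url_end + 1:]
    if ":" not in rest:
        return None
    username, password = rest.split(":", 1)
    return line[:url_end], username, password


def apex_domain(host):
    """Registrable (apex) domain: last two labels, or three for known
    second-level suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(records):
    """email_counts[apex] = (unique usernames, unique passwords) for e-mail usernames;
    target_counts[apex] = unique (username, url) pairs for http/https/ftp/ftps targets."""
    email_stats = defaultdict(lambda: (set(), set()))
    target_stats = defaultdict(set)
    for line in records:
        parsed = parse_record(line)
        if parsed is None:
            continue  # unparseable record, skipped
        url, username, password = parsed
        if "@" in username:
            apex = apex_domain(username.rsplit("@", 1)[1])
            if apex:
                users, passwords = email_stats[apex]
                users.add(username.lower())
                passwords.add(password)
        parts = urlsplit(url)
        if parts.scheme in TARGET_SCHEMES and parts.hostname:
            apex = apex_domain(parts.hostname)
            if apex:
                target_stats[apex].add((username.lower(), url))
    email_counts = {a: (len(u), len(p)) for a, (u, p) in email_stats.items()}
    target_counts = {a: len(pairs) for a, pairs in target_stats.items()}
    return email_counts, target_counts


def mask_password(password):
    """Masking scheme assumed for this example: keep only first and last character."""
    if len(password) <= 2:
        return "*" * len(password)
    return password[0] + "*" * (len(password) - 2) + password[-1]


def match_constituency(email_counts, target_counts, domains):
    """Reduce each constituency domain to its apex and report which apexes have hits."""
    hits = {}
    for domain in domains:
        apex = apex_domain(domain)
        if apex in email_counts or apex in target_counts:
            hits[apex] = {
                "email_usernames": email_counts.get(apex, (0, 0))[0],
                "email_passwords": email_counts.get(apex, (0, 0))[1],
                "target_combos": target_counts.get(apex, 0),
            }
    return hits


if __name__ == "__main__":
    emails, targets = analyse(SAMPLE_RECORDS)
    for apex, (users, passwords) in sorted(emails.items()):
        print(f"email apex {apex}: {users} usernames, {passwords} passwords")
    for apex, combos in sorted(targets.items()):
        print(f"target apex {apex}: {combos} username/URL combinations")
    print(match_constituency(emails, targets, ["www.example.com", "example.net", "unrelated.test"]))
```

The duplicate record and the malformed line show why counting is done on sets rather than raw lines, and the `android://` record shows that a username can contribute to the email apex list even when its target URL is not counted.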
What you can do
If you are an individual and found out that your account is on these lists, here’s what you should do:
- Don’t panic! Just because your account appeared on this list does not mean that you have been hacked. Much of the data circulating in criminal communities has been there for a long while and is of poor quality.
- However, this is your reminder to follow safe password practices:
- Use a unique and random, strong password or passphrase for every individual account.
- We know that means you will end up with hundreds or thousands of unique and difficult-to-remember passwords. This does not fit a normal human brain, so get a reputable password manager.
- A lot of sites offer multi-factor authentication (MFA). With MFA, access to a service or account doesn’t rely solely on a username and password, but also requires a number from, or a button click in, an app on your phone, which is much harder for criminals to steal and trade.
Timeline
Date | Description |
---|---|
02 Jun 2024 | DIVD is contacted by their source |
04 Jun 2024 | First data is received |
04 Jun 2024 - 19 Jun 2024 | Data analytics |
19 Jun 2024 | List of email apex domains and target apex domains available |
20 Jun 2024 | CSIRTs, CERTs and security teams can request data |