
DIVD-2024-00022 - Millions of credentials scraped from Telegram

Our reference DIVD-2024-00022
Case lead Frank Breedijk
Researcher(s)
CVE(s)
  • n/a
Products
  • n/a
Versions
  • n/a
Recommendation We recommend that CSIRTs, CERTs, and security teams contact us to get a list of the domains found. After verification they can get more detailed data for the domains applicable to their constituency.
Status Open
Last modified 21 Aug 2024 18:05 CEST

Summary

On 4 June 2024 an anonymous security researcher contacted the DIVD CSIRT to request assistance with victim notification. He and his partners had infiltrated various Telegram chat groups in which large volumes of accounts were being exchanged. These accounts largely fall into two categories: combo lists and stealer logs.

Combo lists typically contain lots of credentials, but with very little context. Typically they contain only the account name, which is often an email address, and a password. Because of this lack of context, and the sheer volume of email addresses, we have decided that it would not be practical to perform victim notification on this data.

Stealer logs contain somewhat more information. Typically they contain at least a username, a password and the URL of the service these credentials belong to. In this case we have a little bit of additional context: the approximate date and time when the data was scraped from Telegram.

Our source also handed over the data to Troy Hunt for inclusion in Have I Been Pwned. In his blog, Troy Hunt describes the data and puts the volume at about 317 million unique email addresses.

What we are doing

We have also analyzed this data, with a focus on those files that we can identify as stealer logs. The stealer logs contain approximately 1.2 billion records, which contain 68.1 million unique user accounts.

Analyzing the user accounts further, we found that those usernames that were email addresses belonged to 8.2 million unique email addresses, which together belong to over 3 million apex domains.

We also analyzed the target URLs, and for the HTTP, HTTPS, FTP, and FTPS accounts, we again counted the apex domains, which totaled over 8 million records.

For the email addresses, we have a list available of these apex domains along with the count of unique usernames and passwords. For the target URLs, we have a list available of these apex domains along with a count of the unique username/URL combinations.

We plan to contact CERTs, CSIRTs, and security teams and provide them with this list so they can supply us with a list of apex domains they want more detailed information for. To protect the individuals, we will only provide this information if the requester can be validated and if the list of requested domains makes sense. We will only provide a masked version of the password; we will NOT provide the full passwords. The list of apex domains is also available at the bottom of this page. As per our stolen credentials policy, we will not provide data to government agencies of countries that do not score better than 4 on the Human Rights index.

If you are a CSIRT, CERT or security team and want to get data from us:

  1. Download the apex list from the link at the bottom of this page
  2. Match these apexes to the domains in your constituency that you own or are responsible for
  3. Send a list of the domains that have hits to csirt@divd.nl
  4. If we can validate that you have a legitimate interest in these domains, we will send you the data back
  5. Be patient, we are a volunteer-run organisation and have day jobs.
  6. Spread the word.
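One way to do the matching in step 2, as an added example (not DIVD tooling). It assumes the downloaded apex list is a CSV with the apex domain in the first column; the column names, sample rows and constituency names below are constructed for illustration.

```python
import csv
import io

# Constructed sample data; the real list's exact layout is an assumption.
SAMPLE_APEX_CSV = """apex,unique_usernames,unique_passwords
city.example,12,9
school.co.example,3,3
xn--mnchen-3ya.example,1,1
unrelated.example,40,31
"""
SAMPLE_CONSTITUENCY = ["VPN.City.Example.", "school.co.example",
                       "münchen.example", "not-listed.example"]

def normalize(domain):
    """Lowercase, drop whitespace and trailing dot, convert IDNs to punycode."""
    d = domain.strip().lower().rstrip(".")
    try:
        return d.encode("idna").decode("ascii") if d else ""
    except UnicodeError:
        return d  # leave names that cannot be IDNA-encoded unchanged

def load_apexes(fh):
    """Read apex domains from column 0, skipping blank lines and a header row."""
    return {normalize(row[0]) for row in csv.reader(fh) if row and "." in row[0]}

def match(apexes, constituency):
    """Return {apex: [constituency names that fall under that apex]}."""
    hits = {}
    for name in constituency:
        labels = normalize(name).split(".")
        # Try the full name first, then each parent down to two labels, so a
        # host such as vpn.city.example is matched to the apex city.example
        # and multi-label apexes work without a public suffix list.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in apexes:
                hits.setdefault(candidate, []).append(name)
                break
    return hits

def sample_hits():
    """Run the match over the constructed sample data above."""
    return match(load_apexes(io.StringIO(SAMPLE_APEX_CSV)), SAMPLE_CONSTITUENCY)

if __name__ == "__main__":
    for apex, names in sorted(sample_hits().items()):
        print(apex, "<-", ", ".join(names))
```

The keys of the returned dictionary are the domains with hits to send in step 3.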

What you can do

If you are an individual and found out that your account is on these lists, here’s what you should do:

Timeline

Date Description
02 Jun 2024 DIVD is contacted by their source
04 Jun 2024 First data is received
04 Jun 2024 - 19 Jun 2024 Data analytics
19 Jun 2024 List of email apex domains and target apex domains available
20 Jun 2024 CSIRTs, CERTs and security teams can request data

More information