Inside 1 Million+ Stolen Credentials
Info-stealer logs are text/CSV files of credentials paired with the URLs they were saved for, usually formatted as username:password or url:username:password.
During research I found platforms where huge collections of stealer logs circulate: some free, some behind paid subscriptions; some general user data, some from privileged accounts.
Two samples analysed: 5,000+ Valorant username:password combos, and 1,000,000+ compiled browser-stored credentials.
    # sample format: stealer log line
    url:username:password
    https://auth.riotgames.com:player_one:hunter2!
    https://www.facebook.com:victim.name:Summer2024
    https://accounts.google.com:victim@gmail.com:qwerty123
Valorant credentials
Tested random credentials via Burp Suite as an intermediary; most were valid and current. Many accounts had MFA enabled, which blocked access. One account lacked MFA, so I accessed it, then immediately terminated the session to avoid misuse.
Browser-stored credentials
The 1M+ set spanned Facebook, Gmail, Instagram, Microsoft, Netflix, PayPal, Epic Games, online banking, and OnlyFans. Filtering surfaced:
- 10,000+ unique victim Instagram credentials
- 17,000+ Facebook credentials
And that was within this single log file.
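For defenders triaging a recovered log, the filtering step above can be reproduced without keeping any passwords. This is an added example, not code from the original post: the `triage` function, the `LINE` pattern, the watched domain `example.com` and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the url:username:password layout (not real data).
SAMPLE = """\
https://auth.riotgames.com:player_one:hunter2!
https://www.facebook.com:victim.name:Summer2024
https://www.facebook.com:victim.name:Summer2024
https://WWW.facebook.com/login:other.name:x
https://accounts.google.com:victim@gmail.com:qwerty123
https://portal.example.com:8443/login:alice@example.com:pa:ss
not a credential line
"""

# The scheme's "://" and an optional ":port" contain colons themselves, so a
# plain split(":") misparses every line. The password is the greedy remainder
# because it may also contain ":". A purely numeric username directly after the
# host is indistinguishable from a port; the pattern prefers the port reading.
LINE = re.compile(
    r"^(?P<url>https?://[^/:\s]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<user>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

def triage(log_text, watched_domain):
    """Return (unique accounts per host, exposed users at watched_domain, rejects)."""
    seen = defaultdict(set)  # host -> {username}; passwords are never stored
    exposed = set()
    rejects = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            rejects += 1
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        user = m["user"].lower()
        seen[host].add(user)  # set membership de-duplicates repeated lines
        if user.endswith("@" + watched_domain) or host.endswith("." + watched_domain):
            exposed.add(user)
    counts = {host: len(users) for host, users in seen.items()}
    return counts, exposed, rejects

if __name__ == "__main__":
    counts, exposed, rejects = triage(SAMPLE, "example.com")
    for host, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:>4}  {host}")
    print("reset and revoke sessions for:", sorted(exposed), "| unparsed:", rejects)
```

The per-host counts correspond to the "unique victim credentials" figures, and the exposed set is the list of accounts to force-reset.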
Recommendations
- Enable MFA.
- Use strong, unique passwords per account.
- Monitor account activity.
- Be cautious with links and downloads.
- Stay informed about emerging threats.
// NOTE: Conducted for educational and defensive security research only. The single account accessed without MFA was logged out immediately and no data was exfiltrated.