More than 183,000,000 web accounts leaked in breaches which went unnoticed for months

Email passwords are among 183,000,000 leaked web account details which have been openly shared among cyber criminals for months or more, experts have found.

The massive trove of data was originally leaked from computers infected with a type of malware called infostealers, which log the email address and password used when a user logs into a website.

Chunks of this data – known as ‘stealer logs’ – were leaked online, ending up on easily-accessible platforms such as Telegram, social media sites and web forums.

Stealer logs are shared by a huge and complex ecosystem of hackers who are not working together and often copy older logs, meaning significant new breaches are very difficult to expose.

A US college student working with cybersecurity firm Synthient created a system to trawl vast amounts of data from this ecosystem dating back to April – no less than 23 billion rows of it.

At peak times as many as 600 million stolen credentials were shared in a single day, the system found.

Synthient shared the data with Have I Been Pwned, a website which allows people to check if their email address has shown up in previous data leaks.

Analysis of the data by the site’s boss, web security expert Troy Hunt, found 183 million unique email addresses, many of which were paired with passwords.

Of these, 16.4 million had never appeared in any known data breach before.

Mr Hunt ran a number of tests and emailed some of the victims to confirm the account details in the stealer logs were real.

They included a Gmail user whose account details were stolen when he logged into the service through a web browser.

Addresses from all major providers, including the likes of Yahoo and Outlook, also appear, and the accounts are with a huge variety of services.

Benjamin Brundage, the student who exposed the data theft with Synthient, said its size was beyond anything they expected.

‘When we first started this project, we had no idea how much data we would process.

‘It quickly became apparent that we had neither the time nor the resources to continue, which is why we’ve donated the data to Have I Been Pwned.’

His analysis found Telegram – despite being easily accessible – was the ‘largest data driver’ for stealer logs, with millions of leaked accounts illegally shared in messaging groups every day.

Telegram dominates the space so much that the most popular ‘dark web’ network didn’t even have enough data to be worth including in Synthient’s monitoring system, Mr Brundage added.

Telegram, which has 1 billion active users worldwide, vowed to clean up its act last year after CEO Pavel Durov was arrested by French authorities.

He is accused of complicity in drug trafficking, child sexual exploitation, money laundering and other offences due to the way Telegram works.

The company later quietly changed its policy so users can now report illegal activity to moderators, and for the first time said users’ phone numbers and IP addresses can be disclosed to police if a valid court order is produced.

How to check whether your details have been leaked

You can check whether the details for any accounts you might have were shared in the data breaches collated by Have I Been Pwned.

To do so, navigate to their website and enter your email address.

This will not only show whether the email account itself was compromised but also any website or app accounts created using that email address.

The compromised details can include email addresses, passwords and other details such as your name and locations linked to the account.

To check whether any breaches linked to your account showed up in stealer logs specifically, you can create a Have I Been Pwned account, after which you’ll be directed to a dashboard.

On this dashboard, navigate to ‘Stealer Logs’ and any instances where your email addresses were recorded in a stealer log will be displayed.

You can also see if a given password has appeared in a data breach using Pwned Passwords, although details about the leaks are not shown.

Mr Hunt said a second trove of Synthient data which came from a different type of data theft will be loaded onto Have I Been Pwned in the near future, so users should check again afterwards.

What to do if your password was leaked

If your email address gives any hits, you should firstly check the date of the breach and what types of information were leaked.

If it says passwords were also leaked in that breach, and you have not changed your password since the breach occurred, then you should change your password as soon as possible.

When you go to change the password, you should also ensure that the account’s recovery email address remains your own.

Otherwise, a hacker may have changed it to an account which they have access to, allowing them to reset the password and gain access to the account again.

If a password you’ve used shows up on Pwned Passwords, their advice is to ‘change it immediately’.

It can never hurt to scan your devices with anti-virus software regardless, but if your details show up in connection with a stealer log then do so urgently as this means they were obtained by malware.

There is nothing you can do to remove the compromised information from the leak, so you may want to consider any privacy implications arising from other people being able to, for example, link your name to an account, or your name to your phone number.

You may be able to claim compensation from the organisation whose data was breached if you can show you suffered damages.

Under UK law, this includes ‘material damage’, such as losing money, or ‘non-material damage’ such as emotional distress.

The UK’s data privacy watchdog, the Information Commissioner’s Office (ICO), says victims should in the first instance complain to the company and request compensation directly from it.

If the request is denied, victims can then make a claim in court.

‘We strongly recommend you take independent legal advice on the strength of your case before taking any claim to court,’ the ICO stresses.
