In February 2025, a data breach of exceptional magnitude was included in the Have I Been Pwned (HIBP) database. Known as ALIEN TXTBASE, the leak originated from a Telegram channel broadcasting infostealer logs and represents one of the largest collections of compromised data ever documented. Totaling 1.5 terabytes of stolen data, the breach contained 23 billion lines of information, 493 million unique email address and website pairs, affecting 284 million unique email addresses, and introducing 244 million new passwords into the HIBP database.
We invite you to read the excellent article by Troy Hunt, cited in this article multiple times:
Origin and discovery of the leak
The discovery of ALIEN TXTBASE is the result of a collaboration between HIBP and an unidentified government agency. Troy Hunt, founder of Have I Been Pwned, reports being contacted by the agency, which flagged the existence of two files totaling over 5GB, containing the word "Alien" in their names. This led him to a Telegram channel called Alien Txtbase, which was distributing massive amounts of stolen data on a daily basis.

The channel offered a subscription-based business model: free files were used as samples to attract potential cybercriminals, and then access to more data was sold through a paid subscription. A single sample file already contained more than 36 million rows of data showing websites, email addresses, and passwords stolen by malware.
In total, the Telegram channel contained 744 files making up this massive corpus of compromised data.
How Infostealers Work
The data comes primarily from infostealers, malware designed to silently extract credentials from infected users. These programs typically install themselves without victims' knowledge, often via the download of pirated software or infected applications.
Once in place, they methodically capture login credentials, passwords, session cookies, banking information and browsing history as the user enters this data.
Troy Hunt shares a concrete example of infection: "Around October, I downloaded a pirated version of Adobe AE and after that, a Trojan horse got into my PC."
This simple action allowed the malware to install itself and start collecting all sensitive information entered by the user on different websites.
Among the most well-known infostealers, we list:
Extent and authenticity of data
The scope of ALIEN TXTBASE is considerable, but questions have been raised about the authenticity of the entire data set. According to an analysis by InfoStealers.com, the leak does not consist solely of recent infostealer logs, but rather a heterogeneous mix including old combo lists, fabricated data, and information recycled from previous leaks.
The analysis identifies several clues suggesting that some portions of the data may be problematic:
Randomly generated or non-existent email addresses mixed in with legitimate addresses previously exposed in older leaks.
Formatting errors and structural inconsistencies in many records, suggesting assembly without rigorous data integrity checking.
Similarities to malicious logs previously shared by other groups such as IGGY CLOUD and SegaCloud, indicating possible aggregation of data from multiple sources.
Despite these reservations, Hunt's team confirmed the authenticity of at least some of the data by testing password reset mechanisms for the compromised email addresses. This verification confirmed that many of the addresses were indeed associated with active accounts on the sites identified in the logs.
Impacts and implications for users
The consequences of this leak are multiple. For users whose credentials are in ALIEN TXTBASE, the main risk is the use of this information for unauthorized access attempts to their accounts. Cybercriminals can exploit this data for credential stuffing attacks, attempting to use the stolen credentials across multiple services.
The presence of information in this leak does not necessarily mean that the user was directly infected with malware. As InfoStealers.com's analysis explains, many of the credential pairs could have come from older leaks or been fabricated. Nevertheless, anyone identified in this leak is advised to take preventative measures.
To check if an email address is in ALIEN TXTBASE, users can visit the Have I Been Pwned website and sign up for the notification service. After confirming the email address, users can see a list of websites associated with their compromised credentials. This information is not publicly available to protect their privacy, especially when using sensitive services.
Some tips regarding your email presence in the list of affected accounts
If you only see gmail.com, this reduces the risk that you have been infected. Of course, change your gmail.com password and run an antivirus scan on your machine. The scan will probably be ineffective, and here's why:
The most likely case here is that someone with an infected machine was trying to log into Gmail (or other email provider) accounts using known email addresses and other leaked old passwords linked to those email accounts from other leaks.
The second likely case is that the ALIEN TXTBASE leakers included data from previous leaks, either passwords related to websites other than Gmail or completely made-up passwords, to inflate their numbers, thus increasing their chances of selling this data. They included real passwords confirmed by Troy Hunt; however, this doesn't mean anything.
If you see more domains than gmail.com, the probability that at least one of your machines has been infected is much higher. Change all of these passwords after scanning your machines. If you get any detections, completely reinstall the operating system and format all disks.
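The triage rule above, together with the structural-inconsistency clue from the authenticity section, can be applied in bulk by a defender reviewing rows for their own users. The following is an added example, not code from HIBP or from this article; the `url:login:password` row layout, the function names and every sample row are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed row layout "url:login:password"; the article only says rows hold a
# website, an email address and a password. All rows below are constructed.
SAMPLE = """\
https://www.gmail.com/login:alice@gmail.com:Summer2019!
https://shop.example.net/login:bob@gmail.com:hunter2
https://gmail.com:bob@gmail.com:hunter2
https://forum.example.org/:bob@gmail.com:correct-horse
not a record at all
https://bank.example.com/login:carol.example.com:pw
""".splitlines()

def parse_line(line):
    """Return (site_host, email), or None for a structurally broken row."""
    parts = line.strip().rsplit(":", 2)  # split from the right: URLs contain ':'
    if len(parts) != 3:
        return None
    url, login, password = parts
    host = (urlsplit(url).hostname or "").lower()
    local, at, domain = login.rpartition("@")
    if not host or not password or not at or not local or "." not in domain:
        return None
    if host.startswith("www."):
        host = host[4:]
    return host, f"{local}@{domain.lower()}"

def triage(lines):
    """Group sites per email and apply the article's single-domain heuristic."""
    sites, malformed = defaultdict(set), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1  # formatting errors hint at careless aggregation
            continue
        host, email = rec
        sites[email].add(host)
    verdicts = {}
    for email, hosts in sites.items():
        provider = email.rsplit("@", 1)[1]
        # Only the mail provider's own domain listed: infection less likely.
        own = all(h == provider or h.endswith("." + provider) for h in hosts)
        verdicts[email] = "lower" if own else "higher"
    return verdicts, malformed
```

A "higher" verdict corresponds to the scan, password change and possible reinstall described above; a password that itself contains a colon would be mis-split under the assumed layout and counted as malformed or mis-attributed.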
New HIBP features to address the threat
In response to this massive leak, Troy Hunt has implemented new features in HIBP to help organizations identify compromised accounts. Two new APIs now allow:
Domain owners to search their entire domain in infostealer logs.
Website operators to identify customers whose email addresses have been captured when they enter data on the site.
These APIs, which allow up to 1,000 email address lookups per minute, aim to help organizations proactively detect malicious activity and block intrusion attempts before they cause damage. Hunt explains: "The introduction of these new APIs will finally help many organizations identify the source of malicious activity and, more importantly, anticipate and block it before it causes damage."
Broader context of infostealers and combolists
ALIEN TXTBASE is part of a larger trend of infostealer and combolist proliferation. By June 2024, HIBP had already integrated data on 151 million email addresses from similar combolists. These massive collections are usually built from infostealer logs shared daily on various specialized Telegram channels.
Telegram has become a preferred platform for distributing stolen data due to its accessibility and the anonymity it offers. Hunt notes: “There has been growing concern in recent years about the use of Telegram by organized crime, particularly since the founder was arrested in France last year for failing to crack down on illegal activity on the platform.” The ease with which large amounts of data can be published and distributed en masse under the cover of anonymity makes Telegram a major vector in the cybercriminal ecosystem.
Conclusion
The ALIEN TXTBASE leak represents a significant event in the cybersecurity landscape, both in terms of its scale and the questions it raises about the authenticity and provenance of the compromised data. While some analyses suggest that it is a “chaotic jumble of unrelated datasets,” others confirm the authenticity of at least some of the exposed credentials.
This situation highlights the growing importance of infostealers as a persistent threat to the security of users and organizations. It also highlights the problematic role that certain platforms like Telegram play in facilitating the mass distribution of stolen data.
For users, this breach is a reminder of the importance of fundamental security practices: using unique passwords for each service, enabling two-factor authentication, and being vigilant when downloading software. For organizations, it underscores the need to actively monitor for potential credential leaks and implement robust mechanisms to detect and block unauthorized access attempts using compromised credentials.
This recent massive leak reminds us of the crucial importance of a proactive approach to digital security. In this context, Saferfind's services take on their full importance.
Our public information discovery platform, Saferfind, integrated into our Social Engineering bundles, allows everyone to better understand their visible digital footprint, to identify publicly accessible and potentially exploitable information. In addition, our strategic partnerships with dark web monitoring solutions provide an additional layer of protection. Thanks to these collaborations, we can potentially detect the presence of your data in dark areas of the web, such as those exposed by leaks such as ALIEN TXTBASE, and alert you quickly.
Saferfind is thus positioned as an essential ally to anticipate and mitigate the risks associated with data leaks. By combining visibility on public information and monitoring on the dark web, we offer our users a more complete vision of their exposure and the tools necessary to strengthen their security and that of their sensitive information. Faced with the constant threat of leaks, it is more than ever time to take control of your digital security with Saferfind.
Finally, the implementation of endpoint protection solutions such as EDR/XDR (CrowdStrike is one of our partners) should be prioritized to protect against infostealer-type threats first and foremost.