ALIEN TXTBASE, a stealer-log credential compilation distributed through Telegram, has been indexed by leaksear.ch with 1.09 billion records containing URLs, email addresses, usernames and plaintext passwords (leaksear.ch metadata). The breach date in the indexing metadata is February 15, 2025 (leaksear.ch metadata).
What happened
Have I Been Pwned describes ALIEN TXTBASE as a stealer-log breach in which 23 billion rows were obtained from a Telegram channel in February 2025, with data tied to websites where credentials were entered and passwords used (haveibeenpwned.com). Troy Hunt reported that the broader corpus was about 1.5 TB, spread across 744 Telegram-posted files, and affected 284 million unique email addresses in HIBP's processing (troyhunt.com).
This is not a conventional breach of a single service. Public reporting frames ALIEN TXTBASE as a compilation of stealer logs, where malware on compromised devices captured credentials as victims entered them into websites, after which the logs were aggregated and circulated through Telegram (troyhunt.com).
HIBP notes that the data is searchable there by both email domain and the domain of the target website, while also cautioning that stealer-log data can include junk or fabricated entries because it is collected from malware output rather than from one authoritative system of record (haveibeenpwned.com, troyhunt.com).
What data was exposed
The leaksear.ch index for ALIEN TXTBASE contains email addresses, usernames and plaintext passwords as searchable fields (leaksear.ch metadata). Records also include URL context showing where credentials were captured, plus source-file context from the indexed compilation (leaksear.ch metadata).
The presence of plaintext passwords is the central risk. Unlike hashed password dumps, stealer logs can expose credentials in a form that may be immediately reusable if the victim has not changed them or has reused them on other services (leaksear.ch metadata).
Why this matters
Credential pairs with website context can support account takeover, credential stuffing and targeted phishing against both individuals and organizations. For security teams, employee or contractor credentials in stealer logs should be treated as a possible initial-access risk, especially where the affected accounts touch VPNs, SaaS tools, email, finance systems or privileged workflows.
The Australian Signals Directorate's cyber security guidance warns that info stealers collect usernames, passwords, browser data and other sensitive information, and that stolen corporate credentials can be used for initial access leading to ransomware, extortion, business email compromise and theft of intellectual property (cyber.gov.au). Readers who want to know whether their data appears in this leak should use the exposure-check block below to search the supported pivots.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include email, password, and username.