Snorlax Data Pool is an infostealer-style credential and device-log dataset containing 2,064,745 indexed records, with an indexed breach date of October 25, 2025 (leaksear.ch metadata). The available metadata does not tie the dataset to a single breached company, but its fields point to compromised accounts and infected-device context that can affect both individuals and organizations (leaksear.ch metadata).
What happened
leaksear.ch metadata describes Snorlax Data Pool as an infostealer-style credential and device log dataset. It was indexed on July 8, 2026, lists October 25, 2025, as the breach date, and includes no reporter or reference link (leaksear.ch metadata).
Public searches did not identify a separate breach notice from a named company, so the confirmed scope is the indexed dataset and fields, not a verified intrusion into one organization. Have I Been Pwned describes stealer-log breaches as large, often aggregated datasets with variable quality, typically created to monetize victims' personal information (support.haveibeenpwned.com).
The dataset type is consistent with public reporting on credential theft from infected endpoints. MITRE ATT&CK documents that adversaries may acquire credentials from web browsers by reading browser-specific files, and Recorded Future describes criminal log packages as combining credentials, IP addresses, browser fingerprints, system information, and cookies (attack.mitre.org, recordedfuture.com).
What data was exposed
leaksear.ch indexed Snorlax Data Pool for searches on address, country, email, IP address, name, password, phone, and username (leaksear.ch metadata).
Records also contain application, browser file, computer name, hardware ID, log date, machine ID, operating system, source URL, system language, timezone, and victim log ID (leaksear.ch metadata). These additional fields provide device, application, locale, and source context, but they are not listed as direct search pivots in the leaksear.ch metadata.
In plain terms, the exposed data may include contact details, account identifiers, plaintext or stored passwords, network identifiers, website or application context, browser artifacts, and device identifiers. No raw leaked records or sample values are included here.
Why this matters
Security teams should treat any match in Snorlax Data Pool as a credential-exposure event, not just a privacy issue. Email, username, password, source URL, IP address, and device context can support account takeover, credential stuffing, targeted phishing, and help attackers prioritize corporate access.
The risk is not limited to services named in a source URL. Google Cloud reported in its H2 2025 threat report that credential compromise and misconfiguration remained primary entry points for cloud intrusions, underscoring why exposed credentials should trigger rapid resets, session review, and endpoint investigation (cloud.google.com). Individuals should rotate affected passwords, avoid reuse, enable phishing-resistant MFA where available, and review active account sessions.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, password, phone, and username.
Sources
- Have I Been Pwned: I had an alert that emails on my domain were in a stealer log breach, but I don't see any stealer log entries
- MITRE ATT&CK: Credentials from Password Stores: Credentials from Web Browsers
- Recorded Future: Session Hijacking and MFA Bypass
- Google Cloud: Cloud Threat Horizons H2 2025 Report