How the Amazon 4 Stealer Log Led to 5,613 Stolen Account Credentials

HEROIC analysts identified the Amazon 4 stealer log in August 2023, when a Telegram user distributed the file across threat actor channels. The dataset contained 5,613 records pulled directly from infected devices, each entry pairing an email address and plaintext password with the specific URL where those credentials were active. Given that Amazon is one of the most widely used shopping and cloud platforms in the world, the presence of Amazon-related credentials in a stealer log carries serious consequences for account security and financial safety.

Why This Is Dangerous

Amazon accounts store a significant amount of sensitive information: saved payment methods, home addresses, purchase histories, and in many cases access to Amazon Web Services or Prime subscriptions. When an attacker obtains an email address, a working plaintext password, and the associated Amazon URL from a stealer log, they can attempt to log in directly without any additional work. There is no hashing to crack, no guessing required. The credentials are already formatted for immediate use, and attackers often move quickly before victims notice anything is wrong.

What Was Exposed

• Email addresses
• Plaintext passwords
• URLs (specific sites where credentials were captured)

Why This Matters

Access to an Amazon account is access to a person's financial life. Attackers who gain entry can place fraudulent orders using saved payment methods, redirect deliveries, harvest stored card details, or use the account as a stepping stone into other services that share the same email and password combination. Credential stuffing tools can test these pairs across dozens of platforms in minutes, meaning a single entry in this dataset could unlock accounts far beyond Amazon itself. Identity theft and financial fraud are direct downstream risks for anyone whose credentials appear in this log.

How Stealer Logs Work

A stealer log originates from malware installed on a victim's computer, typically through a phishing link, a fake software download, or a compromised installer. Once the malware is running, it silently harvests saved login data from browsers, including the stored usernames, passwords, and the websites they belong to. All of this is packaged into a structured log file and sent back to the attacker. From there, logs are sold, traded, or shared on platforms like Telegram, where they reach a wide audience of cybercriminals. The infected user typically sees nothing out of the ordinary while all of this happens in the background.

Check If You Are Affected

If your Amazon credentials or any other login information may have been captured by a stealer, HEROIC's free breach scanner can check your email address against a database of over 400 billion compromised records. Finding out early gives you time to change passwords, enable two-factor authentication, and protect your accounts before attackers act. Run a free check at HEROIC today.