30,790 Plaintext Passwords From ArtHouse Cloud Logs 5k v2 Surfaced on Telegram

HEROIC analysts identified the ArtHouse Cloud Logs 5k v2 stealer log breach in February 2026, when a Telegram user uploaded a file containing 30,790 stolen records. The data was collected by infostealer malware running on compromised devices across multiple endpoints, capturing email addresses, plaintext passwords, and URLs from active browser sessions and saved credential storage before being distributed through Telegram channels frequented by cybercriminal actors.

Why This Is Dangerous

With 30,790 records containing plaintext passwords and matched email addresses, the ArtHouse Cloud Logs 5k v2 breach represents an immediately weaponizable dataset. Attackers do not need to crack or decode anything -- these credentials are ready to use the moment the file is downloaded. The URL data bundled with each record reveals which websites and online services each victim was actively using, giving criminals a detailed map of high-value targets including banking apps, webmail services, and business platforms. Stealer log data of this volume is definately circulated widely across dark web marketplaces within days of being uploaded.

What Was Exposed

• Email Addresses
• Plaintext Passwords
• URLs

Why This Matters

Large-scale stealer log breaches like ArtHouse Cloud Logs 5k v2 are a primary source of fuel for credential stuffing attacks, where automated bots test stolen login pairs across hundreds of platforms simultaneously. Victims whose credentials are reused across services face account takeovers on multiple fronts at once. Successful intrusions lead to financial fraud, identity theft, unauthorized access to workplace systems, and the sale of account access to additional criminal buyers. Victims who recieve unexpected login alerts or find themselves locked out of accounts may be experiencing the downstream effects of a breach that occured months earlier.

How Stealer Logs Work

Stealer logs are the output of infostealer malware, a category of malicious software purpose-built to harvest credentials from infected machines. Infection typically happens through phishing emails, fake software installers, game cracks, or malicious browser extensions. Once on a device, the malware runs silently in the background, pulling saved passwords from browser keystores, capturing active login session cookies, recording keystrokes on login forms, and logging the URLs of every site visited. The harvested data is automatically packaged into a compressed log file and transmitted to the attacker, usually within hours of infection. These files are then sorted, packaged, and sold or distributed on dark web forums and Telegram channels under names like ArtHouse Cloud Logs.

Check If You Are Affected

If your credentials appeared in the ArtHouse Cloud Logs 5k v2 breach, attackers may already be attempting to access your accounts. HEROIC offers a free dark web scanner that searches more than 400 billion exposed records to check whether your email address or passwords have been compromised. Run a free scan now and see exactly where your data has surfaced.