HEROIC Found ArtHouse Cloud Logs v2: 5,375 Email and Password Records

HEROIC analysts uncovered a second stealer log collection tied to ArtHouse Cloud infrastructure, designated version 2 and shared on Telegram in March 2026. This discovery followed closely on the heels of the ArtHouse Cloud Logs v1 release, and the scale was notably larger: 5,375 records containing email addresses, plaintext passwords, and URLs pointing to the specific systems where credentials were captured. Finding a second batch from the same source in the same month tells analysts this was not a one-time event, it was part of an ongoing operation targeting ArtHouse Cloud users.

Why the ArtHouse Cloud Logs v2 Discovery Is Especially Concerning

The combination of two releases from the same source within weeks suggests a persistant compromise. This is not a case of a single infected machine. The volume and the repeat nature of these uploads point to a threat actor who had consistent access to a pipeline of infected devices connected to ArtHouse Cloud services. For anyone who uses ArtHouse Cloud, that means their credentials may have been harvested multiple times, from multiple machines, and distributed across criminal networks through at least two separate Telegram uploads. Plaintext passwords in this leak need no cracking, they are ready to use the moment someone downloads the file.

What Was Exposed in ArtHouse Cloud Logs v2

• Email Addresses: Real login identities tied directly to user accounts
• Plaintext Passwords: Fully readable passwords requiring no decryption or cracking tools
• URLs: Specific endpoints and service addresses revealing which ArtHouse Cloud systems were actively targeted

Why Back-to-Back Stealer Log Releases Multiply the Risk

When HEROIC finds two releases from the same source in close succession, the threat landscape changes. Credentials from v1 and v2 can be cross-referenced by attackers to build more complete profiles of individual victims. Combined, the two ArtHouse Cloud log files account for nearly 10,000 exposed records. That combined dataset becomes far more valueable to criminals running credential stuffing campaigns, phishing operations, or identity theft schemes than either file alone. Each exposed URL also hands attackers a map of which services the victims rely on, making follow-on attacks more accurate and more convincing.

How Stealer Logs Are Built and Distributed

An infostealer is a type of malware that hides on a victim's device, sometimes for weeks or months, harvesting data in the background. It reads saved passwords from browsers, captures active login sessions, and logs the URLs of sites the user visits. The collected data is packaged into a structured log file and sent back to the attacker. Operators then sort these logs by category or target, package them into named collections like the ArtHouse Cloud Logs v1 and v2, and distribute them on Telegram or dark web forums. The victim never sees a ransom note or a warning. The theft happens completely silently, in the backround of normal computer use.

Find Out If Your ArtHouse Cloud Credentials Were Exposed

HEROIC's free breach scanner searches across more than 400 billion records, including both versions of the ArtHouse Cloud logs and thousands of other stealer log collections. If your email appears in this March 2026 leak, you will see it immediately. Head to heroic.com, enter your email address, and get your results in seconds. There is no cost and no signup required to check whether your data has already reached criminal networks.