HiChem

28 Jan 2025 N/A 28-Jan-2025 Database
Records Affected: 8,064,258
Source Structure: Database
Breach Location: Telegram
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Address, HomePage URL, Plaintext Password
Password Types: Plaintext

Description

We've been tracking a noticeable uptick in the aggregation and sale of stealer logs across various Telegram channels. The sheer volume is one thing, but what really caught our attention was the age and variety of the compromised credentials within these logs. Many date back years, suggesting widespread credential reuse and a long tail of potential exposure. This particular log, initially surfacing in mid-December 2025, stood out not just for its size, but for the inclusion of plaintext passwords linked to a somewhat obscure chemical company, HiChem. The combination of easily exploitable credentials and a potential target in a sector that handles sensitive materials raised immediate concerns.

HiChem's Exposed Credentials: A Chemical Reaction of Risk

The stealer log, titled @TXTLOG_ALIEN - 693.txt, initially surfaced on a Telegram channel around December 19, 2025. While these logs are common, the inclusion of data from HiChem, a company in the chemical sector, amplified the risk. The log contained approximately 51.1 million lines of data, which boiled down to 8,064,258 unique email addresses exposed alongside plaintext passwords and homepage URLs. The fact that passwords were in plaintext is an egregious security lapse, making account takeover trivial for anyone with access to the log.

Stealer logs are often compiled from malware infections on user devices, where the malware harvests credentials, cookies, and other sensitive data. The source structure in this case suggests a database breach, given the structured nature of the data points. This type of exposure is especially concerning because it provides attackers with direct access to user accounts and potentially sensitive company information. The compromised data was located on a public Telegram channel, making it easily accessible to a wide range of threat actors.

Breach Stats

  • Total records exposed: 8,064,258
  • Types of data included: Email Address, HomePage URL, Plaintext Password
  • Sensitive content types: Credentials
  • Source structure: Database
  • Leak location: Telegram channel
  • Date of first appearance: December 19, 2025

External Context & Supporting Evidence

The proliferation of stealer logs on platforms like Telegram is a well-documented trend. Security researchers have observed a growing market for these logs, with prices varying based on the size and quality of the data. These marketplaces are often used by initial access brokers (IABs) who specialize in gaining unauthorized access to corporate networks and then selling that access to other threat actors, such as ransomware groups.

BleepingComputer has reported extensively on the increasing sophistication of stealer malware and the expanding ecosystem of marketplaces where stolen data is traded. A recent article highlighted the use of Telegram bots to automate the process of searching and purchasing stealer logs, making it easier for even novice attackers to find and exploit compromised credentials. The risks posed by plaintext passwords have been repeatedly emphasized by security experts. As KrebsOnSecurity has pointed out, the use of plaintext passwords is "a security sin" that dramatically increases the risk of account takeover and further compromise.

Leaked Data Types

Email Address · Homepage URL · Plaintext Password

Impact Score

Impact Score: 40.00

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$58.4M

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.
