LeakBase 120M+ ULP by FFish Put 15.8 Million Stolen Logins Online

On November 20, 2024, a threat actor known as FFish posted a massive stealer log to LeakBase titled "Url Login Pass 120Million+" -- a collection containing more than 120 million raw records and 15,795,724 unique email addresses, each paired with a plaintext password and the exact website URL where the credential was captured. This is one entry in an ongoing series of large-scale ULP dumps by FFish on LeakBase, representing a sustained and prolific credential distribution operation.

FFish has posted multiple related dumps on LeakBase. See also:

• LeakBase FISHULP 140M ULP by FFish
• LeakBase 80M+ ULP by FFish
• LeakBase 140M+ ULP by FFish
• LeakBase 220M+ ULP Part 1 by FFish -- 23.5M credentials
• LeakBase 220M+ ULP Part 2 by FFish -- 17.2M credentials

Why This Is Dangerous

With nearly 16 million unique email-password pairs in a single file, this dump is a high-volume, immediately exploitable credential arsenal. The plaintext format means no decryption or cracking is needed. The inclusion of matching URLs makes it trivially easy to know which service each password unlocks. At this scale, credential stuffing bots can process millions of login attempts per day across thousands of websites simultaneously.

What Was Exposed

• 15,795,724 unique email addresses -- a massive verified pool of real user accounts
• Plaintext passwords -- ready to use, no cracking required
• Homepage URLs -- site-specific context for each credential pair, enabling targeted login attempts

Why This Matters

A dump of this scale accelerates every downstream attack vector:

• Credential stuffing: 15.8 million email-password pairs provide an enormous attack surface. Automated bots run these against banking portals, email providers, and streaming services within minutes.
• Account takeover: Gaining access to one email account often unlocks every other account connected to it through password reset flows.
• Identity theft: Millions of verified identities with confirmed web activity give attackers material for fraud, impersonation, and social engineering at scale.
• Fraud: Financial, e-commerce, and subscription accounts in the dump are immediately targeted for unauthorized charges and resale of access.

How Stealer Logs Work

ULP stealer logs are the output of information-stealing malware that silently harvests saved credentials from infected devices. Programs like RedLine Stealer, Raccoon, and Vidar extract browser-saved passwords, autofill data, and session cookies, then format them into URL-Login-Password lists. These lists are aggregated by actors like FFish into large batches and distributed on forums like LeakBase, where other criminals download them for use in automated account compromise campaigns.

Check If You Are Affected

At nearly 16 million unique addresses, the odds that your email appears in this dump are significant. HEROIC monitors 400 billion+ compromised records across thousands of breaches. Run a free scan now to find out if your credentials are exposed here or in any of FFish's other LeakBase dumps.

Search the HEROIC Database -- Free Scan

Related Parts

• LeakBase FISHULP 140M ULP by FFish
• LeakBase 80M+ ULP by FFish
• LeakBase 140M+ ULP by FFish
• LeakBase 220M+ ULP Part 1 by FFish -- 23.5M credentials
• LeakBase 220M+ ULP Part 2 by FFish -- 17.2M credentials