Search Your Email: The LeakBase 18Kk Ulp by Farmagol Exposed 1.6 Million Accounts

In November 2024, a stealer log labeled 18Kk Ulp was posted to the LeakBase underground forum by a threat actor identified as farmagol. The post referenced approximately 18 million total records. Analysis of the dataset confirmed 1,647,896 unique entries, each consisting of an email address, a plaintext password, and a homepage URL pointing to the login page where the credential was captured. With nearly 1.65 million verified unique credentials in plaintext, this is one of the larger individual ULP dumps in the LeakBase ecosystem.

Why This Is Dangerous

Stealer log credentials are uniquely hazardous compared to hashed database leaks. There is no cracking step required. An attacker receives the email, the exact password, and the URL of the service it belongs to. Automated credential stuffing tools can begin testing these combinations against other platforms within minutes of obtaining the file. For anyone who reused the same password elsewhere, every linked account is at immediate risk.

What Was Exposed

• Email Address — 1,647,896 unique addresses confirmed
• Plaintext Password — live credentials captured at the moment of infection, no cracking needed
• HomePage URL — identifies the exact login portal where each credential was active

Why This Matters

The 18Kk Ulp dataset creates direct pathways to multiple forms of harm:

• Credential stuffing — the email and plaintext password are tested across banking, retail, healthcare, and email platforms automatically
• Account takeover — attackers gain full access, change recovery options, and lock out the legitimate user
• Identity theft — inbox access enables password resets and identity document requests across government and financial services
• Fraud — stored payment methods, loyalty balances, and linked bank accounts are drained or sold

How Stealer Log Breaches Work

ULP stands for URL:Login:Password, the three-field format that makes stealer logs immediately usable. Infostealer malware — distributed via phishing, cracked software, and malicious ads — reads saved passwords directly from browser credential stores on infected machines. It then records which website URL the password belongs to and uploads all three fields to an attacker-controlled server. The farmagol 18Kk Ulp log is the result of this automated process applied across thousands of infected devices, with the aggregated output posted to LeakBase for distribution.

Check If You Are Affected

Heroic indexes over 400 billion breach records, including stealer log collections like this one. Search your email address now to find out whether your credentials appear in known leaks.

Search your email in Heroic's 400B+ record database

Related LeakBase ULP Dumps

The 18Kk Ulp is one of many ULP credential packages posted to the LeakBase forum. Other documented dumps include:

• LeakBase 40M Ulp by wheatball
• LeakBase Vulcan 1.6M ULP by 19890036580