The LeakBase 40M Ulp by Wheatball Contains 834,209 Exposed Email and Password Pairs

In November 2024, a stealer log identified as 40M Ulp appeared on a prominent underground hacking forum, posted by a threat actor known as wheatball. The dataset claims approximately 40 million total records. Forensic analysis confirms 834,209 unique entries, each consisting of an email address, a plaintext password, and an associated homepage URL. Because the passwords are in plaintext and paired directly with login-linked URLs, these credentials are immediately actionable for account takeover without any cracking step.

Why This Is Dangerous

Stealer logs differ from traditional database breaches. The data was not lifted from a company server; it was harvested in real time from infected endpoint devices using infostealer malware. That means the credentials were valid and active at the moment of capture. Even if a user has since changed a password on one service, the same plaintext password may still unlock accounts on other platforms where it was reused.

What Was Exposed

• Email Address — 834,209 unique addresses confirmed
• Plaintext Password — captured live from browser sessions or saved credentials
• HomePage URL — identifies the specific service or login page targeted

Why This Matters

Plaintext credentials from stealer logs fuel a specific and well-documented attack chain:

• Credential stuffing — automated bots test the email and password pair across hundreds of services simultaneously
• Account takeover — successful logins give attackers access to banking, email, and subscription accounts
• Identity theft — access to email accounts enables password resets on financial and government services
• Fraud — hijacked accounts are used to make purchases, drain balances, or sell access on secondary markets

How Stealer Log Breaches Work

Infostealer malware is typically delivered through phishing emails, malicious downloads, or cracked software. Once installed on a device, it silently reads saved passwords from browsers such as Chrome and Firefox, captures active login sessions, and logs the associated URLs. The resulting file, called a log, is then sold or shared on underground forums. The wheatball 40M Ulp log follows this exact pattern: a bulk collection of endpoint-harvested credentials distributed through LeakBase, a well-known credential trading forum.

Check If You Are Affected

Heroic's breach database indexes over 400 billion records, including stealer log data. You can search your email address right now to see whether your credentials appear in known leaks.

Search your email in Heroic's 400B+ record database

Related LeakBase ULP Dumps

The LeakBase forum hosts numerous ULP (URL:Login:Password) credential packages. Other dumps from the same platform include:

• LeakBase Vulcan 1.6M ULP by 19890036580
• LeakBase 18Kk Ulp by farmagol