Breach Intelligence Report 03 Feb 2025

Researchers Track the LeakBase FISHULP Dump to 21.5 Million Stolen Email Credentials

HEROIC Threat Intelligence Team
Records Exposed 21,475,305
Source Type Database
Origin Darkweb
Password Type Plaintext

Threat intelligence analysts tracking underground forum activity flagged a significant stealer log dataset posted on November 17, 2024, under the name "FISHULP 140M ULP" and attributed to a threat actor operating as FFish. The log appeared on LeakBase, a platform frequently used to distribute large-scale credential dumps. The dataset contained approximately 126 million total records, with analysts confirming 21,475,305 unique email addresses, each paired with a plaintext password and a homepage URL. The size of this dump and the direct usability of its contents put it among the more consequential infostealer log releases catalogued from the period.


Why This Is Dangerous

The FISHULP dataset carries a specific characteristic that elevates its threat level: all passwords are stored in plaintext. In breach datasets where passwords have been hashed, attackers must invest significant time and computing resources to crack them. Here, no such barrier exists. Every credential in the file can be tested against live accounts immediately. Combined with the scale of the exposure, over 21 million unique email addresses, this represents a large pool of instantly actionable login credentials available to anyone who accessed the post on LeakBase.


What Was Exposed

  • Email addresses: 21,475,305 unique accounts confirmed in the dataset
  • Plaintext passwords: Directly usable against live accounts without any cracking required
  • Homepage URLs: Indicating the specific websites from which each credential set was harvested
  • Total raw records: Approximately 126 million lines across the full log
  • Date of leak: November 17, 2024
  • Platform: LeakBase
  • Attributed actor: FFish
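For a defender, the first pass over a dataset of this shape is exposure triage: collapse raw lines to unique addresses and list which of your own accounts appear, and for which services, so they can be queued for reset. The sketch below is an added example, not HEROIC's tooling; it assumes a `url:login:password` line layout (the report does not give the layout), uses constructed sample lines, and treats `example.com` as the defender's domain.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not taken from the real dataset.
# Assumed layout: url:login:password
SAMPLE = [
    "https://portal.example.com/login:alice@example.com:Summer2024!",
    "https://portal.example.com/login:alice@example.com:Summer2024!",  # duplicate
    "https://mail.example.net:8443/auth:alice@example.com:hunter2",
    "https://shop.example.org/account:bob@other.test:pa55word",
    "android://com.example.app/:Carol@Example.com:letmein",
    "malformed line without enough fields",
    "https://vpn.example.com/:svc_backup:nopass",  # login is not an email
]

def parse_ulp(line):
    """Return (host, email) or None. The password field is dropped, never stored."""
    # Split from the right: the URL itself contains ':' (scheme, port).
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, login, _password = parts
    login = login.strip().lower()
    local, _, domain = login.partition("@")
    if login.count("@") != 1 or not local or not domain:
        return None
    try:
        host = urlsplit(url).hostname or url
    except ValueError:
        host = url
    return host.lower(), login

def triage(lines, org_domain):
    """Count email records and unique emails; map org accounts to exposed hosts."""
    records, unique, exposed = 0, set(), defaultdict(set)
    for line in lines:
        rec = parse_ulp(line)
        if rec is None:
            continue
        records += 1
        host, email = rec
        unique.add(email)
        if email.rsplit("@", 1)[1] == org_domain.lower():
            exposed[email].add(host)
    return {"email_records": records, "unique_emails": len(unique),
            "reset_queue": {e: sorted(h) for e, h in sorted(exposed.items())}}
```

The gap between `email_records` and `unique_emails` mirrors the report's 126 million raw lines versus 21,475,305 unique addresses, and `reset_queue` carries no password material.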

Why This Matters

A dataset of this size containing plaintext credentials creates cascading risk across multiple attack vectors:

  • Credential stuffing: At 21.5 million email-password pairs, automated credential stuffing tools can systematically target every major platform, financial service, and enterprise login portal, finding reused passwords at scale.
  • Account takeover: Even a fraction of successful logins translates to thousands of compromised accounts, enabling financial theft, data exfiltration, and lateral movement within corporate environments.
  • Identity theft: Email account access unlocks cascading password resets across banks, healthcare providers, and government portals, allowing attackers to take over a victim's full digital identity.
  • Targeted fraud: Homepage URLs in the dataset expose which services each victim used, enabling precisely targeted phishing and social engineering tailored to known account relationships.

How Stealer Malware Works

Stealer logs like FISHULP are produced by infostealer malware, a category of malicious software designed to silently harvest credentials from infected user devices. Infostealers commonly reach victims through phishing emails, trojanized downloads, malicious browser extensions, and compromised software update channels. Once running on a device, the malware accesses browser credential stores, saved logins, session cookies, and autofill data, packaging everything into structured log files. These logs are transmitted to attacker-controlled servers and then sold or posted on underground forums, where they are purchased or downloaded by additional threat actors for use in follow-on campaigns.


Check If You Are Affected

With over 400 billion records indexed, the Heroic Data Breach Search Engine provides one of the most thorough lookups available for checking credential exposure across stealer logs and traditional breach datasets. If your email address appears in the LeakBase FISHULP dump or any related dataset, a search at Heroic.com will surface it immediately, giving you the information you need to act before attackers do.

Search your email at Heroic.com right now to check if your credentials are in this dataset.

Breach Breakdown

Domain N/A
Leaked Data Email Address, Plaintext Password, HomePage URL
Password Types Plaintext
Date Leaked 03 Feb 2025
Breach Rank #N/A by affected users
Impact Score 40 (sensitivity + scale + recency)
Est. Financial Impact $155.4M (fraud, phishing & misuse risk)