Inside the LeakBase ULP #Free Stealer Log: 95,333 Plaintext Passwords Exposed

HEROIC analysts identified a stealer log release on August 4, 2024, in which a threat actor posting under the handle "moi geroi" shared a credential file labeled "ULP #Free" on a prominent hacking forum. The post contained approximately 742,113 records, of which 95,333 are unique entries. The exposed data includes email addresses, homepage URLs, and plaintext passwords harvested by malware from compromised user devices. This release is part of a multi-part series by the same actor -- see also: LeakBase ULP #Free1 by moi geroi.

Why This Is Dangerous: Plaintext passwords require no cracking. An attacker can immediately test every email-and-password pair against banking portals, email providers, and social media platforms in automated credential stuffing attacks. The inclusion of homepage URLs reveals which services the victim was logged into at the time of infection, allowing attackers to prioritize the highest-value targets first.

What Was Exposed

• Email Address
• HomePage URL
• Plaintext Password

Why This Matters

Plaintext password exposure is among the most severe credential leak scenarios. Unlike hashed passwords that require time and computing power to crack, plaintext credentials are immediately usable. With 95,333 unique email-and-password pairs available, attackers can conduct large-scale credential stuffing across hundreds of services within hours. Victims who reuse passwords across accounts face account takeover on every service where the same password is used, opening pathways to financial fraud, identity theft, and further malware distribution.

How Stealer Logs Work

Stealer logs are collections of credentials harvested by information-stealing malware installed on victims' computers. The malware -- typically delivered through phishing emails, malicious downloads, or compromised software -- silently scans the infected device for saved browser passwords, autofill data, session cookies, and active login URLs. It then packages this data and transmits it to a command-and-control server controlled by the attacker. The compiled logs are later sold or shared on dark web forums, where other criminals purchase or freely download them to conduct follow-on attacks.

Check If You Are Affected

If your email address appears in this stealer log, your password for one or more services may be in attackers' hands right now. Use the HEROIC free identity scanner to check whether your credentials appear in this release or any of the 400 billion+ records in our database. Change any exposed passwords immediately and enable two-factor authentication wherever possible.

Related Parts of This Breach

• LeakBase ULP #Free1 by moi geroi -- 95,231 unique records, August 4, 2024