Dark Web Intel: LeakBase ULP #Free1 Drops 95,231 Stolen Passwords

HEROIC analysts identified a stealer log release on August 4, 2024, in which the threat actor known as "moi geroi" posted a credential file labeled "ULP #Free1" on a prominent hacking forum. The log contains approximately 785,296 total records, with 95,231 unique entries. The exposed data includes email addresses, homepage URLs, and plaintext passwords collected by information-stealing malware from infected devices. This release is part of a multi-part series by the same actor -- see also: LeakBase ULP #Free by moi geroi.

Why This Is Dangerous: Plaintext passwords are immediately operational weapons. Every email-and-password pair in this log can be tested against banks, email services, and e-commerce platforms within seconds using automated tools. The accompanying homepage URLs tell attackers exactly which services each victim was actively using, enabling them to focus credential stuffing attempts where they are most likely to succeed. Combined across both releases in this series, the actor distributed nearly 190,000 unique compromised accounts.

What Was Exposed

• Email Address
• HomePage URL
• Plaintext Password

Why This Matters

Stealer logs containing plaintext passwords create an immediate, multi-platform threat. Victims who reuse the same password across accounts lose access to every service where that password was used the moment attackers begin testing. Email account takeover is often the first domino to fall, since email access allows password resets on every other linked service. From there, attackers can commit financial fraud, drain accounts, sell access to other criminals, or use compromised accounts to spread phishing campaigns to the victim's contacts.

How Stealer Logs Work

Stealer logs are credential archives produced by information-stealing malware. The malware infects a victim's device -- often through phishing links, trojanized software downloads, or malicious browser extensions -- and immediately begins harvesting saved passwords from browsers, password managers, and login forms. It also records the URLs of sites the victim visits while logged in. All of this data is silently transmitted to attacker-controlled infrastructure. The assembled logs are then packaged and distributed on dark web forums as free samples to attract buyers for larger private collections.

Check If You Are Affected

If your email address is among the 95,231 unique records in this log, your password for at least one online service is exposed. Use the HEROIC free identity scanner to check whether your credentials appear in this release or any of the 400 billion+ records in our database. Change exposed passwords immediately and activate two-factor authentication on all important accounts.

Related Parts of This Breach

• LeakBase ULP #Free by moi geroi -- 95,333 unique records, August 4, 2024