The MetaCloudVipNew Breach Gave Hackers 12,039 Plaintext Passwords to Use

HEROIC analysts identified a stealer log file uploaded to Telegram in February 2026, part of a campaign labeled MetaCloudVipNew targeting 4,000 compromised PCs. This fifth installment alone exposed 12,039 records. The data was harvested by infostealer malware running on infected machines, capturing email addresses, plaintext passwords, and the URLs of services victims logged in to. Anyone with access to the Telegram channel where it was shared could immediatly weaponize this information.

What Attackers Can Do With MetaCloudVipNew Stealer Data

This type of data is a direct key to victims' online lives. Attackers can take a stolen email address and its corresponding plaintext password and log in to that exact service within seconds. The URLs in the log tell them which platforms matter most to each victim, from banking portals to corporate VPNs to email providers. There is no guesswork involved. Criminals can drain accounts, impersonate victims, intercept password reset emails, and pivot across every service where the same credentials were reused.

What Was Exposed

• Email Addresses
• Plaintext Passwords
• URLs (login destinations captured from infected devices)

Why This Matters

Credential stuffing attacks powered by stealer logs are responsible for a huge share of account takeovers every year. Because passwords are already in plaintext, attackers do not need to crack anything. They simply test credentials across popular services using automated tools. Financial fraud, identity theft, and corporate data breaches can all flow from a single exposed log file like this one. The MetaCloudVipNew series represents thousands of real people whose devices were silently compromised.

How Stealer Logs Are Created

Infostealer malware is typically delivered through phishing emails, malicious downloads, or cracked software. Once installed on a device, it runs in the background without any visible sign to the user. It harvests saved passwords from browsers, records keystrokes, captures session cookies, and logs the URLs tied to each credential. Everything is bundled into a structured log file and sent back to the attacker. These logs are then sold or shared in bulk on Telegram and dark web forums, often as part of large collections like this MetaCloudVipNew series targeting thousands of PCs.

Check If You Are Affected

HEROIC's free scanner searches over 400 billion exposed records to tell you if your credentials appeared in this breach or any other known leak. Do not wait to find out the hard way. Check your exposure now and recieve an instant alert if your data has been compromised.