Search Your Email: The New Folder Dump Exposed 10,185 Accounts

In June 2023, HEROIC analysts identified a stealer log posted to Telegram under the name New Folder. Uploaded by an anonymous Telegram user, this log contains 10,185 records, each including an email address, a plaintext password, and the URL of the associated service. The unremarkable name is deliberate: labeling a log file with a generic title like "New Folder" is a well-known technique for disguising malicious content in file systems and making it harder for security tools to flag the package automatically.

Why the New Folder Stealer Log Is Dangerous

With 10,185 plaintext credential pairs, the New Folder log gives anyone who downloads it a ready-to-use attack toolkit. There is no decryption step, no technical barrier, and no special knowledge required. Each record maps an email address to a password and to the specific site where it was stolen. At this volume, automated credential stuffing campaigns can be launched in minutes, testing every pair across banking sites, email providers, and social media platforms simultaneously. The scale makes this log significantly more impactful than smaller stealer log releases.

What Was Exposed in New Folder

• Email addresses
• Plaintext passwords
• URLs (the specific websites and services each credential is associated with)

Why This Matters

Over 10,000 plaintext credentials in a single Telegram post means a large number of individuals are at direct risk. Because the passwords are unencrypted and paired with email addresses, victims face exposure on every service where they use the same login. Credential stuffing attacks powered by datasets like New Folder are responsible for millions of unauthorized account accesses each year. The consequences range from unauthorized purchases and drained bank accounts to identity theft and corporate data breaches when work credentials are among those exposed.

How Stealer Logs Like New Folder Work

Infostealer malware is the source of every record in the New Folder log. These programs infect devices through phishing campaigns, fake software updates, and malicious downloads. Once installed, the malware quietly harvests saved browser passwords, captures credentials as they are typed, and records the URL of each login page. The data is then packaged into a structured file and sent back to the attacker.

Operators then distribute these files through Telegram channels, sometimes for free to build credibility and channel membership, sometimes for sale. Using a generic name like "New Folder" helps the files blend into normal directory listings, evade detection on file-sharing platforms, and avoid automated takedowns. This simple obfuscation tactic shows how practiced these distribution networks have become.

Check If You Are Affected

HEROIC maintains a breach intelligence database of more than 400 billion records, including stealer logs like this one. Run a free scan to see if your email address or credentials appear in the New Folder dataset. With over 10,000 records in circulation, the chances of exposure are meaningful, and checking now is the fastest way to get ahead of the risk.