We've been tracking a sharp uptick in stealer log uploads to Telegram channels focused on credential harvesting. What really struck us wasn't the volume of these dumps, but the increasing specificity of the targets. Instead of generic "combo lists," we're seeing logs tailored to particular software platforms and services, suggesting a more focused and potentially sophisticated attacker. The data had been circulating for a few days, but we noticed it due to its distinct targeting: a log file claiming to be from a site called **NEW_DAISYCLOUD-CHAMPIONING**.
This breach, surfacing in mid-March 2024, highlights the ongoing threat posed by stealer logs and their proliferation on platforms like Telegram. The compromised data, numbering 8,545 records, appears to originate from systems interacting with or belonging to NEW_DAISYCLOUD-CHAMPIONING. This wasn't a traditional database dump or a misconfigured S3 bucket; it was a stealer log, meaning the credentials were harvested from infected endpoints (browser password stores, autofill data, session cookies) rather than pulled from the service's own database.
The breach came to light on March 20, 2024, when a Telegram user uploaded the stealer log file. What caught our attention was the clear labeling of the data source. This level of specificity is unusual, indicating the attacker knew the origin and value of the stolen information. The data's appearance on Telegram, a common platform for trading stolen credentials, underscores the monetization aspect of these attacks.
This incident matters to enterprises because it underscores the persistent threat of endpoint compromise. Stealer logs often contain a wealth of information, including not only usernames and passwords but also API keys, cookies, and other sensitive data that can be used to gain unauthorized access to internal systems. The passwords are in plaintext not because the site stored them that way, but because stealers capture them on the endpoint from the browser's saved-login store; that is exactly what makes these logs immediately usable by whoever buys them.
Key point: Total records exposed: 8,545
Key point: Types of data included: Email Addresses, Plaintext Passwords, URLs, API host
Key point: Sensitive content types: Potentially PII depending on the contents of the URLs
Key point: Source structure: Stealer log file
Key point: Leak location(s): Telegram channel
Key point: Date of first appearance: 20-Mar-2024
The rise of stealer logs as a threat vector has been well-documented. As BleepingComputer reported in February 2024, stealer families such as Vidar and RedLine are actively used to harvest credentials and other sensitive data from infected systems. These logs are then sold or traded on underground forums and Telegram channels, making them readily accessible to malicious actors.
Because the stealer read these passwords out of the victim's browser, the hashing and salting the site performs server-side never came into play, and that changes the response. A stronger password policy does not help: the attacker holds the actual password, and any session cookies or API keys captured in the same log let them skip authentication entirely. Affected accounts need a forced password reset and session invalidation, exposed API keys need rotation, and MFA limits what a replayed password alone can achieve. On the endpoint side, EDR coverage and restrictions on unvetted software installs (cracked software and fake installers are a common stealer delivery vector) address the root cause, alongside educating employees about the risks of malware and phishing.
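The first question a responder asks of a log like this is which of its records touch domains they are responsible for, since the log is usually a mix of unrelated personal accounts and a handful of corporate ones. The script below is an added example, not code from the original report: it parses the fields listed in the key points above (URL, username, plaintext password) out of a stealer dump and flags records whose host or e-mail domain falls under a watched domain. The record layout it accepts (URL / Username / Password blocks separated by divider lines, plus flat url:user:pass combo lines) is an assumption about how such logs are laid out; real logs vary by stealer family. The sample log, hosts and accounts are constructed.

```python
"""Parse a stealer-log credential dump and triage it against watched domains.

Added example, not part of the original report. The block format (URL /
Username / Password fields separated by a divider line) and the flat
url:user:pass combo line are assumptions; real logs vary by stealer family.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log. Every host, account and password is invented.
SAMPLE_LOG = """\
URL: https://portal.example-corp.com/login
Username: alice@example-corp.com
Password: Winter2024!
Application: Google Chrome
==================
URL: https://api.daisycloud.example/v1/auth
Username: svc-deploy
Password: tok_9f8e7d6c
Application: Microsoft Edge
==================
URL: https://mail.unrelated.test/
Username: bob@unrelated.test
Password: qwerty123
==================
https://admin.example-corp.com/:carol:Summer2024
"""

# Flat combo line: scheme://host/path:user:password (assumes no port in the host).
FLAT_RE = re.compile(r"^(?P<url>https?://[^:\s]+):(?P<user>[^:\s]+):(?P<pw>\S+)$")


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str
    host: str


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def parse_stealer_log(text: str) -> list[Credential]:
    """Turn both record styles into Credential objects."""
    creds: list[Credential] = []
    current: dict[str, str] = {}

    def flush() -> None:
        if "url" in current and "password" in current:
            creds.append(Credential(current["url"], current.get("username", ""),
                                    current["password"], host_of(current["url"])))
        current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines and divider lines (=====, -----) end the current record.
        if not line or set(line) <= {"=", "-", "*"}:
            flush()
            continue
        flat = FLAT_RE.match(line)
        if flat:
            flush()
            creds.append(Credential(flat["url"], flat["user"], flat["pw"], host_of(flat["url"])))
            continue
        key, sep, value = line.partition(":")  # split on the first colon only; passwords may contain ':'
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "url":
            flush()  # a new URL field starts a new record
            current["url"] = value
        elif key in ("username", "user", "login"):
            current["username"] = value
        elif key in ("password", "pass"):
            current["password"] = value
    flush()
    return creds


def _domain_of_user(username: str) -> str:
    """Domain part of an e-mail style username, '' for bare account names."""
    return username.rsplit("@", 1)[1].lower() if "@" in username else ""


def in_scope(host: str, watched: set[str]) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)


def triage(creds: list[Credential], watched_domains) -> dict:
    """Summarise which records touch the watched domains, by host or by e-mail domain."""
    watched = {d.lower() for d in watched_domains}
    hits = [c for c in creds
            if in_scope(c.host, watched) or in_scope(_domain_of_user(c.username), watched)]
    return {
        "total": len(creds),
        "in_scope": hits,
        # Usernames without '@' are often service or API accounts: rotate those first.
        "service_accounts": [c for c in hits if "@" not in c.username],
        "hosts": Counter(c.host for c in hits),
    }


if __name__ == "__main__":
    report = triage(parse_stealer_log(SAMPLE_LOG), ["example-corp.com", "daisycloud.example"])
    print(f"{len(report['in_scope'])} of {report['total']} records hit watched domains")
    for c in report["in_scope"]:
        print(f"  {c.host:30} {c.username}")
```

On the constructed sample, three of the four records land in scope; the two without an "@" in the username (a deploy service account and a bare admin login) are the ones to rotate before anything else, since a replayed service credential rarely trips MFA.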
We've observed a persistent trend of scraped or leaked datasets appearing on Telegram channels, often repackaged and resold multiple times. What caught our attention with the **NEW_DAISYCLOUD-CHAMPIONING** dataset wasn't the volume, but the apparent recency and the clear structure, suggesting a direct database export. The data had been circulating quietly since late March, and its re-emergence now warrants a closer look, particularly given the nature of the exposed data elements. This breach highlights the ongoing risk of data exfiltration and the need for robust monitoring of data sharing platforms like Telegram.
This dataset, labeled NEW_DAISYCLOUD-CHAMPIONING – 20_MARCH_0342_ON_CHANNEL, appeared on Telegram around March 27, 2024. While the specific origin of the data remains unclear, the file name suggests a potential timestamp of March 2024. Our team identified it through routine monitoring of Telegram channels known for hosting and distributing leaked datasets. The dataset immediately stood out due to its size and the types of data contained within: email addresses, first names, last names, and phone numbers. The combination of these elements makes the dataset valuable for malicious actors engaged in phishing campaigns, identity theft, and other forms of fraud. The structured nature of the data suggests a direct database export, potentially from a compromised system or a misconfigured cloud storage instance.
Key point: Total records exposed: 4,985,787
Key point: Types of data included: Email Address, First Name, Last Name, Phone Number
Key point: Sensitive content types: PII (Personally Identifiable Information)
Key point: Source structure: Unknown database format (implied by the file name)
Key point: Leak location(s): Telegram channel
Key point: Date of first appearance: March 27, 2024
The description accompanying the upload ties this leak to Lookiero, an online styling service, and references a breach of that service publicly reported in August 2024 that involved about 5 million unique email addresses. While the record count is similar and the data types overlap, whether the NEW_DAISYCLOUD-CHAMPIONING dataset is that breach's data or a separate incident still needs to be verified, by comparing the actual records against a known copy rather than trusting the label. The same description dates the underlying breach to March 2024, which matches the timestamp in the filename. The connection is not definitive, but it points either to re-circulation of data from a previously reported breach or to data from the same timeframe that has not yet been publicly attributed.
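Deciding whether a freshly posted dump is a repackaging of an already-known breach comes down to measuring record overlap, and doing it without passing raw PII around. The script below is an added example, not code from the original report or from any breach-notification service: it normalises e-mail addresses (trim, lower-case) and phone numbers (digits only), fingerprints them with SHA-256 so both sides of a comparison can work from digests, and reports the overlap between a new dump and a known breach set. The two record sets and the verdict thresholds are constructed for the example and are not a standard.

```python
"""Check whether a newly surfaced PII dump is a re-circulation of a known breach.

Added example, not part of the original report. Comparison is done on
normalised, hashed e-mail addresses so the analyst holds raw identifiers only
during normalisation; phone numbers are a secondary signal. The verdict
thresholds are assumptions chosen for this example, not an industry standard.
"""
import hashlib
import re

# Constructed records: every name, address and number is invented.
NEW_DUMP = [
    {"email": "Alice.Smith@Example.com ", "first": "Alice", "last": "Smith", "phone": "+34 600 123 456"},
    {"email": "bob@example.org", "first": "Bob", "last": "Jones", "phone": "(555) 010-2000"},
    {"email": "CAROL@example.net", "first": "Carol", "last": "Diaz", "phone": "555.010.3000"},
    {"email": "dave@example.com", "first": "Dave", "last": "Lee", "phone": "5550104000"},
    {"email": "erin@example.org", "first": "Erin", "last": "Kim", "phone": "+1 555 010 5000"},
]
KNOWN_BREACH = [
    {"email": "alice.smith@example.com", "phone": "34600123456"},
    {"email": "bob@example.org", "phone": "5550102000"},
    {"email": "carol@example.net", "phone": "5550103000"},
    {"email": "frank@example.com", "phone": "5550104000"},  # same phone as Dave, different address
]


def normalize_email(email: str) -> str:
    """Trim and lower-case; differing case and padding are the usual reasons naive joins miss."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Keep digits only, so '+34 600 123 456' and '34600123456' compare equal."""
    return re.sub(r"\D", "", phone)


def fingerprint(value: str) -> str:
    """SHA-256 of a normalised value. Deliberately unsalted: both datasets must
    produce the same digest without sharing a key, so this is pseudonymisation,
    not a secret; treat the digest sets as sensitive."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def compare_dumps(new: list[dict], known: list[dict]) -> dict:
    """Overlap statistics and a coarse verdict for a new dump against a known set."""
    new_emails = {fingerprint(normalize_email(r["email"])) for r in new}
    known_emails = {fingerprint(normalize_email(r["email"])) for r in known}
    shared = new_emails & known_emails
    known_phones = {fingerprint(normalize_phone(r["phone"])) for r in known if r.get("phone")}
    # New e-mail but already-known phone: likely the same person under a different address.
    phone_only = sum(
        1 for r in new
        if fingerprint(normalize_email(r["email"])) not in shared
        and r.get("phone") and fingerprint(normalize_phone(r["phone"])) in known_phones
    )
    union = new_emails | known_emails
    share_of_new = len(shared) / len(new_emails) if new_emails else 0.0
    jaccard = len(shared) / len(union) if union else 0.0
    if share_of_new >= 0.9:
        verdict = "recirculated"       # nearly every new record is already known
    elif share_of_new >= 0.5:
        verdict = "partial overlap"    # same population, possibly a merge or a later export
    else:
        verdict = "largely new"
    return {
        "new_records": len(new_emails),
        "known_records": len(known_emails),
        "shared_emails": len(shared),
        "phone_only_matches": phone_only,
        "share_of_new": share_of_new,
        "jaccard": jaccard,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = compare_dumps(NEW_DUMP, KNOWN_BREACH)
    for key, value in result.items():
        print(f"{key:20} {value}")
```

A high share_of_new with a low Jaccard is the signature of a subset being resold; a high Jaccard means the two files are essentially the same export. Phone-only matches are worth a second look before declaring records "new", since a changed e-mail address on a known phone number is still the same exposed person.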
The re-emergence of this dataset underscores the persistent threat of data breaches and the challenges in controlling the spread of stolen information. The ease with which data can be shared on platforms like Telegram amplifies the risk to individuals and organizations. Monitoring these channels and proactively searching for exposed credentials and sensitive data are critical steps in mitigating the potential damage from such leaks.