50,030 Plaintext Passwords From Pegasus Cloud Just Surfaced on Telegram
Stealer log activity on Telegram has been climbing steadily, but this particular drop stood out immediately. The file was tied to Pegasus Cloud, a cloud infrastructure provider, and the exposed data went well beyond basic usernames. Plaintext passwords, API host details, and internal endpoint URLs were all included, raising the risk level considerably for any organization that relies on the service. The breach was not massive by modern standards, but the quality of what was exposed made it a high-priority incident.
Why This Is Dangerous
Plaintext passwords require zero cracking. Anyone with access to this file can attempt logins immediately across any service where a victim reused their password. Combined with API host URLs and endpoint data, attackers have everything needed to target cloud infrastructure directly. Credential stuffing tools can process tens of thousands of these records in minutes, meaning the window for damage opens the moment the file goes public.
What Was Exposed
- 50,030 total records
- Email addresses tied to Pegasus Cloud accounts
- Plaintext passwords with no hashing or encryption
- API host URLs and internal infrastructure endpoints
- File uploaded to Telegram on October 4, 2025
- Source country: United States
Why This Matters
Cloud credentials are among the most sought-after items on dark web markets. When a provider like Pegasus Cloud is compromised through a stealer infection, the blast radius extends beyond individual users. Any enterprise that granted employees access to Pegasus Cloud services may now have exposed API tokens and login paths sitting in a Telegram channel. Password reuse across corporate tools amplifies the risk further, as a single leaked credential can become the key to email, VPN, and SaaS platforms simultaneously.
How Stealer Log Breaches Work
Stealer malware is typically delivered through phishing emails, cracked software, or malicious browser extensions. Once installed on a device, it silently harvests saved passwords, cookies, and autofill data from browsers and applications. The collected records are then packaged into log files and sold or distributed through Telegram channels. Unlike traditional database breaches, stealer logs reflect real, recently active sessions, which means the credentials they contain are more likely to still be valid at the time of exposure.
Check If You Are Affected
HEROIC's free dark web scanner checks your email address against over 400 billion leaked records, including stealer log dumps like this one. If your credentials appeared in the Pegasus Cloud leak or any related breach, you will see it immediately. Run a free scan now to find out whether your data is circulating on dark web marketplaces or Telegram channels used by threat actors.