The Have I Been Pwned service now includes 441K accounts stolen by RedLine malware

The Have I Been Pwned data breach notification service now includes credentials for 441K accounts that were stolen by RedLine malware.

The Have I Been Pwned data breach notification service now allows victims of the RedLine malware to check if their credentials have been stolen. The service now includes credentials for 441K accounts stolen by the popular info-stealer.

The RedLine malware allows operators to steal several information, including credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. The malicious code can also act as a first-stage malware.

Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers.

A few days ago the data breach hunter Bob Diachenko discovered an unsecured server exposing over 6 million RedLine logs containing data harvested between August and September 2021. The server is still accessible, but the researchers pointed out that threat actors abandoned it because the the number of logs is not increasing.

The insecure server contained numerous LastPass credentials stolen using the RedLine malware.

Diachenko decided to provide the data exposed on the server to Troy Hunt, who operates the popular data breach notification service Have I Been Pwned.

“In December 2021, logs from the RedLine Stealer malware were left publicly exposed and were then obtained by security researcher Bob Diachenko. The data included usernames, email addresses and plain text passwords.” reads the announcement published on the HIBP website that announced the availability of 441,657 unique email addresses stolen by the RedLine malware.

If your email address is listed in the RedLine malware logs, you have to change the passwords associated with that email account and for any other account that share the same credentials. Users have also to change passwords for any account accessed through the infected machine. Users have also to scan the machine to remove installed malware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]