
Massive Telegram data dump adds 151 million new emails to HIBP


A massive data breach uncovered about 361 million unique email addresses, including 151 million previously unseen in any database. This enormous trove, totalling 122 GB of data extracted from 518 Telegram channels, was recently integrated into Have I Been Pwned (HIBP) after a security researcher discovered it.

Alongside the email addresses, the data set includes 1.7k files containing over 2 billion lines of information, including passwords and, in many cases, the website URL, revealing a troubling landscape of exposed online credentials.

The breached data, often called ‘combolists,’ is a collection of email addresses or user names paired with passwords. These combinations are gold mines for cybercriminals who use them in credential-stuffing attacks. By trying these combinations across various services, attackers try to gain unauthorised access to accounts.

Combolist files containing email addresses, user names, and passwords on Telegram. | Source: Troy Hunt

Cybersecurity researchers who wish to remain anonymous shared the data with Troy Hunt, who uploaded it to HIBP. Some files were empty, while others were massive, containing tens of millions of rows. For instance, the largest file appears to result from info stealer malware, capturing credentials as they were entered into websites on compromised devices.

To verify the legitimacy of the data, HIBP conducted extensive checks. This included testing email addresses against login pages of well-known services like Nike and Footlocker. For instance, when an email from the breach was entered into Nike’s login page, it confirmed the existence of an account, validating the data’s authenticity.

Further validation came from HIBP subscribers, who were asked to verify the details. One subscriber, already in 13 different breaches, confirmed the accuracy of the data. Another, with a history of seven breaches, highlighted the repeated exposure to credential stuffing attacks.

A sample of a large file containing combolists on Telegram. | Source: Troy Hunt

The breach has significant implications for millions of individuals whose data was exposed. Many will be puzzled by their inclusion, especially if they have never used Telegram. The confusion is compounded by the nature of combolists, which mix data from various sources, making it hard to pinpoint the exact origin of the breach.

“With a dataset this large, no site that allows logins is unaffected by these leaked credentials, including BleepingComputer,” notes Bleeping Computer. “The data shared with BleepingComputer includes the username, password, and URL that a member used to log into our forums, which was then saved in their browser’s password manager.”

Telegram, renowned for its simplicity, privacy and security, has inadvertently become a fertile ground for sharing compromised data. The platform’s design, which allows users to create channels and disseminate information anonymously, has made it attractive for those looking to share sensitive data, including data breaches.

Cybersecurity experts have suggested users keep devices patched and updated, use strong and unique passwords, and enable two-factor authentication for additional security. They have also warned against using repetitive patterns in passwords, such as the date of birth, addresses, or anything publicly available.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
