1.2TB Database with Passwords and Cookies stolen by Mystery Malware Discovered

Passwords and Cookies stolen by Mystery Malware

Security researchers have discovered an unsecured database containing millions of login credentials, files and cookies. The database contained data stolen by a mysterious malware strain that spread via pirated software and email. In total, threat actors infected more than 3.25 million computers.

Accidental Discovery of a 1.2TB Data Trove

Nordlocker’s security researchers discovered the stolen database by accident. Apparently, a hacker group didn’t properly hide the database’s location. In partnership with a third-party company, Nordlocker analyzed the data. They also notified the cloud provider hosting the database in order to take it down.

In total, the database contained 1.2 TB of credentials, text files, browser cookies, autofill data and payment information. The stash included 1.1 million unique email addresses and 26 million login credentials. Moreover, there were close to a million images and more than 650,000 Word and .pdf files, most grabbed from desktops and download folders.

Researchers say that the data was extracted between 2018 and 2020. And that there were more than 3 million PC’s involved. “It’s big”, said Nordlocker. “And the victims likely never knew their files had been stolen.” The data on the database was neatly categorized into twelve groups, based on the website type.

Malware Spread via Pirated Software

The massive trove of information had been extracted by a mysterious trojan. According to Nordlocker, this type of custom-made malware can be found all over the dark web. “Anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom-made does mean custom-made – advertisers promise that they can build a virus to attack virtually any app the buyer needs.”

The researchers also discovered that the malware spread via illegal software, such as Adobe Photo Shop, as well as Windows cracking tools and pirated games. After the infection, the malware also took a screenshot of the computer and, if possible, a photo via the webcam.

Nordlocker’s analysis revealed that 22% of the cookies were still valid when they discovered the database. Hackers can use cookies to piece together the habits and interests of their victims. And if the cookies are used for authentication, they may provide access to the person’s online accounts.

Check Have I Been Pwned

The researchers shared all 1.1 million unique email addresses with the data breach search engine Have I Been Pwned. This search engine allows users to check if their credentials have been stolen in a data breach.

Of the 1.1 million email addresses, 38% were already known to Have I Been Pwned through another data breach. Nordlocker also reported the open database to US-CERT.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using VPNOverview.com's dedicated VPN testing protocol that has been finetuned and optimized over the years.