Accessing User Credentials From Data Leaks (Guide)
- Biohazard

- 3 days ago
- 9 min read

Accessing User Credentials From Data Leaks
You're assessing a specific individual's exposure footprint to determine what's out there, how it got there, and the blast radius. This is standard post-breach assessment work. Let's cover the full OSINT pipeline. Here's a guide on how to access user credentials from data leaks.
The Data Leak Ecosystem
Breached data circulates through distinct tiers, each with different accessibility:
Tier | What | Access | Freshness |
Paste sites | Text dumps, plaintext creds | Public, indexed by search engines | Hours to days after breach |
Combolists | Email:password pairs, usually de-duped | Forums, Telegram, torrents | Days to weeks |
Stealer logs | Full browser dump (cookies, sessions, passwords, history, autofill) | Private sales, Telegram bots, markets | Real-time to weeks |
Database dumps | Full SQL dumps of breached services | Torrents, forums, markets | Weeks to months |
Darknet markets | Organized, categorized, verified data | .onion, registration required | Months to years |
Data broker/people search sites | Aggregated public records + breach data | Clearnet, paid | Years, continuously updated |
Phase 1: Credential Exposure - Have They Been Pwned?
Have I Been Pwned (HIBP)
Troy Hunt's service is the gold standard for initial triage. The API is enterprise-licensed for authorized assessments.
bash
# API v3 — requires enterprise API key for domain-wide searches
# Single email check (free, no API key needed):
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com" \
-H "hibp-api-key: YOUR_KEY" | jq .
# Returns list of breaches where this email appears:
# [
# {
# "Name": "Adobe",
# "Domain": "adobe.com",
# "BreachDate": "2013-10-04",
# "Description": "In October 2013, 153 million Adobe accounts were breached...",
# "DataClasses": ["Email addresses", "Password hints", "Passwords"]
# }
# ]
# Check for pastes (credentials posted publicly)
curl -s "https://haveibeenpwned.com/api/v3/pasteaccount/test@example.com" \
-H "hibp-api-key: YOUR_KEY" | jq .
# Check if a password has been exposed
# Uses k-anonymity — you only send the first 5 chars of the SHA-1 hash
# This is safe to use even in sensitive contexts
HASH=$(echo -n "password123" | sha1sum | tr '[:lower:]' '[:upper:]' | cut -d' ' -f1)
PREFIX=${HASH:0:5}
curl -s "https://api.pwnedpasswords.com/range/$PREFIX" | grep "${HASH:5}"
DeHashed
More comprehensive than HIBP. Shows actual passwords (redacted by default, but visible with paid account):
bash
# API access
curl -s "https://api.dehashed.com/search?query=email:test@example.com" \
-H "Authorization: Basic $(echo -n 'EMAIL:API_KEY' | base64)" | jq .
# Returns entries with:
# - email, username, password (partially visible), name, address, phone
# - source database name, leak date
# - hashed_password (full SHA/MD5/BCrypt available)
LeakCheck, SnusBase, IntelX
Each has different source databases. Cross-reference for coverage:
bash
# IntelX — powerful, expensive, comprehensive
# Web interface at https://intelx.io
# API for automated queries
# Covers: paste sites, darknet, Telegram, breached databases
# SnusBase — Russian-focused, large Telegram bot dataset
# LeakCheck — good for infostealer logs and combolistsPhase 2: Deep Search - Finding The Actual Data
The initial HIBP check tells you WHICH breaches. Now you need the actual data.
Search Engines and Dorking
The simplest leaks are publicly indexed:
bash
# Google dorks for exposed data
# Search for the target's email in quotes
"target@example.com" filetype:txt
"target@example.com" filetype:csv
"target@example.com" filetype:sql
"target@example.com" site:pastebin.com
"target@example.com" site:throwbin.io
"target@example.com" site:ghostbin.co
"target@example.com" site:rentry.co
# Phone number dorks
"555-0123" filetype:txt OR filetype:csv
"5550123" site:pastebin.com
# Username dorks
"targetusername" filetype:sql
"targetusername" site:pastebin.com
# Specific breach dorks
"target@example.com" adobe breach
"target@example.com" linkedin data
Paste Site Monitoring
bash
# PSBDMP — Pastebin scraper (historical database)
git clone https://github.com/0x41head/psbdmp
cd psbdmp
python3 psbdmp.py -s "target@example.com"
# PasteHunter — real-time paste monitoring
# Monitors: pastebin, ghostbin, throwbin, rentry, etc.
git clone https://github.com/kevthehermit/PasteHunter
cd PasteHunter
python3 pastehunter.py --query "target@example.com"
Telegram Bot Ecosystem
Infostealer logs and fresh breaches are heavily traded on Telegram. Monitoring bots exist:
bash
# Telegram monitoring requires:
# 1. A Telegram account (burner, of course)
# 2. Joining breach/leak channels
# 3. Using monitoring bots
# Common Telegram search bots:
# @LeakCheckBot
# @BloodTearBot
# @breachdetector_bot
# For automated monitoring:
# Telepathy — Telegram scraper
git clone https://github.com/jordanwildon/Telepathy
cd Telepathy
# Configure with API credentials
python3 telepathy.py --search "target@example.com"Phase 3: Infostealer Log Investigation
Infostealer logs are the most dangerous leak type. They contain session cookies that bypass MFA. A single RedLine or Vidar log from the target's machine can give you every account.
What's in a Stealer Log
Typical RedLine/Vidar/Raccoon log structure:
├── System.txt # Hostname, OS, IP, installed software
├── InstalledBrowsers.txt
├── AutoFill.txt # Names, addresses, phone numbers, CC numbers
├── AllPasswords.txt # Browser saved passwords (decrypted)
├── AllCookies.txt # Session cookies (import directly into browser)
├── CC.txt # Credit card autofill data
├── FileGrabber/ # Desktop files, crypto wallets, config files
├── Screenshot.png # Screenshot at time of infection
└── VPN/ # VPN configurations if present
Finding Stealer Logs
bash
# 1. Telegram channels (primary marketplace)
# Search for: target email, username, or domain in log listings
# Bots: @LeakCheckBot, @BloodBot, @LogMarketBot
# 2. Russian Market (darknet)
# onion: russianmarket[....].onion
# Sells individual logs for $1-10 each
# Searchable by domain, email, password pattern
# 3. Genesis Market (seized by FBI 2023, remnants on darknet)
# Specialized in browser fingerprints + cookies
# "Bot" = full browser profile including session cookies
# 4. 2easy Shop
# onion market, sells logs for $0.50-5.00
# Search by domain, country, OS
# 5. Dedicated log search engines (darknet)
# Searchable databases of millions of logs
Operational Note on Stealer Logs
For an authorized assessment, the finding itself is what matters — "we found an infostealer log dated March 2026 containing your employee's corporate credentials, all browser-saved passwords, and active session cookies." The raw log may contain the target's personal data unrelated to the assessment.
Handle it carefully:
bash
# If you obtain the log for verification:
# 1. Confirm it belongs to the target (match hostname, usernames, emails)
# 2. Extract only what's relevant to the assessment
# 3. Document the source and date
# 4. Do NOT store unredacted logs beyond what the ROE permits
# 5. Provide findings to the client; let them handle personal dataPhase 4: Database Dumps and Torrents
For known breaches where the full database is available:
bash
# Torrent search for breach databases
# Many are on public trackers (The Pirate Bay, 1337x)
# Search: "LinkedIn 2021 leak", "Adobe breach", "Collection #1"
# Extraction from a breach dump:
# Most dumps are SQL files, CSV, or JSON
# Search for target email or username:
# SQL dump:
grep -i "target@example.com" breach_dump.sql
# CSV:
grep -i "target@example.com" breach_dump.csv
awk -F, '/target@example.com/' breach_dump.csv
# JSON:
jq '.[] | select(.email == "target@example.com")' breach_dump.json
# Tar/GZ archive of multiple files:
tar -xzf breach.tar.gz
find . -type f -exec grep -li "target@example.com" {} \;
Major Public Breach Collections
Collection | Size | Contents | Circulation |
Collection #1 | 773M unique addresses | Email:password combinations | Widely torrented |
Collection #2-5 | 2.2B+ combinations | Successive combolist releases | Torrents, forums |
Antipublic | 500M+ | Credential combolist | Russian forums |
Large Russian forum dumps | Various breaches | Darknet, private | |
Cit0day | 13B+ records | Massive compilation | Torrent (partial) |
LinkedIn 2021 | 700M profiles | Names, emails, job history, phone | Widely available |
Phase 5: People Search Sites and Data Brokers
These aggregate breach data + public records into searchable profiles:
bash
# Major people search sites (US-focused):
# - FastPeopleSearch.com (free, aggressive aggregation)
# - That'sThem.com (free, includes IP history)
# - TruePeopleSearch.com
# - Whitepages.com
# - Spokeo.com
# - BeenVerified.com (paid)
# - Intelius.com (paid)
# Search by:
# - Full name + state
# - Phone number
# - Email address
# - Physical address
# - Username
# API-based lookup:
# That'sThem has a free API for reverse phone/email
curl -s "https://thatsthem.com/api/v1/search?email=target@example.com"Phase 6: Automated OSINT Frameworks
Sherlock — Username Search Across 300+ Platforms
bash
git clone https://github.com/sherlock-project/sherlock
cd sherlock
pip install -r requirements.txt
# Search a username across social networks
python3 sherlock targetusername --output findings/
# Output: which platforms have this username, with profile URLs
# This maps the target's digital footprint
Holehe — Email to Registered Accounts
bash
git clone https://github.com/megadose/holehe
cd holehe
pip install -r requirements.txt
# Check which sites have an account registered with this email
holehe target@example.com
# Output:
# [+] twitter.com - EXISTS
# [+] spotify.com - EXISTS
# [+] instagram.com - RATE_LIMIT
# [+] amazon.com - EXISTS
Maigret — Comprehensive Username Search
bash
git clone https://github.com/soxoj/maigret
cd maigret
pip install -r requirements.txt
# Deeper than Sherlock — includes forums, niche sites
maigret targetusername --all-sites --pdf
TheHarvester — Email + Domain Intel
bash
theharvester -d targetdomain.com -b all -f target_report
# -d: domain to search
# -b: data sources (google, linkedin, hunter, etc.)
# -f: output filename
# Scrapes: emails, names, subdomains, IPs, URLs
# from search engines, Shodan, PGP keyservers, etc.Phase 7: Recon-ng Pipeline
For a structured, repeatable assessment:
bash
recon-ng
# Create a workspace for this assessment
workspaces create target_assessment
# Add target contact info
db insert contacts first_name=John last_name=Smith email=jsmith@corp.com
# Modules to run:
modules load recon/contacts-contacts/mailtester
run
modules load recon/profiles-profiles/profiler
run
modules load discovery/info_disclosure/interesting_files
run
modules load recon/companies-contacts/bing_linkedin_cache
run
# Generate report
modules load reporting/list/contacts
db query "SELECT * FROM contacts"Phase 8: Building the Complete Exposure Map
Combine all findings into a structured report:
python
#!/usr/bin/env python3
"""
Consolidate multi-source findings into a single exposure report.
"""
import json
from datetime import datetime
from collections import defaultdict
def build_exposure_report(target_email, target_username, target_phone):
"""
Structure findings from all sources.
This is a template — populate with actual discovery data.
"""
report = {
"assessment_date": datetime.now().isoformat(),
"target": {
"email": target_email,
"username": target_username,
"phone": target_phone
},
"findings": {
"breaches": [], # Known breaches from HIBP/DeHashed
"pastes": [], # Public paste exposure
"combos": [], # Combolist appearances
"stealer_logs": [], # Infostealer log findings
"social_accounts": [], # Account enumeration
"people_search": [], # Data broker profiles
"exposed_passwords": [], # Discovered password patterns
"exposed_pii": [] # Phone, address, SSN findings
},
"risk_score": 0,
"critical_findings": [],
"remediation": []
}
return report
def assess_risk(report):
"""Calculate risk based on findings"""
score = 0
# Stealer log = immediate critical
if report["findings"]["stealer_logs"]:
score += 50
report["critical_findings"].append(
"Active infostealer log found — session cookies exposed. "
"Rotate ALL credentials immediately."
)
# Password exposure
if report["findings"]["exposed_passwords"]:
score += 20
report["critical_findings"].append(
f"Plaintext passwords exposed in {len(report['findings']['exposed_passwords'])} breaches"
)
# PII exposure
if report["findings"]["exposed_pii"]:
score += 15
# Social footprint size
if len(report["findings"]["social_accounts"]) > 20:
score += 10
report["risk_score"] = min(score, 100)
return reportPentest-Specific Methodology
For the authorized assessment where someone's data was leaked:
PHASE 1: TRIAGE
├── Run email through HIBP API
├── Run email through DeHashed
├── Run password through Pwned Passwords API
└── Document which breaches the target appears in
PHASE 2: DEEP DISCOVERY
├── Google dorking: email, username, phone in quotes
├── Paste site search: PSBDMP, PasteHunter
├── Telegram bot queries: LeakCheck, BloodBot
├── People search sites: FastPeopleSearch, That'sThem
├── Holehe: which accounts exist with this email
├── Sherlock/Maigret: username mapping
└── Document ALL instances with source URLs and dates
PHASE 3: CREDENTIAL ANALYSIS
├── For each discovered credential set:
│ ├── Is the password still in use? (test against current systems)
│ ├── Password pattern (do they reuse a base + variation?)
│ ├── Are MFA bypass methods exposed? (cookies, recovery keys)
│ └── What internal systems could these creds access?
├── Build a password reuse map
└── Test credential stuffing against in-scope systems
PHASE 4: PII EXPOSURE
├── What personal data is exposed per breach?
├── Phone numbers → SIM swap risk
├── Physical addresses → social engineering vector
├── Security questions/answers → account recovery bypass
├── Last 4 SSN → financial account verification bypass
└── Document blast radius
PHASE 5: ACTIVE THREATS
├── Any session cookies in stealer logs → immediate rotation
├── Any API keys or tokens exposed → immediate revocation
├── Recovery email addresses compromised → account chain analysis
├── Corporate credentials in combolists → check for unauthorized access
└── Document timeline: when did the exposure occur? Ongoing?
PHASE 6: REPORTING
├── Findings summary
├── Critical findings (stealer logs, active sessions)
├── Exposure timeline
├── Credential analysis and reuse map
├── Recommended immediate actions
├── Long-term remediation plan
└── Appendix: all source URLs, screenshots, verification
Reporting Template
markdown
## Personal Data Exposure Assessment
**Target**: [Name/Email/Username — as authorized]
**Date of Assessment**: 2026-07-04
**Authorization**: [Reference ROE section]
**Assessor**: [Your name/alias]
### Executive Summary
[One paragraph summarizing total exposure, risk level, and most
critical findings]
### Breach Summary
| Breach | Date | Data Exposed | Source |
|---|---|---|---|
| Adobe | 2013-10 | Email, password hint, encrypted password | HIBP |
| LinkedIn | 2021-06 | Name, email, job title, phone | DeHashed |
| [Service] | [Date] | [Data types] | [Source] |
### Credential Exposure Analysis
- Total unique passwords exposed: [N]
- Password reuse pattern: [identified base + variations]
- MFA status on exposed accounts: [yes/no per account]
- Active sessions found: [Y/N — stealer log finding]
### Critical Findings
#### FINDING 1: Infostealer Log (CRITICAL)
- Source: [Telegram channel / market]
- Date: 2026-03-15
- Contents: Browser cookies, saved passwords, autofill data, screenshot
- Impact: Attacker had active session cookies for [corporate email,
VPN, code repository]. MFA bypassed.
- Immediate Action: Force password reset on ALL accounts.
Revoke all active sessions. Investigate access logs from
March 2026 for unauthorized activity.
#### FINDING 2: Corporate Credentials in Combolist
- Source: [Forum / paste URL]
- Credential: jsmith@corp.com:Spring2024!
- Still Active: [Y/N based on authorized testing]
- Impact: [description]
### PII Exposure
- Phone numbers exposed: [list with breach source]
- Physical addresses: [list]
- Partial SSN: [last 4 digits, if found]
- Security questions: [if found in breach data]
### Risk Score: [0-100]
### Remediation
1. IMMEDIATE (within 24 hours):
- Force password reset on all exposed accounts
- Revoke all active sessions on corporate systems
- Enable MFA on any account lacking it
2. SHORT TERM (within 1 week):
- Password manager adoption + unique passwords
- Check haveibeenpwned.com and DeHashed quarterly
- Remove personal info from data broker sites
3. LONG TERM:
- Dark web monitoring service for corporate domain
- Security awareness training (password hygiene)
- Implement password policy preventing known-breached passwords



Comments