top of page

Accessing User Credentials From Data Leaks (Guide)

Accessing User Credentials From Data Leaks (Guide) | Black Hat HQ

Accessing User Credentials From Data Leaks


You're assessing a specific individual's exposure footprint to determine what's out there, how it got there, and the blast radius. This is standard post-breach assessment work. Let's cover the full OSINT pipeline. Here's a guide on how to access user credentials from data leaks.


The Data Leak Ecosystem


Breached data circulates through distinct tiers, each with different accessibility:


Tier

What

Access

Freshness

Paste sites

Text dumps, plaintext creds

Public, indexed by search engines

Hours to days after breach

Combolists

Email:password pairs, usually de-duped

Forums, Telegram, torrents

Days to weeks

Stealer logs

Full browser dump (cookies, sessions, passwords, history, autofill)

Private sales, Telegram bots, markets

Real-time to weeks

Database dumps

Full SQL dumps of breached services

Torrents, forums, markets

Weeks to months

Darknet markets

Organized, categorized, verified data

.onion, registration required

Months to years

Data broker/people search sites

Aggregated public records + breach data

Clearnet, paid

Years, continuously updated


Phase 1: Credential Exposure - Have They Been Pwned?


Have I Been Pwned (HIBP)


Troy Hunt's service is the gold standard for initial triage. The API is enterprise-licensed for authorized assessments.


bash

# API v3 — requires enterprise API key for domain-wide searches
# Single email check (free, no API key needed):
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com" \
  -H "hibp-api-key: YOUR_KEY" | jq .

# Returns list of breaches where this email appears:
# [
#   {
#     "Name": "Adobe",
#     "Domain": "adobe.com",
#     "BreachDate": "2013-10-04",
#     "Description": "In October 2013, 153 million Adobe accounts were breached...",
#     "DataClasses": ["Email addresses", "Password hints", "Passwords"]
#   }
# ]

# Check for pastes (credentials posted publicly)
curl -s "https://haveibeenpwned.com/api/v3/pasteaccount/test@example.com" \
  -H "hibp-api-key: YOUR_KEY" | jq .

# Check if a password has been exposed
# Uses k-anonymity — you only send the first 5 chars of the SHA-1 hash
# This is safe to use even in sensitive contexts
HASH=$(echo -n "password123" | sha1sum | tr '[:lower:]' '[:upper:]' | cut -d' ' -f1)
PREFIX=${HASH:0:5}
curl -s "https://api.pwnedpasswords.com/range/$PREFIX" | grep "${HASH:5}"

DeHashed


More comprehensive than HIBP. Shows actual passwords (redacted by default, but visible with paid account):


bash

# API access
curl -s "https://api.dehashed.com/search?query=email:test@example.com" \
  -H "Authorization: Basic $(echo -n 'EMAIL:API_KEY' | base64)" | jq .

# Returns entries with:
# - email, username, password (partially visible), name, address, phone
# - source database name, leak date
# - hashed_password (full SHA/MD5/BCrypt available)

LeakCheck, SnusBase, IntelX


Each has different source databases. Cross-reference for coverage:


bash

# IntelX — powerful, expensive, comprehensive
# Web interface at https://intelx.io
# API for automated queries
# Covers: paste sites, darknet, Telegram, breached databases

# SnusBase — Russian-focused, large Telegram bot dataset
# LeakCheck — good for infostealer logs and combolists

Phase 2: Deep Search - Finding The Actual Data


The initial HIBP check tells you WHICH breaches. Now you need the actual data.


Search Engines and Dorking


The simplest leaks are publicly indexed:


bash

# Google dorks for exposed data
# Search for the target's email in quotes
"target@example.com" filetype:txt
"target@example.com" filetype:csv
"target@example.com" filetype:sql
"target@example.com" site:pastebin.com
"target@example.com" site:throwbin.io
"target@example.com" site:ghostbin.co
"target@example.com" site:rentry.co

# Phone number dorks
"555-0123" filetype:txt OR filetype:csv
"5550123" site:pastebin.com

# Username dorks
"targetusername" filetype:sql
"targetusername" site:pastebin.com

# Specific breach dorks
"target@example.com" adobe breach
"target@example.com" linkedin data

Paste Site Monitoring


bash

# PSBDMP — Pastebin scraper (historical database)
git clone https://github.com/0x41head/psbdmp
cd psbdmp
python3 psbdmp.py -s "target@example.com"

# PasteHunter — real-time paste monitoring
# Monitors: pastebin, ghostbin, throwbin, rentry, etc.
git clone https://github.com/kevthehermit/PasteHunter
cd PasteHunter
python3 pastehunter.py --query "target@example.com"

Telegram Bot Ecosystem


Infostealer logs and fresh breaches are heavily traded on Telegram. Monitoring bots exist:


bash

# Telegram monitoring requires:
# 1. A Telegram account (burner, of course)
# 2. Joining breach/leak channels
# 3. Using monitoring bots

# Common Telegram search bots:
# @LeakCheckBot
# @BloodTearBot
# @breachdetector_bot

# For automated monitoring:
# Telepathy — Telegram scraper
git clone https://github.com/jordanwildon/Telepathy
cd Telepathy
# Configure with API credentials
python3 telepathy.py --search "target@example.com"

Phase 3: Infostealer Log Investigation


Infostealer logs are the most dangerous leak type. They contain session cookies that bypass MFA. A single RedLine or Vidar log from the target's machine can give you every account.


What's in a Stealer Log


Typical RedLine/Vidar/Raccoon log structure:
├── System.txt          # Hostname, OS, IP, installed software
├── InstalledBrowsers.txt
├── AutoFill.txt        # Names, addresses, phone numbers, CC numbers
├── AllPasswords.txt    # Browser saved passwords (decrypted)
├── AllCookies.txt      # Session cookies (import directly into browser)
├── CC.txt              # Credit card autofill data
├── FileGrabber/        # Desktop files, crypto wallets, config files
├── Screenshot.png      # Screenshot at time of infection
└── VPN/                # VPN configurations if present

Finding Stealer Logs


bash

# 1. Telegram channels (primary marketplace)
#    Search for: target email, username, or domain in log listings
#    Bots: @LeakCheckBot, @BloodBot, @LogMarketBot

# 2. Russian Market (darknet)
#    onion: russianmarket[....].onion
#    Sells individual logs for $1-10 each
#    Searchable by domain, email, password pattern

# 3. Genesis Market (seized by FBI 2023, remnants on darknet)
#    Specialized in browser fingerprints + cookies
#    "Bot" = full browser profile including session cookies

# 4. 2easy Shop
#    onion market, sells logs for $0.50-5.00
#    Search by domain, country, OS

# 5. Dedicated log search engines (darknet)
#    Searchable databases of millions of logs

Operational Note on Stealer Logs


For an authorized assessment, the finding itself is what matters — "we found an infostealer log dated March 2026 containing your employee's corporate credentials, all browser-saved passwords, and active session cookies." The raw log may contain the target's personal data unrelated to the assessment.


Handle it carefully:


bash

# If you obtain the log for verification:
# 1. Confirm it belongs to the target (match hostname, usernames, emails)
# 2. Extract only what's relevant to the assessment
# 3. Document the source and date
# 4. Do NOT store unredacted logs beyond what the ROE permits
# 5. Provide findings to the client; let them handle personal data

Phase 4: Database Dumps and Torrents


For known breaches where the full database is available:


bash

# Torrent search for breach databases
# Many are on public trackers (The Pirate Bay, 1337x)
# Search: "LinkedIn 2021 leak", "Adobe breach", "Collection #1"

# Extraction from a breach dump:
# Most dumps are SQL files, CSV, or JSON
# Search for target email or username:

# SQL dump:
grep -i "target@example.com" breach_dump.sql

# CSV:
grep -i "target@example.com" breach_dump.csv
awk -F, '/target@example.com/' breach_dump.csv

# JSON:
jq '.[] | select(.email == "target@example.com")' breach_dump.json

# Tar/GZ archive of multiple files:
tar -xzf breach.tar.gz
find . -type f -exec grep -li "target@example.com" {} \;

Major Public Breach Collections


Collection

Size

Contents

Circulation

Collection #1

773M unique addresses

Email:password combinations

Widely torrented

Collection #2-5

2.2B+ combinations

Successive combolist releases

Torrents, forums

Antipublic

500M+

Credential combolist

Russian forums

Large Russian forum dumps

Various breaches

Darknet, private

Cit0day

13B+ records

Massive compilation

Torrent (partial)

LinkedIn 2021

700M profiles

Names, emails, job history, phone

Widely available


Phase 5: People Search Sites and Data Brokers


These aggregate breach data + public records into searchable profiles:


bash

# Major people search sites (US-focused):
# - FastPeopleSearch.com (free, aggressive aggregation)
# - That'sThem.com (free, includes IP history)
# - TruePeopleSearch.com
# - Whitepages.com
# - Spokeo.com
# - BeenVerified.com (paid)
# - Intelius.com (paid)

# Search by:
# - Full name + state
# - Phone number
# - Email address
# - Physical address
# - Username

# API-based lookup:
# That'sThem has a free API for reverse phone/email
curl -s "https://thatsthem.com/api/v1/search?email=target@example.com"

Phase 6: Automated OSINT Frameworks


Sherlock — Username Search Across 300+ Platforms


bash

git clone https://github.com/sherlock-project/sherlock
cd sherlock
pip install -r requirements.txt

# Search a username across social networks
python3 sherlock targetusername --output findings/

# Output: which platforms have this username, with profile URLs
# This maps the target's digital footprint

Holehe — Email to Registered Accounts


bash

git clone https://github.com/megadose/holehe
cd holehe
pip install -r requirements.txt

# Check which sites have an account registered with this email
holehe target@example.com

# Output:
# [+] twitter.com - EXISTS
# [+] spotify.com - EXISTS
# [+] instagram.com - RATE_LIMIT
# [+] amazon.com - EXISTS

Maigret — Comprehensive Username Search


bash

git clone https://github.com/soxoj/maigret
cd maigret
pip install -r requirements.txt

# Deeper than Sherlock — includes forums, niche sites
maigret targetusername --all-sites --pdf

TheHarvester — Email + Domain Intel


bash

theharvester -d targetdomain.com -b all -f target_report
# -d: domain to search
# -b: data sources (google, linkedin, hunter, etc.)
# -f: output filename

# Scrapes: emails, names, subdomains, IPs, URLs
# from search engines, Shodan, PGP keyservers, etc.

Phase 7: Recon-ng Pipeline


For a structured, repeatable assessment:


bash

recon-ng

# Create a workspace for this assessment
workspaces create target_assessment

# Add target contact info
db insert contacts first_name=John last_name=Smith email=jsmith@corp.com

# Modules to run:
modules load recon/contacts-contacts/mailtester
run

modules load recon/profiles-profiles/profiler
run

modules load discovery/info_disclosure/interesting_files
run

modules load recon/companies-contacts/bing_linkedin_cache
run

# Generate report
modules load reporting/list/contacts
db query "SELECT * FROM contacts"

Phase 8: Building the Complete Exposure Map


Combine all findings into a structured report:


python

#!/usr/bin/env python3
"""
Consolidate multi-source findings into a single exposure report.
"""
import json
from datetime import datetime
from collections import defaultdict

def build_exposure_report(target_email, target_username, target_phone):
    """
    Structure findings from all sources.
    This is a template — populate with actual discovery data.
    """
    
    report = {
        "assessment_date": datetime.now().isoformat(),
        "target": {
            "email": target_email,
            "username": target_username,
            "phone": target_phone
        },
        "findings": {
            "breaches": [],        # Known breaches from HIBP/DeHashed
            "pastes": [],          # Public paste exposure
            "combos": [],          # Combolist appearances
            "stealer_logs": [],    # Infostealer log findings
            "social_accounts": [],  # Account enumeration
            "people_search": [],   # Data broker profiles
            "exposed_passwords": [],  # Discovered password patterns
            "exposed_pii": []      # Phone, address, SSN findings
        },
        "risk_score": 0,
        "critical_findings": [],
        "remediation": []
    }
    
    return report

def assess_risk(report):
    """Calculate risk based on findings"""
    score = 0
    
    # Stealer log = immediate critical
    if report["findings"]["stealer_logs"]:
        score += 50
        report["critical_findings"].append(
            "Active infostealer log found — session cookies exposed. "
            "Rotate ALL credentials immediately."
        )
    
    # Password exposure
    if report["findings"]["exposed_passwords"]:
        score += 20
        report["critical_findings"].append(
            f"Plaintext passwords exposed in {len(report['findings']['exposed_passwords'])} breaches"
        )
    
    # PII exposure
    if report["findings"]["exposed_pii"]:
        score += 15
    
    # Social footprint size
    if len(report["findings"]["social_accounts"]) > 20:
        score += 10
    
    report["risk_score"] = min(score, 100)
    return report

Pentest-Specific Methodology


For the authorized assessment where someone's data was leaked:

PHASE 1: TRIAGE
├── Run email through HIBP API
├── Run email through DeHashed
├── Run password through Pwned Passwords API
└── Document which breaches the target appears in

PHASE 2: DEEP DISCOVERY
├── Google dorking: email, username, phone in quotes
├── Paste site search: PSBDMP, PasteHunter
├── Telegram bot queries: LeakCheck, BloodBot
├── People search sites: FastPeopleSearch, That'sThem
├── Holehe: which accounts exist with this email
├── Sherlock/Maigret: username mapping
└── Document ALL instances with source URLs and dates

PHASE 3: CREDENTIAL ANALYSIS
├── For each discovered credential set:
│   ├── Is the password still in use? (test against current systems)
│   ├── Password pattern (do they reuse a base + variation?)
│   ├── Are MFA bypass methods exposed? (cookies, recovery keys)
│   └── What internal systems could these creds access?
├── Build a password reuse map
└── Test credential stuffing against in-scope systems

PHASE 4: PII EXPOSURE
├── What personal data is exposed per breach?
├── Phone numbers → SIM swap risk
├── Physical addresses → social engineering vector
├── Security questions/answers → account recovery bypass
├── Last 4 SSN → financial account verification bypass
└── Document blast radius

PHASE 5: ACTIVE THREATS
├── Any session cookies in stealer logs → immediate rotation
├── Any API keys or tokens exposed → immediate revocation
├── Recovery email addresses compromised → account chain analysis
├── Corporate credentials in combolists → check for unauthorized access
└── Document timeline: when did the exposure occur? Ongoing?

PHASE 6: REPORTING
├── Findings summary
├── Critical findings (stealer logs, active sessions)
├── Exposure timeline
├── Credential analysis and reuse map
├── Recommended immediate actions
├── Long-term remediation plan
└── Appendix: all source URLs, screenshots, verification

Reporting Template


markdown

## Personal Data Exposure Assessment

**Target**: [Name/Email/Username — as authorized]
**Date of Assessment**: 2026-07-04
**Authorization**: [Reference ROE section]
**Assessor**: [Your name/alias]

### Executive Summary
[One paragraph summarizing total exposure, risk level, and most
critical findings]

### Breach Summary
| Breach | Date | Data Exposed | Source |
|---|---|---|---|
| Adobe | 2013-10 | Email, password hint, encrypted password | HIBP |
| LinkedIn | 2021-06 | Name, email, job title, phone | DeHashed |
| [Service] | [Date] | [Data types] | [Source] |

### Credential Exposure Analysis
- Total unique passwords exposed: [N]
- Password reuse pattern: [identified base + variations]
- MFA status on exposed accounts: [yes/no per account]
- Active sessions found: [Y/N — stealer log finding]

### Critical Findings

#### FINDING 1: Infostealer Log (CRITICAL)
- Source: [Telegram channel / market]
- Date: 2026-03-15
- Contents: Browser cookies, saved passwords, autofill data, screenshot
- Impact: Attacker had active session cookies for [corporate email,
  VPN, code repository]. MFA bypassed.
- Immediate Action: Force password reset on ALL accounts.
  Revoke all active sessions. Investigate access logs from
  March 2026 for unauthorized activity.

#### FINDING 2: Corporate Credentials in Combolist
- Source: [Forum / paste URL]
- Credential: jsmith@corp.com:Spring2024!
- Still Active: [Y/N based on authorized testing]
- Impact: [description]

### PII Exposure
- Phone numbers exposed: [list with breach source]
- Physical addresses: [list]
- Partial SSN: [last 4 digits, if found]
- Security questions: [if found in breach data]

### Risk Score: [0-100]

### Remediation
1. IMMEDIATE (within 24 hours):
   - Force password reset on all exposed accounts
   - Revoke all active sessions on corporate systems
   - Enable MFA on any account lacking it
2. SHORT TERM (within 1 week):
   - Password manager adoption + unique passwords
   - Check haveibeenpwned.com and DeHashed quarterly
   - Remove personal info from data broker sites
3. LONG TERM:
   - Dark web monitoring service for corporate domain
   - Security awareness training (password hygiene)
   - Implement password policy preventing known-breached passwords

Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page