Advice Request 40+ Passwords Found in Data Breach - Help Me Understand What Actually Happened


vaultedlogic

New Member
Thread author
Apr 20, 2025
8
Hi all,

This has been stressing me out for months, and I’d really appreciate help from someone experienced in cybersecurity.

What Happened:

  • Aug 2024: iPhone alerted me that someone tried logging into my Apple ID.
  • Sept 2024:
    • My Discord sent links to friends I never sent.
    • My Telegram also sent job scam messages in Russian via PostBot.
    • Got an email that someone tried logging into my Amazon.
    • Gmail showed a 2-week login session from Russia.
    • Google Password Manager said 40+ saved passwords were found in data breaches.
The accounts accessed mostly had reused passwords, BUT some passwords were unique, which confused me...

What I Did:

  • Factory reset my PC (before scanning it unfortunately).
  • Scanned all devices.
  • Changed all important passwords.
  • Enabled 2FA wherever possible.

What I'm Trying to Understand:

  1. How were unique passwords exposed if they weren’t reused anywhere?
  2. Could this be malware, session/token hijacking, or password manager compromise?
  3. Were my devices (like my PC or phone) hacked, or is it a data breach thing, and if so, how does it happen in the first place?
  4. Is there any way to identify which site leaked my data or what caused this generally?
  5. There are a million what-ifs in my mind, so is there anything I should be worried about, like future blackmailing, identity theft (identity scans were in my email at that time), etc.?
No blackmail, leaks, or direct threats have occurred up to this point, but the situation has left me confused and paranoid, because even a password to a private photos vault was in a data breach. I emailed the company and they said no suspicious activity was detected, but I'm not sure how much I can trust that response.

Separate Incident - Possibly related:

February 2025: I plugged in an old flash drive that I never use, and Windows Defender flagged it for two serious threats:

  • Trojan:Win32/Astaroth!pz
  • Trojan:Win32/Ramnit.A
They were hiding in a fake RECYCLER folder from 2016. I didn't run any files, and Defender removed them. Could be unrelated, but it added to the paranoia and made me think: can this be related to what happened? Also, what can these specific malware do? Can they access a device's camera, for example?
And even small things: I was checking if I had unknown apps on my phone by checking if they are still on the App Store, and one of them I couldn't find on the App Store, which also made me think "what if this is malware" and so on.

I just want to understand what happened here. Can anyone here make sense of how things probably played out? Can you know if it's a data breach thing or if my devices were hacked?

Thanking you guys in advance for your help!
 

Bot

AI-powered Bot
Apr 21, 2016
4,900
1. Unique passwords can be exposed through various methods, such as phishing, keylogging, or even a data breach on a site where you used that password.
2. It could be any of those possibilities. It's hard to say without more information.
3. It's possible your devices were compromised, but it seems more likely your data was exposed in a breach.
4. Unfortunately, it's difficult to identify the exact source of the leak. You can check websites like Have I Been Pwned to see if your data was part of a known breach.
5. Future threats depend on the data that was exposed. Stay vigilant, monitor your accounts, and consider identity theft protection services.
6. The flagged Trojans on your flash drive could steal personal information, but if Defender removed them, your system should be safe. They might not be related to your previous issues.
7. The removed app could be suspicious, but it could also be an innocent app that's no longer supported.

In conclusion, it seems like a data breach, but without concrete evidence, it's hard to be sure. Keep taking security measures like changing passwords and enabling 2FA.
 

Wrecker4923

Level 2
Apr 11, 2024
71
Two things you can do that might confirm infostealer malware (which can exfiltrate your passwords) include:
If you use Chrome's password manager, and the attacker had 2-week access to your Google account, then they probably have the passwords in the Google account too. You already changed important passwords, but the rest of the passwords need to be reset too.

When you have multiple account breaches, the 3 common reasons include: 1) password reuse (credential stuffing) and no 2FA, 2) malware, especially infostealers, that exfiltrate credentials from your machines, and 3) a password manager breach (mostly on your end).
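As an added example, not code from this thread or from any of the posters: the two checks the replies above recommend, spotting password reuse across sites and checking whether a password appears in a known breach corpus (the check Have I Been Pwned offers), written as a script you can run against a password-manager export. Assumptions: the export is a list of (site, user, password) tuples; `local_range_server` is a constructed offline stand-in for the Pwned Passwords range API (the real endpoint is `GET https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>`, which returns `suffix:count` lines, so the full password or hash never leaves your machine); and the sample credentials and breach counts are invented. Note what the check can and cannot tell you: a hit means the password string itself is in a breach corpus, not which site or which device leaked it, which is exactly the ambiguity behind the OP's question about unique passwords.

```python
import hashlib
from collections import defaultdict

# Constructed sample password-manager export (site, username, password).
# Invented values for the demo, not anyone's real credentials.
SAMPLE_EXPORT = [
    ("discord.com", "alice", "Winter2023!"),
    ("telegram.org", "alice", "Winter2023!"),
    ("amazon.com", "alice", "Winter2023!"),
    ("photos-vault.example", "alice", "xJ9#vault-only-2Qp"),
    ("bank.example", "alice", "correct horse battery staple"),
]

# Constructed stand-in for the breach corpus behind the range API: password -> times seen.
CONSTRUCTED_BREACH_CORPUS = {
    "Winter2023!": 12873,
    "correct horse battery staple": 302,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_server(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for
    every corpus hash sharing the 5-char prefix. Only the prefix is ever 'sent'."""
    lines = []
    for pwd, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pwd)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, fetch_range=local_range_server) -> int:
    """k-anonymity lookup: send the first 5 hex chars, match the remaining 35 locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def find_reuse(export) -> dict:
    """Map each password to the sites it unlocks; any list longer than 1 is reuse."""
    sites = defaultdict(list)
    for site, _user, pwd in export:
        sites[pwd].append(site)
    return {pwd: s for pwd, s in sites.items() if len(s) > 1}


def triage(export, fetch_range=local_range_server) -> list:
    """Per-entry verdict: reused?, breach-corpus count, and a reset priority."""
    reused = find_reuse(export)
    report = []
    for site, user, pwd in export:
        count = breach_count(pwd, fetch_range)
        is_reused = pwd in reused
        if is_reused and count:
            priority = "reset now (reused AND in breach corpus: credential-stuffing target)"
        elif count:
            priority = "reset now (unique but present in breach corpus)"
        elif is_reused:
            priority = "reset (reused; one leak would expose all of these sites)"
        else:
            priority = "ok (unique, not in corpus)"
        report.append({"site": site, "user": user, "reused": is_reused,
                       "breach_count": count, "priority": priority})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT):
        print(f"{row['site']:<22} reused={row['reused']!s:<5} "
              f"seen={row['breach_count']:<6} {row['priority']}")
```

To run it against the live service, pass a `fetch_range` that performs the HTTP GET for the 5-character prefix and returns the response body; the script's matching logic is unchanged, and only that prefix leaves your machine.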
 

bazang

Level 14
Jul 3, 2024
668
I just want to understand what happened here. Can anyone here make sense of how things probably played out? Can you know if it's a data breach thing or if my devices were hacked?
The definitive answer to all the questions you are asking here can only be obtained by a direct investigation by a digital forensics & analyst firm.

Retain a digital forensics firm and have them investigate all of your devices and accounts. Everything.

And then you will have your answers.

Anything other than results produced by a rigorous, comprehensive direct-access analysis of your digital devices and accounts is speculation.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
998
What the ####, they are obviously not going to engage a digital forensics firm. Why not at least TRY to give some helpful advice (if you know so much) rather than trolling? They factory reset their PC and have an iPhone; how are you going to get data back from both devices?

OP, honestly no one can say, since you reset the PC and IOCs have most likely been deleted. I would reset your mobile to factory settings as well. Without FRST output or some logs, nobody can accurately say how and why you got pwned. If they are trying to log into your iPhone, then your email, username and password have probably been compromised somewhere.

No one knows your threat model and why you were/could be targeted. More information is needed.
 

bazang

Level 14
Jul 3, 2024
668
What the ####, they are obviously not going to engage a digital forensics firm. Why not at least TRY to give some helpful advice (if you know so much) rather than trolling? They factory reset their PC and have an iPhone; how are you going to get data back from both devices?
It is not trolling. It is the only way for the OP to obtain an accurate, definitive answer. Anything else is guessing and speculation.

Factory resetting a PC leaves recoverable, investigable data remanence on the hard drive. There are also lower levels of data remanence. Same with the USB flash drive. Then there is the iPhone. And finally, there is data available in all the OP's accounts and within the third-party service providers that they use.

This thread could be 10,000 pages long and the OP would get no closer to an accurate, definitive answer because without a proper forensic investigation it is a waste of time.
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
1. Unique passwords can be exposed through various methods, such as phishing, keylogging, or even a data breach on a site where you used that password.
2. It could be any of those possibilities. It's hard to say without more information.
3. It's possible your devices were compromised, but it seems more likely your data was exposed in a breach.
4. Unfortunately, it's difficult to identify the exact source of the leak. You can check websites like Have I Been Pwned to see if your data was part of a known breach.
5. Future threats depend on the data that was exposed. Stay vigilant, monitor your accounts, and consider identity theft protection services.
6. The flagged Trojans on your flash drive could steal personal information, but if Defender removed them, your system should be safe. They might not be related to your previous issues.
7. The removed app could be suspicious, but it could also be an innocent app that's no longer supported.

In conclusion, it seems like a data breach, but without concrete evidence, it's hard to be sure. Keep taking security measures like changing passwords and enabling 2FA.
Hey, first of all, thank you so much, your replies really helped clear up a lot. Also, to follow up, Have I Been Pwned says I've been part of 4 data breaches, including some really big ones.
Does that make it more likely this was just a data breach issue rather than an actual device hack?
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
What the ####, they are obviously not going to engage a digital forensics firm. Why not at least TRY to give some helpful advice (if you know so much) rather than trolling? They factory reset their PC and have an iPhone; how are you going to get data back from both devices?

OP, honestly no one can say, since you reset the PC and IOCs have most likely been deleted. I would reset your mobile to factory settings as well. Without FRST output or some logs, nobody can accurately say how and why you got pwned. If they are trying to log into your iPhone, then your email, username and password have probably been compromised somewhere.

No one knows your threat model and why you were/could be targeted. More information is needed.
Hey, thanks a lot, I really appreciate the advice! It was a short-period thing, maybe 2 weeks only, then they stopped trying to log in. Also, for more context, it was people from different locations trying to log in, and I've also found that my email has been found in really big data breaches, if that helps get to a possible conclusion.
 

Bot

AI-powered Bot
Apr 21, 2016
4,900
Hey, first of all, thank you so much, your replies really helped clear up a lot. Also, to follow up, Have I Been Pwned says I've been part of 4 data breaches, including some really big ones.
Does that make it more likely this was just a data breach issue rather than an actual device hack?
Yes, if Have I Been Pwned indicates your information was part of multiple data breaches, it's more likely that your situation is a result of those breaches rather than a direct hack of your devices. However, it's still important to maintain good security practices to protect yourself from potential device hacks in the future.
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
Two things you can do that might confirm infostealer malware (which can exfiltrate your passwords) include:
If you use Chrome's password manager, and the attacker had 2-week access to your Google account, then they probably have the passwords in the Google account too. You already changed important passwords, but the rest of the passwords need to be reset too.

When you have multiple account breaches, the 3 common reasons include: 1) password reuse (credential stuffing) and no 2FA, 2) malware, especially infostealers, that exfiltrate credentials from your machines, and 3) a password manager breach (mostly on your end).
Hey, thank you so much for your help! Your explanation makes a lot of sense and your tips helped a lot. I entered my email in Hudson Rock and it said "This username is not associated with a computer infected by an info-stealer." "0 Compromised Personal Services" "0 Compromised Corporate Services", and I checked my email on Have I Been Pwned and it found my email in 4 really big data breaches. Based on that, would it be safe to say this was more likely caused by data breaches than an actual device hack?
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
Yes, if Have I Been Pwned indicates your information was part of multiple data breaches, it's more likely that your situation is a result of those breaches rather than a direct hack of your devices. However, it's still important to maintain good security practices to protect yourself from potential device hacks in the future.
I just realized that's a bot, W bot thanks! haha
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
The definitive answer to all the questions you are asking here can only be obtained by a direct investigation by a digital forensics & analyst firm.

Retain a digital forensics firm and have them investigate all of your devices and accounts. Everything.

And then you will have your answers.

Anything other than results produced by a rigorous, comprehensive direct-access analysis of your digital devices and accounts is speculation.
Thanks anyways!
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
Two things you can do that might confirm infostealer malware (which can exfiltrate your passwords) include:
If you use Chrome's password manager, and the attacker had 2-week access to your Google account, then they probably have the passwords in the Google account too. You already changed important passwords, but the rest of the passwords need to be reset too.

When you have multiple account breaches, the 3 common reasons include: 1) password reuse (credential stuffing) and no 2FA, 2) malware, especially infostealers, that exfiltrate credentials from your machines, and 3) a password manager breach (mostly on your end).
Wait, actually I rechecked on Hudson Rock and it says "This email address is associated with a computer that was infected by an info-stealer, all the credentials saved on this computer are at risk of being accessed by cybercriminals." Last compromised 2024-14-08, which is perfectly precise: that's when everything happened. Does this hack include things like camera and microphone, or is it only passwords and info of this type? (I've asked a bunch of people online about my issue and you were the only one to suggest this website, thanks!!)
 

vaultedlogic

New Member
Thread author
Apr 20, 2025
8
Hey everyone, I made a previous post asking how 40+ of my passwords were found in a data breach and asking if this is a data breach thing or malware on my device.

A user recommended I use the website hudsonrock and my results were:

26 Compromised Personal Services

This email address is associated with a computer that was infected by an info-stealer, all the credentials saved on this computer are at risk of being accessed by cybercriminals.
  • Cookies
  • Credentials
  • IP
  • Malware Path
  • Operating System
  • Date
  • Computer Name
  • Installed Anti-Viruses
I have some questions:

1- Can I conclude this was a malware thing, not a data breach thing? haveibeenpwned suggests I was pwned in 4 data breaches, so I'm not sure what to conclude.

2- Could this kind of malware access a webcam or a mic, or is it usually limited to stealing login credentials, cookies, and browser data?

3- Is there anything I should be worried about regarding this situation, like blackmailing or identity theft, etc.?

4- Any general advice on blindspots I have regarding the situation?
 

Wrecker4923

Level 2
Apr 11, 2024
71
The service is new, but you can see them in the news now, mostly regarding corporate hacks and ransomware based on past infostealer thefts. I believe they retrieve infostealer logs and put them into a database to allow corporations to check if their employees' accounts have been breached, which might compromise the companies' systems.

This confirms past/present infostealer/malware infections on your machine. Factory resetting (making sure you don't sync past software or browser extensions from your connected online accounts) is one of the most complete measures you can take. If you are still unsure, you can:
  • Use one-time scanners, such as "ESET Online Scanner" and "Sophos Scan and Clean," to fully scan your computer. You probably won't find anything.
  • If you want human reassurances, try MT's Windows Malware Removal Help & Support forum.
I would consider doing the following:
  • Also factory reset your mobile devices (without syncing past software), as mentioned by @Zero Knowledge.
  • Because it may be hard to figure out if they still have a foothold in your Google account, I'd monitor it very closely. Login location logs may not be indicative because they can just use your session cookie without logging in. I'd consider resetting/reviewing all the "named" security options (passkeys, authenticator [unless yours is still working], 2FA recovery codes), apps, forwarding addresses, filtering rules, etc.
  • Put your passwords into a third-party password manager like Bitwarden. It's not attacked as often as the browsers' password managers, and it will be safer in some situations. There is a very active subreddit that can provide help, suggestions, and learning opportunities.
As far as the malware's capabilities go, it's anybody's guess. They can access webcams and microphones (remember Pegasus), but these aren't the most valuable data on the PC. They often steal cookies, credentials, electronic wallets, files, screenshots, keylogged passwords, and more. You pretty much need to reset all your passwords, enable 2FA wherever possible (which you already did), rotate all your encryption (like encrypted files), notify your financial institutions, and check for sensitive info that could further leak because of your files (.txt, .doc, screenshots, legal/identity documents on your system, etc.) and photos. More or less, you should assume and prepare for a total compromise of your system while hoping that they didn't actually get all of it.
 
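As an added example, not part of Wrecker4923's reply or of any tool the thread mentions: a small inventory script for the last step in that reply, working out which files on the machine an infostealer would have had access to, so you know what to rotate, re-issue, or notify about. The target categories follow the reply (plain-text notes, documents, screenshots and photos, wallet files, identity documents); the filename and content keyword lists are my assumptions, and the directory tree it scans is constructed in a temporary directory with placeholder contents so it runs anywhere. Point `inventory()` at a real user profile to use it for an actual assessment.

```python
import re
import tempfile
from pathlib import Path

# File types the reply above lists as infostealer targets. Labels are assumptions.
TARGET_EXTENSIONS = {
    ".txt": "plain-text note", ".md": "plain-text note", ".csv": "plain-text note",
    ".doc": "document", ".docx": "document", ".pdf": "document",
    ".png": "image/screenshot", ".jpg": "photo", ".jpeg": "photo",
    ".dat": "wallet/data file", ".json": "wallet/data file",
    ".kdbx": "password database",
}
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".json"}
# Filename and content hints for identity documents and secrets (assumed lists).
NAME_HINTS = re.compile(
    r"passport|licen[cs]e|ssn|tax|password|wallet|seed|recovery|screenshot|id[_-]?card", re.I)
CONTENT_HINTS = re.compile(r"password|seed phrase|recovery code|ssn|iban|passport", re.I)


def classify(path: Path) -> list:
    """Reasons a file belongs in the exposure inventory; an empty list means out of scope."""
    reasons = []
    label = TARGET_EXTENSIONS.get(path.suffix.lower())
    if label:
        reasons.append(label)
    if NAME_HINTS.search(path.name):
        reasons.append("sensitive filename")
    if path.suffix.lower() in TEXT_SUFFIXES and path.is_file():
        # Only peek at the head of text files; binary formats are judged by name/type.
        head = path.read_text(errors="ignore")[:4096]
        if CONTENT_HINTS.search(head):
            reasons.append("sensitive content")
    return reasons


def inventory(root) -> list:
    """Walk `root` and return sorted (relative POSIX path, reasons) for in-scope files."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_constructed_tree() -> Path:
    """Constructed sample profile for the demo; contents are placeholders, not real data."""
    root = Path(tempfile.mkdtemp(prefix="exposure-demo-"))
    for d in ("Documents", "Pictures", "Downloads"):
        (root / d).mkdir()
    (root / "Documents" / "passport_scan.pdf").write_bytes(b"%PDF-1.4 constructed")
    (root / "Documents" / "notes.txt").write_text("wifi password: hunter2\n")
    (root / "Documents" / "shopping.txt").write_text("milk, eggs\n")
    (root / "Pictures" / "Screenshot 2024-08-14.png").write_bytes(b"\x89PNG constructed")
    (root / "Downloads" / "wallet.dat").write_bytes(b"constructed")
    (root / "Downloads" / "setup.exe").write_bytes(b"MZ constructed")
    return root


if __name__ == "__main__":
    for rel, reasons in inventory(build_constructed_tree()):
        print(f"{rel:<40} {', '.join(reasons)}")
```

The output is an inventory, not a verdict: a flagged file means "assume the attacker could read this", which is the stance the reply recommends, and every entry then maps to a concrete follow-up (rotate the secret, re-issue the document, warn the institution).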

Bot

AI-powered Bot
Apr 21, 2016
4,900
Hey everyone, I made a previous post asking how 40+ of my passwords were found in a data breach and asking if this is a data breach thing or malware on my device.

A user recommended I use the website hudsonrock and my results were:

26 Compromised Personal Services

This email address is associated with a computer that was infected by an info-stealer, all the credentials saved on this computer are at risk of being accessed by cybercriminals.
  • Cookies
  • Credentials
  • IP
  • Malware Path
  • Operating System
  • Date
  • Computer Name
  • Installed Anti-Viruses
I have some questions:

1- Can I conclude this was a malware thing, not a data breach thing? haveibeenpwned suggests I was pwned in 4 data breaches, so I'm not sure what to conclude.

2- Could this kind of malware access a webcam or a mic, or is it usually limited to stealing login credentials, cookies, and browser data?

3- Is there anything I should be worried about regarding this situation, like blackmailing or identity theft, etc.?

4- Any general advice on blindspots I have regarding the situation?

1- It's likely a combination of both malware and data breaches. The malware on your device harvested your credentials, and your details were also exposed in data breaches.

2- While this malware seems to focus on stealing credentials, some malware can indeed access webcams or mics. It's always best to stay cautious.

3- Identity theft is a concern in such situations. Monitor your accounts for suspicious activity, and consider credit monitoring services.

4- Regularly update your software, use strong unique passwords, enable two-factor authentication where possible, and consider using a reputable antivirus/anti-malware program.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
998
Wrecker4923 has some great advice, follow it and you will go far in securing your digital identity!

Personally, if you're running Windows I would run a FRST scan and post it on this forum or another malware help forum. With your iPhone only Apple has the access to determine if you have been pwned; they lock it down very tight and don't give 3rd-party tools high-level access. Reset the device just to be sure, but a good tip is to shut down or restart your mobile device once a day, because most sophisticated mobile malware can't survive a reboot due to fear of getting caught. Now of course there is malware out there that survives a reboot, but if you're infected by it you have more to worry about.

Info stealers are most likely looking for crypto wallet and keys these days. All the best hacks are coming from that industry. If you have any holdings monitor your wallet.
 

bazang

Level 14
Jul 3, 2024
668
Hey, thank you so much for your help! Your explanation makes a lot of sense and your tips helped a lot. I entered my email in Hudson Rock and it said "This username is not associated with a computer infected by an info-stealer." "0 Compromised Personal Services" "0 Compromised Corporate Services", and I checked my email on Have I Been Pwned and it found my email in 4 really big data breaches. Based on that, would it be safe to say this was more likely caused by data breaches than an actual device hack?
Hudson Rock's website provides that same message for every user name.

Hudson Rock is an "aggregator" of data and, unless the user name that you entered is absolutely unique, the website's free feature provides an aggregated, generic tally of data, and the generic "infected by an infostealer" is not necessarily accurate. It is also the same with compromised passwords - Hudson Rock is aggregating the data that it scrapes and presenting it to you in an undifferentiated form.

Try entering "william@gmail.com" on the Hudson Rock website. 1,337+ "services" infected. That is because people all over the world use the username "william@gmail.com" without even having a "william@gmail.com" account, and those systems have been compromised in one way or another. There are other reasons too for the large "infected" numbers.


To be more sure, you need the Hudson Rock report that lists your specific device name (at the time of infection) and your exact public IP address. (You can try the "Hudson Rock Free Report" option at the top of the page.)

Enter your public IP address into HudsonRock's free online tools instead of your username. You will still receive an "aggregated" set of numbers of data collected across many, many data sources.

You need the Summary of Infections report (example):


It is wrong to conclude that whatever happened to your devices was due to a data breach. That is just a very imprecise guess. There is insufficient info to make that determination. The only definitive, accurate answer can be determined by a forensic investigation of both the devices and cloud resources.

If it was a data breach, you don't know where the breach occurred, and therefore you need to close every single one of your online accounts and open new ones. Just changing logon credentials can be "not adequate." At the very least you should report that you think your data has been compromised and report it to every single online account that is valuable to you.
 
