Credential‑stuffing botnet left exposed
Operators of a credential‑stuffing botnet reportedly left their command‑and‑control stack, worker fleet and root passwords exposed, giving defenders access to the infrastructure. The disclosure reinforces that credential attacks remain industrial and often poorly opsec’d, with the typical signature of many target accounts hit from one source and only a small number of eventual compromises (gbhackers.com).
Credential stuffing is a login attack that replays stolen username-and-password pairs across other sites, betting that some people reused the same password. The Open Web Application Security Project says the method relies on breached credentials rather than guessing new ones. (owasp.org)

In this case, researchers said the operators of a live Twitter or X credential-stuffing botnet left their control panel open on the public internet with no authentication at all. GBHackers, citing GHOST researchers, reported on April 14, 2026 that the exposed panel revealed the botnet’s command server, worker nodes and plaintext root access details. (gbhackers.com)

The exposed panel reportedly ran on a Windows Server 2019 host at Hetzner in Falkenstein, Germany, and used a Python Flask dashboard to manage attacks against Twitter or X login endpoints. The same report said remote desktop protocol, server message block and Windows Remote Management services were also exposed on the server. (gbhackers.com)

Researchers said one unauthenticated application programming interface call returned the internet protocol address, root secure shell password, health status and install state for each worker in plaintext. The worker fleet included 18 Linux servers in the 31.58.245.0/24 range tied in the report to Komuta Savunma Yuksek Teknoloji Limited Sirketi in Ankara, Turkey. (gbhackers.com)

During a 12-minute observation window on April 10, 2026, the panel showed 722,763 credential pairs tested and 18 new account takeovers added to the hit list, according to the report. Lifetime counters displayed 4,862,580 accounts checked and 138 successful takeovers, a success rate of about 0.0028 percent. (gbhackers.com)

The same telemetry showed 4,163,790 of the tested accounts, or about 85.6 percent, hit a two-factor authentication prompt and were dropped by the tool. Only 211,662 accounts were listed as having valid passwords without two-factor authentication, and 138 were fully compromised. (gbhackers.com)

That pattern matches how credential stuffing usually works at scale: millions of low-cost login attempts produce a small pool of real account takeovers. The Open Web Application Security Project says attackers automate the testing of known credentials across many sites because password reuse lets one breach spill into unrelated services. (owasp.org)

Security vendors have described the trade as organized and commercialized rather than ad hoc. Kasada said on February 12, 2025 that its team infiltrated 22 credential-stuffing groups and found subscription tools, customer support and other fraud services sold to lower-skilled buyers. (kasada.io)

Large credential collections are still feeding that pipeline. Troy Hunt wrote on November 5, 2025 that Have I Been Pwned processed a corpus with 1,957,476,021 unique email addresses and 1.3 billion unique passwords, and said credential-stuffing lists are commonly repackaged from older breaches and reused against other accounts. (troyhunt.com)

The botnet operators in this case appear to have built an industrial login-testing system and then left the front door open. The exposed panel showed how a password-reuse attack can be both highly automated and undone by weak operational security. (gbhackers.com)
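The shape the article describes, many distinct accounts tested from one source with only a sliver of full logins and a large share stopped at the two-factor prompt, is also what a defender can look for in their own authentication logs. The following is an added illustration, not code from the report or from any of the parties named above; it runs a simple per-source heuristic over a constructed set of login events, and the field names, outcome labels and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of authentication events (assumption: the login service
# emits one record per attempt as (source IP, username, outcome)). Outcome
# labels mirror the buckets in the article's telemetry: "fail" (wrong
# password), "mfa" (valid password but stopped at the two-factor prompt) and
# "success" (a full login, i.e. an account takeover if the source is hostile).
STUFFING_IP = "203.0.113.9"   # constructed: one source walking a credential list
HOME_IP = "198.51.100.7"      # constructed: a normal user who mistypes once

EVENTS = (
    [(STUFFING_IP, f"user{i:03d}", "fail") for i in range(20)]
    + [(STUFFING_IP, f"user{i:03d}", "mfa") for i in range(20, 28)]
    + [(STUFFING_IP, "user028", "success")]
    + [(HOME_IP, "alice", "fail"), (HOME_IP, "alice", "success")]
)


def summarize(events):
    """Aggregate attempts, distinct usernames and outcomes per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "mfa": 0, "success": 0})
    for ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome in ("mfa", "success"):
            s[outcome] += 1
    return stats


def flag_stuffing(events, min_attempts=20, min_users=10, max_success_rate=0.05):
    """Return {ip: summary} for sources that match the credential-stuffing
    shape: many distinct usernames from one source, with only a tiny fraction
    of attempts ending in a full login. Thresholds are constructed defaults;
    tune them to the normal traffic of the service being monitored."""
    flagged = {}
    for ip, s in summarize(events).items():
        rate = s["success"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "full_logins": s["success"],   # accounts a hostile source would now hold
                "mfa_blocked": s["mfa"],       # valid passwords stopped by the 2FA prompt
                "success_rate": rate,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(EVENTS).items():
        print(ip, info)
```

The `mfa_blocked` count is worth surfacing on its own: every entry there is a password that is known to the attacker and should be rotated even though the login never completed.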