What Happened
The “URL-LOGIN-PASS SATANIC CLOUD” data breach occurred in May 2024, when a group called SATANIC CLOUD leaked a 1.5 GB plain-text file named “22M URL-LOGIN-PASS 22.05.2024 SATANIC CLOUD.txt” on Telegram. The file contained over 22 million lines of URL-login-password combinations, stolen primarily by infostealer malware from browsers and devices. Approximately 49,340 of these records were for Mexican government sites (.gob.mx domains), including 23,712 for SAT (the tax authority), 961 for CDMX Government systems, 533 for ISSSTE, and 649 for empleo.gob.mx. Many credentials were confirmed active as of May 22, 2025, enabling access to sensitive documents such as Single Electronic Files. The breach exposed emails, plain-text passwords, and session data, likely gathered through phishing, fake downloads, or cloned sites. It poses risks of account takeover, social engineering, and identity theft, although some passwords may have expired.


