NordLocker said it’s uncovered a database containing 1.2TB worth of files, account credentials, and other sensitive information that was stolen using custom malware that spread via illegally downloaded software.

The company said that software included “illegal Adobe Photoshop 2018, a Windows cracking tool, and several cracked games.” Those stolen programs appeared to be functional, but they also included a “Trojan-type malware” that stole the information NordLocker discovered in this publicly hosted database.

This database was said to have contained data taken from 3.25 million Windows devices between 2018 and 2020. NordLocker said the malware operator “stole nearly 26 million login credentials holding 1.1 million unique email addresses, 2 billion+ cookies, and 6.6 million files” divided into 12 distinct categories.

The stolen data reportedly included files gathered from victims’ Desktop and Downloads folders as well as “cookies, credentials, autofill data, and payment information from 48 applications.” That list includes popular browsers, such as Google Chrome and Mozilla Firefox, as well as email apps like Outlook.

NordLocker said “the malware also photographed the user if the device had a webcam.” It was also said to have assigned unique identifiers to affected devices, which means all the stolen data could be linked to a particular system. From there it probably would have been trivial to link the information to a specific person.

Unfortunately this kind of malware appears to be common: NordLocker said that “Nameless, or custom, trojans such as this are widely available online for as little as $100.” Anyone buying the malware could use it to gather sensitive data that could then be sold to other malicious actors or used in extortion schemes.

NordLocker said it contacted the cloud service provider used to host this database so it could be removed. It also shared 1.1 million unique addresses with Have I Been Pwned, a popular service that allows people to see if their personal information has been exposed in databases like the one described in this report.