A bot is circulating on Telegram claiming to have over 18 million Mexican passwords ready for sale. What’s most concerning is that more than 14,000 people already use it every month, and it offers access to all kinds of accounts: email, social media, banks, and even government platforms like SAT, ISSSTE, CFE, and Benito Juárez scholarships.
It works like an à la carte menu, where you can search by specific domain (for example, if you're interested in emails ending with a certain website, the bot will show them to you without issue).
And no, it’s not just a rumor. In fact, Publimetro México tested a free sample and confirmed that several of the passwords actually work. This means anyone who buys access could log into active accounts and view private information without the owner knowing.
This Telegram bot operates automatically and with surprising ease. You just have to type the country (for example, “mx” for Mexico) or the domain you're interested in (like that of a bank, university, or company), and within seconds it tells you how many passwords it has available. It displays details such as the URL, email, and even the password.
If someone wants full access, they only need to pay around $70 and receive a package of ready-to-use credentials.
But this isn’t just a rogue bot. It’s part of an entire criminal network. It all starts with stolen databases shared for free to attract curious users or potential buyers. Then, cybercriminals use bots like this one to offer more specific and functional access. They even provide “technical support” to teach buyers how to log into accounts or use them for fraud if they don’t know how.
These passwords don’t appear out of thin air. They’re stolen using a type of malicious software known as an infostealer. This malware infiltrates your computer or phone and begins collecting everything it can find: passwords saved in your browser, session cookies, files with personal data, and even access to your most-used platforms.
And the worst part is, infostealers don’t need to make a lot of noise. Sometimes, all it takes is clicking on a suspicious link, downloading an attachment, or installing a pirated program for the malware to start working. While you continue using your device as usual, the malware is already sending your information to servers controlled by criminal groups.
Later, that data is organized, packaged, and sold through channels like this Telegram bot. That’s how your bank account, work email, or social media profiles can end up in someone else’s hands—without you ever knowing.
Read more: Top 10 Telegram Groups and Channels on the Dark Web
What makes this leak even more serious is that thousands of the stolen passwords belong to Mexican government platforms like SAT, ISSSTE, CFE, and Benito Juárez scholarships. The worst part? Many of these websites don’t have two-factor authentication (2FA) enabled.
This means that if someone gets your email and password, they can access your account directly without you noticing. Just like that, they can view your tax, medical, or employment history, or even download official documents as if they were you.
While the situation sounds alarming, there are several steps you can take to keep your accounts more secure:
Change your passwords regularly and try to use a different one for each site or service. Yes, it can be a hassle, but it's one of the most effective barriers.
Enable two-factor authentication (2FA) whenever possible. It’s that option that asks for an extra code when you log in from a new device. Even if someone has your password, they won’t be able to access your account without that second code.
Don’t download files from shady sources or click suspicious links sent through social media, email, or WhatsApp. Many of those files hide malicious programs that steal your data without you realizing it.
A little caution makes all the difference. No one is 100% safe, but with good habits, you can greatly reduce the chances of falling into these kinds of digital traps.