ULP Data (URL:Login:Password)
Also known as: ULP, URL-Login-Password, URL:Login:Pass
ULP data is credential data formatted as URL:Login:Password — the login page, the username, and the password for a captured account. It is the most common way infostealer-stolen credentials are organised, searched, and sold within stealer logs and combolists.
What is ULP data?
ULP stands for URL:Login:Password. Each ULP record ties a captured credential to the specific web address where it was used, alongside the username and password. Infostealers record credentials in this format because the URL context makes the data immediately actionable — a buyer knows exactly which service each credential unlocks.
Why ULP format matters
The URL component is what makes infostealer data so much more dangerous than a raw password dump. Attackers can filter ULP data for high-value targets — corporate SSO portals, VPNs, email, banking — and go straight to working logins for specific services.
VantaPrism indexes ULP records from stealer logs so analysts can search by domain and instantly see which corporate login URLs appear in stolen credential data and how exposed each service is.
Check Your Exposure arrow_forwardFrequently Asked Questions
What does ULP stand for?
Why is the URL part of ULP data significant?
Related Terms
A stealer log is the package of data exfiltrated from a single device by infostealer malware. It typically contains s…
Compromised credentials are usernames and passwords that have been exposed to unauthorized parties — frequently throu…
A combolist is a compiled list of username/email and password combinations, aggregated from breaches and stealer logs…
Credential stuffing is an automated attack that takes username/password pairs leaked from one source and tries them e…