We've been tracking a concerning trend of older breaches resurfacing in credential stuffing attacks, and this one caught our eye due to the surprising use of plaintext passwords. While not the largest breach we've seen, the blatant security lapse within Adirect Hong Kong Holdings Limited, dating back to April 2019, immediately raised red flags. The fact that these credentials – 41,747 in total – are still circulating and potentially valid makes this a relevant risk for enterprises protecting their attack surface.

The Adirect Hong Kong Holdings Limited Breach: Plaintext Passwords Fuel Credential Stuffing

This breach involved 41,747 user records from Adirect Hong Kong Holdings Limited. The data, which included email addresses and, critically, plaintext passwords, was exposed in April 2019. The fact that passwords were not hashed or salted indicates a severe lack of basic security protocols, even by the standards of that time. The breach was discovered after the data appeared in various combolists and password dumps circulating on hacking forums and Telegram channels.

What caught our attention was the simplicity of the attack surface. With plaintext passwords, attackers can directly reuse these credentials across various platforms, significantly increasing the risk of successful credential stuffing attacks. This type of breach highlights the long-term ramifications of poor security practices and the persistence of compromised data in the threat landscape. Enterprises should be aware that credentials from even seemingly insignificant breaches can be leveraged to gain unauthorized access to their systems.

This breach matters now because it serves as a stark reminder of the importance of robust password security practices and proactive credential monitoring. The ongoing proliferation of stealer logs and the automation of credential stuffing attacks mean that even older breaches can pose a significant risk to organizations. This event is also a reminder that even smaller companies can be a source of significant risk if they do not adhere to security best practices.

Key point: Total records exposed: 41,747

Key point: Types of data included: Email Addresses, Plaintext Passwords

Key point: Source structure: Combolist

Key point: Leak location(s): Telegram channels, hacking forums

Key point: Date of first appearance: April 2019

External Context & Supporting Evidence

While this specific breach hasn't received widespread media attention, the risk of plaintext password storage has been widely reported. Security researcher Troy Hunt, creator of Have I Been Pwned, has frequently highlighted the dangers of storing passwords in plaintext, emphasizing the ease with which attackers can compromise accounts when this practice is followed. The breach aligns with a broader trend of older breaches being repackaged and reused in modern attacks.

Email · Address · Plaintext · Password

We've been tracking the resurgence of older breach datasets being re-shared and re-monetized across various dark web communities. What initially seemed like routine noise took a sharper turn when we encountered a sizable database attributed to Adirect Hong Kong Holdings Limited. It wasn't just the volume of 312,357 records that caught our attention, but the age of the breach (April 2019) coupled with the continued presence of active, yet likely outdated, credentials. The combination suggests ongoing credential stuffing attacks and a failure to adequately rotate or invalidate compromised passwords.

The "Aimware" Connection: A Resurfaced Breach

The breach stems from a compromise of "Aimware," a website known for selling video game cheats. While the initial breach occurred in mid-2019, the data continues to circulate, presenting a persistent risk. The compromised database includes a variety of personally identifiable information (PII) from Aimware users, including email addresses, usernames, first and last names, birthdays, and passwords secured as salted MD5 hashes. The data was originally dumped on a popular hacking forum, where it has likely been traded and utilized in various malicious activities.

The age of this leak is significant because it highlights the longevity of compromised data in the threat landscape. Even years after an initial breach, exposed credentials can remain valid due to user password reuse and a lack of proactive security measures by affected companies. This makes older breaches a valuable resource for attackers engaged in credential stuffing, account takeover (ATO), and other forms of identity theft.

This incident underscores a broader threat theme: the continuous recycling of leaked data. As noted by security researcher Troy Hunt, many breaches are not "new" in the sense of being recently discovered, but rather re-releases or compilations of previously exposed information. This "compilation" effect increases the likelihood of credential overlap across different services, making it easier for attackers to gain unauthorized access to user accounts.

Key point: Total records exposed: 312,357

Key point: Types of data included: Email Address, Birthday, Username, First Name, Last Name, Password Hash, Salt

Key point: Sensitive content types: PII

Key point: Source structure: Database

Key point: Leak location(s): Hacking forum (specific URL unavailable)

Key point: Date leaked: 28-Apr-2019

External Context & Evidence

While specific news coverage of the Adirect Hong Kong Holdings Limited breach is limited, the underlying Aimware breach has been documented in various security communities and forums. Discussions on sites like Reddit and BreachForums confirm the existence and spread of this data. One post on BreachForums discusses the implications of using MD5 for password hashing, highlighting its vulnerability to cracking. The continued availability of the Aimware data, combined with the use of weak hashing algorithms, makes this breach a significant concern for organizations that rely on user authentication.

Email · Address · Birthday · Username · First · Name · Last · Password · Hash · Salt