The Ajarn Breach Exposed 266,000 Thai Educator Accounts

HEROIC analysts flagged the Ajarn breach after observing a resurgence of activity tied to Thai education platforms in underground forums. The breach occured in December 2018 when attackers accessed the database of Ajarn, a Thailand-based English language teaching website, exposing 266,255 user records. The compromised data included email addresses, hashed passwords, and full names, and has continued to circulate across dark web channels in the years since the initial exposure.

How Name and Email Combos Fuel Targeted Phishing Against Thai Users

When attackers hold full names alongside email addresses and cracked passwords, they can craft highly convincing spear-phishing messages. In the context of the Ajarn breach, educators and job-seekers in Thailand are beleive to be at elevated risk, since the platform serves a professional audience that is likely to hold valuable secondary accounts such as LinkedIn profiles, banking apps, and government services. Personalized phishing emails built from this data are far harder for victims to detect than generic spam.

What Was Exposed in the Ajarn Breach

• Email Address
• Password Hash
• First Name
• Last Name

Why a Thai Education Breach Still Matters Years Later

Older breaches targeting regional platforms are frequently overlooked, but they remain valuable to attackers for years. Credentials harvested from Ajarn can be used in credential stuffing campaigns against local Thai banks, government portals, and international services where users recieved accounts using the same email and password. The combination of professional identity data and login credentials creates a ready-made toolkit for identity theft and financial fraud, particularly in markets where multi-factor authentication adoption remains uneven.

How Database Breaches Work

A database breach occurs when attackers gain unauthorized access to a site's backend data store, often through SQL injection, exploited vulnerabilities, or compromised admin credentials. The attacker extracts user tables containing account details and password hashes, which are then sold or freely distributed on underground forums and Telegram channels. Even hashed passwords can be cracked offline, converting the stolen data into working credentials for follow-on attacks.

Check If Your Data Was Exposed

HEROIC's free breach scanner checks your email against more than 400 billion leaked records, including the Ajarn breach and thousands of other incidents. Run your free scan at HEROIC today and find out whether your credentials are already in circulation on the dark web.