Buffy Forums

We've been tracking a concerning trend of older forum breaches resurfacing in aggregate dumps, often targeting niche communities. These breaches, initially dismissed as low-impact due to their size or obscurity, can collectively pose a significant threat when credentials are reused across more critical platforms. What struck us about the recent surfacing of the Buffy Forums breach from August 2020 wasn't the number of records—around 27,000—but the longevity of the forum and the potential for password reuse among its dedicated user base. The data had been circulating quietly, but we noticed an uptick in mentions across several dark web forums known for credential stuffing activity. This suggests the breach is being actively used in attempts to compromise other accounts.

Buffy Forums Breach: 27k User Records Resurface, Fueling Credential Stuffing

The Buffy Forums, a community dedicated to discussions about "Buffy the Vampire Slayer," "Angel," and other Whedonverse-related topics, suffered a data breach in August 2020. The breach exposed sensitive user data including email addresses, usernames, birthdays, IP addresses, and password hashes. The passwords were stored as MD5 hashes with salting, an outdated security measure that is now easily cracked with modern tools. This breach caught our attention due to the age of the forum and the likelihood that users may have reused these credentials on other, more critical platforms. The re-emergence of this data underscores the persistent risk posed by legacy breaches and the ongoing threat of credential stuffing attacks against enterprises.

• Total records exposed: 27,253
• Types of data included: Email Address, Username, Password Hash (MD5 with salt), IP Address, Birthday
• Sensitive content types: PII (Personally Identifiable Information)
• Source structure: Database export (likely SQL)
• Leak location(s): Various dark web forums and Telegram channels known for trading breached credentials.
• Date of first appearance: August 11, 2020 (date of breach), with resurfacing observed in Q1 2024.

Security researcher Troy Hunt added the breach to Have I Been Pwned? on August 12, 2020, confirming the details of the incident and its impact. This breach highlights the importance of using strong, unique passwords across all online accounts, even those associated with seemingly low-risk forums. The ease with which MD5 hashes can be cracked underscores the need for modern password storage techniques such as bcrypt or Argon2. The re-emergence of this data years after the initial breach serves as a stark reminder of the long-term consequences of poor security practices and the ongoing threat of credential reuse.