Call Carl

We're constantly tracking the movement of breached data across various channels, and one pattern that's become increasingly clear is the long tail of older breaches resurfacing in new contexts. This particular incident caught our attention not because of its scale, but because of the sensitive nature of the exposed data combined with the surprising persistence of plaintext passwords. The Call Carl breach, dating back to August 2018, involved a relatively small number of records, but the cleartext credentials made it a significant risk, even years later. The data had been circulating quietly, but we noticed a recent spike in chatter referencing it on a prominent hacking forum.

Call Carl Real Estate Platform Breach: 19.5k Records with Plaintext Passwords Resurface

The Call Carl breach, affecting approximately 19,531 records, involved the exposure of email addresses and, critically, plaintext passwords. This breach initially occurred in August 2018, impacting users of the US-based real estate platform. The data's reappearance on a well-known hacking forum suggests that it's being actively leveraged for credential stuffing attacks and other malicious activities. The lack of password hashing or salting, a basic security practice, is particularly concerning, even for a breach of this age.

Our team flagged this breach because the combination of plaintext passwords and the recent uptick in forum mentions indicated renewed interest from threat actors. While many older breaches are considered "stale," the presence of usable credentials makes this one a persistent threat. The exposed data was structured as a database or combolist, making it easily searchable and exploitable.

This incident is a stark reminder of the lasting impact of poor security practices. Even years after a breach, exposed credentials can be used to compromise accounts on other platforms if users have reused their passwords. This breach matters to enterprises now because it highlights the ongoing risk associated with legacy systems and the importance of proactive credential monitoring.

Key point: Total records exposed: 19,531

Key point: Types of data included: Email Address, Plaintext Password

Key point: Source structure: Database, Combolist

Key point: Leak location: Prominent hacking forum

Key point: Date leaked: 21-Aug-2018

External Context & Supporting Evidence

While Call Carl didn't receive widespread media coverage at the time of the initial breach, similar incidents involving plaintext passwords have been highlighted by security researchers and news outlets. For example, KrebsOnSecurity has repeatedly emphasized the dangers of storing passwords in plaintext, noting that it significantly increases the risk of credential stuffing and account takeover attacks.

On various hacking forums and Telegram channels, mentions of "Call Carl" have been observed, often in the context of discussions about password cracking and credential reuse. While specific URLs are difficult to archive reliably due to the ephemeral nature of these platforms, the chatter suggests that the leaked data is actively being traded and used for malicious purposes. One post we observed referenced the data as a "useful combolist for real estate targets."

Email · Address · Plaintext · Password