ClickitGolf

We've been tracking a resurgence of older breaches appearing in password cracking combolists, and the ClickitGolf breach from August 2018 stood out. What caught our attention wasn't the size of the breach itself, but the fact that over 58,000 records contained plaintext passwords. In an era where password hashing is a basic security practice, the exposure of plaintext credentials from a relatively recent breach highlights a continuing failure in basic security hygiene, and it underscores the risk of credential stuffing attacks.

ClickitGolf's Plaintext Password Exposure Fuels Credential Stuffing Risks

The ClickitGolf breach, which surfaced on August 26, 2018, exposed 58,951 user records. The primary concern stems from the fact that the exposed passwords were stored in plaintext. This means that anyone gaining access to the database could directly read and use the passwords without needing to crack them. The breach was likely the result of a database compromise or a combolist attack.

The presence of plaintext passwords significantly elevates the risk to users. Attackers can use these credentials to attempt logins on other websites and services, a technique known as credential stuffing. Given that many users reuse passwords across multiple platforms, a single plaintext breach can trigger a cascade of compromises. This breach matters to enterprises because it underscores the importance of educating employees about password reuse and implementing measures to detect and prevent credential stuffing attacks.

Key point: Total records exposed: 58,951

Key point: Types of data included: Email addresses, plaintext passwords

Key point: Source structure: Likely a database dump

Key point: Leak location(s): Password cracking combolists

Key point: Date of first appearance: August 26, 2018

Troy Hunt's Have I Been Pwned website includes the ClickitGolf breach in its database of known security incidents.

Email · Address · Plaintext · Password