Combolist Iran From CrackingSpace.com

We’ve been tracking the increased targeting of Iranian infrastructure and online communities, and a recent leak from **CrackingSpace.com** caught our eye. While the volume of records – **137,849** – isn't massive compared to other breaches, the specific targeting and potential use of the data for follow-on attacks is concerning. The setup here felt different because it wasn't a grab-bag of stealer logs; it was a focused database dump from a site specifically catering to cracking and "combolist" enthusiasts within Iran. The data had been circulating quietly, but we noticed increased chatter referencing it on Telegram channels known for doxxing and account takeovers.

Combolist Iran: 137k Records From CrackingSpace.com

This breach involves a database dump from CrackingSpace.com, a website catering to individuals interested in "combolists" – collections of usernames and passwords used to attempt account takeovers. The breach was discovered on [Date Redacted] by our team during routine monitoring of Telegram channels known for the distribution of leaked credentials. While the leak itself doesn't contain passwords, the exposure of usernames associated with this community raises concerns about targeted attacks and social engineering.

What caught our attention was the specific focus on Iranian users within the cracking community. This suggests a deliberate targeting effort, potentially for purposes ranging from financial fraud to politically motivated account compromises. The data's presence on Telegram channels frequented by malicious actors further amplifies the risk.

This breach matters to enterprises now because it highlights the continued vulnerability of online communities to data exfiltration and the subsequent use of that data to target individuals and organizations. Even without passwords, exposed usernames can be used to craft targeted phishing campaigns or to identify potential targets for social engineering attacks.

Key point: Total records exposed: 137,849

Key point: Types of data included: Usernames

Key point: Sensitive content types: None (usernames only)

Key point: Source structure: Database dump

Key point: Leak location(s): Telegram channels

While specific details of the breach origin are still under investigation, the incident aligns with a broader trend of increased cyber activity targeting Iranian online communities. Several threat actors have been observed actively scraping and exfiltrating data from Iranian websites and forums. As reported by various security researchers, Telegram channels are increasingly used for the distribution and sale of stolen credentials and other sensitive information. For example, researchers at Group-IB have documented the prevalence of credential stuffing attacks originating from Telegram channels (reference Group-IB reports on Telegram-based cybercrime).

None