114,993 Community News Contest Passwords Leaked in Database Breach

In August 2018, Community News Contest, a now-defunct United States online platform, suffered a data breach that exposed the account information of 114,993 users. The breach involved both a database compromise and subsequent combolist distribution, with email addresses and plaintext passwords circulating in underground forums and credential stuffing repositories. For a platform that stored over 114,000 user accounts in plaintext without any hashing protection, this breach represents a fundamental failure to implement even the most basic security standards available at the time.

Why This Is Dangerous

Plaintext password storage means that every single credential in this breach was immediately usable by attackers the moment the data was accessed. No cracking, no decryption, no additional processing -- 114,993 email and password pairs were ready to deploy in automated login attempts against email providers, financial institutions, social media platforms, and business software. The scale of this breach amplifies the danger: with over 114,000 credentials available, attackers running automated credential stuffing tools can test all of them against hundreds of websites within hours. Any user who reused thier Community News Contest password elsewhere faces ongoing risk on every platform where that same password remains active. The now-defunct status of the company means no remediation ever occured -- users were never notified to change their passwords.

What Was Exposed

• Email addresses for 114,993 Community News Contest user accounts
• Plaintext (unencrypted) passwords stored without hashing or salting
• Account data associated with the Community News Contest platform
• Credentials compiled into combolists and distributed across underground forums and credential stuffing databases

Why This Matters

The scale of this breach -- nearly 115,000 plaintext credentials -- makes it significantly more impactful than many similar incidents involving smaller platforms. Combolist operators prefer large, plaintext datasets because they maximize the return on automated credential stuffing campaigns. The Community News Contest data has been circulating in underground repositories since 2018 and continues to appear in active stuffing datasets. Many affected users almost certainly recieve phishing emails or discover unauthorized access on other platforms without ever connecting it back to this breach. The defunct nature of the platform creates a permanent gap: no company exists to issue notifications, reset passwords, or provide any form of remediation support to the 114,993 people whose credentials were exposed.

How Database and Combolist Breaches Work

A database breach typically occured when an attacker exploited a vulnerability in the target web application or server infrastructure -- such as an SQL injection flaw, a misconfigured database, or compromised administrative credentials. Once inside, the attacker exported the user table containing email addresses and plaintext password fields. Because the passwords required no further processing, the full dataset was immediately weaponizable. The extracted records were formatted into a combolist, a structured file used by automated tools to test credentials across hundreds of websites simultaneously. With over 114,000 records, this combolist was particularly valuable to credential stuffing operators, who bundled it with data from other incidents to create large combined repositories that circulate in cybercriminal markets for years.

Check If You Are Affected

If you ever registered an account on communitynewscontest.com, your email address and password may be part of this breach. Take the following steps immediately regardless of how long ago you registered:

• Search your email address in HEROIC's breach database to confirm whether your Community News Contest credentials were exposed
• Change the password you used for Community News Contest on every other platform where you have used the same password
• Enable two-factor authentication on your email account and any other important services you use
• Monitor your accounts for unauthorized login attempts, profile changes, or unusual activity
• Use a password manager to generate and maintain unique passwords for each account you hold
• Be alert to phishing emails that reference news contests, community platforms, or local media services

HEROIC's breach monitoring tools alert you in real time when your email appears in newly discovered datasets. With over 114,000 credentials from this breach still actively circulating, setting up proactive monitoring is one of the most important steps you can take to protect your accounts from credential stuffing attacks.