Cross Fire

We've been tracking a resurgence in breaches stemming from older, less secure platforms, and a recent find underscores the long tail of risk these legacy systems represent. While the sheer number of records exposed in modern breaches can be staggering, what really caught our attention with this one was the age of the breach and the continued viability of the data within it. The Cross Fire forum breach, dating back to August 2016, resurfaced this week, reminding us that even years-old data can still pose a significant threat if not properly mitigated. The use of outdated hashing algorithms made this breach particularly concerning.

Cross Fire Forum Breach: 12.8 Million Accounts Exposed From 2016

The Cross Fire forum, a Russian gaming community hosted on mail.ru, suffered a significant breach in August 2016. The breach, which affected multiple forums associated with the mail provider, exposed 12.8 million user accounts. This incident has resurfaced recently in several dark web communities, highlighting the enduring risk associated with older breaches. This data is now being actively traded and potentially used in credential stuffing attacks. The age of the breach doesn't diminish its impact, especially given the potential for password reuse across different platforms.

The breach initially caught our attention due to its reappearance on several Telegram channels known for trading compromised credentials. What made it particularly concerning was the method of password storage: salted MD5 hashes. This outdated hashing algorithm is now easily crackable with modern tools, meaning the passwords within the database are highly vulnerable. This breach matters to enterprises now because it underscores the importance of proactive monitoring for compromised credentials, even from seemingly old and forgotten breaches. The potential for password reuse means that these exposed credentials could be used to gain access to other, more sensitive systems.

Key point: Total records exposed: 12,846,468

Key point: Types of data included: Email Address, Username, Password Hash (salted MD5), Salt

Key point: Source structure: Database (likely vBulletin)

Key point: Leak location(s): Telegram channels, Dark web forums

Key point: Date of first appearance: August 2016, resurfaced recently (current week)

External Context & Supporting Evidence

While initial reports of the 2016 mail.ru breach may be difficult to find directly due to its age, similar large-scale breaches of gaming forums using outdated security measures have been widely reported. For example, breaches of other vBulletin forums using MD5 hashing algorithms have been discussed extensively on security forums like Breach Forums, where users often share information about cracking and utilizing the leaked data. The risk associated with MD5 hashing is well documented; security researchers have long cautioned against its use due to its vulnerability to collision attacks and rainbow table lookups.

The reappearance of this data on Telegram channels aligns with a broader trend of compromised databases being traded within these communities. Discussions on these channels often revolve around techniques for cracking the hashes and using the resulting credentials for credential stuffing attacks against other online services. One post claimed the files were "a goldmine of old but still working passwords."

Email · Address · Password · Hash · Username · Salt