Crush007

We're seeing a resurgence of older breaches resurface in aggregated credential dumps, and this one caught our eye due to the surprisingly clear and complete user records. The Crush007 breach, dating back to April 2016, initially seemed like another relatively small database leak. What set it apart was the high percentage of valid-looking email addresses and personal names associated with plaintext passwords. The data had been circulating quietly in smaller circles, but we noticed it appearing more frequently in recent stealer log consolidations, suggesting renewed interest by threat actors.

Crush007: The Resurfacing of 16k Dating Site Credentials

The Crush007 breach involved the exposure of 16,045 user records from the eponymous online dating platform. Discovered on April 1, 2016, the breach initially seemed contained. However, its re-emergence in recent months underscores the enduring value of even older datasets to attackers. The appeal lies in the potential for password reuse across different platforms, a common user behavior that threat actors actively exploit. This breach matters to enterprises because compromised credentials from personal accounts often provide a foothold into corporate systems if employees use the same credentials for both.

The breach is now appearing more frequently in Telegram channels and dark web forums specializing in credential stuffing attacks. This renewed activity highlights the automation of credential harvesting and testing, where attackers use tools to rapidly validate credentials against a wide range of online services. The relatively small size of the breach doesn't diminish its risk; in fact, it can make it more attractive for targeted attacks due to the lower noise level.

Key point: Total records exposed: 16,045

Key point: Types of data included: First Name, Last Name, Email Address, Passwords (plaintext)

Key point: Sensitive content types: PII

Key point: Source structure: Database

Key point: Leak location(s): Telegram channels, Breach Forums

Key point: Date of first appearance: April 1, 2016 (initial breach), recently resurfacing in 2024.

External Context & Supporting Evidence

While initial reporting on the Crush007 breach is scarce, the practice of credential stuffing using older datasets is well-documented. Security researcher Troy Hunt maintains the "Have I Been Pwned" database, which tracks breaches and allows users to check if their accounts have been compromised. This resource underscores the long tail of data breaches and the persistent risk they pose. A recent article on BleepingComputer highlighted the growing trend of attackers targeting smaller, less-publicized breaches for credential stuffing campaigns, mirroring the observed activity with the Crush007 data.

One Telegram post claimed the files were "useful for password spraying attacks against smaller companies." This suggests that attackers are actively using the leaked credentials to target organizations with weaker security postures. The reuse of credentials remains a significant vulnerability, and the resurgence of this older breach serves as a stark reminder of the importance of proactive password management and monitoring for compromised credentials.

First · Name · Last · Email · Address · Passwords