We've been tracking a resurgence of older breaches appearing in combolists, often targeting users who may have reused credentials across multiple platforms. We first noticed this trend when analyzing a series of credential stuffing attacks against a client's e-commerce platform. What really struck us wasn't the sophistication of the attacks, but the age of the compromised credentials being used. A significant portion originated from breaches dating back several years, including one involving a now-defunct Vietnamese personal blog or social-sharing site. The fact that these older credentials are still effective highlights the ongoing risk posed by plaintext password storage and password reuse.
In August 2018, Duab Hmoob Tojsiab, a now-defunct Vietnamese personal blog or social-sharing site, suffered a data breach that exposed the credentials of 90,513 users. The breach, which has resurfaced in recent combolists, included email addresses and, critically, plaintext passwords. The exposure of plaintext passwords is particularly concerning because it allows attackers to easily compromise accounts on other platforms where users may have reused the same credentials. The breach itself was a database compromise, and the data later ended up in combolists used for credential stuffing attacks.
The Duab Hmoob Tojsiab breach initially caught our attention because of the surprisingly high success rate of credential stuffing attacks using these credentials. The age of the breach and the fact that the site is no longer active might lead some to believe the risk is minimal. However, the reality is that password reuse is rampant, and many individuals likely still use the same credentials they did in 2018. This breach matters to enterprises now because it underscores the need for robust password security policies, including multi-factor authentication and regular password resets. It also highlights the importance of monitoring for compromised credentials associated with your organization's domain.
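One way to implement the domain monitoring mentioned above, as an added example that is not part of the original report: it scans an `email:password` combolist for addresses on the organization's domains and keeps only a keyed fingerprint of each leaked password, so a later login with that exact password can trigger a forced reset. The sample lines, the domain `example.com`, the key handling and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample in the usual "email:password" combolist layout.
SAMPLE_COMBOLIST = """\
alice@example.com:Summer2018!
bob@other.test:hunter2
ALICE@Example.com:Summer2018!
carol@example.com:pass:with:colons
not-an-email-line
dave@mail.example.com;qwerty
"""

def parse_line(line):
    """Return (email, password) or None for lines that do not parse."""
    line = line.strip()
    # Split on the first separator only: passwords may contain ':' or ';'.
    cut = min((i for i in (line.find(":"), line.find(";")) if i > 0), default=-1)
    if cut < 0:
        return None
    email, password = line[:cut].lower(), line[cut + 1:]
    if email.count("@") != 1 or email.endswith("@") or not password:
        return None
    return email, password

def fingerprint(password, key):
    """Keyed fingerprint so the watchlist never stores the leaked password."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()

def exposed_accounts(combolist_text, org_domains, key):
    """Map each org-owned email in the list to its leaked-password fingerprints."""
    hits = {}
    for line in combolist_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, password = parsed
        domain = email.rsplit("@", 1)[1]
        # Match the registered domain and any of its subdomains.
        if any(domain == d or domain.endswith("." + d) for d in org_domains):
            hits.setdefault(email, set()).add(fingerprint(password, key))
    return hits

def needs_reset(hits, email, submitted_password, key):
    """True when a login uses the exact password seen in the combolist."""
    return fingerprint(submitted_password, key) in hits.get(email.lower(), set())
```

The fingerprints protect the leaked passwords only while the HMAC key stays secret, so the key belongs in the same secret store as other authentication material.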
This incident is tied to broader threat themes, specifically the persistence of older breaches in combolists and the ongoing exploitation of plaintext password storage. Threat actors actively collect and trade these combolists, using them to automate attacks against various online services.
Key point: Total records exposed: 90,513
Key point: Types of data included: Email Address, Plaintext Password
Key point: Sensitive content types: None beyond credentials
Key point: Source structure: Database, Combolist
Key point: Leak location(s): Various combolists
Key point: Date leaked: 26-Aug-2018
While Duab Hmoob Tojsiab itself did not receive widespread media coverage, similar breaches involving plaintext passwords have been extensively reported. For example, KrebsOnSecurity has frequently highlighted the dangers of websites storing passwords in plaintext. The lack of encryption combined with password reuse makes these breaches particularly damaging. As Brian Krebs noted in one article, "The problem is that many people re-use passwords across multiple sites, so a breach at one site can lead to unauthorized access at many others."
Furthermore, discussions on underground forums and Telegram channels often mention the value of older combolists. One Telegram post claimed that "old lists are gold," referring to the higher success rate of credential stuffing attacks due to user complacency and password reuse over time.
We've observed a persistent trend of older breaches resurfacing in new contexts, often amplified by the aggregation of data across multiple sources. This particular case caught our attention because the leaked data, originating from a relatively obscure platform called Duab Hmoob Tojsiab, revealed a vulnerability that should have been addressed years ago. What struck us wasn't the size of the breach—approximately 146,464 records—but the continued use of weak hashing algorithms like MD5, demonstrating a failure to implement basic security measures and highlighting the long tail of technical debt that continues to haunt many organizations.
In August 2018, Duab Hmoob Tojsiab, a website presumably catering to the Hmong community, experienced a data breach that exposed 146,464 user records. While the breach itself isn't new, its continued presence in circulation serves as a stark reminder of the importance of robust password security practices. The data, which includes email addresses and MD5-hashed passwords, was discovered within a larger compilation of breached databases on a popular hacking forum.
The breach initially caught our attention due to the presence of easily crackable MD5 hashes. While more modern hashing algorithms have been readily available for years, the continued use of outdated methods puts user credentials at significant risk of compromise. This is particularly concerning as these credentials may be reused across multiple platforms, potentially leading to account takeovers and further downstream attacks. The persistence of this data, four years after the initial breach, highlights the need for continuous monitoring of leaked credentials and proactive password resets.
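For a site still holding MD5 password hashes like those described above, the following added example (not code from the breached site or from this report) shows one common remediation: wrap every stored MD5 digest in scrypt immediately, without knowing the passwords, then replace the wrapped record with a native scrypt hash at the user's next successful login. The record format, scrypt parameters and function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune to your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

# Constructed sample: an unsalted MD5 hex digest as a legacy table would store it.
SAMPLE_LEGACY_MD5 = hashlib.md5(b"correct horse").hexdigest()

def _record(scheme, material):
    salt = os.urandom(16)
    dk = hashlib.scrypt(material, salt=salt, **SCRYPT)
    return f"{scheme}${salt.hex()}${dk.hex()}"

def wrap_legacy_md5(md5_hex):
    """Upgrade a stored MD5 digest at rest; the bare MD5 value is then deleted."""
    return _record("md5-scrypt", md5_hex.lower().encode())

def hash_password(password):
    """Native record for new accounts and for users who have logged in again."""
    return _record("scrypt", password.encode("utf-8"))

def verify_and_upgrade(password, stored):
    """Return (ok, record_to_store). A wrapped record becomes native on success."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in ("md5-scrypt", "scrypt"):
        return False, stored  # bare MD5 or unknown format is never accepted
    scheme, salt_hex, dk_hex = parts
    if scheme == "md5-scrypt":
        # Recreate the legacy digest first, then apply the scrypt wrapper.
        material = hashlib.md5(password.encode("utf-8")).hexdigest().encode()
    else:
        material = password.encode("utf-8")
    dk = hashlib.scrypt(material, salt=bytes.fromhex(salt_hex), **SCRYPT)
    ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    if ok and scheme == "md5-scrypt":
        return True, hash_password(password)
    return ok, stored
```

Wrapping protects the database going forward; it does nothing for digests that already leaked, so affected accounts still need a forced reset.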
This incident underscores a broader threat theme: the long-term impact of poor security practices and the aggregation of breached data. Even breaches from smaller, less-known platforms can have significant consequences when combined with other leaks, creating a more complete picture of an individual's online identity and increasing the likelihood of successful attacks.
Key point: Total records exposed: 146,464
Key point: Types of data included: Email Address, Password Hash (MD5)
Key point: Source structure: Database
Key point: Leak location(s): Hacking forum (specific URL unavailable)
Key point: Date of first appearance: August 26, 2018
This breach has been previously reported by sites like HaveIBeenPwned, indicating that it is widely known within the security community. However, the continued circulation of this data and the weak hashing algorithm used warrant renewed attention, highlighting the need for organizations to prioritize password security and adopt modern password hashing standards.