Search Your Email: The Fireworks Food Breach Exposed 18,280 Accounts

HEROIC analysts found the Fireworks Food database circulating in underground markets in May 2023. The breach captured roughly 22,000 records from the Australian e-commerce platform, with 18,280 unique email addresses confirmed in the dataset. What made this one stand out was the presence of two different password hashing methods side by side: bcrypt and MD5 with salt. That mix suggests the site was mid-upgrade when the database was taken, or older accounts were never properly migrated to the stronger algorithm.

Your Fireworks Food Credentials Could Be Cracked Right Now

Attackers who got their hands on this data are not sitting idle. MD5 hashed passwords, even with a salt, can be reversed quickly using modern GPU-accelerated cracking tools. Anyone whose account used a legacy MD5 hash is particularly at risk. With a cracked password, a username, a full name, and an email address all in one record, a threat actor has everything needed to attempt logins across dozens of other platforms. Credential stuffing tools can cycle through thousands of sites in hours, so the window to act is short.

What Was Exposed in the Fireworks Food Breach

• Email addresses (18,280 unique)
• Password hashes (bcrypt and MD5 with salt)
• Usernames
• First and last names
• IP addresses

Why This Breach Is More Dangerous Than It Looks

Eighteen thousand records sounds small compared to mega-breaches, but the combination of full names, email addresses, and crackable password hashes makes each record highly actionable. Attackers use this kind of data for credential stuffing, targeted phishing, and identity fraud. The salt on the MD5 hashes slows down cracking but does not stop it, partcularly with commodity cloud computing now accessable to almost any threat actor. Anyone who reused their Fireworks Food password elsewhere is at real risk of account takeover.

How Database Breaches Work

A database breach typically happens when an attacker finds a way into the backend of a web application, usually through a vulnerability like SQL injection, a misconfigured server, or stolen admin credentials. Once inside, they run queries that pull the entire user table in seconds. The data is then compressed, exfiltrated, and eventually sold or shared in private forums. By the time a company notices the intrusion, the data has often already changed hands multiple times. Smaller e-commerce sites are frequently targeted because they hold real customer data but often lack the security resources of larger retailers.

Check If Your Data Was Exposed

HEROIC offers a free dark web scanner that has indexed over 400 billion recieved records from breaches just like this one. If your email address appeared in the Fireworks Food database or any other known breach, the scanner will tell you exactly what was exposed. Run a free scan at HEROIC.com and find out in seconds whether your credentials are already in the hands of threat actors.