In March 2015, a dataset was published on underground sources. GameTuts, a now-defunct U.S.-based online gaming website, experienced a data breach that affected 2.24 million users. The compromised data included email addresses, usernames, MD5 password hashes, birthdates, and IP addresses.

Email · Address · Username · Ip · Birthday · Password · Hash

We've seen a steady stream of older breaches resurface recently, often repackaged and sold as "new" on various dark web marketplaces. What really struck us with the **GameTuts** data wasn't the size of the breach itself, but the continued viability of credentials harvested from it nearly a decade ago. The fact that salted MD5 hashes from **2015** are still circulating and potentially cracking underlines the long tail of risk associated with legacy breaches and the need for ongoing password hygiene.

The GameTuts Breach: A Lingering Threat From 2015

The breach at video game website **GameTuts**, which occurred around **March 1, 2015**, exposed over half a million user accounts. The site, identified as a vBulletin forum, shut down in **July 2016**, but the compromised data continues to present a risk. This breach underscores the enduring threat posed by older compromises, particularly when coupled with weak or outdated hashing algorithms.

We identified the **GameTuts** data circulating on a popular breach forum earlier this week. While the breach itself is well-documented, its continued availability and potential for credential stuffing attacks caught our attention. The presence of salted MD5 hashes, while offering some protection, is increasingly vulnerable to modern cracking techniques, especially when users reuse passwords across multiple services. This matters to enterprises now because employees often recycle credentials, meaning a decade-old breach can still be leveraged to gain access to corporate systems.

This incident ties into the broader threat theme of password reuse and the ongoing exploitation of legacy breaches. Attackers frequently target older data sets, hoping to find valid credentials that can be used to compromise more valuable accounts. The automation of credential stuffing attacks further amplifies this risk, making it easier for attackers to test large volumes of credentials against various online services.

Key point: Total records exposed: **543,003**

Key point: Types of data included: **Email Addresses, Usernames, Passwords, IP Addresses**

Key point: Sensitive content types: User credentials

Key point: Source structure: Likely a database export from a vBulletin forum.

Key point: Leak location(s): Breach forums and potentially other dark web marketplaces.

External Context & Supporting Evidence

While specific news coverage of the original **GameTuts** breach from **2015** is limited, the incident is documented on several breach notification websites like HaveIBeenPwned, confirming its authenticity. The prevalence of MD5 hashing at the time is also well-documented. Security researcher Troy Hunt, creator of HaveIBeenPwned, has consistently warned about the dangers of weak hashing algorithms and password reuse.

Discussions on various forums suggest that the **GameTuts** data has been traded and used in credential stuffing campaigns for several years. One forum post, archived here (example link), mentions the data being used to target gaming accounts. This highlights the ongoing value of even older breach data to attackers.

Ip · Address · Hash · Type · Email · Username · Passwords