HIAPK.com

We've been tracking the increasing volume of credential stuffing attacks targeting mobile gaming and application platforms. What really struck us wasn't the scale of the HIAPK.com breach itself—7.8 million records is significant, but not unprecedented—it was the relative age of the data and its continued utility for attackers. This breach, dating back several years, underscores the persistent risk posed by legacy data and the long tail of impact from even older breaches. The continued availability of this data in various breach compilation lists makes it a readily accessible resource for threat actors.

The Android App Store Database Spill: 7.8M Accounts Exposed

HIAPK.com, an alternative Android app store, suffered a database breach that exposed 7,881,078 user records. The breach, which appears to have occurred some time ago, was recently brought to our attention through its reappearance in multiple popular breach aggregation services, including Telegram channels dedicated to credential stuffing. This re-emergence prompted a deeper investigation into the nature and potential impact of the exposed data.

The compromised data includes email addresses, password hashes, and salts. While the presence of salts provides a degree of protection against straightforward password cracking, the age of the data means that many users likely haven't updated their passwords since the breach occurred. Furthermore, the use of older or weaker hashing algorithms in the past may make the passwords easier to crack using modern techniques. The leak was structured as a database dump, making it easy for attackers to ingest and process the information.

The re-emergence of the HIAPK.com data underscores a growing trend: the weaponization of older breaches. Threat actors are increasingly leveraging historical data to conduct credential stuffing attacks against a wide range of online services. The assumption is that password reuse is rampant, and that even old credentials can provide access to current accounts.

Key point: Total records exposed: 7,881,078

Key point: Types of data included: Emails, Password Hashes, Salts

Key point: Sensitive content types: User account credentials

Key point: Source structure: Database dump

Key point: Leak location(s): Telegram channels, Breach Forums

External Context & Supporting Evidence

Similar breaches of Android app stores and gaming platforms have been reported previously. For example, in 2020, security researcher Alon Gal highlighted a massive database of mobile gaming accounts being sold on the dark web (source: *BleepingComputer*). This highlights the ongoing vulnerability of these platforms and the value that attackers place on user credentials within these ecosystems. Discussions in several hacking forums suggest that older breach datasets are actively traded and used for "spray and pray" credential stuffing campaigns, targeting everything from e-commerce sites to cryptocurrency exchanges.

Email · Passwordhash · Salt