We've been tracking a steady increase in breaches targeting B2B platforms, often overlooked in favor of more consumer-facing targets. What really struck us about the **HiChem** breach wasn't just the volume of records, but the vintage and simplicity of the hashing algorithm used – **MD5**. This suggests a level of security maturity that's significantly behind the curve, even for a breach that occurred back in **2018**. The data had been quietly circulating in combolists, but we noticed a recent uptick in mentions on several dark web forums, prompting a closer look.
The **HiChem** breach, originating in **August 2018**, exposed a significant amount of data from this Chinese B2B chemical-information platform. The breach initially flew under the radar, but recent activity on dark web forums indicates that the data is being actively traded and used in credential stuffing attacks. The fact that the exposed passwords were hashed using **MD5**, a deprecated algorithm, highlights the outdated security practices in place at the time of the breach.
Our attention was drawn to this breach due to a spike in mentions across several Telegram channels known for distributing combolists. While the breach itself is not new, the renewed interest suggests the data is still considered valuable for attackers. This could be due to password reuse by individuals who used the **HiChem** platform, or simply a re-emergence of older data in newly compiled lists.
This breach matters to enterprises now because it underscores the long-term risks associated with poor security practices and the enduring value of seemingly "old" data to attackers. Even breaches from several years ago can continue to pose a threat if the exposed credentials are still valid elsewhere. It also highlights the continuing threat of combolists as a source of compromised credentials, and the automation of attacks that rely on them.
Key point: Total records exposed: **486,447**
Key point: Types of data included: **Email Addresses**, **Password Hashes (MD5)**
Key point: Sensitive content types: Potentially PII depending on email content
Key point: Source structure: Likely a database dump or export
Key point: Leak location(s): Telegram channels, Breach Forums, Combolists
Key point: Date of first appearance: **August 2018**
While there's no major news coverage of the original **HiChem** breach we could locate, the use of MD5 hashing aligns with practices common in older breaches. Security researcher Troy Hunt has written extensively about the dangers of MD5 and other weak hashing algorithms. The ongoing presence of this data in combolists further reinforces the findings of numerous threat reports documenting the persistence of older breaches in fueling credential stuffing attacks.
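The MD5 weakness discussed above has a standard defensive remedy: find the accounts still stored as bare MD5 digests and re-hash each one with a salted, slow KDF the next time its owner logs in successfully. The sketch below is an added example, not code from HiChem or from the original report; the function names, the `pbkdf2_sha256$...` storage format and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # bare, unsalted MD5 hex digest
ITERATIONS = 600_000                      # PBKDF2-HMAC-SHA256 work factor (assumed policy)

def is_legacy_md5(stored: str) -> bool:
    return LEGACY_MD5.fullmatch(stored.lower()) is not None

def hash_password(password: str) -> str:
    """Salted PBKDF2 record: scheme$iterations$salt_hex$digest_hex (hypothetical format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    if is_legacy_md5(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored.lower())
    try:
        _scheme, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:                    # malformed record: fail closed
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(users: dict, email: str, password: str) -> bool:
    """Verify a login; upgrade a legacy MD5 record while the plaintext is in memory."""
    stored = users.get(email)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy_md5(stored):
        users[email] = hash_password(password)
    return True

def audit(users: dict) -> list:
    """Accounts whose stored value is still a bare MD5 digest."""
    return sorted(email for email, h in users.items() if is_legacy_md5(h))

def sample_users() -> dict:
    # Constructed sample store: one legacy MD5 record, one already migrated.
    return {
        "alice@example.com": hashlib.md5(b"Spring2018!").hexdigest(),
        "bob@example.com": hash_password("a-longer-passphrase"),
    }
```

Accounts that never log in again stay on MD5, so the `audit` list is what drives a forced reset once the migration window closes.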
We've been tracking a noticeable uptick in the aggregation and sale of stealer logs across various Telegram channels. The sheer volume is one thing, but what really caught our attention was the age and variety of the compromised credentials within these logs. Many date back years, suggesting widespread credential reuse and a long tail of potential exposure. This particular log, initially surfacing in mid-December 2025, stood out not just for its size, but for the inclusion of plaintext passwords linked to a somewhat obscure chemical company, HiChem. The combination of easily exploitable credentials and a potential target in a sector that handles sensitive materials raised immediate concerns.
The stealer log, titled @TXTLOG_ALIEN - 693.txt, initially surfaced on a Telegram channel around December 19, 2025. While these logs are common, the inclusion of data from HiChem, a company in the chemical sector, amplified the risk. The log contained approximately 51.1 million lines of data, which boiled down to 8,064,258 unique email addresses exposed alongside plaintext passwords and homepage URLs. The fact that passwords were in plaintext is an egregious security lapse, making account takeover trivial for anyone with access to the log.
Stealer logs are often compiled from malware infections on user devices, where the malware harvests credentials, cookies, and other sensitive data. The source structure in this case suggests a database breach, given the structured nature of the data points. This type of exposure is especially concerning because it provides attackers with direct access to user accounts and potentially sensitive company information. The compromised data was located on a public Telegram channel, making it easily accessible to a wide range of threat actors.
Key point: Total records exposed: 8,064,258
Key point: Types of data included: Email Address, HomePage URL, Plaintext Password
Key point: Sensitive content types: Credentials
Key point: Source structure: Database
Key point: Leak location: Telegram channel
Key point: Date of first appearance: December 19, 2025
The proliferation of stealer logs on platforms like Telegram is a well-documented trend. Security researchers have observed a growing market for these logs, with prices varying based on the size and quality of the data. These marketplaces are often used by initial access brokers (IABs) who specialize in gaining unauthorized access to corporate networks and then selling that access to other threat actors, such as ransomware groups.
BleepingComputer has reported extensively on the increasing sophistication of stealer malware and the expanding ecosystem of marketplaces where stolen data is traded. A recent article highlighted the use of Telegram bots to automate the process of searching and purchasing stealer logs, making it easier for even novice attackers to find and exploit compromised credentials. The risks posed by plaintext passwords have been repeatedly emphasized by security experts. As KrebsOnSecurity has pointed out, the use of plaintext passwords is "a security sin" that dramatically increases the risk of account takeover and further compromise.