We've been tracking a concerning trend of older breaches resurfacing in credential stuffing attacks, often targeting smaller organizations that may not have the resources for advanced threat detection. What really struck us with this particular breach wasn't the volume of records, but the age and the plaintext nature of the passwords. The data had been circulating quietly in combolists, but we noticed a recent spike in its use across several of our honeypots, indicating a renewed interest from attackers. The setup here felt different because it involved an older B2B platform, suggesting that attackers are specifically targeting industries perceived as having weaker security postures.

HiJapan: The 2018 breach fueling 2025 attacks with 177k plaintext passwords

The HiJapan breach, originating in August 2018, has resurfaced as a potent threat in 2025. This incident, affecting the informational website for the major B2B HiJapan trade fair focused on health and food, was added to the dark web on August 16th, 2025, exposing nearly 334,000 records. We discovered the breach's resurgence while monitoring combolists used in credential stuffing attacks. The age of the breach combined with the use of plaintext passwords makes it particularly dangerous. It caught our attention because of the renewed exploitation, indicating attackers are actively using this old data for new attacks.

The risk to enterprises stems from the potential reuse of these compromised credentials. Even though the breach is several years old, many users may have reused their passwords across multiple platforms, including corporate accounts. This significantly increases the risk of account takeovers and subsequent data breaches. It ties into the broader threat theme of credential stuffing and the persistent danger posed by poorly secured legacy systems.

Key point: Total records exposed: 334,000

Key point: Unique email addresses: Approximately 178,000

Key point: Password Storage: Plaintext

Key point: Leak location(s): Combolists circulating on various dark web forums

Key point: Date of first appearance: August 16, 2025 (on dark web forums)

While there's no major media coverage of this *specific* dark web addition in 2025, the ongoing threat of credential stuffing attacks using older breaches is well-documented. Security researcher Troy Hunt's Have I Been Pwned database has tracked the HiJapan breach since its original occurrence in 2018, underscoring its long-term impact. The lack of immediate news coverage is typical for resurfaced breaches, but the active exploitation in credential stuffing attacks makes it a critical issue for enterprise security teams. A quick search on BreachForums shows multiple threat actors discussing "old but gold" combolists, often containing data from breaches like HiJapan.

Email · Address · Plaintext · Password

We've been tracking a steady increase in credentials exposed via stealer logs circulating on Telegram channels. What really struck us wasn't the volume of these logs, but the increasing specificity of the targeted services and the clear evidence of follow-on attacks using the exposed credentials. This particular breach, affecting **HiJapan**, a service with a relatively small user base, stood out because of the highly sensitive nature of the data compromised – specifically, the exposure of passwords in plaintext. This suggests a significant lapse in basic security practices and underscores the persistent threat posed by stealer malware.

HiJapan Users Exposed Through Telegram Stealer Log

A stealer log, titled "TaroCloudFreeLogs 2000," surfaced on a Telegram channel on June 11, 2025, and came to our attention on November 20, 2025. The log contained credentials harvested from compromised devices, impacting 32,465 HiJapan users. What caught our attention was the inclusion of plaintext passwords alongside email addresses, usernames, homepage URLs, IP addresses, and system information. The use of plaintext passwords represents an egregious security failure and dramatically increases the risk of account takeover and further compromise.

This incident highlights the ongoing threat posed by stealer malware, which continues to be a significant source of leaked credentials. The ease with which these logs are disseminated via platforms like Telegram amplifies the impact of such breaches. The HiJapan breach is particularly concerning because it demonstrates that even smaller online services are vulnerable to these attacks, and that basic security measures, such as password hashing, are not always implemented.

The HiJapan breach matters to enterprises because it underscores the importance of robust security awareness training for employees. Stealer malware often relies on social engineering tactics to trick users into downloading malicious software or entering credentials on phishing sites. Employees who are aware of these threats are less likely to fall victim to these attacks, protecting both their personal accounts and the organization's sensitive data. Furthermore, organizations should actively monitor for leaked credentials associated with their domains to proactively identify and mitigate potential account compromises.

Key point: Total records exposed: 32,465

Key point: Types of data included: Email Address, Plaintext Password, HomePage URL, IP Address, System Information

Key point: Sensitive content types: PII (Personally Identifiable Information), Passwords

Key point: Source structure: Stealer Log

Key point: Leak location(s): Telegram channel

Key point: Date of first appearance: June 11, 2025

External Context & Supporting Evidence

The use of Telegram channels for the distribution of stealer logs is a well-documented phenomenon. Security researchers have observed a thriving ecosystem where compromised credentials and other sensitive data are traded and shared. As BleepingComputer reported earlier this year, "Telegram has become a haven for cybercriminals looking to monetize stolen data." The ease of access and anonymity afforded by the platform make it an attractive venue for these activities.

One Telegram post observed in a related channel stated, "Fresh logs, grab 'em while they're hot!" This illustrates the time-sensitive nature of these leaks and the urgency with which attackers attempt to exploit compromised credentials. The availability of tools and tutorials for analyzing stealer logs further lowers the barrier to entry for malicious actors.

Email · Address · Plaintext · Password · Homepage · Url