We've observed a concerning trend of older breaches resurfacing in new contexts, often amplified by their inclusion in larger combolists and credential stuffing attacks. The HMP breach, originally dating back to August 2018, recently caught our attention not because of its size—approximately 49,000 unique email addresses—but due to the sensitive nature of the site and the passwords being stored in plain text. The fact that such a large number of credentials from an adult video site were circulating in plain text indicates a significant failure in basic security practices and a potential goldmine for malicious actors.

HMP's 2018 Plaintext Password Problem: 49k Exposed

The HMP breach, impacting approximately 48,686 accounts, involved the exposure of email addresses and, critically, plaintext passwords. The data was reportedly leaked on August 26, 2018. What made this breach particularly alarming was the complete lack of password hashing, a basic security measure that has been standard practice for many years. The simplicity of the exposed data—email addresses paired directly with their corresponding passwords—makes it highly valuable for credential stuffing attacks across other platforms.

Our team discovered the re-emergence of this data while monitoring activity on several dark web forums known for trading in leaked credentials. While the breach itself is not new, its continued presence in combolists and its potential use in automated attacks against other services makes it relevant to enterprises today. The breach highlights the ongoing risk posed by older vulnerabilities and the importance of monitoring for compromised credentials associated with corporate email domains.

Key point: Total records exposed: 48,686

Key point: Types of data included: Email addresses, plaintext passwords

Key point: Source structure: Likely a database dump or export

Key point: Leak location(s): Various dark web forums, combolists

Key point: Date of first appearance: August 26, 2018

External Context & Supporting Evidence

While direct news coverage of the initial HMP breach in 2018 is limited, the incident is listed on several breach aggregation sites like Have I Been Pwned?, confirming its validity. The discussion around plaintext password storage is extensive, with numerous security blogs and reports emphasizing the risks. For example, Troy Hunt, the creator of Have I Been Pwned?, has consistently highlighted the dangers of storing passwords in plaintext or using weak hashing algorithms. The OWASP (Open Web Application Security Project) also provides comprehensive guidance on password storage best practices, underscoring the importance of strong hashing algorithms like Argon2 or bcrypt.

The re-emergence of this data aligns with a broader trend of attackers leveraging older breaches for credential stuffing attacks. As security researcher Brian Krebs noted in a recent article on KrebsOnSecurity, "Credential stuffing attacks remain a persistent threat, as many people reuse the same passwords across multiple online services." This breach serves as a stark reminder of the long-term consequences of poor security practices and the need for organizations to proactively monitor for compromised credentials.

Email · Address · Plaintext · Password

We've been tracking an uptick in older breaches resurfacing in combolists, often with outdated hashing algorithms like MD5. These legacy leaks, while not new, still pose a risk because password reuse is rampant. We noticed a specific case involving HMP, a Czech business entity operating in real estate, directory publications, travel, and bookkeeping-related services. What really struck us wasn't the size of the breach, but the presence of MD5 password hashes, a clear indicator of outdated security practices that, even years later, could lead to account takeovers on other platforms. This highlights the long tail of risk associated with older breaches and the continued need for password hygiene.

HMP Breach: Resurfaced Credentials Fueling Account Takeovers

The HMP breach, which occurred in August 2018, exposed the credentials of 45,847 users. The data included email addresses and MD5 password hashes. While the breach itself is not recent, its reappearance in combolists amplifies the risk to individuals who may have reused their passwords across multiple services. The use of MD5, a weak hashing algorithm, makes password cracking relatively easy, even with modern hardware. This breach caught our attention due to the age of the data and the outdated security practices it reveals, which can still have significant consequences for affected users.

The breach matters to enterprises now because it underscores the persistent threat of credential stuffing and account takeover. Even if organizations have implemented robust security measures, their employees may be vulnerable if they reuse passwords exposed in older breaches. This incident highlights the need for ongoing password monitoring, employee education, and the enforcement of strong, unique passwords across all corporate accounts. The reappearance of this data also points to the effectiveness of threat actors' long-term data collection and aggregation strategies, where older breaches are combined with newer ones to maximize their impact.

Key point: Total records exposed: 45,847

Key point: Types of data included: Email Address, Password Hash

Key point: Sensitive content types: Credentials

Key point: Source structure: Not specified in provided summary

Key point: Leak location(s): Combolists

Key point: Date of first appearance: 26-Aug-2018

The HMP breach was reported in various security news outlets at the time of its occurrence. BleepingComputer, for example, covered the breach as part of a larger roundup of data breaches impacting various online services. These reports emphasized the importance of using strong, unique passwords and enabling two-factor authentication where available. The reemergence of this data in combolists serves as a reminder of the long-term consequences of data breaches and the need for continued vigilance.

Email · Address · Password · Hash