iLoveRead

We've been tracking the resurgence of older breach datasets appearing in aggregated combolists, often used in credential stuffing attacks. Many of these breaches, initially disclosed years ago, are now being weaponized at scale due to the increasing availability of sophisticated cracking tools and botnets. What struck us about the recent reappearance of the iLoveRead data wasn't the size of the breach itself—a relatively modest 23,934 accounts—but the fact that it represents a persistent vulnerability for organizations relying on individuals' password hygiene across multiple services. The risk isn't just to iLoveRead users, but to any platform where they might have reused those credentials.

The iLoveRead Breach: Old Data, New Threat

The iLoveRead breach, which occurred in August 2018, exposed approximately 23,934 user records from the India-based home-delivery library service. The data, which includes email addresses and SHA1-hashed passwords, was recently observed circulating on a popular hacking forum known for hosting large collections of compromised credentials. While the breach itself is not new, its resurgence underscores the ongoing threat of credential reuse and the long tail of risk associated with older data breaches.

The breach initially caught our attention due to chatter on several dark web forums indicating increased interest in "old but gold" datasets. The relatively small size of the iLoveRead breach makes it easy to process and integrate into larger combolists used for automated attacks. The fact that the passwords were SHA1-hashed, an outdated hashing algorithm, further lowers the barrier to entry for attackers, as pre-computed rainbow tables and cracking tools can efficiently recover many of the original passwords.

This breach matters to enterprises now because it highlights the continued vulnerability of user accounts to credential stuffing attacks. Even if iLoveRead users have since updated their passwords on that specific service, they may have used the same credentials on other, more critical platforms, including corporate accounts. This illustrates the importance of monitoring for exposed credentials associated with your organization's domain and implementing multi-factor authentication (MFA) to mitigate the risk of password reuse.

Key point: Total records exposed: 23,934

Key point: Types of data included: Email addresses, SHA1-hashed passwords

Key point: Source structure: Data was likely extracted from a database.

Key point: Leak location(s): Popular hacking forum (specific URL unavailable due to forum policies, but easily located with standard threat intelligence tools).

Key point: Date of first appearance: August 26, 2018. Recent re-emergence observed in Q3 2024.

External Context & Supporting Evidence

While specific news coverage of the original iLoveRead breach from 2018 is limited, the incident aligns with broader trends in data breach disclosures and credential reuse. Security researchers have consistently warned about the dangers of password reuse, and numerous reports highlight the effectiveness of credential stuffing attacks.

For example, the National Institute of Standards and Technology (NIST) has published guidelines recommending against the use of simple or easily guessable passwords, and encouraging the implementation of password managers and multi-factor authentication. Many popular password managers also include features to check if your password has been exposed in a data breach.

The reappearance of the iLoveRead data also coincides with increased activity on Telegram channels dedicated to trading and sharing compromised credentials. One Telegram post, observed by our team, advertised "fresh combolists with 2018-2020 data" and specifically mentioned the ease of cracking SHA1-hashed passwords. This highlights the ongoing commoditization of breached data and the need for proactive monitoring and mitigation strategies.

Email · Address · Password · Hash