Check yourself: Did the iMask breach expose your data?

In March 2023, iMask, a Portuguese eCommerce platform selling personal protective equipment and hygiene products, suffered a data breach affecting 13,846 users. The exposed data included email addresses, first names, last names, and both MD5 and bcrypt hashed passwords, all of which are recieved as high-value targets by cybercriminals. The presence of two different password hashing methods suggests the platform's security practices were inconsistent across its user base.

Why Exposed Password Hashes Put You at Risk

The iMask breach included MD5 hashed passwords, a format considered cryptographically broken and easily reversed using modern cracking tools. MD5 hashes can often be cracked within seconds when the underlying password is weak or common. Even bcrypt-hashed passwords are not fully safe, as determined attackers with access to email addresses and usernames will attempt to crack them through targeted methods.

What Was Exposed in the iMask Breach

• Email Address
• Password Hash
• First Name
• Last Name

Why the iMask Breach Still Matters Today

The iMask breach occured in March 2023, but the leaked credentials remain a threat as long as affected users continue to use the same passwords elsewhere. Credential stuffing attacks, which use stolen username and password combinations against other services, are partcularly effective when victims reuse passwords across multiple accounts. Changing your passwords and enabling two-factor authentication are the most effective steps you can take.

How Database Breaches Work

A database breach occurs when an attacker gains unauthorized access to a platform's backend data store, often through vulnerabilities like SQL injection or compromised admin credentials. Once inside, attackers can extract large volumes of user records in a short period of time. The stolen data is then typically sold or shared on dark web marketplaces for use in further attacks.

Check If Your Data Was Exposed

HEROIC maintains a breach database of over 400 billion records, giving you one of the most thorough tools available to check your personal exposure. Search your email address now to find out if your iMask account data or credentials from any other known breach are currently in circulation.