iMuz

18 Aug 2025 N/A 18-Aug-2025 Database,Combolist
Records Affected: 64,444
Source Structure: Database, Combolist
Breach Location: Telegram
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Address, Password Hash
Password Types: SHA1, MD5

Description

We've seen a disturbing trend of older breaches resurfacing in aggregated credential stuffing lists, often impacting organizations that have long considered the incident "resolved." What really struck us about the recent discovery of the iMuz breach wasn't the size—a relatively modest 64,444 records—but the age of the data (2018) and the continued viability of these credentials across other platforms. The data had been circulating quietly in combolists, but we noticed a spike in chatter related to potential account takeovers using these specific credentials.

iMuz: The South Korean Ecommerce Platform's 2018 Breach Resurfaces

In August 2018, the South Korean ecommerce platform iMuz suffered a data breach. While the initial impact might have seemed limited at the time, the re-emergence of these credentials in modern combolists underscores the long tail of data breaches and the persistence of compromised information within the threat landscape. We discovered this resurgence while tracking combolist activity on several Telegram channels known for trading in bulk credential data.

What caught our attention was the unusually high success rate reported by actors attempting to use the iMuz credentials on other, unrelated platforms. This suggests either a high degree of password reuse among iMuz users or a lack of proactive password resets following the 2018 breach. This breach matters to enterprises now because it highlights the need for continuous monitoring of credential exposure, even for older incidents, and the importance of robust password policies to mitigate the risk of credential stuffing attacks. It also ties into the broader threat theme of automated credential attacks, where bots rapidly test leaked credentials across numerous online services.

  • Total records exposed: 64,444
  • Types of data included: Email Address, Password Hash
  • Sensitive content types: Potentially PII if the email addresses were associated with real names or other identifying information on the platform.
  • Source structure: Likely derived from a database dump, integrated into combolists.
  • Leak location(s): Primarily found within combolists circulating on Telegram channels and potentially Breach Forums.
  • Date of first appearance: 26-Aug-2018 (initial breach), with recent resurgence in combolists in late 2023 and early 2024.

While there hasn't been widespread reporting on this specific resurgence, the broader phenomenon of older breaches fueling modern attacks is well-documented. Security researcher Troy Hunt's Have I Been Pwned (HIBP) database contains numerous entries of similar breaches, demonstrating the scale of exposed credentials circulating online. Additionally, various threat intelligence reports highlight the effectiveness of credential stuffing attacks, often powered by aged but still viable data.

Leaked Data Types

Email Address · Password Hash

Breach Rank

Ranked by number of affected users

Impact Score

Impact Score: 2.58

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$466.3K

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.

tkar-khj.ir

29 Jul 2025 N/A 29-Jul-2025 Database
Records Affected: 48,819
Source Structure: Database
Breach Location: Telegram
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Address, Password Hash
Password Types: MD5

Description

We've observed a concerning trend of older breaches resurfacing in aggregated credential stuffing lists. While the individual impact of these breaches may seem limited due to their age, the cumulative effect poses a significant risk as users often reuse passwords across multiple platforms. Our team recently identified one such incident involving iMuz, a now-defunct Persian-based community website. What struck us wasn't the size of the breach, but the persistence of its data in circulation and the continued use of outdated hashing algorithms. The fact that these credentials are still viable years later underscores the ongoing need for robust password management and proactive threat hunting.

iMuz Breach: 48K Accounts Exposed via Weak Hashing

The iMuz breach, dating back to August 2018, involved the exposure of 48,819 user records. The data includes email addresses and MD5 password hashes. This breach came to our attention as we were analyzing a large collection of leaked credentials traded on a private Telegram channel known for aggregating older data dumps. The vulnerability lies in the use of MD5, a hashing algorithm now considered cryptographically broken and easily cracked using rainbow tables or brute-force methods. This allows attackers to potentially recover the original passwords and use them for credential stuffing attacks against other services.

This breach matters to enterprises because it highlights the enduring risk of password reuse and the importance of monitoring for compromised credentials associated with employee email addresses. Even if the original service is no longer active, the exposed credentials can be used to gain unauthorized access to other systems where users have employed the same email/password combination. This ties into the broader threat landscape of credential stuffing attacks, which are often automated and target a wide range of services.

Breach Stats

  • Total records exposed: 48,819
  • Types of data included: Email Address, Password Hash (MD5)
  • Sensitive content types: Email addresses are considered PII.
  • Source structure: Likely a database export, although the specific format is unknown.
  • Leak location(s): Found on a private Telegram channel known for aggregating older data dumps.
  • Date of first appearance: August 26, 2018 (original breach), re-surfaced recently.

External Context & Supporting Evidence

While the iMuz breach itself didn't receive widespread media coverage at the time, the broader issue of weak hashing algorithms has been extensively discussed within the security community. Security experts have long warned against the use of MD5 and other outdated hashing methods. Many resources are available online that demonstrate how easily MD5 hashes can be cracked. This incident serves as a reminder of the importance of implementing modern password hashing algorithms such as bcrypt or Argon2 to protect user credentials. The breach also underscores the value of utilizing threat intelligence feeds to identify and mitigate the risks associated with compromised credentials.
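For a service that still stores unsalted MD5 hashes like those described above, one migration path is sketched below as an added example (not code from this page or from the affected platform). It assumes scrypt from the Python standard library as a stand-in for the bcrypt/Argon2 recommendation; the record format and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: scrypt (standard library) stands in for bcrypt/Argon2.
N, R, P = 2**14, 8, 1  # illustrative cost parameters (about 16 MiB per hash)

def _kdf(secret: bytes, salt: bytes) -> str:
    return hashlib.scrypt(secret, salt=salt, n=N, r=R, p=P, dklen=32).hex()

def _md5_hex(password: str) -> bytes:
    # Needed only to re-derive the legacy value during verification.
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest().encode()

def wrap_legacy_md5(md5_hex: str) -> str:
    """Batch step: replace a stored unsalted MD5 digest with a salted scrypt wrap of it."""
    salt = os.urandom(16)
    return f"md5-scrypt${salt.hex()}${_kdf(md5_hex.lower().encode(), salt)}"

def hash_password(password: str) -> str:
    """Target format for new and upgraded records."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_kdf(password.encode(), salt)}"

def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement); replacement is set when the record should be rewritten."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False, None
    scheme, salt_hex, digest = parts
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5-scrypt":
        ok = hmac.compare_digest(_kdf(_md5_hex(password), salt), digest)
        # On a successful login the plaintext is available, so drop MD5 entirely.
        return ok, (hash_password(password) if ok else None)
    if scheme == "scrypt":
        return hmac.compare_digest(_kdf(password.encode(), salt), digest), None
    return False, None

# Constructed sample: one legacy row as it would sit in a pre-migration table.
LEGACY_MD5 = hashlib.md5(b"Tr0ub4dor&3-sample", usedforsecurity=False).hexdigest()

if __name__ == "__main__":
    wrapped = wrap_legacy_md5(LEGACY_MD5)
    ok, upgraded = verify_and_upgrade("Tr0ub4dor&3-sample", wrapped)
    print(ok, upgraded.split("$")[0])
```

Wrapping every row in one batch means no bare MD5 digest remains at rest, even for accounts that never log in again; the per-login upgrade then removes the MD5 layer account by account.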

Leaked Data Types

Email Address · Password Hash

Breach Rank

Ranked by number of affected users

Impact Score

Impact Score: 2.58

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$466.3K

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.
