We've observed a consistent pattern of older breaches resurfacing in credential stuffing attacks, often targeting organizations that haven't fully rotated credentials or implemented multi-factor authentication across their user base. What really struck us about this particular incident wasn't its size, but the fact that passwords were stored in plaintext. This suggests a significant lapse in basic security hygiene, and we noticed the data is now appearing in various combolists used in automated attacks. The reemergence of this data underscores the long tail of risk associated with past security failures.
A data breach impacting the Indian Institute of Astrophysics (IIA), dating back to August 2018, has resurfaced, exposing approximately 89,060 records. The breach initially stemmed from a now-defunct platform called EnrichLivingNow, but its impact extends to the IIA due to credential reuse. The compromised data includes 89,060 unique email addresses and, critically, plaintext passwords. The presence of plaintext passwords is a significant red flag, indicating a failure to implement even basic hashing algorithms to protect user credentials. This significantly increases the risk of successful credential stuffing attacks against IIA users and other services where they may have reused these passwords.
The compromised data was discovered circulating in several combolists on various hacking forums and Telegram channels during routine Darkwatch monitoring. What caught our attention was the age of the breach combined with the sensitive nature of the institution involved – a leading research institute in astrophysics. Older breaches are often overlooked, creating a false sense of security. This incident highlights the importance of continuous monitoring for exposed credentials, even from seemingly unrelated third-party breaches. The presence of plaintext passwords amplifies the risk, as attackers can directly use these credentials without needing to crack hashes.
The reemergence of this breach underscores the persistent threat posed by credential reuse and the long-lasting impact of poor security practices. Enterprises should consider this a reminder to enforce password rotation policies, implement multi-factor authentication, and educate users about the risks of reusing passwords across multiple platforms. The incident also highlights the value of monitoring for exposed credentials and taking proactive steps to mitigate the risk of credential stuffing attacks. This breach is a stark reminder that seemingly old and forgotten security failures can still pose a significant threat.
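One way to act on the monitoring advice above, as an added example that is not part of the original report: screen a recovered combolist for your own accounts and test, against the salted hashes you already hold, whether a leaked password is still live. The `email:password` / `email;password` line layout, the `example.org` domain, the PBKDF2 work factor and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

ORG_DOMAIN = "example.org"   # assumption: stands in for your organisation's mail domain
ITERATIONS = 600_000         # assumption: PBKDF2 work factor, tune for your hardware
# Assumed combolist layout: email, then ':' or ';', then the plaintext password.
COMBO_RE = re.compile(r"^([^\s:;@]+@[^\s:;@]+)[:;](.+)$")

def kdf(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: what the credential store holds instead of plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def triage(combo_lines, credential_store):
    """Map our accounts found in the list to 'reset' (leaked password still
    verifies) or 'exposed' (address listed, password changed since)."""
    findings = {}
    for line in combo_lines:
        m = COMBO_RE.match(line.strip())
        if not m:
            continue                      # malformed line, ignore
        email, leaked = m.group(1).lower(), m.group(2)
        if not email.endswith("@" + ORG_DOMAIN) or email not in credential_store:
            continue                      # not one of our users
        salt, stored = credential_store[email]
        live = hmac.compare_digest(kdf(leaked, salt), stored)
        if live or findings.get(email) != "reset":
            findings[email] = "reset" if live else "exposed"
    return findings

def make_store(users):
    """Build a constructed credential store: email -> (salt, hash)."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, kdf(password, salt))
    return store

# Constructed sample data, not taken from any real breach.
SAMPLE_USERS = {"alice@example.org": "Summer2018!", "bob@example.org": "k7#Vq9-rotated"}
SAMPLE_COMBOLIST = [
    "alice@example.org:Summer2018!",   # reused and never changed
    "BOB@example.org;oldpass:2017",    # changed since the leak
    "carol@other.example:hunter2",     # different domain
    "garbage line",
]
```

Accounts marked `reset` need an immediate forced password change; accounts marked `exposed` are still candidates for multi-factor enrolment, since the address itself is circulating.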
Key point: Total records exposed: 89,060
Key point: Types of data included: Email Address, Plaintext Password
Key point: Source structure: Likely a database export from EnrichLivingNow
Key point: Leak location(s): Various hacking forums and Telegram channels (observed in combolists)
Key point: Date leaked: August 26, 2018 (initial breach), resurfacing recently.
While the initial breach of EnrichLivingNow may not have garnered widespread media attention, the exposure of plaintext passwords and the subsequent reemergence of the data in combolists aligns with broader trends in credential stuffing attacks. Security researchers have consistently warned about the dangers of storing passwords in plaintext and the prevalence of credential reuse. Numerous reports detail the increasing sophistication and automation of credential stuffing attacks, which leverage leaked credentials from past breaches to gain unauthorized access to user accounts. For example, HaveIBeenPwned lists the EnrichLivingNow breach as containing plaintext passwords.
Discussions on hacking forums often highlight the value of older breaches for credential stuffing, as many users fail to update their passwords after a breach is disclosed. One Telegram post observed by our team stated, "Oldie but goodie, lots of these emails still work on popular sites." This sentiment underscores the continued relevance of historical breaches and the importance of proactive security measures to mitigate the risk of credential compromise.