inMatri

We've been tracking a noticeable uptick in breaches stemming from legacy systems and abandoned online properties. These incidents often fly under the radar due to their age, but still pose a risk if the data remains accessible. We first noticed this pattern when a seemingly minor breach from an inactive domain surfaced on a popular hacking forum. What really struck us wasn't the size of the breach, but the reminder that forgotten digital assets can still harbor sensitive data and create unexpected exposure.

The Dormant Basketball Club Website That Exposed 61K Accounts

A breach impacting the defunct website inMatri, associated with the former Spanish basketball club Vive Menorca, has recently come to light. The data, dating back to the club's active period around 2006-2010, exposed the records of 61,585 users. The compromised data includes email addresses and MD5 password hashes. This incident highlights the risks associated with neglecting the proper decommissioning of online assets.

The breach was reportedly discovered on August 26, 2018, though it only recently gained wider attention after being circulated on a hacking forum. The age of the data and the inactive status of the inMatri domain are precisely what made this breach noteworthy. Organizations often overlook these types of dormant assets during security audits, creating a blind spot that attackers can exploit. The use of weak MD5 hashing further compounds the risk, as these passwords can be cracked relatively easily with modern tools.

This incident matters to enterprises now because it underscores the importance of comprehensive asset management and data retention policies. Even if a website or application is no longer in use, the data it once held can still be a target for attackers. The breach also ties into the broader threat theme of credential stuffing, as exposed email addresses and passwords can be used to attempt to gain access to other online accounts. Furthermore, the lack of proper security practices on older systems can serve as a gateway to an organization's current infrastructure.

Key point: Total records exposed: 61,585

Key point: Types of data included: Email Address, Password Hash

Key point: Sensitive content types: Potentially PII depending on the data provided during registration

Key point: Source structure: Database

Key point: Leak location(s): Hacking forum

Key point: Dates of first appearance: August 26, 2018

External Context & Supporting Evidence

The breach was added to the Have I Been Pwned database shortly after discovery, indicating its recognition as a valid and significant data exposure. This also allows users to check if their email address was among those compromised. Several security blogs have also highlighted the breach as an example of the dangers of neglecting legacy systems. The incident is a reminder that even seemingly insignificant data can have serious consequences if not properly protected. The lack of press coverage likely stems from the age of the breach and the relatively small number of affected users, but the underlying principle remains relevant to all organizations.

Email · Address · Password · Hash