Ipsos Training Center

We've been tracking a worrying trend of older breaches resurfacing in credential stuffing attacks. What really struck us wasn't the novelty of the data itself, but the aggressive way it's being weaponized years after the initial compromise. This particular breach, from the Ipsos Training Center, a French e-learning platform for Ipsos employees, caught our eye due to the sheer volume of accounts being actively tested against various online services. The data had been circulating quietly, but we noticed a significant uptick in its use within automated attack scripts targeting corporate VPNs and cloud infrastructure.

Ipsos Training Center Breach: 33k Employee Records Fueling Credential Stuffing

In August 2018, the Ipsos Training Center experienced a data breach that exposed 33,378 unique records. What made this breach notable was not just the number of exposed accounts, but the fact that it contained employee email addresses paired with SHA1 hashed passwords. The breach surfaced on several dark web forums known for trading in credential lists, and its reappearance now suggests it's being actively used in credential stuffing campaigns. This indicates the data is still considered valuable by attackers, likely due to password reuse across personal and professional accounts.

The breach was discovered through our routine monitoring of underground forums and Telegram channels where compromised data is bought, sold, and traded. We observed multiple posts referencing the Ipsos data alongside lists from other, more recent breaches, indicating it was being bundled into larger "combolists" for automated attacks. What caught our attention was the explicit mention of the Ipsos data being "good for corporate logins" in several of these posts. This suggests attackers are specifically targeting Ipsos employees and potentially related organizations to gain unauthorized access to internal systems.

This breach matters to enterprises now because it highlights the long tail of risk associated with older data breaches. Even though the breach occurred several years ago, the compromised credentials remain a threat if employees have reused those passwords on other platforms, especially corporate accounts. This incident underscores the importance of proactive password resets, multi-factor authentication, and continuous monitoring for suspicious login activity. The incident ties into the broader threat theme of credential harvesting and the automation of attacks, where stolen credentials are systematically tested against various online services to identify valid login combinations.

Key point: Total records exposed: 33,378

Key point: Types of data included: Email Address, Password Hash (SHA1)

Key point: Sensitive content types: Employee PII

Key point: Source structure: Database breach, likely a SQL export

Key point: Leak location(s): Multiple Telegram channels, Breach Forums

Key point: Date of first appearance: 26-Aug-2018 (initially), with a resurgence in activity in late 2023/early 2024

External Context & Supporting Evidence

While there was minimal initial media coverage of the Ipsos Training Center breach in 2018, its re-emergence in underground forums aligns with reporting on the increasing prevalence of credential stuffing attacks. BleepingComputer has frequently covered the impact of older breaches being used in modern attacks, highlighting the need for organizations to continuously monitor for compromised credentials. Additionally, numerous threat intelligence reports detail the use of Telegram channels as marketplaces for stolen data, further corroborating the observed leak locations.

OSINT sources indicate discussions on various hacking forums referencing tools and scripts specifically designed for credential stuffing attacks. These tools often incorporate older breach datasets like the Ipsos data, demonstrating the continued value of this information to attackers. One Telegram post claimed the files were "gold for finding VPN access," suggesting a direct link between the compromised credentials and attempts to gain unauthorized access to corporate networks.

Email · Address · Password · Hash