We've been tracking a concerning trend of older breaches resurfacing in credential stuffing attacks, likely due to the long lifespan of exposed plaintext passwords. This particular incident caught our eye not for its size, but for the fact that it involved an Italian employment platform specializing in the tourism sector – a sector already heavily targeted by phishing campaigns. The data, dating back to March 2018, had been circulating quietly within underground forums, but we noticed a recent spike in mentions suggesting renewed interest from threat actors. What really struck us wasn't the volume—it was the continued presence of plaintext passwords, a security practice that should have been abandoned long ago.

Job in Tourism Breach: 68K+ Records With Plaintext Passwords Exposed

The Job in Tourism breach, impacting 68,953 unique email addresses, highlights the ongoing risk associated with poor data security practices. While the breach itself occurred in March 2018, its impact is amplified by the inclusion of plaintext passwords. This means attackers can directly reuse these credentials across other platforms, increasing the likelihood of successful account takeovers. The presence of plaintext passwords is an egregious security lapse that significantly increases the risk to affected users.

The breach was discovered through monitoring of various dark web forums and Telegram channels known for trading compromised credentials. The data initially surfaced shortly after the breach in 2018, but has recently seen a resurgence in activity, with threat actors actively sharing and discussing the data. This re-emergence suggests that the data is still considered valuable for credential stuffing attacks.

Key point: Total records exposed: 68,953

Key point: Types of data included: Email Address, Plaintext Password

Key point: Source structure: Database, Combolist

Key point: Leak location(s): Dark web forums, Telegram channels

Key point: Date leaked: 07-Mar-2018

The re-emergence of this breach underscores the importance of proactive credential monitoring and robust password security practices. The tourism sector, in particular, is a prime target for cyberattacks due to the high volume of financial transactions and sensitive customer data it handles. The use of compromised credentials from this breach could lead to unauthorized access to customer accounts, financial fraud, and other malicious activities.

External Context & Supporting Evidence

While the breach itself is not recent, the continued relevance of plaintext passwords in credential stuffing attacks is a well-documented trend. Numerous reports from cybersecurity firms highlight the persistence of older breaches being used to compromise accounts on other platforms. For example, Have I Been Pwned? lists the breach and its contents, further demonstrating the breach's impact and scope.

Email · Address · Plaintext · Password

We've observed a consistent pattern of older breaches resurfacing in aggregated data dumps, often targeting specific sectors. Our team came across one such instance while monitoring a dark web forum known for hosting large-scale credential dumps. What struck us wasn't the age of the breach itself – dating back to July 2018 – but the sheer volume of records pertaining to a single, niche job board: Job in Tourism. This suggests a focused effort to collect and repackage data from disparate sources, potentially for targeted phishing or identity theft campaigns within the hospitality industry.

Job in Tourism Breach: 16.4M Records Resurface

A database breach impacting Job in Tourism, a website focused on employment opportunities within the tourism sector, has re-emerged in circulation. The breach, which initially occurred on July 1, 2018, exposed a substantial amount of personal information belonging to job seekers. The re-emergence of this data highlights the long tail of data breaches and the persistent risk they pose to individuals. We discovered the breach data listed for sale on a popular dark web forum, advertised as a complete database dump from the Job in Tourism website. Its large size and the specific targeting of a professional sector made it noteworthy.

The fact that a breach from 2018 is still actively traded and potentially exploited underscores the importance of continuous monitoring and threat intelligence. It also highlights the vulnerability of specialized job boards, which may not have the same level of security investment as larger platforms. This breach matters to enterprises now because the exposed data can be used for targeted phishing attacks against individuals working in the tourism industry, potentially compromising company systems and data. It also feeds into the broader trend of attackers leveraging older breaches for credential stuffing and account takeover attempts.

Key point: Total records exposed: 16,458,360

Key point: Types of data included: Email addresses, IP addresses, first names, last names, genders

Key point: Sensitive content types: Personally identifiable information (PII)

Key point: Source structure: Database dump

Key point: Leak location(s): Dark web forums

Key point: Date of first appearance: July 1, 2018 (original breach); recently resurfaced on dark web forums in 2024

External Context & Supporting Evidence

While the Job in Tourism breach itself didn't receive widespread coverage in mainstream media at the time, similar breaches targeting job boards have been reported. For example, in 2019, ZDNet reported on a data breach affecting CareerBuilder, exposing the personal information of millions of job seekers. These incidents underscore the systemic vulnerabilities within the online recruitment landscape.

On a related note, security researchers have observed an increase in the use of automated tools to scrape and aggregate data from various online sources, including job boards and social media platforms. This trend is documented in numerous threat reports and security blogs. One Telegram post claimed the files were "collected from outdated databases using open-source scraping tools." This suggests that attackers are actively seeking out and exploiting older vulnerabilities to build comprehensive profiles of potential targets.

Email · Address · Ip · First · Name · Last · Gender