Breach Intelligence Report 25 Jul 2022

Malwarebytes

HEROIC
HEROIC Threat Intelligence Team
Data types: IP Address, Hash Type, Email, Username
Records Exposed: 94,867
Source Type: Database
Origin: Telegram
Password Type: IPB

We've observed a consistent pattern of older breaches resurfacing in new contexts, often amplified by the increasing sophistication of credential stuffing attacks. What really struck us about this particular incident wasn't the novelty of the breach itself – the Malwarebytes forum hack dates back to November 2014 – but the persistence of its impact nearly a decade later. The data had been circulating quietly in various forms, but we noticed a recent uptick in its presence within underground credential marketplaces, suggesting renewed exploitation efforts. This highlights the long tail of risk associated with even seemingly 'old' breaches.

Malwarebytes Forum Data: A Lingering Credential Risk

The Malwarebytes forum breach, originally occurring in November 2014, resulted in the exposure of 94,867 user records (slightly lower than the often-cited 111k figure, reflecting data cleaning or verification). This incident involved a compromise of the forum's IP.Board software, leading to the theft of sensitive user data. While the breach itself is not new, its continued availability and re-emergence in credential stuffing datasets pose an ongoing risk to individuals and organizations alike. The breach caught our attention due to its consistent presence in recently compiled lists targeting specific industries. The weak hashing algorithm used at the time makes these credentials easier to crack, exacerbating the risk.

The persistence of this breach matters to enterprises because compromised credentials from older incidents can be reused across multiple platforms, including corporate accounts. This can lead to unauthorized access, data breaches, and other security incidents. The Malwarebytes forum breach serves as a reminder of the importance of proactive credential monitoring and the need to address vulnerabilities associated with legacy systems and data.

  • Total records exposed: 94,867
  • Types of data included: Email Address, Username, IP Address, Password Hashes
  • Sensitive content types: Usernames and email addresses are considered PII; password hashes, if cracked, can lead to account compromise.
  • Source structure: Likely a SQL database export from the IP.Board forum software.
  • Leak location(s): Various dark web forums, credential stuffing lists, and potentially paste sites.
  • Date leaked: 26-Dec-2015 (initial widespread reporting)
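
As an added example (not code from HEROIC or Malwarebytes), here is one way a site still holding legacy forum hashes can retire them: wrap every stored hash in scrypt right away, then rehash from the real password at the next successful login. It assumes "IPB" refers to the legacy IP.Board scheme md5(md5(salt) . md5(password)); the record layout, scheme labels and scrypt settings are hypothetical.

```python
import hashlib
import hmac
import os

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # hypothetical cost settings


def legacy_ipb_hash(password: str, salt: str) -> str:
    """Assumed legacy IP.Board scheme: md5(md5(salt) + md5(password)), hex digests."""
    inner = (hashlib.md5(salt.encode()).hexdigest()
             + hashlib.md5(password.encode()).hexdigest())
    return hashlib.md5(inner.encode()).hexdigest()


def wrap_legacy(record: dict) -> dict:
    """Offline upgrade: scrypt over the stored legacy hash, no password needed."""
    kdf_salt = os.urandom(16)
    wrapped = hashlib.scrypt(record["hash"].encode(), salt=kdf_salt, **SCRYPT)
    return {"scheme": "scrypt(ipb)", "salt": record["salt"],
            "kdf_salt": kdf_salt, "hash": wrapped}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login; on success, replace the record with scrypt(password)."""
    if record["scheme"] == "ipb":
        candidate = legacy_ipb_hash(password, record["salt"])
    elif record["scheme"] == "scrypt(ipb)":
        legacy = legacy_ipb_hash(password, record["salt"])
        candidate = hashlib.scrypt(legacy.encode(), salt=record["kdf_salt"], **SCRYPT)
    else:  # already migrated: plain scrypt over the password
        candidate = hashlib.scrypt(password.encode(), salt=record["kdf_salt"], **SCRYPT)

    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and record["scheme"] != "scrypt":
        kdf_salt = os.urandom(16)
        new_hash = hashlib.scrypt(password.encode(), salt=kdf_salt, **SCRYPT)
        record.clear()  # drops the legacy salt and any MD5-derived material
        record.update(scheme="scrypt", kdf_salt=kdf_salt, hash=new_hash)
    return ok


if __name__ == "__main__":
    # Constructed sample record, not taken from any real dataset.
    rec = {"scheme": "ipb", "salt": "aB3$x",
           "hash": legacy_ipb_hash("correct horse", "aB3$x")}
    rec = wrap_legacy(rec)
    print(rec["scheme"], verify_and_upgrade(rec, "correct horse"), rec["scheme"])
```

Wrapping protects the database going forward; it does nothing for copies of the old hashes already in circulation, so affected accounts still need a password reset.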

External Context & Supporting Evidence

While detailed reporting on the original Malwarebytes forum breach is limited, similar breaches of IP.Board forums have been widely documented. The use of weak hashing algorithms in older forum software is a recurring theme, as highlighted in numerous security advisories and vulnerability reports. For example, many older breaches involving vBulletin and phpBB forums faced similar issues. The cracked credentials from these breaches often find their way onto platforms like Breach Forums and various Telegram channels specializing in leaked data.

Researchers have also noted the increasing sophistication of credential stuffing attacks, with automated tools and techniques making it easier for attackers to exploit leaked credentials on a large scale. This trend is further fueled by the availability of cracked credentials from older breaches, which are often sold or traded within underground communities. One Telegram post claimed the files were part of a larger "collection of gaming forum dumps," highlighting the interconnected nature of these breaches.

Breach Breakdown

Domain: N/A
Leaked Data: IP Address, Hash Type, Email Address, Username
Password Types: IPB
Date Leaked: 25 Jul 2022
Breach Rank: #2,272 by affected users
Impact Score: 4 (sensitivity + scale + recency)
Est. Financial Impact: $686.5K (fraud, phishing & misuse risk)