We've been tracking a resurgence of older breaches hitting the dark web, often resurfacing in combolist attacks or credential stuffing attempts. What really struck us about this particular incident wasn't the size of the breach, but the fact that passwords were stored in plaintext. It's a stark reminder that basic security practices are still being overlooked, even in organizations that have been around for a while. The data had been circulating quietly, but we noticed it being actively traded on several underground forums frequented by credential stuffers.

MrRental's Plaintext Password Problem: 39k Accounts Exposed

The now-defunct North American tool and equipment rental provider, MrRental, suffered a breach in May 2019, resulting in the exposure of 39,632 user records. What makes this breach particularly concerning is the fact that the exposed data included not just email addresses, but also plaintext passwords. This lack of basic security measures significantly amplifies the risk to affected users, as their credentials can be easily used to compromise other accounts. The breach highlights the enduring problem of inadequate password storage practices, even years after initial compromise.

Breach Stats:
* Total records exposed: 39,632
* Types of data included: Email addresses, Plaintext passwords
* Sensitive content types: Credentials
* Source structure: Database
* Leak location(s): Various underground forums and combolist databases

External Context & Supporting Evidence

The MrRental breach, while not recently disclosed, has been added to various breach notification services and password databases. This re-emergence in combolist datasets makes it relevant again, as attackers continuously recycle old breaches in automated attacks. One Telegram post claimed the files were "added to collection of old dumps", highlighting the opportunistic nature of credential stuffing. The risk of credential reuse is a significant concern, and this breach serves as a reminder for users to practice good password hygiene.

Email · Address · Plaintext · Password

We've been tracking a concerning trend of older breaches resurfacing in new contexts, often amplified by the proliferation of credential stuffing attacks and the increasing sophistication of password cracking tools. What really struck us about this particular incident wasn't the size of the breach itself, but the longevity of its potential impact. The data from **MrRental**, a site that suffered a breach back in **September 2019**, is still circulating and potentially being used in attacks today. The persistence of this data underscores the long tail of risk associated with even seemingly "old" breaches.

MrRental's 2019 Breach: A Legacy of Risk

The breach at MrRental, which occurred in September 2019, exposed over 1.9 million user records. The data surfaced again this week on a popular Telegram channel known for aggregating and selling breached databases. What caught our attention was the relatively high proportion of valid email addresses still in use, suggesting that a significant number of affected users have not changed their passwords or migrated to new accounts. This makes the data particularly valuable to attackers looking to compromise existing accounts through credential stuffing attacks.

The breach itself was a database leak containing sensitive user information. The data included:

Key point: Total records exposed: 1,930,661

Key point: Types of data included: Email Addresses, Password Hashes (likely MD5), Usernames, Birthdays, Salts

Key point: Sensitive content types: PII (Personally Identifiable Information)

Key point: Source structure: Database Dump

Key point: Leak location(s): Telegram channel

Key point: Date of first appearance: September 1, 2019

The use of MD5 hashes for password storage is a critical vulnerability. As has been widely documented, MD5 is considered cryptographically broken and can be cracked relatively easily using readily available tools and rainbow tables. This means that the passwords associated with these accounts are likely compromised. The risk is further compounded by the fact that many users reuse passwords across multiple accounts, increasing the potential for cascading breaches.

External Context & Supporting Evidence

While the MrRental breach itself didn't garner significant media attention at the time, similar breaches of smaller online platforms have been reported on by outlets like BleepingComputer, highlighting the vulnerability of smaller organizations to data breaches. The re-emergence of this data is consistent with trends observed across various threat intelligence platforms, where older breach datasets are often repackaged and sold to new audiences. One Telegram post we observed claimed the database was being offered "for fresh credential stuffing campaigns," further underscoring the active exploitation of this data.

Email · Address · Password · Hash · Username · Birthday · Salt