PinPics Data Breach: 35,878 Disney Collector Passwords Exposed
In April 2019, PinPics, a United States-based community website serving Disney pin collectors, suffered a data breach that exposed the account information of 35,878 registered users. The breach involved both a database compromise and subsequent combolist distribution, with email addresses and plaintext passwords circulating in underground forums. PinPics provided a marketplace and community hub for Disney enthusiasts to catalog, trade, and track collectible pins -- making its users a tight-knit community with shared interests that attackers can exploit for targeted phishing campaigns.
Why This Is Dangerous
Plaintext passwords offer attackers immediate, ready-to-use credentials with no decryption required. When a database stores passwords without hashing or salting, every account in that database is fully compromised the moment the data is accessed. For PinPics users, this means that any attacker who obtained this dataset could log directly into accounts on the site and, more importantly, test those same credentials against email services, Disney-related platforms, social media, and financial accounts. People who are passionate about collecting often purchase items online regularly, making their reused passwords a gateway to shopping accounts and payment platforms. The community aspect also makes users vulnerable to spear phishing -- attackers who know someone is a Disney pin collector can craft convincing messages that reference their hobby.
What Was Exposed
- Email addresses for 35,878 PinPics user accounts
- Plaintext (unencrypted) passwords stored without hashing or salting
- Account data tied to Disney pin collection activity and community participation
- Credentials compiled into combolists and distributed across underground forums
Why This Matters
The PinPics breach illustrates how no community is too small or too niche to be targeted. Credentials from this breach have been circulating in cybercriminal communities since 2019, packaged alongside data from other incidents into large combolists used in automated credential stuffing campaigns. Security researchers noted that PinPics did not respond to breach notification attempts, meaning many users never received a warning that their accounts were compromised. Years later, these credentials remain valid tools for attackers if affected users have not changed their passwords. The passionate, trusting nature of collector communities makes them particularly susceptible to social engineering attacks that leverage shared interests.
How Database and Combolist Breaches Work
A database breach typically occurs when attackers exploit a vulnerability in the target web application -- commonly an SQL injection flaw, an unpatched software component, or weak administrative credentials. Once inside, they export the user table containing email addresses and password fields. In PinPics' case, the passwords were stored in plaintext, meaning no further processing was needed before the data could be weaponized. The extracted records were then formatted into a combolist, a structured credential file used by automated tools to test logins across hundreds of websites simultaneously. Combolists from incidents like the PinPics breach get merged with data from dozens of other events, creating massive repositories that persist in criminal markets for years after the original compromise.
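To make the storage defect described above (and in "Why This Is Dangerous") concrete, here is an added Python illustration that is not code from PinPics or HEROIC: the weak plaintext pattern beside a salted, slow-hash form, plus a check of what a leaked copy of each table hands over. The sample accounts, the `pbkdf2_sha256$iterations$salt$digest` record layout and the iteration count are assumptions for the example, not details from the page.

```python
import hashlib
import hmac
import secrets

# Assumed hardening parameters for the example (PBKDF2-HMAC-SHA256, per-user salt).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(email: str, password: str) -> dict:
    """Weak form: the password is written to the user table exactly as typed.
    A dump of such rows is already a working credential set, no cracking needed."""
    return {"email": email, "password": password}


def store_hashed(email: str, password: str) -> dict:
    """Hardened form: keep only a random per-user salt and a slow hash of the password.
    A dump of this row yields salt and digest, not the password itself."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"
    return {"email": email, "password_hash": record}


def verify(row: dict, password: str) -> bool:
    """Check a login attempt against either row layout, using constant-time comparison."""
    if "password" in row:  # plaintext row
        return hmac.compare_digest(row["password"].encode(), password.encode())
    algo, iters, salt_hex, digest_hex = row["password_hash"].split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def directly_usable(rows: list) -> int:
    """Count rows of a leaked table that expose the password outright,
    i.e. what plaintext storage hands over with no further processing."""
    return sum(1 for r in rows if "password" in r)


if __name__ == "__main__":
    # Constructed sample accounts; not real PinPics data.
    users = [("alice@example.com", "mickey1928"), ("bob@example.com", "pin-trader!")]
    weak = [store_plaintext(e, p) for e, p in users]
    hardened = [store_hashed(e, p) for e, p in users]
    print("usable credentials in a plaintext dump:", directly_usable(weak))      # 2
    print("usable credentials in a hashed dump:   ", directly_usable(hardened))  # 0
    print("logins still verify against hashed rows:",
          all(verify(r, p) for r, (_, p) in zip(hardened, users)))               # True
```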
Check If You Are Affected
If you ever created an account on pinpics.com to catalog or trade Disney pins, your email address and password may be part of this breach. Take action now regardless of how long ago you registered:
- Search your email address in HEROIC's breach database to confirm whether your PinPics data was exposed
- Change the password you used for PinPics on every other site where you reused that same password
- Enable two-factor authentication on your email account and any Disney or shopping accounts you use
- Review your accounts for unauthorized purchases, profile changes, or login activity
- Use a password manager to maintain unique passwords for each account you hold
- Be alert to phishing messages that reference Disney pins, collectibles, or trading communities
HEROIC monitors breach data continuously to alert you when your credentials appear in newly discovered datasets. Proactive monitoring gives you the fastest possible response time when your data is compromised, reducing the window for attackers to exploit your accounts.