We've been tracking an uptick in older breaches resurfacing on various dark web forums, often bundled into larger "combolists" targeting specific demographics or interests. What really struck us about the recent reappearance of the Polizeiautos breach wasn't its size, but its focus on a niche community in the German-speaking world. The data had been circulating quietly since 2018, but its re-emergence suggests continued relevance for threat actors targeting this user base. The details, while limited, point to a need for vigilance, even with older incidents.
The Polizeiautos breach, dating back to February 2018, involved the compromise of 18,484 user accounts. The breach was discovered when the database appeared on several underground forums known for trading and selling compromised credentials. What caught our attention was the website's specific focus: it's a long-standing German-language archive dedicated to police vehicles. This niche focus suggests that the compromised credentials might be valuable for threat actors interested in intelligence gathering or targeting individuals with connections to law enforcement.
The exposed data included email addresses and bcrypt password hashes. While bcrypt is considered a robust hashing algorithm, the age of the breach means that some users may have reused those passwords across other, potentially more sensitive, accounts. The re-emergence of this data in combolists increases the risk of credential stuffing attacks against related online services.
Breach Stats:
Key point: Total records exposed: 18,484
Key point: Types of data included: Email Address, Password Hash
Key point: Sensitive content types: None directly, but potential links to individuals with law enforcement interests
Key point: Source structure: Database
Key point: Leak location(s): Dark web forums, combolists
Key point: Date of first appearance: 07-May-2018
The Have I Been Pwned? data breach directory has a record of this breach as well.
While there hasn't been widespread media coverage of this specific breach, the re-emergence of older data breaches in combolists is a known trend. Security researchers have observed an increase in threat actors compiling and selling large collections of compromised credentials, often targeting specific industries or demographics. These combolists are then used in automated attacks, such as credential stuffing, to gain unauthorized access to user accounts.
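One way a defender can spot the credential stuffing described above in authentication logs, as an added example that is not part of the original report. The event tuples, IP addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, source_ip, account, success)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # 198.51.100.7: one attempt each against 12 accounts (combolist replay).
    for i in range(12):
        events.append((t0 + timedelta(seconds=5 * i), "198.51.100.7", f"user{i}@example.org", i == 7))
    # 203.0.113.9: 15 guesses against a single account (classic brute force).
    for i in range(15):
        events.append((t0 + timedelta(seconds=3 * i), "203.0.113.9", "admin@example.org", False))
    # 192.0.2.20: a user who mistypes a password twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=20 * i), "192.0.2.20", "alice@example.org", ok))
    return events

def classify_sources(events, window=timedelta(minutes=10), min_accounts=10,
                     max_per_account=2.0, min_failure_rate=0.8):
    """Label each source IP by its login pattern; thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ts, ip, account, success in sorted(events):
        by_ip[ip].append((ts, account, success))
    verdicts = {}
    for ip, rows in by_ip.items():
        verdict, start = "normal", 0
        for end in range(len(rows)):
            # Slide the window start forward so rows[start..end] spans <= window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {a for _, a, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if failures / len(span) < min_failure_rate:
                continue
            if len(accounts) >= min_accounts and len(span) / len(accounts) <= max_per_account:
                verdict = "credential_stuffing"  # many accounts, ~1 try each
                break
            if len(accounts) == 1 and len(span) >= min_accounts:
                verdict = "brute_force"  # one account, many tries
        verdicts[ip] = verdict
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a source flagged as stuffing."""
    return sorted({a for _, ip, a, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})
```

Grouping by source IP is a simplification: stuffing runs spread across many proxies need the same many-accounts, few-attempts-each test applied over a wider key such as ASN or client fingerprint.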
The focus on a German-language website suggests that the threat actors may be targeting individuals or organizations in Germany. This could be part of a larger campaign to gather intelligence or conduct espionage. It's worth noting that German law enforcement agencies have been increasingly targeted by cyberattacks in recent years.
We've been tracking the re-emergence of older breach datasets on various dark web marketplaces, often repackaged and sold to new audiences. What really caught our eye wasn't the age of this particular dataset, but its size and the specific combination of Personally Identifiable Information (PII) it contained. While many older breaches contain email addresses and passwords, the Zoomcar breach also included phone numbers and IP addresses, creating a richer profile for potential malicious actors. The fact that it was sold on a dark web marketplace in 2020, two years after the initial leak, highlights the longevity and persistent value of compromised data.
The Zoomcar data breach, initially occurring in July 2018, has resurfaced with the sale of the compromised data on a dark web marketplace in 2020. The breach exposed a substantial amount of user data, making it a significant event even years later. The combination of identifiable data points creates an elevated risk for identity theft and targeted phishing campaigns. The use of bcrypt hashing for passwords offers some protection, but the re-emergence of this data underscores the need for users to update their passwords and monitor their accounts for suspicious activity.
The breach came to light following its appearance on a dark web marketplace in 2020, two years after the initial incident. The sheer volume of records – over 3.5 million – and the inclusion of phone numbers and IP addresses alongside email addresses and password hashes, distinguished it from more common breaches containing only basic login credentials. This comprehensive dataset allows for more sophisticated social engineering attacks and potentially even SIM swapping attempts.
This breach matters to enterprises now because it serves as a stark reminder of the long-term risks associated with data breaches. Compromised data can continue to circulate and be exploited years after the initial incident. Furthermore, the Zoomcar breach highlights the potential for data aggregation and enrichment, where attackers combine data from multiple sources to create more complete profiles of individuals. This incident aligns with broader threat themes related to the persistence of compromised data on dark web marketplaces and the ongoing risk of identity theft and fraud.
Key point: Total records exposed: 3,588,582
Key point: Types of data included: Email Address, IP Address, Phone Number, First Name, Last Name, Password Hash
Key point: Sensitive content types: PII
Key point: Source structure: Database
Key point: Leak location(s): Dark web marketplace (2020)
While specific details regarding the marketplace are scarce, similar datasets are commonly found on platforms like Breach Forums and various Telegram channels dedicated to the trade of stolen data. News outlets did not widely cover the 2018 breach at the time, likely due to the limited scope of reporting on data breaches originating from smaller companies outside of the US and Europe. However, the subsequent sale of the data on the dark web would have increased its visibility within threat intelligence communities.