We've been tracking a resurgence of older breach datasets appearing in combolists and credential stuffing attacks. What caught our attention was the consistent appearance of credentials tied to accounting software, a prime target for financially motivated threat actors. While the QuickBooks breach from August 2018 isn't new, its re-emergence highlights the long tail of risk associated with legacy breaches and the continued viability of credential reuse. The data, specifically email addresses and password hashes, is still relevant to attackers looking for access to financial accounts and related services.
The QuickBooks breach, which occurred in August 2018, involved the exposure of 45,205 user records. The data included email addresses and password hashes of an unknown format. This breach initially surfaced on underground forums popular for trading and selling compromised data. What makes this breach noteworthy now is its repeated inclusion in recent combolists, suggesting that these credentials are still being actively used in credential stuffing attacks targeting various online services.
Key point: Total records exposed: 45,205
Key point: Types of data included: Email Address, Password Hash
Key point: Source structure: Unknown
Key point: Leak location(s): Underground forums, Combolists
Key point: Date leaked: August 21, 2018
While initial reporting on the QuickBooks breach was limited due to the company's relatively small size and eventual shutdown, similar breaches targeting accounting software have been widely covered. For example, breaches impacting companies like Xero and other financial platforms have been reported on by KrebsOnSecurity and BleepingComputer, highlighting the persistent threat to financial data. These reports often emphasize the importance of unique passwords and multi-factor authentication to mitigate the risk of credential stuffing attacks.
On various hacking forums and Telegram channels dedicated to credential stuffing, mentions of QuickBooks credentials have been observed. One post noted the usefulness of these credentials for targeting small business owners who often reuse passwords across multiple platforms. This underscores the broader risk of password reuse and the potential for attackers to leverage older breaches to gain access to sensitive financial information.
We've observed a concerning trend of older breaches resurfacing in new combolists, often targeting users who may have become complacent about legacy account security. This incident came to our attention while tracking activity on a well-known hacking forum where older datasets are frequently traded and combined. What really struck us wasn't the size of the breach itself, but the fact that it involved plaintext passwords from QuickBooks, a popular financial software used by many businesses. This combination of sensitive application data and easily deciphered credentials poses an elevated risk to organizations.
A data breach impacting 23,880 QuickBooks users has resurfaced, highlighting the long-tail risk associated with older security incidents. The breach, which originally occurred in August 2018 at the French ecommerce platform Esistoire, exposed email addresses and, more critically, passwords stored in plaintext. This data has now been circulating on hacking forums, increasing the likelihood of credential stuffing attacks against QuickBooks accounts and potentially other services where users may have reused the same passwords.
The breach was initially identified in August 2018 when the Esistoire database was compromised. The exposed data was subsequently shared on a popular hacking forum, where it has been periodically re-shared and incorporated into larger combolists. What caught our attention was the presence of QuickBooks user credentials within this dataset. Given the sensitive nature of financial data managed through QuickBooks, the exposure of plaintext passwords represents a significant security risk for affected businesses.
This incident matters to enterprises now because it underscores the importance of proactive password management and monitoring for leaked credentials, even from seemingly unrelated or older breaches. Storing passwords in plaintext is an outdated and highly insecure practice, and its presence in a breach from 2018 highlights the need for organizations to adopt modern authentication methods, such as multi-factor authentication (MFA) and password hashing algorithms. The event also shows how attacks are automated: older breach data is combined with credential stuffing tools to compromise critical business accounts.
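The leaked-credential monitoring recommended above can be run against your own user store without ever holding plaintext, shown here as an added example that is not part of the original report. The `email:password` line format, the scrypt parameters and every account below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune for your hardware)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password, salt=b""):
    """Return (salt, digest) from a salted, memory-hard KDF instead of plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)

def parse_combolist(text):
    """Parse 'email:password' lines; split on the first colon, skip malformed lines."""
    pairs = []
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            pairs.append((email.lower(), password))
    return pairs

def accounts_needing_reset(user_store, leaked_pairs):
    """Emails in our store whose *current* password matches a leaked pair."""
    flagged = set()
    for email, password in leaked_pairs:
        record = user_store.get(email)
        if record and verify_password(password, *record):
            flagged.add(email)
    return sorted(flagged)

# Constructed sample data: a tiny user store and leaked pairs (not real credentials).
USER_STORE = {
    "owner@example.com": hash_password("Summer2018!"),
    "books@example.org": hash_password("rotated-since-breach-7F"),
}
LEAKED = """Owner@Example.com:Summer2018!
books@example.org:invoice123
not-a-valid-line
stranger@example.net:pass:with:colons"""

if __name__ == "__main__":
    print(accounts_needing_reset(USER_STORE, parse_combolist(LEAKED)))
```

Only accounts whose stored hash still verifies against a leaked password are flagged, so users who already rotated their password are not forced through an unnecessary reset.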
Key point: Total records exposed: 23,880
Key point: Types of data included: Email Address, Plaintext Password
Key point: Sensitive content types: Potentially financial data accessible through compromised QuickBooks accounts
Key point: Source structure: Database, Combolist
Key point: Leak location(s): Popular hacking forum
Key point: Date of first appearance: August 2018 (Esistoire breach), resurfaced recently
Security researcher Troy Hunt added the Esistoire breach to Have I Been Pwned? in 2018, noting the severity of plaintext password storage. As Hunt stated, "Storing passwords in plaintext is inexcusable, and it’s a practice that should have been eliminated years ago." The re-emergence of this data underscores the need for constant vigilance and proactive security measures, even years after an initial breach.