Rock 107

We've been tracking an uptick in older breach datasets resurfacing in underground forums, often repackaged and sold as "new" leaks. What really struck us wasn't the volume—most of these breaches are relatively small—but the persistence. The data had been circulating quietly, but we noticed an increase in threat actors using these older credentials in credential stuffing attacks, particularly targeting smaller businesses that may not have robust security measures in place. This breach, involving the now-defunct gaming platform **Wplay ISRL**, is a prime example.

Rock 107 Breach: Resurfaced 35k User Credentials Fueling Credential Stuffing

In August 2018, the Israeli gaming platform **Wplay ISRL** suffered a data breach affecting over 35,000 unique records. The exposed data, consisting of email addresses and passwords hashed with **PHPass**, recently resurfaced on several dark web forums. While the breach itself is not new, its renewed availability makes it relevant to enterprises now. The breach caught our attention due to the increased chatter on Telegram channels dedicated to credential stuffing, with several actors specifically mentioning the **Wplay ISRL** dataset as a "good source" for targeting smaller online retailers and gaming sites.

This breach matters to enterprises because it underscores the long tail of risk associated with compromised credentials. Even years after a breach occurs, the exposed data can still be weaponized in automated attacks. The relatively weak **PHPass** hashing algorithm used to protect the passwords further exacerbates the risk, as it makes it easier for attackers to crack the passwords and gain access to user accounts on other platforms.

This activity connects to broader threat themes we're observing, including the increasing automation of credential stuffing attacks and the use of Telegram marketplaces for the distribution of compromised data. By leveraging readily available breach datasets like the **Wplay ISRL** leak, attackers can efficiently target a large number of potential victims with minimal effort.

Key point: Total records exposed: 35,477

Key point: Types of data included: Email Address, Password Hash

Key point: Sensitive content types: User Credentials

Key point: Source structure: Database

Key point: Leak location(s): Dark Web Forums, Telegram Channels

Key point: Date leaked: 26-Aug-2018

The reemergence of the **Wplay ISRL** breach aligns with a broader trend of older breaches being actively exploited. As noted in a recent BleepingComputer article, threat actors are increasingly targeting outdated systems and vulnerabilities, often finding them easier to compromise than more modern defenses. This highlights the importance of continuous monitoring for compromised credentials and proactive password resets, even for services that are no longer actively used.

Email · Address · Password · Hash