We've observed a consistent pattern of older breaches resurfacing in aggregated credential dumps and combolists, often impacting organizations that haven't addressed legacy security vulnerabilities. What struck us about this particular incident wasn't the scale, but the nature of the affected organization. It highlights the ongoing risk faced by media companies, especially those with a focus on family and children's content, which are often perceived as less critical infrastructure but still hold valuable user data. The RTV breach, while dating back to 2018, serves as a potent reminder of the long tail of security incidents and the need for continuous monitoring and remediation.
In August of 2018, the official online portal for RTV (Rajawali Televisi), an Indonesian national television network, experienced a data breach affecting 16,747 users. The breach, which exposed email addresses and password hashes, has recently resurfaced in combolists circulating on underground forums and Telegram channels. The age of the breach is noteworthy, underscoring the persistence of compromised credentials and the potential for attackers to leverage old data for new attacks.
The Darkwatch team identified this breach through monitoring of known credential stuffing sources. The re-emergence of this data caught our attention due to the potential for password reuse across different platforms. While the passwords were stored as MD5 hashes, the limited computational power required to crack MD5 makes this a significant risk for users who may have reused their RTV credentials on other, more sensitive accounts. This incident highlights the importance of proactive password hygiene and the need for organizations to monitor for leaked credentials associated with their domains.
This breach matters to enterprises now because it reinforces the concept of "credential aging." Even seemingly minor breaches, especially those from years past, can contribute to a larger pool of compromised credentials that attackers actively exploit. The broadcast and media industry, including children's programming, is an attractive target for attackers seeking access to user data for various purposes, including identity theft and targeted phishing campaigns. The re-emergence of this data underscores the need for continuous monitoring and proactive security measures, including password resets and multi-factor authentication.
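A sketch of the monitoring and reset step described above, as an added example that is not code from the Darkwatch team or RTV. It assumes the dump arrives as `email:md5hex` rows and that `corp.example` is the monitored domain; both are constructed for illustration, as are the function names.

```python
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def load_leaked(lines, monitored_domains):
    """Index email -> set of leaked MD5 digests, keeping only monitored domains."""
    leaked = {}
    for raw in lines:
        email, sep, digest = raw.strip().partition(":")
        email, digest = email.lower(), digest.lower()
        if not sep or "@" not in email or not MD5_HEX.match(digest):
            continue  # skip malformed rows instead of failing the whole import
        if email.rsplit("@", 1)[1] in monitored_domains:
            leaked.setdefault(email, set()).add(digest)
    return leaked

def login_action(leaked, email, password):
    """Policy decision taken after the primary password check has succeeded."""
    digests = leaked.get(email.lower())
    if not digests:
        return "allow"
    if hashlib.md5(password.encode()).hexdigest() in digests:
        return "force_reset"  # the leaked password is still in use here
    return "require_mfa"      # address is in the dump, password differs

# Constructed sample rows (assumed format); none of this is real breach data.
SAMPLE_DUMP = [
    "alice@corp.example:" + hashlib.md5(b"Summer2018!").hexdigest(),
    "BOB@corp.example:" + hashlib.md5(b"hunter2-constructed").hexdigest().upper(),
    "carol@other.example:" + hashlib.md5(b"unrelated").hexdigest(),
    "not a credential row",
    "dave@corp.example:zzzz",
]
LEAKED = load_leaked(SAMPLE_DUMP, {"corp.example"})
```

The check runs on the submitted password at login, so it works even when the organization's own store uses a salted, slow hash that cannot be compared with the leaked MD5 values directly.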
Key point: Total records exposed: 16,747
Key point: Types of data included: Email Address, Password Hash (MD5)
Key point: Sensitive content types: None explicitly, but email addresses can be used for targeted phishing.
Key point: Source structure: Likely a database export.
Key point: Leak location(s): Underground forums, Telegram channels.
Key point: Date of first appearance: August 26, 2018
While direct news coverage of the original 2018 RTV breach is scarce, the incident is documented on breach notification sites like HaveIBeenPwned.com. The presence of this data on such platforms confirms its authenticity and widespread availability. The re-circulation of older breaches is a common tactic observed in the cybercrime landscape. Attackers often compile and trade massive combolists containing billions of previously leaked credentials, increasing the likelihood of successful credential stuffing attacks. This trend has been widely reported by cybersecurity news outlets such as BleepingComputer and The Record, which regularly cover the emergence of large-scale credential dumps.
The use of MD5 hashing, while common in the past, is now considered a weak security measure due to its susceptibility to cracking. Security researchers and penetration testers routinely use tools like Hashcat and John the Ripper to crack MD5 hashes, highlighting the vulnerability of systems that still rely on this outdated hashing algorithm. This incident serves as a reminder for organizations to upgrade their password hashing algorithms to more secure methods such as bcrypt or Argon2.
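One way to carry out the hashing upgrade recommended above is to re-hash each password at the user's next successful login. This is an added example, not RTV's code: it assumes legacy records are plain MD5 hex digests, and it uses scrypt from the Python standard library as a stand-in for bcrypt or Argon2 so that it runs without third-party packages. The record format and cost parameters are assumptions.

```python
import hashlib
import hmac
import os

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters

def legacy_md5(password):
    """Legacy scheme: fast hash with no salt and no work factor."""
    return hashlib.md5(password.encode()).hexdigest()

def new_record(password):
    """Salted, memory-hard record in an assumed 'scrypt$salt$hash' layout."""
    salt = os.urandom(16)  # per-user random salt
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$%s$%s" % (salt.hex(), dk.hex())

def verify_and_upgrade(users, email, password):
    """Check a login; replace a legacy MD5 record once the password is proven."""
    stored = users.get(email)
    if stored is None:
        return False
    if stored.startswith("scrypt$"):
        _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.scrypt(password.encode(),
                            salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Legacy path: constant-time compare, then upgrade the record in place.
    if hmac.compare_digest(legacy_md5(password), stored):
        users[email] = new_record(password)
        return True
    return False

# Constructed sample store holding one legacy record.
USERS = {"viewer@example.com": legacy_md5("constructed-passphrase")}
```

Accounts that never log in again keep their MD5 record under this scheme, so a forced reset is still needed for dormant users.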
We've been tracking the resurgence of older breach datasets, often resurfacing in credential stuffing attacks or being aggregated into larger password dictionaries. What caught our attention with the RTV (Rajawali Televisi) breach wasn't its size, but its age and the fact that it was being actively traded on several smaller, less-monitored dark web forums. The data had been circulating quietly since 2018, but we noticed a recent uptick in mentions alongside discussions about password cracking and account takeover tools targeting Indonesian streaming services. This suggests a renewed interest in leveraging this older data for potentially broader attacks within the region.
The RTV (Rajawali Televisi) breach, originally occurring on August 26, 2018, involved the exposure of 351,568 user records. The compromised data includes email addresses and MD5 hashed passwords. While the breach itself is not new, its re-emergence and active trading within certain dark web communities indicate an ongoing threat. This breach initially targeted FullHyderabad, an Indian classified ads platform.
The breach came to our attention after observing increased chatter on several underground forums where older databases are often bartered. The specific mention of RTV credentials alongside discussions of password cracking tools suggested that the data was not simply being archived, but actively being prepared for use in credential stuffing attacks. The focus on Indonesian streaming services also indicated a targeted campaign, rather than a broad, opportunistic attack.
This matters to enterprises now because it highlights the long tail of data breaches. Even years after an initial compromise, exposed credentials can remain a threat, especially if users have reused passwords across multiple platforms. The resurgence of this older data underscores the need for continuous monitoring of dark web channels and proactive measures to identify and mitigate the risk of credential-based attacks. This breach is a reminder that compromised data doesn't simply disappear; it can resurface and be weaponized years later.
Key point: Total records exposed: 351,568
Key point: Types of data included: Email Address, Password Hash
Key point: Sensitive content types: User Credentials
Key point: Source structure: Database
Key point: Leak location(s): Dark Web Forums
Key point: Date of first appearance: August 26, 2018
While the RTV breach itself didn't garner significant mainstream media attention at the time, the practice of leveraging older breach data for credential stuffing is well-documented. Security researchers have repeatedly warned about the risks of password reuse and the long-term impact of data breaches. As BleepingComputer reported in a similar case, "Even older breaches can be a goldmine for attackers if users haven't updated their passwords since the breach occurred."
Further supporting this trend, discussions on security-focused Reddit communities, such as r/netsec, frequently highlight the ongoing threat posed by older credential dumps. One user commented, "It's amazing how many people still use the same password they used 5 or 10 years ago. These old breaches are still incredibly valuable."