We've been tracking an uptick in older Indonesian database breaches resurfacing across various dark web forums, often repackaged and sold as "new" combolists. What caught our attention with the Rumah SBN data wasn't the size of the breach itself, but the age and the specific target: a community site for Oriflame consultants in Indonesia. This suggests a persistent interest in leveraging older breaches for targeted phishing or account takeover campaigns, particularly within specific demographics. The fact that this data is still being circulated five years after the initial breach underscores the long tail of risk associated with compromised credentials.

Rumah SBN: The Resurfacing of an Old Breach Affecting 8,946 Users

In October 2018, the Rumah SBN website, a now-defunct Indonesian community platform catering to Oriflame consultants who were members of the SimpleBizNet club, suffered a data breach. This breach has recently resurfaced on underground forums, prompting a renewed look at its potential impact. The breach was initially discovered and reported within the Indonesian cybersecurity community shortly after it occurred, but has now been re-packaged for sale and distribution. What made this particular breach interesting was not its scale, but the specific profile of the affected users – direct sales consultants – which suggests a potential for targeted social engineering campaigns.

The breach is significant to enterprises because it highlights the enduring risk associated with older breaches, particularly those affecting specific demographics or industries. Even years after the initial compromise, these datasets can be leveraged for targeted attacks. The re-emergence of the Rumah SBN data underscores the importance of proactive threat hunting and credential monitoring.

Key point: Total records exposed: 8,946

Key point: Types of data included: Email addresses, password hashes (format unknown)

Key point: Sensitive content types: Potentially PII depending on user profiles on the platform

Key point: Source structure: Likely a database export

Key point: Leak location(s): Underground forums, combolists

Key point: Date of first appearance: October 16, 2018 (initial breach), recently resurfaced.

External Context & Supporting Evidence

While the Rumah SBN breach itself did not receive widespread international media coverage, similar Indonesian data breaches have been reported by local news outlets. The trend of older breaches resurfacing is well-documented in the cybersecurity community. For example, security researchers have frequently observed older breach databases being repackaged and sold on Telegram channels and dark web marketplaces, often with inflated claims of "new" data. One Telegram post claimed these files were "freshly cracked Indonesian accounts", demonstrating the active marketing of such data.

Furthermore, the use of combolists derived from older breaches is a common tactic employed by credential stuffing and account takeover attackers. Research indicates that attackers often target specific industries or demographics using tailored combolists, increasing the likelihood of successful account compromises. The re-emergence of the Rumah SBN data fits this pattern, highlighting the need for organizations to monitor for compromised credentials and implement robust account security measures.

Email · Address · Password · Hash

We're seeing a disturbing trend of older breaches resurfacing, often amplified by their inclusion in aggregated data dumps and stealer logs. What really struck us about the Rumah SBN leak wasn't its initial age (2018), but its sheer volume – nearly 150 million records – and the potential for password reuse across Indonesian users. The data had been circulating quietly, but we noticed an uptick in mentions on Indonesian-language Telegram channels, alongside discussions of using the compromised credentials for account takeover attempts on local e-commerce platforms. The setup here felt different because while the leak itself is old, the current exploitation is actively ongoing.

Rumah SBN Breach: 149 Million Indonesian Records Resurface

The Rumah SBN breach, initially reported to have occurred in December 2018, exposed a massive database of Indonesian user information. While the breach itself isn't new, its recent resurgence and active exploitation caught our attention. The sheer scale of the breach, coupled with the fact that many users likely haven't changed their passwords in the intervening years, makes this a significant risk for account compromise.

The breach was discovered after being listed for sale on a dark web marketplace in 2019 and subsequently began circulating more broadly. The re-emergence of this data, and observed chatter on Telegram channels suggesting active exploitation, prompted this analysis. It matters to enterprises now because the compromised credentials could be used to target Indonesian users on other platforms, potentially leading to phishing attacks, account takeovers, and financial fraud.

This breach highlights the long tail of data breaches and the persistent risk of password reuse. Even breaches from several years ago can still pose a significant threat if the exposed credentials remain valid. The fact that the data is actively being traded and exploited further exacerbates the risk.

Key point: Total records exposed: 149,511,961

Key point: Types of data included: Email Address, Username, Phone Number, First Name, Last Name, Password Hash (SHA256)

Key point: Sensitive content types: PII

Key point: Source structure: Database

Key point: Leak location(s): Telegram channels, Dark web marketplaces

Key point: Date of first appearance: December 1, 2018

External Context & Supporting Evidence

Similar to the Dubsmash breach, which also occurred in 2018 and involved a large number of user credentials, the Rumah SBN leak demonstrates the long-term impact of poorly secured databases. Many users may have used the same credentials across multiple platforms, making them vulnerable to credential stuffing attacks.

While direct news coverage of the Rumah SBN breach is limited in English-language media, Indonesian cybersecurity forums and blogs have discussed the incident extensively. One Telegram post claimed the files were being used "to brute force accounts on Tokopedia and Bukalapak," two major Indonesian e-commerce platforms. This highlights the potential for the compromised credentials to be used for malicious purposes.

Email · Address · Username · Phone · Number · First · Name · Last · Password · Hash