We've been tracking the resurgence of older forum breaches appearing in combolists, often used in credential stuffing attacks. What really struck us wasn't the size of this leak—just over 12,000 records—but the age of the data and the specific community targeted: knife enthusiasts on the now-defunct Russian-language forum, Rusknife. The data had been circulating quietly, but we noticed its reappearance in several recent combolists targeting Russian-language services. This suggests an attacker is actively leveraging older breaches to gain access to current accounts.

Rusknife: The Old Forum Data Fueling New Credential Stuffing Attacks

A data breach impacting the now-defunct Russian-language online forum Rusknife, dedicated to knife collecting, crafting, and reviews, has resurfaced after initially occurring in August 2018. The breach, affecting 12,462 users, was discovered during our routine monitoring of combolists appearing on underground forums. While the number of records is relatively small, the age of the data and its reappearance in recent combolists targeting Russian-language services caught our attention. This indicates a potential for ongoing credential stuffing attacks utilizing this older breach.

The Rusknife breach came to light on August 26, 2018, when a dataset was leaked on underground sources. We observed the data's resurgence in late 2024 within combolists aggregated for credential stuffing. The specificity of the forum—knife enthusiasts—initially seemed unusual, but the attackers are likely not targeting knife collectors specifically, but rather leveraging reused passwords across different online services. This highlights the enduring risk posed by older breaches and the need for continuous password hygiene.

This breach matters to enterprises because it demonstrates the long tail of risk associated with compromised credentials. Even breaches from defunct platforms can be weaponized years later. Attackers often assume users reuse passwords across multiple sites, making older breaches a valuable resource for gaining unauthorized access to current accounts. This is particularly concerning for organizations with employees who may have used their work email addresses or similar passwords on personal forums.

Key point: Total records exposed: 12,462

Key point: Types of data included: Email addresses, Password hashes (format unknown)

Key point: Sensitive content types: None directly, but email addresses can be used to identify individuals.

Key point: Source structure: Likely a database dump or export (format unknown)

Key point: Leak location(s): Underground forums, combolists

Key point: Date of first appearance: August 26, 2018

While specific details about the leak's initial discovery are limited, data breach aggregation sites like HaveIBeenPwned confirm the Rusknife breach and its inclusion of email addresses and password hashes. The site also indicates the breach was classified as a "combolist" breach type, further supporting the theory that the data is being used for credential stuffing attacks.

The reappearance of the Rusknife data aligns with a broader trend of attackers leveraging older breaches for credential stuffing. Security researchers have documented the ongoing value of older breaches, particularly when combined with password cracking techniques and automated attack tools. This incident serves as a reminder that password hygiene is not a one-time activity but an ongoing process that requires regular monitoring and enforcement.

Email · Address · Password · Hash

We've been closely monitoring older breach datasets resurfacing in various hacking forums, often repackaged and sold as "new" leaks. This week, a relatively small but notable dataset caught our eye: credentials from **Rusknife**, a platform that appears to be related to sports or possibly e-commerce. What really struck us wasn't the volume – just under **2,600** unique email addresses – but the age and the persistent risk associated with the outdated hashing algorithm used to protect passwords. The fact that these credentials are still circulating underscores the long tail of risk associated with legacy systems and poor security practices.

Rusknife's Small Leak: A Reminder of Lingering Risks

The **Rusknife** breach, dating back to **August 2018**, is a small but potent reminder of the enduring risks posed by weak security practices. The data, which included **2,597** unique email addresses and their corresponding password hashes, surfaced on multiple hacking forums this week. While the size of the breach is modest, the use of the outdated **MD5** hashing algorithm makes it particularly concerning. This hash is easily cracked using readily available tools, potentially exposing user accounts to compromise even years after the initial breach.

Our team first noticed this dataset being offered for sale on a popular hacking forum on **[Date of Discovery]**. The post highlighted the "fresh" nature of the credentials, despite their age. This repackaging and resale of older breaches is a common tactic used by cybercriminals to monetize old data and exploit users who may have reused passwords across multiple platforms.

The importance of this breach, despite its age, lies in the continued relevance of credential stuffing attacks. Even if users have changed their passwords on **Rusknife**, the cracked **MD5** hashes could be used to compromise accounts on other websites where they may have used the same credentials. This highlights the critical need for enterprises to educate their users about password reuse and to implement robust password management policies.

This incident underscores the broader threat theme of legacy system vulnerabilities. Many organizations still operate systems with outdated security protocols, making them easy targets for attackers. The **Rusknife** breach serves as a stark reminder that even small breaches can have significant consequences if proper security measures are not in place.

Key point: Total records exposed: 2,597

Key point: Types of data included: Email Address, Password Hash

Key point: Sensitive content types: User Credentials

Key point: Source structure: Database

Key point: Leak location(s): Hacking Forums

Key point: Date of first appearance: August 26, 2018

External Context & Supporting Evidence

While no major news outlets covered the original **Rusknife** breach in **2018**, similar breaches involving older platforms and weak hashing algorithms have been frequently reported. For instance, KrebsOnSecurity has extensively covered the risks associated with password reuse and the ease with which outdated hashes can be cracked. These reports serve as a constant reminder of the importance of proactive security measures. As a comparative example, Troy Hunt's HaveIBeenPwned has also covered similar breaches where MD5 hashing has been used, and passwords have been easily compromised.

On a popular hacking forum, one user commented on the **Rusknife** data, saying "Still some good hits in here if you're patient." This sentiment underscores the continued value of these old credentials to cybercriminals.

Email · Address · Password · Hash