SargesList

11 Sep 2025
Records Affected: 11,653
Source Structure: Database, Combolist
Breach Location: Telegram
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Address, Password Hash
Password Types: Other

Description

We noticed a resurgence of older breach datasets circulating in private Telegram channels, often repackaged as "new" combolists for credential stuffing attacks. What really struck us wasn't the volume of records in this particular instance, but the specific target: a now-defunct service catering to U.S. military personnel. The age of the breach, dating back to 2018, initially suggested low immediate risk. However, the continued availability and repackaging of this data underscores the long tail of legacy breaches and the potential for ongoing exploitation, especially given the sensitive nature of the user base.

SargesList: The Defunct Military Community Site Still Fueling Credential Stuffing

In August 2018, the now-defunct U.S.-based community service for military personnel, SargesList, suffered a data breach. This breach, which exposed 11,653 user records, has resurfaced in various combolists on underground sources, highlighting the persistent risk associated with older breaches. The compromised data included email addresses and phpass password hashes.

The breach was initially reported on several data breach notification sites shortly after the incident in 2018, but its recent reappearance in Telegram channels suggests ongoing attempts to monetize the data through credential stuffing attacks. The fact that the site is defunct does not eliminate the risk; users may have reused their SargesList credentials on other, more critical platforms.

This incident matters to enterprises for several reasons. First, it underscores the importance of proactively monitoring for compromised credentials, even from seemingly insignificant or outdated sources. Second, it highlights the potential for targeted attacks against military personnel and related organizations, even through indirect means. Finally, it demonstrates the enduring value of breached data in the hands of malicious actors, who can continue to profit from it years after the initial incident.

* Total records exposed: 11,653
* Types of data included: Email addresses, password hashes
* Sensitive content types: Potentially sensitive information related to military affiliation
* Source structure: Database dump (likely inferred)
* Leak location(s): Underground forums, Telegram channels
* Date of first appearance: August 26, 2018 (initial breach), resurfaced recently in Telegram channels

External Context & Supporting Evidence

While SargesList itself did not garner significant media attention at the time of the initial breach, the re-emergence of this data aligns with a broader trend of older breaches being repackaged and sold on Telegram and other platforms. Security researchers have observed a steady stream of combolists being traded, often targeting specific industries or demographics. One Telegram post claimed the files were "freshly cracked military accounts," which is a misrepresentation of the data's age but highlights the intent to target this specific demographic.

The use of phpass for password hashing, while common at the time, is now considered weak compared to more modern algorithms like bcrypt or Argon2. This makes the passwords relatively easier to crack, further increasing the risk to affected users. The reappearance of this breach serves as a reminder that legacy security vulnerabilities can continue to pose a threat long after they are initially patched or mitigated.

Leaked Data Types

Email Address · Password Hash

Breach Rank

Ranked by number of affected users

Impact Score

Impact Score: 0.47

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$84.3K

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.

SargesList

10 Jul 2025
Records Affected: 73,612
Source Structure: Database
Breach Location: Darkweb
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Address, Password Hash
Password Types: SHA1, bcrypt

Description

We're observing a concerning uptick in breaches stemming from older, less sophisticated attacks, often targeting platforms with weaker security postures. Our team recently identified a breach impacting SargesList, a UK-based e-commerce platform. What struck us wasn't the scale – 73,612 records – but the age of the breach (August 2018) coupled with the hashing algorithms employed. The data had been circulating quietly on various forums and is now seeing renewed interest, likely due to its potential inclusion in credential stuffing attacks.

SargesList Breach: 73k Accounts Exposed Through Weak Hashing

The SargesList breach, discovered by our team while monitoring known breach repositories, highlights the long tail of risk associated with legacy systems and outdated security practices. The breach occurred in August 2018 and included 73,612 unique records. Passwords were hashed with both bcrypt and SHA1. While bcrypt is generally considered secure, the presence of SHA1 points to potential vulnerabilities and ease of cracking, especially given the advancements in computational power since 2018. This combination caught our attention, as it suggests a mixed environment with varying levels of security implementation. The re-emergence of this data now poses a renewed threat to enterprises, as these credentials could be used to compromise accounts on other platforms through credential stuffing. The incident underscores the importance of regular security audits and the phasing out of older, less secure cryptographic methods.
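As an added example (not code from this page or from SargesList), the following Python shows how a defender can audit their own credential store for the legacy schemes named in these two entries (phpass, SHA1, bcrypt) and flag accounts for re-hashing. It assumes phpass portable-format hashes (`$P$`/`$H$`) and bare 40-hex SHA1 digests; `MIN_BCRYPT_COST`, the action labels and the sample rows are hypothetical and constructed for illustration.

```python
import re
from collections import Counter

# phpass "portable" alphabet: the character after $P$/$H$ indexes into it and
# gives log2 of the MD5 iteration count.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B64 = r"[./0-9A-Za-z]"
PHPASS = re.compile(rf"\$[PH]\$({B64}){B64}{{8}}{B64}{{22}}")   # 34 chars total
BCRYPT = re.compile(rf"\$2[abxy]\$(\d{{2}})\${B64}{{53}}")      # 60 chars total
SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")

MIN_BCRYPT_COST = 10  # assumed local policy, not a value from the page


def classify(stored):
    """Return (scheme, work_factor, action) for one stored hash string."""
    m = PHPASS.fullmatch(stored)
    if m:
        log2 = ITOA64.index(m.group(1))
        if not 7 <= log2 <= 30:          # outside the range phpass accepts
            return ("phpass-md5", None, "manual-review")
        return ("phpass-md5", 1 << log2, "rehash-on-login")
    m = BCRYPT.fullmatch(stored)
    if m:
        cost = int(m.group(1))
        action = "keep" if cost >= MIN_BCRYPT_COST else "rehash-on-login"
        return ("bcrypt", cost, action)
    if SHA1_HEX.fullmatch(stored):
        # A bare 40-hex digest carries no cost parameter at all.
        return ("sha1-hex", None, "rehash-on-login")
    return ("unknown", None, "manual-review")


def audit(rows):
    """Count recommended actions over (email, stored_hash) rows."""
    return Counter(classify(stored)[2] for _, stored in rows)


# Constructed rows: the format is valid, the digests are filler, not real hashes.
SAMPLE = [
    ("a@example.invalid", "$P$B" + "abcdefgh" + "A" * 22),
    ("b@example.invalid", "$2y$12$" + "a" * 53),
    ("c@example.invalid", "$2a$04$" + "b" * 53),
    ("d@example.invalid", "a" * 40),
    ("e@example.invalid", "not-a-hash"),
]

if __name__ == "__main__":
    for email, stored in SAMPLE:
        print(email, classify(stored))
    print(dict(audit(SAMPLE)))
```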

Breach Stats:

* Total records exposed: 73,612
* Types of data included: Email Address, Password Hash
* Sensitive content types: User credentials
* Source structure: Unknown (likely database export)
* Leak location(s): Various hacking forums and breach repositories

The SargesList breach has not received significant media coverage, which is typical for smaller breaches of older data. However, the continued circulation of this data underscores the enduring risk posed by compromised credentials. The well-known website HaveIBeenPwned also lists the breach. This breach aligns with a broader trend of attackers targeting older datasets for credential stuffing attacks, as highlighted in recent reports by security firms like CrowdStrike.

Leaked Data Types

Email Address · Password Hash

Breach Rank

Ranked by number of affected users

Impact Score

Impact Score: 0.47

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$84.3K

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.
