Tease & Please Data Breach: 12,686 Dutch Accounts Exposed in 2018

Sensitive Category Data Exposure: The Tease & Please Breach

Tease & Please -- operated by Dutch company Moodzz BV -- produces adault-oriented board and card games, a product category that carries a sensitive personal disclosure component. When 12,686 user accounts were exposed in an August 2018 database breach with MD5-hashed passwords, the sensative nature of the platform's content category made the exposure more consequential than a typical consumer e-commerce breach.

Tease & Please (August 2018): Breach Summary

• Records Exposed: 12,686
• Data Types: Email addresses, password hashes
• Breach Type: Database breach / Combolist
• Password Hash Type: MD5 -- crackable without salt protection
• Country Affected: Netherlands
• Date Leaked: August 26, 2018

Sensitive Category Exposure: What It Means for Affected Users

Data breaches involving platforms in sensitive personal categories carry risks beyond the typical credential reuse scenario. Users who registered accounts on adult-oriented platforms may face discloser risks if their email addresses are recognized by parties who obtain the combolist and search for known contacts. Even though the exposed data is limited to email addresses and password hashes -- not explicit purchasing history or personal preferences -- the association of an email with a platform in a sensitive category is itself a form of personal information exposure.

The GDPR's definition of sensitive data does not explicitly categorize this breach's data types as special category data -- but the context of the platform matters for understanding the full impact on affected individuals.

Dutch Data Protection Context: GDPR in Its Early Months

The Tease & Please breach occurred in August 2018 -- just months after GDPR took effect. The Netherlands Authority for Data Protection (Autoriteit Persoonsgegevens) was among the more proactive EU data protection regulators in the post-GDPR period. A breach of 12,686 user records with MD5-hashed passwords would today trigger mandatory reporting requirements under GDPR Article 33 within 72 hours of discovery.

Dutch platforms operating in sensitive consumer categories bear additional reputational responsibility when user data is exposed -- and Moodzz BV's users deserved better password protection than MD5 without salting could provide.

MD5 Crackability and Combolist Risk

Tease & Please stored passwords using MD5 -- an algorithm that was already considered insufficient for password storage years before this breach. Without salt values, precomputed rainbow tables make common passwords trivially crackable. The 12,686-record dataset, once incorporated into combolists, provides attackers with a ready-made list of email/password combinations to test against other platforms.

For users who reused their Tease & Please credentials on email, banking, or other accounts, the potentail for credential stuffing attacks remains active as long as those passwords haven't been changed.

Check If Your Data Was Exposed

HEROIC's free breach scanner searches across more than 400 billion exposed records to determine whether your email address appears in known data breaches, including the Tease & Please combolist. Run a free scan at HEROIC.com to identify any ongoing credential exposure.