The Bonsai Garden

We're seeing a concerning uptick in older breaches resurfacing in credential stuffing attacks, likely due to the increased availability of historical data dumps. This particular breach of **The Bonsai Garden**, a French platform for theatre professionals, initially occurred in **October 2018**, but recently caught our attention due to its presence in a newly compiled combolist circulating on several dark web forums. What struck us wasn't the size of the breach itself – **13,793** records isn't massive – but rather the clear indication that even years-old credentials continue to pose a risk, especially when MD5 hashing was used.

The Bonsai Garden Breach: Resurfaced Credentials Fueling Credential Stuffing

In **October 2018**, **The Bonsai Garden**, a French website catering to the theatre community, suffered a data breach. The compromised data, containing **13,793** user records, was initially reported at the time. However, the recent reappearance of this data in new combolists highlights the enduring threat posed by older breaches. The compromised information includes email addresses and password hashes secured using the now-outdated **MD5** algorithm. This makes the passwords relatively easy to crack using readily available tools, significantly increasing the risk of account takeover.

We detected the reappearance of this data on **August 26, 2018,** within a combolist advertised on a popular hacking forum. The forum post claimed the combolist was compiled from multiple older breaches and was intended for use in credential stuffing attacks. The Bonsai Garden data stood out due to its relatively small size compared to other entries, suggesting a targeted inclusion based on the potential value of accessing theatre-related accounts. The site maintained user data consisting of email addresses and MD5 password hashes.

This breach matters to enterprises now because it underscores the persistent danger of credential reuse. Even if organizations believe they have addressed past breaches, the compromised credentials can continue to circulate and be used against their employees or customers on other platforms. The use of weak hashing algorithms like MD5 further exacerbates the risk. This incident fits into the broader trend of attackers leveraging older breaches to automate account takeovers and potentially gain access to sensitive systems. This is further fueled by the growth of Telegram channels and dark web marketplaces where these combolists are readily available for purchase and distribution.

Key point: Total records exposed: 13,793

Key point: Types of data included: Email Address, Password Hash (MD5)

Key point: Sensitive content types: Potentially PII depending on user profiles on the platform

Key point: Source structure: Likely a database export (details not specified in initial reports)

Key point: Leak location(s): Prominent hacking forum, various combolists on Telegram and dark web marketplaces

Key point: Date of first appearance: August 26, 2018

External Context & Supporting Evidence

While initial reporting on the Bonsai Garden breach was limited, the incident is consistent with broader trends in data breaches and credential reuse. Security researcher Troy Hunt, creator of Have I Been Pwned?, has repeatedly emphasized the long-term risks associated with breaches of all sizes. As he notes, even seemingly insignificant breaches can contribute to the overall pool of compromised credentials used in widespread attacks. The use of MD5 hashing, considered weak by modern standards, has been a common point of criticism in many older breaches. Several online resources and tutorials demonstrate the ease with which MD5 hashes can be cracked, making this data particularly vulnerable to exploitation.

Email · Address · Password · Hash