UFC Fight Club

We've been tracking a worrying trend of older breaches resurfacing in aggregated credential stuffing lists. What really struck us wasn't the size of these individual breaches, but the persistence of exposed credentials over extended periods. This particular incident, a 2017 breach of the UFC Fight Club forums, caught our eye due to the surprisingly large number of still-active email addresses and the continued use of weak hashing algorithms at the time. The data had been circulating quietly, but we noticed a spike in chatter referencing it on several dark web forums known for credential trading.

UFC Fight Club Data Breach: 239k User Records Resurface After 2017 Incident

In November 2017, the UFC Fight Club website forums (forums.ufcfightclub.com) experienced a significant data breach, compromising the data of 239,283 users. What made this incident noteworthy was the combination of its age and the inadequate security measures employed. The exposed data included:

• Total records exposed: 239,283
• Types of data included: Email Addresses, Usernames, IP Addresses, Password Hashes
• Sensitive content types: None specifically beyond standard PII
• Source structure: Database dump (likely SQL)
• Leak location(s): Various dark web forums and credential stuffing lists

The breach came to light shortly after it occurred in 2017, but it has recently resurfaced in several large-scale credential stuffing databases. What caught our attention was the fact that a significant portion of the email addresses were still active, indicating that many users hadn't updated their credentials across various platforms. The passwords, stored as MD5 hashes, or in some cases, not hashed at all, were easily cracked using readily available tools. This underscores the ongoing risk posed by legacy security vulnerabilities and the importance of proactive password management.

This breach matters to enterprises now because it highlights the enduring threat of credential reuse. Even breaches from several years ago can still be leveraged to gain unauthorized access to corporate accounts if employees use the same credentials across both personal and professional platforms. The use of weak hashing algorithms like MD5 is a stark reminder of the need for constant vigilance and adherence to modern security best practices. This incident is a prime example of how older breaches can be weaponized in automated attacks, particularly those targeting account takeover and lateral movement within corporate networks.

Troy Hunt, creator of Have I Been Pwned, added the UFC Fight Club breach to his database shortly after the incident occurred in 2017, further validating the scale and impact of the event. A search on BreachForums shows multiple threads referencing the UFC Fight Club database, with users sharing cracked password lists and discussing potential uses for the compromised credentials (archived link available upon request). One post claimed, "This DB is gold for cracking; so many simple passwords." This illustrates the active interest in this data within the cybercriminal community.