VIP.com

We're seeing a concerning resurgence of older breaches resurfacing, often repackaged and resold on various dark web forums. These "vintage" breaches, while not new, still pose a risk because password reuse is rampant. Our team recently flagged a repost of a 2018 breach from the Chinese e-commerce platform VIP.com. What really struck us wasn't the volume – just over 31,000 unique email addresses – but the fact that the passwords were in plaintext. In today's threat landscape, where credential stuffing attacks are automated and widespread, plaintext passwords from even older breaches can unlock access to current accounts.

VIP.com Breach: Plaintext Passwords from 2018 Still a Threat

The VIP.com breach, which occurred in August 2018, involved the exposure of approximately 31,333 user records from the Chinese e-commerce platform. The breach was initially reported after the data appeared on a well-known hacking forum. The concerning aspect of this incident is that the exposed data included both email addresses and, critically, plaintext passwords.

We discovered this reposted breach data while monitoring a specific Telegram channel known for aggregating and selling older combolists. The volume wasn't exceptional, but the presence of plaintext passwords immediately raised a red flag. In an era where most platforms at least hash passwords, the exposure of plaintext credentials from a relatively recent breach highlights a significant security lapse at the time of the incident.

This breach matters to enterprises now because it contributes to the ever-growing pool of compromised credentials used in credential stuffing attacks. Even if users have since changed their VIP.com passwords, they may have reused those same passwords on other, more critical accounts. The availability of these plaintext passwords significantly lowers the barrier to entry for attackers seeking to compromise user accounts across various platforms.

This incident ties into broader threat themes related to the persistence of older breaches and the automation of credential-based attacks. Threat actors actively collect and trade these combolists, using automated tools to test the validity of the credentials against a wide range of online services.

Key point: Total records exposed: 31,333

Key point: Types of data included: Email Address, Plaintext Password

Key point: Sensitive content types: Credentials

Key point: Source structure: Likely a database export (details unavailable)

Key point: Leak location(s): Hacking forum, Telegram channel

Key point: Date of first appearance: August 26, 2018 (original breach), Reposted [current date]

While direct reporting on the original VIP.com breach is limited, discussions on security forums at the time confirm the incident and the presence of plaintext passwords. A post on one such forum stated, "VIP.com got pwned back in 2018. Plaintext passwords. GG." This highlights the immediate concern within the security community regarding the severity of the breach.

Email · Address · Plaintext · Password