16.6 Million Records Exposed: Raaga and Pass'Sport Breaches Added to Have I Been Pwned

Have I Been Pwned Adds 16.6 Million Records from Raaga and Pass'Sport Data Breaches

HIGH
January 19, 2026
Data Breach

Impact Scope

People Affected

16.6 million

Industries Affected

Media and Entertainment, Government

Geographic Impact

India, France (national)

Related Entities

Organizations

Have I Been Pwned, French Government

Products & Tech

Pass'Sport

Other

Raaga, Troy Hunt

Full Report

Executive Summary

Troy Hunt's Have I Been Pwned (HIBP) service has ingested two major data breaches, adding a total of 16.6 million user records to its searchable database. The breaches originate from the Indian music streaming service Raaga (10.2 million records) and the French Government's Pass'Sport program (6.4 million records). Both breaches reportedly occurred in December 2025. The Raaga breach is particularly concerning as it includes passwords hashed with the obsolete and insecure MD5 algorithm, making them trivial to crack. This exposes affected users to a high risk of credential stuffing attacks across other online services. The Pass'Sport breach exposed personally identifiable information (PII), including dates of birth, increasing the risk of identity theft and targeted phishing campaigns.

Threat Overview

Two distinct data breach incidents have been publicly cataloged, affecting a large number of users in India and France.

Raaga Data Breach

  • Affected Organization: Raaga (Indian music streaming service)
  • Records Exposed: 10,200,000
  • Date of Breach: December 2025
  • Data Compromised: Usernames, email addresses, and passwords stored as MD5 hashes.
  • Primary Threat: The use of MD5 for hashing passwords is a critical failure. MD5 is not collision-resistant and is susceptible to rainbow table attacks, meaning most of these hashed passwords can be quickly converted back to plaintext. Attackers will use these cracked credentials in large-scale credential stuffing campaigns, attempting to log in to other popular services (banking, social media, email) where users may have reused the same password.

Pass'Sport Data Breach

  • Affected Organization: Pass'Sport (French Government sports program)
  • Records Exposed: 6,400,000
  • Date of Breach: December 2025
  • Data Compromised: Names, dates of birth, and email addresses.
  • Primary Threat: The exposed PII is a goldmine for identity fraud and highly personalized phishing attacks. Attackers can use the combination of name, date of birth, and email to impersonate victims, bypass security questions, or craft convincing phishing emails that appear to be from official sources.

Technical Analysis

While the root causes of the breaches were not detailed in the reports, the outcomes point to common security failures.

  • Insecure Credential Storage (Raaga): The use of MD5 is a direct violation of modern security best practices. Secure password storage requires strong, salted hashing algorithms like Argon2 or bcrypt. This failure indicates a lack of fundamental security hygiene.
  • PII Exposure (Pass'Sport): The breach of a government database containing PII suggests potential vulnerabilities in the web application, such as SQL injection (T1190 - Exploit Public-Facing Application), or a misconfigured database that was exposed to the internet.

Impact Assessment

  • For Raaga Users: High risk of account takeover on any other service where the same email and password combination was used. Financial loss and identity theft are possible if banking or email accounts are compromised.
  • For Pass'Sport Users: Increased risk of being targeted by sophisticated phishing and social engineering campaigns. The data could be used for identity theft, opening fraudulent accounts, or other forms of fraud.
  • For the Organizations: Significant reputational damage, potential regulatory fines (especially for the French government under GDPR), and loss of user trust.

Detection & Response

For individuals, detection is straightforward:

  1. Visit Have I Been Pwned and enter your email address to see if you were part of these or other breaches.
  2. If your data is found in the Raaga breach, immediately change your password on any site where you might have reused it. Prioritize critical accounts like email, banking, and social media.
  3. If your data is in the Pass'Sport breach, be extremely vigilant for phishing emails. Scrutinize any message asking for personal information or login credentials.

For organizations, this incident is a reminder to audit their own security practices.

Mitigation

This incident provides clear mitigation lessons for all organizations handling user data:

  1. Secure Password Hashing: NEVER use MD5 or SHA1 for passwords. Implement a modern, salted, and strong hashing algorithm like Argon2, scrypt, or at a minimum, bcrypt. This is a fundamental aspect of D3FEND's Strong Password Policy.
  2. Multi-Factor Authentication (MFA): Enforce MFA wherever possible. MFA is the single most effective control to defeat credential stuffing attacks, as a stolen password alone is not enough to gain access.
  3. Data Minimization: Only collect and store the user data that is absolutely necessary for the service to function. Regularly purge data that is no longer needed.
  4. Regular Security Audits: Conduct regular penetration tests and security audits of public-facing applications and databases to identify and remediate vulnerabilities before they can be exploited.

Timeline of Events

  1. December 1, 2025: Data breach occurs at Raaga, exposing 10.2 million user records.
  2. December 1, 2025: Data breach occurs at Pass'Sport, exposing 6.4 million user records.
  3. January 18, 2026: The Pass'Sport breach is added to the Have I Been Pwned database.
  4. January 19, 2026: The Raaga breach is added to the Have I Been Pwned database.
  5. January 19, 2026: This article was published.

MITRE ATT&CK Mitigations

Enforce the use of strong, unique passwords and, critically, use modern, salted hashing algorithms like Argon2 for storage.

Implement MFA to protect against credential stuffing attacks, as it prevents access even with a compromised password.

Train users to recognize phishing attempts and to practice good password hygiene, such as not reusing passwords across different services.

D3FEND Defensive Countermeasures

The Raaga breach is a textbook example of the failure to implement a strong password policy, specifically on the storage side. All organizations must immediately audit their password storage mechanisms. The use of MD5 is unacceptable. The immediate technical recommendation is to migrate all password hashes to a modern, memory-hard algorithm like Argon2id. This process involves, upon next login, verifying the user's password against the old MD5 hash, and if successful, immediately re-hashing it with Argon2id and storing the new hash. This ensures that even if the database is breached again, the password hashes are computationally expensive to crack, rendering them useless to most attackers. This must be combined with user-facing policies like minimum password length and complexity, but the backend storage mechanism is the most critical defense against the consequences of a breach.
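The verify-then-rehash migration described above and recommended in the Mitigation section, as an added example that is not code from HIBP, Raaga or any other named organization. It uses the standard library's scrypt in place of Argon2id so it runs with no third-party package (with argon2-cffi installed, PasswordHasher.hash and PasswordHasher.verify would take the place of the scrypt helpers), and it assumes the legacy records are unsalted MD5 hex digests; the user record is constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed legacy record: an unsalted MD5 hex digest, the scheme this
# example assumes the breached store used. Tagging the scheme in the stored
# string lets old and new hashes live side by side during the migration.
LEGACY_USERS = {
    "alice@example.com": "md5$" + hashlib.md5(b"correct horse").hexdigest(),
}

# scrypt work factors: 128 * r * N bytes of memory (16 MiB here) per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str, salt: bytes = None) -> str:
    """Hash with a fresh random salt; the output string is self-describing."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme using constant-time compares."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "scrypt":
        n, r, p, salt_b64, digest_b64 = rest.split("$")
        candidate = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, base64.b64decode(digest_b64))
    return False  # unknown scheme: fail closed


def login(users: dict, email: str, password: str) -> bool:
    """Authenticate, and on success upgrade a legacy MD5 record in place."""
    stored = users.get(email)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("md5$"):
        # The plaintext is available only now, so this is the one moment
        # the server can re-hash it under the strong scheme.
        users[email] = scrypt_hash(password)
    return True
```

Accounts that never log in keep their MD5 record under this scheme, so a migration plan also needs a cutoff after which remaining legacy hashes are invalidated and those users are forced through a reset. An alternative that needs no login is to wrap each existing MD5 digest in the strong hash immediately and verify legacy users as scrypt(md5(password)) until they next authenticate.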

Multi-factor authentication is the single most effective countermeasure against the primary threat posed by the Raaga breach: credential stuffing. Organizations should assume their users' passwords will be compromised from third-party breaches. Therefore, relying on a password alone is insufficient. Implementing MFA—whether through authenticator apps (TOTP), hardware keys (FIDO2/WebAuthn), or push notifications—adds a second layer of security that a stolen password cannot bypass. For services handling sensitive data, MFA should be mandatory. For less critical services, it should be strongly encouraged with prominent user prompts. This technique effectively neutralizes the value of password dumps on the black market and is the best defense against account takeovers resulting from poor user password reuse.

Sources & References

  • Who's Been Pwned, Have I Been Pwned (haveibeenpwned.com), January 19, 2026
  • Raaga and Pass'Sport Breaches Affecting Over 16 Million Added to HIBP, DataBreaches.net (databreaches.net), January 19, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, Have I Been Pwned, HIBP, Raaga, Pass'Sport, Credential Stuffing, MD5