Full Report
In February 2025, data allegedly obtained from an earlier Adpost breach surfaced. The dataset contained 3.3M records including email addresses, usernames, and display names. Multiple attempts to contact Adpost regarding the incident received no response.
Analysis Summary
# Incident Report: Adpost 2025 Data Leak
## Executive Summary
A dataset containing 3.3 million records, allegedly originating from an earlier breach at Adpost, surfaced in February 2025. The compromised data included user email addresses, usernames, and display names. The incident was surfaced publicly (added to HIBP) in October 2025, and the affected organization did not respond to contact attempts.
## Incident Details
- Discovery Date: October 7, 2025 (Date added to HIBP)
- Incident Date: February 2025 (When data allegedly originated/was obtained)
- Affected Organization: Adpost
- Sector: Classified advertising (an online service holding potentially personal user data)
- Geography: Not disclosed
## Timeline of Events
### Initial Access
- Date/Time: Prior to February 2025
- Vector: Previous system compromise (implied)
- Details: Data was obtained from an "earlier Adpost breach," suggesting initial access occurred before February 2025. The data surfaced in February 2025.
### Lateral Movement
- Not detailed in source material.
### Data Exfiltration/Impact
- Data involving 3.3 million records was exfiltrated/obtained.
- Impacted information: Email addresses, usernames, and display names.
### Detection & Response
- Detection: Public surfacing of the dataset (October 7, 2025).
- Response actions taken: Multiple attempts were made to contact Adpost regarding the incident, but yielded no response.
## Attack Methodology
- Initial Access: Not explicitly detailed, presumed system compromise from an "earlier breach."
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed, though usernames and emails suggest access to user account databases.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Collection of user account data (emails, usernames, names).
- Exfiltration: Data was packaged and shared publicly (via a Telegram channel indicated by the attribution source).
- Impact: Exposure of user registration information.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: 3.3 million user records, including email addresses, usernames, and display names.
- Operational: Not disclosed, but potential trust issues if users cannot contact the organization.
- Reputational: Negative, due to data exposure and lack of organizational response.
## Indicators of Compromise
- **Network indicators:** Attribution source mentioned was a Telegram channel (defanged: `hxxps://t[.]me/all3in`).
- **File indicators:** Not applicable (data listing).
- **Behavioral indicators:** Attributed to a known threat actor/group sharing breach data.
## Response Actions
- **Containment measures:** None explicitly described as the data appeared post-breach.
- **Eradication steps:** None explicitly described.
- **Recovery actions:** Public recommendation for users to change their passwords if they have not done so since 2025 and to enable 2FA.
## Lessons Learned
- The organization appears to have suffered multiple security incidents or failed to adequately secure prior breach data.
- Critical failure in stakeholder communication, as the organization did not respond to attempts to notify them of the data surfacing.
## Recommendations
- Immediately implement password resets and force MFA enrollment for all users affected by the 2025 data exposure.
- Conduct a comprehensive audit of all access controls and data retention policies to ensure data from previous incidents is properly destroyed or secured.
- Establish clear incident communication protocols to ensure timely engagement when potential data exposures are identified.