Skip to content

All incidents

Every catalogued cyberattack, filterable by attack type, sector, country, and year.

Attack
Sector
Data breachOngoing

Nintendo employee survey data stolen via third-party TinyPulse platform

Nintendo of America confirmed that threat actors stole internal employee survey data from TinyPulse, a third-party HR engagement platform it used, after the SHADOWBYT3$ group claimed to have exfiltrated about 859 MB of data and demanded a US$2 million ransom — while stressing that Nintendo's own systems and customer data were not affected.

Victim
Nintendo of America
Credential stuffingOngoing

FortiBleed: leaked dataset exposes VPN credentials for ~74,000 Fortinet firewalls

A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials — including plaintext passwords — for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.

Victim
Organizations running Fortinet FortiGate firewalls worldwide
EspionageContained

UNC6508 PRC-nexus medical & defense research espionage campaign

Google's Threat Intelligence Group disclosed that PRC-nexus actor UNC6508 spent more than a year inside U.S. and Canadian medical, academic and military-health research environments, compromising legacy REDCap servers, deploying custom INFINITERED malware and abusing Google Workspace email compliance rules to silently exfiltrate research and defense data.

Victim
U.S. and Canadian medical, academic and military-health research institutions
Supply chainContained

OptinMonster, TrustPulse and PushEngage WordPress plugins backdoored in Awesome Motive CDN supply-chain attack

Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.

Victim
Awesome Motive (OptinMonster, TrustPulse, PushEngage)
MalwareContained

152 'live wallpaper' Chrome extensions caught harvesting user data and faking Google search traffic

Socket's Threat Research Team uncovered a coordinated family of 152 new-tab 'live wallpaper' Chrome extensions, spread across 38 publisher accounts and three brands, that secretly logged user telemetry and laundered extension-generated visits into fake Google organic search traffic despite declaring they collected no data.

Victim
Google Chrome Web Store users
Supply chainOngoing

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim
Arch User Repository (AUR)
Data breachOngoing

FulcrumSec leaks Global Schools Foundation data, exposing 33,000+ children's and parents' passports

The extortion group FulcrumSec claimed it stole roughly 4.8 terabytes of data from Singapore-based Global Schools Foundation after exploiting database credentials left unchanged since a 2022 breach, leaking 33,088 passport numbers belonging to children and parents and around 9.4 million internal messages when ransom negotiations collapsed.

Victim
Global Schools Foundation
Data breachResolved

Atlas Menu data breach (2026)

In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository.

Victim
Atlas Menu
Records
63.9K
Data breachResolved

BCD Travel data breach (2026)

In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses.

Victim
BCD Travel
Records
396.3K
Data breachOngoing

1,528 contacts at Nature & Cie, claimed leak

In late May 2026, a B2B commercial database attributed to French organic-food distributor Nature & Cie surfaced on a cybercriminal forum, exposing roughly 5,635 stores, over 1,500 professional contacts and around 1,500 sales-visit reports covering Biocoop, Naturalia and La Vie Claire partners.

Victim
Nature & Cie
Records
1.5K
Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan
Data breachResolved

Charter data breach (2026)

In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign.

Victim
Charter
Records
4.9M
Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA — a French real-estate tokenization and fractional-investment fintech — up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K
Vulnerability exploitContained

Leak at Maeva

In May 2026, Maeva — the holiday-rental brand of Pierre & Vacances-Center Parcs — disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.

Victim
Maeva
Data breachOngoing

Leak at Once for all (via Actradis)

On 11 May 2026, Once For All disclosed unauthorized access to its Actradis B2B compliance platform, exposing professional contact data (names, professional emails, phone and contact details); a leaked database circulating since early May reportedly held about 305,000 records.

Victim
Once for all
Data breachOngoing

Leak at La France Insoumise

In May 2026, France's La France Insoumise party had data from its Action Populaire activist platform stolen and posted on a hacking forum, exposing some 120,000 email addresses, 20,000 phone numbers, postal addresses and member activity spanning 2017-2026.

Victim
La France Insoumise
Data breachContained

Leak at Bilov

In May 2026, Bilov — operator of the French Boulangeries Ange bakery chain — disclosed a data breach exposing the personal details (name, city, phone number) of around 812,000 customers after an active authentication token allowed unauthorized API access.

Victim
Bilov
Records
812.0K
Data breachResolved

Cushman & Wakefield data breach (2026)

In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with…

Victim
Cushman & Wakefield
Records
310.4K
Data breachContained

Leak at French Basketball Federation

In April 2026 the French Basketball Federation (FFBB) suffered a data breach after an attacker abused a compromised user account in its licensee-management tool, exposing identity and contact details of up to ~2 million licensees and ~900,000 legal representatives.

Victim
French Basketball Federation
Data breachOngoing

Leak at Interrail

A December 2025 cyberattack on Eurail B.V., operator of the Interrail and Eurail rail passes, exposed personal data of roughly 308,000 travellers — including names, contact details, dates of birth and passport numbers — which by 2026 was being sold on the dark web.

Victim
Interrail
Records
308.8K
Data breachRansom paid

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools — names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim
Instructure (Canvas LMS)
Loss
$10.0M
Records
275.0M
Data breachResolved

Reborn Gaming data breach (2026)

In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.

Victim
Reborn Gaming
Records
126
Data breachContained

Acrimed: online shop hit by a cyberattack

On 29 April 2026, French media-criticism association Acrimed disclosed a cyberattack on its online shop that exposed customers' email addresses, encrypted passwords and order history; names, postal addresses, phone numbers and banking details were said to be unaffected.

Victim
Acrimed
Data breachResolved

Vimeo data breach (2026)

In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.

Victim
Vimeo
Records
119.2K
Data breachResolved

CTT data breach (2026)

In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.

Victim
CTT
Records
468.1K
Data breachUnknown

Leak at Céram Décor

On 25 April 2026, a confirmed data leak exposed customer personal data — names, email addresses, phone numbers, postal addresses and hashed passwords — from French ceramic and tile decoration retailer Céram Décor.

Victim
Céram Décor
Data breachContained

Leak at Agence Nationale des Fréquences

ANFR, France's national frequency agency, disclosed that an intrusion into its Radiomaritime online service exposed the personal data — names, postal addresses, phone numbers, emails and dates of birth — of roughly 330,000 users; a sample was put up for sale online.

Victim
Agence Nationale des Fréquences
Records
330.0K
Data breachContained

Data leak at Système U

In April 2026, French retail cooperative Système U disclosed a breach of its magasins-u.com loyalty portal in which attackers gained unauthorized access to customer accounts, exposing names, contact details and loyalty-card numbers but no banking data.

Victim
Système U
Data breachResolved

Udemy data breach (2026)

In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors.

Victim
Udemy
Records
1.4M
Data breachContained

Data leak at Magasins U - unspecified volume

In April 2026, French retail cooperative Magasins U notified loyalty-card holders that unauthorized access to its magasins-u.com customer area exposed personal data including names, contact details and loyalty-card numbers, though banking data was not affected.

Victim
Magasins U
Data breachResolved

ADT data breach (2026)

In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses.

Victim
ADT
Records
5.5M
Data breachResolved

Aman data breach (2026)

In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses.

Victim
Aman
Records
215.6K
Data breachContained

12 million people in the ANTS data leak

France Titres (ANTS), the French government agency issuing secure identity documents, disclosed a breach of its moncompte.ants.gouv.fr portal via an IDOR API flaw; officials confirmed 11.7 million accounts exposed (names, dates of birth, emails, addresses), while a hacker claimed up to 19 million records.

Victim
ANTS (France titres)
Records
11.7M
Data breachResolved

Canada Life data breach (2026)

In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets.

Victim
Canada Life
Records
237.8K
Data breachResolved

Pitney Bowes data breach (2026)

In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations.

Victim
Pitney Bowes
Records
8.2M
Data breachResolved

Carnival data breach (2026)

In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked.

Victim
Carnival
Records
7.5M
Data breachOngoing

Moulin Roty: customer data exposed after a cyberattack

On 18 April 2026 French toy and baby-goods brand Moulin Roty emailed customers to warn that a cyberattack on its shared Magento e-commerce platform may have exposed identity, contact, account-login, purchase-history and marketing data, though no compromise was confirmed and banking details were not affected.

Victim
Moulin Roty
Supply chainContained

Leak at Jeu Jouet

French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.

Victim
Jeu Jouet
Data breachResolved

Kemper data breach (2026)

In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign.

Victim
Kemper
Records
269.3K
Data breachResolved

Zara data breach (2026)

In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign.

Victim
Zara
Records
197.4K
Data breachResolved

Abrigo data breach (2026)

In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo…

Victim
Abrigo
Records
711.1K
Supply chainOngoing

Leak at IAE Grenoble (via AlumnForce)

In April 2026, alumni of IAE Grenoble were exposed in a breach of AlumnForce, the third-party platform managing its alumni network; the stolen dataset spanned ~2.7M profiles across 49 French institutions and included names, contact details and full professional/education histories.

Victim
IAE Grenoble
Data breachResolved

Marcus & Millichap data breach (2026)

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group.

Victim
Marcus & Millichap
Records
1.8M
Data breachResolved

Mytheresa data breach (2026)

In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses.

Victim
Mytheresa
Records
84.1K
Data breachOngoing

DB Telecom: a 40k-customer database put up for sale

Around 10 April 2026, a threat actor put DB Telecom (Service Telecom) — a Marseille-based IP-telephony operator on the Orange/Or-Tel network — up for sale, leaking a database of roughly 41,470 customers and 2,835,372 records including names, contacts, plaintext passwords and internal emails.

Victim
DB Telecom
Records
2.8M
Supply chainOngoing

Leak at ENSAI Network (via AlumnForce)

ENSAI Network alumni data was exposed in the April 2026 breach of its platform provider AlumnForce, which leaked some 2.7 million student and graduate profiles from 49 French institutions — including names, emails, phone numbers, locations, career history and education details — now offered for sale on cybercrime forums.

Victim
ENSAI Network
Supply chainOngoing

Leak at Lilagora (via AlumnForce)

In April 2026, Lilagora — the University of Lille's alumni network — saw its members' data exposed in a breach of its third-party platform provider AlumnForce, part of a wider incident affecting 2.7 million profiles across 49 French institutions, with names, contact details and professional histories leaked.

Victim
Lilagora
Data breachResolved

McGraw Hill data breach (2026)

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform".

Victim
McGraw Hill
Records
13.5M
Data breachResolved

7-Eleven data breach (2026)

In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers.

Victim
7-Eleven
Records
185.3K
Data breachResolved

My Lovely AI data breach (2026)

In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames.

Victim
My Lovely AI
Records
106.3K
Data breachResolved

LegionProxy data breach (2026)

In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.

Victim
LegionProxy
Records
10.1K
Supply chainContained

Leak at Contrat d'intégration républicaine

France's OFII immigration agency notified signatories of the Contrat d'intégration républicaine that a January 2026 breach via a compromised subcontractor exposed the names, emails, phone numbers and postal addresses of roughly 2.1 million people.

Victim
Contrat d'intégration républicaine
Records
2.1M
Data breachResolved

Amtrak data breach (2026)

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly.

Victim
Amtrak
Records
2.1M
Data breachContained

Data leak at La Quiberonnaise

In early April 2026, the French cannery La Quiberonnaise confirmed that unauthorized access to its systems exposed customer personal data — names, postal addresses, email addresses and phone numbers — with the company notifying affected clients by email and reporting the breach to the CNIL.

Victim
La Quiberonnaise
Data breachResolved

SongTrivia2 data breach (2026)

In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt…

Victim
SongTrivia2
Records
291.7K
Data breachResolved

Hallmark data breach (2026)

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming…

Victim
Hallmark
Records
1.7M
Supply chainContained

Homair: customer data exposed after a cyberattack

On 31 March 2026, French camping and holiday-village operator Homair disclosed a data breach traced to a compromised third-party technical provider, exposing customers' names, email addresses, phone numbers and booking details (destination, stay dates, amount paid), while bank data, passwords and postal addresses were said to be unaffected.

Victim
Homair
Supply chainContained

Leak at La Mine Bleue (via Vivaticket)

On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data — names, postal code/country, email and purchase history — was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.

Victim
La Mine Bleue
Data breachUnknown

Leak at GDQuest

On 30 March 2026, a database from GDQuest — a French e-learning platform for the Godot game engine — surfaced on a hacking forum, exposing learners' email addresses, usernames/account slugs and the titles and prices of purchased courses.

Victim
GDQuest
Data breachContained

Le Petit Vapoteur: 3.3 million customers exposed

In late March 2026, French e-cigarette retailer Le Petit Vapoteur was hit by a data breach after a hacker using the alias 'undef' put its customer database up for sale, exposing names, emails, phone numbers, postal addresses and IP logs for a claimed 3.3 million customers and 599 employees spanning 2012-2026.

Victim
Le Petit Vapoteur
Records
3.3M
Data breachResolved

ZenBusiness data breach (2026)

In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform.

Victim
ZenBusiness
Records
5.1M
Data breachResolved

BreachForums Version 5 data breach (2026)

In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes.

Victim
BreachForums Version 5
Records
339.8K
Data breachUnknown

Leak at Les Champs Libres

On 26 March 2026, a breach at Les Champs Libres — the public cultural complex in Rennes — exposed user account data including names, email addresses, phone numbers and plain-text passwords.

Victim
Les Champs Libres
Data breachResolved

Addi data breach (2026)

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised".

Victim
Addi
Records
34.5M
Data breachResolved

Sound Radix data breach (2026)

In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names.

Victim
Sound Radix
Records
293.0K
Supply chainContained

Leak at Crunchyroll

On 24 March 2026, anime streaming service Crunchyroll confirmed a data breach traced to a compromised third-party support vendor (Telus), exposing customer support-ticket data — names, emails, IP addresses and partial payment-card details — with a hacker claiming ~8M ticket records and ~6.8M unique email addresses.

Victim
Crunchyroll
Supply chainContained

Leak at Europa (European Commission)

In March 2026, the European Commission's Europa.eu web-hosting infrastructure was breached via a stolen AWS key (Trivy supply-chain compromise); ~91.7 GB of data covering 30+ EU entities — names, emails, email content and documents — was exfiltrated and leaked by ShinyHunters.

Victim
Europa (European Commission)
Data breachContained

62,511 records in the SIA data leak

In late March 2026, a hacker put up for sale data on 62,511 firearms registered in France's Système d'Information sur les Armes (SIA), exposing owners' names, postal addresses, emails, phone numbers, weapon details and transaction histories.

Victim
Système d'Information sur les Armes (SIA)
Records
62.5K
Vulnerability exploitContained

Leak at I-Cad

I-Cad, France's national dog, cat and ferret identification registry, disclosed in March 2026 that a September 2025 software vulnerability had allowed automated querying of its database, exposing users' email addresses and fuelling phishing campaigns against pet owners.

Victim
I-Cad
Data breachUnknown

109,302 CMF members: data leak claimed

On 20 March 2026, a database of the Confédération Musicale de France (CMF) — France's federation of amateur music ensembles and schools — was put up for sale by the actor HexDex, allegedly exposing 109,302 members including many minors, with identities, contact details, school records and disability notes.

Victim
Confédération Musicale de France (CMF)
Records
109.3K
Data breachContained

Data leak at Mingat

On 19 March 2026, French vehicle-rental company Mingat confirmed a data leak affecting its customers, notifying them of a security incident that exposed personal information held in its rental records.

Victim
Mingat
Supply chainOngoing

10,816 Canada Goose customers in a data leak

French customers of luxury outerwear brand Canada Goose were caught up in a data leak by the ShinyHunters extortion group, with 10,816 records in the France-related subset of a broader corpus of roughly 600,000 customer records traced to a third-party payment processor.

Victim
Canada Goose
Records
10.8K
Supply chainOngoing

Leak at Musée des Arts et Métiers

Disclosed on 18 March 2026, the Musée des Arts et Métiers was caught up in the Vivaticket supply-chain ransomware breach, exposing online shop and ticketing customers' names, email addresses, account details and order history.

Victim
Musée des Arts et Métiers
Supply chainContained

Leak at Bibliothèque Nationale de France

A March 2026 ransomware attack on the Bibliothèque Nationale de France's third-party online ticketing provider exposed the names and email addresses of users who had booked cultural events; banking data, handled by a separate vendor, was not affected.

Victim
Bibliothèque Nationale de France
Data breachResolved

Divine Skins data breach (2026)

In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email…

Victim
Divine Skins
Records
105.8K
Data breachOngoing

476,282 customers affected by a claimed leak at Intersport Rent

On 11 March 2026, a database belonging to INTERSPORT Rent — the ski- and snowboard-equipment rental arm of the Intersport sports retail group — was dumped on a hacker forum, exposing roughly 1.2 million rows covering about 476,282 unique customers, including names, emails, phone numbers, loyalty numbers and rental order histories.

Victim
Intersport Rent
Records
476.3K
Data breachUnknown

Leak at Pronote

A claimed leak of Pronote login credentials (email addresses and passwords) belonging to French students and parents was reported circulating for sale on the dark web; publisher Index Education stated its own systems were not breached, the credentials stemming from phishing and account theft.

Victim
Pronote
Data breachContained

Data leak at Vatel Capital

On 9 March 2026, French AMF-regulated asset manager Vatel Capital emailed its clients to disclose an accidental exposure of files that occurred between 21 February and early March 2026, affecting personal data held by the firm.

Victim
Vatel Capital
Data breachResolved

Baydöner data breach (2026)

In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords.

Victim
Baydöner
Records
1.3M
Data breachResolved

Aura data breach (2026)

In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected.

Victim
Aura
Records
903.1K
Supply chainOngoing

Data leak at Centre des Monuments Nationaux

In early March 2026, France's Centre des Monuments Nationaux disclosed a data leak stemming from a ransomware attack on its online ticketing provider, exposing visitors' emails, names, postal addresses, purchase history and hashed passwords, but no banking data.

Victim
Centre des Monuments Nationaux
Data breachUnknown

15,000 employees affected by claimed data leak at ANCT

On 4 March 2026, a threat actor claimed on a hacking forum to be selling a database tied to France's Agence Nationale de la Cohésion des Territoires (ANCT), allegedly exposing professional and contact details of around 15,000 employees and administrative contacts, with a sample posted as proof.

Victim
Agence Nationale de la Cohésion des Territoires (ANCT)
Data breachResolved

SUCCESS data breach (2026)

In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes.

Victim
SUCCESS
Records
253.5K
Data breachResolved

Woflow data breach (2026)

In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data.

Victim
Woflow
Records
447.6K
Data breachResolved

Ameriprise data breach (2026)

In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure,…

Victim
Ameriprise
Records
502.6K
Data breachContained

Leak at Cloud Imperium Games

Cloud Imperium Games, developer of Star Citizen and Squadron 42, disclosed in March 2026 that a January attack on its backup systems gave intruders read-only access to player account data including names, usernames, dates of birth and contact details.

Victim
Cloud Imperium Games
RansomwareContained

Leak at Lisi

In early March 2026, French aerospace and automotive fastener manufacturer LISI Group was hit by the Qilin ransomware gang, which exfiltrated a limited set of corporate data — bank account/IBAN details, supply contracts, confidentiality agreements and employee information — from two ancillary sites.

Victim
Lisi
Data breachResolved

Leak at MDPH 92

In early March 2026, MDPH 92 — the Hauts-de-Seine disability services agency — accidentally exposed around 500 beneficiaries' email addresses by sending a mass post-cyberattack notice with recipients in CC instead of BCC.

Victim
MDPH 92
Records
500
Supply chainContained

Leak at Palais de la Porte Dorée

On 2 March 2026, the Palais de la Porte Dorée was among 40+ French cultural institutions affected by a ransomware attack on shared ticketing provider Vivaticket, potentially exposing visitors' names, contact details, dates of birth, purchase histories and encrypted passwords.

Victim
Palais de la Porte Dorée
Data breachContained

Leak at Paris Adult Courses Platform

On 2 March 2026, the City of Paris confirmed a data breach affecting the Cours d'Adultes de Paris (adult education) platform, exposing names, dates of birth, emails, postal addresses and phone numbers of users registered before May 2025; no passwords or banking data were affected.

Victim
Paris Adult Courses Platform
RansomwareUnknown

Data leak at Tactis

In early 2026, French digital-infrastructure consultancy Tactis was hit by the Qilin ransomware gang, which listed the firm on its leak site and threatened to publish exfiltrated internal data covering its telecom and smart-city projects for public and private clients.

Victim
Tactis
Data breachContained

Data leak at Union Nationale du Sport Scolaire

France's school-sport federation UNSS disclosed in late February 2026 that intruders accessed its OPUSS membership platform and leaked personal data and roughly 1.5 million ID photos of student athletes (11-18) on the darknet, spanning ~668,000 current and ~889,000 former members.

Victim
Union Nationale du Sport Scolaire
Data breachContained

3 million students: claimed data leak at UNSS #2

On 28 February 2026, the group DumpSec claimed it had exfiltrated about 65 GB of data and roughly 1.5 million student identity photos from the French school sports federation UNSS, after breaching its OPUSS intranet; names, birth dates, schools and contact details were exposed.

Victim
UNSS #2
Data breachContained

Leak at ESPCI

In late February 2026, ESPCI Paris (a PSL University engineering and research school) disclosed that an access-control flaw let unidentified actors harvest its internal directory, exposing identity and contact details of students, staff and external personnel; passwords were not affected.

Victim
ESPCI
Data breachContained

Leak at French Gymnastics Federation

In late February 2026, France's gymnastics federation (FFGym) disclosed a breach of its FFGym Licence system via a phished club account, exposing data on roughly 2.9 million current and former licensees registered since 2004.

Victim
French Gymnastics Federation
Records
2.9M
Supply chainContained

Leak at Sports and Cultural Federation of France

The Sports and Cultural Federation of France (FSCF) had the personal data of roughly 1.33 million members exposed after a third-party licence-management provider was compromised, leaking names, dates of birth, postal addresses, contact details and licence/membership records.

Victim
Sports and Cultural Federation of France
Records
1.3M
Data breachResolved

KomikoAI data breach (2026)

In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

Victim
KomikoAI
Records
1.1M
Data breachResolved

Lovora data breach (2026)

In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app.

Victim
Lovora
Records
495.6K
Data breachContained

80,000 documents: claimed leak at Unis Cité

On 23 February 2026, the civic-service association Unis Cité was hit by a data breach exposing roughly 80,000 people and around 40 GB of data, including national ID cards, photos, IBANs and other sensitive documents on young volunteers, claimed by the DumpSec group.

Victim
Unis Cité
Records
80.0K
Data breachContained

Data leak at the French Badminton Federation

The French Badminton Federation disclosed that an unauthorized export from its internal Poona membership platform, traced to a compromised administrator account and discovered in September 2025, exposed personal data on roughly 300,000 licensed members, including names, dates of birth, contact details and parents' names.

Victim
French Badminton Federation
Records
300.0K
Supply chainOngoing

Claimed leak at MaSalleDeSport - unspecified volume

On 22 February 2026, a hacker known as "84City" claimed to have breached MaSalleDeSport, a CRM and management provider for 2,000+ French gyms (Basic-Fit, Fitness Park, ON AIR Fitness, L'Orange Bleue), exposing member names, phone numbers, SMS and addresses for a potential 1M+ people.

Victim
MaSalleDeSport (Basic-Fit, Fitness Park..)
Data breachUnknown

8,861 staff - data leak at the French Ministries of the Interior & Armed Forces

On 20 February 2026, a compilation of personal data covering 8,861 staff of the French Ministries of the Interior and Armed Forces — including names, dates of birth, contact details and internal identifiers — surfaced on underground forums, part of a wider aggregate of leaks affecting French public agents.

Victim
French Ministries of the Interior & Armed Forces
Records
8.9K
Data breachOngoing

2,393 officials affected by a Police, Gendarmerie, CNIL data leak

On 20 February 2026, a compiled database exposing 2,393 French state agents — from the Police, Gendarmerie, Defence ministry, DGSI, DGSE, Customs and the CNIL (including 86 CNIL staff) — was published on underground forums, leaking identity, contact and professional details aggregated from hundreds of prior breaches.

Victim
Police, Gendarmerie, CNIL (officials)
Records
2.4K
Data breachUnknown

Leak at FFCK and Paddle Sports

In February 2026, the French Canoe Kayak and Paddle Sports Federation (FFCK) had a member database covering decades of licence-holders leaked and offered for sale, exposing the names, dates of birth, postal addresses, phone numbers, emails and club/licence details of roughly 393,374 people.

Victim
FFCK and Paddle Sports
Records
393.4K
Data breachContained

Leak at the French Ministry of Sports, Youth and Community Life

In February 2026, the French Ministry of Sports, Youth and Community Life had data on roughly 450,000 candidates exfiltrated from its FORÔMES sports/youth training platform after a legitimate training organisation's account was compromised, exposing names, contact details and dates and places of birth.

Victim
French Ministry of Sports, Youth and Community Life
Records
450.0K
Data breachContained

450,000 FOROM users hit by a data leak

On 19 February 2026 the French Ministry of Sports disclosed that data on roughly 450,000 candidates was exfiltrated from its FORÔMES training and diploma platform after a legitimate training-organisation account was compromised, exposing names, contact details and dates and places of birth.

Victim
French Ministry of Sports (FOROM platform)
Records
450.0K
Data breachContained

Leak at Direction Générale des Finances Publiques

France's tax authority (DGFiP) disclosed on 18 Feb 2026 that an attacker who hijacked a civil servant's credentials accessed FICOBA, the national bank-account registry, exposing identity, address, IBAN and in some cases tax-ID data for about 1.2 million account holders.

Victim
Direction Générale des Finances Publiques
Records
1.2M
Data breachUnknown

Leak at Espace CE

In February 2026, personal data belonging to thousands of employees was found circulating on the dark web after a breach of Espace CE (Espace CSE), a French platform managing benefits for Works Councils; exposed fields included names, contact details, dates of birth and hashed passwords.

Victim
Espace CE
Data breachContained

1.2 million bank accounts: data leak at FICOBA

France's Ministry of the Economy and Finance disclosed that an intruder who usurped a civil servant's credentials had illegitimately accessed the national bank-account registry FICOBA from late January 2026, exposing the IBAN/RIB details, identity, address and in some cases tax ID of holders of about 1.2 million accounts.

Victim
FICOBA (French Ministry of the Economy and Finance)
Records
1.2M
Supply chainContained

358,000 Réglo Mobile (Leclerc) customers affected by a data leak

On 18 February 2026, Réglo Mobile — the E.Leclerc/SFR-backed mobile virtual operator — disclosed that a subcontractor breached from 13 February exposed data on about 358,000 customers, including identity, contact details, dates of birth, PUK codes, call records and partial banking data, with the database offered for sale by actor "84City".

Victim
Réglo Mobile (Leclerc)
Records
358.0K
Data breachResolved

Quitbro data breach (2026)

In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time.

Victim
Quitbro
Records
22.9K
Supply chainContained

Data leak at Voyage Privé - upcoming bookings exposed

Voyage Privé, the French flash-sale travel platform, confirmed in February 2026 that a compromised third-party partner exposed reservation data for customers with upcoming trips — including names, country of residence, emails, phone numbers and, in some cases, passport numbers — fuelling a wave of WhatsApp phishing.

Victim
Voyage Privé
Data breachOngoing

14,753 people affected by a claimed leak at EPITA

On 15 February 2026, the Lapsus$ group listed a database allegedly stolen from French engineering school EPITA on BreachForums, claiming records on 14,753 students and staff including names, email addresses, graduation years and profile photos.

Victim
EPITA (École Pour l'Informatique et les Techniques Avancées)
Records
14.8K
Data breachResolved

CarGurus data breach (2026)

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings,…

Victim
CarGurus
Records
12.5M
Supply chainOngoing

Leak at Grain de Malice (via Socloz)

Customer data of French womenswear retailer Grain de Malice was exposed in February 2026 through a breach of its omnichannel retail provider Socloz, leaking names, email addresses and phone numbers as part of a dataset of up to ~31 million records.

Victim
Grain de Malice
Data breachContained

3,600 Gustave-Auto customers affected by a claimed data leak

Gustave-Auto, a French automotive services platform (vehicle convoyage, fleet management and repairs), disclosed in February 2026 that an access anomaly exposed partner data — names, postal and email addresses, phone numbers, IBAN/BIC banking details and SIRET/VAT numbers — with a tracker claim citing around 3,600 records.

Victim
Gustave-Auto
Records
3.6K
Data breachContained

Cyberattack at Les Restos du Cœur

On 11 February 2026, French food-aid charity Les Restos du Cœur suffered a cyberattack on an internal system, exposing the personal data of its employees and volunteers, including names, roles, departments, email addresses and phone numbers.

Victim
Les Restos du Cœur
Data breachResolved

Odido data breach (2026)

In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days.

Victim
Odido
Records
6.1M
Data breachContained

Leak at Commune de Bourg-Achard

The town hall of Bourg-Achard (Eure, Normandy) disclosed a cyberattack dating to 29 January 2026 that led to a data leak, with municipal room-reservation records among the information exposed; the CNIL, gendarmerie and ANSSI/Normandie Cyber were notified.

Victim
Commune de Bourg-Achard
Supply chainContained

Data leak at Safran Group: supply chain exposed

In February 2026, a database tied to French aerospace and defense group Safran surfaced on a hacking forum, exposing roughly 718,716 order records — names, emails, phone numbers, ERP references and logistics data — leaked through a third-party provider rather than Safran's own systems.

Victim
Safran Group
Records
718.7K
Data breachContained

Leak at La Carte Avantage Jeune

A January 2026 breach of Info Jeunes Bourgogne-Franche-Comté's Carte Avantages Jeunes platform exposed the personal data of roughly 283,000 cardholders, including names, dates of birth, addresses, phone numbers and identity documents, later put up for sale on the dark web.

Victim
La Carte Avantage Jeune
Data breachUnknown

Data leak at Prozon, volume not specified

In February 2026, French company Prozon disclosed a data breach affecting its customers after an attacker gained unauthorised access to one of its infrastructure tools; the company confirmed the incident and notified France's data-protection regulator, the CNIL, though the volume of affected records was not specified.

Victim
Prozon
Data breachContained

Data leak at Sumsub

In February 2026, identity-verification (KYC) provider Sumsub disclosed a 2024 breach — undetected for ~18 months — in which an attacker reached a customer-support environment and exposed the names, email addresses and phone numbers of clients of crypto and fintech platforms it serves.

Victim
Sumsub
Data breachContained

Leak at the French Office for Biodiversity

In early February 2026 the French Office for Biodiversity (OFB) disclosed that an intrusion into its national hunting-licence application exposed personal data of licence candidates, applicants and holders — including full identity, contact details, nationality and licence numbers.

Victim
French Office for Biodiversity
Data breachContained

Leak at French Table Tennis Federation

The French Table Tennis Federation (FFTT) disclosed a cyberattack in which a compromised account was used to bulk-extract licence-holder records — names, dates and places of birth, nationality, licence numbers and contact details for an estimated 210,000–254,000 members; no banking or health data was affected.

Victim
French Table Tennis Federation
Data breachContained

Leak at French Sailing Federation

In early February 2026, France's national sailing federation (FFVoile) disclosed a data breach of its licence-management platform via a compromised club account, exposing personal data of several hundred thousand licensees including names, birthdates, addresses, emails, phone numbers and disability status.

Victim
French Sailing Federation
Data breachOngoing

Leak at the City of Paris

A leaked file from the City of Paris's municipal adult-education platform (Cours municipaux pour adultes) exposed the personal data of 320,292 registered users, including names, dates of birth, postal addresses, phone numbers and email addresses; no passwords or banking data were involved.

Victim
City of Paris
Records
320.3K
Data breachResolved

Toy Battles data breach (2026)

In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.

Victim
Toy Battles
Records
1.0K
Data breachOngoing

Leak at ADMR

On 5 February 2026, the threat group RavenSec claimed a breach of France's ADMR home-care network, leaking member data — names, email and postal addresses and organisation details — with over 10,000 people initially affected and a claimed underlying database of millions.

Victim
ADMR
Data breachUnknown

813,983 FFRandonnée members - claimed data leak

On 5 February 2026, the French Hiking Federation (FFRandonnée) was named in a claimed data leak said to expose the personal records of 813,983 members, part of the 2026 wave of breaches hitting French sports federations through shared licensee-management systems.

Victim
French Hiking Federation
Records
814.0K
Data breachUnknown

Data leak at Protexia France

In early February 2026, Protexia France — the legal-protection insurance subsidiary of Allianz France — was reported to have suffered a data breach exposing personal information belonging to its policyholders and contacts.

Victim
Protexia France
Supply chainContained

828,000 stop-points exposed in data leak at Loxam

On 4 February 2026, French equipment-rental group Loxam disclosed a breach of a third-party delivery-planning system that exposed roughly 60 GB of logistics data — 94,735 delivery routes and about 828,000 geolocated stop-points covering 2020-2026, plus customer, driver and vehicle details.

Victim
Loxam
Data breachContained

377,418 jobseekers - data leak at Choisir le service public

France's state recruitment portal Choisir le service public disclosed in early February 2026 a breach exposing the application profiles of 377,418 candidates after attackers abused a compromised manager account; names, contact details, birth dates and career data were leaked and offered for sale.

Victim
Choisir le service public (Gouv.fr)
Records
377.4K
Data breachContained

697,313 Substack records exposed in data leak

Substack disclosed in February 2026 that an unauthorized third party scraped its systems, exposing roughly 697,313 user records including email addresses, phone numbers, names, user and Stripe IDs, and profile metadata; passwords and financial data were not affected.

Victim
Substack
Records
697.3K
Data breachUnknown

Leak at French Army

In late January 2026, a hacker claimed to have exfiltrated 2,971 files (about 4.5 GB, including 1,533 PDFs) from the French Army (Armée de Terre) via a compromised account, with documents marked 'Diffusion Restreinte' (restricted distribution) and internal technical guides.

Victim
French Army
Data breachUnknown

21,647 people affected by a data leak at Inria

Disclosed on 31 January 2026, a confirmed data leak at France's Inria research institute exposed personal records of about 21,647 staff and collaborators from Inria, IRISA and partner research units, including names, dates of birth, postal addresses and household details.

Victim
Inria (Institut National de Recherche en Informatique et en Automatique)
Records
21.6K
Data breachContained

Leak at Code Rousseau

In late January 2026, French driving-education company Codes Rousseau disclosed unauthorized access to its Easysystème platform, exposing learner identity and contact details, ID photos, signatures and NEPH driving-licence numbers; ~30,000 records were later put up for sale.

Victim
Code Rousseau
Data breachUnknown

Leak at OpQuast

On 30 January 2026, a data leak at Opquast — the French web-quality assurance and certification company based in Mérignac — exposed the email addresses of around one hundred people.

Victim
OpQuast
Data breachResolved

Provecho data breach (2026)

In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed.

Victim
Provecho
Records
712.9K
Data breachOngoing

Leak at 11 real estate agencies

On 28 January 2026, a leak of roughly 1.18 million files (500+ GB) affecting 11 French real estate agencies — including Marteau Immobilier (Orpi), AFG Immobilier and Trenta Immobilier — was put up for sale on a cybercrime forum, exposing IDs, IBANs, contracts and credentials of an estimated 20,000+ owners, tenants and co-owners.

Victim
11 real estate agencies
Data breachUnknown

Leak at Puteaux Medical Imaging Centre

On 28 January 2026, patient personal data from the Centre d'Imagerie Médicale de Puteaux — a radiology and medical imaging centre in the Hauts-de-Seine — was exposed in a confirmed data breach, including names, dates of birth, contact details and appointment history.

Victim
Puteaux Medical Imaging Centre
Data breachResolved

Figure data breach (2026)

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth.

Victim
Figure
Records
967.2K
Data breachUnknown

Leak at Le CNAM

A dataset tied to the Conservatoire National des Arts et Métiers (CNAM), the French public higher-education institution, was reported leaked around 28 January 2026, exposing personal records for roughly 10,000 people including names, contact details, dates of birth and job information.

Victim
Le CNAM
Data breachUnknown

Leak at Lovys

On 28 January 2026, a data leak was claimed against Lovys, a French 100% digital neo-insurer, allegedly exposing customer records; the scale and exact data categories remain unverified.

Victim
Lovys
Data breachUnknown

Data leak at UGSEL

On 28 January 2026, a dataset exposing personal details of roughly 600 students linked to UGSEL — the French Catholic-schools sports federation — surfaced online, including names, gender, dates of birth and class/category information.

Victim
UGSEL
Supply chainUnknown

Data leak at Wemind (via Allianz)

On 28 January 2026, a data leak affecting Wemind, the French neo-insurer for freelancers and small businesses, exposed members' contact details — names, postal addresses, email addresses and phone numbers — through its Allianz insurance/back-office channel.

Victim
Wemind
Data breachUnknown

Leak at French Sports for All Federation

On 25 January 2026, the Fédération Française Sports pour Tous saw the personal data of 1,493 of its members exposed, including names, postal addresses, phone numbers, member status, affiliated club, qualifications and activities.

Victim
French Sports for All Federation
Records
1.5K
Data breachUnknown

Leak at Sciences Po

On 25 January 2026, a SQL dump of internal databases belonging to Sciences Po — the Paris Institute of Political Studies — surfaced online, exposing data held by the higher-education institution as part of a broader wave of French data leaks that month.

Victim
Sciences Po
Data breachResolved

CarMax data breach (2026)

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Victim
CarMax
Records
431.4K
Data breachResolved

Edmunds data breach (2026)

In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone…

Victim
Edmunds
Records
177.9K
Data breachContained

950,000 people affected by data leak at FFESSM

On 24 January 2026, France's underwater diving federation FFESSM disclosed a personal-data breach after unauthorised access to one of its IT systems exposed identity and contact details of members and licence holders, with roughly 950,000 people affected and data offered for sale on the dark web.

Victim
FFESSM (French Federation of Underwater Studies and Sports)
Records
950.0K
Data breachUnknown

Leak at Guiot de Bourg

On 24 January 2026, a customer database from French silver-jewelry brand Guiot de Bourg covering some 90,000 e-commerce accounts surfaced online, exposing names, emails, dates of birth, hashed passwords and order/payment metadata.

Victim
Guiot de Bourg
Data breachUnknown

Leak at Movida

Customer data from French vehicle-rental company Movida was exposed in a breach disclosed on 24 January 2026, including names, contact details and bank account numbers (IBANs).

Victim
Movida
Data breachUnknown

Leak at Panorama Banques

On 24 January 2026, a database attributed to French bank-comparison and credit-brokerage service Panorama Banques (Panorabanques) surfaced online, exposing personal, contact and detailed financial-profile data on roughly 2.34 million customers.

Victim
Panorama Banques
Records
2.3M
Supply chainUnknown

Leak at French Fencing Federation

On 23 January 2026, the French Fencing Federation (FFE) had its licensee database leaked as part of a wave of attacks on French sports federations, exposing members' names, contact details, postal addresses, nationality and licence/club information.

Victim
French Fencing Federation
Data breachContained

Leak at French Hunting Federation

On 23 Jan 2026 the Fédération Nationale des Chasseurs disclosed a breach of its hunting-permit validation portal, exposing names, dates of birth, postal/email addresses, phone numbers, federal IDs and licence details of roughly 1.4 million hunters.

Victim
French Hunting Federation
Records
1.4M
Data breachOngoing

1,200,000 people exposed in data leak at FFVolley

The French Volleyball Federation (FFVolley) confirmed a breach of its membership database affecting roughly 1.2 million licensees, with about 23 GB of highly sensitive files — including national ID cards, passports and birth certificates — exfiltrated and offered for sale.

Victim
French Volleyball Federation (FFVolley)
Records
1.2M
Data breachUnknown

Leak at French Firefighters Federation

On 23 January 2026, the French Firefighters Federation suffered a data breach exposing the personal records of roughly 822,449 firefighters, including names, email addresses, phone numbers and postal addresses.

Victim
French Firefighters Federation
Records
822.4K
Data breachUnknown

Leak at Grand Froid

On 23 January 2026, a customer database from French frozen-food home-delivery company Grand Froid (Saint-Nabord, Vosges) surfaced online, exposing customers' names, postal addresses and order dates.

Victim
Grand Froid
Data breachOngoing

Leak at Orpi

In January 2026, a database from the French real-estate network Orpi's owner/tenant extranet surfaced online, exposing names, postal addresses, IBANs, rent receipts and extranet logins with passwords stored in plain text.

Victim
Orpi
Data breachUnknown

Data leak at Too Easy

On 23 January 2026, a data leak attributed to Too Easy was reported, exposing customer personal data including names, email addresses, phone numbers and IP addresses. The full scale of the incident has not been publicly confirmed.

Victim
Too Easy
Data breachUnknown

Data leak at Valorissimo

Disclosed on 23 January 2026, a leak from Valorissimo — the French B2B new-build real estate marketplace owned by Bouygues Immobilier — exposed account data of platform users, including logins, email addresses, names, phone numbers, postal addresses and company affiliations.

Victim
Valorissimo
Data breachContained

Data leak at Waltio

In January 2026, French crypto-tax platform Waltio disclosed a breach exposing data from around 50,000 users — email addresses and 2024 tax-report summaries (gains/losses and year-end balances) — followed by an extortion attempt the company refused to pay.

Victim
Waltio
Records
50.0K
Data breachContained

1,416,000 records in the FNC and OFB data leak

In January 2026, the French National Hunters Federation (FNC) and the French Office for Biodiversity (OFB) suffered linked data breaches exposing personal data of roughly 1.4 million hunting-permit holders, with a 27 GB dataset offered for sale on the dark web.

Victim
French National Hunters Federation (FNC) & OFB
Records
1.4M
Data breachContained

822,499 FNSPF members affected by data leak

Around 822,499 members of France's National Firefighters Federation (FNSPF) had their personal data exposed in a January 2026 leak tied to a wider campaign of French federation breaches, with names, dates of birth, postal and email addresses and phone numbers harvested and resold on underground forums.

Victim
French National Firefighters Federation (FNSPF)
Records
822.5K
Data breachContained

Claimed leak at École nationale supérieure d'arts et métiers (volume not specified)

On 21 January 2026, French engineering grande école ENSAM (Arts et Métiers) disclosed a personal-data breach resulting from external malicious activity, exposing students' names, social security numbers, scholarship decisions and amounts, and work-stoppage dates; the total volume was not specified.

Victim
École nationale supérieure d'arts et métiers (ENSAM)
Data breachContained

Leak at ENSAM

ENSAM, a French public engineering school (Arts et Métiers), reported a data breach caused by a malicious external act, exposing students' names, social security numbers, scholarship award decisions and amounts, and sick-leave dates.

Victim
ENSAM
Data breachUnknown

Leak at ConseilJuridique.net

On 20 January 2026, a data leak affecting ConseilJuridique.net — a French online legal-consultation platform connecting individuals with lawyers — was reported, exposing customer account data; the precise scale and exposed fields were not publicly detailed.

Victim
ConseilJuridique.net
RansomwareUnknown

Claimed data leak at Delko - Ransomware

Delko, a French automotive repair and spare-parts franchise network, was hit by the Sinobi ransomware group around December 2025; the gang published the company on its leak site on 5 January 2026, with the claim relayed to affected customers and publicly on 20 January 2026.

Victim
Delko
Data breachContained

Leak at Info Jeunes Bourgogne Franche-Comté

In January 2026, Info Jeunes Bourgogne Franche-Comté, the regional youth information service running the Carte Avantages Jeunes, had identity data on some 282,906 cardholders stolen and offered for sale on the dark web; exposed fields were limited to identification and contact details.

Victim
Info Jeunes Bourgogne Franche-Comté
Records
282.9K
Data breachUnknown

Leak at Lire Demain

On 15 January 2026, French children's and educational book publisher Lire Demain (Auzou group) suffered a data breach exposing the personal details and order history of around 4,616 customers.

Victim
Lire Demain
Data breachContained

Leak at Eurail

In January 2026, Eurail B.V. — operator of the Interrail and Eurail rail-pass schemes — disclosed a data breach exposing personal and passport details of customers, with up to ~309,000 travellers reportedly affected and stolen data later offered for sale on the dark web.

Victim
Eurail
RansomwareOngoing

Data leak at Zurflüh-Feller

The Akira ransomware group listed French roller-shutter component manufacturer Zurflüh-Feller as a victim in early 2026, threatening to publish around 66 GB of stolen corporate data, including employee identity documents, financials, contracts and NDAs.

Victim
Zurflüh-Feller
Data breachUnknown

Leak at Blackstore

On 12 January 2026, French streetwear and sneaker retailer Blackstore had a customer database leaked exposing the personal and order details of 101,979 people, including names, email addresses, phone numbers, store locations and order records.

Victim
Blackstore
Records
102.0K
Data breachOngoing

Leak at Instagram

In January 2026 a dataset of about 17.5 million Instagram records — usernames, full names, email addresses, phone numbers and partial location data — went up for sale on a dark-web forum, reportedly harvested via a 2024 API scraping leak.

Victim
Instagram
Records
17.5M
Supply chainOngoing

Leak at monlogicielmedical.com

Breach of the MonLogicielMedical (MLM) practice software by Cegedim Santé, disclosed to affected doctors in early January 2026, exposing patient administrative records — name, date of birth, address, social-security scheme — for up to 11–15 million patients via compromised doctor accounts.

Victim
monlogicielmedical.com
Data breachUnknown

Claimed leak at ACRV.FR (web agency)

On 10 January 2026, a threat actor claimed a data leak at French digital agency ACRV.FR, alleging it had exfiltrated archives and databases tied to several client sites the agency hosts or maintains; the claim is unverified and the scale is unconfirmed.

Victim
ACRV.FR (web agency)
Data breachResolved

Betterment data breach (2026)

In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an…

Victim
Betterment
Records
1.4M
Data breachContained

561,502 licence holders affected by data leak at FFME

In January 2026 the French Federation of Mountaineering and Climbing (FFME) disclosed a data breach in which a fraudulently used member account gave illegitimate access to contact data — names, dates of birth, addresses, licence types — for its licence holders, a leak tracked at 561,502 records.

Victim
French Federation of Mountaineering and Climbing (FFME) #2
Records
561.5K
Data breachUnknown

599,797 licence holders: claimed data leak at FSGT

In January 2026, the Fédération Sportive et Gymnique du Travail (FSGT), a French workers' multisport federation, was hit by a claimed data leak exposing the personal records of its licence holders, with the claim referencing a database of roughly 600,000 accounts.

Victim
Workers' Sports and Gymnastics Federation (FSGT)
Records
599.8K
Data breachContained

Leak at EasyCash

A threat actor put a customer database stolen from second-hand retailer EasyCash up for sale on a hacking forum, exposing roughly 14 million records — names, dates of birth, postal addresses, phone numbers and email addresses — apparently extracted via a compromised internal/partner account.

Victim
EasyCash
Data breachContained

393,374 members affected in the data leak at FFCK

On 7 January 2026, a database of the French Canoe-Kayak Federation (FFCK) holding 31 years of member records was leaked, exposing the personal data of 393,374 members, including 392,892 postal addresses, 212,342 phone numbers and 158,434 unique emails.

Victim
French Canoe-Kayak Federation (FFCK)
Records
393.4K
Supply chainContained

599,797 FFRS licence holders affected by data leak

Roughly 600,000 licence holders of France's Roller and Skateboard Federation (FFRS) had their personal data exposed after the Rolskanet membership-management platform run by a shared third-party provider was breached, leaking names, contact details, and birth information.

Victim
French Roller and Skateboard Federation (FFRS) #2
Records
599.8K
Data breachResolved

Panera Bread data breach (2026)

In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses.

Victim
Panera Bread
Records
5.1M
Data breachContained

78,133 members affected by claimed data leak at FFPLUM

On 8 January 2026 the French Microlight Federation (FFPLUM) disclosed that an attacker had fraudulently accessed an administrator account on its licence-management platform, exposing the personal data of roughly 78,000 members, including names, dates of birth, postal addresses, emails and phone numbers.

Victim
French Microlight Federation (FFPLUM)
Records
78.1K
Supply chainUnknown

133,297 members affected by Lions Clubs of France data leak

In early January 2026, a member database of the Fondation des Lions de France (Lions Clubs of France) was published on BreachForums, exposing 133,297 deduplicated individuals — including full civil status, home addresses, phone numbers and profile photos — in a leak traced to the MyAssoc club-management platform.

Victim
Lions de France Foundation (Lions Clubs of France)
Records
133.3K
Data breachContained

Data leak at DCE Conseil and partners (prisons, armed forces, luxury)

French engineering consultancy DCE Conseil suffered a breach after an employee's cloud account was compromised with stolen credentials, exposing roughly 844 GB of sensitive technical files — including plans of prisons, a military base and luxury and corporate clients — later offered for sale on BreachForums.

Victim
DCE Conseil (Various partners: prisons, armed forces, luxury, etc.)
Data breachOngoing

800,000 records in Adecco data leak

In early January 2026, staffing agency Adecco was hit by a data leak after a threat actor put a database of roughly 800,000 candidate profiles — including about 750,000 CVs with names, contact details and work histories — up for sale, claiming extraction from an internal Adecco tool.

Victim
Adecco
Records
800.0K
Data breachContained

Data leak at AgroParisTech

In January 2026, AgroParisTech — France's leading graduate school of agronomy and life sciences — suffered a cyberattack in which an intruder claimed to have exfiltrated around 211 GB of data, exposing HR and personal records of staff, students and external contributors.

Victim
AgroParisTech
Supply chainOngoing

2.1 million: data leak at OFII / ANEF

On 1 January 2026, a database of around 2.1 million records belonging to France's OFII / ANEF "Étrangers en France" immigration portal was put up for sale on BreachForums, exposing foreign nationals' identities, contact details, family situation and residence-permit data after a subcontractor was compromised.

Victim
OFII / ANEF ("Étrangers en France" portal – French Ministry of the Interior)
Records
2.1M
Data breachContained

Leak at French Speleology Federation

On 31 December 2024 the French Speleology Federation (FFS) disclosed a data leak from its insurance-subscription portal, exposing members' identity, contact details, nationality, profession and licence numbers as part of a wider wave of attacks on French sports federations.

Victim
French Speleology Federation
Data breachContained

Leak at Grenoble School of Management

On 29 December 2025, an actor calling themselves CZX leaked a 1.35 GB database of more than 400,000 Grenoble École de Management students, alumni and prospects on BreachForums, exposing names, contact details and academic records.

Victim
Grenoble School of Management
Data breachOngoing

Data leak at Université de Lille

On 29 December 2025, a record of 7,244 Université de Lille students — reportedly from an IUT Informatique internship database — was posted on BreachForums by an actor using the LAPSUS$ name, exposing names, dates of birth, postal addresses, emails and phone numbers.

Victim
Université de Lille
Records
7.2K
Data breachResolved

WhiteDate data breach (2025)

In December 2025, the dating website "for a Europid vision" WhiteDate suffered a data breach that was subsequently leaked online, initially exposing 6.1k unique email addresses. The leaked data included extensive personal information such as physical appearance, income, education and IQ.

Victim
WhiteDate
Records
20.4K
Data breachOngoing

Leak at Allegro Musique

On 28 December 2025, a database of 161,412 members of French at-home music-lesson provider Allegro Musique was leaked, exposing names, postal addresses, emails, phone numbers, social security numbers and registration details.

Victim
Allegro Musique
Records
161.4K
Data breachContained

Leak at Batterie de Portable

On 28 Dec 2025, French e-commerce retailer Batteriedeportable (Aubagne) disclosed a November cyberattack that exposed customer identity and contact data — names, dates of birth, postal/email addresses and phone numbers. It claims over a million European customers.

Victim
Batterie de Portable
Data breachUnknown

Leak at Europages

On 28 December 2025, a database of 205,403 B2B prospects from European business directory Europages was reported leaked, exposing contact and company-registration details (names, job titles, employers, postal and email addresses, phone numbers, SIRET and VAT identifiers).

Victim
Europages
Records
205.4K
Data breachOngoing

Leak at ENI

In December 2025, the French operations of Italian energy group ENI suffered a data breach claimed by the Lapsus$ group, exposing professional contact details for tens of thousands of business customers; ENI confirmed the incident and notified the CNIL.

Victim
ENI
Data breachContained

Leak at HelloWork

In late December 2025, French recruitment platform HelloWork disclosed that data on roughly 2.8 million jobseekers — names, emails and professional-profile details — was scraped from its CV library via a fraudulently used recruiter account and offered for sale online.

Victim
HelloWork
Records
2.8M
Data breachUnknown

Leak at PayTrip

On 27 December 2025, French money-transfer fintech PayTrip suffered a data breach exposing data on 74,877 customers, including names, contact details, IBANs and account balances, later circulated online by a threat actor.

Victim
PayTrip
Records
74.9K
RansomwareContained

Leak at Commune de Lens

In late December 2025, the town hall of Lens (Pas-de-Calais, France) disclosed an intrusion into its information system that paralysed municipal services for about a week, blocking staff software and telephone lines; the attack vector was undisclosed and data theft was not confirmed.

Victim
Commune de Lens
Data breachUnknown

Leak at French Kick Boxing Federation

In late December 2025, the French Kick Boxing Federation (FFKMDA) had its member database leaked on BreachForums, exposing 361,321 licensees' names, dates of birth, nationalities, contact details, postal addresses and licence records across 2015-2026 seasons.

Victim
French Kick Boxing Federation
Records
361.3K
Data breachContained

Leak at Mondial Relay

In December 2025, French parcel-delivery firm Mondial Relay disclosed a cyberattack in which attackers accessed customer and shipment data — names, emails, postal addresses, phone numbers and parcel-tracking details; a dark-web actor claimed roughly 25.7 million records.

Victim
Mondial Relay
Data breachUnknown

Leak at Nouvelle Lune

On 26 December 2025, a customer database from French online boutique Nouvelle Lune was leaked, exposing personal data for roughly 161 customers, including names, email and postal addresses, and order history.

Victim
Nouvelle Lune
Data breachContained

Leak at French Swimming Federation

Data on roughly 1.3 million members of the French Swimming Federation (FFN) was put up for sale on BreachForums on 23 December 2025 after its Extranat management platform was breached, exposing identity details, contact information and licence numbers.

Victim
French Swimming Federation
Records
1.3M
Data breachUnknown

Leak at 123 casting

On 22 December 2025, a database of roughly 240,000 users of French casting platform 123casting was published on BreachForums, exposing identities, contact details, MD5-hashed passwords, physical measurements, ethnic origin, photo/video books, private messages and payment data.

Victim
123 casting
Records
240.0K
Data breachContained

Leak at Altitude Infra

Altitude Infra, a major French independent fiber-optic infrastructure operator, had ~5.76 GB (52 files) stolen from a partner extranet and offered for sale online, exposing network documentation, ISP-partner files and end-customer eligibility data across its 3M+ connected locations.

Victim
Altitude Infra
Data breachUnknown

Leak at justice.fr

On 22 December 2025 a database attributed to the French justice system (justice.fr) recirculated online, exposing personal, professional and banking data — including IBAN/BIC — of 1,100+ magistrates, judges, lawyers and judicial staff.

Victim
justice.fr
Data breachContained

Leak at Chronopost

In December 2025, a 680 MB dataset on ~860,000 Chronopost customers — names, emails and parcel details scraped from the La Poste Pickup relay-point network — was published on BreachForums; the data covered shipments from spring 2025.

Victim
Chronopost
Records
860.0K
Data breachUnknown

Leak at La Licra

On 19 December 2025, a data leak at French anti-racism association La Licra (LICRA) exposed the email addresses and hashed passwords of 186 website subscribers and 8 administrators.

Victim
La Licra
Data breachContained

Leak at the French Ministry of Sports

On 19 December 2025 France's Ministry of Sports confirmed a breach of a system tied to the Pass'Sport aid scheme, exposing data on about 3.5 million households — names, dates of birth, contact details, social security, INE and CAF numbers — published on a criminal forum.

Victim
French Ministry of Sports
Data breachContained

Leak at Red by SFR

In December 2025, French telecom operator SFR disclosed a data breach affecting Red by SFR customers, exposing names, postal and email addresses, phone numbers and customer reference numbers after an internal fiber-connection management tool was compromised.

Victim
Red by SFR
Data breachUnknown

Leak at Parashop

On 17 December 2025, a leak of customer data from French parapharmacy retailer Parashop was disclosed, exposing personal records including full names, dates of birth and postal addresses.

Victim
Parashop
Data breachResolved

Pass'Sport data breach (2025)

In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum. Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households.

Victim
Pass'Sport
Records
6.4M
Data breachResolved

APOIA.se data breach (2025)

In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.

Victim
APOIA.se
Records
450.8K
Supply chainOngoing

Leak at PornHub

On 16 December 2025, adult-content platform Pornhub disclosed that historical analytics data on select Premium users — including email addresses and search/viewing history — was stolen via third-party provider Mixpanel; ShinyHunters claimed ~200 million records and demanded a ransom.

Victim
PornHub
Data breachContained

Data leak at SoundCloud

In December 2025, music-streaming platform SoundCloud disclosed a breach in which an attacker abused an internal system to map roughly 29.8 million private email addresses to public profile data — about 20% of its users; no passwords or payment data were taken.

Victim
SoundCloud
Records
29.8M
Data breachResolved

Raaga data breach (2025)

In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5…

Victim
Raaga
Records
10.2M
Data breachContained

Leak at the French Ministry of the Interior

In December 2025, attackers compromised professional email accounts at France's Ministry of the Interior and accessed sensitive police files including the TAJ criminal-records and FPR wanted-persons databases; the ministry confirmed a few dozen files were exfiltrated while attackers claimed data on 16.4 million people.

Victim
French Ministry of the Interior
Data breachUnknown

Leak at Euromatik

On 12 December 2025, customer data from French roller-shutter and home-automation retailer Euromatik was exposed in a breach, including names, postal and email addresses, phone numbers, order and contract details, and hashed passwords.

Victim
Euromatik
Data breachUnknown

Leak at France Ventilation

On 12 December 2025, France Ventilation, a French ventilation and air-treatment specialist, disclosed a data breach that exposed customers' payment card details — card number, expiration date and CVV — raising a direct risk of banking fraud.

Victim
France Ventilation
Data breachContained

Leak at French Cycling Federation

On 10 December 2025, the Fédération Française de Cyclisme detected an intrusion (via stolen credentials/infostealers, no MFA) exposing licensees' names, dates of birth, nationality, postal addresses, emails and phone numbers; group Dumpsec also claimed to hold ID documents.

Victim
French Cycling Federation
RansomwareOngoing

Leak at Résidence du Parc (Champdeniers-Saint-Denis)

In December 2025, the EHPAD Résidence du Parc nursing home in Champdeniers-Saint-Denis (Deux-Sèvres, France), home to around 90 residents, was hit by a ransomware attack that encrypted files and dropped a $5 million ransom note; administrative data and possibly scanned ID documents were exposed.

Victim
Résidence du Parc (Champdeniers-Saint-Denis)
Supply chainContained

Data leak at UFOLEP (via Exalto)

On 10 December 2025, UFOLEP — the French multi-sport federation — disclosed that a compromised account on its third-party licence-management provider Exalto exposed at least 3,624 member records, including identity, contact and legal-guardian details.

Victim
UFOLEP
Records
3.6K
Data breachResolved

Dragonica Lunaris data breach (2025)

In December 2025, the European Dragonica private server Dragonica Lunaris suffered a data breach. The incident exposed 126k email addresses, usernames, dates of birth and bcrypt password hashes. The service operator confirmed the breach and advised it has since been fixed.

Victim
Dragonica Lunaris
Records
126.3K
Supply chainContained

Leak at ASAF & AFPS (via Itelis)

Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.

Victim
ASAF & AFPS
Data breachContained

Leak at Cuisinella

In December 2025, French kitchen retailer Cuisinella (Schmidt Groupe) disclosed that an unauthorized third party accessed customer contact details — title, first name, last name, phone number and email address — for thousands of customers; no bank, address or password data was exposed.

Victim
Cuisinella
Data breachContained

Leak at French Handball Federation (via GestHand)

In early December 2025, the French Handball Federation (FFHandball) disclosed that its GestHand administrative platform — used by some 2,400 clubs, committees and leagues — was breached via compromised credentials, exposing licensees' names, gender, dates of birth, emails and phone numbers.

Victim
French Handball Federation
Data breachContained

Leak at Schmidt

In early December 2025, French kitchen and home-furnishing group Schmidt (brands Schmidt and Cuisinella) disclosed that an unauthorized third party had accessed the contact details of thousands of customers and prospects — title, name, first name, phone number and email address.

Victim
Schmidt
Data breachContained

Leak at Médecin Direct

MédecinDirect, the French teleconsultation platform (a Teladoc Health subsidiary), disclosed on 3 December 2025 a data breach detected on 28 November exposing the personal and health data of around 285,000 patients, with a threat actor claiming up to 323,069 records.

Victim
Médecin Direct
Data breachContained

Leak at Leroy Merlin

In December 2025, French DIY retailer Leroy Merlin disclosed a cyberattack that exposed the loyalty-program data of several hundred thousand French customers, including names, contact details, postal addresses and dates of birth; no banking data or passwords were affected.

Victim
Leroy Merlin
Data breachContained

Leak at France Travail

On 1 December 2025, France Travail and the Missions Locales network disclosed that an attacker who hijacked a local-mission agent's account accessed records of about 1.6 million young people, exposing names, dates of birth, social security numbers and contact details.

Victim
France Travail
Records
1.6M
RansomwareOngoing

Leak at La Centrale du Financement

A threat actor exfiltrated around 387 GB of data (some 411,000 files) from French mortgage and credit broker La Centrale de Financement, exposing highly sensitive customer KYC documents, financial records and internal files, then offered the dataset for sale after failed extortion negotiations.

Victim
La Centrale du Financement
Data breachContained

Leak at French Football Federation (via Footclub)

In late November 2025, the French Football Federation disclosed that attackers used a compromised account to access its Footclubs club-management software and exfiltrate licensees' personal data, including names, dates and places of birth, addresses, contact details and license numbers.

Victim
French Football Federation
Supply chainContained

Leak at La Rochelle (via Synbird)

Personal data of 394 La Rochelle residents who booked civil-status appointments was exposed after an attacker exploited a flaw in Synbird, the town hall's third-party appointment-scheduling provider, which serves roughly 1,300 French communes.

Victim
La Rochelle
Records
394
Supply chainContained

Leak at AG2R la Mondiale (via Itelis)

Disclosed in November 2025, a cyberattack on Itelis — the optical-care third-party network used by insurer AG2R la Mondiale — exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.

Victim
AG2R la Mondiale
Supply chainContained

Leak at Clinique du Millénaire (via Weda)

Clinique du Millénaire in Montpellier was exposed when its medical-records software vendor Weda was breached in November 2025, putting patient identity, contact details and health data at risk among the millions of records handled across Weda's ~23,000 affected practitioners.

Victim
Clinique du Millénaire
Data breachContained

Leak at French Dance Federation

In November 2025, the French Dance Federation (FFDanse) suffered a cyberattack on its extranet that damaged the server and exposed licence-holders' personal data, including names, dates of birth, contact details, licence numbers and hashed passwords; no medical or banking data was affected.

Victim
French Dance Federation
Data breachContained

Leak at Itelis

In November 2025, Itelis — a French optical health-care network linked to AXA — disclosed a breach exposing roughly 1.6 million beneficiaries' identity and optical-reimbursement data, including names, dates of birth and social security numbers.

Victim
Itelis
Data breachUnknown

Leak at ProxiServe

On 25 November 2025, a database belonging to French residential maintenance firm ProxiServe surfaced on a hacker forum, exposing personal and service data on 294,639 customers, including names, emails, postal addresses and details of home interventions.

Victim
ProxiServe
Records
294.6K
Supply chainContained

Leak at APRS (via Itelis)

APRS members were exposed in the November 2025 breach of Itelis, AXA's third-party optical-care platform, after an attacker posed as a partner optician; leaked data included names, dates of birth, social security numbers, optical reimbursement records and vision-correction details.

Victim
APRS
Supply chainContained

Leak at Quimper town hall (via RDV360)

In November 2025, the city of Quimper (France) was caught in a supply-chain breach of appointment-booking provider RDV360, exposing roughly 12,000 contact records (name, postal code, email, phone) of residents who booked ID-card or passport renewals since April 2024.

Victim
Quimper town hall
Records
12.0K
Data breachContained

Leak at Colis Privé

In November 2025, French parcel-delivery firm Colis Privé disclosed unauthorized access to part of its systems that exposed customer contact data — names, postal and email addresses and phone numbers. A threat actor advertised a dataset reportedly running to tens of millions of rows; no passwords or banking data were affected.

Victim
Colis Privé
RansomwareOngoing

Leak at Michelin

In November 2025, the Cl0p extortion gang listed French tyre maker Michelin on its leak site, claiming to have stolen internal manufacturing, engineering, supply-chain, financial and HR files via the Oracle E-Business Suite zero-day (CVE-2025-61882).

Victim
Michelin
Data breachContained

Leak at Murfy

In November 2025, French home-appliance repair and refurbishment company Murfy disclosed a data breach exposing the personal data of around 294,000 customers — names, email and postal addresses, phone numbers and service-history details — but no banking data or passwords.

Victim
Murfy
Records
294.1K
Supply chainContained

Data leak at Suzuki

Suzuki France disclosed that a cyberattack on one of its third-party partner systems exposed a customer file containing names, email addresses, postal addresses and phone numbers; no financial data or passwords were affected.

Victim
Suzuki
Data breachOngoing

Leak at Resana

On 18 November 2025, users of Resana — France's interministerial collaborative platform run by DINUM — were notified of a data exfiltration after attackers logged in with a compromised account. Up to roughly one million public agents were potentially exposed, triggering ransom emails to civil servants.

Victim
Resana
Supply chainContained

Data leak at Synbird

In November 2025, Synbird — the SaaS provider handling municipal appointment bookings for around 1,300 French communes — disclosed a breach in which an attacker abused a weakly-secured PDF export to exfiltrate residents' contact details and appointment information.

Victim
Synbird
Data breachContained

Leak at Eurofiber

In November 2025, Dutch fibre-network operator Eurofiber's French unit was breached via an SQL-injection flaw in its outdated GLPI ticketing system, exposing technical and credential data tied to more than 3,600 customer organisations, including major firms and public bodies.

Victim
Eurofiber
Data breachContained

Leak at Pajemploi

In November 2025, Pajemploi — the Urssaf service used by French households to declare and pay childcare workers — disclosed a data theft affecting up to 1.2 million employees, exposing names, social security numbers, dates/places of birth, postal addresses and Pajemploi/accreditation numbers.

Victim
Pajemploi
Records
1.2M
Data breachResolved

Under Armour data breach (2025)

In November 2025, the Everest ransomware group claimed to have stolen 343GB of data from apparel maker Under Armour. After no ransom was paid, customer data was leaked in January 2026, exposing roughly 72.7 million unique email addresses with names, dates of birth, genders, locations and purchase histories. This is a separate incident from the 2018 MyFitnessPal breach.

Victim
Under Armour
Records
72.7M
Data breachResolved

CodeStepByStep data breach (2025)

In November 2025, the online coding practice tool CodeStepByStep suffered a data breach that exposed 17k records which were subsequently published online. The following month, a further corpus of data was released bringing the total to 103k.

Victim
CodeStepByStep
Records
103.1K
Data breachResolved

Operation Endgame 3.0 data breach (2025)

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in…

Victim
Operation Endgame 3.0
Records
2.0M
Data breachContained

Data leak at Weda

On 12 November 2025, French medical-software publisher Weda disclosed a cyberattack in which compromised practitioner credentials (stolen by infostealer malware) gave attackers unauthorized access to its patient-record platform, potentially exposing sensitive medical data for tens of thousands of healthcare professionals.

Victim
Weda
Data breachContained

Leak at French Cardiology Federation

Around 11 November 2025, the Fédération Française de Cardiologie disclosed that an unauthorized intrusion into its IT systems exposed members' personal data — including names, postal and email addresses, phone numbers and passwords. No banking or medical data was compromised.

Victim
French Cardiology Federation
Data breachResolved

International Kiteboarding Organization data breach (2025)

In November 2025, the International Kiteboarding Organization suffered a data breach that exposed 340k user records. The data was subsequently listed for sale on a hacking forum and included email addresses, names, usernames and in many cases, the user's city and country.

Victim
International Kiteboarding Organization
Records
340.3K
Data breachUnknown

Leak at Oui Heberg

On 10 November 2025, French web-hosting and VPS provider OuiHeberg was reported to have leaked customer contact records — names, email addresses, phone numbers and postal addresses — following a security incident affecting its infrastructure.

Victim
Oui Heberg
Data breachResolved

Beckett Collectibles data breach (2025)

In November 2025, Beckett Collectibles experienced a data breach accompanied by website content defacement. The stolen data was later advertised for sale on a prominent hacking forum, with portions subsequently released publicly.

Victim
Beckett Collectibles
Records
1.0M
Data breachUnknown

Leak at MYM

In November 2025, a database of around 5 million records from French adult-content subscription platform MYM was published on a cybercrime forum, exposing creators' and subscribers' names, emails, postal addresses, phone numbers, IP addresses, birthdates and MD5-hashed passwords; the data traces back to a 2021 compromise.

Victim
MYM
Records
5.0M
Data breachResolved

Zilvia.net data breach (2025)

In November 2025, data breached from the Zilvia.net Nissan 240SX Silvia and Z Fairlady car forum was leaked. The breach exposed 288k unique email addresses along with usernames, IP addresses and salted MD5 password hashes sourced from the vBulletin based platform.

Victim
Zilvia.net
Records
287.9K
Data breachResolved

University of Pennsylvania data breach (2025)

In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims.

Victim
University of Pennsylvania
Records
623.8K
Credential stuffingOngoing

Leak at France Travail

In late October 2025, France Travail — France's public employment agency — disclosed a breach in which attackers used credentials harvested by infostealer malware to access job-seeker accounts and exfiltrate sensitive personal, identity and financial data; about 16,479 affected records were catalogued.

Victim
France Travail
RansomwareContained

Leak at Poltronesofa

On 27 October 2025, Italian sofa and furniture retailer Poltronesofà suffered a ransomware attack that encrypted its servers and exposed personal data of thousands of customers, including names, postal addresses, emails, phone numbers and tax identification numbers; no banking data was affected.

Victim
Poltronesofa
Data breachResolved

MyVidster (2025) data breach (2025)

In October 2025, the data of almost 4M MyVidster users was posted to a public hacking forum. Separate to the 2015 breach, this incident exposed usernames, email addresses and in a small number of cases, profile photos.

Victim
MyVidster (2025)
Records
3.9M
Data breachContained

Leak at French Shooting Federation (via ITAC)

An intrusion into the French Shooting Federation's ITAC information system between 18-20 October 2025 exposed personal data of its licensees — including licence numbers, civil status and contact details — with up to around 274,000 members potentially affected.

Victim
French Shooting Federation
Data breachResolved

Substack data breach (2025)

In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as…

Victim
Substack
Records
663.1K
Data breachOngoing

Leak at Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie

A September 2025 cyberattack on regional health-identity platforms used by several French Regional Health Agencies (ARS) exposed patient identity data; an attacker claimed roughly 35 million patient records across 130+ public hospitals, later offered for sale by the DumpSec group.

Victim
Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie
RansomwareOngoing

Leak at Haute-Comté intercommunal hospital centre

On 19 October 2025, the Centre Hospitalier Intercommunal de Haute-Comté in Pontarlier (France) was hit by a Cryptolocker ransomware attack that encrypted part of its data, forcing a full IT shutdown and a return to paper-based care; attackers demanded a 5 million euro ransom.

Victim
Haute-Comté intercommunal hospital centre
Supply chainContained

Leak at Mango

In October 2025, Spanish fashion retailer Mango disclosed that an external marketing service provider was breached, exposing customers' first name, country, postal code, email address and phone number; no passwords or banking data were affected.

Victim
Mango
Data breachContained

Leak at Agence Régionale de Santé des Hauts-de-France

A cyberattack on the shared regional health platform (Prédice/GIP Inéa) hosting patient identity data from public hospitals in Hauts-de-France exposed records such as names, dates and places of birth, contact details and, in some cases, social security numbers; medical records were not affected.

Victim
Agence Régionale de Santé des Hauts-de-France
RansomwareOngoing

Leak at Hauts-de-France high schools

Ransomware group Qilin attacked the IT systems of public high schools run by France's Hauts-de-France region in October 2025, paralysing some 80% of around 269 schools and claiming over 1 TB of stolen data including students' ID documents, CVs and academic transcripts.

Victim
Hauts-de-France high schools
Data breachContained

Leak at France Travail

On 6 October 2025, France Travail — France's national public employment agency — was hit by one of several 2025 data leaks, with personal records of roughly 5,500 job seekers exposed, including names, France Travail IDs, registration categories, email addresses, RSA welfare status and CIR identifiers.

Victim
France Travail
Data breachResolved

TISZA Világ data breach (2025)

In late October 2025, data breached from the Hungarian political party TISZA was published online before being extensively redistributed. Stemming from a compromise of the TISZA Világ service earlier in the month, the breach exposed 200k records of personal data including email addresses along with…

Victim
TISZA Világ
Records
198.5K
Supply chainContained

Leak at Discord

On 4 October 2025 Discord disclosed a breach of a third-party customer-support provider that exposed support-ticket data and roughly 70,000 government-ID photos (submitted for age-verification appeals), plus names, emails, IP addresses and partial billing details.

Victim
Discord
Records
70.0K
Data breachResolved

Canadian Tire data breach (2025)

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses.

Victim
Canadian Tire
Records
38.3M
RansomwareContained

Asahi Group Holdings Qilin ransomware (2025)

Qilin ransomware operators encrypted servers across Asahi's Japanese data centres, halting ordering, shipment, and production at 30 factories, leaking 27 GB of internal data, and exposing personal information of approximately 1.5 million customers, employees, and contacts.

Victim
Asahi Group Holdings
Loss
$31.4M
Records
1.5M
Data breachUnknown

Leak at France Travail

On 25 September 2025, a leak attributed to France Travail, France's public employment agency, exposed the personal data of about 9,971 job seekers, including their email addresses, names and the email address of their assigned advisor.

Victim
France Travail
Records
10.0K
Supply chainContained

Leak at La Nef

In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.

Victim
La Nef
Supply chainContained

Leak at Inovie Labosud

On 23 September 2025, French medical-lab group Inovie Labosud disclosed a breach exposing administrative and medical data of an estimated 3.2 million patients after attackers used a third-party provider's stolen credentials.

Victim
Inovie Labosud
Records
3.2M
Data breachContained

Leak at Digital Charging Solutions

In September 2025, EV-charging billing provider Digital Charging Solutions disclosed that a contracted third-party service provider had accessed customer records without authorization, exposing names and email addresses of an initial single-digit number of affected users.

Victim
Digital Charging Solutions
Data breachOngoing

Leak at French Table Tennis Federation

On 19 September 2025, the French Table Tennis Federation (FFTT) disclosed a data breach in which an attacker used a compromised account to bulk-extract member records, exposing the personal data of as many as 254,000 licensees, though no banking or health data.

Victim
French Table Tennis Federation
Data breachContained

Leak at Clarins

French luxury skincare group Clarins confirmed in September 2025 that the Everest extortion gang had exfiltrated contact details of customers in France, the US and Canada; the actor claimed over 600,000 records, with no financial data affected.

Victim
Clarins
Records
600.0K
Data breachContained

Leak at Plex

On 9 September 2025, media-streaming software company Plex disclosed that an unauthorized third party had accessed one of its databases, exposing user emails, usernames, securely hashed passwords and authentication data, and forcing an account-wide password reset.

Victim
Plex
Data breachResolved

WIRED data breach (2025)

In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online. The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number,…

Victim
WIRED
Records
2.4M
Data breachUnknown

Leak at Eklo

On 3 September 2025, a data leak was claimed affecting Eklo, a French budget and eco-friendly hotel chain. Details on the volume and exact categories of exposed customer data remain unverified.

Victim
Eklo
Data breachUnknown

Data leak at Syma Mobile

In September 2025, a database of 117,963 Syma Mobile customers — exposing names, dates of birth, postal and email addresses, phone numbers and ID-document details — was put up for sale on a dark-web forum alongside other French datasets.

Victim
Syma Mobile
Records
118.0K
Data breachResolved

Prosper data breach (2025)

In September 2025, Prosper announced that it had detected unauthorised access to their systems, which resulted in the exposure of customer and applicant information. The data breach impacted 17.6M unique email addresses, along with other customer information, including US Social Security numbers.

Victim
Prosper
Records
17.6M
Data breachResolved

Artists&Clients data breach (2025)

In August 2025, the "marketplace that connects artists to prospective clients" Artists&Clients, suffered a data breach and subsequent ransom demand of US$50k.

Victim
Artists&Clients
Records
95.4K
Data breachResolved

Miljödata data breach (2025)

In August 2025, the Swedish system supplier Miljödata was the victim of a ransomware attack. Following the attack, data was subsequently published on the dark web and included 870k unique email addresses across various compromised files.

Victim
Miljödata
Records
870.1K
Data breachContained

Leak at Auchan

In August 2025, French retailer Auchan disclosed a breach exposing personal data of several hundred thousand Waaoh loyalty-program customers — names, titles, postal and email addresses, phone numbers and loyalty card numbers; bank data and PINs were not affected.

Victim
Auchan
Social engineeringContained

Leak at Google

In August 2025, Google confirmed that a Salesforce CRM instance holding contact data for small-business Google Ads prospects was breached by ShinyHunters (UNC6040) via a vishing attack, exposing roughly 2.55 million records of business names, emails and phone numbers.

Victim
Google
Records
2.5M
RansomwareUnknown

Leak at Partner Immo

On 13 August 2025, Partner Immo, a French provider of online property- and condominium-management software, was reported as the target of a ransomware/data-leak incident; the exact scope and exposed data were not publicly confirmed.

Victim
Partner Immo
Supply chainContained

Leak at Alltricks

In August 2025, French online cycling and sports retailer Alltricks had its Sendinblue/Brevo email-marketing system compromised; attackers sent customers convincing phishing emails from the brand's own infrastructure, exposing names, email addresses and purchase history.

Victim
Alltricks
Data breachContained

Leak at France Travail

On 12 August 2025, France Travail, France's public employment agency, disclosed unauthorized access to its employer-facing job portal that exposed the contact details of business users — names, email addresses, phone numbers and an internal technical identifier.

Victim
France Travail
Data breachResolved

BreachForums (2025) data breach (2025)

In October 2025, a reincarnation of the hacking forum BreachForums, which had previously been shut down multiple times, was taken offline by a coalition of law enforcement agencies.

Victim
BreachForums (2025)
Records
672.2K
Data breachResolved

Giglio data breach (2025)

In August 2025, over 1M unique email addresses appeared in a breach allegedly obtained from Italian fashion designer Giglio. The data also included names, phone numbers and physical addresses. Giglio did not respond to repeated attempts to disclose the incident.

Victim
Giglio
Records
1.0M
Data breachContained

Leak at Optic 2000

In early August 2025, French optician chain Optic 2000 was hit by a cyberattack — confirmed on 30 July 2025 and affecting four stores around Paris — that exposed customer records including names, social security numbers, dates of birth, postal addresses, phone numbers and optician details.

Victim
Optic 2000
Supply chainContained

Leak at Air France

In August 2025, Air France-KLM disclosed that attackers accessed customer data — names, contact details, Flying Blue loyalty numbers and status, and customer-service request subjects — via a compromised third-party customer-service platform.

Victim
Air France
Data breachContained

Leak at Bouygues Telecom

On 6 August 2025, French telecom operator Bouygues Telecom disclosed a cyberattack that exposed personal data of 6.4 million customer accounts, including contact details, contractual data, civil status and IBANs (no card numbers or passwords).

Victim
Bouygues Telecom
Records
6.4M
Supply chainContained

Leak at Pandora

In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data — names, email addresses and birth dates — while stating no passwords or payment data were taken.

Victim
Pandora
Data breachResolved

Pi-hole data breach (2025)

In July 2025, a vulnerability in the GiveWP WordPress plugin exposed the names and email addresses of approximately 30k donors to the Pi-hole network-wide ad blocking project. Pi-hole subsequently self-submitted the list of impacted donors to HIBP.

Victim
Pi-hole
Records
29.9K
Data breachResolved

Hello Cake data breach (2025)

In July 2025, the sexual healthcare product maker Hello Cake suffered a data breach. The data was subsequently posted on a public hacking forum and included 23k unique email addresses along with names, phone numbers, physical addresses, dates of birth and purchases.

Victim
Hello Cake
Records
22.9K
RansomwareContained

Leak at Orange

On 25 July 2025, French telecom group Orange detected unauthorized access to one of its information systems; the Warlock ransomware group later claimed the attack and published about 4 GB of data, which Orange described as outdated or low-sensitivity.

Victim
Orange
Supply chainContained

Leak at France Travail

France Travail disclosed on 22 July 2025 that an intrusion via its Kairos platform exposed the personal data of around 340,000 job seekers, including names, postal and email addresses, phone numbers, France Travail IDs and jobseeker status; passwords and bank details were not affected.

Victim
France Travail
Records
340.0K
RansomwareOngoing

Leak at Groupe 5àSec

The DragonForce ransomware group claimed a July 2025 attack on French dry-cleaning chain 5àSec, exfiltrating roughly 290 GB of data — SQL production and test databases spanning the group's France, Switzerland, Luxembourg, Spain and Portugal operations — and published it after the company declined to pay.

Victim
Groupe 5àSec
Data breachResolved

Allianz Life data breach (2025)

In July 2025, Allianz Life was the victim of a cyber attack which resulted in millions of records later being leaked online. Allianz attributed the attack to "a social engineering technique" which targeted data on Salesforce and resulted in the exposure of 1.1M unique email addresses, names,…

Victim
Allianz Life
Records
1.1M
Data breachContained

Leak at Centre National de la Fonction Publique Territoriale

In July 2025, France's CNFPT — the national training body for local-government staff — disclosed a targeted intrusion into its trainers' portal that exposed personal files of about 34,000 external instructors, including ID documents, bank details (RIB), contracts, diplomas and CVs.

Victim
Centre National de la Fonction Publique Territoriale
Records
34.0K
Data breachContained

Leak at Louis Vuitton

In July 2025, French luxury brand Louis Vuitton disclosed that an unauthorized third party had accessed customer data — names, contact details, postal addresses, dates of birth and purchase history — as part of a global breach affecting clients in France, South Korea and other markets; no payment data was exposed.

Victim
Louis Vuitton
Data breachResolved

Canada Goose data breach (2025)

In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card…

Victim
Canada Goose
Records
581.9K
Social engineeringContained

C&M Software Pix heist (Brazil, 2025)

A junior developer at C&M Software — a Central Bank-authorized provider of Pix instant-payment connectivity — was paid roughly R$5,000 to hand over credentials. Attackers used the access to drain approximately R$800 million ($148 million) from reserve accounts at six Brazilian financial institutions in 2.5 hours.

Victim
C&M Software (Pix payment infrastructure provider)
Loss
$148.0M
Data breachResolved

TheSqua.re data breach (2025)

In June 2025, 107k unique customer email addresses were allegedly obtained from TheSqua.re, the "easiest way to find your next serviced apartment". The data also included names, phone numbers and cities which were subsequently posted to a popular hacking forum.

Victim
TheSqua.re
Records
107.0K
Data breachResolved

MaReads data breach (2025)

In June 2025, MaReads, the website for readers and writers of Thai-language fiction and comics suffered a data breach that exposed 74k records. The breach included usernames, email addresses, phone numbers and dates of birth. MaReads is aware of the breach.

Victim
MaReads
Records
74.5K
RansomwareOngoing

Leak at Disneyland

In June 2025, the Anubis ransomware gang claimed a 64GB leak of ~39,000 confidential files from Disneyland Paris — engineering plans and behind-the-scenes photos/videos of park attractions — said to be stolen via a compromised third-party contractor.

Victim
Disneyland
Data breachContained

Leak at Hôpital privé de la Loire

A cyberattack on Hôpital privé de la Loire (Ramsay Santé) in Saint-Étienne, France exposed personal data of up to 530,000 patients, including identity details, social-security numbers (NIR), ID documents and consultation records, after a hacker used stolen physician credentials.

Victim
Hôpital privé de la Loire
Data breachResolved

Data Troll Stealer Logs data breach (2025)

In June 2025, headlines erupted over a "16 billion password" breach. In reality, the dataset was a compilation of publicly accessible stealer logs, mostly repurposed from older leaks, with only a small portion of genuinely new material.

Victim
Data Troll Stealer Logs
Records
109.5M
Data breachResolved

Catwatchful data breach (2025)

In June 2025, spyware maker Catwatchful suffered a data breach that exposed over 60k customer records. The breach was due to a SQL injection vulnerability that enabled email addresses and plain text passwords to be extracted from the system.

Victim
Catwatchful
Records
61.6K
Data breachResolved

Omnicuris data breach (2025)

In June 2025, the Indian CME platform Omnicuris suffered a data breach that exposed approximately 200k records of healthcare professionals. The data included names, email addresses, phone numbers, geographic locations and other data attributes relating to professional expertise and training…

Victim
Omnicuris
Records
215.3K
Data breachContained

Leak at Cartier

In June 2025, luxury jeweller Cartier (Richemont) disclosed a data breach in which attackers accessed customer records — names, email addresses and country of residence — though no passwords, payment or banking data were exposed.

Victim
Cartier
Data breachUnknown

Leak at Kaviari

On 3 June 2025, a customer database belonging to Kaviari, the Paris-based luxury caviar and premium seafood house, was reported leaked, exposing shoppers' names, contact details, dates of birth, account credentials and order histories.

Victim
Kaviari
Data breachinvestigating

Morocco ANCFCC land registry data leak

Weeks after the CNSS breach, the hacktivist Jabaroot leaked roughly 4 terabytes of data — millions of property certificates, title deeds, ID cards, passports, and banking documents — from Morocco's national land conservation agency ANCFCC.

Victim
Agence Nationale de la Conservation Foncière, du Cadastre et de la Cartographie (ANCFCC)
Records
4.0M
EspionageResolved

Czech Ministry of Foreign Affairs APT31 cyber-espionage

The Czech government publicly attributed a years-long cyber-espionage campaign against an unclassified network of its Ministry of Foreign Affairs to APT31, a group linked to China's Ministry of State Security. The intrusion, active since at least 2022, targeted designated critical national infrastructure.

Victim
Czech Ministry of Foreign Affairs
Data breachContained

Leak at Autosur

Autosur, a major French vehicle-inspection network, suffered a data breach exposing personal and vehicle records of millions of customers — names, emails, postal addresses, phone numbers, license plates and vehicle details — advertised for sale on a cybercrime forum.

Victim
Autosur
Data breachResolved

ColoCrossing data breach (2025)

In May 2025, hosting provider ColoCrossing identified a data breach that impacted customers of their ColoCloud virtual server product. ColoCrossing advised the incident was isolated to their cloud/VPS platform and stemmed from a single sign-on vulnerability.

Victim
ColoCrossing
Records
7.2K
Data breachResolved

Operation Endgame 2.0 data breach (2025)

In May 2025, a coalition of law enforcement agencies took down the criminal infrastructure behind the malware used to launch ransomware attacks in a new phase of "Operation Endgame".

Victim
Operation Endgame 2.0
Records
15.4M
Data breachContained

Leak at Dior

On 13 May 2025, luxury fashion house Christian Dior Couture (LVMH) began notifying customers — first in Asia — that an intrusion discovered on 7 May exposed names, contact details, purchase histories and marketing preferences; no bank or payment-card data was affected.

Victim
Dior
Data breachUnknown

Leak at Pulsy

Patient data managed by Pulsy, the regional e-health operator (GRADeS) for France's Grand Est region, was reported leaked on 13 May 2025, exposing identity details, contacts and sensitive health information including care pathways and hospitalisation records.

Victim
Pulsy
Data breachResolved

Ualabee data breach (2025)

In May 2025, the South American mobility services platform Ualabee had hundreds of thousands of records scraped from an interface on their platform. The data included 472k unique email addresses along with names, profile photos, dates of birth and phone numbers.

Victim
Ualabee
Records
472.3K
Data breachResolved

Creams Cafe data breach (2025)

In May 2025, 160k records of customer data was allegedly obtained from Creams Cafe, "the UK's favourite dessert parlour". The data included email and physical addresses, names and phone numbers.

Victim
Creams Cafe
Records
159.7K
Data breachContained

Leak at Carrefour Mobile

In April 2025, Carrefour Mobile, the Belgian MVNO of the Carrefour retail group, suffered a data breach exposing personal data of about 64,000 customers, including names, contact details, home addresses, portal passwords and, for some, passport numbers.

Victim
Carrefour Mobile
Records
64.0K
Data breachContained

Leak at Easy Cash

In April 2025, French second-hand retail chain Easy Cash disclosed a breach exposing the names, first names and dates of birth of around 92,000 customers, traced to a compromised in-store workstation.

Victim
Easy Cash
Records
92.0K
Data breachContained

Leak at Indigo

In April 2025, French parking operator Indigo disclosed a breach after attackers accessed its information systems and stole customer names, postal and email addresses, phone numbers and vehicle license plates; no banking data or passwords were affected.

Victim
Indigo
Supply chainContained

Leak at Afflelou

In April 2025, French optical and hearing-aid retailer Alain Afflelou disclosed a breach caused by a vulnerability at a third-party CRM provider, exposing the personal and commercial data of thousands of customers and prospects.

Victim
Afflelou
Supply chainResolved

Leak at Hertz

On 15 April 2025, car-rental company Hertz disclosed a data breach stemming from the late-2024 zero-day exploitation of Cleo's file-transfer software by the CL0P group, exposing customer names, contact details, dates of birth, driver's licences, credit-card and passport data.

Victim
Hertz
RansomwareOngoing

Leak at Harvest

Harvest, a French wealth-management software editor, was hit by a Run Some Wares ransomware double-extortion attack disclosed in April 2025; internal and client files were exfiltrated and published, reportedly exposing data on tens of thousands of individuals and thousands of companies.

Victim
Harvest
Data breachResolved

Synthient Stealer Log Threat Data data breach (2025)

During 2025, Synthient aggregated billions of records of "threat data" from various internet sources. The data contained 183M unique email addresses alongside the websites they were entered into and the passwords used.

Victim
Synthient Stealer Log Threat Data
Records
183.0M
Data breachResolved

Morocco CNSS social security data leak

A hacktivist using the alias Jabaroot leaked more than 53,000 PDF files and CSV databases from Morocco's National Social Security Fund, exposing national ID numbers, salaries, and banking details for nearly 2 million employees across some 500,000 companies.

Victim
Caisse Nationale de Sécurité Sociale (CNSS)
Loss
$4.0M
Records
2.0M
Data breachUnknown

Leak at Reporterre

A data leak disclosed on 1 April 2025 exposed personal contact details of people associated with Reporterre, the French independent environmental news outlet, including last names, first names, email addresses and postal addresses.

Victim
Reporterre
Data breachResolved

Samsung Germany Customer Tickets data breach (2025)

In March 2025, data from Samsung Germany was compromised in a data breach of their logistics provider, Spectos. Allegedly due to credentials being obtained by malware running on a Spectos employee's machine, the breach included 216k unique email addresses along with names, physical addresses, items…

Victim
Samsung Germany Customer Tickets
Records
216.3K
Supply chainContained

Leak at MAIF & BPCE

A ransomware attack on French wealth-management software vendor Harvest (Run Some Wares group, detected 27 Feb 2025) exposed personal and financial data of customers of insurer MAIF and banking group BPCE (Banque Populaire / Caisse d'Épargne) in a supply-chain breach.

Victim
MAIF & BPCE
Data breachResolved

German Doner Kebab data breach (2025)

In March 2025, data allegedly sourced from German Doner Kebab was published on a popular hacking forum. The data included 162k unique email addresses alongside names, phone numbers and physical addresses. German Doner Kebab subsequently sent a disclosure notice to impacted individuals.

Victim
German Doner Kebab
Records
162.4K
Vulnerability exploitContained

Leak at Oracle Cloud

In late March 2025, a threat actor known as 'rose87168' claimed to have stolen roughly 6 million authentication records from an Oracle Cloud SSO/LDAP endpoint, potentially affecting over 140,000 tenants; Oracle initially denied any breach before privately confirming a compromise to customers.

Victim
Oracle Cloud
Records
6.0M
Data breachUnknown

Leak at Centrale Nantes

On 26 March 2025, internal data from Centrale Nantes, a French public engineering grande école, was reported leaked, including private reports and projects, user logins with password hashes, source code, and administrative documents.

Victim
Centrale Nantes
Data breachResolved

TehetségKapu data breach (2025)

In March 2025, almost 55k records were breached from the Hungarian education office website TehetségKapu. The data was subsequently published to a popular hacking forum and included email addresses, names and usernames.

Victim
TehetségKapu
Records
54.4K
Data breachContained

Leak at Cerballiance

In late March 2025, French medical-laboratory network Cerballiance disclosed a data breach traced to a February intrusion on an IT provider's server, exposing administrative and some health data of patients in the PACA region, including names, social security numbers and certain test reports.

Victim
Cerballiance
Data breachResolved

Troy Hunt's Mailchimp List data breach (2025)

In March 2025, a phishing attack successfully gained access to Troy Hunt's Mailchimp account and automatically exported a list of people who had subscribed to the newsletter for his personal blog.

Victim
Troy Hunt's Mailchimp List
Records
16.6K
Data breachResolved

ADDA data breach (2025)

In March 2025, data allegedly breached from the ADDA housing societies service was posted to a public hacking forum. The data contained over 1.8M unique email addresses along with names, phone numbers and MD5 password hashes.

Victim
ADDA
Records
1.8M
Data breachContained

Leak at Autosur & Diagnosur

In March 2025, French vehicle-inspection network Autosur (Diagnosur brand) disclosed a breach exposing data on roughly 10.7 million customers — names, postal and email addresses, phone numbers, and detailed vehicle records including registration plates and VINs — later offered for sale online.

Victim
Autosur & Diagnosur
Data breachResolved

Cuties AI data breach (2025)

In March 2026, the NSFW AI companion platform Cuties AI suffered a data breach that was subsequently published to a public hacking forum. The incident exposed 144k unique email addresses along with display names, avatars, prompts and descriptions used to generate AI adult images, as well as URLs to…

Victim
Cuties AI
Records
144.3K
Data breachUnknown

Leak at Éclaireuses et Éclaireurs de France

On 20 March 2025, the French scouting and guiding association Éclaireuses et Éclaireurs de France had personal data on roughly 44,000 members exposed, including names, dates and places of birth, postal addresses, professions, emails and phone numbers.

Victim
Éclaireuses et Éclaireurs de France
Records
44.0K
Data breachContained

Leak at Intersport

In March 2025, French sporting-goods retailer Intersport had data on roughly 3.4 million customers stolen via a compromised FTP server and put up for sale on BreachForums, exposing names, contact details, addresses, PayPal references and transaction history (no banking credentials).

Victim
Intersport
Records
3.4M
Supply chainContained

Leak at Direct Assurance

In March 2025, French direct insurer Direct Assurance (an AXA subsidiary) suffered a breach via its partner Run Assurance: attackers exploited a flaw in the data exchanges between the two firms to access customer personal data, raising identity-theft and phishing risks.

Victim
Direct Assurance
Data breachUnknown

Leak at Laforêt

In March 2025, rental-application files held by French real estate network Laforêt were exposed, leaking tenants' identity documents and bank account details (RIB) along with the rest of their dossiers.

Victim
Laforêt
Data breachContained

Yale New Haven Health data breach (2025)

Suspicious network activity at Yale New Haven Health led to the largest U.S. healthcare data breach of 2025: 5.5 million patients had names, contact details, dates of birth, medical record numbers, and Social Security numbers stolen. The health system later agreed to an $18 million class-action settlement.

Victim
Yale New Haven Health System
Loss
$18.0M
Records
5.6M
Data breachContained

Data leak at UTwin

On 5 March 2025, French borrower-insurance broker UTwin notified clients that an intrusion into its IT system had temporarily exposed identity details, email addresses and phone numbers; the company said no banking, medical or contract data was affected.

Victim
UTwin
Data breachOngoing

Leak at Côté Sushi

In March 2025, French sushi-delivery chain Côté Sushi had the personal data of roughly 1.1 million customers — names, dates of birth, emails and phone numbers — scraped from its loyalty/delivery database and offered for sale on a cybercrime forum.

Victim
Côté Sushi
Records
1.1M
Data breachContained

Leak at La Poste

In March 2025, French postal operator La Poste disclosed a breach of its 'Élection du Timbre' platform exposing personal data of about 50,000 users — names, year of birth, email, phone and postal addresses — which was put up for sale online by an attacker.

Victim
La Poste
Records
50.0K
Data breachUnknown

Leak at École Nationale de la Sécurité

Disclosed on 28 February 2025, a data breach at France's École Nationale de la Sécurité, a private-security and VTC training school, exposed the personal records of roughly 30,000 trainees, including national ID numbers, social security numbers, VTC licence numbers and contact details.

Victim
École Nationale de la Sécurité
Records
30.0K
Data breachUnknown

Leak at EDF DPIH

On 28 February 2025, a threat actor claimed to have stolen a database from EDF's hydraulic generation division (DPIH), exposing power-plant intervention and maintenance plans, security inspection results and maintenance staff IDs; EDF and researchers disputed the actor's nuclear claims.

Victim
EDF DPIH
Data breachUnknown

Data leak at Zephir

On 28 February 2025, a data leak attributed to Zephir (France) exposed personal records of roughly 67,000 people, including names, email addresses, phone numbers and bank account details (IBAN).

Victim
Zephir
Data breachUnknown

Leak at Nord Emploi

On 26 February 2025, Nord Emploi — the Nord department's RSA return-to-employment support platform — was hit by a data leak exposing personal and social-support records of roughly 200,000 benefit recipients, including identity, contact, CAF/RSA and detailed welfare-accompaniment data.

Victim
Nord Emploi
Records
200.0K
Data breachContained

Leak at French Football Federation

In February 2025 the French Football Federation (FFF) suffered a data breach via a compromised account on its licensee-management platform; at least ~43,000 users had personal data exposed, including names, contact details, and copies of ID documents.

Victim
French Football Federation
Data breachUnknown

Data leak at Sport Découverte

On 17 February 2025, French sports-experience e-commerce retailer Sport Découverte (sport-decouverte.com) was reported breached, with a database of roughly 488,000 customer accounts — names, dates of birth, phone numbers and email addresses — exposed.

Victim
Sport Découverte
Records
488.0K
Data breachResolved

ALIEN TXTBASE Stealer Logs data breach (2025)

In February 2025, 23 billion rows of stealer logs were obtained from a Telegram channel known as ALIEN TXTBASE. The data contained 284M unique email addresses alongside the websites they were entered into and the passwords used.

Victim
ALIEN TXTBASE Stealer Logs
Records
284.1M
Data breachResolved

Adpost data breach (2025)

In February 2025, data obtained from an earlier Adpost breach surfaced. The dataset contained 3.3M records including email addresses, usernames, and display names. Adpost later published a disclosure notice and advised they'd forced a credential refresh, among other actions.

Victim
Adpost
Records
3.3M
Data breachResolved

Cocospy data breach (2025)

In February 2025, the spyware service Cocospy suffered a data breach along with sibling spyware service, Spyic. The Cocospy breach alone exposed almost 1.8M customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs,…

Victim
Cocospy
Records
1.8M
Data breachResolved

Spyic data breach (2025)

In February 2025, the spyware service Spyic suffered a data breach along with sibling spyware service, Cocospy. The Spyic breach alone exposed almost 876k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs,…

Victim
Spyic
Records
876.0K
Data breachContained

Leak at Mutuelle des Motards

In February 2025, French motorcycle insurer Mutuelle des Motards suffered a breach of a marketing contact database, exposing names, email addresses, phone numbers and postal codes of more than 1.3 million members.

Victim
Mutuelle des Motards
Records
1.3M
Credential stuffingContained

Leak at Caisse des dépôts et des consignations

In February 2025, France's Caisse des dépôts disclosed that attackers used stolen login credentials to access the Ircantec pension platform and steal the personal data of about 70,000 public-sector contract workers, hospital practitioners and roughly 1,000 local elected officials.

Victim
Caisse des dépôts et des consignations
Records
70.0K
Data breachContained

Leak at Chronopost

Chronopost, the French express parcel carrier, confirmed in February 2025 that an intrusion detected on 29 January 2025 exposed personal data of around 210,000 customers, including names, postal addresses, phone numbers and delivery signatures.

Victim
Chronopost
Records
210.0K
Data breachContained

Leak at King Jouet

In February 2025, French toy retailer King Jouet was hit by a breach of its online order-tracking interface; a hacker claimed 4.3 million records, but the company said fewer than 25,000 customers across two stores had names, contact details and order information exposed.

Victim
King Jouet
Data breachResolved

Lexipol data breach (2025)

In February 2025, the public safety policy management systems company Lexipol suffered a data breach. Attributed to the self-proclaimed "Puppygirl Hacker Polycule", the breach exposed an extensive number of documents and user records which were subsequently published publicly.

Victim
Lexipol
Records
672.5K
Supply chainContained

Leak at Espace-Recettes.fr Vorwerk

In early February 2025, Vorwerk's Thermomix recipe community Espace-Recettes.fr (Rezeptwelt) was breached via a compromised third-party server, exposing names, postal addresses, emails, phone numbers, dates of birth and cooking preferences of roughly 3.3 million users across several countries.

Victim
Espace-Recettes.fr Vorwerk
Data breachinvestigating

Business Registration Service data breach

Attackers exfiltrated Kenya's national company-registry data from the Business Registration Service — including ownership and beneficial-owner records touching President Ruto and the Kenyatta family's firms — and offered it for sale on the dark web.

Victim
Business Registration Service (BRS)
Data breachResolved

Thermomix Recipe World Forum data breach (2025)

In January 2025, the Rezeptwelt (German for "recipe world") forum for Thermomix owners suffered a data breach. The incident exposed 3.1M registered users' details including names, email and physical addresses, phone numbers, dates of birth and bios (usually cooking related).

Victim
Thermomix Recipe World Forum
Records
3.1M
Data breachContained

Leak at AIDES

On 27 January 2025, French HIV/hepatitis-prevention charity AIDES disclosed a breach of a secured file-sharing server, exposing supporters' identity, contact and banking details (IBAN) and, for some, health-related information.

Victim
AIDES
Data breachResolved

Doxbin Scrape data breach (2025)

In January 2025, 435k email addresses were scraped from the "doxing" service Doxbin. Posts to the service are usually intended to disclose the personal information of non-consensually third parties.

Victim
Doxbin Scrape
Records
435.8K
Data breachContained

Leak at E.Leclerc

In January 2025, E.Leclerc's Prime énergie (energy-rebate) platform was hit by fraudulent account access, exposing customers' names, email addresses, login credentials, file numbers, rebate amounts and service descriptions; the breach was disclosed to affected users on 24 January 2025.

Victim
E.Leclerc
Supply chainContained

Leak at French Archery Federation (via ITAC)

On 20 January 2025 the French Archery Federation (FFTA) disclosed a breach stemming from a flaw at its shared license-management provider; a dataset of 625,434 accounts (names, dates of birth, postal addresses, phones, emails, profile photos) was offered for sale online.

Victim
French Archery Federation
Data breachResolved

Frame & Optic data breach (2025)

In January 2025, the eyewear seller Frame & Optic suffered a data breach. The incident exposed almost 16k unique email addresses along with names, phone numbers and geolocation data including country, state and postcode.

Victim
Frame & Optic
Records
15.7K
Supply chainUnknown

Leak at French Strength Federation

In January 2025, the Fédération Française de Force (FFForce) had personal data of 64,512 members exposed via a compromised shared sports-licensing IT provider; records (names, dates of birth, emails, postal addresses, phone numbers) were later sold on BreachForums.

Victim
French Strength Federation
Records
64.5K
Supply chainContained

Leak at French Roller Skateboard Federation

In January 2025, the Fédération Française de Roller et Skateboard had the personal data of roughly 577,000 members exposed after a shared sports-federation IT provider was compromised; names, dates of birth, email/postal addresses and phone numbers were leaked.

Victim
French Roller Skateboard Federation
Records
577.1K
Credential stuffingContained

Leak at Kiabi

In January 2025, French clothing retailer Kiabi disclosed a credential-stuffing attack on its secondhand site (secondemain.kiabi.com) that exposed the names, dates of birth, contact details and IBANs of about 20,000 customers.

Victim
Kiabi
Records
20.0K
Data breachResolved

Stealer Logs, Jan 2025 data breach (2025)

In January 2025, stealer logs with 71M email addresses were added to HIBP. Consisting of email address, password and the website the credentials were entered against, this breach marks the launch of a new HIBP feature enabling the retrieval of the specific websites the logs were collected against.

Victim
Stealer Logs, Jan 2025
Records
71.0M
Data breachResolved

LandAirSea data breach (2025)

In January 2025, the GPS tracking service LandAirSea suffered a data breach that exposed 337k unique customer email addresses alongside names, usernames and password hashes.

Victim
LandAirSea
Records
337.4K
Data breachContained

Telefónica Hellcat infostealer-to-Jira breach (Spain, 2025)

Infostealer malware on the endpoints of 15+ Telefónica employees gave the Hellcat ransomware group credentials into the company's internal Jira ticketing system. Social-engineering escalated the access to SSH. The group did not extort — it publicly published 2.3 GB including 24,000 employee emails, 470,000 internal Jira tickets, and 5,000 internal documents.

Victim
Telefónica
Records
500.0K
Data breachResolved

Scholastic data breach (2025)

In January 2025, a data breach of the publishing company Scholastic surfaced. The breach contained 4.2M unique email addresses with many of the records also including name, phone number and physical address.

Victim
Scholastic
Records
4.2M
RansomwareUnknown

Leak at Cogitis

On 31 December 2024, the DragonForce ransomware gang listed Cogitis — a French inter-municipal IT syndicate serving local authorities — on its leak site, claiming around 81 GB of exfiltrated data including internal files and personal data tied to the public bodies it supports.

Victim
Cogitis
RansomwareContained

Leak at Atos

On 28 December 2024, the Space Bears ransomware group claimed to have compromised an Atos database; the French IT giant investigated and concluded its own systems were not breached, attributing the leaked Atos-related data to a compromised external third-party infrastructure.

Victim
Atos
RansomwareOngoing

Leak at Arsoé

A ransomware attack disclosed in late December 2024 crippled Arsoé de Soual, the agricultural IT provider hosting livestock-management software for ~30,000 farmers across some 22 French departments; systems were encrypted and a ransom demanded, with no data exfiltration detected.

Victim
Arsoé
Data breachContained

Data leak at Volkswagen

A misconfigured Amazon cloud storage system run by Volkswagen software subsidiary Cariad exposed data on about 800,000 EV owners across VW, Audi, Seat and Skoda, including contact details and precise vehicle location data for roughly 466,000 cars.

Victim
Volkswagen
Records
800.0K
Data breachinvestigating

Movistar Peru data leak

A database containing roughly 22 million records on Movistar Peru customers — DNI numbers, names, birth dates, and addresses collected between 2016 and 2018 — circulated freely on hacking forums over the December holiday break.

Victim
Movistar Peru (Telefónica del Perú)
Records
22.0M
RansomwareOngoing

Leak at Peugeot

In December 2024, the ransomware-as-a-service group Cicada 3301 claimed to have stolen 40 GB of data from Peugeot dealerships (mainly in Lot-et-Garonne, France), including customer ID documents, VINs and vehicle inventory data, threatening to publish it by 6 January 2025.

Victim
Peugeot
Supply chainContained

Leak at Cyberhaven

On 25 Dec 2024, data-security firm Cyberhaven's Chrome extension was hijacked via a phishing attack and pushed a malicious update that exfiltrated cookies and session tokens from roughly 400,000 users over a 24-hour window.

Victim
Cyberhaven
Data breachResolved

Speedio data breach (2024)

In December 2024, data alleged to have been taken from the Brazilian lead generation platform Speedio was posted for sale to a popular hacking forum. The data was allegedly obtained from an unsecured Elasticsearch instance and contained over 62M records of largely public business information…

Victim
Speedio
Records
27.5M
Data breachUnknown

Leak at Electro Dépôt

Customer data attributed to French electronics retailer Electro Dépôt surfaced as one of at least 17 French breaches consolidated on an open database, exposing names, contact details, IP addresses and partial payment data.

Victim
Electro Dépôt
Data breachUnknown

Leak at Go Sport

In December 2024, French sporting-goods retailer Go Sport was named in dark-web claims of a customer data leak; the alleged fresh breach was debunked, with the data tracing back to a 'go-sport.com' file in an earlier compilation of past French breaches.

Victim
Go Sport
Data breachResolved

Data leak at Sport 2000

Customer database of French sporting-goods retailer Sport 2000 — covering roughly 4.3 million people — was stolen and circulated on hacking forums and the dark web, exposing names, contact details, dates of birth and purchase history.

Victim
Sport 2000
Records
4.4M
Data breachUnknown

Data leak at Wakanim

Wakanim user data surfaced in a misconfigured, publicly accessible ElasticSearch server hoarding ~95 million records from 17 past French breaches, exposing names, emails, postal and IP addresses and phone numbers.

Victim
Wakanim
Data breachResolved

BitView data breach (2024)

In December 2024, the video sharing Community BitView suffered a data breach that exposed 63k customer records. Attributed to a backup taken by a previous administrator earlier in the year, the breach exposed email and IP addresses, bcrypt password hashes, usernames, bios, private messages, video…

Victim
BitView
Records
63.1K
Data breachContained

Data leak at Top Achat

On 12 December 2024, French PC-hardware e-tailer Top Achat (LDLC group) disclosed a breach exposing customer names, email and postal addresses; no passwords or payment data were affected. The intrusion was linked to an earlier compromise at parent company LDLC.

Victim
Top Achat
Data breachResolved

Young Living Essential Oils data breach (2024)

In December 2024, data claimed to be breached from the multi-level marketing company Young Living Essential Oils was posted to a popular hacking forum. The data contained 1.1M unique email addresses alongside names, the country of the account and in many cases, their date of birth.

Victim
Young Living Essential Oils
Records
1.1M
Data breachOngoing

Leak at LDLC

On 10 December 2024, French high-tech e-commerce retailer LDLC disclosed a data breach exposing personal data (names, email addresses, phone numbers) of both its online and in-store customers — potentially several million people — though it stated no financial or sensitive data was affected.

Victim
LDLC
RansomwareResolved

Electrica Group Lynx ransomware attack

The Lynx ransomware gang breached Electrica Group, one of Romania's largest electricity suppliers serving 3.8 million users, disrupting customer-facing services while SCADA and other critical grid systems were isolated and kept running.

Victim
Electrica Group
RansomwareUnknown

Leak at Deloitte

On 4 December 2024, the Brain Cipher ransomware group publicly claimed to have stolen over 1 TB of data from Deloitte UK; Deloitte said the allegations related to a single client's system outside its own network and that no Deloitte systems were impacted.

Victim
Deloitte
Data breachContained

Leak at Guy Demarle

French bakeware and kitchenware brand Guy Demarle disclosed in December 2024 that a cyberattack had copied part of its customer database, exposing names, postal addresses, email addresses and phone numbers; passwords and banking data were not affected.

Victim
Guy Demarle
Data breachContained

Leak at Norauto

On 2 December 2024, French automotive retailer Norauto disclosed a cyberattack on its vehicle-rental service that exposed personal data of about 78,000 customers, including names, contact details and, in some cases, ID-document numbers; the dataset was put up for sale on BreachForums.

Victim
Norauto
Records
78.0K
RansomwareResolved

RECOPE RansomHub ransomware attack

RansomHub ransomware forced Costa Rica's state oil refiner RECOPE to switch its entire fuel-distribution network to manual operations, triggering the first real-world deployment of the U.S. State Department's FALCON cyber-response program.

Victim
Refinadora Costarricense de Petróleo (RECOPE)
Data breachUnknown

Data leak at Ze Camping

On 27 November 2024, a database from French camping-holiday booking platform Ze Camping (ze-camping.fr) covering 2014-2024 was advertised for sale on a darknet forum, exposing some 1.6 million records including names, logins, hashed passwords, dates of birth, phone numbers and postal addresses.

Victim
Ze Camping
Records
1.6M
Data breachUnknown

Leak at JVS

On 26 November 2024, a dataset of user-account records tied to JVS-Mairistem — a leading French software vendor for municipalities and local authorities — was reported leaked, exposing names, email addresses, logins, phone numbers and the associated local authority.

Victim
JVS
Data breachOngoing

Data leak at SFR

On 24 November 2024, a threat actor advertised a leak of personal data on 3.6 million customers of French telecom operator SFR — names, postal and email addresses, dates of birth and phone numbers — plus 150,000 IBANs offered for separate sale on the dark web.

Victim
SFR
Records
3.6M
Data breachContained

Leak at Banque de France

On 23 November 2024, the threat actor Near2tlg advertised data allegedly stolen from France's central bank; the Banque de France denied any compromise of its secure systems, acknowledging only brief unauthorized access to an HR extranet with no sensitive data exposed.

Victim
Banque de France
Data breachResolved

Senior Dating data breach (2024)

In 2024, the 40+ dating website Senior Dating suffered a data breach. Attributed to an exposed Firebase database, the breach included extensive personal information on 766k users of the service including email addresses, photos, genders, links to Facebook accounts, dates of birth and precise…

Victim
Senior Dating
Records
765.5K
RansomwareContained

Leak at Chambres d'agriculture

In November 2024, the Chambres d'agriculture d'Occitanie — France's regional public chambers of agriculture — were hit by a malware/ransomware-type cyberattack that spread across their interconnected national network and rendered the workstations of roughly 1,000 regional staff unusable.

Victim
Chambres d'agriculture
Data breachResolved

Yonéma data breach (2024)

In November 2024, data from the Senegalese payment platform Yonéma was posted to a popular hacking forum. The data included 36k unique email addresses alongside phone numbers, names and what appears to be encrypted passwords and dates of birth.

Victim
Yonéma
Records
36.0K
Data breachContained

Leak at Auchan

On 19 November 2024, French retailer Auchan disclosed a breach of its loyalty programme exposing the personal data of more than 500,000 customers — names, contact details, dates of birth, family composition and loyalty-card/balance information; no bank data or passwords were affected.

Victim
Auchan
Records
500.0K
Data breachContained

Leak at Direct Assurance

In November 2024, French online insurer Direct Assurance was breached via a compromised employee account, exposing personal data of roughly 15,000 clients and prospects — including the IBAN/RIB banking details of about 5,800 of them — later offered for sale online.

Victim
Direct Assurance
Records
15.0K
Data breachContained

Leak at Mediboard

On 19 Nov 2024 a threat actor put the records of ~758,912 patients of French healthcare provider Aléo Santé — extracted via a compromised privileged account on the Mediboard patient-record platform — up for sale on BreachForums, exposing identities, contact details and sensitive medical data.

Victim
Mediboard
Records
758.9K
Data breachResolved

FlipaClip data breach (2024)

In November 2024, the animation app FlipaClip suffered a data breach that exposed almost 900k records due to an exposed Firebase server. The impacted data included name, email address, country and date of birth. FlipaClip advised the issue has since been rectified.

Victim
FlipaClip
Records
892.9K
Supply chainContained

Leak at Le Point

On 18 November 2024, French news magazine Le Point disclosed a breach traced to a compromised subscriber-management subcontractor, exposing the names, postal/email addresses and phone numbers of an estimated 900,000 current and former readers.

Victim
Le Point
Data breachResolved

The Real World data breach (2024)

In November 2024, the online course founded by Andrew Tate known as "The Real World" (previously "Hustler's University" suffered a data breach that exposed almost 325k users of the platform. The impacted data was limited to usernames, email addresses and chat logs.

Victim
The Real World
Records
324.4K
Data breachUnknown

Leak at Huttopia

On 14 November 2024, a data leak affecting Huttopia, the French eco-tourism and glamping operator, exposed customer records including last names, first names and email addresses.

Victim
Huttopia
Data breachResolved

PoinCampus data breach (2024)

In November 2024, the South Korean education platform PoinCampus suffered a data breach which was later published to a popular hacking forum. The data included 89k unique email addresses, names and a small number of phone numbers and dates of birth.

Victim
PoinCampus
Records
89.1K
Data breachContained

Leak at Molotov

Around 13 November 2024, French streaming TV service Molotov disclosed a data breach exposing roughly 10.8 million email addresses, along with the names and dates of birth of users who had supplied them; no passwords or banking data were affected.

Victim
Molotov
Records
10.8M
Credential stuffingContained

Leak at Picard

On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.

Victim
Picard
Records
45.0K
Data breachResolved

Tibber data breach (2024)

In November 2024, the German electricity provider Tibber suffered a data breach that exposed the personal information of 50k customers. The data included names, email addresses, geographic locations (city and postcode) and total spend on purchases.

Victim
Tibber
Records
50.0K
Data breachResolved

1win data breach (2024)

In November 2024, the online betting platform 1win suffered a data breach that exposed 96M users. The exposed data included email and IP addresses, phone numbers, dates of birth, country and SHA-256 password hashes.

Victim
1win
Records
96.2M
Data breachinvestigating

RENIEC Peru citizen data leak

A threat actor advertised a database said to hold around 37 million records from Peru's national identity registry RENIEC, including DNI numbers, names, birth data, and addresses; RENIEC disputed that its systems were breached.

Victim
RENIEC (Registro Nacional de Identificación y Estado Civil)
Records
37.0M
Data breachResolved

Interbank Peru data breach

After a two-week extortion negotiation collapsed, a threat actor known as kzoldyck leaked 3.7 TB of data on roughly 3 million Interbank customers, including names, DNI numbers, card data, and plaintext credentials.

Victim
Interbank (Banco Internacional del Perú)
Records
3.3M
Data breachResolved

SuperDraft data breach (2024)

In October 2024, the fantasy sports platform SuperDraft suffered a data breach that exposed over 300k customer records. The breach contained 24GB of data including email addresses, usernames, purchases, latitudes and longitudes, dates of birth and bcrypt password hashes.

Victim
SuperDraft
Records
300.2K
Data breachContained

Leak at Free

In late October 2024, French ISP Free (Iliad group) disclosed a breach after attackers accessed an internal management tool, exposing subscriber identity and contact data plus around 5.1 million IBANs; the stolen data was later auctioned and sold online.

Victim
Free
Records
5.2M
Data breachContained

Leak at Ornikar

In late October 2024, French online driving school Ornikar disclosed a breach after an attacker offered a database of up to 4.2 million customer accounts for sale, exposing names, dates of birth, email and postal addresses, and phone numbers; bank data and passwords were unaffected.

Victim
Ornikar
Records
4.2M
Data breachResolved

Hot Topic data breach (2024)

In October 2024, retailer Hot Topic suffered a data breach that exposed 57 million unique email addresses. The impacted data also included physical addresses, phone numbers, purchases, genders, dates of birth and partial credit data containing card type, expiry and last 4 digits.

Victim
Hot Topic
Records
56.9M
Data breachResolved

Earth 2 data breach (2024)

In October 2024, 421k unique email addresses from the virtual earth game Earth 2 were derived from embedded Gravatar images. Appearing alongside player usernames, the root cause was related to how Gravatar presents links to avatars as MD5 hashes within consuming services, a feature Earth 2 advised…

Victim
Earth 2
Records
421.0K
Data breachResolved

Finsure data breach (2024)

In October 2024, almost 300k unique email addresses from Australian mortgage broking group Finsure were obtained from the ActivePipe real estate marketing platform. The impacted data also included names, phone numbers and physical addresses.

Victim
Finsure
Records
296.1K
Data breachResolved

The Club Penguin Experience data breach (2024)

In October 2024, The Club Penguin Experience (TCPE) suffered a data breach. The incident exposed over 6k subscribers' email addresses alongside usernames, age groups, passwords stored as bcrypt hashes and in some cases, plain text password hints.

Victim
The Club Penguin Experience
Records
6.3K
EspionageContained

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers — Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream — including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim
U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)
Data breachResolved

Switch data breach (2024)

In October 2024, the Hungarian IT headhunting service Switch inadvertently exposed thousands of customer records via a public GitHub repository. The exposed data contained job applications with names, email addresses and in some cases, commentary on the applicant.

Victim
Switch
Records
5.4K
Data breachContained

Leak at Meilleurtaux

In late September 2024, French credit and insurance broker Meilleurtaux disclosed that an external attack on its IT systems had exposed sensitive personal data of customers, including names, contact details, dates of birth, family situation, income and employment status.

Victim
Meilleurtaux
Data breachResolved

digiDirect data breach (2024)

In September 2024, a data breach sourced from the Australian retailer digiDirect was published to a popular hacking forum. The breach exposed over 300k rows of data including email and physical address, name, phone number and date of birth.

Victim
digiDirect
Records
304.3K
Data breachResolved

French Citizens data breach (2024)

In September 2024, over 90M rows of data on French Citizens was found left exposed in a publicly facing database. Compiled from various data breaches, the corpus contained 28M unique email addresses with the various source breaches each exposing different fields including name, physical and IP…

Victim
French Citizens
Records
28.4M
Data breachContained

Leak at RED by SFR

In September 2024, RED by SFR — the low-cost mobile brand of French telecom SFR — disclosed a breach affecting several tens of thousands of recent customers, exposing names, contact details, IBANs, and SIM/handset identifiers after attackers accessed an order-management tool.

Victim
RED by SFR
Data breachResolved

Muah.AI data breach (2024)

In September 2024, the "AI girlfriend" website Muah.AI suffered a data breach. The breach exposed 1.9M email addresses alongside prompts to generate AI-based images. Many of the prompts were highly sexual in nature, with many also describing child exploitation scenarios.

Victim
Muah.AI
Records
1.9M
Data breachContained

Leak at Assurance retraite

On 13 September 2024, France's Assurance retraite (Cnav) disclosed a breach of its PPAS social-action partner portal, exposing data on about 370,000 pension beneficiaries including names, addresses, social security numbers and approximate income.

Victim
Assurance retraite (French pension fund)
Records
370.0K
Supply chainContained

Leak at Cybertek

On 12 September 2024, French computer-hardware retailer Cybertek disclosed a customer data breach stemming from a compromised shared IT provider, exposing names, email and postal addresses and phone numbers; passwords and payment data were not affected.

Victim
Cybertek
Data breachResolved

Instituto Nacional de Deportes de Chile data breach (2024)

In September 2024, the Instituto Nacional de Deportes de Chile (Chile's National Sports Institute) suffered a data breach. The incident exposed 1.7M rows of data with 320k unique email addresses alongside names, dates of birth, genders and bcrypt password hashes.

Victim
Instituto Nacional de Deportes de Chile
Records
319.6K
Supply chainContained

Leak at Cultura

On 10 September 2024, French cultural-goods retailer Cultura disclosed that a breach at a shared third-party IT provider exposed the personal data of about 1.5 million customers, including names, contact details and order history; passwords and bank data were not affected.

Victim
Cultura
Records
1.5M
Supply chainContained

Leak at Boulanger

On the night of 6-7 September 2024, French electronics retailer Boulanger suffered a data breach traced to a shared third-party delivery/IT provider, exposing the names, postal and email addresses and phone numbers of several hundred thousand customers; no banking data was affected.

Victim
Boulanger
Data breachResolved

MC2 Data data breach (2024)

In August 2024, data aggregator MC2 Data left a database publicly accessible without a password which was subsequently discovered by a security researcher. The breach exposed the personal information of 2.1M subscribers to the service which was marketed under a series of different brand names.

Victim
MC2 Data
Records
2.1M
Data breachResolved

Explore Talent (August 2024) data breach (2024)

In August 2024, a slew of security vulnerabilities were identified with a conglomerate of online services which included the talent network Explore Talent. A vulnerable API exposed the personal records of 11.4M users of the service of which 8.9M unique email addresses were provided to HIBP.

Victim
Explore Talent (August 2024)
Records
8.9M
Data breachResolved

schenkYOU data breach (2024)

In September 2024, data from the online German gift store schenkYOU was put up for sale on a popular hacking forum. Obtained the month before, the data included 237k unique email addresses alongside names, dates of birth and salted SHA-256 password hashes.

Victim
schenkYOU
Records
237.3K
Data breachResolved

Tracki data breach (2024)

In August 2024, a slew of security vulnerabilities were identified with a conglomerate of online services which included the GPS tracking service Tracki. Multiple vulnerabilities exposed the personal records of 372k users of the service including names and email addresses.

Victim
Tracki
Records
372.6K
Data breachResolved

Chris Leong data breach (2024)

In August 2024, the website of Master Chris Leong "a leading Tit Tar practitioner in Malaysia" suffered a data breach. The incident exposed 27k unique email addresses along with names, physical addresses, dates of birth, genders, nationalities and in many cases, links to Facebook profiles.

Victim
Chris Leong
Records
27.1K
Data breachResolved

Not SOCRadar data breach (2024)

In August 2024, over 332M rows of email addresses were posted to a popular hacking forum. The post alleged the addresses were scraped from cybersecurity firm SOCRadar, however an investigation on their behalf concluded that "the actor merely utilised functionalities inherent in the platform's…

Victim
Not SOCRadar
Records
282.5M
Data breachResolved

Ubook data breach (2024)

In July 2024, 700k unique email addresses from the audiobook platform Ubook were posted to a popular hacking forum. Allegedly scraped from the service, the data appears to be sourced from the Ubook Exchange (UBX) and also includes names, genders, dates of birth and links to profile photos.

Victim
Ubook
Records
699.9K
Data breachResolved

Stealer Logs Posted to Telegram data breach (2024)

In July 2024, info stealer logs with 26M unique email addresses were collated from malicious Telegram channels. The data contained 22GB of logs consisting of email addresses, passwords and the websites they were used on, all obtained by malware running on infected machines.

Victim
Stealer Logs Posted to Telegram
Records
26.1M
Credential stuffingRansom paid

AT&T Snowflake call-records breach

AT&T disclosed that attackers used credentials stolen by infostealers to authenticate into its Snowflake cloud-data-warehouse tenant — which lacked MFA — and exfiltrated call and text metadata covering nearly all 110 million AT&T wireless customers.

Victim
AT&T Communications
Loss
$200.0M
Records
110.0M
Data breachResolved

The Heritage Foundation data breach (2024)

In July 2024, hacktivists published almost 2GB of data taken from The Heritage Foundation and their media arm, The Daily Signal. The data contained 72k unique email addresses, primarily used for commenting on articles (along with names, IP addresses and the comments left) and by content…

Victim
The Heritage Foundation
Records
72.0K
Data breachResolved

MSI data breach (2024)

In July 2024, MSI inadvertently exposed hundreds of thousands of customer records related to RMA claims that were subsequently found to be publicly accessible. The data included 250k unique email addresses alongside names, phone numbers, physical addresses and warranty claims.

Victim
MSI
Records
250.0K
Data breachResolved

LuLu data breach (2024)

In July 2024, the Emirati-based LuLu retail store suffered a data breach. The impacted data included 190k email addresses and associated phone numbers which were subsequently shared on a popular hacking forum.

Victim
LuLu
Records
2.8M
Data breachResolved

AnimeLeague data breach (2024)

In July 2024, AnimeLeague disclosed a data breach of their services. The data was posted for sale on a popular hacking forum and included 2 databases covering both event registration records and a dump of the phpBB bulletin board.

Victim
AnimeLeague
Records
192.1K
Data breachResolved

FNTECH data breach (2024)

In July 2024, the events management platform FNTECH suffered a data breach that exposed 10k unique email addresses. The data contained registrants from various events, including participants of the Roblox Developer Conference registration list. The data also included names and IP addresses.

Victim
FNTECH
Records
10.4K
Data breachResolved

Husky Owners data breach (2024)

In July 2024, the Husky Owners forum website was defaced and linked to a breach of user data containing 16k records. The exposed data included usernames, email addresses, dates of birth and time zones.

Victim
Husky Owners
Records
16.5K
Data breachResolved

Ladies.com data breach (2024)

In 2024, the lesbian dating website ladies.com suffered a data breach. Attributed to an exposed Firebase database, the breach included extensive personal information on 119k users of the service including email addresses, photos, sexual orientation, genders, dates of birth and precise latitude and…

Victim
Ladies.com
Records
118.8K
Data breachResolved

Central Tickets data breach (2024)

In September 2024, data from the ticketing service Central Tickets was publicly posted to a hacking forum. The data suggests the breach occurred several months earlier and exposed 723k unique email addresses alongside names, phone numbers, IP addresses, purchases and passwords stored as unsalted…

Victim
Central Tickets
Records
722.9K
Data breachResolved

Otelier data breach (2024)

In July 2024, a threat actor gained access to the hotel management platform Otelier and retrieved customer data from well-known hotel brands including Marriott, Hilton, and Hyatt.

Victim
Otelier
Records
436.9K
Data breachResolved

Shoe Zone data breach (2024)

In June 2024, the UK footwear chain Shoe Zone disclosed a data breach that was subsequently posted for sale on a popular hacking forum. The data included over 100k orders containing names, addresses, partial credit card numbers (card type and last 4 digits), and 46k unique email addresses.

Victim
Shoe Zone
Records
46.1K
Data breachResolved

BudTrader data breach (2024)

In July 2024, a data breach of the now defunct cannabis social platform BudTrader was posted for sale on a hacking forum. Dating back to the previous month, the breach of the website exposed 2.7M email addresses, usernames and WordPress password hashes.

Victim
BudTrader
Records
2.7M
Data breachResolved

SpyX data breach (2024)

In June 2024, spyware maker SpyX suffered a data breach that exposed almost 2M unique email addresses. The breach also exposed IP addresses, countries of residence, device information and 6-digit PINs in the password field.

Victim
SpyX
Records
2.0M
Data breachResolved

Zacks (2024) data breach (2024)

In June 2024, the investment research company Zacks was allegedly breached, and data was later published to a popular hacking forum. This comes after a separate Zacks data breach confirmed by the organisation in 2023 with the subsequent breach disclosing millions of additional records representing…

Victim
Zacks (2024)
Records
12.0M
Data breachResolved

Z-lib data breach (2024)

In June 2024, almost 10M user records from Z-lib were discovered exposed online. Now defunct, Z-lib was a malicious clone of Z-Library, a well-known shadow online platform for pirating books and academic papers.

Victim
Z-lib
Records
9.7M
Data breachResolved

mSpy (2024) data breach (2024)

In June 2024, a huge trove of data from spyware maker mSpy was obtained by hacktivists and published online. Comprising of 142GB of user data and support tickets along with 176GB of more than half a million attachments, the data contained 2.4M unique email addresses, IP addresses names and photos.

Victim
mSpy (2024)
Records
2.4M
Data breachResolved

Advance Auto Parts data breach (2024)

In June 2024, Advance Auto Parts confirmed they had suffered a data breach which was posted for sale to a popular hacking forum. Linked to unauthorised access to Snowflake cloud services, the breach exposed a large number of records related to both customers and employees.

Victim
Advance Auto Parts
Records
79.2M
Data breachResolved

Spytech data breach (2024)

In July 2024, spyware maker Spytech suffered a data breach that exposed data collected as recently as the previous month. Designed to "invisibly record everything users do", the breach exposed information related to both purchasers and targets of the product.

Victim
Spytech
Records
5.6K
Data breachResolved

Robinsons Malls data breach (2024)

In June 2024, the Philippines' largest shopping-mall operators Robinsons Malls suffered a data breach stemming from their mobile app. The incident exposed 195k unique email addresses along with names, phone numbers, dates of birth, genders and the user's city and province.

Victim
Robinsons Malls
Records
195.6K
Data breachResolved

Ticketek data breach (2024)

In May 2024, the Australian event ticketing company Ticketek reported a data breach linked to a third party cloud-based platform. The following month, the data appeared for sale on a popular hacking forum and was later linked to a series of breaches of the Snowflake cloud storage service.

Victim
Ticketek
Records
17.6M
Data breachResolved

Operation Endgame data breach (2024)

In May 2024, a coalition of international law enforcement agencies took down a series of botnets in a campaign they coined "Operation Endgame". Data seized in the operation included impacted email addresses and passwords which were provided to HIBP to help victims learn of their exposure.

Victim
Operation Endgame
Records
16.5M
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
Data breachResolved

Combolists Posted to Telegram data breach (2024)

In May 2024, 2B rows of data with 361M unique email addresses were collated from malicious Telegram channels. The data contained 122GB across 1.7k files with email addresses, usernames, passwords and in many cases, the website they were entered into.

Victim
Combolists Posted to Telegram
Records
361.5M
Data breachResolved

pcTattletale data breach (2024)

In May 2024, the spyware service pcTattletale suffered a data breach that defaced the website and posted tens of gigabytes of data to the homepage, allegedly due to pcTattletale not responding to a previous security vulnerability report.

Victim
pcTattletale
Records
138.8K
Data breachResolved

BSNL telecom data breach

A threat actor advertised roughly 278 GB of data stolen from India's state-owned telecom BSNL — including IMSI numbers, SIM details, home location register data, and security keys — exposing millions of subscribers to SIM-cloning and fraud, in the carrier's second breach in six months.

Victim
Bharat Sanchar Nigam Limited (BSNL)
RansomwareResolved

MediSecure ransomware attack

A ransomware attack on Australian e-prescription provider MediSecure exposed the personal and health data of roughly 12.9 million Australians — one of the country's largest breaches — and pushed the company into administration and liquidation.

Victim
MediSecure
Records
12.9M
RansomwareContained

Ascension Health ransomware attack

Black Basta ransomware crippled Ascension, one of the largest U.S. health systems, after an employee downloaded a malicious file. The attack forced 140 hospitals onto manual operations for weeks, diverted ambulances, and ultimately exposed the data of nearly 5.6 million patients.

Victim
Ascension
Loss
$1.80B
Records
5.6M
Data breachResolved

The Post Millennial data breach (2024)

In May 2024, the conservative news website The Post Millennial suffered a data breach. The breach resulted in the defacement of the website and links posted to 3 different corpuses of data including hundreds of writers and editors (IP, physical address and email exposed), tens of thousands of…

Victim
The Post Millennial
Records
57.0M
Supply chainContained

Data leak at Ticketmaster

In 2024, ticketing giant Ticketmaster (Live Nation) suffered a breach of a third-party Snowflake cloud database; data on up to 560 million customers — names, contact details, order history and partial payment-card data — was stolen and offered for sale by ShinyHunters.

Victim
Ticketmaster
Records
560.0M
Data breachResolved

Piping Rock data breach (2024)

In April 2024, 2.1M email addresses from the online health products store Piping Rock were publicly posted to a popular hacking forum. The data also included names, phone numbers and physical addresses.

Victim
Piping Rock
Records
2.1M
Data breachResolved

Tappware data breach (2024)

In April 2024, a substantial volume of data was taken from the Bangladeshi IT services provider Tappware and published to a popular hacking forum. Comprising of 95k unique email addresses, the data also included extensive labour information on local citizens including names, physical addresses, job…

Victim
Tappware
Records
94.7K
Data breachResolved

T2 data breach (2024)

In April 2024, 95k records from the T2 tea store were posted to a popular hacking forum. Data included email and physical addresses, names, phone numbers, dates of birth, purchases and passwords stored as scrypt hashes.

Victim
T2
Records
94.6K
Data breachContained

Leak at Le Slip Français

In April 2024, French apparel brand Le Slip Français disclosed a customer data breach exposing names, phone numbers, postal and email addresses and order numbers; roughly 1.5 million email addresses and close to 700,000 full customer profiles were affected. No passwords or payment data were involved.

Victim
Le Slip Français
Data breachResolved

MovieBoxPro data breach (2024)

In April 2024, over 6M records from the streaming service MovieBoxPro were scraped from a vulnerable API. Of questionable legality, the service provided no contact information to disclose the incident, although reportedly the vulnerability was rectified after being mass enumerated.

Victim
MovieBoxPro
Records
6.0M
Data breachResolved

Neiman Marcus data breach (2024)

In 2024, the luxury retailer Neiman Marcus had data stolen from its Snowflake cloud environment via stolen credentials. The company reported about 64,000 individuals to regulators, but the leaked dataset exposed roughly 31 million unique email addresses along with names, contact details and gift-card numbers.

Victim
Neiman Marcus
Records
31.2M
Data breachResolved

Salvadoran Citizens data breach (2024)

In April 2024, nearly 6 million records of Salvadoran citizens were published to a popular hacking forum. The data included names, dates of birth, phone numbers, physical addresses and nearly 1M unique email addresses. Further, over 5M corresponding profile photos were also included in the breach.

Victim
Salvadoran Citizens
Records
947.0K
Data breachResolved

Pandabuy data breach (2024)

In March 2024, 1.3M unique email addresses from the online store for purchasing goods from China, Pandabuy, were posted to a popular hacking forum. The data also included IP and physical addresses, names, phone numbers and order enquiries.

Victim
Pandabuy
Records
1.3M
Supply chainContained

XZ Utils backdoor (CVE-2024-3094)

A multi-year social-engineering campaign by a maintainer persona named 'Jia Tan' planted a hidden SSH backdoor in the XZ Utils compression library (liblzma) versions 5.6.0 and 5.6.1, scoring CVSS 10.0 — caught by chance days before it could reach stable Linux releases worldwide.

Victim
XZ Utils / Linux open-source ecosystem
Data breachResolved

Lookiero data breach (2024)

In August 2024, a data breach from the online styling service Lookiero was posted to a popular hacking forum. Dating back to March 2024, the data included 5M unique email addresses, with many of the records also including name, phone number and physical address.

Victim
Lookiero
Records
5.0M
Data breachResolved

boAt data breach (2024)

In March 2024, the Indian audio and wearables brand boAt suffered a data breach that exposed 7.5M customer records. The data included physical and email address, names and phone numbers, all of which were subsequently published to a popular clear web hacking forum.

Victim
boAt
Records
7.5M
Data breachResolved

Kaspersky Club data breach (2024)

In March 2024, the independent fan forum Kaspersky Club suffered a data breach. The incident exposed 56k unique email addresses alongside usernames, IP addresses and passwords stored as either MD5 or bcrypt hashes.

Victim
Kaspersky Club
Records
56.0K
Data breachinvestigating

Nigeria NIN national-ID data exposure

Unauthorized websites such as XpressVerify and AnyVerify were caught selling Nigerians' National Identification Numbers, Bank Verification Numbers, passports, and other personal data for as little as ₦100 — exploiting improperly governed API access to the NIMC identity database.

Victim
National Identity Management Commission (NIMC)
Social engineeringContained

Leak at France Travail

On 8 March 2024, France's national employment agency France Travail disclosed a data breach exposing the personal data of up to 43 million jobseekers registered over the previous 20 years, including names, dates of birth, social security numbers and contact details.

Victim
France Travail
Records
43.0M
Data breachResolved

HuntStand data breach (2024)

In March 2024, millions of records scraped from the hunting and land management service HuntStand were publicly posted to a popular hacking forum. The data included 2.8M unique email addresses with many records also containing name, date of birth and country.

Victim
HuntStand
Records
2.8M
Data breachResolved

Giant Tiger data breach (2024)

In March 2024, Canadian discount store Giant Tiger suffered a data breach that exposed 2.8M customer records. Attributed to a vendor of the retailer, the breach included physical and email addresses, names and phone numbers.

Victim
Giant Tiger
Records
2.8M
Data breachResolved

WoTLabs data breach (2024)

In March 2024, WoTLabs (World of Tanks Statistics and Resources) suffered a data breach and website defacement attributed to "chromebook breachers". The breach exposed 22k forum members' personal data including email and IP addresses, usernames, dates of birth and time zones.

Victim
WoTLabs
Records
22.0K
Data breachResolved

Fair Vote Canada data breach (2024)

In March 2024, the Canadian national citizens' campaign for proportional representation Fair Vote Canada suffered a data breach. The incident was attributed to "a well-meaning volunteer" who inadvertently exposed data from 2020 which included 134k unique email addresses, names, physical addresses,…

Victim
Fair Vote Canada
Records
134.3K
Data breachContained

Leak at LDLC

In early March 2024, French electronics retailer LDLC confirmed a data breach affecting roughly 1.5 million in-store customers, exposing names, postal addresses, email addresses and phone numbers, though no banking or sensitive data.

Victim
LDLC
Records
1.5M
Data breachResolved

Life360 data breach (2024)

In July 2024, data scraped from a misconfigured Life360 API was posted online after being obtained several months earlier. The records included 443k unique email addresses and in most cases, corresponding names and phone numbers (some records were null or obfuscated).

Victim
Life360
Records
442.5K
Data breachResolved

Mr. Green Gaming data breach (2024)

In March 2024, the online games community Mr. Green Gaming suffered a data breach that exposed 27k user records. Acknowledged on their Discord server, the incident exposed email and IP addresses, usernames, geographic locations and dates of birth.

Victim
Mr. Green Gaming
Records
27.1K
Data breachResolved

DemandScience by Pure Incubation data breach (2024)

In early 2024, a large corpus of data from DemandScience (a company owned by Pure Incubation), appeared for sale on a popular hacking forum. Later attributed to a leak from a decommissioned legacy system, the breach contained extensive data that was largely business contact information aggregated…

Victim
DemandScience by Pure Incubation
Records
121.8M
Data breachResolved

Cutout.Pro data breach (2024)

In February 2024, the AI-powered visual design platform Cutout.Pro suffered a data breach that exposed 20M records. The data included email and IP addresses, names and salted MD5 password hashes which were subsequently broadly distributed on a popular hacking forum and Telegram channels.

Victim
Cutout.Pro
Records
20.0M
Data breachResolved

Spyzie data breach (2024)

In February 2025, the spyware service Spyzie suffered a data breach along with sibling spyware services, Spyic and Cocospy. The Spyzie breach alone exposed almost 519k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos,…

Victim
Spyzie
Records
518.6K
Data breachResolved

Tangerine data breach (2024)

In February 2024, the Australian Telco Tangerine suffered a data breach that exposed over 200k customer records. Attributed to a legacy customer database, the data included physical and email addresses, names, phone numbers and dates of birth.

Victim
Tangerine
Records
243.5K
Data breachResolved

Doxbin (TOoDA) data breach (2024)

In February 2025, the "doxing" website Doxbin was compromised by a group calling themselves "TOoDA" and the data dumped publicly. Included in the breach were 336k unique email addresses alongside usernames.

Victim
Doxbin (TOoDA)
Records
136.5K
RansomwareResolved

Romanian hospitals ransomware wave

A Backmydata (Phobos-family) ransomware attack on the shared Hipocrate hospital information system encrypted data at 25 Romanian hospitals and forced about 75 more offline, pushing more than 100 facilities back to paper records.

Victim
Romanian hospitals (Hipocrate HIS / Romanian Soft Company)
Data breachContained

Leak at Almerys, Viamedis

In early February 2024, French third-party health-payment operators Viamedis and Almerys disclosed breaches exposing data on about 33 million people — names, dates of birth, social security numbers and health-insurer details — in one of France's largest ever data breaches.

Victim
Almerys, Viamedis
Records
33.0M
Data breachResolved

SurveyLama data breach (2024)

In February 2024, the paid survey website SurveyLama suffered a data breach that exposed 4.4M customer email addresses. The incident also exposed names, physical and IP addresses, phone numbers, dates of birth and passwords stored as either salted SHA-1, bcrypt or argon2 hashes.

Victim
SurveyLama
Records
4.4M
Data breachResolved

Spoutible data breach (2024)

In January 2024, Spoutible had 207k records scraped from a misconfigured API that inadvertently returned excessive personal information. The data included names, usernames, email and IP addresses, phone numbers (where provided to the platform), genders and bcrypt password hashes.

Victim
Spoutible
Records
207.1K
Data breachResolved

Trello data breach (2024)

In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses.

Victim
Trello
Records
15.1M
Data breachResolved

Hathway data breach (2023)

In December 2023, hundreds of gigabytes of data allegedly taken from Indian ISP and digital TV provider Hathway appeared on a popular hacking website. The incident exposed extensive personal information including 4.7M unique email addresses along with names, physical and IP addresses, phone…

Victim
Hathway
Records
4.7M
Data breachResolved

GLAMIRA data breach (2023)

In late 2023, the online jewellery store GLAMIRA suffered a data breach they attributed to "an unauthorised individual [who] briefly accessed one of our servers". The data was subsequently published on a popular hacking forum and included 875k email addresses, names, phone numbers and purchases.

Victim
GLAMIRA
Records
874.6K
Data breachResolved

InflateVids data breach (2023)

In December 2023, the inflatable and balloon fetish videos website InflateVids suffered a data breach. The incident exposed over 13k unique email addresses alongside usernames, IP addresses, genders and SHA-1 password hashes.

Victim
InflateVids
Records
13.4K
WiperResolved

Kyivstar wiper attack

Russia's Sandworm group destroyed thousands of virtual servers and workstations at Kyivstar, Ukraine's largest mobile operator, knocking out service for some 24 million subscribers and disrupting air-raid alerts, banking and payments in the most damaging cyberattack on Ukrainian telecoms since the 2022 invasion.

Victim
Kyivstar
Loss
$95.0M
RansomwareContained

Westpole LockBit ransomware — Italian PA outage (2023)

LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.

Victim
Westpole / PA Digitale (Urbi platform)
Data breachResolved

Welhof data breach (2023)

In late 2023, the Dutch appliance store Welhof suffered a data breach. The incident exposed over 100k unique email addresses along with names, physical addresses and the value of purchases made.

Victim
Welhof
Records
107.3K
RansomwareResolved

ALAB Laboratoria ransomware data leak

The RA World ransomware gang breached Poland's nationwide ALAB Laboratoria medical-lab network, stealing patient test results and PESEL identity numbers. ALAB refused to pay, and the criminals published sensitive medical data on tens of thousands of patients in what became Poland's largest medical data breach.

Victim
ALAB Laboratoria
Records
50.0K
Data breachResolved

Zadig & Voltaire data breach (2023)

In June 2024, a data brach sourced from French fashion brand Zadig & Voltaire was publicly posted to a popular hacking forum. The data included names, email and physical addresses, phone numbers and genders.

Victim
Zadig & Voltaire
Records
586.9K
Data breachResolved

KitchenPal data breach (2023)

In November 2023, the kitchen management application KitchenPal suffered a data breach that exposed 146k lines of data. When contacted about the incident, KitchenPal advised the corpus of data came from a staging environment, although acknowledged it contained a small number of users for debugging…

Victim
KitchenPal
Records
98.7K
Data breachResolved

Blooms Today data breach (2023)

In April 2024, 15M records from the online florist Blooms Today were listed for sale on a popular hacking forum. The most recent data in the breach corpus was from November 2023 and appeared alongside 3.2M unique email addresses, names, phone numbers physical addresses and partial credit card data…

Victim
Blooms Today
Records
3.2M
RansomwareContained

ICBC Financial Services LockBit ransomware (2023)

LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.

Victim
ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
Loss
$9.00B
Data breachResolved

Chess data breach (2023)

In November 2023, over 800k user records were scraped from the Chess website and posted to a popular hacking forum. The data included email address, name, username and the geographic location of the user. A further 446k scraped records were later provided and added to HIBP.

Victim
Chess
Records
1.3M
Data breachResolved

LinkedIn Scraped and Faked Data (2023) data breach (2023)

In November 2023, a post to a popular hacking forum alleged that millions of LinkedIn records had been scraped and leaked. On investigation, the data turned out to be a combination of legitimate data scraped from LinkedIn and email addresses constructed from impacted individuals' names.

Victim
LinkedIn Scraped and Faked Data (2023)
Records
19.8M
Data breachResolved

Toumei data breach (2023)

In October 2023, the Japanese consultancy firm Toumei suffered a data breach. The breach exposed over 100M lines and 10GB of data including 77k unique email addresses along with names, phone numbers and physical addresses.

Victim
Toumei
Records
76.7K
Data breachResolved

Bangladesh Smart NID Telegram data leak

A Telegram bot offered up the names, photos, parents' names, phone numbers and addresses of Bangladeshi voters on demand from a 10-digit NID number, leaked through one of 174 organisations with access to the Election Commission's National ID server.

Victim
Bangladesh Election Commission (NID Wing)
Records
55.0M
Data breachResolved

Facebook Marketplace data breach (2023)

In February 2024, 200k Facebook Marketplace records allegedly obtained from a Meta contractor in October 2023 were posted to a popular hacking forum. The data contained 77k unique email addresses alongside names, phone numbers, Facebook profile IDs and geographic locations.

Victim
Facebook Marketplace
Records
77.3K
Data breachResolved

Shadow data breach (2023)

In September 2023, the cloud gaming provider Shadow suffered a data breach that exposed over half a million customer records. The data included email and physical addresses, names and dates of birth.

Victim
Shadow
Records
543.3K
RansomwareResolved

PhilHealth Medusa ransomware attack

The Medusa ransomware gang breached the Philippine Health Insurance Corporation, exfiltrating around 750 GB of sensitive member and medical data and demanding a $300,000 ransom; the government refused to pay and the data was leaked.

Victim
Philippine Health Insurance Corporation (PhilHealth)
Data breachResolved

Naz.API data breach (2023)

In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" was posted to a popular hacking forum. The incident contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs…

Victim
Naz.API
Records
70.8M
RansomwareResolved

IFX Networks supply-chain ransomware attack

A ransomware attack on regional cloud provider IFX Networks cascaded into more than 50 Colombian state and private entities — including the Ministry of Health, the Judiciary, and the Superintendency of Industry and Commerce — and affected 762 organisations across Latin America.

Victim
IFX Networks (Colombian government clients)
RansomwareResolved

Lanka Government Cloud ransomware attack

A ransomware attack on Sri Lanka's Lanka Government Cloud encrypted around 5,000 gov.lk email accounts — including the Cabinet Office — and, because backups were also encrypted, permanently destroyed roughly three months of government email.

Victim
Lanka Government Cloud (ICTA Sri Lanka)
Data breachResolved

Sphero data breach (2023)

In September 2023, over 1M rows of data from the educational robots company Sphero was posted to a popular hacking forum. The data contained 832k unique email addresses alongside names, usernames, dates of birth and geographic locations.

Victim
Sphero
Records
832.3K
Data breachResolved

Qakbot data breach (2023)

In August 2023, the US Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, and the United Kingdom to disrupt the botnet and malware known as Qakbot and take down its infrastructure.

Victim
Qakbot
Records
6.4M
RansomwareRansom paid

Caesars Entertainment Scattered Spider ransom payment (2023)

Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to grant Okta credentials, then exfiltrated customer loyalty data including SSNs and driver's licences. Caesars paid roughly $15 million ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.

Victim
Caesars Entertainment
Loss
$15.0M
Data breachResolved

PlayCyberGames data breach (2023)

In August 2023, PlayCyberGames which "allows users to play any games with LAN function or games using IP address" suffered a data breach which exposed 3.7M customer records. The data included email addresses, usernames and MD5 password hashes with a constant value in the "salt" field.

Victim
PlayCyberGames
Records
3.7M
Data breachResolved

MagicDuel data breach (2023)

In August 2023, the MagicDuel Adventure website suffered a data breach that exposed 138k user records. The data included player names, email and IP addresses and bcrypt password hashes.

Victim
MagicDuel
Records
138.4K
DDoSResolved

eCitizen Anonymous Sudan DDoS attack

The pro-Russian hacktivist group Anonymous Sudan flooded Kenya's eCitizen government portal with DDoS traffic, knocking out access to roughly 5,000 public services and disrupting M-Pesa, electricity tokens and visa processing for days.

Victim
eCitizen (Government of Kenya)
Data breachResolved

Manipulated Caiman data breach (2023)

In July 2023, Perception Point reported on a phishing operation dubbed "Manipulated Caiman". Targeting primarily the citizens of Mexico, the campaign attempted to gain access to victims' bank accounts via spear phishing attacks using malicious attachments.

Victim
Manipulated Caiman
Records
39.9M
Data breachResolved

Rightbiz data breach (2023)

In June 2023, data belonging to the "UK's No.1 Business Marketplace" Rightbiz appeared on a popular hacking forum. Comprising of more than 18M rows of data, the breach included 65k unique email addresses along with names, phone numbers and physical address.

Victim
Rightbiz
Records
65.4K
Data breachResolved

Bangladesh government citizen data leak

A misconfigured Bangladeshi government birth-and-death registration website exposed the names, addresses, phone numbers and national ID numbers of more than 50 million citizens, discovered accidentally via a Google search.

Victim
Office of the Registrar General, Birth & Death Registration (Bangladesh)
Records
50.0M
Data breachResolved

Dymocks data breach (2023)

In September 2023, the Australian book retailer Dymocks announced a data breach. The data dated back to June 2023 and contained 1.2M records with 836k unique email addresses. The breach also exposed names, dates of birth, genders, phone numbers and physical addresses.

Victim
Dymocks
Records
836.1K
Data breachResolved

BreachForums Clone data breach (2023)

In June 2023, a clone of the previously shuttered popular hacking forum "BreachForums" suffered a data breach that exposed over 4k records. The breach was due to an exposed backup of the MyBB database which included email and IP addresses, usernames and Argon2 password hashes.

Victim
BreachForums Clone
Records
4.2K
Data breachunresolved

e-Devlet (e-Government Gateway) data breach

Turkey's central e-Government portal was harvested for the records of an estimated 85 million citizens and residents, with ID numbers, addresses, phone numbers, family links, health and financial data sold online and updated in near real time.

Victim
e-Devlet (Türkiye e-Government Gateway)
Records
85.0M
Data breachResolved

JD Group data breach (2023)

In May 2023, the South African retailer JD Group announced a data breach affecting a number of their online assets including Bradlows, Everyshop, HiFi Corp, Incredible (Connection), Rochester, Russells, and Sleepmasters.

Victim
JD Group
Records
521.9K
DDoSResolved

Greek school-exam system DDoS attack

A massive multi-day DDoS attack on Greece's 'Subject Bank' (Trapeza Thematon) high-school exam platform disrupted nationwide exams with up to 280,000 connections per second and 165 million hits from 114 countries, the largest attack on a Greek public body.

Victim
Greek Ministry of Education (Subject Bank / Trapeza Thematon)
Data breachResolved

Polish Credentials data breach (2023)

In May 2023, a credential stuffing list of 6.3M Polish email address and password pairs appeared on a local forum. Likely obtained by malware running on victims' machines, each record included an email address and plain text password alongside the website the credentials were used on.

Victim
Polish Credentials
Records
1.2M
RansomwareContained

Xplain Play ransomware and Swiss federal documents leak (2023)

Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration — including classified content, personal data, and readable passwords — were published on Play's dark-web leak site in June 2023.

Victim
Xplain (Swiss IT services provider to the Federal Administration)
Records
1.3M
EspionageContained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim
Microsoft customers (US State Department, Department of Commerce, ~25 organisations)
Data breachResolved

Le Coq Sportif Columbia data breach (2023)

In January 2025, a data breach from the Columbian website for Le Coq Sportif was posted to a popular hacking forum. The data included almost 80k unique email addresses with the breach dating back to May 2023.

Victim
Le Coq Sportif Columbia
Records
79.7K
Data breachResolved

Jobzone data breach (2023)

In April 2023, data from the Israeli jobs website Jobzone was posted online. The data included 30k records of email addresses, names, social security numbers, genders, dates of birth, fathers' names and physical addresses.

Victim
Jobzone
Records
29.7K
Data breachResolved

RentoMojo data breach (2023)

In April 2023, the Indian rental service RentoMojo suffered a data breach. The breach exposed over 2M unique email addresses along with names, phone, passport and Aadhaar numbers, genders, dates of birth, purchases and bcrypt password hashes.

Victim
RentoMojo
Records
2.2M
Data breachResolved

Genesis Market data breach (2023)

In April 2023, the stolen identity marketplace Genesis Market was shut down by the FBI and a coalition of law enforcement agencies across the globe in "Operation Cookie Monster".

Victim
Genesis Market
Records
8.0M
Data breachResolved

Tigo data breach (2023)

In Mid-2023, 300GB of data containing over 100M records from the Chinese video chat platform "Tigo" dating back to March that year was discovered. The data contained over 700k unique names, usernames, email and IP addresses, genders, profile photos and private messages.

Victim
Tigo
Records
700.4K
Supply chainResolved

3CX supply-chain attack (DPRK)

North Korea-linked actors trojanized the 3CXDesktopApp softphone client, distributing the SmoothOperator malware through a legitimately-signed update to a customer base of over 600,000 organizations — the first documented cascading software supply-chain compromise, itself enabled by a prior breach of trading software X_TRADER.

Victim
3CX (3CXDesktopApp customers)
Data breachResolved

MediaWorks data breach (2023)

In March 2024, millions of rows of data from the New Zealand media company MediaWorks was publicly posted to a popular hacking forum. The incident exposed 163k unique email addresses provided by visitors who filled out online competitions and included names, physical addresses, phone numbers, dates…

Victim
MediaWorks
Records
162.7K
Data breachResolved

DC Health Link data breach (2023)

In March 2023, DC Health Link discovered a data breach that was later publicly posted to a popular data breach forum. The impacted data included 48k unique email addresses alongside names, genders, dates of birth, home addresses, phone numbers and social security numbers.and "IntelBroker".

Victim
DC Health Link
Records
48.1K
Data breachResolved

CityJerks data breach (2023)

In early 2023, the "mutual masturbation" website CityJerks suffered a data breach that exposed 177k unique email addresses. The breach also included data from the TruckerSucker "dating app for REAL TRUCKERS and REAL MEN" with the combined corpus of data also exposing usernames, IP addresses, dates…

Victim
CityJerks
Records
177.6K
Data breachResolved

TheGradCafe data breach (2023)

In February 2023, the grad school admissions search website TheGradCafe suffered a data breach that disclosed the personal records of 310k users. The data included email addresses, names and usernames, genders, geographic locations and passwords stored as bcrypt hashes.

Victim
TheGradCafe
Records
311.0K
Data breachResolved

Phished Data via CERT Poland data breach (2023)

In August 2023, CERT Poland observed a phishing campaign that collected credentials from 68k victims. The campaign collected email addresses and passwords via a phishing email masquerading as a purchase order confirmation.

Victim
Phished Data via CERT Poland
Records
67.9K
Data breachResolved

HDB Financial Services data breach (2023)

In March 2023, the Indian non-bank lending unit HDB Financial Services suffered a data breach that disclosed over 70M customer records. Containing 1.6M unique email addresses, the breach also disclosed names, dates of birth, phone numbers, genders, post codes and loan information belonging to the…

Victim
HDB Financial Services
Records
1.7M
fraudinvestigating

Flutterwave unauthorized-transfer incidents

Nigeria's largest fintech suffered a series of unauthorized-transfer incidents in 2023, including a ₦2.9 billion ($4.2M) diversion across 28 accounts and a later ₦19 billion ($24M) loss via abused POS-merchant access, prompting Mareva injunctions to freeze thousands of beneficiary accounts.

Victim
Flutterwave
Loss
$24.0M
Data breachResolved

The Kodi Foundation data breach (2023)

In February 2023, The Kodi Foundation suffered a data breach that exposed more than 400k user records. Attributed to an account belonging to "a trusted but currently inactive member of the forum admin team", the breach involved the administrator account creating a database backup that was…

Victim
The Kodi Foundation
Records
400.6K
RansomwareContained

Indigo Books LockBit ransomware

LockBit affiliates encrypted Canada's largest bookseller, taking the website and in-store payment systems offline for weeks. Indigo publicly refused the ransom; LockBit published employee personal data.

Victim
Indigo Books & Music Inc.
Loss
$40.0M
Records
5.0K
Data breachResolved

Convex data breach (2023)

In February 2023, the Russian telecommunications provider Convex was hacked by "Anonymous" who subsequently released 128GB of data publicly, alleging it revealed illegal government surveillance. The leaked data contained 150k unique email, IP and physical addresses, names and phone numbers.

Victim
Convex
Records
150.1K
Data breachResolved

Terravision data breach (2023)

In February 2023, the European airport transfers service Terravision suffered a data breach. The breach exposed over 2M records of customer data including names, phone numbers, email addresses, salted password hashes and in some cases, date of birth and country of origin.

Victim
Terravision
Records
2.1M
Data breachResolved

Eye4Fraud data breach (2023)

In February 2023, data alleged to have been taken from the fraud protection service Eye4Fraud was listed for sale on a popular hacking forum. Spanning tens of millions of rows with 16M unique email addresses, the data was spread across 147 tables totalling 65GB and included both direct users of the…

Victim
Eye4Fraud
Records
16.0M
Data breachResolved

Duolingo data breach (2023)

In August 2023, 2.6M records of data scraped from Duolingo were broadly distributed on a popular hacking forum. Obtained by enumerating a vulnerable API, the data had earlier appeared for sale in January 2023 and contained email addresses, names, the languages being learned, XP (experience points),…

Victim
Duolingo
Records
2.7M
Data breachResolved

School District 42 data breach (2023)

In January 2023, Pitt Meadows School District 42 in British Columbia suffered a data breach. The incident exposed the names and email addresses of approximately 19k students and staff which were consequently redistributed on a popular hacking forum.

Victim
School District 42
Records
18.9K
Data breachResolved

Planet Ice data breach (2023)

In January 2023, the UK-based ice skating rink booking service Planet Ice suffered a data breach. The incident exposed the personal data of 240k people including email and physical addresses, phone numbers, genders, dates of birth and passwords stored as MD5 hashes.

Victim
Planet Ice
Records
240.5K
Data breachResolved

Zurich data breach (2023)

In January 2023, the Japanese arm of Zurich insurance suffered a data breach that exposed 2.6M customer records with over 756k unique email addresses. The data was subsequently posted to a popular hacking forum and also included names, genders, dates of birth and details of insured vehicles.

Victim
Zurich
Records
756.7K
Data breachResolved

Autotrader data breach (2023)

In January 2023, 1.4M records from the Autotrader online vehicle marketplace appeared on a popular hacking forum. Autotrader stated that the "data in question relates to aged listing data that was generally publicly available on our site at the time and open to automated collection methods".

Victim
Autotrader
Records
20.0K
Data breachResolved

iD Tech data breach (2023)

In February 2023, the tech camps for kids service iD Tech had almost 1M records posted to a popular hacking forum. The data included 415k unique email addresses, names, dates of birth and plain text passwords which appear to have been breached in the previous month.

Victim
iD Tech
Records
415.1K
Data breachResolved

RailYatri data breach (2022)

In December 2022, India’s government-approved online travel agency RailYatri suffered a data breach. The incident impacted over 31M customers and exposed 23M unique email addresses. Also impacted were names, genders, phone numbers and tickets purchased, including travel information and fares.

Victim
RailYatri
Records
23.2M
RansomwareResolved

SickKids hospital ransomware attack

Toronto's Hospital for Sick Children was hit by a ransomware attack over the December 2022 holidays that delayed lab and imaging results; in a rare move, the LockBit gang apologized, blamed a rogue affiliate, and released a free decryptor.

Victim
The Hospital for Sick Children (SickKids)
Data breachResolved

Gemini data breach (2022)

In late 2022, a hacker posted a data set to a public hacking forum which they alleged was sourced from the Gemini crypto exchange, a claim that was later proven to be false as the data was traced back to an incident at a third-party vendor.

Victim
Gemini
Records
5.3M
RansomwareResolved

EPM BlackCat ransomware attack

The BlackCat/ALPHV ransomware gang crippled Colombia's largest public utility, Empresas Públicas de Medellín, forcing 4,000 staff to work offline and disrupting electricity, water, and gas billing across 123 municipalities.

Victim
Empresas Públicas de Medellín (EPM)
Data breachResolved

SevenRooms data breach (2022)

In December 2022, over 400GB of data belonging to restaurant customer management platform SevenRooms was posted for sale to a popular hacking forum. The data included 1.2M unique email addresses alongside names and purchases.

Victim
SevenRooms
Records
1.2M
Data breachResolved

Activision data breach (2022)

In December 2022, attackers socially engineered an Activision HR employee into disclosing information which led to the breach of almost 20k employee records. The data contained 16k unique email addresses along with names, phone numbers, job titles and the office location of the employee.

Victim
Activision
Records
16.0K
Data breachResolved

GunAuction.com data breach (2022)

In December 2022, the online firearms auction website GunAuction.com suffered a data breach which was later discovered left unprotected on the hacker's server.

Victim
GunAuction.com
Records
565.5K
Data breachResolved

CoinTracker data breach (2022)

In December 2022, the Crypto & NFT taxes service CoinTracker reported a data breach that impacted over 1.5M of their customers. The company later attributed the breach to a compromise SendGrid in an attack that targeted multiple customers of the email provider.

Victim
CoinTracker
Records
1.6M
Data breachResolved

BreachForums data breach (2022)

In November 2022, the well-known hacking forum "BreachForums" was itself, breached. Later the following year, the operator of the website was arrested and the site seized by law enforcement agencies.

Victim
BreachForums
Records
212.2K
Data breachResolved

Movie Forums data breach (2022)

In December 2022, the Movie Forums website suffered a data breach that affected 40k users. The breach exposed email and IP addresses, usernames, dates of birth and passwords stored as easily crackable salted MD5 hashes. The data was subsequently posted a popular clear web hacking forum.

Victim
Movie Forums
Records
39.9K
RansomwareContained

AIIMS Delhi ransomware

Ransomware encrypted the All India Institute of Medical Sciences in New Delhi — India's most prestigious public hospital — taking patient registration and clinical records offline for two weeks during peak winter patient load.

Victim
All India Institute of Medical Sciences (AIIMS) New Delhi
Loss
$15.0M
Data breachResolved

Avito data breach (2022)

In November 2022, the Moroccan e-commerce service Avito suffered a data breach that exposed the personal information of 2.7M customers. The data included name, email, phone, IP address and geographic location.

Victim
Avito
Records
2.7M
Data breachResolved

Washington State Food Worker Card data breach (2022)

In June 2023, the Tacoma-Pierce County Health Department announced a data breach of their Washington State Food Worker Card online training system. The breach was published to a popular hacking forum the year before and dated back to a 2018 database backup.

Victim
Washington State Food Worker Card
Records
1.6M
Data breachResolved

Abandonia (2022) data breach (2022)

In November 2022, the gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in the exposure of 920k unique user records. This breach was in addition to another one 7 years earlier in 2015.

Victim
Abandonia (2022)
Records
919.8K
Data breachResolved

MyPertamina data breach (2022)

In November 2022, the Indonesian oil and gas company Pertamina suffered a data breach of their MyPertamina service. The incident exposed 44M records with 6M unique email addresses along with names, dates of birth, genders, physical addresses and purchases.

Victim
MyPertamina
Records
6.0M
Data breachResolved

RealDudesInc data breach (2022)

In October 2022, the GTA mod menu provider RealDudesInc suffered a data breach that exposed over 100k email addresses (many of which are temporary guest account addresses). The breach also included usernames and bcrypt password hashes.

Victim
RealDudesInc
Records
101.5K
Data breachResolved

Doomworld data breach (2022)

In October 2022, the Doomworld fourm suffered a data breach that exposed 34k member records. The data included email and IP addresses, usernames and bcrypt password hashes.

Victim
Doomworld
Records
34.5K
Data breachResolved

Locally data breach (2022)

In October 2022, "The Industry's Leading Online-to-Offline Shopping Solution" Locally suffered a data breach. Whilst Locally acknowledged the breach privately, it's unknown whether impacted customers were subsequently notified of the incident which exposed over 362k names, phone numbers, email and…

Victim
Locally
Records
362.6K
Data breachResolved

ClickASnap data breach (2022)

In September 2022, the online photo sharing platform ClickASnap suffered a data breach. The incident exposed almost 3.3M personal records including email addresses, usernames and passwords stored as SHA-512 hashes.

Victim
ClickASnap
Records
3.3M
Data breachResolved

Traderie data breach (2022)

In September 2022, the in-game trading marketplace Traderie suffered a data breach that exposed almost 400k records (this preceded a subsequent breach the following year). The incident exposed email and IP addresses, usernames and links to social media profiles.

Victim
Traderie
Records
364.9K
Data breachResolved

Get Revenge On Your Ex data breach (2022)

In September 2022, the revenge website Get Revenge On Your Ex suffered a data breach that exposed almost 80k unique email addresses. The data spanned both customers and victims including names, IP and physical addresses, phone numbers, purchase histories and plain text passwords.

Victim
Get Revenge On Your Ex
Records
79.2K
Data breachResolved

APK.TW data breach (2022)

In September 2022, the Taiwanese Android forum APK.TW suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed 2.5M unique email addresses along with IP addresses, usernames and salted MD5 password hashes.

Victim
APK.TW
Records
2.5M
Data breachResolved

Wakanim data breach (2022)

In August 2022, the European streaming service Wakanim suffered a data breach which was subsequently advertised and sold on a popular hacking forum. The breach exposed 6.7M customer records including email, IP and physical addresses, names and usernames.

Victim
Wakanim
Records
6.7M
RansomwareResolved

TAP Air Portugal ransomware breach

The Ragnar Locker ransomware gang breached Portugal's flag carrier, exfiltrating and later publishing 581 GB of data on roughly 1.5 million customers, exposing names, dates of birth, addresses and contact details for over 5 million email accounts.

Victim
TAP Air Portugal
Records
1.5M
RansomwareResolved

SERNAC government ransomware attack

Ransomware encrypted the Microsoft and VMware ESXi servers of Chile's National Consumer Service (SERNAC), disrupting its systems and online services and prompting the government CSIRT to issue a state-wide cybersecurity alert.

Victim
Servicio Nacional del Consumidor (SERNAC)
Data breachResolved

Brand New Tube data breach (2022)

In August 2022, the streaming website Brand New Tube suffered a data breach that exposed the personal information of almost 350k subscribers. The impacted data included email and IP addresses, usernames, genders, passwords stored as unsalted SHA-1 hashes and private messages.

Victim
Brand New Tube
Records
349.6K
Data breachResolved

Latest Pilot Jobs data breach (2022)

In August 2022, the Latest Pilot Jobs website suffered a data breach that later appeared on a popular hacking forum before being redistributed as part of a larger corpus of data. The data included 119k unique email addresses along with names, usernames and unsalted MD5 password hashes.

Victim
Latest Pilot Jobs
Records
118.9K
Data breachResolved

GGCorp data breach (2022)

In August 2022, the MMORPG website GGCorp suffered a data breach that exposed almost 2.4M unique email addresses. The data also included IP addresses, usernames and MD5 password hashes.

Victim
GGCorp
Records
2.4M
Data breachResolved

iMenu360 data breach (2022)

In approximately late 2022, 3.4M customer records from iMenu360 ("The world's #1 most trusted online ordering platform") were exposed. The data appeared to be from ordering systems using the platform and contained email and physical addresses, latitudes and longitudes, names and phone numbers.

Victim
iMenu360
Records
3.4M
Data breachResolved

Shitexpress data breach (2022)

In August 2022, the online faeces delivery service Shitexpress suffered a data breach that exposed 24k unique email addresses. The addresses spanned invoices, gift cards, promotions and PayPal records.

Victim
Shitexpress
Records
23.8K
RansomwareResolved

Advanced / NHS 111 ransomware attack

A LockBit 3.0 ransomware attack on NHS software supplier Advanced took down the NHS 111 triage service and forced clinicians back to pen and paper, exposing data on tens of thousands of patients and drawing a £3.07 million ICO fine.

Victim
Advanced (Advanced Computer Software Group)
Loss
$27.0M
Records
82.9K
Data breachResolved

DoorDash data breach (2022)

In August 2022, the food ordering and delivery service DoorDash disclosed a data breach that impacted a portion of their customers. DoorDash attributed the breach to an unnamed "third-party vendor" they stated was the victim of a phishing campaign.

Victim
DoorDash
Records
367.5K
EspionageResolved

Greek Predatorgate surveillance scandal

Greece's 'Predatorgate' wiretapping scandal exposed the use of Intellexa/Cytrox's Predator spyware and parallel legal surveillance against journalists, politicians and officials, toppling intelligence chiefs and ending in landmark 2026 convictions.

Victim
Greek journalists, politicians and state officials
Data breachResolved

Didi Global data security enforcement case

China's cyberspace regulator fined ride-hailing giant Didi Global RMB 8.026 billion (about $1.2 billion) after a year-long review found 16 violations of the Cybersecurity Law, Data Security Law and Personal Information Protection Law, including the illegal collection of facial-recognition, location and clipboard data from hundreds of millions of riders and drivers.

Victim
Didi Global
Loss
$1.20B
Data breachResolved

Exvagos data breach (2022)

In July 2022, the direct download website Exvagos suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed 2.1M unique email addresses along with IP addresses, usernames, dates of birth and MD5 password hashes.

Victim
Exvagos
Records
2.1M
Data breachResolved

Hjedd data breach (2022)

In July 2022, the Chinese adult website Hjedd was found to be leaking more than 13M customer records which subsequently appeared on a popular hacking forum. The exposed data included email and IP addresses, usernames and passwords stored as bcrypt hashes.

Victim
Hjedd
Records
13.2M
WiperContained

Albania HomeLand Justice destructive wiper (Iran MOIS, 2022)

Iran's Ministry of Intelligence and Security, operating as 'HomeLand Justice', spent 14 months dwelling in Albanian government networks before launching ransomware-style file encryption and disk-wiping malware. Albania suspended online public services and became the first country in history to sever diplomatic ties with another state over a cyberattack.

Victim
Government of Albania
Data breachResolved

OGUsers (2022 breach) data breach (2022)

In July 2022, the account hijacking and SIM swapping forum OGusers suffered a data breach, the fifth since December 2018. The breach contained usernames, email and IP addresses and passwords stored as argon2 hashes. A total of 529k unique email addresses appeared in the breach.

Victim
OGUsers (2022 breach)
Records
529.0K
Data breachResolved

Weee data breach (2022)

In February 2023, data belonging to the Asian and Hispanic food delivery service Weee appeared on a popular hacking forum. Dating back to mid-2022, the data included 1.1M unique email addresses from 11M rows of orders containing names, phone numbers and delivery instructions.

Victim
Weee
Records
1.1M
Data breachResolved

Vultr data breach (2022)

In March 2023, the "AI-first global cloud platform" Vultr disclosed a security incident at a third-party vendor. Dating back to the previous year, the incident was attributed to the ActiveCampaign email marketing service provider and resulted in the exposure of 188k unique email addresses.

Victim
Vultr
Records
187.9K
Data breachunresolved

Shanghai National Police database leak

An exposed Shanghai Public Security Bureau database left a hacker known as 'ChinaDan' offering 23 terabytes of data on roughly 1 billion Chinese residents — names, national ID numbers, phone numbers, addresses and police case records — for 10 bitcoin, in what is widely regarded as the largest government data breach in Chinese history.

Victim
Shanghai National Police (Shanghai Public Security Bureau)
Records
1.00B
Data breachResolved

Adopt Me Trading Values data breach (2022)

In July 2022, the Adopt Me Trading Values website for assessing the value of pet trades within the "Adopt Me!" Roblox game suffered a data breach that was later redistributed as part of a larger corpus of data.

Victim
Adopt Me Trading Values
Records
86.1K
sabotageunresolved

Iranian steel plants cyber-sabotage

Predatory Sparrow compromised industrial control systems at three major Iranian steelmakers, halting production and — in CCTV footage the group released — causing a machine at Khouzestan Steel to spew molten metal and fire across the factory floor.

Victim
Khouzestan Steel, Mobarakeh Steel & Hormozgan Steel
Data breachResolved

Altenen data breach (2022)

In June 2022, the malicious "carding" (referring to credit card fraud) website Altenen suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 1.3M unique email addresses, usernames, bcrypt password hashes and cryptocurrency wallet addresses.

Victim
Altenen
Records
1.3M
Data breachResolved

Disk Union data breach (2022)

In June 2022, the Japanese record chain store Disk Union suffered a data breach. The incident exposed 690k unique email addresses along with names, post codes, phone numbers and plain text passwords.

Victim
Disk Union
Records
690.7K
Data breachResolved

MemeChat data breach (2022)

In mid-2022, "the ultimate hub of memes" MemeChat suffered a data breach that exposed 7.4M records. Alleged to be due to a misconfigured Elasticsearch instance, the data contained 4.3M unique email addresses alongside usernames.

Victim
MemeChat
Records
4.3M
Data breachResolved

TNAFlix data breach (2022)

In June 2022, the adult website TNAFlix suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 1.4M records of email and IP addresses, usernames and plain text passwords.

Victim
TNAFlix
Records
1.4M
RansomwareResolved

CCSS Hive ransomware attack

The Hive ransomware group crippled Costa Rica's national public-health insurer, the CCSS, encrypting more than 800 servers, forcing hospitals back to paper, and cancelling tens of thousands of medical appointments.

Victim
Caja Costarricense de Seguro Social (CCSS)
Data breachResolved

WiredBucks data breach (2022)

In May 2022, the now defunct social media influencer platform WiredBucks suffered a data breach that was later redistributed as part of a larger corpus of data.

Victim
WiredBucks
Records
918.5K
Data breachResolved

QuestionPro data breach (2022)

In May 2022, the survey website QuestionPro was the target of an extortion attempt relating to an alleged data breach. Over 100GB of data containing 22M unique email addresses (some of which appear to be generated by the platform), are alleged to have been extracted from the service along with IP…

Victim
QuestionPro
Records
22.2M
Data breachResolved

Mangatoon data breach (2022)

In May 2022, the Hong Kong based Manga service Mangatoon suffered a data breach that exposed 23M subscriber records. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and passwords stored as salted MD5 hashes.

Victim
Mangatoon
Records
23.0M
Data breachResolved

BlackBerry Fans data breach (2022)

In May 2022, the Chinese BlackBerry enthusiasts website BlackBerry Fans suffered a data breach that exposed 174k member records. The impacted data included usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
BlackBerry Fans
Records
174.2K
Data breachResolved

Gemotest medical laboratory data breach

A database from Russian medical-testing chain Gemotest was offered on a hacking forum, with sellers claiming data on 31 million clients — names, passport and insurance numbers, dates of birth, addresses, phone numbers and email addresses. Have I Been Pwned later indexed about 6.3 million unique email addresses from the leak.

Victim
Gemotest
Records
31.0M
Data breachResolved

Fanpass data breach (2022)

In April 2022, the UK based website for buying and selling soccer tickets Fanpass suffered a data breach which exposed 112k customer records. Impacted data includes names, phone numbers, physical addresses, purchase histories and salted password hashes.

Victim
Fanpass
Records
112.3K
Data breachResolved

PaySystem.tech data breach (2022)

In mid-2022, data alleged to have been sourced from the Russian payment provider PaySystem.tech appeared in hacking circles where it was made publicly available for download.

Victim
PaySystem.tech
Records
1.4M
RansomwareContained

Conti ransomware attack on the Government of Costa Rica

Conti encrypted 27 Costa Rican government institutions including the Ministry of Finance, paralyzing tax collection and customs for months. President Chaves declared a national emergency — the first cyber-incident state of emergency in history.

Victim
Government of Costa Rica (27 institutions incl. Ministry of Finance, Customs, Social Security)
Loss
$130.0M
Data breachResolved

E-Pal data breach (2022)

In October 2022, the service dedicated to finding friends on Discord known as E-Pal disclosed a data breach. The compromised data included over 100k unique email addresses and usernames spanning approximately 1M orders. The data was subsequently distributed via a popular hacking forum.

Victim
E-Pal
Records
108.9K
Data breachResolved

PayHere data breach (2022)

In late March 2022, the Sri Lankan payment gateway PayHere suffered a data breach that exposed more than 65GB of payment records including over 1.5M unique email addresses.

Victim
PayHere
Records
1.6M
RansomwareResolved

Hellenic Post (ELTA) ransomware attack

A ransomware attack attributed to the Vice Society gang paralysed Greece's national postal operator ELTA for roughly eight days, halting financial services and pension payments, with data later leaked and a €2.99 million GDPR fine in 2024.

Victim
Hellenic Post (ELTA)
Loss
$3.2M
Data breachResolved

Viva Air data breach (2022)

In March 2022, the now defunct Colombian airline Viva Air suffered a data breach and subsequent ransomware attack. Among a trove of other ransomed data, the incident exposed a log of 2.6M transactions with 932k unique email addresses, physical and IP addresses, names, phone numbers and partial…

Victim
Viva Air
Records
932.2K
Data breachResolved

CDEK data breach (2022)

In early 2022, a collective known as IT Army whose stated goal is to "completely de-anonymise most Russian users by leaking hundreds of gigabytes of databases" published over 30GB of data allegedly sourced from Russian courier service CDEK.

Victim
CDEK
Records
19.2M
RansomwareResolved

Rompetrol Hive ransomware attack

The Hive ransomware gang hit Rompetrol, operator of Romania's largest oil refinery Petromidia, demanding a $2 million ransom and knocking out the Fill&Go payment service and corporate websites while refinery operations continued.

Victim
Rompetrol (KMG International)
Data breachResolved

CraftRise data breach (2022)

In May 2023, news broke of a data breach of the Turkish Minecraft server known as CraftRise. The data of over 2.5M users was subsequently shared on a popular hacking forum and included email addresses, usernames, geographic locations and plain text passwords.

Victim
CraftRise
Records
2.5M
Insider threatResolved

Yandex.Eda customer data leak

Yandex's food-delivery service Yandex.Eda leaked the names, phone numbers, addresses, intercom codes and order details of more than 58,000 customers, which were later mapped onto an interactive public website. Russian regulator Roskomnadzor opened a case and a Moscow court fined the company 60,000 rubles.

Victim
Yandex.Eda
Loss
$700
Records
58.0K
Data breachResolved

Explore Talent (July 2024) data breach (2022)

In July 2024, a data breach attributed to Explore Talent was publicly posted to a popular hacking forum. Containing 5.7M rows with 5.4M unique email addresses, the incident has been described by various sources as occurring between early 2022 to 2023 and also contains names, phone numbers and…

Victim
Explore Talent (July 2024)
Records
5.4M
WiperContained

Viasat KA-SAT AcidRain wiper

One hour before Russia's invasion of Ukraine, Sandworm operators deployed the AcidRain wiper against Viasat KA-SAT satellite modems, bricking ~30,000 European terminals and 5,800 German wind turbines and disabling Ukrainian military command-and-control.

Victim
Viasat KA-SAT (subscribers across Ukraine and Europe)
Loss
$100.0M
Data breachResolved

NVIDIA data breach (2022)

In February 2022, microchip company NVIDIA suffered a data breach that exposed employee credentials and proprietary code. Impacted data included over 70k employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.

Victim
NVIDIA
Records
71.3K
Data breachResolved

A1 Hrvatska data breach

Croatian mobile carrier A1 Hrvatska disclosed unauthorized access to a customer database exposing the names, personal identification numbers, addresses and phone numbers of roughly 200,000 subscribers — about 10% of its customer base.

Victim
A1 Hrvatska
Records
200.0K
Data breachResolved

GiveSendGo data breach (2022)

In February 2022, the Christian fundraising service GiveSendGo suffered a data breach which exposed the personal data of 90k donors to the Canadian "Freedom Convoy" protest against vaccine mandates.

Victim
GiveSendGo
Records
90.0K
Data breachResolved

Leaked Reality data breach (2022)

In January 2022, the now defunct uncensored video website Leaked Reality suffered a data breach that exposed 115k unique email addresses. The data also included usernames, IP addresses and passwords stored as either MD5 or phpass hashes.

Victim
Leaked Reality
Records
114.9K
Data breachResolved

MacGeneration data breach (2022)

In January 2022, the French Apple news website MacGeneration suffered a data breach. The incident exposed over 100k usernames, email addresses and passwords stored as salted SHA-512 hashes. After discovering the incident, MacGeneration self-submitted data to HIBP.

Victim
MacGeneration
Records
101.0K
Data breachResolved

Sundry Files data breach (2022)

In January 2022, the now defunct file upload service Sundry Files suffered a data breach that exposed 274k unique email addresses. The data also included usernames, IP addresses and passwords stored as salted SHA-256 hashes.

Victim
Sundry Files
Records
274.5K
WiperResolved

WhisperGate wiper attack

On the eve of Russia's invasion, a destructive wiper disguised as ransomware corrupted master boot records and files across dozens of Ukrainian government, IT and non-profit organisations, defacing official websites and signalling the cyber dimension of the coming war.

Victim
Ukrainian government, IT and non-profit organisations
Data breachResolved

Doxbin data breach (2022)

In January 2022, the "doxing" website designed to disclose the personal information of targeted individuals ("doxes") Doxbin suffered a data breach. The breach was subsequently leaked online and included over 370k unique email addresses across user accounts and doxes.

Victim
Doxbin
Records
370.8K
RansomwareResolved

Impresa media group ransomware attack

The Lapsus$ group seized the Amazon Web Services account of Impresa, Portugal's largest media conglomerate, knocking the Expresso newspaper and SIC television channels offline, defacing their websites and hijacking Expresso's verified Twitter account in what authorities called the country's largest ransomware attack.

Victim
Impresa (Expresso / SIC)
Data breachResolved

Twitter data breach (2022)

In January 2022, a vulnerability in Twitter's platform allowed an attacker to build a database of the email addresses and phone numbers of millions of users of the social platform.

Victim
Twitter
Records
6.7M
RansomwareResolved

Amedia ransomware attack

A ransomware attack encrypted the central systems of Amedia, Norway's largest local-newspaper group, halting presses and disrupting subscription and advertising systems for more than 70 titles serving around 2 million readers. Amedia refused to pay.

Victim
Amedia
Data breachResolved

Carding Mafia (December 2021) data breach (2021)

In December 2021, the Carding Mafia forum suffered a data breach that exposed over 300k members' email addresses. Dedicated to the theft and trading of stolen credit cards, the forum breach also exposed usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Carding Mafia (December 2021)
Records
303.9K
Data breachResolved

FlexBooker data breach (2021)

In December 2021, the online booking service FlexBooker suffered a data breach that exposed 3.7 million accounts. The data included email addresses, names, phone numbers and for a small number of accounts, password hashes and partial credit card data.

Victim
FlexBooker
Records
3.8M
Zero-dayResolved

Log4Shell (Apache Log4j CVE-2021-44228)

A trivially exploitable remote code execution flaw in Apache Log4j 2, the ubiquitous Java logging library, scored a maximum CVSS 10.0 and exposed hundreds of millions of devices and applications worldwide to instant takeover via a single crafted log string.

Victim
Global (Apache Log4j users worldwide)
Data breachResolved

RedLine Stealer data breach (2021)

In December 2021, logs from the RedLine Stealer malware were left publicly exposed and were then obtained by security researcher Bob Diachenko. The data included 441 thousand unique email addresses, usernames and plain text passwords.

Victim
RedLine Stealer
Records
441.7K
Data breachResolved

Aditya Birla Fashion and Retail data breach (2021)

In December 2021, Indian retailer Aditya Birla Fashion and Retail Ltd was breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4M unique email addresses was subsequently dumped publicly on a popular hacking forum the next month.

Victim
Aditya Birla Fashion and Retail
Records
5.5M
Data breachResolved

Travelio data breach (2021)

In November 2021, the Indonesian real estate website Travelio suffered a data breach that exposed over 470k customer accounts. The data included email addresses, names, password hashes, phone numbers and for some accounts, dates of birth, physical address and Facebook auth tokens.

Victim
Travelio
Records
471.4K
Data breachResolved

ZAP-Hosting data breach (2021)

In November 2021, web host ZAP-Hosting suffered a data breach that exposed over 60GB of data containing 746k unique email addresses. The breach also contained support chat logs, IP addresses, names, purchases, physical addresses and phone numbers.

Victim
ZAP-Hosting
Records
746.7K
Data breachResolved

Stripchat data breach (2021)

In November 2021, the live sex cams and adult chat website Stripchat left several databases exposed and unsecured. In June the following year, over 10M Stripchat records appeared on a popular hacking forum. The exposed data included usernames, email addresses and IP addresses.

Victim
Stripchat
Records
10.0M
Data breachResolved

Robinhood data breach (2021)

In November 2021, the online trading platform Robinhood suffered a data breach after a customer service representative was socially engineered. The incident exposed over 5M customer email addresses and 2M customer names.

Victim
Robinhood
Records
5.0M
Data breachResolved

BTC-Alpha data breach (2021)

In November 2021, the crypto exchange platform BTC-Alpha suffered a ransomware attack data breach after which customer data was publicly dumped. The impacted data included 362k email and IP addresses, usernames and passwords stored as PBKDF2 hashes.

Victim
BTC-Alpha
Records
362.4K
Data breachResolved

CyberServe data breach (2021)

In October 2021, the Israeli hosting provider CyberServe was breached and ransomed before having a substantial amount of their customer data leaked publicly by a group known as "Black Shadow". Amongst the data was the LGBTQ dating site Atraf and the Machon Mor medical institute.

Victim
CyberServe
Records
1.1M
Data breachResolved

JukinMedia data breach (2021)

In October 2021, the "global leader in user-generated entertainment" Jukin Media suffered a data breach. The breach exposed 13GB of code, configuration and data consisting of 314k unique email addresses along with names, phone numbers, IP addresses and bcrypt password hashes.

Victim
JukinMedia
Records
314.3K
sabotageunresolved

Iran nationwide fuel-distribution cyberattack

A cyberattack attributed to Predatory Sparrow disabled the system behind Iran's subsidized-fuel cards, knocking out payment at all 4,300 of the country's gas stations and hijacking highway billboards to taunt Supreme Leader Khamenei.

Victim
National Iranian Oil Products Distribution Company (NIOPDC) — fuel-card network
Data breachResolved

Animeify data breach (2021)

In October 2021, the now defunct Arabic language Anime website Animeify suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 808k unique email addresses along with names, usernames, genders and plain text passwords.

Victim
Animeify
Records
808.0K
Data breachContained

Argentina RENAPER national ID database breach (2021)

An attacker used a compromised government VPN account to query Argentina's RENAPER national ID database for all 45 million Argentines. Photos and ID details for the president, soccer star Lionel Messi, and other public figures were posted to Twitter as proof. The data went on sale on a dark-web forum.

Victim
Registro Nacional de las Personas (RENAPER), Argentina
Records
45.0M
RansomwareResolved

Hillel Yaffe Medical Center ransomware attack

DeepBlueMagic ransomware paralysed Israel's Hillel Yaffe Medical Center, locking every hospital computer system. As a government-owned hospital barred from paying ransom, it ran on paper and alternative systems for weeks, taking roughly two months to fully recover.

Victim
Hillel Yaffe Medical Center
Data breachResolved

RENAPER national ID database breach

A hacker accessed Argentina's RENAPER national identity registry through a stolen government VPN credential, obtaining ID-card data and photographs on the country's entire population of roughly 45 million citizens.

Victim
Registro Nacional de las Personas (RENAPER)
Records
45.0M
Data breachResolved

CoinMarketCap data breach (2021)

During October 2021, 3.1 million email addresses with accounts on the cryptocurrency market capitalisation website CoinMarketCap were discovered being traded on hacking forums.

Victim
CoinMarketCap
Records
3.1M
Data breachResolved

ActMobile data breach (2021)

In October 2021, security researcher Bob Diachenko discovered an exposed database he attributed to ActMobile, the operators of Dash VPN and FreeVPN. The exposed data included 1.6 million unique email addresses along with IP addresses and password hashes, all of which were subsequently leaked on a…

Victim
ActMobile
Records
1.6M
Data breachResolved

Protemps data breach (2021)

In October 2021, the Singaporean recruitment website Protemps suffered a data breach that exposed almost 50,000 unique email addresses. The impacted data includes names, email and physical addresses, phone numbers, passport numbers and passwords stored as unsalted MD5 hashes, among troves of other…

Victim
Protemps
Records
49.6K
Data breachResolved

Fantasy Football Hub data breach (2021)

In October 2021, the fantasy premier league (soccer) website Fantasy Football Hub suffered a data breach that exposed 66 thousand unique email addresses. The data included names, usernames, IP addresses, transactions and passwords stored as WordPress MD5 hashes.

Victim
Fantasy Football Hub
Records
66.5K
Data breachResolved

Fitmart data breach (2021)

In October 2021, data from the German fitness supplies store Fitmart was obtained and later redistributed online. The data included 214k unique email addresses accompanied by plain text passwords, allegedly "dehashed" from the original stored version.

Victim
Fitmart
Records
214.5K
Data breachResolved

Epik data breach (2021)

In September 2021, the domain registrar and web host Epik suffered a significant data breach, allegedly in retaliation for hosting alt-right websites. The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who…

Victim
Epik
Records
15.0M
Data breachResolved

Republican Party of Texas data breach (2021)

In September 2021, the Republican Party of Texas was hacked by a group claiming to be "Anonymous" in retaliation for the state's controversial abortion ban. The September defacement was followed by a leak of data and documents which included material from the hosting provider Epik.

Victim
Republican Party of Texas
Records
72.6K
Data breachResolved

Dennis Kirk data breach (2021)

In October 2024, almost 20GB of data containing 1.3M unique email addresses from motorcycle supplies store Dennis Kirk was circulated. Dating back to September 2021, the data also contained purchases from the online store along with customer names, phone numbers and postcodes.

Victim
Dennis Kirk
Records
1.4M
Data breachResolved

DatPiff data breach (2021)

In late 2021, email address and plain text password pairs from the rap mixtape website DatPiff appeared for sale on a popular hacking forum. The data allegedly dated back to an earlier breach and in total, contained almost 7.5M email addresses and cracked password pairs.

Victim
DatPiff
Records
7.5M
Data breachResolved

AT&T data breach (2021)

A dataset dating to August 2021 — names, addresses, phone numbers, and encrypted SSNs and dates of birth — resurfaced in March 2024 and was leaked for free, with AT&T eventually confirming ~73 million current and former customers were affected.

Victim
AT&T
Records
73.0M
Data breachResolved

Imavex data breach (2021)

In August 2021, the website development company Imavex suffered a data breach that exposed 878 thousand unique email addresses. The data included user records containing names, usernames and password material with some records also containing genders and partial credit card data, including the last…

Victim
Imavex
Records
878.2K
Data breachResolved

Have Fun Teaching data breach (2021)

In August 2021, the teaching resources website Have Fun Teaching suffered a data breach that leaked 80k WooCommerce transactions which were later posted to a popular hacking forum.

Victim
Have Fun Teaching
Records
27.1K
Vulnerability exploitResolved

Pakistan FBR data centre breach

Attackers compromised the data centre of Pakistan's Federal Board of Revenue by exploiting a pirated copy of Microsoft Hyper-V, taking down all tax-authority websites and putting network access for 360 virtual machines up for sale on a Russian dark-web forum.

Victim
Federal Board of Revenue (FBR)
Data breachResolved

Open Subtitles data breach (2021)

In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers' personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

Victim
Open Subtitles
Records
6.8M
Data breachResolved

AndroidLista data breach (2021)

In July 2021, the Android applications and games review site AndroidLista suffered a data breach. The incident exposed 6.6M user records containing email addresses, names, usernames and passwords stored as salted SHA-1 hashes, all of which were subsequently posted to a popular hacking forum.

Victim
AndroidLista
Records
6.6M
RansomwareContained

Transnet 'Death Kitty' ransomware (South Africa, 2021)

A ransomware attack on South Africa's state-owned logistics firm Transnet shut down operations at Durban, Ngqura, Port Elizabeth and Cape Town container terminals, forcing the operator to declare force majeure. Durban — 60% of Southern Africa's containerised trade — reverted to paper-based clearance for cargo for a week.

Victim
Transnet SOC (state-owned freight & port operator)
Data breachResolved

Guntrader data breach (2021)

In July 2021, the United Kingdom based website Guntrader suffered a data breach that exposed 112k unique email addresses. Extensive personal information was also exposed including names, phone numbers, geolocation data, IP addresses and various physical address attributes (cities for all users,…

Victim
Guntrader
Records
112.0K
RansomwareResolved

CNT Ecuador RansomEXX attack

The RansomEXX gang hit Ecuador's state-run telecom CNT, disrupting its payment portal and call centers and claiming to have stolen more than 190 GB of corporate and customer data.

Victim
Corporación Nacional de Telecomunicaciones (CNT EP)
Wiperunresolved

Iranian Railways 'MeteorExpress' wiper attack

A previously unseen wiper named Meteor crippled Iran's national railway network, wiping computers across stations, halting and delaying hundreds of trains, and defacing departure boards with a number for travelers to call: the office of Supreme Leader Khamenei.

Victim
Islamic Republic of Iran Railways (RAI) / Ministry of Roads and Urban Development
Data breachResolved

Qraved data breach (2021)

In July 2021, the Indonesian restaurant website Qraved suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed almost 1M unique email addresses along with names, phone numbers, dates of birth and passwords stored as MD5 hashes.

Victim
Qraved
Records
984.5K
Data breachResolved

Jam Tangan data breach (2021)

In July 2021, the online Indonesian watch store, Jam Tangan (AKA Machtwatch), suffered a data breach that exposed over 400k customer records which were subsequently posted to a popular hacking forum.

Victim
Jam Tangan
Records
434.8K
Data breachResolved

ECCIE data breach (2021)

In January 2021, the adult escort forum ECCIE suffered a data breach which was later posted to a popular hacking forum. The data included 536k user records with email and IP addresses, usernames, dates of birth and salted MD5 password hashes.

Victim
ECCIE
Records
536.9K
Data breachResolved

Short Édition data breach (2021)

In June 2021, the French publishing house of short literature Short Édition suffered a data breach that exposed 505k records. Impacted data included email and physical addresses, names, usernames, phone numbers, dates of birth, genders and passwords stored as either salted SHA-1 or salted SHA-512…

Victim
Short Édition
Records
505.5K
Data breachResolved

HeatGames data breach (2021)

In June 2021, the (now defunct) gaming website HeatGames suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed almost 650k unique email addresses along with IP addresses, country and salted MD5 password hashes.

Victim
HeatGames
Records
647.9K
Data breachResolved

Phoenix data breach (2021)

In mid-2021, the "vintage messaging reborn" service Phoenix suffered a data breach that exposed 75k unique email addresses. The breach also exposed IP addresses, usernames and passwords.

Victim
Phoenix
Records
74.8K
Data breachResolved

START data breach (2021)

In August 2022, news broke of an attack against the Russian streaming service "START". The incident led to the exposure of 44M records containing 7.4M unique email addresses. The impacted data also included the subscriber's country and password hash.

Victim
START
Records
7.5M
Data breachResolved

IndiaMART data breach (2021)

In August 2021, 38 million records from Indian e-commerce company IndiaMART were found being traded on a popular hacking forum. Dated several months earlier, the data included over 20 million unique email addresses alongside names, phone numbers and physical addresses.

Victim
IndiaMART
Records
20.2M
Data breachResolved

Paragon Cheats data breach (2021)

In May 2021, the Grand Theft Auto Online cheats website Paragon Cheats suffered a data breach that lead to the shutdown of the service. The breach exposed 188k customer records including usernames, email and IP addresses.

Victim
Paragon Cheats
Records
188.1K
Supply chainResolved

Air India SITA passenger data breach

A supply-chain compromise of aviation IT provider SITA exposed roughly 4.5 million Air India passengers' names, passport details, ticket data, frequent-flyer numbers, and payment card information collected over nearly a decade of bookings.

Victim
Air India
Records
4.5M
RansomwareContained

HSE Ireland ransomware (Conti)

Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated €100M+.

Victim
Health Service Executive (HSE) of Ireland
Loss
$130.0M
Records
700.0K
Data breachResolved

SirHurt data breach (2021)

In April 2021, the the Roblox cheats website SirHurt suffered a data breach that exposed over 90k customer records. The exposed data included email and IP addresses, usernames and passwords stored as MD5 hashes.

Victim
SirHurt
Records
90.7K
Data breachResolved

Atmeltomo data breach (2021)

In April 2021, "Japan's largest e-mail friend search site" Atmeltomo suffered a data breach that was later sold on a popular hacking forum. The breach exposed 1.3M records with 580k unique email addresses along with usernames, IP addresses and unsalted MD5 password hashes.

Victim
Atmeltomo
Records
580.2K
Data breachResolved

OGUsers (2021 breach) data breach (2021)

In April 2021, the account hijacking and SIM swapping forum OGusers suffered a data breach, the fourth since December 2018. The breach was subsequently sold on a rival hacking forum and contained usernames, email and IP addresses and passwords stored as either salted MD5 or argon2 hashes.

Victim
OGUsers (2021 breach)
Records
348.3K
Data breachResolved

Phone House España data breach (2021)

In April 2021, the Spanish retailer Phone House allegedly suffered a ransomware attack that also exposed significant volumes of customer data. Attributed to the Babuk ransomware, a collection of data alleged to be a subset of a larger corpus was posted to a dark web site and contained 5.2M email…

Victim
Phone House España
Records
5.2M
RansomwareResolved

Phone House Spain ransomware breach

The Babuk ransomware gang breached Spanish mobile retailer The Phone House and leaked roughly 100 GB of customer data — names, ID numbers, bank details and contact information on up to 3 million people — after the company refused to pay.

Victim
The Phone House España
Loss
$7.0M
Records
3.0M
Data breachResolved

Upstox data breach (2021)

In April 2021, Indian brokerage firm Upstox suffered a data breach. The incident exposed extensive personal information on over 100k customers including names, genders, dates of birth, physical addresses, banking information and passwords stored as bcrypt hashes.

Victim
Upstox
Records
111.0K
Data breachResolved

SlideTeam data breach (2021)

In April 2021, the "world’s largest collection of pre-designed presentation slides" SlideTeam had 1.4M records breached and later published to a popular hacking forum the following year.

Victim
SlideTeam
Records
1.5M
Data breachdisputed

MobiKwik data breach

An 8.2TB trove tied to Indian fintech MobiKwik — reportedly covering up to 99 million users with KYC documents, Aadhaar and card details — was advertised for sale on a dark-web forum, in a breach the company repeatedly denied.

Victim
MobiKwik
Records
99.0M
Data breachResolved

KinoKong data breach (2021)

In March 2021, the Russian online streaming service KinoKong suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed over 800k unique email addresses along with names, usernames, IP addresses and MD5 password hashes.

Victim
KinoKong
Records
817.8K
Data breachResolved

Domino's India data breach (2021)

In April 2021, 13TB of compromised Domino's India appeared for sale on a hacking forum after which the company acknowledged a major data breach they dated back to March. The compromised data included 22.5 million unique email addresses, names, phone numbers, order histories and physical addresses.

Victim
Domino's India
Records
22.5M
Data breachResolved

MangaDex data breach (2021)

In March 2021, the manga fan site MangaDex suffered a data breach that resulted in the exposure of almost 3 million subscribers. The data included email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was subsequently circulated within hacking groups.

Victim
MangaDex
Records
3.0M
Data breachResolved

ParkMobile data breach (2021)

In March 2021, the mobile parking app service ParkMobile suffered a data breach which exposed 21 million customers' personal data. The impacted data included email addresses, names, phone numbers, vehicle licence plates and passwords stored as bcrypt hashes.

Victim
ParkMobile
Records
20.9M
Data breachResolved

Air Europa payment-data breach

Spanish airline Air Europa exposed contact and full payment-card data — including CVV codes — on roughly 489,000 customers across 1.5 million records, and was fined €600,000 by the AEPD for weak security and a 41-day notification delay.

Victim
Air Europa
Loss
$648.0K
Records
1.5M
Data breachResolved

Carding Mafia (March 2021) data breach (2021)

In March 2021, the Carding Mafia forum suffered a data breach that exposed almost 300k members' email addresses. Dedicated to the theft and trading of stolen credit cards, the forum breach also exposed usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Carding Mafia (March 2021)
Records
297.7K
Data breachResolved

IDC Games data breach (2021)

In March 2021, 4 million records sourced from IDC Games were shared on a public hacking forum. The data included usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
IDC Games
Records
4.0M
Data breachResolved

Descomplica data breach (2021)

In March 2021, the Brazilian EdTech company Descomplica suffered a data breach which was subsequently posted to a popular hacking forum. The data included almost 5 million email addresses, names, the first 6 and last 4 digits and the expiry date of credit cards, purchase histories and password…

Victim
Descomplica
Records
4.8M
Data breachResolved

Liker data breach (2021)

In March 2021, the self-proclaimed "kinder, smarter social network" Liker suffered a data breach, allegedly in retaliation for the Gab data breach and scraping of data from Parler.

Victim
Liker
Records
465.1K
Data breachResolved

WeLeakInfo data breach (2021)

In March 2021, the Stripe account of the now-defunct WeLeakInfo service was taken over by "pompompurin" after acquiring an expired domain name with an email address used to manage the account.

Victim
WeLeakInfo
Records
11.8K
Data breachResolved

Gab data breach (2021)

In February 2021, the alt-tech social network service Gab suffered a data breach. The incident exposed almost 70GB of data including 4M user accounts, a small number of private chat logs and a list of public groups and public posts made to the service.

Victim
Gab
Records
66.5K
Data breachResolved

SuperVPN & GeckoVPN data breach (2021)

In February 2021, a series of "free" VPN services were breached including SuperVPN and GeckoVPN, exposing over 20M records. The data appeared together in a single file with a small number of records also included from FlashVPN, suggesting that all three brands may share the same platform.

Victim
SuperVPN & GeckoVPN
Records
20.3M
Data breachResolved

Gemplex data breach (2021)

In February 2021, the Indian streaming platform Gemplex suffered a data breach that exposed 4.6M user accounts. The impacted data included device information, names, phone numbers, email addresses and bcrypt password hashes.

Victim
Gemplex
Records
4.6M
Data breachResolved

NurseryCam data breach (2021)

In February 2021, a series of egregiously bad security flaws were identified in the NurseryCam system designed for parents to remotely monitor their children whilst attending nursery. The flaws led to the exposure of over 10k parent records before the service was shut down.

Victim
NurseryCam
Records
10.6K
Insider threatResolved

Yandex mail insider breach

Yandex disclosed that one of three administrators with privileged access to its email service had been selling unauthorized access to user mailboxes, compromising 4,887 inboxes before the company's internal security team detected the abuse during a routine review.

Victim
Yandex
Records
4.9K
Data breachResolved

CityBee data breach (2021)

In February 2021, the Lithuanian car-sharing service CityBee announced they'd suffered a data breach that exposed 110k customers' personal information. The breach exposed names, email addresses, government issued IDs and passwords stored as unsalted SHA-1 hashes.

Victim
CityBee
Records
110.2K
Data breachResolved

KomplettFritid data breach (2021)

In January 2023, the online Norwegian store KomplettFritid was reported as having had a data breach dating back to February 2021. The incident exposed 140k customer records including physical, email and IP addresses, names, phone numbers and passwords.

Victim
KomplettFritid
Records
139.4K
Data breachResolved

Raychat data breach (2021)

In January 2021, the now defunct Iranian social media platform Raychat suffered a data breach that exposed 939 thousand unique email addresses. The data included names, IP addresses, browser user agent strings and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.

Victim
Raychat
Records
939.0K
Data breachResolved

Ducks Unlimited data breach (2021)

In mid-2021, Risk Based Security reported on a database sourced from Ducks Unlimited being traded online. The data dated back to January 2021 and contained 1.3M unique email addresses across both a membership list and a list of website users.

Victim
Ducks Unlimited
Records
1.3M
Data breachResolved

Bookchor data breach (2021)

In January 2021, the Indian book trading website Bookchor suffered a data breach that exposed half a million customer records. The exposed data included email and IP addresses, names, genders, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes.

Victim
Bookchor
Records
498.3K
Data breachResolved

Emotet data breach (2021)

In January 2021, the FBI in partnership with the Dutch NHTCU, German BKA and other international law enforcement agencies brought down the world's most dangerous malware: Emotet.

Victim
Emotet
Records
4.3M
Data breachResolved

Unverified Data Source data breach (2021)

In January 2021, over 11M unique email addresses were discovered by Night Lion Security alongside an extensive amount of personal information including names, physical and IP addresses, phone numbers and dates of birth.

Victim
Unverified Data Source
Records
11.5M
Data breachunresolved

Brazil 223-million mega-leak

The largest personal-data leak in Brazilian history: databases on roughly 223 million people — including names, CPF tax IDs, facial images, salaries and credit scores — surfaced for sale on a dark-web forum, with suspicion pointing at credit-bureau data.

Victim
Brazilian population (credit-bureau-linked databases)
Records
223.0M
Data breachResolved

Oxfam data breach (2021)

In January 2021, Oxfam Australia was the victim of a data breach which exposed 1.8M unique email addresses of supporters of the charity. The data was put up for sale on a popular hacking forum and also included names, phone numbers, addresses, genders and dates of birth.

Victim
Oxfam
Records
1.8M
Data breachResolved

Daily Quiz data breach (2021)

In January 2021, the quiz website Daily Quiz suffered a data breach that exposed over 8 million unique email addresses. The data also included usernames, IP addresses and passwords stored in plain text.

Victim
Daily Quiz
Records
8.0M
Data breachResolved

Bourse des Vols data breach (2021)

In January 2021, the French travel company Bourse des Vols suffered a data breach that exposed 1.46M unique email addresses across more than 1.2k .sql files and over 9GB of data.

Victim
Bourse des Vols
Records
1.5M
Data breachResolved

Date Hot Brunettes data breach (2021)

In January 2021, the now defunct website Date Hot Brunettes which provided a service to "Date Neglected Women Who Can Keep a Secret", suffered a data breach. The incident exposed 1.5M unique email addresses along with IP addresses, usernames, user-entered bios and MD5 password hashes.

Victim
Date Hot Brunettes
Records
1.5M
Data breachResolved

Guns.com data breach (2021)

In January 2021, the firearms website guns.com suffered a data breach. The breach exposed 376k unique email addresses along with names, phone numbers, physical addresses, gun purchases, partial credit card data, dates of birth and passwords stored as bcrypt hashes.

Victim
Guns.com
Records
375.9K
Data breachResolved

WedMeGood data breach (2021)

In January 2021, the Indian wedding planning platform WedMeGood suffered a data breach that exposed 1.3 million customers. The breach exposed 41.5GB of data including email and physical addresses, names, genders, phone numbers and password hashes. The data was provided to HIBP by dehashed.com.

Victim
WedMeGood
Records
1.3M
Data breachResolved

Devil-Torrents.pl data breach (2021)

In early 2021, the Polish torrents website Devil-Torrents.pl suffered a data breach. A subset of the data including 63k unique email addresses and cracked passwords were subsequently socialised on a popular data breach sharing service.

Victim
Devil-Torrents.pl
Records
63.5K
Data breachResolved

Ho. Mobile SIM data breach

The customer database of Ho. Mobile, Vodafone Italy's budget operator, was stolen and offered for sale on the dark web — exposing the personal and SIM data of about 2.5 million Italian subscribers and prompting a mass SIM replacement.

Victim
Ho. Mobile (Vodafone Italy)
Records
2.5M
Data breachResolved

Adecco data breach (2021)

In March 2021, news broke of a massive data breach impacting millions of Adecco customers in South America which was subsequently sold on a popular hacking forum.

Victim
Adecco
Records
4.3M
Data breachResolved

MEO data breach (2020)

In early 2023, a corpus of data sourced from the New Zealand based face mask company MEO was discovered. Dating back to December 2020, the data contained over 8k customer records including names, addresses, phone numbers and passwords stored as MD5 Wordpress hashes.

Victim
MEO
Records
8.2K
Data breachResolved

University of California data breach (2020)

In December 2020, the University of California suffered a data breach due to vulnerability in in a third-party provider, Accellion. The breach exposed extensive personal data on both students and staff including 547 thousand unique email addresses, names, dates of birth, genders, social security…

Victim
University of California
Records
547.4K
Data breachResolved

NetGalley data breach (2020)

In December 2020, the book promotion site NetGalley suffered a data breach. The incident exposed 1.4 million unique email addresses alongside names, usernames, physical and IP addresses, phone numbers, dates of birth and passwords stored as salted SHA-1 hashes.

Victim
NetGalley
Records
1.4M
Data breachResolved

MMG Fusion data breach (2020)

In December 2020, the dental practice management service MMG Fusion was the victim of a data breach which exposed 2.6M unique email addresses. The data also included patient appointments, names, phone numbers, dates of birth, genders and physical addresses.

Victim
MMG Fusion
Records
2.7M
Data breachResolved

DriveSure data breach (2020)

In December 2020, the car dealership service provider DriveSure suffered a data breach. The incident resulted in 26GB of data being downloaded and later shared on a hacking forum. Impacted personal information included 3.6 million unique email addresses, names, phone numbers and physical addresses.

Victim
DriveSure
Records
3.7M
Data breachResolved

Roblox Developer Conference (2023) data breach (2020)

In July 2023, a list of alleged attendees from the 2017-2020 Roblox Developers Conferences was circulated on a forum. The data contained 4k unique email addresses along with names, usernames, dates of birth, phone numbers, physical and IP addresses and T-shirt sizes

Victim
Roblox Developer Conference (2023)
Records
3.9K
Data breachResolved

Travel Oklahoma data breach (2020)

In December 2020, the Oklahoma state Tourism and Recreation Department suffered a data breach. The incident exposed 637k email addresses across a variety of tables including age ranges against brochure orders and dates of birth against contest entries.

Victim
Travel Oklahoma
Records
637.3K
Supply chainContained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers — ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B
Data breachResolved

Capital Economics data breach (2020)

In December 2020, the economic research company Capital Economics suffered a data breach that exposed 263k customer records. The exposed data included email and physical addresses, names, phone numbers, job titles and the employer of impacted customers.

Victim
Capital Economics
Records
263.8K
Data breachResolved

GamingMonk data breach (2020)

In December 2020, India's "largest esports community" GamingMonk (since acquired by and redirected to MPL Esports), suffered a data breach. The incident exposed 655k unique email addresses along with names, usernames, phone numbers, dates of birth and bcrypt password hashes.

Victim
GamingMonk
Records
654.5K
RansomwareResolved

Shirbit insurance breach by Black Shadow

The Black Shadow group breached Israeli insurer Shirbit, stealing ID cards, passports, financial and medical documents, and demanded a bitcoin ransom that escalated toward $1 million. When Shirbit refused, the attackers leaked customer data in stages.

Victim
Shirbit Insurance
Data breachResolved

Wongnai data breach (2020)

In October 2020, 17 previously undisclosed data breaches appeared for sale including the Thai restaurant, hotel and attraction finding service, Wongnai.

Victim
Wongnai
Records
3.9M
Data breachContained

Vastaamo psychotherapy data breach and patient extortion (Finland, 2020)

Records on approximately 33,000 patients of Finnish psychotherapy provider Vastaamo were stolen in 2018 from an unencrypted database with no root password. After failed company-extortion in October 2020, the attacker sent ransom demands to ~30,000 patients directly. Founder later acquitted; Aleksanteri Kivimäki convicted and sentenced to 6 years 3 months.

Victim
Vastaamo (Finnish psychotherapy centre)
Loss
$670.0K
Records
33.0K
Data breachResolved

Playbook data breach (2020)

In September 2021, a publicly accessible PostgresSQL database belonging to the Playbook service was identified. Run by VC firm Plug and Play Ventures, the database had been exposed since October 2020 and contained more than 50 thousand unique email addresses along with names, phone numbers, job…

Victim
Playbook
Records
50.5K
Data breachResolved

bigbasket data breach (2020)

In October 2020, the Indian grocery platform bigbasket suffered a data breach that exposed over 20 million customer records. The data was originally sold before being leaked publicly in April the following year and included email, IP and physical addresses, names, phones numbers, dates of birth…

Victim
bigbasket
Records
24.5M
Data breachResolved

Thingiverse data breach (2020)

In October 2021, a database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community. Dating back to October 2020, the 36GB file contained 228 thousand unique email addresses, mostly alongside comments left on 3D models.

Victim
Thingiverse
Records
228.1K
Data breachResolved

Animal Jam data breach (2020)

In October 2020, the online game for kids Animal Jam suffered a data breach which was subsequently shared through online hacking communities the following month. The data contained 46 million user accounts with over 7 million unique email addresses.

Victim
Animal Jam
Records
7.1M
Data breachResolved

Famm data breach (2020)

In late 2020, the Japanese family photos website Famm suffered a data breach that subsequently exposed 1.3M customer records, including 535k unique email addresses. Impacted data also included names, dates of birth, genders and passwords stored as SHA-256 hashes.

Victim
Famm
Records
535.2K
Data breachResolved

LimeVPN data breach (2020)

In October 2020, the VPN provider LimeVPN suffered a data breach that exposed the personal information of tens of thousands of customers. The data included email, IP and physical addresses, names, phone numbers, purchase histories and passwords stored as salted MD5 hashes.

Victim
LimeVPN
Records
23.3K
Data breachResolved

Pixlr data breach (2020)

In October 2020, the online photo editing application Pixlr suffered a data breach exposing 1.9 million subscribers. Impacted data included names, email addresses, social media profiles, the country signed up from and passwords stored as SHA-512 hashes. The data was provided to HIBP by dehashed.com.

Victim
Pixlr
Records
1.9M
Data breachResolved

Chowbus data breach (2020)

In October 2020, the Asian food delivery app Chowbus suffered a data breach which led to over 800,000 records being emailed to customers. The email contained a link to a CSV file with customer data including physical addresses, names, phone numbers and over 444,000 unique email addresses.

Victim
Chowbus
Records
444.2K
Data breachResolved

Gravatar data scraping (2020)

In October 2020, a researcher disclosed that Gravatar's profile API could be enumerated without rate limiting. 167 million names, usernames, and email-hash records were scraped, and 114 million of the MD5 hashes were cracked to reveal email addresses.

Victim
Gravatar
Records
114.0M
Data breachResolved

GeniusU data breach (2020)

In November 2020, a collection of data breaches were made public including the "Entrepreneur Success Platform", GeniusU. Dating back to the previous month, the data included 1.3M names, email and IP addresses, genders, links to social media profiles and passwords stored as bcrypt hashes.

Victim
GeniusU
Records
1.3M
Data breachResolved

Nitro data breach (2020)

In September 2020, the Nitro PDF service suffered a massive data breach which exposed over 70 million unique email addresses. The breach also exposed names, bcrypt password hashes and the titles of converted documents. The data was provided to HIBP by dehashed.com.

Victim
Nitro
Records
77.2M
Data breachResolved

Eskimi data breach (2020)

In late 2020, the AdTech platform Eskimi suffered a data breach that exposed 26M records with 1.2M unique email addresses. The data included usernames, dates of birth, genders and passwords stored as unsalted MD5 hashes.

Victim
Eskimi
Records
1.2M
Data breachResolved

RaidForums data breach (2020)

In May 2023, 478k user records from the now defunct hacking forum known as "RaidForums" was posted to another hacking forum. The data dated back to September 2020 and included email addresses, usernames, dates of birth, IP addresses and passwords stored as Argon2 hashes.

Victim
RaidForums
Records
478.6K
Data breachResolved

Games Box data breach (2020)

In September 2020, now defunct website Games Box suffered a data breach that was later redistributed as part of a larger corpus of data. The impacted data included 1.4M email addresses alongside usernames, genders, ages and passwords stored as either a hash or plain text.

Victim
Games Box
Records
1.4M
Data breachResolved

Horse Isle data breach (2020)

In June 2020 then again in September that same year, Horse Isle "The Secrent Land of Horses" suffered a data breach. The incident exposed 28k unique email addresses along with names, usernames, IP addresses, genders, purchases and plain text passwords.

Victim
Horse Isle
Records
27.8K
misconfigurationResolved

RedDoorz data breach

A misconfigured cloud database exposed the records of about 5.9 million RedDoorz hotel-booking customers, making it Singapore's largest data breach at the time and drawing a record-context PDPC fine against operator Commeasure.

Victim
RedDoorz (Commeasure Pte Ltd)
Loss
$54.5K
Records
5.9M
Data breachResolved

ShopBack data breach (2020)

In September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by dehashed.com.

Victim
ShopBack
Records
20.5M
Data breachResolved

Shopper+ data breach (2020)

In March 2023, "Canada's online shopping mall" Shopper+ disclosed a data breach discovered on a public hacking forum. The breach dated back to September 2020 and included 878k customer records with email and physical addresses, names, phone numbers and in some cases, genders and dates of birth.

Victim
Shopper+
Records
878.3K
RansomwareResolved

K-Electric NetWalker ransomware attack

NetWalker ransomware crippled the billing and online systems of Karachi's sole electricity supplier and demanded a $3.85 million ransom that would double to $7.7 million; when K-Electric refused, the gang dumped an 8.5 GB archive of stolen data online.

Victim
K-Electric
Social engineeringResolved

Service NSW data breach

A phishing campaign compromised 47 Service NSW staff email accounts, exposing 738 GB of data and roughly 3.8 million documents; about 104,000 customers had personal information including driver's licences and birth certificates stolen.

Victim
Service NSW
Records
738.0K
RansomwareResolved

BancoEstado REvil ransomware attack

REvil (Sodinokibi) ransomware encrypted roughly 14,000 workstations at BancoEstado, one of Chile's largest banks, forcing it to close all branches nationwide for a day while ATMs, online banking, and customer funds were kept unaffected by network segmentation.

Victim
BancoEstado
Data breachResolved

RedDoorz data breach (2020)

In September 2020, the hotel management & booking platform RedDoorz suffered a data breach that exposed over 5.8M user accounts. The breached data included names, email addresses, phone numbers, genders, dates of birth and passwords stored as bcrypt hashes.

Victim
RedDoorz
Records
5.9M
Data breachResolved

Hopamedia data breach (2020)

In 2024, data relating to an unknown service referred to as "Hopamedia" and dating back to 2020 appeared in a publicly exposed database. The data included almost 24M records of email address, name, phone number, the country of the individual and their telecommunications carrier.

Victim
Hopamedia
Records
23.8M
Data breachResolved

Livpure data breach (2020)

In August 2020, the Indian retailer Livpure suffered a data breach which exposed over 1 million customer purchases with 270 thousand unique email addresses. The data also included names, phone numbers, physical addresses and details of purchased items.

Victim
Livpure
Records
269.6K
RansomwareResolved

Gunnebo security blueprints leak

Attackers breached Swedish physical-security firm Gunnebo, stole 19 GB of data, and after the company refused to pay, leaked bank-vault floor plans, alarm schematics, and security arrangements for high-value clients including a Swedish parliament building.

Victim
Gunnebo Group
Records
38.0K
DDoSResolved

NZX stock exchange DDoS attacks

A sustained volumetric DDoS campaign knocked New Zealand's stock exchange offline for parts of five consecutive trading days, halting trading because the exchange could not publish market announcements, and drawing a sharp regulatory rebuke.

Victim
NZX (New Zealand's Exchange)
Data breachResolved

Experian (South Africa) data breach (2020)

In August 2020, Experian South Africa suffered a data breach which exposed the personal information of tens of millions of individuals. Only 1.3M of the records contained email addresses, whilst most contained government issued identity numbers, names, addresses, occupations and employers, amongst…

Victim
Experian (South Africa)
Records
1.3M
Data breachResolved

Bonobos data breach (2020)

In August 2020, the clothing store Bonobos suffered a data breach that exposed almost 70GB of data containing 2.8 million unique email addresses. The breach also exposed names, physical and IP addresses, phone numbers, order histories and passwords stored as salted SHA-512 hashes, including…

Victim
Bonobos
Records
2.8M
Data breachResolved

Jefit data breach (2020)

In August 2020, the workout tracking app Jefit suffered a data breach. The data was subsequently sold within the hacking community and included over 9 million email and IP addresses, usernames and passwords stored as either vBulletin or argon2 hashes.

Victim
Jefit
Records
9.1M
Data breachResolved

ShockGore data breach (2020)

In August 2020, the website for sharing graphic videos and images of gore and animal cruelty suffered a data breach. The breach exposed 74k unique email addresses alongside usernames, IP addresses, genders and unsalted SHA-1 password hashes.

Victim
ShockGore
Records
73.9K
Data breachResolved

Lazada RedMart data breach (2020)

In October 2020, news broke of Lazada RedMart data breach containing records as recent as July 2020 and being sold via an online marketplace. In all, the data contained 1.1 million customer email addresses alongside names, phone numbers, physical addresses, partial credit card numbers and passwords…

Victim
Lazada RedMart
Records
1.1M
Data breachResolved

Utah Gun Exchange data breach (2020)

In July 2020, the Utah Gun Exchange website suffered a data breach which included several other associated websites. In total, 235k unique email addresses were exposed before being traded online alongside names, usernames, genders, IP addresses and password hashes.

Victim
Utah Gun Exchange
Records
235.2K
Data breachResolved

WiziShop data breach (2020)

In July 2020, the French e-commerce platform WiziShop suffered a data breach. The breach exposed 18GB worth of data including names, phone numbers, dates of birth, physical and IP addresses, SHA-1 password hashes and almost 3 million unique email addresses.

Victim
WiziShop
Records
2.9M
Data breachResolved

StreamCraft data breach (2020)

In July 2020, the Russian Minecraft service StreamCraft suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 1.8M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.

Victim
StreamCraft
Records
1.8M
Data breachResolved

Drizly data breach (2020)

In approximately July 2020, the US-based online alcohol delivery service Drizly suffered a data breach. The data was sold online before being extensively redistributed and contained 2.5 million unique email addresses alongside names, physical and IP addresses, phone numbers, dates of birth and…

Victim
Drizly
Records
2.5M
Data breachResolved

OrderSnapp data breach (2020)

In June 2020, the restaurant solutions provider OrderSnapp suffered a data breach which exposed 1.3M unique email addresses. Impacted data also included names, phone numbers, dates of birth and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.

Victim
OrderSnapp
Records
1.3M
Data breachResolved

Wattpad data breach (2020)

In mid-2020, the user-generated stories platform Wattpad suffered a breach exposing roughly 268.8 million records, including names, email addresses, dates of birth, and bcrypt-hashed passwords. The database was first sold privately, then leaked for free on a hacking forum.

Victim
Wattpad
Records
268.8M
Data breachResolved

Dave data breach (2020)

In June 2020, the digital banking app Dave suffered a data breach which exposed 7.5 million rows of data and subsequently appeared for public download on a hacking forum.

Victim
Dave
Records
3.0M
Data breachResolved

ProctorU data breach (2020)

In June 2020, the online exam service ProctorU suffered a data breach which was subsequently shared extensively across online hacking communities. The breach contained 444k user records including names, email and physical addresses, phones numbers and passwords stored as bcrypt hashes.

Victim
ProctorU
Records
444.5K
Data breachResolved

Havenly data breach (2020)

In June 2020, the interior design website Havenly suffered a data breach which impacted almost 1.4 million members of the service. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes, all of which was subsequently shared…

Victim
Havenly
Records
1.4M
Data breachResolved

Ledger data breach (2020)

In June 2020, the hardware crypto wallet manufacturer Ledger suffered a data breach that exposed over 1 million email addresses. The data was initially sold before being dumped publicly in December 2020 and included names, physical addresses and phone numbers.

Victim
Ledger
Records
1.1M
Data breachResolved

Kreditplus data breach (2020)

In June 2020, the Indonesian credit service Kreditplus suffered a data breach which exposed 896k records containing 769k unique email addresses. The breach exposed extensive personal information including names, family makeup, information on spouses, income and expenses, religions and employment…

Victim
Kreditplus
Records
768.9K
Data breachResolved

Swvl data breach (2020)

In June 2020, the Egyptian bus operator Swvl suffered a data breach which impacted over 4 million members of the service. The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of…

Victim
Swvl
Records
4.2M
Data breachResolved

Appen data breach (2020)

In June 2020, the AI training data company Appen suffered a data breach exposing the details of almost 5.9 million users which were subsequently sold online. Included in the breach were names, email addresses and passwords stored as bcrypt hashes.

Victim
Appen
Records
5.9M
Data breachResolved

Promo data breach (2020)

In July 2020, the self-proclaimed "World's #1 Marketing Video Maker" Promo suffered a data breach which was then shared extensively on a hacking forum. The incident exposed 22 million records containing almost 15 million unique email addresses alongside IP addresses, genders, names and salted…

Victim
Promo
Records
14.6M
Data breachResolved

Scentbird data breach (2020)

In June 2020, the online fragrance service Scentbird suffered a data breach that exposed the personal information of over 5.8 million customers. Personal information including names, email addresses, genders, dates of birth, passwords stored as bcrypt hashes and indicators of password strength were…

Victim
Scentbird
Records
5.8M
Data breachResolved

Vakinha data breach (2020)

In June 2020, the Brazilian fund raising service Vakinha suffered a data breach which impacted almost 4.8 million members. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as bcrypt hashes, all of which was subsequently shared extensively…

Victim
Vakinha
Records
4.8M
Data breachResolved

yotepresto.com data breach (2020)

In June 2020, the Mexican lending platform yotepresto.com suffered a data breach. Over 1.4 million customers were impacted by the breach which disclosed email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.

Victim
yotepresto.com
Records
1.4M
Data breachResolved

Not Acxiom data breach (2020)

In 2020, a corpus of data containing almost a quarter of a billion records spanning over 400 different fields was misattributed to database marketing company Acxiom and subsequently circulated within the hacking community.

Victim
Not Acxiom
Records
51.7M
Data breachResolved

SitePoint data breach (2020)

In June 2020, the web development site SitePoint suffered a data breach that exposed over 1M customer records. Impacted data included email and IP addresses, names, usernames, bios and passwords stored as bcrypt hashes.

Victim
SitePoint
Records
1.0M
Data breachResolved

Dunzo data breach (2020)

In approximately June 2019, the Indian delivery service Dunzo suffered a data breach. Exposing 3.5 million unique email addresses, the Dunzo breach also included names, phone numbers and IP addresses which were all broadly distributed online via a hacking forum.

Victim
Dunzo
Records
3.5M
Data breachResolved

LiveAuctioneers data breach (2020)

In June 2020, the online antiques marketplace LiveAuctioneers suffered a data breach which was subsequently sold online then extensively redistributed in the hacking community.

Victim
LiveAuctioneers
Records
3.4M
Data breachResolved

Acuity data breach (2020)

In mid-2020, a 437GB corpus of data attributed to an entity named "Acuity" was created and later extensively distributed. However, the source could not be confidently verified as any known companies named Acuity.

Victim
Acuity
Records
14.1M
Data breachResolved

Mashable data breach (2020)

In approximately mid-2020, Mashable suffered a data breach that subsequently turned up publicly in November 2020. The data included 1.4 million unique email addresses along with names, genders, expired auth tokens, physical locations, links to social media profiles and days and months of birth.

Victim
Mashable
Records
1.4M
Data breachResolved

Preen.Me data breach (2020)

In May 2020, social media marketing company Preen.Me was the target of a ransom attack that resulted in hundreds of thousands of records being publicly posted. Over 236k unique email addresses were exposed in the attack alongside names, usernames and links to social media profiles.

Victim
Preen.Me
Records
236.1K
Data breachResolved

Nulled.ch data breach (2020)

In May 2020, the hacking forum Nulled.ch was breached and the data published to a rival hacking forum. Over 43k records were compromised and included IP and email addresses, usernames and passwords stored as salted MD5 hashes alongside the private message history of the website's admin.

Victim
Nulled.ch
Records
43.5K
Data breachResolved

Zacks data breach (2020)

In December 2022, the investment research company Zacks announced a data breach. The following month, reports emerged of the incident impacting 820k customers. However, in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum.

Victim
Zacks
Records
8.9M
Data breachResolved

Minted data breach (2020)

In May 2020, the online marketplace for independent artists Minted suffered a data breach that exposed 4.4M unique customer records subsequently sold on a dark web marketplace. Exposed data also included names, physical addresses, phone numbers and passwords stored as bcrypt hashes.

Victim
Minted
Records
4.4M
Data breachResolved

Stalker Online data breach (2020)

In May 2020, over 1.3M records from the MMO game Stalker Online were breached. The data included email and IP addresses, usernames and hashed passwords.

Victim
Stalker Online
Records
1.4M
Data breachResolved

Tokopedia data breach (2020)

In April 2020, Indonesia's largest online store Tokopedia was breached and roughly 91 million user records — names, emails, hashed passwords, and dates of birth — were put up for sale on dark-web forums.

Victim
Tokopedia
Records
91.2M
Data breachResolved

Aptoide data breach (2020)

In April 2020, the independent Android app store Aptoide suffered a data breach. The incident resulted in the exposure of 20M customer records which were subsequently shared online via a popular hacking forum.

Victim
Aptoide
Records
20.0M
Data breachResolved

Vianet data breach (2020)

In April 2020, the Nepalese internet service provider Vianet suffered a data breach. The attack on the ISP led to the exposure of 177k customer records including 94k unique email addresses. Also exposed were names, phone numbers and physical addresses.

Victim
Vianet
Records
94.4K
Data breachResolved

HomeRefill data breach (2020)

In April 2020, now defunct Brazilian e-commerce platform HomeRefill suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 187k unique email addresses along with names, phone numbers, dates of birth and salted password hashes.

Victim
HomeRefill
Records
187.5K
Data breachResolved

OGUsers (2020 breach) data breach (2020)

In April 2020, the account hijacking and SIM swapping forum OGUsers suffered their second data breach in less than a year. As with the previous breach, the exposed data included email and IP addresses, usernames, private messages and passwords stored as salted MD5 hashes.

Victim
OGUsers (2020 breach)
Records
263.2K
Data breachResolved

집꾸미기 data breach (2020)

In March 2020, the Korean interior decoration website ???? (Decorating the House) suffered a data breach which impacted almost 1.3 million members. Served via the URL ggumim.co.kr, the exposed data included email addresses, names, usernames and phone numbers, all of which was subsequently shared…

Victim
집꾸미기
Records
1.3M
Data breachResolved

Glofox data breach (2020)

In March 2020, the Irish gym management software company Glofox suffered a data breach which exposed 2.3M membership records. The data included email addresses, names, phone numbers, genders, dates of birth and passwords stored as unsalted MD5 hashes.

Victim
Glofox
Records
2.3M
Data breachResolved

Chatbooks data breach (2020)

In March 2020, the photo print service Chatbooks suffered a data breach which was subsequently put up for sale on a dark web marketplace. The breach contained 15 million user records with 2.5 million unique email addresses alongside names, phone numbers, social media profiles and salted SHA-512…

Victim
Chatbooks
Records
2.5M
Data breachResolved

James data breach (2020)

In June 2020, 14 previously undisclosed data breaches appeared for sale including the Brazilian delivery service, "James". The breach occurred in March 2020 and exposed 1.5M unique email addresses, customer locations expressed in longitude and latitude and passwords stored as bcrypt hashes.

Victim
James
Records
1.5M
Data breachResolved

123RF data breach (2020)

In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
123RF
Records
8.7M
Data breachResolved

Sina Weibo data leak

Personal data on 538 million Sina Weibo accounts — including the phone numbers of 172 million users — was offered for sale on the dark web for about $250, in a leak Weibo attributed to address-book matching abuse dating back to 2018. China's industry ministry summoned the company over its handling of personal data.

Victim
Sina Weibo
Records
538.0M
RansomwareResolved

Brno University Hospital ransomware attack

A ransomware attack forced Brno University Hospital — one of Czechia's largest hospitals and a major COVID-19 testing centre — to shut down its entire IT network, cancel surgeries, and divert acute patients at the height of the early pandemic.

Victim
Brno University Hospital (Fakultní nemocnice Brno)
Data breachResolved

Lead Hunter data breach (2020)

In March 2020, a massive trove of personal information referred to as "Lead Hunter" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server.

Victim
Lead Hunter
Records
68.7M
Data breachResolved

Catho data breach (2020)

In approximately March 2020, the Brazilian recruitment website Catho was compromised and subsequently appeared alongside 20 other breached websites listed for sale on a dark web marketplace. The breach included almost 11 million records with 1.2 million unique email addresses.

Victim
Catho
Records
1.2M
Data breachResolved

Tamodo data breach (2020)

In February 2020, the affiliate marketing network Tamodo suffered a data breach which was subsequently shared on a popular hacking forum. The incident exposed almost 500k accounts including names, email addresses, dates of birth and passwords stored as bcrypt hashes.

Victim
Tamodo
Records
494.9K
Data breachResolved

AnimeGame data breach (2020)

In February 2020, the gaming website AnimeGame suffered a data breach. The incident affected 1.4M subscribers and exposed email addresses, usernames and passwords stored as salted MD5 hashes. The data was subsequently shared on a popular hacking forum and was provided to HIBP by dehashed.com.

Victim
AnimeGame
Records
1.4M
Data breachResolved

TrueFire data breach (2020)

In February 2020, the guitar tuition website TrueFire suffered a data breach which impacted 600k members. The breach exposed extensive personal information including names, email and physical addresses, account balances and unsalted MD5 password hashes. The data was provided to HIBP by dehashed.com.

Victim
TrueFire
Records
599.7K
Data breachResolved

Covve data breach (2020)

In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server.

Victim
Covve
Records
22.8M
Data breachResolved

Slickwraps data breach (2020)

In February 2020, the online store for consumer electronics wraps Slickwraps suffered a data breach. The incident resulted in the exposure of 858k unique email addresses across customer records and newsletter subscribers.

Victim
Slickwraps
Records
857.6K
RansomwareResolved

INA Group ransomware attack

Clop ransomware encrypted backend servers at INA Group, Croatia's largest oil company and petrol-station chain, knocking out invoicing, loyalty cards, e-vignettes, mobile vouchers and utility-bill payments while fuel sales continued.

Victim
INA Group
Data breachResolved

Straffic data breach (2020)

In February 2020, Israeli marketing company Straffic exposed a database with 140GB of personal data. The publicly accessible Elasticsearch database contained over 300M rows with 49M unique email addresses. Exposed data also included names, phone numbers, physical addresses and genders.

Victim
Straffic
Records
48.6M
Data breachResolved

Home Chef data breach (2020)

In early 2020, the food delivery service Home Chef suffered a data breach which was subsequently sold online. The breach exposed the personal information of almost 9 million customers including names, IP addresses, post codes, the last 4 digits of credit card numbers and passwords stored as bcrypt…

Victim
Home Chef
Records
8.8M
Data breachResolved

Bhinneka data breach (2020)

In early 2020, the Indonesian consumer electronics website Bhinneka suffered a data breach that exposed almost 1.3M customer records. The data included email and physical addresses, names, genders, dates of birth, phone numbers and salted password hashes.

Victim
Bhinneka
Records
1.3M
Data breachResolved

Wishbone (2020) data breach (2020)

In January 2020, the mobile app to "compare anything" Wishbone suffered another data breach which followed their breach from 2016. An extensive amount of personal information including almost 10M unique email addresses alongside names, phone numbers geographic locations and other personal…

Victim
Wishbone (2020)
Records
9.7M
Data breachResolved

MeetMindful data breach (2020)

In early 2020, the online dating service MeetMindful suffered a data breach that exposed 1.4 million unique customer email addresses. Included in the data was an extensive array of personal information used to find romantic matches including physical attributes, use of alcohol, drugs and…

Victim
MeetMindful
Records
1.4M
Data breachResolved

Ulmon data breach (2020)

In January 2020, the travel app creator Ulmon suffered a data breach. The service had almost 1.3M records with 777k unique email addresses, names, passwords stored as bcrypt hashes and in some cases, social media profile IDs, telephone numbers and bios.

Victim
Ulmon
Records
777.8K
Data breachResolved

Mathway data breach (2020)

In January 2020, the math solving website Mathway suffered a data breach that exposed over 25M records. The data was subsequently sold on a dark web marketplace and included names, Google and Facebook IDs, email addresses and salted password hashes.

Victim
Mathway
Records
25.7M
Data breachResolved

Zoosk (2020) data breach (2020)

In January 2020, the online dating service Zoosk suffered a data breach which was subsequently shared extensively across online hacking communities. The breach contained 24 million unique email addresses alongside extensive personal information including genders, sexualities, dates of birth,…

Victim
Zoosk (2020)
Records
23.9M
Data breachResolved

MobiFriends data breach (2020)

In January 2020, the Barcelona-based dating app MobiFriends suffered a data breach that exposed 3.5 million unique email addresses. The data also included usernames, genders, dates of birth and MD5 password hashes.

Victim
MobiFriends
Records
3.5M
EspionageResolved

Austrian Foreign Ministry state-sponsored cyberattack

A sophisticated, weeks-long intrusion hit Austria's Foreign Ministry over the 2020 New Year, attributed by Austrian media to the Russia-linked Turla APT. The ministry, which runs around 100 diplomatic missions, fought a prolonged espionage operation before declaring its systems cleaned.

Victim
Austrian Federal Ministry for European and International Affairs (BMEIA)
Data breachResolved

HTC Mania data breach (2020)

In January 2020, the Spanish mobile phone forum HTC Mania suffered a data breach of the vBulletin based site. The incident exposed 1.5M member email addresses, usernames, IP addresses, dates of birth and salted MD5 password hashes and password histories.

Victim
HTC Mania
Records
1.5M
Data breachResolved

Pampling data breach (2020)

In January 2020, the online clothing retailer Pampling suffered a data breach that exposed 383k unique customer email addresses. The data was later shared on a popular hacking forum and also included names, usernames and unsalted MD5 password hashes.

Victim
Pampling
Records
383.5K
Vulnerability exploitResolved

Virgin Mobile Polska data breach

An unauthorised party exploited a flaw in Virgin Mobile Polska's prepaid-registration application to access the personal data of over 114,000 subscribers, including PESEL identity numbers and ID-card details. Poland's data-protection authority fined the operator nearly PLN 2 million for inadequate security testing.

Victim
Virgin Mobile Polska
Records
115.0K
Data breachResolved

Nameless Malware data breach (2020)

In January 2021, NordLocker provided HIBP 1.1 million email addresses collected by nameless malware. The malware campaign ran between 2018 and 2020 and infected 3.25 million computers, stealing files, credentials and taking screenshots and photos using the computer's webcam.

Victim
Nameless Malware
Records
1.1M
Data breachResolved

Sonicbids data breach (2019)

In December 2019, the booking website Sonicbids suffered a data breach which they attributed to "a data privacy event involving our third-party cloud hosting services". The breach contained 752k user records including names and usernames, email addresses and passwords stored as PBKDF2 hashes.

Victim
Sonicbids
Records
751.7K
Data breachResolved

BtoBet data breach (2019)

In December 2019, a large collection of data from Nigerian gambling company Surebet247 was sent to HIBP. Alongside the Surebet247, database backups from gambling sites BetAlfa, BetWay, BongoBongo and TopBet was also included.

Victim
BtoBet
Records
444.2K
RansomwareRansom paid

Maastricht University Clop ransomware (Netherlands, 2019)

TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15–16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin — later seized from a money mule — was returned and had appreciated, leaving the university ahead by ~$300,000.

Victim
Maastricht University
Loss
$220.0K
Data breachResolved

Avvo data breach (2019)

In approximately December 2019, an alleged data breach of the lawyer directory service Avvo was published to an online hacking forum and used in an extortion scam (it's possible the exposure dates back earlier than that).

Victim
Avvo
Records
4.1M
Data breachResolved

GameSprite data breach (2019)

In December 2019, the now defunct gaming platform GameSprite suffered a data breach that exposed over 6M unique email addresses. The impacted data also included usernames, IP addresses and salted MD5 password hashes.

Victim
GameSprite
Records
6.2M
Data breachResolved

Go Ninja data breach (2019)

In December 2019, the now defunct German gaming website Go Ninja suffered a data breach that exposed 5M unique email addresses. The impacted data included usernames, email and IP addresses and salted MD5 password hashes.

Victim
Go Ninja
Records
5.0M
RansomwareRansom paid

LifeLabs data breach

Canada's largest medical-testing laboratory disclosed that attackers had accessed health data on roughly 15 million customers, paid an undisclosed ransom to retrieve the stolen records, and was later found by privacy regulators to have failed to safeguard the information.

Victim
LifeLabs
Records
15.0M
Data breachResolved

SoarGames data breach (2019)

In December 2019, the now defunct gaming website SoarGames suffered a data breach that exposed 4.8M unique email addresses. The impacted data included usernames, email and IP addresses and salted MD5 password hashes.

Victim
SoarGames
Records
4.8M
Data breachResolved

JoyGames data breach (2019)

In December 2019, the forum for the JoyGames website suffered a data breach that exposed 4.5M unique email addresses. The impacted data also included usernames, IP addresses and salted MD5 password hashes.

Victim
JoyGames
Records
4.5M
Data breachResolved

Unigame data breach (2019)

In December 2019, the now defunct gaming website Unigame (maker of Hunter Online) suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 844k email addresses and salted MD5 password hashes.

Victim
Unigame
Records
843.7K
RansomwareResolved

Benešov Hospital Ryuk ransomware attack

An Emotet–TrickBot–Ryuk malware chain crippled the Rudolf and Stefanie Hospital in Benešov, Czech Republic, knocking out X-ray, ultrasound, and laboratory systems and paralysing the facility for weeks. The hospital did not pay the ransom and reported no patient-record loss.

Victim
Rudolf and Stefanie Hospital, Benešov
Data breachResolved

TaiLieu data breach (2019)

In November 2019, the Vietnamese education website TaiLieu allegedly suffered a data breach exposing 7.3M customer records. Impacted data included names and usernames, email addresses, dates of birth, genders and passwords stored as unsalted MD5 hashes.

Victim
TaiLieu
Records
7.3M
Data breachResolved

Benchmark data breach (2019)

In November 2019, the Serbian technology news website Benchmark suffered a breach of its forum that exposed 93k customer records. The breach exposed IP and email addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Benchmark
Records
93.3K
Data breachResolved

IndiHome data breach (2019)

In mid-2021, reports emerged of a data breach of Indonesia's telecommunications company, IndiHome. Over 26M rows of data alleged to have been sourced from the company was posted to a popular hacking forum and contained 12.6M unique email addresses alongside names, IP addresses, genders and…

Victim
IndiHome
Records
12.6M
Data breachResolved

Universarium data breach (2019)

In approximately November 2019, the Russian "Remote preparatory faculty for IT specialties" Universarium suffered a data breach. The incident exposed 565k email addresses and passwords in plain text. Universarium did not respond to multiple attempts to make contact over a period of many weeks.

Victim
Universarium
Records
565.0K
Data breachResolved

Indian Railways data breach (2019)

In November 2019, the website for Indian Rail left more than 2M records exposed on an unprotected Firebase database instance. The exposed data included 583k unique email addresses alongside usernames and passwords stored in plain text.

Victim
Indian Railways
Records
583.4K
Data breachResolved

StarTribune data breach (2019)

In October 2019, the Minnesota-based news service StarTribune suffered a data breach which was subsequently sold on the dark web. The breach exposed over 2 million unique email addresses alongside names, usernames, physical addresses, dates of birth, genders and passwords stored as bcrypt hashes.

Victim
StarTribune
Records
2.2M
Data breachResolved

The Halloween Spot data breach (2019)

In September 2019, the Halloween costume store The Halloween Spot suffered a data breach. Originally misattributed to fancy dress store Smiffys, the breach contained 13GB of data with over 10k unique email addresses alongside names, physical and IP addresses, phone numbers and order histories.

Victim
The Halloween Spot
Records
10.7K
Data breachResolved

Zooville data breach (2019)

In September 2019, the zoophilia and bestiality forum Zooville suffered a data breach. The usernames and email addresses of 71k members were accessed via an unpatched vulnerability in the vBulletin forum software then subsequently distributed online.

Victim
Zooville
Records
71.4K
Data breachResolved

Novaestrat Ecuador data leak

An unsecured Elasticsearch server run by Ecuadorian consultancy Novaestrat exposed 20.8 million records covering nearly the entire population of Ecuador, including 6.7 million children, financial records, and vehicle data.

Victim
Novaestrat
Records
20.8M
Data breachResolved

KiwiFarms data breach (2019)

In September 2019, the forum for discussing "lolcows" (people who can be milked for laughs) Kiwi Farms suffered a data breach. The disclosure notice advised that email and IP addresses, dates of birth and content created by members were all exposed in the incident.

Victim
KiwiFarms
Records
4.6K
RansomwareResolved

Demant ransomware attack

A ransomware-style cyber incident forced Danish hearing-aid giant Demant to shut down IT systems worldwide, crippling production and order processing and causing an estimated loss of up to $95 million — one of the costliest single ransomware events on record.

Victim
Demant
Loss
$95.0M
Data breachResolved

EpicBot data breach (2019)

In September 2019, the RuneScape bot provider EpicBot suffered a data breach that impacted 817k subscribers. Data from the breach was subsequently shared on a popular hacking forum and included usernames, email and IP addresses and passwords stored as either salted MD5 or bcrypt hashes.

Victim
EpicBot
Records
816.7K
Data breachResolved

Zynga data breach (2019)

In September 2019, the hacker Gnosticplayers breached game developer Zynga, accessing data for nearly 173 million Words With Friends and Draw Something players. Exposed data included emails, usernames, phone numbers, and salted SHA-1 password hashes.

Victim
Zynga
Records
172.9M
Data breachResolved

AlpineReplay data breach (2019)

In 2019, the snow sports tracking app AlpineReplay suffered a data breach that exposed 900k unique email addresses. Later rolled into the Trace service, the breach included names, usernames, genders, dates of birth, weights and passwords stored as either unsalted MD5 or bcrypt hashes.

Victim
AlpineReplay
Records
898.7K
Data breachResolved

ToonDoo data breach (2019)

In August 2019, the comic strip creation website ToonDoo suffered a data breach. The data was subsequently redistributed on a popular hacking forum in November where the personal information of over 6M subscribers was shared.

Victim
ToonDoo
Records
6.0M
Data breachResolved

Mastercard Priceless Specials data breach (2019)

In August 2019, the German Mastercard bonus program "Priceless Specials" suffered a data breach. Personal data on almost 90k program members was subsequently extensively circulated online and included names, email and IP addresses, phone numbers and partial credit card data.

Victim
Mastercard Priceless Specials
Records
89.4K
Data breachResolved

Audi data breach (2019)

In August 2019, Audi USA suffered a data breach after a vendor left data unsecured and exposed on the internet. The data contained 2.7M unique email addresses along with names, phone numbers, physical addresses and vehicle information including VIN.

Victim
Audi
Records
2.7M
Data breachResolved

europa.jobs data breach (2019)

In August 2019, the now defunct European jobs website europa.jobs (Google cache link) suffered a data breach. The incident exposed 226k unique email addresses alongside extensive personal information including names, dates of birth, job applications and passwords.

Victim
europa.jobs
Records
226.1K
Data breachResolved

Promofarma data breach (2019)

In August 2019, a data breach from the Spanish online pharmacy Promofarma appeared for sale on a dark web marketplace. The breach exposed over 2.7M records and contained almost 1.3M unique customer email addresses. The data also included customer names and was provided to HIBP by dehashed.com.

Victim
Promofarma
Records
1.3M
Data breachResolved

StockX data breach (2019)

In July 2019, the fashion and sneaker trading platform StockX suffered a data breach which was subsequently sold via a dark webmarketplace. The exposed data included 6.8 million unique email addresses, names, physical addresses, purchases and passwords stored as salted MD5 hashes.

Victim
StockX
Records
6.8M
Data breachResolved

MGM Resorts data breach (2019)

In July 2019, MGM Resorts discovered a data breach of one of their cloud services. The breach included 10.6M guest records with 3.1M unique email addresses stemming back to 2017.

Victim
MGM Resorts
Records
3.1M
Data breachResolved

Cracked.to data breach (2019)

In July 2019, the hacking website Cracked.to suffered a data breach. There were 749k unique email addresses spread across 321k forum users and other tables in the database.

Victim
Cracked.to
Records
749.2K
Data breachResolved

Bulgarian National Revenue Agency data breach (2019)

In July 2019, a massive data breach of the Bulgarian National Revenue Agency began circulating with data on 5 million people. Allegedly obtained in June, the data was broadly shared online and included taxation information alongside names, phone numbers, physical addresses and 471 thousand unique…

Victim
Bulgarian National Revenue Agency
Records
471.2K
Data breachResolved

BlackSpigotMC data breach (2019)

In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself.

Victim
BlackSpigotMC
Records
140.0K
Data breachResolved

Vedantu data breach (2019)

In mid-2019, the Indian interactive online tutoring platform Vedantu suffered a data breach which exposed the personal data of 687k users. The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as…

Victim
Vedantu
Records
686.9K
Data breachResolved

Planet Calypso data breach (2019)

In approximately July 2019, the forums for the Planet Calypso game suffered a data breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Planet Calypso
Records
62.3K
Data breachResolved

Quidd data breach (2019)

In 2019, online marketplace for trading stickers, cards, toys, and other collectibles Quidd suffered a data breach. The breach exposed almost 4 million users' email addresses, usernames and passwords stored as bcrypt hashes.

Victim
Quidd
Records
3.8M
Data breachResolved

XKCD data breach (2019)

In July 2019, the forum for webcomic XKCD suffered a data breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored in MD5 phpBB3 format. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies.

Victim
XKCD
Records
562.0K
Insider threatResolved

Desjardins insider data breach

An insider at Desjardins — the largest financial cooperative in Canada — exfiltrated personal data on 9.7 million members and businesses over two years before being caught. The defining Canadian insider-threat case.

Victim
Desjardins Group
Loss
$100.0M
Records
9.7M
Data breachResolved

Artvalue data breach (2019)

In June 2019, the France-based art valuation website Artvalue.com left their 158k member subscriber base publicly exposed in a text file on their website. The exposed data included names, usernames, email addresses and passwords stored as MD5 hashes.

Victim
Artvalue
Records
157.7K
Data breachResolved

Social Engineered data breach (2019)

In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the MyBB forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database.

Victim
Social Engineered
Records
89.4K
Data breachResolved

Void.to data breach (2019)

In June 2019, the hacking website Void.to suffered a data breach. There were 95k unique email addresses spread across 86k forum users and other tables in the database.

Victim
Void.to
Records
95.4K
Data breachResolved

Wiener Büchereien data breach (2019)

In June 2019, the library of Vienna (Wiener Büchereien) suffered a data breach. The compromised data included 224k unique email addresses, names, physical addresses, phone numbers and dates of birth. The breached data was subsequently posted to Twitter by the alleged perpetrator of the breach.

Victim
Wiener Büchereien
Records
224.1K
EspionageResolved

Australian National University data breach

A sophisticated, likely state-sponsored actor breached the Australian National University's administrative systems in late 2018, exfiltrating up to 19 years of staff and student records in an intrusion praised by ANU's own report for its extraordinary operational security.

Victim
Australian National University
Records
200.0K
Data breachResolved

GateHub data breach (2019)

In October 2019, 1.4M accounts from the cryptocurrency wallet service GateHub were posted to a popular hacking forum. GateHub had previously acknowledged a data breach in June, albeit with a smaller number of impacted accounts.

Victim
GateHub
Records
1.4M
Data breachResolved

Condo.com data breach (2019)

In June 2019, now defunct website Condo.com suffered a data breach that was later redistributed as part of a larger corpus of data. The impacted data included 1.5M email addresses alongside names, phone numbers and for a small number of records, physical addresses.

Victim
Condo.com
Records
1.5M
Vulnerability exploitResolved

First American Financial document exposure

An insecure direct object reference (IDOR) flaw on First American Financial's website exposed roughly 885 million title-insurance and mortgage documents — including Social Security numbers, bank account details, and driver's-license images — dating back to 2003, accessible to anyone without authentication.

Victim
First American Financial Corporation
Loss
$1.5M
Records
885.0M
Data breachResolved

Minehut data breach (2019)

In May 2019, the Minecraft server website Minehut suffered a data breach. The company advised a database backup had been obtained after which they subsequently notified all impacted users. 397k email addresses from the incident were provided to HIBP.

Victim
Minehut
Records
396.5K
Data breachResolved

EatStreet data breach (2019)

In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes.

Victim
EatStreet
Records
6.4M
Data breachResolved

Read Novel data breach (2019)

In May 2019, the Chinese literature website Read Novel allegedly suffered a data breach that exposed 22M unique email addresses. Data also included usernames, genders, phone numbers and passwords stored as salted MD5 hashes. Read more about Chinese data breaches in Have I Been Pwned.

Victim
Read Novel
Records
22.4M
Data breachResolved

Aimware data breach (2019)

In mid-2019, the video game cheats website "Aimware" suffered a data breach that exposed hundreds of thousands of subscribers' personal information. Data included email and IP addresses, usernames, forum posts, private messages, website activity and passwords stored as salted MD5 hashes.

Victim
Aimware
Records
305.5K
Data breachResolved

Deezer data breach (2019)

A 2019 snapshot of Deezer user data, retained by a former third-party partner in violation of its contract, was leaked in November 2022 and exposed roughly 229 million records — including names, emails, dates of birth, and locations. No passwords or payment data were affected.

Victim
Deezer
Records
229.0M
Data breachResolved

ApexSMS data breach (2019)

In May 2019, news broke of a massive SMS spam operation known as "ApexSMS" which was discovered after a MongoDB instance of the same name was found exposed without a password.

Victim
ApexSMS
Records
23.2M
Data breachResolved

Instant Checkmate data breach (2019)

In 2019, the public records search service Instant Checkmate suffered a data breach that later came to light in early 2023. The data included almost 12M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.

Victim
Instant Checkmate
Records
11.9M
Data breachResolved

Truth Finder data breach (2019)

In 2019, the public records search service TruthFinder suffered a data breach that later came to light in early 2023. The data included over 8M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.

Victim
Truth Finder
Records
8.2M
Data breachResolved

Storenvy data breach (2019)

In mid-2019, the e-commerce website Storenvy suffered a data breach that exposed millions of customer records. A portion of the breached records were subsequently posted to a hacking forum with cracked password hashes, whilst the entire corpus of 23M rows was put up for sale.

Victim
Storenvy
Records
11.1M
Data breachResolved

Lumin PDF data breach (2019)

In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum.

Victim
Lumin PDF
Records
15.5M
Data breachResolved

Hakko Corporation data breach (2019)

In March 2019, the Japanese solder-related business Hakko Corporation suffered a data breach. The incident exposed almost 10k customer records including email and physical addresses, phone numbers, names, usernames, genders, dates of birth and plain text passwords.

Victim
Hakko Corporation
Records
9.7K
Data breachResolved

Everybody Edits data breach (2019)

In March 2019, the multiplayer platform game Everybody Edits suffered a data breach. The incident exposed 871k unique email addresses alongside usernames and IP addresses. The data was subsequently distributed online across a collection of files.

Victim
Everybody Edits
Records
871.2K
Data breachResolved

Utair data breach (2019)

In August 2020, news broke of a data breach of Russian airline Utair that dated back to the previous year. The breach contained over 400k unique email addresses along with extensive personal information including names, physical addresses, dates of birth, passport numbers and loyalty program…

Victim
Utair
Records
401.4K
Data breachResolved

Mindjolt data breach (2019)

In March 2019, the online gaming website MindJolt suffered a data breach that exposed 28M unique email addresses. Also impacted were names and dates of birth, but no passwords.

Victim
Mindjolt
Records
28.4M
Data breachResolved

Hurb data breach (2019)

In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers…

Victim
Hurb
Records
20.7M
Data breachResolved

Intelimost data breach (2019)

In March 2019, a spam operation known as "Intelimost" sent millions of emails appearing to come from people the recipients knew. Security researcher Bob Diachenko found over 3 million unique email addresses in an exposed Elasticsearch database, alongside plain text passwords used to access the…

Victim
Intelimost
Records
3.1M
Data breachResolved

MalindoAir data breach (2019)

In early 2019, the Malaysian airline Malindo Air suffered a data breach that exposed tens of millions of customer records. Containing 4.3M unique email addresses, the breach also exposed extensive personal information including names, dates of birth, genders, physical addresses, phone numbers and…

Victim
MalindoAir
Records
4.3M
Data breachResolved

Estante Virtual data breach (2019)

In February 2019, the Brazilian book store Estante Virtual suffered a data breach that impacted 5.4M customers. The exposed data included names, usernames, email and physical addresses, phone numbers, dates of birth and unsalted SHA-1 password hashes.

Victim
Estante Virtual
Records
5.4M
Data breachResolved

Lifebear data breach (2019)

In early 2019, the Japanese schedule app Lifebear appeared for sale on a dark web marketplace amongst a raft of other hacked websites. The breach exposed almost 3.7M unique email addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Lifebear
Records
3.7M
Data breachResolved

Verifications.io data breach (2019)

In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses…

Victim
Verifications.io
Records
763.1M
Data breachResolved

GameSalad data breach (2019)

In February 2019, the education and game creation website Game Salad suffered a data breach. The incident impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored as SHA-256 hashes.

Victim
GameSalad
Records
1.5M
Data breachResolved

CafePress data breach (2019)

In February 2019, the custom merchandise retailer CafePress suffered a data breach. The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes.

Victim
CafePress
Records
23.2M
Data breachResolved

Demon Forums data breach (2019)

In February 2019, the hacking forum Demon Forums suffered a data breach. The compromise of the vBulletin forum exposed 52k unique email addresses alongside usernames and passwords stored as salted MD5 hashes.

Victim
Demon Forums
Records
52.6K
Data breachResolved

YouNow data breach (2019)

In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles.

Victim
YouNow
Records
18.2M
Data breachResolved

LBB data breach (2019)

In August 2022, customer data of the Indian shopping site "LBB" (Little Black Book) was posted to a popular hacking forum. The data contained over 3M records with 39k unique email addresses alongside IP and physical addresses, names and device information with the most recent data dating back to…

Victim
LBB
Records
39.3K
Data breachResolved

devkitPro data breach (2019)

In February 2019, the devkitPro forum suffered a data breach. The phpBB based forum had 1,508 unique email addresses exposed in the breach alongside forum posts, private messages and passwords stored as weak salted hashes. The data breach was self-submitted to HIBP by the forum operator.

Victim
devkitPro
Records
1.5K
Data breachResolved

Youthmanual data breach (2019)

In January 2019, the Indonesian college and career platform Youthmanual suffered a data breach that exposed 1.1M records of data. The breached included 938k unique email addresses along with extensive personal information including names, genders, dates and places of birth, phone numbers, physical…

Victim
Youthmanual
Records
937.9K
data-leakResolved

Singapore HIV registry leak

Confidential records of 14,200 HIV-positive people from Singapore's national HIV registry were stolen and leaked online by a foreigner who obtained them through his partner, a Ministry of Health doctor with privileged access.

Victim
Singapore Ministry of Health (MOH)
Records
14.2K
Data breachResolved

Peatix data breach (2019)

In January 2019, the event organising platform Peatix suffered a data breach. The incident exposed 4.2M email addresses, names and salted password hashes. The data was provided to HIBP by dehashed.com.

Victim
Peatix
Records
4.2M
Credential stuffingResolved

Collection #1 credential dump

A 87GB aggregated credential dump posted to the MEGA cloud service exposed 772.9 million unique email addresses and 21.2 million unique passwords, assembled from thousands of prior breaches to fuel credential-stuffing attacks at industrial scale.

Victim
Internet users worldwide (aggregated multi-breach dump)
Records
772.9M
Data breachResolved

ixigo data breach (2019)

In January 2019, the travel and hotel booking site ixigo suffered a data breach. The data appeared for sale on a dark web marketplace the following month and included over 17M unique email addresses alongside names, genders, phone numbers, connections to Facebook profiles and passwords stored as…

Victim
ixigo
Records
17.2M
Data breachResolved

Armor Games data breach (2019)

In January 2019, the game portal website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes.

Victim
Armor Games
Records
10.6M
Data breachResolved

Royal Enfield data breach (2019)

In January 2020, motorcycle maker Royal Enfield left a database publicly exposed that resulted in the inadvertent publication of over 400k customers. The impacted data included email and physical addresses, names, motorcycle information, social media profiles, passwords, and other personal…

Victim
Royal Enfield
Records
420.9K
Data breachResolved

IIMJobs data breach (2018)

In December 2018, the Indian job portal IIMJobs suffered a data breach that exposed 4.1 million unique email addresses. The data also included names, phone numbers, geographic locations, dates of birth, job titles, job applications and cover letters plus passwords stored as unsalted MD5 hashes.

Victim
IIMJobs
Records
4.2M
Data breachResolved

BannerBit data breach (2018)

In approximately December 2018, the online ad platform BannerBit suffered a data breach. Containing 213k unique email addresses and plain text passwords, the data was provided to HIBP by a third party. Multiple attempts were made to contact BannerBit, but no response was received.

Victim
BannerBit
Records
213.4K
Data breachResolved

BlankMediaGames data breach (2018)

In December 2018, the Town of Salem website produced by BlankMediaGames suffered a data breach. Reported to HIBP by DeHashed, the data contained 7.6M unique user email addresses alongside usernames, IP addresses, purchase histories and passwords stored as phpass hashes.

Victim
BlankMediaGames
Records
7.6M
Data breachResolved

OGUsers (2019 breach) data breach (2018)

In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database.

Victim
OGUsers (2019 breach)
Records
161.1K
Data breachResolved

Roll20 data breach (2018)

In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed.

Victim
Roll20
Records
4.0M
Data breachResolved

Ajarn data breach (2018)

In September 2021, the Thai-based English language teaching website Ajarn discovered they'd been the victim of a data breach dating back to December 2018. The breach was self-submitted to HIBP and included 266k email addresses, names, genders, phone numbers and other personal information.

Victim
Ajarn
Records
266.4K
Data breachResolved

Wanelo data breach (2018)

In approximately December 2018, the digital mall Wanelo suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019.

Victim
Wanelo
Records
23.2M
Data breachResolved

Mappery data breach (2018)

In December 2018, the mapping website Mappery suffered a data breach that exposed over 205k unique email addresses. The incident also exposed usernames, the geographic location of the user and passwords stored as unsalted SHA-1 hashes.

Victim
Mappery
Records
205.2K
Data breachResolved

Bombuj.eu data breach (2018)

In December 2018, the Slovak website for watching movies online for free Bombuj.eu suffered a data breach. The incident exposed over 575k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Bombuj.eu when contacted about the incident.

Victim
Bombuj.eu
Records
575.4K
Data breachContained

Quora data breach

The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.

Victim
Quora
Records
100.0M
Data breachResolved

Dubsmash data breach (2018)

The video-messaging app Dubsmash was breached in December 2018, exposing roughly 162 million accounts with email addresses, usernames and PBKDF2 password hashes that later surfaced for sale on the Dream Market dark-web bazaar via the broker GnosticPlayers.

Victim
Dubsmash
Records
161.7M
Data breachResolved

Fotolog data breach (2018)

In December 2018, the photo sharing social network Fotolog suffered a data breach that exposed 16.7 million unique email addresses. The data also included usernames and unsalted SHA-256 password hashes.

Victim
Fotolog
Records
16.7M
EspionageResolved

Marriott / Starwood guest data breach

Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed 2018: 500 million guest records exposed, including 5.25 million unencrypted passport numbers.

Victim
Marriott International / Starwood Hotels & Resorts
Loss
$200.0M
Records
500.0M
Data breachResolved

Technic data breach (2018)

In November 2018, the Minecraft modpack platform known as Technic suffered a data breach. Technic promptly disclosed the breach and advised that the impacted data included over 265k unique users' email and IP addresses, chat logs, private messages and passwords stored as bcrypt hashes with a work…

Victim
Technic
Records
265.4K
Data breachResolved

Morele.net data breach

Attackers stole the customer database of the Polish e-commerce group Morele.net, exposing data on about 2.2 million customers and launching an SMS-phishing campaign that demanded a fake PLN 1 'top-up' via a counterfeit payment gateway. Poland's UODO issued its then-largest GDPR fine of EUR 660,000.

Victim
Morele.net
Records
2.2M
Data breachResolved

Data & Leads data breach (2018)

In November 2018, security researcher Bob Diachenko identified an unprotected database believed to be hosted by a data aggregator. Upon further investigation, the data was linked to marketing company Data & Leads.

Victim
Data & Leads
Records
44.3M
Data breachResolved

Adapt data breach (2018)

In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles,…

Victim
Adapt
Records
9.4M
Data breachResolved

WPSandbox data breach (2018)

In November 2018, the WordPress sandboxing service that allows people to create temporary websites WP Sandbox discovered their service was being used to host a phishing site attempting to collect Microsoft OneDrive accounts.

Victim
WPSandbox
Records
858
Data breachResolved

Elasticsearch Instance of Sales Leads on AWS data breach (2018)

In October 2018, security researcher Bob Diachenko identified multiple exposed databases with hundreds of millions of records. One of those datasets was an Elasticsearch instance on AWS containing sales lead data and 5.8M unique email addresses.

Victim
Elasticsearch Instance of Sales Leads on AWS
Records
5.8M
Data breachResolved

BankIslami / Pakistan banking card breach

Fraudulent withdrawals at BankIslami triggered Pakistan's largest banking-sector breach, with details of more than 19,000 payment cards from 22 banks dumped for sale on the Joker's Stash carding forum and cashed out via ATMs and POS terminals abroad.

Victim
BankIslami Pakistan
Loss
$6.0M
Records
19.0K
Data breachResolved

GoldSilver data breach (2018)

In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers.

Victim
GoldSilver
Records
242.7K
Data breachResolved

Eatigo data breach (2018)

In October 2018, the restaurant reservation service Eatigo suffered a data breach that exposed 2.8 million accounts. The data included email addresses, names, phone numbers, social media profiles, genders and passwords stored as unsalted MD5 hashes.

Victim
Eatigo
Records
2.8M
Data breachResolved

Pluto TV data breach (2018)

In October 2018, the internet television service Pluto TV suffered a data breach which was then shared extensively in hacking communities. Pluto TV "decided not to proactively inform users of the breach" which contained 3.2M unique email and IP addresses, names, usernames, genders, dates of birth…

Victim
Pluto TV
Records
3.2M
Data breachResolved

Wife Lovers data breach (2018)

In October 2018, the site dedicated to posting naked photos and other erotica of wives Wife Lovers suffered a data breach. The underlying database supported a total of 8 different adult websites and contained over 1.2M unique email addresses.

Victim
Wife Lovers
Records
1.3M
Data breachResolved

You've Been Scraped data breach (2018)

In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator.

Victim
You've Been Scraped
Records
66.1M
Data breachResolved

VimeWorld data breach (2018)

In October 2018, the Russian Minecraft service VimeWorld suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 3.1M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.

Victim
VimeWorld
Records
3.1M
Data breachResolved

SaverSpy data breach (2018)

In September 2018, security researcher Bob Diachenko discovered a massive collection of personal details exposed in an unprotected Mongo DB instance. The data appears to have been used in marketing campaigns (possibly for spam purposes) but had little identifying data about it other than a…

Victim
SaverSpy
Records
2.5M
Data breachResolved

Color Dating data breach (2018)

In September 2018, the dating app to match people with different ethnicities Color Dating suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed 220k unique email addresses along with bios, names, profile photos and bcrypt password hashes.

Victim
Color Dating
Records
220.5K
Data breachResolved

Knuddels data breach (2018)

In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined €20k for the breach.

Victim
Knuddels
Records
808.3K
Data breachResolved

Multiplayer.it data breach (2018)

In April 2024, over half a million records taken from the Italian gaming website Multiplayer.it were posted to a popular hacking forum. The impacted data included email addresses, usernames and salted MD5 password hashes.

Victim
Multiplayer.it
Records
504.0K
Data breachResolved

Atlas Quantum data breach (2018)

In August 2018, the cryptocurrency investment platform Atlas Quantum suffered a data breach. The breach leaked the personal data of 261k investors on the platform including their names, phone numbers, email addresses and account balances.

Victim
Atlas Quantum
Records
261.5K
Data breachResolved

HTH Studios data breach (2018)

In August 2018, the adult furry interactive game creator HTH Studios suffered a data breach impacting multiple repositories of customer data. Several months later, the data surfaced on a popular hacking forum and included 411k unique email addresses along with physical and IP addresses, names,…

Victim
HTH Studios
Records
411.8K
Data breachResolved

SpyFone data breach (2018)

In August 2018, the spyware company SpyFone left terabytes of data publicly exposed. Collected surreptitiously whilst the targets were using their devices, the data included photos, audio recordings, text messages and browsing history which were then exposed via a number of misconfigurations within…

Victim
SpyFone
Records
44.1K
Data breachResolved

HauteLook data breach (2018)

In mid-2018, the fashion shopping site HauteLook was among a raft of sites that were breached and their data then sold in early-2019. The data included over 28 million unique email addresses alongside names, genders, dates of birth and passwords stored as bcrypt hashes.

Victim
HauteLook
Records
28.5M
Data breachResolved

Rbx.Rocks data breach (2018)

In August 2018, the Roblox trading site Rbx.Rocks suffered a data breach. Almost 25k records were sent to HIBP in November and included names, email addresses and passwords stored as bcrypt hashes. In July 2019, a further 125k records emerged bringing the total size of the incident to 150k.

Victim
Rbx.Rocks
Records
150.0K
Data breachResolved

Lanwar data breach (2018)

In July 2018, staff of the Lanwar gaming site discovered a data breach they believe dates back to sometime over the previous several months. The data contained 45k names, email addresses, usernames and plain text passwords.

Victim
Lanwar
Records
45.1K
Data breachResolved

Apollo data exposure (2018)

Sales-engagement startup Apollo left a database of 9 billion data points and over 200 million contact records exposed without a password in 2018; a subset of 126 million unique email addresses was loaded into Have I Been Pwned after researcher Vinny Troia found it.

Victim
Apollo
Records
125.9M
EspionageContained

SingHealth data breach

Chinese state-attributed actors exfiltrated personal and outpatient medication records on 1.5 million SingHealth patients — including Prime Minister Lee Hsien Loong — in Singapore's most serious cyber incident.

Victim
Singapore Health Services (SingHealth)
Loss
$7.5M
Records
1.5M
Data breachResolved

Animoto data breach (2018)

In July 2018, the cloud-based video making service Animoto suffered a data breach. The breach exposed 22 million unique email addresses alongside names, dates of birth, country of origin and salted password hashes.

Victim
Animoto
Records
22.4M
Data breachResolved

Fashion Nexus data breach (2018)

In July 2018, UK-based ecommerce company Fashion Nexus suffered a data breach which exposed 1.4 million records. Multiple websites developed by sister company White Room Solutions were impacted in the breach amongst which were sites including Jaded London and AX Paris.

Victim
Fashion Nexus
Records
1.3M
Data breachResolved

Bookmate data breach (2018)

In mid-2018, the social ebook subscription service Bookmate was among a raft of sites that were breached and their data then sold in early-2019. The data included almost 4 million unique email addresses alongside names, genders, dates of birth and passwords stored as salted SHA-512 hashes.

Victim
Bookmate
Records
3.8M
Data breachResolved

500px data breach (2018)

In mid-2018, the online photography community 500px suffered a data breach. The incident exposed almost 15 million unique email addresses alongside names, usernames, genders, dates of birth and either an MD5 or bcrypt password hash.

Victim
500px
Records
14.9M
Data breachResolved

Stronghold Kingdoms data breach (2018)

In July 2018, the massive multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident which exposed emails addresses, usernames and passwords stored as salted SHA-1 hashes.

Victim
Stronghold Kingdoms
Records
5.2M
Data breachResolved

8fit data breach (2018)

In July 2018, the health and fitness service 8fit suffered a data breach. The data subsequently appeared for sale on a dark web marketplace in February 2019 and included over 15M unique email addresses alongside names, genders, IP addresses and passwords stored as bcrypt hashes.

Victim
8fit
Records
15.0M
Data breachResolved

Zoomcar data breach (2018)

In July 2018, the Indian self-drive car rental company Zoomcar suffered a data breach which was subsequently sold on a dark web marketplace in 2020. The breach exposed over 3.5M records including names, email and IP addresses, phone numbers and passwords stored as bcrypt hashes.

Victim
Zoomcar
Records
3.6M
Data breachResolved

Exactis data exposure

Data-marketing firm Exactis left a database of nearly 340 million detailed records on individuals and businesses exposed on a publicly accessible server with no firewall. Each record held up to 400 fields of personal profiling data, from contact details to children's ages, religion, and habits.

Victim
Exactis LLC
Records
340.0M
Data breachResolved

Light's Hope data breach (2018)

In June 2018, the World of Warcraft service Light's Hope suffered a data breach which they subsequently self-submitted to HIBP. Over 30K unique users were impacted and their exposed data included email addresses, dates of birth, private messages and passwords stored as bcrypt hashes.

Victim
Light's Hope
Records
30.5K
Data breachResolved

Mortal Online data breach (2018)

In June 2018, the massively multiplayer online role-playing game (MMORPG) Mortal Online suffered a data breach. A file containing 570k email addresses and cracked passwords was subsequently distributed online.

Victim
Mortal Online
Records
606.6K
Data breachResolved

Trik Spam Botnet data breach (2018)

In June 2018, the command and control server of a malicious botnet known as the "Trik Spam Botnet" was misconfigured such that it exposed the email addresses of more than 43 million people.

Victim
Trik Spam Botnet
Records
43.4M
Data breachResolved

Romwe data breach (2018)

In mid-2018, the Hong Kong-based retailer Romwe suffered a data breach which exposed almost 20 million customers. The data was subsequently sold online and includes names, phone numbers, email and IP addresses, customer geographic locations and passwords stored as salted SHA-1 hashes.

Victim
Romwe
Records
19.5M
Data breachResolved

SHEIN data breach (2018)

In June 2018, fast-fashion retailer SHEIN suffered a breach of its payment systems exposing about 39 million account credentials. In 2022, New York fined parent company Zoetop $1.9 million for understating the breach and failing to notify most victims.

Victim
SHEIN
Loss
$1.9M
Records
39.1M
Data breachResolved

Ticketfly data breach (2018)

In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached data…

Victim
Ticketfly
Records
26.2M
Data breachResolved

Adult-FanFiction.Org data breach (2018)

In May 2018, the website for sharing adult-orientated works of fiction known as Adult-FanFiction.Org had 186k records exposed in a data breach. The data contained names, email addresses, dates of birth and passwords stored as both MD5 hashes and plain text.

Victim
Adult-FanFiction.Org
Records
186.1K
Data breachResolved

Houzz data breach (2018)

In mid-2018, the home-design platform Houzz had a file containing user data obtained by an unauthorized third party. The company learned of it in late 2018 and disclosed it in early 2019. Roughly 49 million accounts were exposed, including emails, usernames, salted password hashes and IP-derived locations.

Victim
Houzz
Records
48.9M
Data breachResolved

Poshmark data breach (2018)

In May 2018, the social-commerce marketplace Poshmark was breached and roughly 36 million user accounts were exposed, including email addresses, names, usernames, genders, locations and bcrypt-hashed passwords. The company confirmed the incident in August 2019.

Victim
Poshmark
Records
36.4M
Data breachResolved

Lolzteam data breach (2018)

In May 2018, the Russian hacking forum Lolzteam suffered a data breach that exposed 400k members. The impacted data included usernames and email addresses which were later redistributed via another hacking forum.

Victim
Lolzteam
Records
398.0K
Data breachResolved

ViewFines data breach (2018)

In May 2018, the South African website for viewing traffic fines online known as ViewFines suffered a data breach. Over 934k records containing 778k unique email addresses were exposed and included names, phone numbers, government issued IDs and passwords stored in plain text.

Victim
ViewFines
Records
777.6K
Data breachResolved

Creative data breach (2018)

In May 2018, the forum for Singaporean hardware company Creative Technology suffered a data breach which resulted in the disclosure of 483k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes.

Victim
Creative
Records
483.0K
Data breachResolved

Linux Forums data breach (2018)

In May 2018, the Linux Forums website suffered a data breach which resulted in the disclosure of 276k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes.

Victim
Linux Forums
Records
275.8K
Data breachResolved

Chegg data breach (2018)

The education-technology company Chegg disclosed a 2018 breach affecting about 40 million users, exposing emails, names and unsalted MD5 password hashes; the FTC later cited four breaches and ordered Chegg to overhaul its security.

Victim
Chegg
Records
39.7M
Data breachResolved

Funny Games data breach (2018)

In April 2018, the online entertainment site Funny Games suffered a data breach that disclosed 764k records including usernames, email and IP addresses and salted MD5 password hashes.

Victim
Funny Games
Records
764.4K
Data breachResolved

Pemiblanc data breach (2018)

In April 2018, a credential stuffing list containing 111 million email addresses and passwords known as Pemiblanc was discovered on a French server. The list contained email addresses and passwords collated from different data breaches and used to mount account takeover attacks against other…

Victim
Pemiblanc
Records
111.0M
Data breachResolved

AerServ data breach (2018)

In April 2018, the ad management platform known as AerServ suffered a data breach. Acquired by InMobi earlier in the year, the AerServ breach impacted over 66k unique email addresses and also included contact information and passwords stored as salted SHA-512 hashes.

Victim
AerServ
Records
66.3K
Data breachResolved

Artsy data breach (2018)

In April 2018, the online arts database Artsy suffered a data breach which consequently appeared for sale on a dark web marketplace. Over 1M accounts were impacted and included IP and email addresses, names and passwords stored as salted SHA-512 hashes.

Victim
Artsy
Records
1.1M
Data breachResolved

Emuparadise data breach (2018)

In April 2018, the self-proclaimed "biggest retro gaming website on earth", Emuparadise, suffered a data breach. The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Emuparadise
Records
1.1M
Data breachResolved

Wendy's data breach (2018)

In March 2018, Wendy's in the Philippines suffered a data breach which impacted over 52k customers and job applicants. The breach exposed extensive personal information including names, email and IP addresses, physical addresses, phone numbers and passwords stored as MD5 hashes.

Victim
Wendy's
Records
52.5K
Data breachResolved

Bestialitysextaboo data breach (2018)

In March 2018, the animal bestiality website known as Bestialitysextaboo was hacked. A collection of various sites running on the same service were also compromised and details of the hack (including links to the data) were posted on a popular forum.

Victim
Bestialitysextaboo
Records
3.2K
Data breachResolved

EyeEm data breach (2018)

In February 2018, photography website EyeEm suffered a data breach. The breach was identified among a collection of other large incidents and exposed almost 20M unique email addresses, names, usernames, bios and password hashes.

Victim
EyeEm
Records
19.6M
Data breachResolved

2,844 Separate Data Breaches data breach (2018)

In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen.

Victim
2,844 Separate Data Breaches
Records
80.1M
Data breachResolved

Florida Virtual School data breach (2018)

In March 2018, the Florida Virtual School (FLVS) posted a data breach notification to their website. The school had identified a data breach which had occurred sometime between 6 May 2016 and 12 Feb 2018 and an XML file containing 368k student records was subsequently found circulating.

Victim
Florida Virtual School
Records
542.9K
Data breachResolved

Jobandtalent data breach (2018)

In approximately February 2018, the employment website Jobandtalent suffered a data breach which then appeared for sale alongside other breaches a year later. The incident impacted 11 million subscribers and exposed their names, email and IP addresses and passwords stored as salted SHA-1 hashes.

Victim
Jobandtalent
Records
11.0M
Data breachResolved

MyFitnessPal data breach (2018)

In February 2018, Under Armour's MyFitnessPal app was breached, exposing about 144 million accounts with usernames, emails and passwords hashed using a mix of SHA-1 and bcrypt; the data later surfaced for sale via GnosticPlayers.

Victim
MyFitnessPal (Under Armour)
Records
143.6M
Data breachResolved

JoomlArt data breach (2018)

In January 2018, the Joomla template website JoomlArt inadvertently exposed more than 22k unique customer records in a Jira ticket. The exposed data was from iJoomla and JomSocial, both services that JoomlArt acquired the previous year.

Victim
JoomlArt
Records
22.5K
Data breachResolved

PropTiger data breach (2018)

In January 2018, the Indian property website PropTiger suffered a data breach which resulted in a 3.46GB database file being exposed and subsequently shared extensively on a popular hacking forum 2 years later.

Victim
PropTiger
Records
2.2M
private-keystolen

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time — later attributed to North Korea's Lazarus Group.

Victim
Coincheck Inc.
Loss
$530.0M
Data breachResolved

Netshoes customer data breach

Brazilian e-commerce giant Netshoes exposed the personal data — names, CPF tax IDs, emails and purchase histories — of about 2 million customers, drawing one of the first major enforcement actions by Brazilian prosecutors over a data breach.

Victim
Netshoes
Loss
$135.0K
Records
2.0M
EspionageResolved

Dark Caracal global mobile espionage campaign

A multi-year cyber-espionage campaign tied to the Lebanese General Directorate of General Security (GDGS) stole hundreds of gigabytes of data from thousands of victims across 21+ countries using trojanized Android apps and desktop malware.

Victim
Activists, journalists, lawyers, military and government targets (21+ countries)
Data breachUnknown

Aadhaar database exposure

Tribune India journalists demonstrated that paid intermediaries could provide full Aadhaar records — including biometric-linked identity data on roughly 1.1 billion Indian residents — for 500 rupees per record.

Victim
Unique Identification Authority of India (UIDAI) / Aadhaar
Records
1.10B
Data breachResolved

DailyObjects data breach (2018)

In approximately January 2018, a collection of more than 464k customer records from the Indian online retailer DailyObjects were leaked online. The data included names, physical and email addresses, phone numbers and "pincodes" stored in plain text.

Victim
DailyObjects
Records
464.3K
Data breachResolved

Elanic data breach (2018)

In January 2020, the Indian fashion marketplace Elanic had 2.8M records with 2.3M unique email addresses posted publicly to a popular hacking forum. Elanic confirmed that they had "verified the data and it was pulled from one of our test servers where this data was exposed publicly" and that the…

Victim
Elanic
Records
2.3M
Data breachResolved

The Fly on the Wall data breach (2017)

In December 2017, the stock market news website The Fly on the Wall suffered a data breach. The data in the breach included 84k unique email addresses as well as purchase histories and credit card data.

Victim
The Fly on the Wall
Records
84.0K
Data breachResolved

HoundDawgs data breach (2017)

In December 2017, the Danish torrent tracker known as HoundDawgs suffered a data breach. More than 55GB of data was dumped publicly and whilst there was initially contention as to the severity of the incident, the data did indeed contain more than 45k unique email addresses complete extensive logs…

Victim
HoundDawgs
Records
45.7K
Data breachResolved

Lyrics Mania data breach (2017)

In December 2017, the song lyrics website known as Lyrics Mania suffered a data breach. The data in the breach included 109k usernames, email addresses and plain text passwords. Numerous attempts were made to contact Lyrics Mania about the incident, however no responses were received.

Victim
Lyrics Mania
Records
109.2K
Data breachResolved

2fast4u data breach (2017)

In December 2017, the Belgian motorcycle forum 2fast4u discovered a data breach of their system. The breach of the vBulletin message board impacted over 17k individual users and exposed email addresses, usersnames and salted MD5 passwords.

Victim
2fast4u
Records
17.7K
Data breachResolved

PetFlow data breach (2017)

In December 2017, the pet care delivery service PetFlow suffered a data breach which consequently appeared for sale on a dark web marketplace. Almost 1M accounts were impacted and exposed email addresses and passwords stored as unsalted MD5 hashes.

Victim
PetFlow
Records
990.9K
Data breachResolved

piZap data breach (2017)

In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019.

Victim
piZap
Records
41.8M
Data breachResolved

ai.type data breach (2017)

In December 2017, the virtual keyboard application ai.type was found to have left a huge amount of data publicly facing in an unsecured MongoDB instance.

Victim
ai.type
Records
20.6M
Data breachResolved

dvd-shop.ch data breach (2017)

In December 2017, the online Swiss DVD store known as dvd-shop.ch suffered a data breach. The incident led to the exposure of 68k email addresses and plain text passwords. The site has since been updated to indicate that it is currently closed.

Victim
dvd-shop.ch
Records
68.0K
Data breachResolved

Open CS:GO data breach (2017)

In December 2017, the website for purchasing Counter-Strike skins known as Open CS:GO (Counter-Strike: Global Offensive) suffered a data breach (address since redirects to dropgun.com).

Victim
Open CS:GO
Records
512.3K
Data breachResolved

TheTVDB.com data breach (2017)

In November 2017, the open television database known as TheTVDB.com suffered a data breach. The breached data was posted to a hacking forum and included 182k records with usernames, email addresses and MySQL password hashes.

Victim
TheTVDB.com
Records
181.9K
Data breachResolved

Uber 2016 data breach and cover-up

Attackers stole personal data on 57 million Uber riders and drivers in October 2016. Rather than disclose, Uber paid the hackers a $100,000 ransom and disguised it as a bug bounty — a cover-up that led to a $148 million multistate settlement and the criminal conviction of Uber's security chief.

Victim
Uber Technologies, Inc.
Loss
$148.0M
Records
57.0M
Data breachunresolved

Malaysia telecommunications mega data breach

Personal data of 46.2 million Malaysian mobile subscribers — names, ID card numbers, SIM and IMSI numbers, and addresses from at least a dozen telcos and MVNOs — was leaked and offered for sale online, in the largest data breach in Malaysian history.

Victim
Malaysian mobile operators (Maxis, Celcom, DiGi, U Mobile and others)
Records
46.2M
Data breachResolved

MyHeritage data breach (2017)

Genealogy and DNA-testing service MyHeritage was breached in October 2017, exposing roughly 92 million account email addresses and salted SHA-1 password hashes. The incident was only discovered and disclosed in June 2018.

Victim
MyHeritage
Records
92.0M
Data breachResolved

Bukalapak data breach (2017)

In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes.

Victim
Bukalapak
Records
13.4M
MalwareResolved

Far Eastern International Bank SWIFT heist

North Korea's Lazarus Group used custom malware to commandeer Far Eastern International Bank's SWIFT terminal and wire roughly $60 million to accounts in the U.S., Cambodia, and Sri Lanka, deploying Hermes ransomware as a diversion.

Victim
Far Eastern International Bank (FEIB)
Loss
$500.0K
Data breachResolved

Legendas.TV data breach (2017)

In October 2017, the now defunct Brazilian service for retrieving subtitles in Portuguese Legendas.TV suffered a data breach that exposed nearly 4M customer records. The impacted data included names, usernames, email and IP addresses and unsalted SHA-1 hashes.

Victim
Legendas.TV
Records
3.9M
Data breachResolved

Smogon data breach (2017)

In April 2018, the Pokémon website known as Smogon announced they'd suffered a data breach. The breach dated back to September 2017 and affected their XenForo based forum. The exposed data included usernames, email addresses, genders and both bcrypt and MD5 password hashes.

Victim
Smogon
Records
386.5K
Data breachResolved

Moneycontrol data breach (2017)

In April 2021, hackers posted data for sale originating from the online Indian financial platform, Moneycontrol. The data included 763 thousand unique email addresses (allegedly a subset of a larger 40 million account breach), alongside geographic locations, phone numbers, genders, dates of birth…

Victim
Moneycontrol
Records
762.9K
Vulnerability exploitResolved

Estonian ID-card ROCA crypto crisis

A flaw in Infineon's RSA key-generation library (ROCA, CVE-2017-15361) made it theoretically possible to forge digital identities for some 750,000 Estonian ID-cards, forcing a nationwide certificate suspension and emergency remote re-keying.

Victim
Republic of Estonia (national ID-card / e-residency)
Data breachResolved

TGBUS data breach (2017)

In approximately 2017, it's alleged that the Chinese gaming site known as TGBUS suffered a data breach that impacted over 10 million unique subscribers.

Victim
TGBUS
Records
10.4M
Data breachResolved

Onliner Spambot data breach (2017)

In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information.

Victim
Onliner Spambot
Records
711.5M
Data breachResolved

Coinmama data breach (2017)

In August 2017, the crypto coin brokerage service Coinmama suffered a data breach that impacted 479k subscribers. The breach was discovered in February 2019 with exposed data including email addresses, usernames and passwords stored as MD5 WordPress hashes.

Victim
Coinmama
Records
478.8K
Data breachResolved

Taringa data breach (2017)

In September 2017, news broke that Taringa had suffered a data breach exposing 28 million records. Known as "The Latin American Reddit", Taringa's breach disclosure notice indicated the incident dated back to August that year.

Victim
Taringa
Records
28.0M
Data breachResolved

MALL.cz data breach (2017)

In July 2017, the Czech Republic e-commerce site MALL.cz suffered a data breach after which 735k unique accounts including email addresses, names, phone numbers and passwords were later posted online.

Victim
MALL.cz
Records
735.4K
Data breachResolved

B2B USA Businesses data breach (2017)

In mid-2017, a spam list of over 105 million individuals in corporate America was discovered online. Referred to as "B2B USA Businesses", the list categorised email addresses by employer, providing information on individuals' job titles plus their work phone numbers and physical addresses.

Victim
B2B USA Businesses
Records
105.1M
Data breachResolved

Swedish Transport Agency data leak

A botched IT outsourcing deal exposed Sweden's entire vehicle and driver-licence database — including data on protected identities, police, and military personnel — to foreign IT workers without security clearance, triggering a national political crisis.

Victim
Swedish Transport Agency (Transportstyrelsen)
Data breachResolved

8tracks data breach (2017)

In June 2017, the online playlists service known as 8Tracks suffered a data breach which impacted 18 million accounts. In their disclosure, 8Tracks advised that "the vector for the attack was an employee’s GitHub account, which was not secured using two-factor authentication".

Victim
8tracks
Records
18.0M
Data breachResolved

Exposed VINs data breach (2017)

In June 2017, an unsecured database with more than 10 million VINs (vehicle identification numbers) was discovered by researchers. Believed to be sourced from US car dealerships, the data included a raft of personal information and vehicle data along with 397k unique email addresses.

Victim
Exposed VINs
Records
396.6K
EspionageResolved

Qatar News Agency hack

Attackers planted malware on Qatar's state news agency in April 2017 and exploited it on 24 May to publish fabricated quotes attributed to the Emir, providing the pretext used by Saudi Arabia, the UAE, Bahrain, and Egypt to launch a blockade of Qatar.

Victim
Qatar News Agency (QNA)
Data breachResolved

Zomato data breach (2017)

In May 2017, the restaurant guide website Zomato was hacked resulting in the exposure of almost 17 million accounts. The data was consequently redistributed online and contains email addresses, usernames and salted MD5 hashes of passwords (the password hash was not present on all accounts).

Victim
Zomato
Records
16.5M
Data breachResolved

DaFont data breach (2017)

In May 2017, font sharing site DaFont suffered a data breach resulting in the exposure of 637k records. Allegedly due to a SQL injection vulnerability exploited by multiple parties, the exposed data included usernames, email addresses and passwords stored as MD5 without a salt.

Victim
DaFont
Records
637.3K
Data breachResolved

Bell (2017 breach) data breach (2017)

In May 2017, the Bell telecommunications company in Canada suffered a data breach resulting in the exposure of millions of customer records. The data was consequently leaked online with a message from the attacker stating that they were "releasing a significant portion of Bell.ca's data due to the…

Victim
Bell (2017 breach)
Records
2.2M
Data breachResolved

Edmodo data breach (2017)

In May 2017, the education platform Edmodo was hacked resulting in the exposure of 77 million records comprised of over 43 million unique customer email addresses. The data was consequently published to a popular hacking forum and made freely available.

Victim
Edmodo
Records
43.4M
Data breachResolved

Reincubate data breach (2017)

In October 2020, the app data company Reincubate suffered a data breach which exposed a backup from November 2017 (the newest record in the data appeared several months earlier). The data included over 616k unique email addresses, names and passwords stored as PBKDF2 hashes.

Victim
Reincubate
Records
616.1K
Data breachResolved

Ge.tt data breach (2017)

In May 2017, the file sharing platform Ge.tt suffered a data breach. The data was subsequently put up for sale on a dark web marketplace in February 2019 alongside a raft of other breaches.

Victim
Ge.tt
Records
2.5M
Data breachResolved

Underworld Empire data breach (2017)

In April 2017, the vBulletin forum for the Underworld Empire game suffered a data breach that exposed 429k accounts. The data was then posted to a hacking forum in mid-February 2018 where it was made available to download.

Victim
Underworld Empire
Records
428.8K
Data breachResolved

Dueling Network data breach (2017)

In March 2017, the Flash game based on the Yu-Gi-Oh trading card game Dueling Network suffered a data breach. The site itself was taken offline in 2016 due to a cease-and-desist order but the forum remained online for another year.

Victim
Dueling Network
Records
6.5M
Data breachResolved

Appartoo data breach (2017)

In March 2017, the French Flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256…

Victim
Appartoo
Records
49.7K
Data breachResolved

Health Now Networks data breach (2017)

In March 2017, the telemarketing service Health Now Networks left a database containing hundreds of thousands of medical records exposed. There were over 900,000 records in total containing significant volumes of personal information including names, dates of birth, various medical conditions and…

Victim
Health Now Networks
Records
321.9K
Data breachResolved

Factual data breach (2017)

In March 2017, a file containing 8M rows of data allegedly sourced from data aggregator Factual was compiled and later exchanged on the premise it was a "breach". The data contained 2.5M unique email addresses alongside business names, addresses and phone numbers.

Victim
Factual
Records
2.5M
Data breachResolved

Master Deeds data breach (2017)

In March 2017, a 27GB database backup file named "Master Deeds" was sent to HIBP by a supporter of the project. Upon detailed analysis later that year, the file was found to contain the personal data of tens of millions of living and deceased South African residents.

Victim
Master Deeds
Records
2.3M
Data breachResolved

Bolt data breach (2017)

In approximately March 2017, the file sharing website Bolt suffered a data breach resulting in the exposure of 995k unique user records. The data was sourced from their vBulletin forum and contained email and IP addresses, usernames and salted MD5 password hashes.

Victim
Bolt
Records
995.3K
EspionageResolved

MINDEF I-net breach

A targeted intrusion into Singapore's Ministry of Defence I-net web-surfing system stole the NRIC numbers, phone numbers and birth dates of 850 national servicemen and staff in the country's first publicly disclosed breach of a government defence network.

Victim
Singapore Ministry of Defence (MINDEF)
Records
850
Vulnerability exploitResolved

Cloudflare "Cloudbleed" memory leak

A buffer-overflow bug in Cloudflare's edge servers caused them to leak adjacent chunks of memory — including passwords, cookies, and private messages from other customers — into web pages, where some were cached by search engines. The flaw was active for months before Google's Project Zero discovered it.

Victim
Cloudflare, Inc.
Data breachResolved

Retina-X data breach (2017)

In February 2017, the mobile device monitoring software developer Retina-X was hacked and customer data downloaded before being wiped from their servers.

Victim
Retina-X
Records
71.2K
Data breachResolved

Coachella data breach (2017)

In February 2017, hundreds of thousands of records from the Coachella music festival were discovered being sold online. Allegedly taken from a combination of the main Coachella website and their vBulletin-based message board, the data included almost 600k usernames, IP and email addresses and…

Victim
Coachella
Records
599.8K
Data breachResolved

FreeOnes data breach (2017)

In February 2017, the forum for the adult website FreeOnes suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 960k unique email addresses alongside usernames, IP addresses and salted MD5 password hashes.

Victim
FreeOnes
Records
960.2K
Data breachResolved

Freedom Hosting II data breach (2017)

In January 2017, the free hidden service host Freedom Hosting II suffered a data breach. The attack allegedly took down 20% of dark web sites running behind Tor hidden services with the attacker claiming that of the 10,613 impacted sites, more than 50% of the content was child pornography.

Victim
Freedom Hosting II
Records
380.8K
Data breachResolved

DataCamp data breach (2017)

In December 2018, the data science website DataCamp suffered a data breach of records dating back to January 2017. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes.

Victim
DataCamp
Records
760.6K
Data breachResolved

SwordFantasy data breach (2017)

In January 2019, the now defunct MMO and RPG game SwordFantasy suffered a data breach that exposed 2.7M unique email addresses. Other impacted data included username, IP address and salted MD5 password hashes.

Victim
SwordFantasy
Records
2.7M
Data breachResolved

CrimeAgency vBulletin Hacks data breach (2017)

In January 2016, a large number of unpatched vBulletin forums were compromised by an actor known as "CrimeAgency". A total of 140 forums had data including usernames, email addresses and passwords (predominantly stored as salted MD5 hashes), extracted and then distributed.

Victim
CrimeAgency vBulletin Hacks
Records
942.0K
Data breachResolved

Sephora data breach (2017)

In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information.

Victim
Sephora
Records
780.1K
Data breachResolved

CloudPets data breach (2017)

In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands).

Victim
CloudPets
Records
583.5K
Data breachResolved

Hub4Tech data breach (2017)

On an unknown date in approximately 2017, the Indian training and assessment service known as Hub4Tech suffered a data breach via a SQL injection attack. The incident exposed almost 37k unique email addresses and passwords stored as unsalted MD5 hashes.

Victim
Hub4Tech
Records
36.9K
Data breachResolved

Little Monsters data breach (2017)

In approximately January 2017, the Lady Gaga fan site known as "Little Monsters" suffered a data breach that impacted 1 million accounts. The data contained usernames, email addresses, dates of birth and bcrypt hashes of passwords.

Victim
Little Monsters
Records
995.7K
Data breachResolved

LiveJournal data breach (2017)

In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth beginning in 2018, a fork of LiveJournal with a significant crossover in user base.

Victim
LiveJournal
Records
26.4M
Data breachResolved

R2 (2017 forum breach) data breach (2017)

In early 2017, the forum for the gaming website R2 Games was hacked. R2 had previously appeared on HIBP in 2015 after a prior incident. This one exposed over 1 million unique user accounts and corresponding MD5 password hashes with no salt.

Victim
R2 (2017 forum breach)
Records
1.0M
Data breachResolved

River City Media Spam List data breach (2017)

In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation.

Victim
River City Media Spam List
Records
393.4M
Data breachResolved

Russian America data breach (2017)

In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes.

Victim
Russian America
Records
182.7K
Data breachResolved

Victory Phones data breach (2017)

In January 2017, the automated telephony services company Victory Phones left a Mongo DB database publicly facing without a password. Subsequently, 213GB of data was downloaded by an unauthorised party including names, addresses, phone numbers and over 166k unique email addresses.

Victim
Victory Phones
Records
166.0K
Data breachResolved

Data Enrichment Records data breach (2016)

In December 2016, more than 200 million "data enrichment profiles" were found for sale on the darknet. The seller claimed the data was sourced from Experian and whilst that claim was rejected by the company, the data itself was found to be legitimate suggesting it may have been sourced from other…

Victim
Data Enrichment Records
Records
8.2M
Data breachResolved

Anti Public Combo List data breach (2016)

In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems.

Victim
Anti Public Combo List
Records
458.0M
Data breachResolved

Ethereum data breach (2016)

In December 2016, the forum for the public blockchain-based distributed computing platform Ethereum suffered a data breach. The database contained over 16k unique email addresses along with IP addresses, private forum messages and (mostly) bcrypt hashed passwords.

Victim
Ethereum
Records
16.4K
Data breachResolved

PayAsUGym data breach (2016)

In December 2016, an attacker breached PayAsUGym's website exposing over 400k customers' personal data. The data was consequently leaked publicly and broadly distributed via Twitter.

Victim
PayAsUGym
Records
400.3K
Data breachResolved

MrExcel data breach (2016)

In December 2016, the forum for the Microsoft Excel tips and solutions site Mr Excel suffered a data breach. The hack of the vBulletin forum led to the exposure of over 366k accounts along with email and IP addresses, dates of birth and salted passwords hashed with MD5.

Victim
MrExcel
Records
366.1K
Data breachResolved

Biohack.me data breach (2016)

In December 2016, the forum for the biohacking website Biohack.me suffered a data breach that exposed 3.4k accounts. The data included usernames, email addresses and hashed passwords along with the private messages of forum members. The data was self-submitted to HIBP by the Biohack.me operators.

Victim
Biohack.me
Records
3.4K
Data breachResolved

FashionFantasyGame data breach (2016)

In late 2016, the fashion gaming website Fashion Fantasy Game suffered a data breach. The incident exposed 2.3 million unique user accounts and corresponding MD5 password hashes with no salt. The data was contributed to Have I Been Pwned courtesy of rip@creep.im.

Victim
FashionFantasyGame
Records
2.4M
Data breachResolved

Warmane data breach (2016)

In approximately December 2016, the online service for World of Warcraft private servers Warmane suffered a data breach. The incident exposed over 1.1M accounts including usernames, email addresses, dates of birth and salted MD5 password hashes.

Victim
Warmane
Records
1.1M
Data breachResolved

Youku data breach (2016)

In late 2016, China's leading online video platform Youku suffered a data breach exposing roughly 92 million unique user accounts together with usernames and MD5-hashed passwords, which later circulated on dark-web marketplaces.

Victim
Youku
Records
91.9M
Data breachResolved

xHamster data breach (2016)

In November 2016, news broke that hackers were trading hundreds of thousands of xHamster porn account details. In total, the data contained almost 380k unique user records including email addresses, usernames and unsalted MD5 password hashes.

Victim
xHamster
Records
377.4K
Data breachResolved

RankWatch data breach (2016)

In approximately November 2016, the search engine optimisation management company RankWatch exposed a Mongo DB with no password publicly whereupon their data was exfiltrated and posted to an online forum.

Victim
RankWatch
Records
7.4M
Data breachResolved

CashCrate data breach (2016)

In June 2017, news broke that CashCrate had suffered a data breach exposing 6.8 million records. The breach of the cash-for-surveys site dated back to November 2016 and exposed names, physical addresses, email addresses and passwords stored in plain text for older accounts along with weak MD5…

Victim
CashCrate
Records
6.8M
Data breachResolved

SubaGames data breach (2016)

In November 2016, the game developer Suba Games suffered a data breach which led to the exposure of 6.1M unique email addresses. Impacted data also included usernames and passwords, most of which appeared circulating in the breached file in plain text after being cracked from salted MD5 hashes.

Victim
SubaGames
Records
6.1M
Data breachResolved

MCBans data breach (2016)

In October 2016, the Minecraft banning service known as MCBans suffered a data breach resulting in the exposure of 120k unique user records. The data contained email and IP addresses, usernames and password hashes of unknown format.

Victim
MCBans
Records
119.9K
DDoSResolved

Dyn DNS Mirai DDoS attack

A massive Mirai-botnet DDoS attack against managed DNS provider Dyn knocked Twitter, Netflix, Spotify, GitHub, Reddit, and dozens of other major sites offline across the U.S. and Europe, demonstrating how a botnet of compromised IoT devices could disrupt large swathes of the internet.

Victim
Dyn, Inc.
Data breachResolved

Adult FriendFinder (2016) data breach (2016)

In October 2016, the adult entertainment company Friend Finder Networks suffered a massive data breach. The incident impacted multiple separate online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to be "the world's largest sex & swinger community".

Victim
Adult FriendFinder (2016)
Records
169.7M
Data breachResolved

Exploit.In data breach (2016)

In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems.

Victim
Exploit.In
Records
593.4M
Data breachResolved

GFAN data breach (2016)

In October 2016, data surfaced that was allegedly obtained from the Chinese website known as GFAN and contained 22.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
GFAN
Records
22.5M
Data breachResolved

Modern Business Solutions data breach (2016)

In October 2016, a large Mongo DB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phone…

Victim
Modern Business Solutions
Records
58.8M
Data breachContained

Leak at Dailymotion

In October 2016, French video-sharing platform Dailymotion was breached, exposing roughly 85.2 million user accounts including email addresses and usernames, with bcrypt password hashes for about 18 million of them.

Victim
Dailymotion
Records
85.2M
Data breachResolved

Pokémon Negro data breach (2016)

In approximately October 2016, the Spanish Pokémon site Pokémon Negro suffered a data breach. The attack resulted in the disclosure of 830k accounts including email and IP addresses along with plain text passwords. Pokémon Negro did not respond when contacted about the breach.

Victim
Pokémon Negro
Records
830.2K
Data breachResolved

Aipai.com data breach (2016)

In September 2016, data allegedly obtained from the Chinese gaming website known as Aipai.com and containing 6.5M accounts was leaked online. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Aipai.com
Records
6.5M
Data breachResolved

Leet data breach (2016)

In August 2016, the service for creating and running Pocket Minecraft edition servers known as Leet was reported as having suffered a data breach that impacted 6 million subscribers.

Victim
Leet
Records
5.1M
Data breachResolved

Real Estate Mogul data breach (2016)

In September 2016, the real estate investment site Real Estate Mogul had a Mongo DB instance compromised and 5GB of data downloaded by an unauthorised party. The data contained real estate listings including addresses and the names, phone numbers and 308k unique email addresses of the sellers.

Victim
Real Estate Mogul
Records
307.8K
Data breachResolved

uuu9 data breach (2016)

In September 2016, data was allegedly obtained from the Chinese website known as uuu9.com and contained 7.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
uuu9
Records
7.5M
Data breachResolved

Digimon data breach (2016)

In September 2016, over 16GB of logs from a service indicated to be digimon.co.in were obtained, most likely from an unprotected Mongo DB instance. The service ceased running shortly afterwards and no information remains about the precise nature of it.

Victim
Digimon
Records
7.7M
Data breachResolved

ClixSense data breach (2016)

In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records.

Victim
ClixSense
Records
2.4M
Data breachResolved

NemoWeb data breach (2016)

In September 2016, almost 21GB of data from the French website used for "standardised and decentralized means of exchange for publishing newsgroup articles" NemoWeb was leaked from what appears to have been an unprotected Mongo DB.

Victim
NemoWeb
Records
3.5M
Data breachResolved

NetProspex data breach (2016)

In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them.

Victim
NetProspex
Records
33.7M
Data breachResolved

MDPI data breach (2016)

In August 2016, the Swiss scholarly open access publisher known as MDPI had 17.5GB of data obtained from an unprotected Mongo DB instance. The data contained email exchanges between MDPI and their authors and reviewers which included 845k unique email addresses.

Victim
MDPI
Records
845.0K
Data breachResolved

PPCGeeks data breach (2016)

In August 2016, the pocket PC fan site forum PPCGeeks suffered a data breach that exposed over 490k records. The breach of the vBulletin forum exposed email and IP addresses, usernames, dates of birth and passwords stored as salted MD5 hashes.

Victim
PPCGeeks
Records
492.5K
Data breachResolved

GeekedIn data breach (2016)

In August 2016, the technology recruitment site GeekedIn left a MongoDB database exposed and over 8M records were extracted by an unknown third party. The breached data was originally scraped from GitHub in violation of their terms of use and contained information exposed in public profiles,…

Victim
GeekedIn
Records
1.1M
Data breachResolved

Epic Games data breach (2016)

In August 2016, the Epic Games forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 252k accounts including usernames, email addresses and salted MD5 hashes of passwords.

Victim
Epic Games
Records
251.7K
Data breachResolved

Unreal Engine data breach (2016)

In August 2016, the Unreal Engine Forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords.

Victim
Unreal Engine
Records
530.1K
Data breachResolved

Cross Fire data breach (2016)

In August 2016, the Russian gaming forum known as Cross Fire (or cfire.mail.ru) was hacked along with a number of other forums on the Russian mail provider, mail.ru. The vBulletin forum contained 12.8 million accounts including usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
Cross Fire
Records
12.9M
Data breachResolved

Пара Па data breach (2016)

In August 2016, the Russian gaming site known as Пара Па (or parapa.mail.ru) was hacked along with a number of other forums on the Russian mail provider, mail.ru. The vBulletin forum contained 4.9 million accounts including usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
Пара Па
Records
4.9M
Data breachResolved

Wishbone (2016) data breach (2016)

In August 2016, the mobile app to "compare anything" known as Wishbone suffered a data breach. The data contained 9.4 million records with 2.2 million unique email addresses and was allegedly a subset of the complete data set.

Victim
Wishbone (2016)
Records
2.2M
Data breachResolved

GSM Hosting data breach (2016)

In August 2016, breached data from the vBulletin forum for GSM-Hosting appeared for sale alongside dozens of other hacked services. The breach impacted 2.6M users of the service and included email and IP addresses, usernames and salted MD5 password hashes.

Victim
GSM Hosting
Records
2.6M
Data breachResolved

GTAGaming data breach (2016)

In August 2016, the Grand Theft Auto forum GTAGaming was hacked and nearly 200k user accounts were leaked. The vBulletin based forum included usernames, email addresses and password hashes.

Victim
GTAGaming
Records
197.2K
Data breachResolved

DLH.net data breach (2016)

In July 2016, the gaming news site DLH.net suffered a data breach which exposed 3.3M subscriber identities. Along with the keys used to redeem and activate games on the Steam platform, the breach also resulted in the exposure of email addresses, birth dates and salted MD5 password hashes.

Victim
DLH.net
Records
3.3M
Data breachResolved

Roblox data breach (2016)

In August 2016, Roblox disclosed a data breach that affected over 50k users. The security incident impacted email and IP addresses, usernames, purchases and Robux balances which were left exposed on a test server.

Victim
Roblox
Records
52.5K
Data breachResolved

AKP Emails data breach (2016)

In July 2016, a hacker known as Phineas Fisher hacked Turkey's ruling party (Justice and Development Party or "AKP") and gained access to 300k emails. The full contents of the emails were subsequently published by WikiLeaks and made searchable.

Victim
AKP Emails
Records
917.5K
Data breachResolved

i-Dressup data breach (2016)

In June 2016, the teen social site known as i-Dressup was hacked and over 2 million user accounts were exposed. At the time the hack was reported, the i-Dressup operators were not contactable and the underlying SQL injection flaw remained open, allegedly exposing a total of 5.5 million accounts.

Victim
i-Dressup
Records
2.2M
Data breachResolved

Clash of Kings data breach (2016)

In July 2016, the forum for the game "Clash of Kings" suffered a data breach that impacted 1.6 million subscribers. The impacted data included usernames, IP and email addresses and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Clash of Kings
Records
1.6M
Data breachResolved

Dota2 data breach (2016)

In July 2016, the Dota2 official developers forum suffered a data breach that exposed almost 2 million users. The hack of the vBulletin forum led to the disclosure of email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Dota2
Records
1.9M
Data breachResolved

Shadi.com data breach (2016)

In July 2016, the Muslim dating site Shadi.com suffered a data breach that exposed over 2M members' email addresses. The breach also exposed passwords stored as MD5 hashes alongside their plain text equivalents.

Victim
Shadi.com
Records
2.0M
Data breachResolved

dBforums data breach (2016)

In July 2016, a data breach of the now defunct database forum "dBforums" appeared for sale alongside several others hacked from the parent company, Penton.

Victim
dBforums
Records
363.5K
Data breachResolved

Mac Forums data breach (2016)

In July 2016, the self-proclaimed "Ultimate Source For Your Mac" website Mac Forums suffered a data breach. The vBulletin-based system exposed over 326k usernames, email and IP addresses, dates of birth and passwords stored as salted MD5 hashes.

Victim
Mac Forums
Records
326.7K
Data breachResolved

AbuseWith.Us data breach (2016)

In 2016, the site dedicated to helping people hack email and online gaming accounts known as Abusewith.us suffered multiple data breaches. The site allegedly had an administrator in common with the nefarious LeakedSource site, both of which have since been shut down.

Victim
AbuseWith.Us
Records
1.4M
Data breachResolved

CrackingForum data breach (2016)

In approximately mid-2016, the cracking community forum known as CrackingForum suffered a data breach. The vBulletin based forum exposed 660k email and IP addresses, usernames and salted MD5 hashes.

Victim
CrackingForum
Records
660.3K
Data breachResolved

FreshMenu data breach (2016)

In July 2016, the India-based food delivery service FreshMenu suffered a data breach. The incident exposed the personal data of over 110k customers and included their names, email addresses, phone numbers, home addresses and order histories.

Victim
FreshMenu
Records
110.4K
Data breachResolved

Funimation data breach (2016)

In July 2016, the anime site Funimation suffered a data breach that impacted 2.5 million accounts. The data contained usernames, email addresses, dates of birth and salted SHA1 hashes of passwords.

Victim
Funimation
Records
2.5M
Data breachResolved

GPS Underground data breach (2016)

In early 2017, GPS Underground was amongst a collection of compromised vBulletin websites that were found being sold online. The breach dated back to mid-2016 and included 670k records with usernames, email and IP addresses, dates of birth and salted MD5 password hashes.

Victim
GPS Underground
Records
669.6K
Data breachResolved

Kaneva data breach (2016)

In July 2016, now defunct website Kaneva, the service to "build and explore virtual worlds", suffered a data breach that exposed 3.9M user records. The data included email addresses, usernames, dates of birth and salted MD5 password hashes.

Victim
Kaneva
Records
3.9M
Data breachResolved

OnRPG data breach (2016)

In July 2016, the now defunct free online games list website OnRPG suffered a data breach that was later redistributed as part of a larger corpus of data. The incident exposed just over 1M email and IP addresses alongside usernames and passwords stored as salted MD5 hashes.

Victim
OnRPG
Records
1.0M
Data breachResolved

Tunngle data breach (2016)

In 2016, the now defunct global LAN gaming network Tunngle suffered a data breach that exposed 8.2M unique email addresses. The compromised data also included usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Tunngle
Records
8.2M
Data breachResolved

Web Hosting Talk data breach (2016)

In July 2016, the Web Hosting Talk forum suffered a data breach that was subsequently listed for sale. The breach of the vBulletin based forum exposed 515k user records including usernames, email addresses, IP addresses and salted MD5 password hashes.

Victim
Web Hosting Talk
Records
515.1K
Data breachResolved

StreetEasy data breach (2016)

In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019.

Victim
StreetEasy
Records
988.2K
Data breachResolved

Whitepages data breach (2016)

In mid-2016, the telephone and address directory service Whitepages was among a raft of sites that were breached and their data then sold in early-2019. The data included over 11 million unique email addresses alongside names and passwords stored as either a SHA-1 or bcrypt hash.

Victim
Whitepages
Records
11.7M
Data breachResolved

Muslim Match data breach (2016)

In June 2016, the Muslim Match dating website had 150k email addresses exposed. The data included private chats and messages between relationship seekers and numerous other personal attributes including passwords hashed with MD5.

Victim
Muslim Match
Records
149.8K
Data breachResolved

HLTV data breach (2016)

In June 2016, the "home of competitive Counter Strike" website HLTV was hacked and 611k accounts were exposed. The attack led to the exposure of names, usernames, email addresses and bcrypt hashes of passwords.

Victim
HLTV
Records
611.1K
EspionageResolved

Democratic National Committee hack

Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.

Victim
Democratic National Committee + Clinton campaign + DCCC
Loss
$50.0M
Records
50.0K
Data breachResolved

Facepunch data breach (2016)

In June 2016, the game development studio Facepunch suffered a data breach that exposed 343k users. The breached data included usernames, email and IP addresses, dates of birth and salted MD5 password hashes. Facepunch advised they were aware of the incident and had notified people at the time.

Victim
Facepunch
Records
342.9K
Data breachResolved

Evony data breach (2016)

In June 2016, the online multiplayer game Evony was hacked and over 29 million unique accounts were exposed. The attack led to the exposure of usernames, email and IP addresses and MD5 hashes of passwords (without salt).

Victim
Evony
Records
29.4M
Data breachResolved

ForumCommunity data breach (2016)

In approximately mid-2016, the Italian-based service for creating forums known as ForumCommunity suffered a data breach. The incident impacted over 776k unique email addresses along with usernames and unsalted MD5 password hashes. No response was received from ForumCommunity when contacted.

Victim
ForumCommunity
Records
776.6K
Data breachResolved

MangaFox.me data breach (2016)

In approximately July 2016, the manga website known as mangafox.me suffered a data breach. The vBulletin based forum exposed 1.3 million accounts including usernames, email and IP addresses, dates of birth and salted MD5 password hashes.

Victim
MangaFox.me
Records
1.3M
Data breachResolved

Uiggy data breach (2016)

In June 2016, the Facebook application known as Uiggy was hacked and 4.3M accounts were exposed, 2.7M of which had email addresses against them. The leaked accounts also exposed names, genders and the Facebook ID of the owners.

Victim
Uiggy
Records
2.7M
Data breachResolved

MySpace credentials breach

Credentials for roughly 360 million pre-2013 MySpace accounts surfaced for sale on the dark web in 2016. The passwords were stored as unsalted SHA-1 hashes, making one of the largest credential dumps ever disclosed trivially crackable.

Victim
MySpace (Time Inc.)
Records
360.0M
Data breachResolved

Teracod data breach (2016)

In May 2015, almost 100k user records were extracted from the Hungarian torrent site known as Teracod. The data was later discovered being torrented itself and included email addresses, passwords, private messages between members and the peering history of IP addresses using the service.

Victim
Teracod
Records
97.2K
Data breachResolved

Regpack data breach (2016)

In July 2016, a tweet was posted with a link to an alleged data breach of BlueSnap, a global payment gateway and merchant account provider. The data contained 324k payment records across 105k unique email addresses and included personal attributes such as name, home address and phone number.

Victim
Regpack
Records
105.0K
Data breachResolved

Army Force Online data breach (2016)

In May 2016, the online gaming site Army Force Online suffered a data breach that exposed 1.5M accounts. The breached data was found being regularly traded online and included usernames, email and IP addresses and MD5 passwords.

Victim
Army Force Online
Records
1.5M
Data breachResolved

Fur Affinity data breach (2016)

In May 2016, the Fur Affinity website for people with an interest in anthropomorphic animal characters (also known as "furries") was hacked. The attack exposed 1.2M email addresses (many accounts had a different "first" and "last" email against them) and hashed passwords.

Victim
Fur Affinity
Records
1.3M
Data breachResolved

Rosebutt Board data breach (2016)

Some time prior to May 2016, the forum known as "Rosebutt Board" was hacked and 107k accounts were exposed. The self-described "top one board for anal fisting, prolapse, huge insertions and rosebutt fans" had email and IP addresses, usernames and weakly stored salted MD5 password hashes hacked from…

Victim
Rosebutt Board
Records
107.3K
Data breachResolved

Shotbow data breach (2016)

In May 2016, the multiplayer server for Minecraft service Shotbow announced they'd suffered a data breach. The incident resulted in the exposure of over 1 million unique email addresses, usernames and salted SHA-256 password hashes.

Victim
Shotbow
Records
1.1M
Data breachResolved

Nulled.cr data breach (2016)

In May 2016, the cracking community forum known as Nulled.cr was hacked and 599k user accounts were leaked publicly. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members.

Victim
Nulled.cr
Records
599.1K
Data breachResolved

GameVN data breach (2016)

In May 2016, the Vietnamese gaming forum GameVN suffered a data breach that was later redistributed as part of a larger corpus of data. Data breached from the XenForo-based forum included 1.4M unique email addresses, usernames, IP addresses and salted MD5 password hashes.

Victim
GameVN
Records
1.4M
Social engineeringResolved

Interpark customer data breach

South Korean police attributed a breach of online retailer Interpark — exposing the personal data of more than 10 million shoppers — to North Korea's intelligence agency, which used spearphishing and then demanded a multi-million-dollar bitcoin ransom.

Victim
Interpark
Records
10.3M
Data breachResolved

Qatar National Bank data breach

A 1.4 GB archive of internal files, customer account records, and nearly one million payment card numbers stored in clear text was leaked online, including dossiers on Qatar's Al Thani royal family, Al Jazeera staff, and apparent intelligence targets.

Victim
Qatar National Bank (QNB)
Records
100.0K
Data breachResolved

Foodora data breach (2016)

In April 2016, the online food delivery service Foodora suffered a data breach which was then extensively redistributed online. The breach included the personal information of hundreds of thousands of customers from multiple countries including their names, delivery addresses, phone numbers and…

Victim
Foodora
Records
582.6K
Data breachResolved

17 data breach (2016)

In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.

Victim
17
Records
4.0M
Data breachResolved

Mexican voter database exposure (Mexico, 2016)

A misconfigured MongoDB database left the full Mexican national voter roll — 93.4 million records including names, addresses, birthdates and national ID numbers — publicly accessible on Amazon's cloud with no password, for months.

Victim
Instituto Nacional Electoral (INE) — Mexican voter registry
Records
93.4M
Data breachResolved

KnownCircle data breach (2016)

In approximately April 2016, the "marketing automation for agents and professional service providers" company KnownCircle had a large volume of data obtained by an external party.

Victim
KnownCircle
Records
2.0M
Data breachResolved

Guns and Robots data breach (2016)

In approximately April 2016, the gaming website Guns and Robots suffered a data breach resulting in the exposure of 143k unique records. The data contained email and IP addresses, usernames and SHA-1 password hashes.

Victim
Guns and Robots
Records
143.6K
Data breachResolved

COMELEC 'Comeleak' voter database breach

Hackers defaced the Philippine Commission on Elections website and leaked its entire voter registration database — records on roughly 55 million voters, including 15.8 million fingerprints and 1.3 million overseas passport numbers — in one of the largest government breaches ever.

Victim
Commission on Elections (COMELEC)
Records
55.0M
Data breachResolved

Tuned Global data breach (2016)

In January 2021, data from a number of breached services including Tuned Global were released to a public hacking forum. The breach appears to date back to 2016 and includes 985k records containing email addresses, names, a small number of physical addresses and phone numbers and passwords stored…

Victim
Tuned Global
Records
985.6K
Data breachResolved

Naughty America data breach (2016)

In March 2016, the adult website Naughty America was hacked and the data consequently sold online. The breach included data from numerous systems with various personal identity attributes, the largest of which had passwords stored as easily crackable MD5 hashes.

Victim
Naughty America
Records
1.4M
Data breachResolved

Staminus data breach (2016)

In March 2016, the DDoS protection service Staminus was "massively hacked" resulting in an outage of more than 20 hours and the disclosure of customer credentials (with unsalted MD5 hashes), support tickets, credit card numbers and other sensitive data.

Victim
Staminus
Records
26.8K
Data breachResolved

CD Projekt RED data breach (2016)

In March 2016, Polish game developer CD Projekt RED suffered a data breach. The hack of their forum led to the exposure of almost 1.9 million accounts along with usernames, email addresses and salted SHA1 passwords.

Victim
CD Projekt RED
Records
1.9M
Data breachResolved

KM.RU data breach (2016)

In February 2016, the Russian portal and email service KM.RU was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", KM.RU was one of several Russian sites in the breach and impacted almost 1.5M accounts…

Victim
KM.RU
Records
1.5M
Data breachResolved

Mate1.com data breach (2016)

In February 2016, the dating site mate1.com suffered a huge data breach resulting in the disclosure of over 27 million subscribers' information. The data included deeply personal information about their private lives including drug and alcohol habits, incomes levels and sexual fetishes as well as…

Victim
Mate1.com
Records
27.4M
Data breachResolved

Nival data breach (2016)

In February 2016, the Russian gaming company Nival was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", Nival was one of several Russian sites in the breach and impacted over 1.5M accounts including…

Victim
Nival
Records
1.5M
Data breachResolved

TruckersMP data breach (2016)

In February 2016, the online trucking simulator mod TruckersMP suffered a data breach which exposed 84k user accounts. In a first for "Have I Been Pwned", the breached data was self-submitted directly by the organisation that was breached itself.

Victim
TruckersMP
Records
84.0K
Data breachResolved

Linux Mint data breach (2016)

In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.

Victim
Linux Mint
Records
145.0K
Data breachResolved

SkTorrent data breach (2016)

In February 2016, the Slovak torrent tracking site SkTorrent was hacked and over 117k records leaked online. The data dump included usernames, email addresses and passwords stored in plain text.

Victim
SkTorrent
Records
117.1K
Data breachResolved

V-Tight Gel data breach (2016)

In approximately February 2016, data surfaced which was allegedly obtained from V-Tight Gel (vaginal tightening gel). Whilst the data set was titled V-Tight, within there were 50 other (predominantly wellness-related) domain names, most owned by the same entity.

Victim
V-Tight Gel
Records
2.0M
Data breachResolved

Flash Flash Revolution (2016 breach) data breach (2016)

In February 2016, the music-based rhythm game known as Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Victim
Flash Flash Revolution (2016 breach)
Records
1.8M
Data breachResolved

Minecraft World Map data breach (2016)

In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords.

Victim
Minecraft World Map
Records
71.1K
Data breachResolved

uTorrent data breach (2016)

In early 2016, the forum for the uTorrent BitTorrent client suffered a data breach which came to light later in the year. The database from the IP.Board based forum contained 395k accounts including usernames, email addresses and MD5 password hashes without a salt.

Victim
uTorrent
Records
395.0K
Data breachResolved

Battlefy data breach (2016)

In January 2016, the esports website Battlefy suffered a data breach that exposed 83k customer records. The impacted data included email addresses, usernames and passwords stored as bcrypt hashes.

Victim
Battlefy
Records
83.6K
Data breachResolved

EpicNPC data breach (2016)

In January 2016, the hacked account reseller EpicNPC suffered a data breach that impacted 409k subscribers. The impacted data included usernames, IP and email addresses and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
EpicNPC
Records
408.8K
Data breachResolved

Anime-Planet data breach (2016)

In approximately 2016, the anime website Anime-Planet suffered a data breach that impacted 369k subscribers. The exposed data included usernames, IP and email addresses, dates of birth and passwords stored as unsalted MD5 hashes and for newer accounts, bcrypt hashes.

Victim
Anime-Planet
Records
368.5K
Data breachResolved

BitTorrent data breach (2016)

In January 2016, the forum for the popular torrent software BitTorrent was hacked. The IP.Board based forum stored passwords as weak SHA1 salted hashes and the breached data also included usernames, email and IP addresses.

Victim
BitTorrent
Records
34.2K
Data breachResolved

D3Scene data breach (2016)

In January 2016, the gaming website D3Scene, suffered a data breach. The compromised vBulletin forum exposed 569k million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
D3Scene
Records
568.8K
Data breachResolved

Lifeboat data breach (2016)

In January 2016, the Minecraft community known as Lifeboat was hacked and more than 7 million accounts leaked. Lifeboat knew of the incident for three months before the breach was made public but elected not to advise customers.

Victim
Lifeboat
Records
7.1M
Data breachResolved

MoDaCo data breach (2016)

In approximately January 2016, the UK based Android community known as MoDaCo suffered a data breach which exposed 880k subscriber identities. The data included email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
MoDaCo
Records
879.7K
Data breachResolved

Onverse data breach (2016)

In January 2016, the online virtual world known as Onverse was hacked and 800k accounts were exposed. Along with email and IP addresses, the site also exposed salted MD5 password hashes.

Victim
Onverse
Records
800.2K
Data breachResolved

ServerPact data breach (2016)

In mid-2015, the Dutch Minecraft site ServerPact was hacked and 73k accounts were exposed. Along with birth dates, email and IP addresses, the site also exposed SHA1 password hashes with the username as the salt.

Victim
ServerPact
Records
73.6K
Data breachResolved

XPG data breach (2016)

In approximately early 2016, the gaming website Xpgamesaves (XPG) suffered a data breach resulting in the exposure of 890k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
XPG
Records
890.3K
Data breachResolved

Trillian data breach (2015)

In December 2015, the instant messaging application Trillian suffered a data breach. The breach became known in July 2016 and exposed various personal data attributes including names, email addresses and passwords stored as salted MD5 hashes.

Victim
Trillian
Records
3.8M
EspionageContained

Ukraine power grid attack — Sandworm BlackEnergy (2015)

The Russia-linked Sandworm group used spear-phishing, BlackEnergy3, and KillDisk to remotely flip breakers at three Ukrainian regional electricity distribution companies, cutting power to approximately 230,000 customers for 1–6 hours. It is the first publicly acknowledged successful cyberattack on an electric power grid in history.

Victim
Ukrainian regional electricity distribution companies (Oblenergos)
Data breachResolved

QuinStreet data breach (2015)

In approximately late 2015, the maker of "performance marketing products" QuinStreet had a number of their online assets compromised. The attack impacted 28 separate sites, predominantly technology forums such as flashkit.com, codeguru.com and webdeveloper.com (view a full list of sites).

Victim
QuinStreet
Records
4.9M
Data breachResolved

Aternos data breach (2015)

In December 2015, the service for creating and running free Minecraft servers known as Aternos suffered a data breach that impacted 1.4 million subscribers. The data included usernames, email and IP addresses and hashed passwords.

Victim
Aternos
Records
1.4M
Data breachResolved

DaniWeb data breach (2015)

In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords.

Victim
DaniWeb
Records
1.1M
Data breachResolved

Nihonomaru data breach (2015)

In late 2015, the anime community known as Nihonomaru had their vBulletin forum hacked and 1.7 million accounts exposed. The compromised data included email and IP addresses, usernames and salted hashes of passwords.

Victim
Nihonomaru
Records
1.7M
Data breachResolved

Programming Forums data breach (2015)

In approximately late 2015, the programming forum at programmingforums.org suffered a data breach resulting in the exposure of 707k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
Programming Forums
Records
707.4K
Data breachResolved

The Fappening data breach (2015)

In December 2015, the forum for discussing naked celebrity photos known as "The Fappening" (named after the iCloud leaks of 2014) was compromised and 179k accounts were leaked. Exposed member data included usernames, email addresses and salted hashes of passwords.

Victim
The Fappening
Records
179.0K
Data breachResolved

MajorGeeks data breach (2015)

In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.

Victim
MajorGeeks
Records
269.5K
Data breachResolved

Beautiful People data breach (2015)

In November 2015, the dating website Beautiful People was hacked and over 1.1M accounts were leaked. The data was being traded in underground circles and included a huge amount of personal information related to dating.

Victim
Beautiful People
Records
1.1M
Data breachResolved

Comcast data breach (2015)

In November 2015, the US internet and cable TV provider Comcast suffered a data breach that exposed 590k customer email addresses and plain text passwords. A further 27k accounts appeared with home addresses with the entire data set being sold on underground forums.

Victim
Comcast
Records
616.9K
Data breachResolved

Ancestry data breach (2015)

In November 2015, an Ancestry service known as RootsWeb suffered a data breach. The breach was not discovered until late 2017 when a file containing almost 300k email addresses and plain text passwords was identified.

Victim
Ancestry
Records
297.8K
Data breachResolved

InterPals data breach (2015)

In late 2015, the online penpal site InterPals had their website hacked and 3.4 million accounts exposed. The compromised data included email addresses, geographical locations, birthdates and salted hashes of passwords.

Victim
InterPals
Records
3.4M
Data breachResolved

xat data breach (2015)

In November 2015, the online chatroom known as "xat" was hacked and 6 million user accounts were exposed. Used as a chat engine on websites, the leaked data included usernames, email and IP addresses along with hashed passwords.

Victim
xat
Records
6.0M
Data breachResolved

vBulletin data breach (2015)

In November 2015, the forum software maker vBulletin suffered a serious data breach. The attack lead to the release of both forum user and customer accounts totalling almost 519k records.

Victim
vBulletin
Records
519.0K
Data breachResolved

Abandonia (2015) data breach (2015)

In November 2015, the gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in the exposure of 776k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
Abandonia (2015)
Records
776.1K
Data breachResolved

R2Games data breach (2015)

In late 2015, the gaming website R2Games was hacked and more than 2.1M personal records disclosed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
R2Games
Records
22.3M
Data breachResolved

Mac-Torrents data breach (2015)

In October 2015, the torrent site Mac-Torrents was hacked and almost 94k usernames, email addresses and passwords were leaked. The passwords were hashed with MD5 and no salt.

Victim
Mac-Torrents
Records
94.0K
Data breachResolved

PHP Freaks data breach (2015)

In October 2015, the PHP discussion board PHP Freaks was hacked and 173k user accounts were publicly leaked. The breach included multiple personal data attributes as well as salted and hashed passwords.

Victim
PHP Freaks
Records
173.9K
Data breachResolved

Go Games data breach (2015)

In approximately October 2015, the manga website Go Games suffered a data breach. The exposed data included 3.4M customer records including email and IP addresses, usernames and passwords stored as salted MD5 hashes. Go Games did not respond when contacted about the incident.

Victim
Go Games
Records
3.4M
Data breachResolved

Gamerzplanet data breach (2015)

In approximately October 2015, the online gaming forum known as Gamerzplanet was hacked and more than 1.2M accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Gamerzplanet
Records
1.2M
Data breachResolved

MPGH data breach (2015)

In October 2015, the multiplayer game hacking website MPGH was hacked and 3.1 million user accounts disclosed. The vBulletin forum breach contained usernames, email addresses, IP addresses and salted hashes of passwords.

Victim
MPGH
Records
3.1M
Data breachResolved

NapsGear data breach (2015)

In October 2015, the anabolic steroids retailer NapsGear suffered a data breach. An extensive amount of personal information on 287k customers was exposed including email addresses, names, addresses, phone numbers, purchase histories and salted MD5 password hashes.

Victim
NapsGear
Records
287.1K
Data breachResolved

NetEase data breach (2015)

In October 2015, a dataset attributed to the Chinese email provider NetEase (163.com and 126.com) surfaced, allegedly exposing around 234 million email addresses and plaintext passwords. NetEase denied any breach; HIBP lists the incident as unverified.

Victim
NetEase
Records
234.8M
Data breachResolved

Special K Data Feed Spam List data breach (2015)

In mid to late 2015, a spam list known as the Special K Data Feed was discovered containing almost 31M identities. The data includes personal attributes such as names, physical and IP addresses, genders, birth dates and phone numbers. Read more about spam lists in HIBP.

Victim
Special K Data Feed Spam List
Records
30.7M
Data breachResolved

Patreon data breach (2015)

In October 2015, the crowdfunding site Patreon was hacked and over 16GB of data was released publicly. The dump included almost 14GB of database records with more than 2.3M unique email addresses, millions of personal messages and passwords stored as bcrypt hashes.

Victim
Patreon
Records
2.3M
Data breachResolved

PSP ISO data breach (2015)

In approximately September 2015, the PlayStation PSP forum known as PSP ISO was hacked and almost 1.3 million accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Victim
PSP ISO
Records
1.3M
Data breachResolved

WIIU ISO data breach (2015)

In September 2015, the Nintendo Wii U forum known as WIIU ISO was hacked and 458k accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Victim
WIIU ISO
Records
458.2K
Data breachResolved

Xbox 360 ISO data breach (2015)

In approximately September 2015, the XBOX 360 forum known as XBOX360 ISO was hacked and 1.2 million accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Victim
Xbox 360 ISO
Records
1.3M
Data breachResolved

Final Fantasy Shrine data breach (2015)

In September 2015, the Final Fantasy discussion forum known as FFShrine was breached and the data dumped publicly. Approximately 620k records were released containing email addresses, IP addresses and salted hashes of passwords.

Victim
Final Fantasy Shrine
Records
620.7K
Data breachResolved

Experian (2015) data breach (2015)

In September 2015, the US based credit bureau and consumer data broker Experian suffered a data breach that impacted 15 million customers who had applied for financing from T-Mobile.

Victim
Experian (2015)
Records
7.2M
Data breachResolved

The Candid Board data breach (2015)

In September 2015, the non-consensual voyeurism site "The Candid Board" suffered a data breach. The hack of the vBulletin forum led to the exposure of over 178k accounts along with email and IP addresses, dates of birth and salted passwords hashed with MD5.

Victim
The Candid Board
Records
178.2K
Data breachResolved

ClearVoice Surveys data breach (2015)

In April 2021, the market research surveys company ClearVoice Surveys had a publicly facing database backup from 2015 taken and redistributed on a popular hacking forum.

Victim
ClearVoice Surveys
Records
15.1M
Data breachResolved

MyVidster (2015) data breach (2015)

In August 2015, the social video sharing and bookmarking site MyVidster was hacked and nearly 20,000 accounts were dumped online. The dump included usernames, email addresses and hashed passwords.

Victim
MyVidster (2015)
Records
19.9K
Data breachResolved

StoryBird data breach (2015)

In August 2015, the storytelling service StoryBird suffered a data breach exposing 4 million records with 1 million unique email addresses. Impacted data also included names, usernames and passwords stored as PBKDF2 hashes. The data was provided to HIBP by dehashed.com.

Victim
StoryBird
Records
1.0M
Data breachResolved

Pokébip data breach (2015)

In July 2015, the French Pokémon site Pokébip suffered a data breach which exposed 657k subscriber identities. The data included email and IP addresses, usernames and passwords stored as unsalted MD5 hashes.

Victim
Pokébip
Records
657.0K
Data breachResolved

Ashley Madison (Avid Life Media) breach

A group calling itself the Impact Team breached infidelity dating site Ashley Madison, then dumped the account data of roughly 32 million users — names, emails, sexual preferences and payment records — after parent company Avid Life Media refused to shut the site down.

Victim
Avid Life Media (Ashley Madison)
Loss
$1.6M
Records
32.0M
Data breachResolved

Soundwave data breach (2015)

In approximately mid 2015, the music tracking app Soundwave suffered a data breach. The breach stemmed from an incident whereby "production data had been used to populate the test database" and was then inadvertently exposed in a MongoDB.

Victim
Soundwave
Records
130.7K
Data breachResolved

Seedpeer data breach (2015)

In July 2015, the torrent site Seedpeer was hacked and 282k member records were exposed. The data included usernames, email addresses and passwords stored as weak MD5 hashes.

Victim
Seedpeer
Records
281.9K
Data breachResolved

WildStar data breach (2015)

In July 2015, the IP.Board forum for the gaming website WildStar suffered a data breach that exposed over 738k forum members' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and passwords.

Victim
WildStar
Records
738.6K
Data breachResolved

Hemmakväll data breach (2015)

In July 2015, the Swedish video store chain Hemmakväll was hacked and nearly 50k records dumped publicly. The disclosed data included various attributes of their customers including email and physical addresses, names and phone numbers.

Victim
Hemmakväll
Records
47.3K
Data breachResolved

Hacking Team data breach (2015)

In July 2015, the Italian security firm Hacking Team suffered a major data breach that resulted in over 400GB of their data being posted online via a torrent. The data searchable on "Have I Been Pwned?" is from 189GB worth of PST mail folders in the dump.

Victim
Hacking Team
Records
32.3K
Data breachResolved

myRepoSpace data breach (2015)

In July 2015, the Cydia repository known as myRepoSpace was hacked and user data leaked publicly. Cydia is designed to facilitate the installation of apps on jailbroken iOS devices.

Victim
myRepoSpace
Records
252.8K
Data breachResolved

Plex data breach (2015)

In July 2015, the discussion forum for Plex media centre was hacked and over 327k accounts exposed. The IP.Board forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Plex
Records
327.3K
Data breachResolved

CheapAssGamer.com data breach (2015)

In approximately mid-2015, the forum for CheapAssGamer.com suffered a data breach. The database from the IP.Board based forum contained 445k accounts including usernames, email and IP addresses and salted MD5 password hashes.

Victim
CheapAssGamer.com
Records
444.8K
Data breachResolved

iPmart data breach (2015)

During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
iPmart
Records
2.5M
Data breachResolved

PS3Hax data breach (2015)

In approximately July 2015, the Sony Playstation hacks and mods forum known as PS3Hax was hacked and more than 447k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
PS3Hax
Records
447.4K
Data breachResolved

SvenskaMagic data breach (2015)

Sometime in 2015, the Swedish magic website SvenskaMagic suffered a data breach that exposed over 30k records. The compromised data included usernames, email addresses and MD5 password hashes. The data was self-submitted to HIBP by SvenskaMagic.

Victim
SvenskaMagic
Records
30.3K
Data breachResolved

Minefield data breach (2015)

In June 2015, the French Minecraft server known as Minefield was hacked and 188k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Minefield
Records
188.3K
Data breachResolved

Scuf Gaming data breach (2015)

In June 2015, custom gaming controller maker Scuf Gaming suffered a data breach. The incident exposed 129k unique email addresses along with usernames, display names, IP addresses and password hashes.

Victim
Scuf Gaming
Records
128.7K
Data breachResolved

Eroticy data breach (2015)

In mid-2016, it's alleged that the adult website known as Eroticy was hacked. Almost 1.4 million unique accounts were found circulating in late 2016 which contained a raft of personal information ranging from email addresses to phone numbers to plain text passwords.

Victim
Eroticy
Records
1.4M
Data breachResolved

Minecraft Pocket Edition Forum data breach (2015)

In May 2015, the Minecraft Pocket Edition forum was hacked and over 16k accounts were dumped public. Allegedly hacked by @rmsg0d, the forum data included numerous personal pieces of data for each user. The forum has subsequently been decommissioned.

Victim
Minecraft Pocket Edition Forum
Records
16.0K
Data breachResolved

Bitcoin Talk data breach (2015)

In May 2015, the Bitcoin forum Bitcoin Talk was hacked and over 500k unique email addresses were exposed. The attack led to the exposure of a raft of personal data including usernames, email and IP addresses, genders, birth dates, security questions and MD5 hashes of their answers plus hashes of…

Victim
Bitcoin Talk
Records
501.4K
Data breachResolved

Adult FriendFinder (2015) data breach (2015)

In May 2015, the adult hookup site Adult FriendFinder was hacked and nearly 4 million records dumped publicly. The data dump included extremely sensitive personal information about individuals and their relationship statuses and sexual preferences combined with personally identifiable information.

Victim
Adult FriendFinder (2015)
Records
3.9M
Data breachResolved

Gaadi data breach (2015)

In May 2015, the Indian motoring website known as Gaadi had 4.3 million records exposed in a data breach. The data contained usernames, email and IP addresses, genders, the city of users as well as passwords stored in both plain text and as MD5 hashes.

Victim
Gaadi
Records
4.3M
Data breachResolved

mSpy data breach (2015)

In May 2015, the "monitoring" software known as mSpy suffered a major data breach. The software (allegedly often used to spy on unsuspecting victims), stored extensive personal information within their online service which after being breached, was made freely available on the internet.

Victim
mSpy
Records
699.8K
EspionageResolved

German Bundestag intrusion (APT28)

Russian GRU Unit 26165 (APT28 / Fancy Bear) compromised the Bundestag's parliamentary network, exfiltrating ~16 GB of data including emails from Chancellor Merkel's parliamentary office. Forced a full Bundestag IT estate rebuild.

Victim
Deutscher Bundestag (German federal parliament)
Loss
$22.0M
Data breachResolved

Evermotion data breach (2015)

In May 2015, the Polish 3D modelling website known as Evermotion suffered a data breach resulting in the exposure of 435k unique user records. The data was sourced from a vBulletin forum and contained email addresses, usernames, dates of birth and salted MD5 hashes of passwords.

Victim
Evermotion
Records
435.5K
Data breachResolved

Kimsufi data breach (2015)

In mid-2015, the forum for the providers of affordable dedicated servers known as Kimsufi suffered a data breach. The vBulletin forum contained over half a million accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
Kimsufi
Records
504.6K
Data breachResolved

OVH data breach (2015)

In mid-2015, the forum for the hosting provider known as OVH suffered a data breach. The vBulletin forum contained 453k accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
OVH
Records
452.9K
Data breachResolved

SC Daily Phone Spam List data breach (2015)

In early 2015, a spam list known as SC Daily Phone emerged containing almost 33M identities. The data includes personal attributes such as names, physical and IP addresses, genders, birth dates and phone numbers. Read more about spam lists in HIBP.

Victim
SC Daily Phone Spam List
Records
32.9M
Data breachResolved

SweClockers.com data breach (2015)

In early 2015, the Swedish tech news site SweClockers was hacked and 255k accounts were exposed. The attack led to the exposure of usernames, email addresses and salted hashes of passwords stored with a combination of MD5 and SHA512.

Victim
SweClockers.com
Records
254.9K
Data breachResolved

Snail data breach (2015)

In March 2015, the gaming website Snail suffered a data breach that impacted 1.4 million subscribers. The impacted data included usernames, IP and email addresses and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Snail
Records
1.4M
Data breachResolved

000webhost data breach (2015)

In approximately March 2015, the free web hosting provider 000webhost suffered a major data breach that exposed almost 15 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords.

Victim
000webhost
Records
14.9M
Data breachResolved

GameTuts data breach (2015)

Likely in early 2015, the video game website GameTuts suffered a data breach and over 2 million user accounts were exposed. The site later shut down in July 2016 but was identified as having been hosted on a vBulletin forum.

Victim
GameTuts
Records
2.1M
Data breachResolved

HongFire data breach (2015)

In March 2015, the anime and manga forum HongFire suffered a data breach. The hack of their vBulletin forum led to the exposure of 1 million accounts along with email and IP addresses, usernames, dates of birth and salted MD5 passwords.

Victim
HongFire
Records
1000.0K
Data breachResolved

StarNet data breach (2015)

In February 2015, the Moldavian ISP "StarNet" had it's database published online. The dump included nearly 140k email addresses, many with personal details including contact information, usage patterns of the ISP and even passport numbers.

Victim
StarNet
Records
139.4K
Data breachResolved

MyFHA data breach (2015)

In approximately February 2015, the home financing website MyFHA suffered a data breach which disclosed the personal information of nearly 1 million people.

Victim
MyFHA
Records
972.6K
Data breachResolved

Flashback data breach (2015)

In February 2015, the Swedish forum known as Flashback had sensitive internal data on 40k members published via the tabloid newspaper Aftonbladet. The data was allegedly sold to them via Researchgruppen (The Research Group) who have a history of exposing otherwise anonymous users, primarily those…

Victim
Flashback
Records
40.3K
Data breachResolved

PSX-Scene data breach (2015)

In approximately February 2015, the Sony Playstation forum known as PSX-Scene was hacked and more than 340k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
PSX-Scene
Records
341.1K
Data breachResolved

Xbox-Scene data breach (2015)

In approximately February 2015, the Xbox forum known as Xbox-Scene was hacked and more than 432k accounts were exposed. The IP.Board forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Xbox-Scene
Records
432.6K
Data breachResolved

Lizard Squad data breach (2015)

In January 2015, the hacker collective known as "Lizard Squad" created a DDoS service by the name of "Lizard Stresser" which could be procured to mount attacks against online targets.

Victim
Lizard Squad
Records
13.5K
Data breachResolved

Bleach Anime Forum data breach (2015)

In 2015, the now defunct independent forum for the Bleach Anime series suffered a data breach that exposed 144k user records. The impacted data included usernames, email addresses and salted MD5 password hashes.

Victim
Bleach Anime Forum
Records
143.7K
Data breachResolved

Team SoloMid data breach (2014)

In December 2014, the electronic sports organisation known as Team SoloMid was hacked and 442k members accounts were leaked. The accounts included email and IP addresses, usernames and salted hashes of passwords.

Victim
Team SoloMid
Records
442.2K
EspionageResolved

German steel mill cyberattack

Attackers used spear-phishing to pivot from a German steel mill's office network into its production network, manipulating industrial controls so a blast furnace could not be shut down properly and suffered massive physical damage.

Victim
Unnamed German steel mill
Data breachResolved

Acne.org data breach (2014)

In November 2014, the acne website acne.org suffered a data breach that exposed over 430k forum members' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and passwords.

Victim
Acne.org
Records
432.9K
WiperResolved

Sony Pictures Entertainment hack

A North Korean wiper attack tied to the release of 'The Interview' destroyed roughly half of Sony Pictures' IT estate and leaked terabytes of internal documents, emails, and unreleased films.

Victim
Sony Pictures Entertainment
Loss
$100.0M
Records
1.0M
Data breachResolved

Warframe data breach (2014)

In November 2014, the online game Warframe was hacked and 819k unique email addresses were exposed. Allegedly due to a SQL injection flaw in Drupal, the attack exposed usernames, email addresses and data in a "pass" column which adheres to the salted SHA12 password hashing pattern used by Drupal 7.

Victim
Warframe
Records
819.5K
Data breachResolved

Malwarebytes data breach (2014)

In November 2014, the Malwarebytes forum was hacked and 111k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Malwarebytes
Records
111.6K
Data breachResolved

Bot of Legends data breach (2014)

In November 2014, the forum for Bot of Legends suffered a data breach. The IP.Board forum contained 238k accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
Bot of Legends
Records
238.4K
Data breachResolved

ILikeCheats data breach (2014)

In October 2014, the game cheats website known as ILikeCheats suffered a data breach that exposed 189k accounts. The vBulletin based forum leaked usernames, IP and email addresses and weak MD5 hashes of passwords. The data was provided with support from dehashed.com.

Victim
ILikeCheats
Records
188.8K
Data breachResolved

JPMorgan Chase data breach

Attackers exploited a server missing two-factor authentication to breach more than 90 JPMorgan Chase servers and steal contact details for 76 million households and 7 million small businesses — one of the largest intrusions ever into a U.S. financial institution.

Victim
JPMorgan Chase
Records
83.0M
Data breachResolved

9Lives data breach (2014)

In October 2014, the (now defunct) Belgian gaming news forum 9Lives suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed 109k unique email addresses along with usernames and salted MD5 password hashes.

Victim
9Lives
Records
109.5K
Data breachResolved

BTC-E data breach (2014)

In October 2014, the Bitcoin exchange BTC-E was hacked and 568k accounts were exposed. The data included email and IP addresses, wallet balances and hashed passwords.

Victim
BTC-E
Records
568.3K
Data breachResolved

Tout data breach (2014)

In approximately September 2014, the now defunct social networking service Tout suffered a data breach. The breach subsequently appeared years later and included 653k unique email addresses, names, IP addresses, the location of the user, their bio and passwords stored as bcrypt hashes.

Victim
Tout
Records
652.7K
Data breachResolved

mail.ru Dump data breach (2014)

In September 2014, several large dumps of user accounts appeared on the Russian Bitcoin Security Forum including one with nearly 5M email addresses and passwords, predominantly on the mail.ru domain.

Victim
mail.ru Dump
Records
16.6M
MalwareResolved

Home Depot POS breach

Attackers used a vendor's stolen credentials and custom point-of-sale malware to harvest about 56 million payment cards and 53 million email addresses from Home Depot's U.S. and Canadian self-checkout systems over five months — the largest retail card breach of its time.

Victim
The Home Depot
Loss
$179.0M
Records
56.0M
Data breachResolved

Yandex Dump data breach (2014)

In September 2014, news broke of a massive leak of accounts from Yandex, the Russian search engine giants who also provides email services. The purported million "breached" accounts were disclosed at the same time as nearly 5M mail.ru accounts with both companies claiming the credentials were…

Victim
Yandex Dump
Records
1.2M
Data breachResolved

Bin Weevils data breach (2014)

In September 2014, the online game Bin Weevils suffered a data breach. Whilst originally stating that only usernames and passwords had been exposed, a subsequent story on DataBreaches.net indicated that a more extensive set of personal attributes were impacted (comments there also suggest the data…

Victim
Bin Weevils
Records
1.3M
Data breachResolved

Powerbot data breach (2014)

In approximately September 2014, the RuneScape bot website Powerbot suffered a data breach resulting in the exposure of over half a million unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
Powerbot
Records
503.5K
Data breachResolved

Vermillion data breach (2014)

In August 2014, the Roblox hacking forum Vermillion suffered a data breach that exposed over 8k subscriber records. The breach of the MyBB forum exposed email and IP addresses, usernames, dates of birth and salted password hashes.

Victim
Vermillion
Records
8.1K
Data breachResolved

Banorte data breach (2014)

In August 2022, millions of records from Mexican bank "Banorte" were publicly dumped on a popular hacking forum including 2.1M unique email addresses, physical addresses, names, phone numbers, RFC (tax) numbers, genders and bank balances.

Victim
Banorte
Records
2.1M
Data breachResolved

diet.com data breach (2014)

In August 2014, the diet and nutrition website diet.com suffered a data breach resulting in the exposure of 1.4 million unique user records dating back as far as 2004.

Victim
diet.com
Records
1.4M
Data breachResolved

Pokémon Creed data breach (2014)

In August 2014, the Pokémon RPG website Pokémon Creed was hacked after a dispute with rival site, Pokémon Dusk. In a post on Facebook, "Cruz Dusk" announced the hack then pasted the dumped MySQL database on pkmndusk.in.

Victim
Pokémon Creed
Records
116.5K
Data breachResolved

Insanelyi data breach (2014)

In July 2014, the iOS forum Insanelyi was hacked by an attacker known as Kim Jong-Cracks. A popular source of information for users of jailbroken iOS devices running Cydia, the Insanelyi breach disclosed over 104k users' emails addresses, user names and weakly hashed passwords (salted MD5).

Victim
Insanelyi
Records
104.1K
Insider threatResolved

Benesse insider data breach

A contractor's system engineer copied 35 million customer records from Japanese education giant Benesse onto a personal device and sold them to data brokers — the largest insider data theft in Japanese history, triggering a ¥20 billion compensation programme.

Victim
Benesse Holdings
Loss
$190.0M
Records
35.0M
Data breachResolved

PoliceOne data breach (2014)

In February 2017, the law enforcement website PoliceOne confirmed they'd suffered a data breach. The breach contained over 700k accounts which appeared for sale by a data broker and included email and IP addresses, usernames and salted MD5 password hashes.

Victim
PoliceOne
Records
709.9K
Data breachResolved

Black Hat World data breach (2014)

In June 2014, the search engine optimisation forum Black Hat World had three quarters of a million accounts breached from their system. The breach included various personally identifiable attributes which were publicly released in a MySQL database script.

Victim
Black Hat World
Records
777.4K
Data breachResolved

Sumo Torrent data breach (2014)

In June 2014, the torrent site Sumo Torrent was hacked and 285k member records were exposed. The data included IP addresses, email addresses and passwords stored as weak MD5 hashes.

Victim
Sumo Torrent
Records
285.2K
Data breachResolved

Domino's data breach (2014)

In June 2014, Domino's Pizza in France and Belgium was hacked by a group going by the name "Rex Mundi" and their customer data held to ransom. Domino's refused to pay the ransom and six months later, the attackers released the data along with troves of other hacked accounts.

Victim
Domino's
Records
648.2K
Data breachResolved

Manga Traders data breach (2014)

In June 2014, the Manga trading website Mangatraders.com had the usernames and passwords of over 900k users leaked on the internet (approximately 855k of the emails were unique). The passwords were weakly hashed with a single iteration of MD5 leaving them vulnerable to being easily cracked.

Victim
Manga Traders
Records
855.2K
Data breachResolved

Avast data breach (2014)

In May 2014, the Avast anti-virus forum was hacked and 423k member records were exposed. The Simple Machines Based forum included usernames, emails and password hashes.

Victim
Avast
Records
423.0K
Data breachResolved

eBay credentials breach

Attackers used a small number of compromised employee credentials to access eBay's corporate network and exfiltrate a database covering all 145 million users — names, encrypted passwords, email and postal addresses, phone numbers, and dates of birth.

Victim
eBay
Records
145.0M
Data breachResolved

Bitly data breach (2014)

In May 2014, the link management company Bitly announced they'd suffered a data breach. The breach contained over 9.3 million unique email addresses, usernames and hashed passwords, most using SHA1 with a small number using bcrypt.

Victim
Bitly
Records
9.3M
Data breachResolved

Fridae data breach (2014)

In May 2014, over 25,000 user accounts were breached from the Asian lesbian, gay, bisexual and transgender website known as "Fridae". The attack which was announced on Twitter appears to have been orchestrated by Deletesec who claim that "Digital weapons shall annihilate all secrecy within…

Victim
Fridae
Records
35.4K
Data breachResolved

Business Acumen Magazine data breach (2014)

In April 2014, the Australian "Business Acumen Magazine" website was hacked by an attacker known as 1337MiR. The breach resulted in over 26,000 accounts being exposed including usernames, email addresses and password stored with a weak cryptographic hashing algorithm (MD5 with no salt).

Victim
Business Acumen Magazine
Records
26.6K
Data breachResolved

NextGenUpdate data breach (2014)

Early in 2014, the video game website NextGenUpdate reportedly suffered a data breach that disclosed almost 1.2 million accounts. Amongst the data breach was usernames, email addresses, IP addresses and salted and hashed passwords.

Victim
NextGenUpdate
Records
1.2M
Data breachResolved

CafeMom data breach (2014)

In 2014, the social network for mothers CafeMom suffered a data breach. The data surfaced alongside a number of other historical breaches including Kickstarter, Bitly and Disqus and contained 2.6 million email addresses and plain text passwords.

Victim
CafeMom
Records
2.6M
Data breachResolved

BigMoneyJobs data breach (2014)

In April 2014, the job site bigmoneyjobs.com was hacked by an attacker known as "ProbablyOnion". The attack resulted in the exposure of over 36,000 user accounts including email addresses, usernames and passwords which were stored in plain text.

Victim
BigMoneyJobs
Records
36.8K
Data breachResolved

Boxee data breach (2014)

In March 2014, the home theatre PC software maker Boxee had their forums compromised in an attack. The attackers obtained the entire vBulletin MySQL database and promptly posted it for download on the Boxee forum itself.

Victim
Boxee
Records
158.1K
Data breachResolved

Quantum Booter data breach (2014)

In March 2014, the booter service Quantum Booter (also referred to as Quantum Stresser) suffered a breach which lead to the disclosure of their internal database.

Victim
Quantum Booter
Records
48.6K
Data breachResolved

Rambler data breach (2014)

A data dump of almost 100 million accounts from Russian internet portal Rambler — often called 'the Russian Yahoo' — surfaced for trade in 2016, exposing roughly 91 million unique usernames and passwords stored in plain text.

Victim
Rambler
Records
91.4M
Data breachResolved

Spirol data breach (2014)

In February 2014, Connecticut based Spirol Fastening Solutions suffered a data breach that exposed over 70,000 customer records. The attack was allegedly mounted by exploiting a SQL injection vulnerability which yielded data from Spirol’s CRM system ranging from customers’ names, companies, contact…

Victim
Spirol
Records
55.6K
Data breachResolved

Muslim Directory data breach (2014)

In February 2014, the UK guide to services and business known as the Muslim Directory was attacked by the hacker known as @th3inf1d3l. The data was consequently dumped publicly and included the web accounts of tens of thousands of users which contained data including their names, home address, age…

Victim
Muslim Directory
Records
37.8K
Data breachResolved

Forbes data breach (2014)

In February 2014, the Forbes website succumbed to an attack that leaked over 1 million user accounts. The attack was attributed to the Syrian Electronic Army, allegedly as retribution for a perceived "Hate of Syria".

Victim
Forbes
Records
1.1M
Data breachResolved

Tesco data breach (2014)

In February 2014, over 2,000 Tesco accounts with usernames, passwords and loyalty card balances appeared on Pastebin. Whilst the source of the breach is not clear, many confirmed the credentials were valid for Tesco and indeed they have a history of poor online security.

Victim
Tesco
Records
2.2K
Data breachResolved

Coupon Mom / Armor Games data breach (2014)

In 2014, a file allegedly containing data hacked from Coupon Mom was created and included 11 million email addresses and plain text passwords. On further investigation, the file was also found to contain data indicating it had been sourced from Armor Games.

Victim
Coupon Mom / Armor Games
Records
11.0M
Data breachResolved

Cannabis.com data breach (2014)

In February 2014, the vBulletin forum for the Marijuana site cannabis.com was breached and leaked publicly. Whilst there has been no public attribution of the breach, the leaked data included over 227k accounts and nearly 10k private messages between users of the forum.

Victim
Cannabis.com
Records
227.7K
Data breachResolved

Bell (2014 breach) data breach (2014)

In February 2014, Bell Canada suffered a data breach via the hacker collective known as NullCrew. The breach included data from multiple locations within Bell and exposed email addresses, usernames, user preferences and a number of unencrypted passwords and credit card data from 40,000 records…

Victim
Bell (2014 breach)
Records
20.9K
Data breachResolved

Verified data breach (2014)

In January 2014, one of the largest communities of Eastern Europe cybercriminals known as "Verified" was hacked. The breach exposed nearly 17k users of the vBulletin forum including their personal messages and other potentially personally identifiable information.

Victim
Verified
Records
16.9K
Data breachResolved

Bitcoin Security Forum Gmail Dump data breach (2014)

In September 2014, a large dump of nearly 5M usernames and passwords was posted to a Russian Bitcoin forum. Whilst commonly reported as 5M "Gmail passwords", the dump also contained 123k yandex.ru addresses.

Victim
Bitcoin Security Forum Gmail Dump
Records
4.8M
Insider threatResolved

Korea Credit Bureau card-data theft

A contractor at the Korea Credit Bureau copied the card and identity data of about 20 million customers of KB Kookmin, Lotte and NH Nonghyup card firms onto a USB drive and sold it — one of the largest financial-data thefts in South Korean history.

Victim
Korea Credit Bureau (KCB) / KB Kookmin, Lotte, NH Nonghyup card units
Records
20.0M
Data breachResolved

WPT Amateur Poker League data breach (2014)

In January 2014, the World Poker Tour (WPT) Amateur Poker League website was hacked by the Twitter user @smitt3nz. The attack resulted in the public disclosure of 175,000 accounts including 148,000 email addresses. The plain text password for each account was also included in the breach.

Victim
WPT Amateur Poker League
Records
148.4K
Data breachResolved

HiAPK data breach (2014)

In approximately 2014, it's alleged that the Chinese Android store known as HIAPK suffered a data breach that impacted 13.8 million unique subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as…

Victim
HiAPK
Records
13.9M
Data breachResolved

ReverbNation data breach (2014)

In January 2014, the online service for assisting musicians to build their careers ReverbNation suffered a data breach which wasn't identified until September the following year. The breach contained over 7 million accounts with unique email addresses and salted SHA1 passwords.

Victim
ReverbNation
Records
7.0M
Data breachResolved

Snapchat data breach (2014)

In January 2014 just one week after Gibson Security detailed vulnerabilities in the service, Snapchat had 4.6 million usernames and phone number exposed.

Victim
Snapchat
Records
4.6M
Data breachResolved

ThisHabbo Forum data breach (2014)

In 2014, the ThisHabbo forum (a fan site for Habbo.com, a Finnish social networking site) appeared among a list of compromised sites which has subsequently been removed from the internet.

Victim
ThisHabbo Forum
Records
612.4K
Data breachResolved

Astropid data breach (2013)

In December 2013, the vBulletin forum for the social engineering site known as "AstroPID" was breached and leaked publicly. The site provided tips on fraudulently obtaining goods and services, often by providing a legitimate "PID" or Product Information Description.

Victim
Astropid
Records
5.8K
Supply chainResolved

Target POS malware breach

Attackers entered Target via stolen credentials from an HVAC contractor, pivoted to the payment network, and stole magstripe data on 40 million credit and debit cards plus PII on 70 million customers.

Victim
Target Corporation
Loss
$292.0M
Records
110.0M
Data breachResolved

Torrent Invites data breach (2013)

In December 2013, the torrent site Torrent Invites was hacked and over 352k accounts were exposed. The vBulletin forum contained usernames, email and IP addresses, birth dates and salted MD5 hashes of passwords.

Victim
Torrent Invites
Records
352.1K
Data breachResolved

Pixel Federation data breach (2013)

In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.

Victim
Pixel Federation
Records
38.1K
Data breachResolved

Vodafone data breach (2013)

In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal…

Victim
Vodafone
Records
56.0K
Data breachResolved

XSplit data breach (2013)

In November 2013, the makers of gaming live streaming and recording software XSplit was compromised in an online attack. The data breach leaked almost 3M names, email addresses, usernames and hashed passwords.

Victim
XSplit
Records
3.0M
Data breachResolved

We Heart It data breach (2013)

In November 2013, the image-based social network We Heart It suffered a data breach. The incident wasn't discovered until October 2017 when 8.6 million user records were sent to HIBP.

Victim
We Heart It
Records
8.6M
Data breachResolved

Mecho Download data breach (2013)

In October 2013, the (now defunct) downloads website "Mecho Download" suffered a data breach that exposed 438k records. Data from the vBulletin based website included email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Mecho Download
Records
437.9K
Data breachResolved

Adobe data breach (2013)

Attackers stole roughly 153 million Adobe account records — IDs, emails, weakly encrypted passwords and plaintext password hints — along with source code for several Adobe products, in one of the largest software-company breaches on record.

Victim
Adobe Systems
Loss
$1.0M
Records
152.4M
Data breachResolved

iMesh data breach (2013)

In September 2013, the media and file sharing client known as iMesh was hacked and approximately 50M accounts were exposed. The data was later put up for sale on a dark market website in mid-2016 and included email and IP addresses, usernames and salted MD5 hashes.

Victim
iMesh
Records
49.5M
Data breachResolved

Crack Community data breach (2013)

In late 2013, the Crack Community forum specialising in cracks for games was compromised and over 19k accounts published online. Built on the MyBB forum platform, the compromised data included email addresses, IP addresses and salted MD5 passwords.

Victim
Crack Community
Records
19.2K
Data breachResolved

Win7Vista Forum data breach (2013)

In September 2013, the Win7Vista Windows forum (since renamed to the "Beyond Windows 9" forum) was hacked and later had its internal database dumped. The dump included over 200k members’ personal information and other internal data extracted from the forum.

Victim
Win7Vista Forum
Records
202.7K
Data breachResolved

imgur data breach (2013)

In September 2013, the online image sharing community imgur suffered a data breach. A selection of the data containing 1.7 million email addresses and passwords surfaced more than 4 years later in November 2017.

Victim
imgur
Records
1.7M
Data breachResolved

Yatra data breach (2013)

In September 2013, the Indian bookings website known as Yatra had 5 million records exposed in a data breach. The data contained email and physical addresses, dates of birth and phone numbers along with both PINs and passwords stored in plain text.

Victim
Yatra
Records
5.0M
Data breachResolved

DragonNest data breach (2013)

In August 2013, the massively multiplayer online role-playing game (MMORGP) DragonNest suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed over 500k unique email addresses along with usernames, IP addresses and plain text passwords.

Victim
DragonNest
Records
511.3K
Data breachResolved

Evite data breach (2013)

An archived 2013 database from social-invitations site Evite was accessed by an attacker and later traded online, exposing roughly 101 million unique email addresses along with names, phone numbers, postal addresses, dates of birth and plaintext passwords.

Victim
Evite
Records
101.0M
Data breachResolved

Lord of the Rings Online data breach (2013)

In August 2013, the interactive video game Lord of the Rings Online suffered a data breach that exposed over 1.1M players' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and password hashes.

Victim
Lord of the Rings Online
Records
1.1M
Data breachResolved

Lounge Board data breach (2013)

At some point in 2013, 45k accounts were breached from the Lounge Board "General Discussion Forum" and then dumped publicly. Lounge Board was a MyBB forum launched in 2012 and discontinued in mid 2013 (the last activity in the logs was from August 2013).

Victim
Lounge Board
Records
45.0K
Data breachResolved

OwnedCore data breach (2013)

In approximately August 2013, the World of Warcraft exploits forum known as OwnedCore was hacked and more than 880k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
OwnedCore
Records
880.3K
Data breachResolved

Nexus Mods data breach (2013)

In December 2015, the game modding site Nexus Mods released a statement notifying users that they had been hacked. They subsequently dated the hack as having occurred in July 2013 although there is evidence to suggest the data was being traded months in advance of that.

Victim
Nexus Mods
Records
5.9M
Data breachResolved

Yam data breach (2013)

In June 2013, the Taiwanese website Yam.com suffered a data breach which was shared to a popular hacking forum in 2021. The data included 13 million unique email addresses alongside names, usernames, phone numbers, physical addresses, dates of birth and unsalted MD5 password hashes.

Victim
Yam
Records
13.3M
Data breachResolved

Badoo data breach (2013)

A dataset attributed to the dating and social network Badoo exposed roughly 112 million unique email addresses along with names, birthdates and MD5 password hashes; the data surfaced among traders in 2016 and remains formally unverified.

Victim
Badoo
Records
112.0M
Data breachResolved

AhaShare.com data breach (2013)

In May 2013, the torrent site AhaShare.com suffered a breach which resulted in more than 180k user accounts being published publicly. The breach included a raft of personal information on registered users plus despite assertions of not distributing personally identifiable information, the site also…

Victim
AhaShare.com
Records
180.5K
Data breachResolved

Non Nude Girls data breach (2013)

In May 2013, the non-consensual voyeurism site "Non Nude Girls" suffered a data breach. The hack of the vBulletin forum led to the exposure of over 75k accounts along with email and IP addresses, names and plain text passwords.

Victim
Non Nude Girls
Records
75.4K
Data breachResolved

Neopets data breach (2013)

In May 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email…

Victim
Neopets
Records
26.9M
Data breachResolved

Dungeons & Dragons Online data breach (2013)

In April 2013, the interactive video game Dungeons & Dragons Online suffered a data breach that exposed almost 1.6M players' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and password hashes.

Victim
Dungeons & Dragons Online
Records
1.6M
Data breachResolved

Brazzers data breach (2013)

In April 2013, the adult website known as Brazzers was hacked and 790k accounts were exposed publicly. Each record included a username, email address and password stored in plain text. The breach was brought to light by the Vigilante.pw data breach reporting site in September 2016.

Victim
Brazzers
Records
790.7K
Data breachResolved

Heroes of Gaia data breach (2013)

In early 2013, the online fantasy multiplayer game Heroes of Gaia suffered a data breach. The newest records in the data set indicate a breach date of 4 January 2013 and include usernames, IP and email addresses but no passwords.

Victim
Heroes of Gaia
Records
180.0K
Data breachResolved

FaceUP data breach (2013)

In 2013, the Danish social media site FaceUP suffered a data breach. The incident exposed 87k unique email addresses alongside genders, dates of birth, names, phone numbers and passwords stored as unsalted MD5 hashes.

Victim
FaceUP
Records
87.6K
Data breachResolved

JD data breach (2013)

In 2013 (exact date unknown), the Chinese e-commerce service JD suffered a data breach that exposed 13GB of data containing 77 million unique email addresses. The data also included usernames, phone numbers and passwords stored as SHA-1 hashes.

Victim
JD
Records
77.4M
Data breachResolved

OMGPOP data breach (2013)

In approximately 2013, the maker of the Draw Something game OMGPOP suffered a data breach. Formerly known as i'minlikewithyou or iilwy and later purchased by Zynga, the breach exposed over 7M email address and plain text password pairs which were later leaked in 2019.

Victim
OMGPOP
Records
7.1M
Data breachResolved

Heroes of Newerth data breach (2012)

In December 2012, the multiplayer online battle arena game known as Heroes of Newerth was hacked and over 8 million accounts extracted from the system. The compromised data included usernames, email addresses and passwords.

Victim
Heroes of Newerth
Records
8.1M
Data breachResolved

BookCrossing data breach (2012)

In August 2022, the book social networking site BookCrossing disclosed a data breach that dated back to a database backup from November 2012. The incident exposed almost 1.6M records including names, usernames, email and IP addresses, dates of birth and plain text passwords.

Victim
BookCrossing
Records
1.6M
Data breachResolved

Netlog data breach (2012)

In July 2018, the Belgian social networking site Netlog identified a data breach of their systems dating back to November 2012 (PDF). Although the service was discontinued in 2015, the data breach still impacted 49 million subscribers for whom email addresses and plain text passwords were exposed.

Victim
Netlog
Records
49.0M
Data breachResolved

Lookbook data breach (2012)

In August 2012, the fashion site Lookbook suffered a data breach. The data later appeared listed for sale in June 2016 and included 1.1 million usernames, email and IP addresses, birth dates and plain text passwords.

Victim
Lookbook
Records
1.1M
WiperContained

Saudi Aramco Shamoon wiper

Iranian-attributed Shamoon wiper destroyed data on roughly 30,000 Saudi Aramco workstations on a single day, taking the world's largest oil company's IT estate offline for two weeks. The first major Iranian retaliatory cyber operation.

Victim
Saudi Aramco
Loss
$200.0M
Data breachResolved

The Botting Network data breach (2012)

In August 2012, the forum for making money with botting "The Botting Network" suffered a data breach that exposed 96k user records. The now defunct vBulletin forum leaked 96k email addresses, usernames, dates of birth and salted MD5 password hashes.

Victim
The Botting Network
Records
96.3K
EspionageResolved

Gauss banking-espionage malware against Lebanese banks

Gauss, a nation-state cyber-surveillance toolkit related to Flame and Stuxnet, infected over 2,500 systems — most heavily in Lebanon — and was the first publicly known state-sponsored malware engineered to steal online-banking credentials from specific Lebanese banks.

Victim
Lebanese banks (Bank of Beirut, Byblos Bank, Fransabank, BlomBank, Credit Libanais) and their customers
Data breachResolved

Xiaomi data breach (2012)

In August 2012, the Xiaomi user forum website suffered a data breach. In all, 7 million email addresses appeared in the breach although a significant portion of them were numeric aliases on the bbs_ml_as_uid.xiaomi.com domain.

Victim
Xiaomi
Records
7.1M
Data breachResolved

Yahoo data breach (2012)

In July 2012, Yahoo! had their online publishing service "Voices" compromised via a SQL injection attack. The breach resulted in the disclosure of nearly half a million usernames and passwords stored in plain text.

Victim
Yahoo
Records
453.4K
Data breachResolved

War Inc. data breach (2012)

In mid-2012, the real-time strategy game War Inc. suffered a data breach. The attack resulted in the exposure of over 1 million accounts including usernames, email addresses and salted MD5 hashes of passwords.

Victim
War Inc.
Records
1.0M
Data breachResolved

Disqus data breach (2012)

In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced. The breach contained over 17.5 million unique email addresses and usernames.

Victim
Disqus
Records
17.6M
Data breachResolved

League of Legends data breach (2012)

In June 2012, the multiplayer online game League of Legends suffered a data breach. At the time, the service had more than 32 million registered accounts and the breach affected various personal data attributes including "encrypted" passwords.

Victim
League of Legends
Records
339.5K
Data breachResolved

LinkedIn password breach

A 2012 intrusion into LinkedIn exposed user passwords stored as unsalted SHA-1 hashes. Initially reported as 6.5 million credentials, the full scope of 117 million accounts only emerged in 2016 when the data surfaced for sale on the dark web.

Victim
LinkedIn
Loss
$1.3M
Records
117.0M
Data breachResolved

WHMCS data breach (2012)

In May 2012, the web hosting, billing and automation company WHMCS suffered a data breach that exposed 134k email addresses. The breach included extensive information about customers and payment histories including partial credit card numbers.

Victim
WHMCS
Records
134.0K
Data breachResolved

Last.fm data breach (2012)

The music platform Last.fm was hacked in March 2012, exposing more than 43 million accounts with usernames, email addresses and unsalted MD5 password hashes; over 96% of passwords were cracked within hours once the data surfaced in 2016.

Victim
Last.fm
Records
37.2M
Data breachResolved

JobStreet data breach (2012)

In October 2017, the Malaysian website lowyat.net ran a story on a massive set of breached data affecting millions of Malaysians after someone posted it for sale on their forums.

Victim
JobStreet
Records
3.9M
Data breachResolved

Gamigo data breach (2012)

In March 2012, the German online game publisher Gamigo was hacked and more than 8 million accounts publicly leaked. The breach included email addresses and passwords stored as weak MD5 hashes with no salt.

Victim
Gamigo
Records
8.2M
Data breachResolved

YouPorn data breach (2012)

In February 2012, the adult website YouPorn had over 1.3M user accounts exposed in a data breach. The publicly released data included both email addresses and plain text passwords.

Victim
YouPorn
Records
1.3M
Data breachResolved

126 data breach (2012)

In approximately 2012, it's alleged that the Chinese email service known as 126 suffered a data breach that impacted 6.4 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
126
Records
6.4M
Data breachResolved

Taobao data breach (2012)

In approximately 2012, it's alleged that the Chinese shopping site known as Taobao suffered a data breach that impacted over 21 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as…

Victim
Taobao
Records
21.1M
Data breachResolved

VK data breach (2012)

Russia's largest social network VK was compromised around 2012, exposing roughly 93 million accounts with names, phone numbers, email addresses and plaintext passwords. The data surfaced for sale in 2016 via the broker 'Peace'.

Victim
VK
Records
93.3M
Data breachResolved

17173 data breach (2011)

In late 2011, a series of data breaches in China affected up to 100 million users, including 7.5 million from the gaming site known as 17173. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
17173
Records
7.5M
Data breachResolved

RuneScape Boards data breach (2011)

In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data. The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted MD5 password hashes.

Victim
RuneScape Boards
Records
222.8K
Data breachResolved

Tianya data breach (2011)

In December 2011, China's largest online forum known as Tianya was hacked and tens of millions of accounts were obtained by the attacker. The leaked data included names, usernames and email addresses.

Victim
Tianya
Records
29.0M
Data breachResolved

Stratfor data breach (2011)

In December 2011, "Anonymous" attacked the global intelligence company known as "Stratfor" and consequently disclosed a veritable treasure trove of data including hundreds of gigabytes of email and tens of thousands of credit card details which were promptly used by the attackers to make charitable…

Victim
Stratfor
Records
859.8K
Data breachResolved

hemmelig.com data breach (2011)

In December 2011, Norway's largest online sex shop hemmelig.com was hacked by a collective calling themselves "Team Appunity". The attack exposed over 28,000 usernames and email addresses along with nicknames, gender, year of birth and unsalted MD5 password hashes.

Victim
hemmelig.com
Records
28.6K
Data breachResolved

Zhenai.com data breach (2011)

In December 2011, the Chinese dating site known as Zhenai.com suffered a data breach that impacted 5 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Zhenai.com
Records
5.0M
Data breachResolved

Dodonew.com data breach (2011)

In late 2011, data was allegedly obtained from the Chinese website known as Dodonew.com and contained 8.7M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Dodonew.com
Records
8.7M
Data breachResolved

Android Forums data breach (2011)

In October 2011, the Android Forums website was hacked and 745k user accounts were subsequently leaked publicly. The compromised data included email addresses, user birth dates and passwords stored as a salted MD5 hash.

Victim
Android Forums
Records
745.4K
Data breachResolved

Civil Online data breach (2011)

In mid-2011, data was allegedly obtained from the Chinese engineering website known as Civil Online and contained 7.8M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Civil Online
Records
7.8M
Data breachResolved

Battlefield Heroes data breach (2011)

In June 2011 as part of a final breached data dump, the hacker collective "LulzSec" obtained and released over half a million usernames and passwords from the game Battlefield Heroes.

Victim
Battlefield Heroes
Records
530.3K
Data breachResolved

hackforums.net data breach (2011)

In June 2011, the hacktivist group known as "LulzSec" leaked one final large data breach they titled "50 days of lulz". The compromised data came from sources such as AT&T, Battlefield Heroes and the hackforums.net website.

Victim
hackforums.net
Records
191.5K
Data breachResolved

Sony data breach (2011)

In 2011, Sony suffered breach after breach after breach — it was a very bad year for them. The breaches spanned various areas of the business ranging from the PlayStation network all the way through to the motion picture arm, Sony Pictures.

Victim
Sony
Records
37.1K
Data breachResolved

Dangdang data breach (2011)

In 2011, the Chinese e-commerce site Dangdang suffered a data breach. The incident exposed over 4.8 million unique email addresses which were subsequently traded online over the ensuing years.

Victim
Dangdang
Records
4.8M
Data breachResolved

QIP data breach (2011)

In mid-2011, the Russian instant messaging service known as QIP (Quiet Internet Pager) suffered a data breach. The attack resulted in the disclosure of over 26 million unique accounts including email addresses and passwords with the data eventually appearing in public years later.

Victim
QIP
Records
26.2M
EspionageResolved

RSA SecurID seed compromise

A spear-phishing email carrying a Flash zero-day gave attackers a foothold inside RSA, from which they exfiltrated data tied to the SecurID two-factor authentication system — data later used in an intrusion attempt against Lockheed Martin.

Victim
RSA Security (EMC)
Loss
$66.0M
Data breachResolved

Fling data breach (2011)

In 2011, the self-proclaimed "World's Best Adult Social Network" website known as Fling was hacked and more than 40 million accounts obtained by the attacker.

Victim
Fling
Records
40.8M
Data breachResolved

7k7k data breach (2011)

In approximately 2011, it's alleged that the Chinese gaming site known as 7k7k suffered a data breach that impacted 9.1 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
7k7k
Records
9.1M
Data breachResolved

Duowan.com data breach (2011)

In approximately 2011, data was allegedly obtained from the Chinese gaming website known as Duowan.com and contained 2.6M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Duowan.com
Records
2.6M
Data breachResolved

Gawker data breach (2010)

In December 2010, Gawker was attacked by the hacker collective "Gnosis" in retaliation for what was reported to be a feud between Gawker and 4Chan. Information about Gawkers 1.3M users was published along with the data from Gawker's other web presences including Gizmodo and Lifehacker.

Victim
Gawker
Records
1.2M
Data breachResolved

Paddy Power data breach (2010)

In October 2010, the Irish bookmaker Paddy Power suffered a data breach that exposed 750,000 customer records with nearly 600,000 unique email addresses.

Victim
Paddy Power
Records
591.0K
WiperResolved

Stuxnet (Operation Olympic Games)

U.S. and Israeli intelligence services jointly developed and deployed Stuxnet — the first widely-known cyber weapon to cause physical damage. The worm targeted Iran's Natanz uranium enrichment facility and destroyed approximately 1,000 IR-1 centrifuges over 2009–2010.

Victim
Natanz uranium enrichment facility (Iran)
Loss
$100.0M
Data breachResolved

Neteller data breach (2010)

In May 2010, the e-wallet service known as Neteller suffered a data breach which exposed over 3.6M customers. The breach was not discovered until October 2015 and included names, email addresses, home addresses and account balances.

Victim
Neteller
Records
3.6M
Data breachResolved

DivX SubTitles data breach (2010)

In approximately 2010, the now defunct website DivX SubTitles suffered a data breach that exposed 783k user accounts including email addresses, usernames and plain text passwords.

Victim
DivX SubTitles
Records
783.1K
Data breachResolved

Heartland Payment Systems card breach

An SQL-injection foothold let Albert Gonzalez's crew plant sniffer malware inside Heartland's payment-processing network, capturing roughly 130 million card numbers in transit — at the time the largest card-data breach ever disclosed.

Victim
Heartland Payment Systems
Loss
$200.0M
Records
130.0M
Data breachResolved

Elance data breach (2009)

Sometime in 2009, staffing platform Elance suffered a data breach that impacted 1.3 million accounts. Appearing online 8 years later, the data contained usernames, email addresses, phone numbers and SHA1 hashes of passwords, amongst other personal data.

Victim
Elance
Records
1.3M
Data breachResolved

Money Bookers data breach (2009)

Sometime in 2009, the e-wallet service known as Money Bookers suffered a data breach which exposed almost 4.5M customers. Now called Skrill, the breach was not discovered until October 2015 and included names, email addresses, home addresses and IP addresses.

Victim
Money Bookers
Records
4.5M
Data breachResolved

Baby Names data breach (2008)

In approximately 2008, the site to help parents name their children known as Baby Names suffered a data breach. The incident exposed 846k email addresses and passwords stored as salted MD5 hashes.

Victim
Baby Names
Records
846.7K
Data breachResolved

Foxy Bingo data breach (2008)

In April 2007, the online gambling site Foxy Bingo was hacked and 252,000 accounts were obtained by the hackers. The breached records were subsequently sold and traded and included personal information data such as plain text passwords, birth dates and home addresses.

Victim
Foxy Bingo
Records
252.2K
Data breachResolved

gPotato data breach (2007)

In July 2007, the multiplayer game portal known as gPotato (link to archive of the site at that time) suffered a data breach and over 2 million user accounts were exposed. The site later merged into the Webzen portal where the original accounts still exist today.

Victim
gPotato
Records
2.1M
DDoSResolved

2007 cyberattacks on Estonia

A three-week wave of distributed denial-of-service attacks crippled Estonian government, banking, and media websites amid a dispute with Russia, becoming the first cyber assault on an entire nation-state and the birthplace of NATO's cyber-defence doctrine.

Victim
Republic of Estonia (government, banks, media)
Data breachResolved

TJX Companies (T.J. Maxx) card breach

Attackers led by Albert Gonzalez sniffed weakly-encrypted in-store Wi-Fi at a Marshalls outlet and pivoted to TJX's central systems, exfiltrating an estimated 94 million payment-card records over an 18-month intrusion — the largest U.S. retail data breach of its era.

Victim
The TJX Companies, Inc.
Loss
$256.0M
Records
94.0M