Skip to content

Incidents in sector:

Finance

Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan
Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA — a French real-estate tokenization and fractional-investment fintech — up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K
Data breachResolved

Vimeo data breach (2026)

In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.

Victim
Vimeo
Records
119.2K
Data breachResolved

Udemy data breach (2026)

In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors.

Victim
Udemy
Records
1.4M
Data breachResolved

Kemper data breach (2026)

In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign.

Victim
Kemper
Records
269.3K
Data breachResolved

Zara data breach (2026)

In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign.

Victim
Zara
Records
197.4K
Data breachResolved

Abrigo data breach (2026)

In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo…

Victim
Abrigo
Records
711.1K
Data breachResolved

Mytheresa data breach (2026)

In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses.

Victim
Mytheresa
Records
84.1K
Data breachResolved

ZenBusiness data breach (2026)

In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform.

Victim
ZenBusiness
Records
5.1M
Data breachResolved

Addi data breach (2026)

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised".

Victim
Addi
Records
34.5M
Data breachResolved

Sound Radix data breach (2026)

In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names.

Victim
Sound Radix
Records
293.0K
Data breachContained

Data leak at Vatel Capital

On 9 March 2026, French AMF-regulated asset manager Vatel Capital emailed its clients to disclose an accidental exposure of files that occurred between 21 February and early March 2026, affecting personal data held by the firm.

Victim
Vatel Capital
Data breachResolved

Baydöner data breach (2026)

In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords.

Victim
Baydöner
Records
1.3M
Data breachResolved

Aura data breach (2026)

In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected.

Victim
Aura
Records
903.1K
Data breachResolved

SUCCESS data breach (2026)

In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes.

Victim
SUCCESS
Records
253.5K
Data breachResolved

Ameriprise data breach (2026)

In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure,…

Victim
Ameriprise
Records
502.6K
Data breachResolved

CarGurus data breach (2026)

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings,…

Victim
CarGurus
Records
12.5M
Data breachResolved

Odido data breach (2026)

In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days.

Victim
Odido
Records
6.1M
Data breachUnknown

Data leak at Protexia France

In early February 2026, Protexia France — the legal-protection insurance subsidiary of Allianz France — was reported to have suffered a data breach exposing personal information belonging to its policyholders and contacts.

Victim
Protexia France
Data breachResolved

Figure data breach (2026)

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth.

Victim
Figure
Records
967.2K
Data breachUnknown

Leak at Lovys

On 28 January 2026, a data leak was claimed against Lovys, a French 100% digital neo-insurer, allegedly exposing customer records; the scale and exact data categories remain unverified.

Victim
Lovys
Supply chainUnknown

Data leak at Wemind (via Allianz)

On 28 January 2026, a data leak affecting Wemind, the French neo-insurer for freelancers and small businesses, exposed members' contact details — names, postal addresses, email addresses and phone numbers — through its Allianz insurance/back-office channel.

Victim
Wemind
Data breachUnknown

Leak at Panorama Banques

On 24 January 2026, a database attributed to French bank-comparison and credit-brokerage service Panorama Banques (Panorabanques) surfaced online, exposing personal, contact and detailed financial-profile data on roughly 2.34 million customers.

Victim
Panorama Banques
Records
2.3M
Data breachContained

Data leak at Waltio

In January 2026, French crypto-tax platform Waltio disclosed a breach exposing data from around 50,000 users — email addresses and 2024 tax-report summaries (gains/losses and year-end balances) — followed by an extortion attempt the company refused to pay.

Victim
Waltio
Records
50.0K
Data breachResolved

Betterment data breach (2026)

In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an…

Victim
Betterment
Records
1.4M
Data breachUnknown

Leak at PayTrip

On 27 December 2025, French money-transfer fintech PayTrip suffered a data breach exposing data on 74,877 customers, including names, contact details, IBANs and account balances, later circulated online by a threat actor.

Victim
PayTrip
Records
74.9K
Supply chainContained

Leak at ASAF & AFPS (via Itelis)

Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.

Victim
ASAF & AFPS
RansomwareOngoing

Leak at La Centrale du Financement

A threat actor exfiltrated around 387 GB of data (some 411,000 files) from French mortgage and credit broker La Centrale de Financement, exposing highly sensitive customer KYC documents, financial records and internal files, then offered the dataset for sale after failed extortion negotiations.

Victim
La Centrale du Financement
Supply chainContained

Leak at AG2R la Mondiale (via Itelis)

Disclosed in November 2025, a cyberattack on Itelis — the optical-care third-party network used by insurer AG2R la Mondiale — exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.

Victim
AG2R la Mondiale
Data breachResolved

Canadian Tire data breach (2025)

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses.

Victim
Canadian Tire
Records
38.3M
Supply chainContained

Leak at La Nef

In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.

Victim
La Nef
Data breachResolved

Canada Goose data breach (2025)

In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card…

Victim
Canada Goose
Records
581.9K
Social engineeringContained

C&M Software Pix heist (Brazil, 2025)

A junior developer at C&M Software — a Central Bank-authorized provider of Pix instant-payment connectivity — was paid roughly R$5,000 to hand over credentials. Attackers used the access to drain approximately R$800 million ($148 million) from reserve accounts at six Brazilian financial institutions in 2.5 hours.

Victim
C&M Software (Pix payment infrastructure provider)
Loss
$148.0M
RansomwareOngoing

Leak at Harvest

Harvest, a French wealth-management software editor, was hit by a Run Some Wares ransomware double-extortion attack disclosed in April 2025; internal and client files were exfiltrated and published, reportedly exposing data on tens of thousands of individuals and thousands of companies.

Victim
Harvest
Supply chainContained

Leak at MAIF & BPCE

A ransomware attack on French wealth-management software vendor Harvest (Run Some Wares group, detected 27 Feb 2025) exposed personal and financial data of customers of insurer MAIF and banking group BPCE (Banque Populaire / Caisse d'Épargne) in a supply-chain breach.

Victim
MAIF & BPCE
Supply chainContained

Leak at Direct Assurance

In March 2025, French direct insurer Direct Assurance (an AXA subsidiary) suffered a breach via its partner Run Assurance: attackers exploited a flaw in the data exchanges between the two firms to access customer personal data, raising identity-theft and phishing risks.

Victim
Direct Assurance
Data breachContained

Data leak at UTwin

On 5 March 2025, French borrower-insurance broker UTwin notified clients that an intrusion into its IT system had temporarily exposed identity details, email addresses and phone numbers; the company said no banking, medical or contract data was affected.

Victim
UTwin
Data breachContained

Leak at Mutuelle des Motards

In February 2025, French motorcycle insurer Mutuelle des Motards suffered a breach of a marketing contact database, exposing names, email addresses, phone numbers and postal codes of more than 1.3 million members.

Victim
Mutuelle des Motards
Records
1.3M
Credential stuffingContained

Leak at Caisse des dépôts et des consignations

In February 2025, France's Caisse des dépôts disclosed that attackers used stolen login credentials to access the Ircantec pension platform and steal the personal data of about 70,000 public-sector contract workers, hospital practitioners and roughly 1,000 local elected officials.

Victim
Caisse des dépôts et des consignations
Records
70.0K
Data breachResolved

LandAirSea data breach (2025)

In January 2025, the GPS tracking service LandAirSea suffered a data breach that exposed 337k unique customer email addresses alongside names, usernames and password hashes.

Victim
LandAirSea
Records
337.4K
Data breachContained

Leak at Banque de France

On 23 November 2024, the threat actor Near2tlg advertised data allegedly stolen from France's central bank; the Banque de France denied any compromise of its secure systems, acknowledging only brief unauthorized access to an HR extranet with no sensitive data exposed.

Victim
Banque de France
Data breachResolved

Yonéma data breach (2024)

In November 2024, data from the Senegalese payment platform Yonéma was posted to a popular hacking forum. The data included 36k unique email addresses alongside phone numbers, names and what appears to be encrypted passwords and dates of birth.

Victim
Yonéma
Records
36.0K
Data breachContained

Leak at Direct Assurance

In November 2024, French online insurer Direct Assurance was breached via a compromised employee account, exposing personal data of roughly 15,000 clients and prospects — including the IBAN/RIB banking details of about 5,800 of them — later offered for sale online.

Victim
Direct Assurance
Records
15.0K
Data breachResolved

1win data breach (2024)

In November 2024, the online betting platform 1win suffered a data breach that exposed 96M users. The exposed data included email and IP addresses, phone numbers, dates of birth, country and SHA-256 password hashes.

Victim
1win
Records
96.2M
Data breachResolved

Interbank Peru data breach

After a two-week extortion negotiation collapsed, a threat actor known as kzoldyck leaked 3.7 TB of data on roughly 3 million Interbank customers, including names, DNI numbers, card data, and plaintext credentials.

Victim
Interbank (Banco Internacional del Perú)
Records
3.3M
Data breachResolved

Hot Topic data breach (2024)

In October 2024, retailer Hot Topic suffered a data breach that exposed 57 million unique email addresses. The impacted data also included physical addresses, phone numbers, purchases, genders, dates of birth and partial credit data containing card type, expiry and last 4 digits.

Victim
Hot Topic
Records
56.9M
Data breachResolved

Earth 2 data breach (2024)

In October 2024, 421k unique email addresses from the virtual earth game Earth 2 were derived from embedded Gravatar images. Appearing alongside player usernames, the root cause was related to how Gravatar presents links to avatars as MD5 hashes within consuming services, a feature Earth 2 advised…

Victim
Earth 2
Records
421.0K
Data breachResolved

Finsure data breach (2024)

In October 2024, almost 300k unique email addresses from Australian mortgage broking group Finsure were obtained from the ActivePipe real estate marketing platform. The impacted data also included names, phone numbers and physical addresses.

Victim
Finsure
Records
296.1K
Data breachContained

Leak at Meilleurtaux

In late September 2024, French credit and insurance broker Meilleurtaux disclosed that an external attack on its IT systems had exposed sensitive personal data of customers, including names, contact details, dates of birth, family situation, income and employment status.

Victim
Meilleurtaux
Data breachResolved

French Citizens data breach (2024)

In September 2024, over 90M rows of data on French Citizens was found left exposed in a publicly facing database. Compiled from various data breaches, the corpus contained 28M unique email addresses with the various source breaches each exposing different fields including name, physical and IP…

Victim
French Citizens
Records
28.4M
Data breachResolved

MC2 Data data breach (2024)

In August 2024, data aggregator MC2 Data left a database publicly accessible without a password which was subsequently discovered by a security researcher. The breach exposed the personal information of 2.1M subscribers to the service which was marketed under a series of different brand names.

Victim
MC2 Data
Records
2.1M
Data breachResolved

Ubook data breach (2024)

In July 2024, 700k unique email addresses from the audiobook platform Ubook were posted to a popular hacking forum. Allegedly scraped from the service, the data appears to be sourced from the Ubook Exchange (UBX) and also includes names, genders, dates of birth and links to profile photos.

Victim
Ubook
Records
699.9K
Data breachResolved

Otelier data breach (2024)

In July 2024, a threat actor gained access to the hotel management platform Otelier and retrieved customer data from well-known hotel brands including Marriott, Hilton, and Hyatt.

Victim
Otelier
Records
436.9K
Data breachResolved

Shoe Zone data breach (2024)

In June 2024, the UK footwear chain Shoe Zone disclosed a data breach that was subsequently posted for sale on a popular hacking forum. The data included over 100k orders containing names, addresses, partial credit card numbers (card type and last 4 digits), and 46k unique email addresses.

Victim
Shoe Zone
Records
46.1K
Data breachResolved

Z-lib data breach (2024)

In June 2024, almost 10M user records from Z-lib were discovered exposed online. Now defunct, Z-lib was a malicious clone of Z-Library, a well-known shadow online platform for pirating books and academic papers.

Victim
Z-lib
Records
9.7M
Data breachResolved

mSpy (2024) data breach (2024)

In June 2024, a huge trove of data from spyware maker mSpy was obtained by hacktivists and published online. Comprising of 142GB of user data and support tickets along with 176GB of more than half a million attachments, the data contained 2.4M unique email addresses, IP addresses names and photos.

Victim
mSpy (2024)
Records
2.4M
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
Data breachResolved

Blooms Today data breach (2023)

In April 2024, 15M records from the online florist Blooms Today were listed for sale on a popular hacking forum. The most recent data in the breach corpus was from November 2023 and appeared alongside 3.2M unique email addresses, names, phone numbers physical addresses and partial credit card data…

Victim
Blooms Today
Records
3.2M
RansomwareContained

ICBC Financial Services LockBit ransomware (2023)

LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.

Victim
ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
Loss
$9.00B
Data breachResolved

Manipulated Caiman data breach (2023)

In July 2023, Perception Point reported on a phishing operation dubbed "Manipulated Caiman". Targeting primarily the citizens of Mexico, the campaign attempted to gain access to victims' bank accounts via spear phishing attacks using malicious attachments.

Victim
Manipulated Caiman
Records
39.9M
Data breachResolved

Genesis Market data breach (2023)

In April 2023, the stolen identity marketplace Genesis Market was shut down by the FBI and a coalition of law enforcement agencies across the globe in "Operation Cookie Monster".

Victim
Genesis Market
Records
8.0M
Data breachResolved

MediaWorks data breach (2023)

In March 2024, millions of rows of data from the New Zealand media company MediaWorks was publicly posted to a popular hacking forum. The incident exposed 163k unique email addresses provided by visitors who filled out online competitions and included names, physical addresses, phone numbers, dates…

Victim
MediaWorks
Records
162.7K
Data breachResolved

HDB Financial Services data breach (2023)

In March 2023, the Indian non-bank lending unit HDB Financial Services suffered a data breach that disclosed over 70M customer records. Containing 1.6M unique email addresses, the breach also disclosed names, dates of birth, phone numbers, genders, post codes and loan information belonging to the…

Victim
HDB Financial Services
Records
1.7M
fraudinvestigating

Flutterwave unauthorized-transfer incidents

Nigeria's largest fintech suffered a series of unauthorized-transfer incidents in 2023, including a ₦2.9 billion ($4.2M) diversion across 28 accounts and a later ₦19 billion ($24M) loss via abused POS-merchant access, prompting Mareva injunctions to freeze thousands of beneficiary accounts.

Victim
Flutterwave
Loss
$24.0M
Data breachResolved

Eye4Fraud data breach (2023)

In February 2023, data alleged to have been taken from the fraud protection service Eye4Fraud was listed for sale on a popular hacking forum. Spanning tens of millions of rows with 16M unique email addresses, the data was spread across 147 tables totalling 65GB and included both direct users of the…

Victim
Eye4Fraud
Records
16.0M
Data breachResolved

Zurich data breach (2023)

In January 2023, the Japanese arm of Zurich insurance suffered a data breach that exposed 2.6M customer records with over 756k unique email addresses. The data was subsequently posted to a popular hacking forum and also included names, genders, dates of birth and details of insured vehicles.

Victim
Zurich
Records
756.7K
Data breachResolved

Gemini data breach (2022)

In late 2022, a hacker posted a data set to a public hacking forum which they alleged was sourced from the Gemini crypto exchange, a claim that was later proven to be false as the data was traced back to an incident at a third-party vendor.

Victim
Gemini
Records
5.3M
Data breachResolved

GunAuction.com data breach (2022)

In December 2022, the online firearms auction website GunAuction.com suffered a data breach which was later discovered left unprotected on the hacker's server.

Victim
GunAuction.com
Records
565.5K
Data breachResolved

CoinTracker data breach (2022)

In December 2022, the Crypto & NFT taxes service CoinTracker reported a data breach that impacted over 1.5M of their customers. The company later attributed the breach to a compromise SendGrid in an attack that targeted multiple customers of the email provider.

Victim
CoinTracker
Records
1.6M
Data breachResolved

Locally data breach (2022)

In October 2022, "The Industry's Leading Online-to-Offline Shopping Solution" Locally suffered a data breach. Whilst Locally acknowledged the breach privately, it's unknown whether impacted customers were subsequently notified of the incident which exposed over 362k names, phone numbers, email and…

Victim
Locally
Records
362.6K
Data breachResolved

Altenen data breach (2022)

In June 2022, the malicious "carding" (referring to credit card fraud) website Altenen suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 1.3M unique email addresses, usernames, bcrypt password hashes and cryptocurrency wallet addresses.

Victim
Altenen
Records
1.3M
Data breachResolved

PaySystem.tech data breach (2022)

In mid-2022, data alleged to have been sourced from the Russian payment provider PaySystem.tech appeared in hacking circles where it was made publicly available for download.

Victim
PaySystem.tech
Records
1.4M
Data breachResolved

PayHere data breach (2022)

In late March 2022, the Sri Lankan payment gateway PayHere suffered a data breach that exposed more than 65GB of payment records including over 1.5M unique email addresses.

Victim
PayHere
Records
1.6M
Data breachResolved

Viva Air data breach (2022)

In March 2022, the now defunct Colombian airline Viva Air suffered a data breach and subsequent ransomware attack. Among a trove of other ransomed data, the incident exposed a log of 2.6M transactions with 932k unique email addresses, physical and IP addresses, names, phone numbers and partial…

Victim
Viva Air
Records
932.2K
Data breachResolved

Carding Mafia (December 2021) data breach (2021)

In December 2021, the Carding Mafia forum suffered a data breach that exposed over 300k members' email addresses. Dedicated to the theft and trading of stolen credit cards, the forum breach also exposed usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Carding Mafia (December 2021)
Records
303.9K
Data breachResolved

FlexBooker data breach (2021)

In December 2021, the online booking service FlexBooker suffered a data breach that exposed 3.7 million accounts. The data included email addresses, names, phone numbers and for a small number of accounts, password hashes and partial credit card data.

Victim
FlexBooker
Records
3.8M
Data breachResolved

BTC-Alpha data breach (2021)

In November 2021, the crypto exchange platform BTC-Alpha suffered a ransomware attack data breach after which customer data was publicly dumped. The impacted data included 362k email and IP addresses, usernames and passwords stored as PBKDF2 hashes.

Victim
BTC-Alpha
Records
362.4K
Data breachResolved

CoinMarketCap data breach (2021)

During October 2021, 3.1 million email addresses with accounts on the cryptocurrency market capitalisation website CoinMarketCap were discovered being traded on hacking forums.

Victim
CoinMarketCap
Records
3.1M
Data breachResolved

Imavex data breach (2021)

In August 2021, the website development company Imavex suffered a data breach that exposed 878 thousand unique email addresses. The data included user records containing names, usernames and password material with some records also containing genders and partial credit card data, including the last…

Victim
Imavex
Records
878.2K
Data breachResolved

Have Fun Teaching data breach (2021)

In August 2021, the teaching resources website Have Fun Teaching suffered a data breach that leaked 80k WooCommerce transactions which were later posted to a popular hacking forum.

Victim
Have Fun Teaching
Records
27.1K
Data breachResolved

Upstox data breach (2021)

In April 2021, Indian brokerage firm Upstox suffered a data breach. The incident exposed extensive personal information on over 100k customers including names, genders, dates of birth, physical addresses, banking information and passwords stored as bcrypt hashes.

Victim
Upstox
Records
111.0K
Data breachdisputed

MobiKwik data breach

An 8.2TB trove tied to Indian fintech MobiKwik — reportedly covering up to 99 million users with KYC documents, Aadhaar and card details — was advertised for sale on a dark-web forum, in a breach the company repeatedly denied.

Victim
MobiKwik
Records
99.0M
Data breachResolved

Carding Mafia (March 2021) data breach (2021)

In March 2021, the Carding Mafia forum suffered a data breach that exposed almost 300k members' email addresses. Dedicated to the theft and trading of stolen credit cards, the forum breach also exposed usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Carding Mafia (March 2021)
Records
297.7K
Data breachResolved

Descomplica data breach (2021)

In March 2021, the Brazilian EdTech company Descomplica suffered a data breach which was subsequently posted to a popular hacking forum. The data included almost 5 million email addresses, names, the first 6 and last 4 digits and the expiry date of credit cards, purchase histories and password…

Victim
Descomplica
Records
4.8M
Data breachResolved

WeLeakInfo data breach (2021)

In March 2021, the Stripe account of the now-defunct WeLeakInfo service was taken over by "pompompurin" after acquiring an expired domain name with an email address used to manage the account.

Victim
WeLeakInfo
Records
11.8K
Data breachunresolved

Brazil 223-million mega-leak

The largest personal-data leak in Brazilian history: databases on roughly 223 million people — including names, CPF tax IDs, facial images, salaries and credit scores — surfaced for sale on a dark-web forum, with suspicion pointing at credit-bureau data.

Victim
Brazilian population (credit-bureau-linked databases)
Records
223.0M
Data breachResolved

Oxfam data breach (2021)

In January 2021, Oxfam Australia was the victim of a data breach which exposed 1.8M unique email addresses of supporters of the charity. The data was put up for sale on a popular hacking forum and also included names, phone numbers, addresses, genders and dates of birth.

Victim
Oxfam
Records
1.8M
Data breachResolved

Guns.com data breach (2021)

In January 2021, the firearms website guns.com suffered a data breach. The breach exposed 376k unique email addresses along with names, phone numbers, physical addresses, gun purchases, partial credit card data, dates of birth and passwords stored as bcrypt hashes.

Victim
Guns.com
Records
375.9K
Data breachResolved

Travel Oklahoma data breach (2020)

In December 2020, the Oklahoma state Tourism and Recreation Department suffered a data breach. The incident exposed 637k email addresses across a variety of tables including age ranges against brochure orders and dates of birth against contest entries.

Victim
Travel Oklahoma
Records
637.3K
Supply chainContained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers — ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B
RansomwareResolved

Shirbit insurance breach by Black Shadow

The Black Shadow group breached Israeli insurer Shirbit, stealing ID cards, passports, financial and medical documents, and demanded a bitcoin ransom that escalated toward $1 million. When Shirbit refused, the attackers leaked customer data in stages.

Victim
Shirbit Insurance
Data breachResolved

Playbook data breach (2020)

In September 2021, a publicly accessible PostgresSQL database belonging to the Playbook service was identified. Run by VC firm Plug and Play Ventures, the database had been exposed since October 2020 and contained more than 50 thousand unique email addresses along with names, phone numbers, job…

Victim
Playbook
Records
50.5K
RansomwareResolved

BancoEstado REvil ransomware attack

REvil (Sodinokibi) ransomware encrypted roughly 14,000 workstations at BancoEstado, one of Chile's largest banks, forcing it to close all branches nationwide for a day while ATMs, online banking, and customer funds were kept unaffected by network segmentation.

Victim
BancoEstado
DDoSResolved

NZX stock exchange DDoS attacks

A sustained volumetric DDoS campaign knocked New Zealand's stock exchange offline for parts of five consecutive trading days, halting trading because the exchange could not publish market announcements, and drawing a sharp regulatory rebuke.

Victim
NZX (New Zealand's Exchange)
Data breachResolved

Bonobos data breach (2020)

In August 2020, the clothing store Bonobos suffered a data breach that exposed almost 70GB of data containing 2.8 million unique email addresses. The breach also exposed names, physical and IP addresses, phone numbers, order histories and passwords stored as salted SHA-512 hashes, including…

Victim
Bonobos
Records
2.8M
Data breachResolved

Lazada RedMart data breach (2020)

In October 2020, news broke of Lazada RedMart data breach containing records as recent as July 2020 and being sold via an online marketplace. In all, the data contained 1.1 million customer email addresses alongside names, phone numbers, physical addresses, partial credit card numbers and passwords…

Victim
Lazada RedMart
Records
1.1M
Data breachResolved

Utah Gun Exchange data breach (2020)

In July 2020, the Utah Gun Exchange website suffered a data breach which included several other associated websites. In total, 235k unique email addresses were exposed before being traded online alongside names, usernames, genders, IP addresses and password hashes.

Victim
Utah Gun Exchange
Records
235.2K
Data breachResolved

Dave data breach (2020)

In June 2020, the digital banking app Dave suffered a data breach which exposed 7.5 million rows of data and subsequently appeared for public download on a hacking forum.

Victim
Dave
Records
3.0M
Data breachResolved

Ledger data breach (2020)

In June 2020, the hardware crypto wallet manufacturer Ledger suffered a data breach that exposed over 1 million email addresses. The data was initially sold before being dumped publicly in December 2020 and included names, physical addresses and phone numbers.

Victim
Ledger
Records
1.1M
Data breachResolved

Kreditplus data breach (2020)

In June 2020, the Indonesian credit service Kreditplus suffered a data breach which exposed 896k records containing 769k unique email addresses. The breach exposed extensive personal information including names, family makeup, information on spouses, income and expenses, religions and employment…

Victim
Kreditplus
Records
768.9K
Data breachResolved

Swvl data breach (2020)

In June 2020, the Egyptian bus operator Swvl suffered a data breach which impacted over 4 million members of the service. The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of…

Victim
Swvl
Records
4.2M
Data breachResolved

Home Chef data breach (2020)

In early 2020, the food delivery service Home Chef suffered a data breach which was subsequently sold online. The breach exposed the personal information of almost 9 million customers including names, IP addresses, post codes, the last 4 digits of credit card numbers and passwords stored as bcrypt…

Victim
Home Chef
Records
8.8M
Data breachResolved

Mastercard Priceless Specials data breach (2019)

In August 2019, the German Mastercard bonus program "Priceless Specials" suffered a data breach. Personal data on almost 90k program members was subsequently extensively circulated online and included names, email and IP addresses, phone numbers and partial credit card data.

Victim
Mastercard Priceless Specials
Records
89.4K
Insider threatResolved

Desjardins insider data breach

An insider at Desjardins — the largest financial cooperative in Canada — exfiltrated personal data on 9.7 million members and businesses over two years before being caught. The defining Canadian insider-threat case.

Victim
Desjardins Group
Loss
$100.0M
Records
9.7M
Data breachResolved

GateHub data breach (2019)

In October 2019, 1.4M accounts from the cryptocurrency wallet service GateHub were posted to a popular hacking forum. GateHub had previously acknowledged a data breach in June, albeit with a smaller number of impacted accounts.

Victim
GateHub
Records
1.4M
Vulnerability exploitResolved

First American Financial document exposure

An insecure direct object reference (IDOR) flaw on First American Financial's website exposed roughly 885 million title-insurance and mortgage documents — including Social Security numbers, bank account details, and driver's-license images — dating back to 2003, accessible to anyone without authentication.

Victim
First American Financial Corporation
Loss
$1.5M
Records
885.0M
Data breachResolved

EatStreet data breach (2019)

In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes.

Victim
EatStreet
Records
6.4M
Data breachResolved

Roll20 data breach (2018)

In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed.

Victim
Roll20
Records
4.0M
Data breachResolved

BankIslami / Pakistan banking card breach

Fraudulent withdrawals at BankIslami triggered Pakistan's largest banking-sector breach, with details of more than 19,000 payment cards from 22 banks dumped for sale on the Joker's Stash carding forum and cashed out via ATMs and POS terminals abroad.

Victim
BankIslami Pakistan
Loss
$6.0M
Records
19.0K
Data breachResolved

GoldSilver data breach (2018)

In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers.

Victim
GoldSilver
Records
242.7K
Data breachResolved

Atlas Quantum data breach (2018)

In August 2018, the cryptocurrency investment platform Atlas Quantum suffered a data breach. The breach leaked the personal data of 261k investors on the platform including their names, phone numbers, email addresses and account balances.

Victim
Atlas Quantum
Records
261.5K
Data breachResolved

Apollo data exposure (2018)

Sales-engagement startup Apollo left a database of 9 billion data points and over 200 million contact records exposed without a password in 2018; a subset of 126 million unique email addresses was loaded into Have I Been Pwned after researcher Vinny Troia found it.

Victim
Apollo
Records
125.9M
Data breachResolved

Romwe data breach (2018)

In mid-2018, the Hong Kong-based retailer Romwe suffered a data breach which exposed almost 20 million customers. The data was subsequently sold online and includes names, phone numbers, email and IP addresses, customer geographic locations and passwords stored as salted SHA-1 hashes.

Victim
Romwe
Records
19.5M
private-keystolen

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time — later attributed to North Korea's Lazarus Group.

Victim
Coincheck Inc.
Loss
$530.0M
Data breachResolved

The Fly on the Wall data breach (2017)

In December 2017, the stock market news website The Fly on the Wall suffered a data breach. The data in the breach included 84k unique email addresses as well as purchase histories and credit card data.

Victim
The Fly on the Wall
Records
84.0K
MalwareResolved

Far Eastern International Bank SWIFT heist

North Korea's Lazarus Group used custom malware to commandeer Far Eastern International Bank's SWIFT terminal and wire roughly $60 million to accounts in the U.S., Cambodia, and Sri Lanka, deploying Hermes ransomware as a diversion.

Victim
Far Eastern International Bank (FEIB)
Loss
$500.0K
Data breachResolved

Moneycontrol data breach (2017)

In April 2021, hackers posted data for sale originating from the online Indian financial platform, Moneycontrol. The data included 763 thousand unique email addresses (allegedly a subset of a larger 40 million account breach), alongside geographic locations, phone numbers, genders, dates of birth…

Victim
Moneycontrol
Records
762.9K
Data breachResolved

Coinmama data breach (2017)

In August 2017, the crypto coin brokerage service Coinmama suffered a data breach that impacted 479k subscribers. The breach was discovered in February 2019 with exposed data including email addresses, usernames and passwords stored as MD5 WordPress hashes.

Victim
Coinmama
Records
478.8K
Data breachResolved

Factual data breach (2017)

In March 2017, a file containing 8M rows of data allegedly sourced from data aggregator Factual was compiled and later exchanged on the premise it was a "breach". The data contained 2.5M unique email addresses alongside business names, addresses and phone numbers.

Victim
Factual
Records
2.5M
Data breachResolved

Data Enrichment Records data breach (2016)

In December 2016, more than 200 million "data enrichment profiles" were found for sale on the darknet. The seller claimed the data was sourced from Experian and whilst that claim was rejected by the company, the data itself was found to be legitimate suggesting it may have been sourced from other…

Victim
Data Enrichment Records
Records
8.2M
Data breachResolved

NemoWeb data breach (2016)

In September 2016, almost 21GB of data from the French website used for "standardised and decentralized means of exchange for publishing newsgroup articles" NemoWeb was leaked from what appears to have been an unprotected Mongo DB.

Victim
NemoWeb
Records
3.5M
Data breachResolved

MDPI data breach (2016)

In August 2016, the Swiss scholarly open access publisher known as MDPI had 17.5GB of data obtained from an unprotected Mongo DB instance. The data contained email exchanges between MDPI and their authors and reviewers which included 845k unique email addresses.

Victim
MDPI
Records
845.0K
Data breachResolved

Regpack data breach (2016)

In July 2016, a tweet was posted with a link to an alleged data breach of BlueSnap, a global payment gateway and merchant account provider. The data contained 324k payment records across 105k unique email addresses and included personal attributes such as name, home address and phone number.

Victim
Regpack
Records
105.0K
Data breachResolved

Qatar National Bank data breach

A 1.4 GB archive of internal files, customer account records, and nearly one million payment card numbers stored in clear text was leaked online, including dossiers on Qatar's Al Thani royal family, Al Jazeera staff, and apparent intelligence targets.

Victim
Qatar National Bank (QNB)
Records
100.0K
Data breachResolved

KnownCircle data breach (2016)

In approximately April 2016, the "marketing automation for agents and professional service providers" company KnownCircle had a large volume of data obtained by an external party.

Victim
KnownCircle
Records
2.0M
Data breachResolved

Staminus data breach (2016)

In March 2016, the DDoS protection service Staminus was "massively hacked" resulting in an outage of more than 20 hours and the disclosure of customer credentials (with unsalted MD5 hashes), support tickets, credit card numbers and other sensitive data.

Victim
Staminus
Records
26.8K
Data breachResolved

Experian (2015) data breach (2015)

In September 2015, the US based credit bureau and consumer data broker Experian suffered a data breach that impacted 15 million customers who had applied for financing from T-Mobile.

Victim
Experian (2015)
Records
7.2M
Data breachResolved

Bitcoin Talk data breach (2015)

In May 2015, the Bitcoin forum Bitcoin Talk was hacked and over 500k unique email addresses were exposed. The attack led to the exposure of a raft of personal data including usernames, email and IP addresses, genders, birth dates, security questions and MD5 hashes of their answers plus hashes of…

Victim
Bitcoin Talk
Records
501.4K
Data breachResolved

JPMorgan Chase data breach

Attackers exploited a server missing two-factor authentication to breach more than 90 JPMorgan Chase servers and steal contact details for 76 million households and 7 million small businesses — one of the largest intrusions ever into a U.S. financial institution.

Victim
JPMorgan Chase
Records
83.0M
Data breachResolved

BTC-E data breach (2014)

In October 2014, the Bitcoin exchange BTC-E was hacked and 568k accounts were exposed. The data included email and IP addresses, wallet balances and hashed passwords.

Victim
BTC-E
Records
568.3K
Data breachResolved

Banorte data breach (2014)

In August 2022, millions of records from Mexican bank "Banorte" were publicly dumped on a popular hacking forum including 2.1M unique email addresses, physical addresses, names, phone numbers, RFC (tax) numbers, genders and bank balances.

Victim
Banorte
Records
2.1M
Data breachResolved

Business Acumen Magazine data breach (2014)

In April 2014, the Australian "Business Acumen Magazine" website was hacked by an attacker known as 1337MiR. The breach resulted in over 26,000 accounts being exposed including usernames, email addresses and password stored with a weak cryptographic hashing algorithm (MD5 with no salt).

Victim
Business Acumen Magazine
Records
26.6K
Data breachResolved

Bell (2014 breach) data breach (2014)

In February 2014, Bell Canada suffered a data breach via the hacker collective known as NullCrew. The breach included data from multiple locations within Bell and exposed email addresses, usernames, user preferences and a number of unencrypted passwords and credit card data from 40,000 records…

Victim
Bell (2014 breach)
Records
20.9K
Insider threatResolved

Korea Credit Bureau card-data theft

A contractor at the Korea Credit Bureau copied the card and identity data of about 20 million customers of KB Kookmin, Lotte and NH Nonghyup card firms onto a USB drive and sold it — one of the largest financial-data thefts in South Korean history.

Victim
Korea Credit Bureau (KCB) / KB Kookmin, Lotte, NH Nonghyup card units
Records
20.0M
EspionageResolved

Gauss banking-espionage malware against Lebanese banks

Gauss, a nation-state cyber-surveillance toolkit related to Flame and Stuxnet, infected over 2,500 systems — most heavily in Lebanon — and was the first publicly known state-sponsored malware engineered to steal online-banking credentials from specific Lebanese banks.

Victim
Lebanese banks (Bank of Beirut, Byblos Bank, Fransabank, BlomBank, Credit Libanais) and their customers
Data breachResolved

League of Legends data breach (2012)

In June 2012, the multiplayer online game League of Legends suffered a data breach. At the time, the service had more than 32 million registered accounts and the breach affected various personal data attributes including "encrypted" passwords.

Victim
League of Legends
Records
339.5K
Data breachResolved

WHMCS data breach (2012)

In May 2012, the web hosting, billing and automation company WHMCS suffered a data breach that exposed 134k email addresses. The breach included extensive information about customers and payment histories including partial credit card numbers.

Victim
WHMCS
Records
134.0K
Data breachResolved

Stratfor data breach (2011)

In December 2011, "Anonymous" attacked the global intelligence company known as "Stratfor" and consequently disclosed a veritable treasure trove of data including hundreds of gigabytes of email and tens of thousands of credit card details which were promptly used by the attackers to make charitable…

Victim
Stratfor
Records
859.8K
Data breachResolved

Heartland Payment Systems card breach

An SQL-injection foothold let Albert Gonzalez's crew plant sniffer malware inside Heartland's payment-processing network, capturing roughly 130 million card numbers in transit — at the time the largest card-data breach ever disclosed.

Victim
Heartland Payment Systems
Loss
$200.0M
Records
130.0M
DDoSResolved

2007 cyberattacks on Estonia

A three-week wave of distributed denial-of-service attacks crippled Estonian government, banking, and media websites amid a dispute with Russia, becoming the first cyber assault on an entire nation-state and the birthplace of NATO's cyber-defence doctrine.

Victim
Republic of Estonia (government, banks, media)