Skip to content

Incidents in sector:

Other

Data breachOngoing

Leak at La France Insoumise

In May 2026, France's La France Insoumise party had data from its Action Populaire activist platform stolen and posted on a hacking forum, exposing some 120,000 email addresses, 20,000 phone numbers, postal addresses and member activity spanning 2017-2026.

Victim
La France Insoumise
Data breachContained

Leak at French Basketball Federation

In April 2026 the French Basketball Federation (FFBB) suffered a data breach after an attacker abused a compromised user account in its licensee-management tool, exposing identity and contact details of up to ~2 million licensees and ~900,000 legal representatives.

Victim
French Basketball Federation
Vulnerability exploitContained

Leak at I-Cad

I-Cad, France's national dog, cat and ferret identification registry, disclosed in March 2026 that a September 2025 software vulnerability had allowed automated querying of its database, exposing users' email addresses and fuelling phishing campaigns against pet owners.

Victim
I-Cad
Data breachUnknown

109,302 CMF members: data leak claimed

On 20 March 2026, a database of the Confรฉdรฉration Musicale de France (CMF) โ€” France's federation of amateur music ensembles and schools โ€” was put up for sale by the actor HexDex, allegedly exposing 109,302 members including many minors, with identities, contact details, school records and disability notes.

Victim
Confรฉdรฉration Musicale de France (CMF)
Records
109.3K
Data breachResolved

Divine Skins data breach (2026)

In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed emailโ€ฆ

Victim
Divine Skins
Records
105.8K
Supply chainContained

Leak at Palais de la Porte Dorรฉe

On 2 March 2026, the Palais de la Porte Dorรฉe was among 40+ French cultural institutions affected by a ransomware attack on shared ticketing provider Vivaticket, potentially exposing visitors' names, contact details, dates of birth, purchase histories and encrypted passwords.

Victim
Palais de la Porte Dorรฉe
Data breachContained

Data leak at the French Badminton Federation

The French Badminton Federation disclosed that an unauthorized export from its internal Poona membership platform, traced to a compromised administrator account and discovered in September 2025, exposed personal data on roughly 300,000 licensed members, including names, dates of birth, contact details and parents' names.

Victim
French Badminton Federation
Records
300.0K
Data breachUnknown

Leak at FFCK and Paddle Sports

In February 2026, the French Canoe Kayak and Paddle Sports Federation (FFCK) had a member database covering decades of licence-holders leaked and offered for sale, exposing the names, dates of birth, postal addresses, phone numbers, emails and club/licence details of roughly 393,374 people.

Victim
FFCK and Paddle Sports
Records
393.4K
Data breachUnknown

Data leak at Prozon, volume not specified

In February 2026, French company Prozon disclosed a data breach affecting its customers after an attacker gained unauthorised access to one of its infrastructure tools; the company confirmed the incident and notified France's data-protection regulator, the CNIL, though the volume of affected records was not specified.

Victim
Prozon
Data breachContained

Leak at French Table Tennis Federation

The French Table Tennis Federation (FFTT) disclosed a cyberattack in which a compromised account was used to bulk-extract licence-holder records โ€” names, dates and places of birth, nationality, licence numbers and contact details for an estimated 210,000โ€“254,000 members; no banking or health data was affected.

Victim
French Table Tennis Federation
Data breachContained

Leak at French Sailing Federation

In early February 2026, France's national sailing federation (FFVoile) disclosed a data breach of its licence-management platform via a compromised club account, exposing personal data of several hundred thousand licensees including names, birthdates, addresses, emails, phone numbers and disability status.

Victim
French Sailing Federation
Data breachResolved

Provecho data breach (2026)

In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed.

Victim
Provecho
Records
712.9K
Data breachOngoing

Leak at 11 real estate agencies

On 28 January 2026, a leak of roughly 1.18 million files (500+ GB) affecting 11 French real estate agencies โ€” including Marteau Immobilier (Orpi), AFG Immobilier and Trenta Immobilier โ€” was put up for sale on a cybercrime forum, exposing IDs, IBANs, contracts and credentials of an estimated 20,000+ owners, tenants and co-owners.

Victim
11 real estate agencies
Data breachContained

950,000 people affected by data leak at FFESSM

On 24 January 2026, France's underwater diving federation FFESSM disclosed a personal-data breach after unauthorised access to one of its IT systems exposed identity and contact details of members and licence holders, with roughly 950,000 people affected and data offered for sale on the dark web.

Victim
FFESSM (French Federation of Underwater Studies and Sports)
Records
950.0K
Data breachContained

Leak at French Hunting Federation

On 23 Jan 2026 the Fรฉdรฉration Nationale des Chasseurs disclosed a breach of its hunting-permit validation portal, exposing names, dates of birth, postal/email addresses, phone numbers, federal IDs and licence details of roughly 1.4 million hunters.

Victim
French Hunting Federation
Records
1.4M
Data breachOngoing

1,200,000 people exposed in data leak at FFVolley

The French Volleyball Federation (FFVolley) confirmed a breach of its membership database affecting roughly 1.2 million licensees, with about 23 GB of highly sensitive files โ€” including national ID cards, passports and birth certificates โ€” exfiltrated and offered for sale.

Victim
French Volleyball Federation (FFVolley)
Records
1.2M
Data breachOngoing

Leak at Orpi

In January 2026, a database from the French real-estate network Orpi's owner/tenant extranet surfaced online, exposing names, postal addresses, IBANs, rent receipts and extranet logins with passwords stored in plain text.

Victim
Orpi
Data breachUnknown

Data leak at Too Easy

On 23 January 2026, a data leak attributed to Too Easy was reported, exposing customer personal data including names, email addresses, phone numbers and IP addresses. The full scale of the incident has not been publicly confirmed.

Victim
Too Easy
Data breachUnknown

Data leak at Valorissimo

Disclosed on 23 January 2026, a leak from Valorissimo โ€” the French B2B new-build real estate marketplace owned by Bouygues Immobilier โ€” exposed account data of platform users, including logins, email addresses, names, phone numbers, postal addresses and company affiliations.

Victim
Valorissimo
Data breachContained

822,499 FNSPF members affected by data leak

Around 822,499 members of France's National Firefighters Federation (FNSPF) had their personal data exposed in a January 2026 leak tied to a wider campaign of French federation breaches, with names, dates of birth, postal and email addresses and phone numbers harvested and resold on underground forums.

Victim
French National Firefighters Federation (FNSPF)
Records
822.5K
Data breachContained

561,502 licence holders affected by data leak at FFME

In January 2026 the French Federation of Mountaineering and Climbing (FFME) disclosed a data breach in which a fraudulently used member account gave illegitimate access to contact data โ€” names, dates of birth, addresses, licence types โ€” for its licence holders, a leak tracked at 561,502 records.

Victim
French Federation of Mountaineering and Climbing (FFME) #2
Records
561.5K
Supply chainUnknown

133,297 members affected by Lions Clubs of France data leak

In early January 2026, a member database of the Fondation des Lions de France (Lions Clubs of France) was published on BreachForums, exposing 133,297 deduplicated individuals โ€” including full civil status, home addresses, phone numbers and profile photos โ€” in a leak traced to the MyAssoc club-management platform.

Victim
Lions de France Foundation (Lions Clubs of France)
Records
133.3K
Data breachOngoing

800,000 records in Adecco data leak

In early January 2026, staffing agency Adecco was hit by a data leak after a threat actor put a database of roughly 800,000 candidate profiles โ€” including about 750,000 CVs with names, contact details and work histories โ€” up for sale, claiming extraction from an internal Adecco tool.

Victim
Adecco
Records
800.0K
Data breachContained

Leak at French Speleology Federation

On 31 December 2024 the French Speleology Federation (FFS) disclosed a data leak from its insurance-subscription portal, exposing members' identity, contact details, nationality, profession and licence numbers as part of a wider wave of attacks on French sports federations.

Victim
French Speleology Federation
Data breachUnknown

Leak at French Kick Boxing Federation

In late December 2025, the French Kick Boxing Federation (FFKMDA) had its member database leaked on BreachForums, exposing 361,321 licensees' names, dates of birth, nationalities, contact details, postal addresses and licence records across 2015-2026 seasons.

Victim
French Kick Boxing Federation
Records
361.3K
Data breachContained

Leak at French Swimming Federation

Data on roughly 1.3 million members of the French Swimming Federation (FFN) was put up for sale on BreachForums on 23 December 2025 after its Extranat management platform was breached, exposing identity details, contact information and licence numbers.

Victim
French Swimming Federation
Records
1.3M
Data breachUnknown

Leak at 123 casting

On 22 December 2025, a database of roughly 240,000 users of French casting platform 123casting was published on BreachForums, exposing identities, contact details, MD5-hashed passwords, physical measurements, ethnic origin, photo/video books, private messages and payment data.

Victim
123 casting
Records
240.0K
Data breachContained

Leak at French Cycling Federation

On 10 December 2025, the Fรฉdรฉration Franรงaise de Cyclisme detected an intrusion (via stolen credentials/infostealers, no MFA) exposing licensees' names, dates of birth, nationality, postal addresses, emails and phone numbers; group Dumpsec also claimed to hold ID documents.

Victim
French Cycling Federation
Supply chainContained

Data leak at UFOLEP (via Exalto)

On 10 December 2025, UFOLEP โ€” the French multi-sport federation โ€” disclosed that a compromised account on its third-party licence-management provider Exalto exposed at least 3,624 member records, including identity, contact and legal-guardian details.

Victim
UFOLEP
Records
3.6K
Data breachResolved

Dragonica Lunaris data breach (2025)

In December 2025, the European Dragonica private server Dragonica Lunaris suffered a data breach. The incident exposed 126k email addresses, usernames, dates of birth and bcrypt password hashes. The service operator confirmed the breach and advised it has since been fixed.

Victim
Dragonica Lunaris
Records
126.3K
Data breachContained

Leak at French Dance Federation

In November 2025, the French Dance Federation (FFDanse) suffered a cyberattack on its extranet that damaged the server and exposed licence-holders' personal data, including names, dates of birth, contact details, licence numbers and hashed passwords; no medical or banking data was affected.

Victim
French Dance Federation
Data breachUnknown

Leak at ProxiServe

On 25 November 2025, a database belonging to French residential maintenance firm ProxiServe surfaced on a hacker forum, exposing personal and service data on 294,639 customers, including names, emails, postal addresses and details of home interventions.

Victim
ProxiServe
Records
294.6K
Data breachContained

Leak at French Cardiology Federation

Around 11 November 2025, the Fรฉdรฉration Franรงaise de Cardiologie disclosed that an unauthorized intrusion into its IT systems exposed members' personal data โ€” including names, postal and email addresses, phone numbers and passwords. No banking or medical data was compromised.

Victim
French Cardiology Federation
Data breachOngoing

Leak at French Table Tennis Federation

On 19 September 2025, the French Table Tennis Federation (FFTT) disclosed a data breach in which an attacker used a compromised account to bulk-extract member records, exposing the personal data of as many as 254,000 licensees, though no banking or health data.

Victim
French Table Tennis Federation
Data breachResolved

Giglio data breach (2025)

In August 2025, over 1M unique email addresses appeared in a breach allegedly obtained from Italian fashion designer Giglio. The data also included names, phone numbers and physical addresses. Giglio did not respond to repeated attempts to disclose the incident.

Victim
Giglio
Records
1.0M
Data breachResolved

Pi-hole data breach (2025)

In July 2025, a vulnerability in the GiveWP WordPress plugin exposed the names and email addresses of approximately 30k donors to the Pi-hole network-wide ad blocking project. Pi-hole subsequently self-submitted the list of impacted donors to HIBP.

Victim
Pi-hole
Records
29.9K
Data breachResolved

Allianz Life data breach (2025)

In July 2025, Allianz Life was the victim of a cyber attack which resulted in millions of records later being leaked online. Allianz attributed the attack to "a social engineering technique" which targeted data on Salesforce and resulted in the exposure of 1.1M unique email addresses, names,โ€ฆ

Victim
Allianz Life
Records
1.1M
Data breachResolved

Catwatchful data breach (2025)

In June 2025, spyware maker Catwatchful suffered a data breach that exposed over 60k customer records. The breach was due to a SQL injection vulnerability that enabled email addresses and plain text passwords to be extracted from the system.

Victim
Catwatchful
Records
61.6K
Data breachResolved

Creams Cafe data breach (2025)

In May 2025, 160k records of customer data was allegedly obtained from Creams Cafe, "the UK's favourite dessert parlour". The data included email and physical addresses, names and phone numbers.

Victim
Creams Cafe
Records
159.7K
Data breachContained

Leak at French Football Federation

In February 2025 the French Football Federation (FFF) suffered a data breach via a compromised account on its licensee-management platform; at least ~43,000 users had personal data exposed, including names, contact details, and copies of ID documents.

Victim
French Football Federation
Data breachResolved

Cocospy data breach (2025)

In February 2025, the spyware service Cocospy suffered a data breach along with sibling spyware service, Spyic. The Cocospy breach alone exposed almost 1.8M customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs,โ€ฆ

Victim
Cocospy
Records
1.8M
Data breachResolved

Spyic data breach (2025)

In February 2025, the spyware service Spyic suffered a data breach along with sibling spyware service, Cocospy. The Spyic breach alone exposed almost 876k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs,โ€ฆ

Victim
Spyic
Records
876.0K
Data breachResolved

Doxbin Scrape data breach (2025)

In January 2025, 435k email addresses were scraped from the "doxing" service Doxbin. Posts to the service are usually intended to disclose the personal information of non-consensually third parties.

Victim
Doxbin Scrape
Records
435.8K
Data breachResolved

Frame & Optic data breach (2025)

In January 2025, the eyewear seller Frame & Optic suffered a data breach. The incident exposed almost 16k unique email addresses along with names, phone numbers and geolocation data including country, state and postcode.

Victim
Frame & Optic
Records
15.7K
Supply chainUnknown

Leak at French Strength Federation

In January 2025, the Fรฉdรฉration Franรงaise de Force (FFForce) had personal data of 64,512 members exposed via a compromised shared sports-licensing IT provider; records (names, dates of birth, emails, postal addresses, phone numbers) were later sold on BreachForums.

Victim
French Strength Federation
Records
64.5K
Supply chainContained

Leak at French Roller Skateboard Federation

In January 2025, the Fรฉdรฉration Franรงaise de Roller et Skateboard had the personal data of roughly 577,000 members exposed after a shared sports-federation IT provider was compromised; names, dates of birth, email/postal addresses and phone numbers were leaked.

Victim
French Roller Skateboard Federation
Records
577.1K
Data breachResolved

BitView data breach (2024)

In December 2024, the video sharing Community BitView suffered a data breach that exposed 63k customer records. Attributed to a backup taken by a previous administrator earlier in the year, the breach exposed email and IP addresses, bcrypt password hashes, usernames, bios, private messages, videoโ€ฆ

Victim
BitView
Records
63.1K
RansomwareUnknown

Leak at Deloitte

On 4 December 2024, the Brain Cipher ransomware group publicly claimed to have stolen over 1 TB of data from Deloitte UK; Deloitte said the allegations related to a single client's system outside its own network and that no Deloitte systems were impacted.

Victim
Deloitte
Data breachResolved

Switch data breach (2024)

In October 2024, the Hungarian IT headhunting service Switch inadvertently exposed thousands of customer records via a public GitHub repository. The exposed data contained job applications with names, email addresses and in some cases, commentary on the applicant.

Victim
Switch
Records
5.4K
Data breachResolved

Instituto Nacional de Deportes de Chile data breach (2024)

In September 2024, the Instituto Nacional de Deportes de Chile (Chile's National Sports Institute) suffered a data breach. The incident exposed 1.7M rows of data with 320k unique email addresses alongside names, dates of birth, genders and bcrypt password hashes.

Victim
Instituto Nacional de Deportes de Chile
Records
319.6K
Data breachResolved

MSI data breach (2024)

In July 2024, MSI inadvertently exposed hundreds of thousands of customer records related to RMA claims that were subsequently found to be publicly accessible. The data included 250k unique email addresses alongside names, phone numbers, physical addresses and warranty claims.

Victim
MSI
Records
250.0K
Data breachResolved

SpyX data breach (2024)

In June 2024, spyware maker SpyX suffered a data breach that exposed almost 2M unique email addresses. The breach also exposed IP addresses, countries of residence, device information and 6-digit PINs in the password field.

Victim
SpyX
Records
2.0M
Data breachResolved

Spytech data breach (2024)

In July 2024, spyware maker Spytech suffered a data breach that exposed data collected as recently as the previous month. Designed to "invisibly record everything users do", the breach exposed information related to both purchasers and targets of the product.

Victim
Spytech
Records
5.6K
Data breachResolved

Operation Endgame data breach (2024)

In May 2024, a coalition of international law enforcement agencies took down a series of botnets in a campaign they coined "Operation Endgame". Data seized in the operation included impacted email addresses and passwords which were provided to HIBP to help victims learn of their exposure.

Victim
Operation Endgame
Records
16.5M
Supply chainContained

Data leak at Ticketmaster

In 2024, ticketing giant Ticketmaster (Live Nation) suffered a breach of a third-party Snowflake cloud database; data on up to 560 million customers โ€” names, contact details, order history and partial payment-card data โ€” was stolen and offered for sale by ShinyHunters.

Victim
Ticketmaster
Records
560.0M
Data breachResolved

Fair Vote Canada data breach (2024)

In March 2024, the Canadian national citizens' campaign for proportional representation Fair Vote Canada suffered a data breach. The incident was attributed to "a well-meaning volunteer" who inadvertently exposed data from 2020 which included 134k unique email addresses, names, physical addresses,โ€ฆ

Victim
Fair Vote Canada
Records
134.3K
Data breachResolved

Spyzie data breach (2024)

In February 2025, the spyware service Spyzie suffered a data breach along with sibling spyware services, Spyic and Cocospy. The Spyzie breach alone exposed almost 519k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos,โ€ฆ

Victim
Spyzie
Records
518.6K
Data breachResolved

Qakbot data breach (2023)

In August 2023, the US Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, and the United Kingdom to disrupt the botnet and malware known as Qakbot and take down its infrastructure.

Victim
Qakbot
Records
6.4M
Data breachResolved

Phished Data via CERT Poland data breach (2023)

In August 2023, CERT Poland observed a phishing campaign that collected credentials from 68k victims. The campaign collected email addresses and passwords via a phishing email masquerading as a purchase order confirmation.

Victim
Phished Data via CERT Poland
Records
67.9K
Data breachResolved

Terravision data breach (2023)

In February 2023, the European airport transfers service Terravision suffered a data breach. The breach exposed over 2M records of customer data including names, phone numbers, email addresses, salted password hashes and in some cases, date of birth and country of origin.

Victim
Terravision
Records
2.1M
Data breachResolved

RealDudesInc data breach (2022)

In October 2022, the GTA mod menu provider RealDudesInc suffered a data breach that exposed over 100k email addresses (many of which are temporary guest account addresses). The breach also included usernames and bcrypt password hashes.

Victim
RealDudesInc
Records
101.5K
Data breachResolved

Doomworld data breach (2022)

In October 2022, the Doomworld fourm suffered a data breach that exposed 34k member records. The data included email and IP addresses, usernames and bcrypt password hashes.

Victim
Doomworld
Records
34.5K
Data breachResolved

DoorDash data breach (2022)

In August 2022, the food ordering and delivery service DoorDash disclosed a data breach that impacted a portion of their customers. DoorDash attributed the breach to an unnamed "third-party vendor" they stated was the victim of a phishing campaign.

Victim
DoorDash
Records
367.5K
Data breachResolved

NVIDIA data breach (2022)

In February 2022, microchip company NVIDIA suffered a data breach that exposed employee credentials and proprietary code. Impacted data included over 70k employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.

Victim
NVIDIA
Records
71.3K
Data breachResolved

GiveSendGo data breach (2022)

In February 2022, the Christian fundraising service GiveSendGo suffered a data breach which exposed the personal data of 90k donors to the Canadian "Freedom Convoy" protest against vaccine mandates.

Victim
GiveSendGo
Records
90.0K
Data breachResolved

RedLine Stealer data breach (2021)

In December 2021, logs from the RedLine Stealer malware were left publicly exposed and were then obtained by security researcher Bob Diachenko. The data included 441 thousand unique email addresses, usernames and plain text passwords.

Victim
RedLine Stealer
Records
441.7K
Data breachResolved

ZAP-Hosting data breach (2021)

In November 2021, web host ZAP-Hosting suffered a data breach that exposed over 60GB of data containing 746k unique email addresses. The breach also contained support chat logs, IP addresses, names, purchases, physical addresses and phone numbers.

Victim
ZAP-Hosting
Records
746.7K
Data breachResolved

Republican Party of Texas data breach (2021)

In September 2021, the Republican Party of Texas was hacked by a group claiming to be "Anonymous" in retaliation for the state's controversial abortion ban. The September defacement was followed by a leak of data and documents which included material from the hosting provider Epik.

Victim
Republican Party of Texas
Records
72.6K
Data breachResolved

Phoenix data breach (2021)

In mid-2021, the "vintage messaging reborn" service Phoenix suffered a data breach that exposed 75k unique email addresses. The breach also exposed IP addresses, usernames and passwords.

Victim
Phoenix
Records
74.8K
Data breachResolved

NurseryCam data breach (2021)

In February 2021, a series of egregiously bad security flaws were identified in the NurseryCam system designed for parents to remotely monitor their children whilst attending nursery. The flaws led to the exposure of over 10k parent records before the service was shut down.

Victim
NurseryCam
Records
10.6K
Data breachResolved

Emotet data breach (2021)

In January 2021, the FBI in partnership with the Dutch NHTCU, German BKA and other international law enforcement agencies brought down the world's most dangerous malware: Emotet.

Victim
Emotet
Records
4.3M
Data breachunresolved

Brazil 223-million mega-leak

The largest personal-data leak in Brazilian history: databases on roughly 223 million people โ€” including names, CPF tax IDs, facial images, salaries and credit scores โ€” surfaced for sale on a dark-web forum, with suspicion pointing at credit-bureau data.

Victim
Brazilian population (credit-bureau-linked databases)
Records
223.0M
Data breachResolved

Capital Economics data breach (2020)

In December 2020, the economic research company Capital Economics suffered a data breach that exposed 263k customer records. The exposed data included email and physical addresses, names, phone numbers, job titles and the employer of impacted customers.

Victim
Capital Economics
Records
263.8K
Data breachResolved

Not Acxiom data breach (2020)

In 2020, a corpus of data containing almost a quarter of a billion records spanning over 400 different fields was misattributed to database marketing company Acxiom and subsequently circulated within the hacking community.

Victim
Not Acxiom
Records
51.7M
Data breachResolved

Acuity data breach (2020)

In mid-2020, a 437GB corpus of data attributed to an entity named "Acuity" was created and later extensively distributed. However, the source could not be confidently verified as any known companies named Acuity.

Victim
Acuity
Records
14.1M
Data breachResolved

Straffic data breach (2020)

In February 2020, Israeli marketing company Straffic exposed a database with 140GB of personal data. The publicly accessible Elasticsearch database contained over 300M rows with 49M unique email addresses. Exposed data also included names, phone numbers, physical addresses and genders.

Victim
Straffic
Records
48.6M
Data breachResolved

Zoosk (2020) data breach (2020)

In January 2020, the online dating service Zoosk suffered a data breach which was subsequently shared extensively across online hacking communities. The breach contained 24 million unique email addresses alongside extensive personal information including genders, sexualities, dates of birth,โ€ฆ

Victim
Zoosk (2020)
Records
23.9M
Data breachResolved

Nameless Malware data breach (2020)

In January 2021, NordLocker provided HIBP 1.1 million email addresses collected by nameless malware. The malware campaign ran between 2018 and 2020 and infected 3.25 million computers, stealing files, credentials and taking screenshots and photos using the computer's webcam.

Victim
Nameless Malware
Records
1.1M
Data breachResolved

Universarium data breach (2019)

In approximately November 2019, the Russian "Remote preparatory faculty for IT specialties" Universarium suffered a data breach. The incident exposed 565k email addresses and passwords in plain text. Universarium did not respond to multiple attempts to make contact over a period of many weeks.

Victim
Universarium
Records
565.0K
Data breachResolved

Audi data breach (2019)

In August 2019, Audi USA suffered a data breach after a vendor left data unsecured and exposed on the internet. The data contained 2.7M unique email addresses along with names, phone numbers, physical addresses and vehicle information including VIN.

Victim
Audi
Records
2.7M
Data breachResolved

Wiener Bรผchereien data breach (2019)

In June 2019, the library of Vienna (Wiener Bรผchereien) suffered a data breach. The compromised data included 224k unique email addresses, names, physical addresses, phone numbers and dates of birth. The breached data was subsequently posted to Twitter by the alleged perpetrator of the breach.

Victim
Wiener Bรผchereien
Records
224.1K
Data breachResolved

Hakko Corporation data breach (2019)

In March 2019, the Japanese solder-related business Hakko Corporation suffered a data breach. The incident exposed almost 10k customer records including email and physical addresses, phone numbers, names, usernames, genders, dates of birth and plain text passwords.

Victim
Hakko Corporation
Records
9.7K
Data breachResolved

Intelimost data breach (2019)

In March 2019, a spam operation known as "Intelimost" sent millions of emails appearing to come from people the recipients knew. Security researcher Bob Diachenko found over 3 million unique email addresses in an exposed Elasticsearch database, alongside plain text passwords used to access theโ€ฆ

Victim
Intelimost
Records
3.1M
Data breachResolved

Elasticsearch Instance of Sales Leads on AWS data breach (2018)

In October 2018, security researcher Bob Diachenko identified multiple exposed databases with hundreds of millions of records. One of those datasets was an Elasticsearch instance on AWS containing sales lead data and 5.8M unique email addresses.

Victim
Elasticsearch Instance of Sales Leads on AWS
Records
5.8M
Data breachResolved

SaverSpy data breach (2018)

In September 2018, security researcher Bob Diachenko discovered a massive collection of personal details exposed in an unprotected Mongo DB instance. The data appears to have been used in marketing campaigns (possibly for spam purposes) but had little identifying data about it other than aโ€ฆ

Victim
SaverSpy
Records
2.5M
Data breachResolved

SpyFone data breach (2018)

In August 2018, the spyware company SpyFone left terabytes of data publicly exposed. Collected surreptitiously whilst the targets were using their devices, the data included photos, audio recordings, text messages and browsing history which were then exposed via a number of misconfigurations withinโ€ฆ

Victim
SpyFone
Records
44.1K
Data breachResolved

Pemiblanc data breach (2018)

In April 2018, a credential stuffing list containing 111 million email addresses and passwords known as Pemiblanc was discovered on a French server. The list contained email addresses and passwords collated from different data breaches and used to mount account takeover attacks against otherโ€ฆ

Victim
Pemiblanc
Records
111.0M
Data breachResolved

2,844 Separate Data Breaches data breach (2018)

In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen.

Victim
2,844 Separate Data Breaches
Records
80.1M
Data breachResolved

HoundDawgs data breach (2017)

In December 2017, the Danish torrent tracker known as HoundDawgs suffered a data breach. More than 55GB of data was dumped publicly and whilst there was initially contention as to the severity of the incident, the data did indeed contain more than 45k unique email addresses complete extensive logsโ€ฆ

Victim
HoundDawgs
Records
45.7K
Data breachResolved

Legendas.TV data breach (2017)

In October 2017, the now defunct Brazilian service for retrieving subtitles in Portuguese Legendas.TV suffered a data breach that exposed nearly 4M customer records. The impacted data included names, usernames, email and IP addresses and unsalted SHA-1 hashes.

Victim
Legendas.TV
Records
3.9M
Data breachResolved

B2B USA Businesses data breach (2017)

In mid-2017, a spam list of over 105 million individuals in corporate America was discovered online. Referred to as "B2B USA Businesses", the list categorised email addresses by employer, providing information on individuals' job titles plus their work phone numbers and physical addresses.

Victim
B2B USA Businesses
Records
105.1M
Data breachResolved

8tracks data breach (2017)

In June 2017, the online playlists service known as 8Tracks suffered a data breach which impacted 18 million accounts. In their disclosure, 8Tracks advised that "the vector for the attack was an employeeโ€™s GitHub account, which was not secured using two-factor authentication".

Victim
8tracks
Records
18.0M
Data breachResolved

Freedom Hosting II data breach (2017)

In January 2017, the free hidden service host Freedom Hosting II suffered a data breach. The attack allegedly took down 20% of dark web sites running behind Tor hidden services with the attacker claiming that of the 10,613 impacted sites, more than 50% of the content was child pornography.

Victim
Freedom Hosting II
Records
380.8K
Data breachResolved

CloudPets data breach (2017)

In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands).

Victim
CloudPets
Records
583.5K
Data breachResolved

Little Monsters data breach (2017)

In approximately January 2017, the Lady Gaga fan site known as "Little Monsters" suffered a data breach that impacted 1 million accounts. The data contained usernames, email addresses, dates of birth and bcrypt hashes of passwords.

Victim
Little Monsters
Records
995.7K
Data breachResolved

Victory Phones data breach (2017)

In January 2017, the automated telephony services company Victory Phones left a Mongo DB database publicly facing without a password. Subsequently, 213GB of data was downloaded by an unauthorised party including names, addresses, phone numbers and over 166k unique email addresses.

Victim
Victory Phones
Records
166.0K
Data breachResolved

Anti Public Combo List data breach (2016)

In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems.

Victim
Anti Public Combo List
Records
458.0M
Data breachResolved

Youku data breach (2016)

In late 2016, China's leading online video platform Youku suffered a data breach exposing roughly 92 million unique user accounts together with usernames and MD5-hashed passwords, which later circulated on dark-web marketplaces.

Victim
Youku
Records
91.9M
Data breachResolved

MCBans data breach (2016)

In October 2016, the Minecraft banning service known as MCBans suffered a data breach resulting in the exposure of 120k unique user records. The data contained email and IP addresses, usernames and password hashes of unknown format.

Victim
MCBans
Records
119.9K
Data breachResolved

Exploit.In data breach (2016)

In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems.

Victim
Exploit.In
Records
593.4M
Data breachResolved

Pokรฉmon Negro data breach (2016)

In approximately October 2016, the Spanish Pokรฉmon site Pokรฉmon Negro suffered a data breach. The attack resulted in the disclosure of 830k accounts including email and IP addresses along with plain text passwords. Pokรฉmon Negro did not respond when contacted about the breach.

Victim
Pokรฉmon Negro
Records
830.2K
Data breachResolved

Real Estate Mogul data breach (2016)

In September 2016, the real estate investment site Real Estate Mogul had a Mongo DB instance compromised and 5GB of data downloaded by an unauthorised party. The data contained real estate listings including addresses and the names, phone numbers and 308k unique email addresses of the sellers.

Victim
Real Estate Mogul
Records
307.8K
Data breachResolved

Digimon data breach (2016)

In September 2016, over 16GB of logs from a service indicated to be digimon.co.in were obtained, most likely from an unprotected Mongo DB instance. The service ceased running shortly afterwards and no information remains about the precise nature of it.

Victim
Digimon
Records
7.7M
Data breachResolved

NetProspex data breach (2016)

In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them.

Victim
NetProspex
Records
33.7M
Data breachResolved

Roblox data breach (2016)

In August 2016, Roblox disclosed a data breach that affected over 50k users. The security incident impacted email and IP addresses, usernames, purchases and Robux balances which were left exposed on a test server.

Victim
Roblox
Records
52.5K
Data breachResolved

FreshMenu data breach (2016)

In July 2016, the India-based food delivery service FreshMenu suffered a data breach. The incident exposed the personal data of over 110k customers and included their names, email addresses, phone numbers, home addresses and order histories.

Victim
FreshMenu
Records
110.4K
Data breachResolved

Funimation data breach (2016)

In July 2016, the anime site Funimation suffered a data breach that impacted 2.5 million accounts. The data contained usernames, email addresses, dates of birth and salted SHA1 hashes of passwords.

Victim
Funimation
Records
2.5M
Data breachResolved

Uiggy data breach (2016)

In June 2016, the Facebook application known as Uiggy was hacked and 4.3M accounts were exposed, 2.7M of which had email addresses against them. The leaked accounts also exposed names, genders and the Facebook ID of the owners.

Victim
Uiggy
Records
2.7M
Data breachResolved

Teracod data breach (2016)

In May 2015, almost 100k user records were extracted from the Hungarian torrent site known as Teracod. The data was later discovered being torrented itself and included email addresses, passwords, private messages between members and the peering history of IP addresses using the service.

Victim
Teracod
Records
97.2K
Data breachResolved

KM.RU data breach (2016)

In February 2016, the Russian portal and email service KM.RU was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", KM.RU was one of several Russian sites in the breach and impacted almost 1.5M accountsโ€ฆ

Victim
KM.RU
Records
1.5M
Data breachResolved

TruckersMP data breach (2016)

In February 2016, the online trucking simulator mod TruckersMP suffered a data breach which exposed 84k user accounts. In a first for "Have I Been Pwned", the breached data was self-submitted directly by the organisation that was breached itself.

Victim
TruckersMP
Records
84.0K
Data breachResolved

V-Tight Gel data breach (2016)

In approximately February 2016, data surfaced which was allegedly obtained from V-Tight Gel (vaginal tightening gel). Whilst the data set was titled V-Tight, within there were 50 other (predominantly wellness-related) domain names, most owned by the same entity.

Victim
V-Tight Gel
Records
2.0M
Data breachResolved

Onverse data breach (2016)

In January 2016, the online virtual world known as Onverse was hacked and 800k accounts were exposed. Along with email and IP addresses, the site also exposed salted MD5 password hashes.

Victim
Onverse
Records
800.2K
Data breachResolved

ServerPact data breach (2016)

In mid-2015, the Dutch Minecraft site ServerPact was hacked and 73k accounts were exposed. Along with birth dates, email and IP addresses, the site also exposed SHA1 password hashes with the username as the salt.

Victim
ServerPact
Records
73.6K
Data breachResolved

Aternos data breach (2015)

In December 2015, the service for creating and running free Minecraft servers known as Aternos suffered a data breach that impacted 1.4 million subscribers. The data included usernames, email and IP addresses and hashed passwords.

Victim
Aternos
Records
1.4M
Data breachResolved

Ancestry data breach (2015)

In November 2015, an Ancestry service known as RootsWeb suffered a data breach. The breach was not discovered until late 2017 when a file containing almost 300k email addresses and plain text passwords was identified.

Victim
Ancestry
Records
297.8K
Data breachResolved

Mac-Torrents data breach (2015)

In October 2015, the torrent site Mac-Torrents was hacked and almost 94k usernames, email addresses and passwords were leaked. The passwords were hashed with MD5 and no salt.

Victim
Mac-Torrents
Records
94.0K
Data breachResolved

Special K Data Feed Spam List data breach (2015)

In mid to late 2015, a spam list known as the Special K Data Feed was discovered containing almost 31M identities. The data includes personal attributes such as names, physical and IP addresses, genders, birth dates and phone numbers. Read more about spam lists in HIBP.

Victim
Special K Data Feed Spam List
Records
30.7M
Data breachResolved

MyVidster (2015) data breach (2015)

In August 2015, the social video sharing and bookmarking site MyVidster was hacked and nearly 20,000 accounts were dumped online. The dump included usernames, email addresses and hashed passwords.

Victim
MyVidster (2015)
Records
19.9K
Data breachResolved

Hacking Team data breach (2015)

In July 2015, the Italian security firm Hacking Team suffered a major data breach that resulted in over 400GB of their data being posted online via a torrent. The data searchable on "Have I Been Pwned?" is from 189GB worth of PST mail folders in the dump.

Victim
Hacking Team
Records
32.3K
Data breachResolved

myRepoSpace data breach (2015)

In July 2015, the Cydia repository known as myRepoSpace was hacked and user data leaked publicly. Cydia is designed to facilitate the installation of apps on jailbroken iOS devices.

Victim
myRepoSpace
Records
252.8K
Data breachResolved

SC Daily Phone Spam List data breach (2015)

In early 2015, a spam list known as SC Daily Phone emerged containing almost 33M identities. The data includes personal attributes such as names, physical and IP addresses, genders, birth dates and phone numbers. Read more about spam lists in HIBP.

Victim
SC Daily Phone Spam List
Records
32.9M
Data breachResolved

000webhost data breach (2015)

In approximately March 2015, the free web hosting provider 000webhost suffered a major data breach that exposed almost 15 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords.

Victim
000webhost
Records
14.9M
Data breachResolved

Team SoloMid data breach (2014)

In December 2014, the electronic sports organisation known as Team SoloMid was hacked and 442k members accounts were leaked. The accounts included email and IP addresses, usernames and salted hashes of passwords.

Victim
Team SoloMid
Records
442.2K
Data breachResolved

Quantum Booter data breach (2014)

In March 2014, the booter service Quantum Booter (also referred to as Quantum Stresser) suffered a breach which lead to the disclosure of their internal database.

Victim
Quantum Booter
Records
48.6K
Data breachResolved

Rambler data breach (2014)

A data dump of almost 100 million accounts from Russian internet portal Rambler โ€” often called 'the Russian Yahoo' โ€” surfaced for trade in 2016, exposing roughly 91 million unique usernames and passwords stored in plain text.

Victim
Rambler
Records
91.4M
Data breachResolved

Snapchat data breach (2014)

In January 2014 just one week after Gibson Security detailed vulnerabilities in the service, Snapchat had 4.6 million usernames and phone number exposed.

Victim
Snapchat
Records
4.6M
Data breachResolved

Lookbook data breach (2012)

In August 2012, the fashion site Lookbook suffered a data breach. The data later appeared listed for sale in June 2016 and included 1.1 million usernames, email and IP addresses, birth dates and plain text passwords.

Victim
Lookbook
Records
1.1M
Data breachResolved

Disqus data breach (2012)

In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced. The breach contained over 17.5 million unique email addresses and usernames.

Victim
Disqus
Records
17.6M
Data breachResolved

126 data breach (2012)

In approximately 2012, it's alleged that the Chinese email service known as 126 suffered a data breach that impacted 6.4 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
126
Records
6.4M
Data breachResolved

Zhenai.com data breach (2011)

In December 2011, the Chinese dating site known as Zhenai.com suffered a data breach that impacted 5 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Zhenai.com
Records
5.0M
Data breachResolved

Sony data breach (2011)

In 2011, Sony suffered breach after breach after breach โ€” it was a very bad year for them. The breaches spanned various areas of the business ranging from the PlayStation network all the way through to the motion picture arm, Sony Pictures.

Victim
Sony
Records
37.1K
Data breachResolved

QIP data breach (2011)

In mid-2011, the Russian instant messaging service known as QIP (Quiet Internet Pager) suffered a data breach. The attack resulted in the disclosure of over 26 million unique accounts including email addresses and passwords with the data eventually appearing in public years later.

Victim
QIP
Records
26.2M
Data breachResolved

Neteller data breach (2010)

In May 2010, the e-wallet service known as Neteller suffered a data breach which exposed over 3.6M customers. The breach was not discovered until October 2015 and included names, email addresses, home addresses and account balances.

Victim
Neteller
Records
3.6M
Data breachResolved

Money Bookers data breach (2009)

Sometime in 2009, the e-wallet service known as Money Bookers suffered a data breach which exposed almost 4.5M customers. Now called Skrill, the breach was not discovered until October 2015 and included names, email addresses, home addresses and IP addresses.

Victim
Money Bookers
Records
4.5M