Skip to content

Incidents in sector:

Retail

Data breachResolved

Atlas Menu data breach (2026)

In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository.

Victim
Atlas Menu
Records
63.9K
Data breachOngoing

1,528 contacts at Nature & Cie, claimed leak

In late May 2026, a B2B commercial database attributed to French organic-food distributor Nature & Cie surfaced on a cybercriminal forum, exposing roughly 5,635 stores, over 1,500 professional contacts and around 1,500 sales-visit reports covering Biocoop, Naturalia and La Vie Claire partners.

Victim
Nature & Cie
Records
1.5K
Data breachContained

Leak at Bilov

In May 2026, Bilov — operator of the French Boulangeries Ange bakery chain — disclosed a data breach exposing the personal details (name, city, phone number) of around 812,000 customers after an active authentication token allowed unauthorized API access.

Victim
Bilov
Records
812.0K
Data breachUnknown

Leak at Céram Décor

On 25 April 2026, a confirmed data leak exposed customer personal data — names, email addresses, phone numbers, postal addresses and hashed passwords — from French ceramic and tile decoration retailer Céram Décor.

Victim
Céram Décor
Data breachContained

Data leak at Système U

In April 2026, French retail cooperative Système U disclosed a breach of its magasins-u.com loyalty portal in which attackers gained unauthorized access to customer accounts, exposing names, contact details and loyalty-card numbers but no banking data.

Victim
Système U
Supply chainContained

Leak at Jeu Jouet

French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.

Victim
Jeu Jouet
Data breachResolved

7-Eleven data breach (2026)

In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers.

Victim
7-Eleven
Records
185.3K
Data breachResolved

Hallmark data breach (2026)

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming…

Victim
Hallmark
Records
1.7M
Data breachContained

Le Petit Vapoteur: 3.3 million customers exposed

In late March 2026, French e-cigarette retailer Le Petit Vapoteur was hit by a data breach after a hacker using the alias 'undef' put its customer database up for sale, exposing names, emails, phone numbers, postal addresses and IP logs for a claimed 3.3 million customers and 599 employees spanning 2012-2026.

Victim
Le Petit Vapoteur
Records
3.3M
Data breachOngoing

476,282 customers affected by a claimed leak at Intersport Rent

On 11 March 2026, a database belonging to INTERSPORT Rent — the ski- and snowboard-equipment rental arm of the Intersport sports retail group — was dumped on a hacker forum, exposing roughly 1.2 million rows covering about 476,282 unique customers, including names, emails, phone numbers, loyalty numbers and rental order histories.

Victim
Intersport Rent
Records
476.3K
Data breachResolved

CarMax data breach (2026)

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Victim
CarMax
Records
431.4K
Data breachResolved

Edmunds data breach (2026)

In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone…

Victim
Edmunds
Records
177.9K
Data breachUnknown

Leak at Guiot de Bourg

On 24 January 2026, a customer database from French silver-jewelry brand Guiot de Bourg covering some 90,000 e-commerce accounts surfaced online, exposing names, emails, dates of birth, hashed passwords and order/payment metadata.

Victim
Guiot de Bourg
Data breachUnknown

Leak at Blackstore

On 12 January 2026, French streetwear and sneaker retailer Blackstore had a customer database leaked exposing the personal and order details of 101,979 people, including names, email addresses, phone numbers, store locations and order records.

Victim
Blackstore
Records
102.0K
Data breachContained

Leak at EasyCash

A threat actor put a customer database stolen from second-hand retailer EasyCash up for sale on a hacking forum, exposing roughly 14 million records — names, dates of birth, postal addresses, phone numbers and email addresses — apparently extracted via a compromised internal/partner account.

Victim
EasyCash
Data breachContained

Leak at Batterie de Portable

On 28 Dec 2025, French e-commerce retailer Batteriedeportable (Aubagne) disclosed a November cyberattack that exposed customer identity and contact data — names, dates of birth, postal/email addresses and phone numbers. It claims over a million European customers.

Victim
Batterie de Portable
Data breachUnknown

Leak at Nouvelle Lune

On 26 December 2025, a customer database from French online boutique Nouvelle Lune was leaked, exposing personal data for roughly 161 customers, including names, email and postal addresses, and order history.

Victim
Nouvelle Lune
Data breachResolved

Raaga data breach (2025)

In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5…

Victim
Raaga
Records
10.2M
Data breachUnknown

Leak at Euromatik

On 12 December 2025, customer data from French roller-shutter and home-automation retailer Euromatik was exposed in a breach, including names, postal and email addresses, phone numbers, order and contract details, and hashed passwords.

Victim
Euromatik
Data breachContained

Leak at Cuisinella

In December 2025, French kitchen retailer Cuisinella (Schmidt Groupe) disclosed that an unauthorized third party accessed customer contact details — title, first name, last name, phone number and email address — for thousands of customers; no bank, address or password data was exposed.

Victim
Cuisinella
Data breachContained

Leak at Schmidt

In early December 2025, French kitchen and home-furnishing group Schmidt (brands Schmidt and Cuisinella) disclosed that an unauthorized third party had accessed the contact details of thousands of customers and prospects — title, name, first name, phone number and email address.

Victim
Schmidt
Data breachContained

Leak at Leroy Merlin

In December 2025, French DIY retailer Leroy Merlin disclosed a cyberattack that exposed the loyalty-program data of several hundred thousand French customers, including names, contact details, postal addresses and dates of birth; no banking data or passwords were affected.

Victim
Leroy Merlin
Data breachContained

Leak at Murfy

In November 2025, French home-appliance repair and refurbishment company Murfy disclosed a data breach exposing the personal data of around 294,000 customers — names, email and postal addresses, phone numbers and service-history details — but no banking data or passwords.

Victim
Murfy
Records
294.1K
Data breachResolved

Under Armour data breach (2025)

In November 2025, the Everest ransomware group claimed to have stolen 343GB of data from apparel maker Under Armour. After no ransom was paid, customer data was leaked in January 2026, exposing roughly 72.7 million unique email addresses with names, dates of birth, genders, locations and purchase histories. This is a separate incident from the 2018 MyFitnessPal breach.

Victim
Under Armour
Records
72.7M
RansomwareContained

Leak at Poltronesofa

On 27 October 2025, Italian sofa and furniture retailer Poltronesofà suffered a ransomware attack that encrypted its servers and exposed personal data of thousands of customers, including names, postal addresses, emails, phone numbers and tax identification numbers; no banking data was affected.

Victim
Poltronesofa
Supply chainContained

Leak at Mango

In October 2025, Spanish fashion retailer Mango disclosed that an external marketing service provider was breached, exposing customers' first name, country, postal code, email address and phone number; no passwords or banking data were affected.

Victim
Mango
Data breachContained

Leak at Clarins

French luxury skincare group Clarins confirmed in September 2025 that the Everest extortion gang had exfiltrated contact details of customers in France, the US and Canada; the actor claimed over 600,000 records, with no financial data affected.

Victim
Clarins
Records
600.0K
Data breachResolved

Artists&Clients data breach (2025)

In August 2025, the "marketplace that connects artists to prospective clients" Artists&Clients, suffered a data breach and subsequent ransom demand of US$50k.

Victim
Artists&Clients
Records
95.4K
Data breachContained

Leak at Auchan

In August 2025, French retailer Auchan disclosed a breach exposing personal data of several hundred thousand Waaoh loyalty-program customers — names, titles, postal and email addresses, phone numbers and loyalty card numbers; bank data and PINs were not affected.

Victim
Auchan
Supply chainContained

Leak at Alltricks

In August 2025, French online cycling and sports retailer Alltricks had its Sendinblue/Brevo email-marketing system compromised; attackers sent customers convincing phishing emails from the brand's own infrastructure, exposing names, email addresses and purchase history.

Victim
Alltricks
Supply chainContained

Leak at Pandora

In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data — names, email addresses and birth dates — while stating no passwords or payment data were taken.

Victim
Pandora
RansomwareOngoing

Leak at Groupe 5àSec

The DragonForce ransomware group claimed a July 2025 attack on French dry-cleaning chain 5àSec, exfiltrating roughly 290 GB of data — SQL production and test databases spanning the group's France, Switzerland, Luxembourg, Spain and Portugal operations — and published it after the company declined to pay.

Victim
Groupe 5àSec
Data breachContained

Leak at Louis Vuitton

In July 2025, French luxury brand Louis Vuitton disclosed that an unauthorized third party had accessed customer data — names, contact details, postal addresses, dates of birth and purchase history — as part of a global breach affecting clients in France, South Korea and other markets; no payment data was exposed.

Victim
Louis Vuitton
Data breachContained

Leak at Cartier

In June 2025, luxury jeweller Cartier (Richemont) disclosed a data breach in which attackers accessed customer records — names, email addresses and country of residence — though no passwords, payment or banking data were exposed.

Victim
Cartier
Data breachUnknown

Leak at Kaviari

On 3 June 2025, a customer database belonging to Kaviari, the Paris-based luxury caviar and premium seafood house, was reported leaked, exposing shoppers' names, contact details, dates of birth, account credentials and order histories.

Victim
Kaviari
Data breachContained

Leak at Dior

On 13 May 2025, luxury fashion house Christian Dior Couture (LVMH) began notifying customers — first in Asia — that an intrusion discovered on 7 May exposed names, contact details, purchase histories and marketing preferences; no bank or payment-card data was affected.

Victim
Dior
Data breachContained

Leak at Easy Cash

In April 2025, French second-hand retail chain Easy Cash disclosed a breach exposing the names, first names and dates of birth of around 92,000 customers, traced to a compromised in-store workstation.

Victim
Easy Cash
Records
92.0K
Supply chainContained

Leak at Afflelou

In April 2025, French optical and hearing-aid retailer Alain Afflelou disclosed a breach caused by a vulnerability at a third-party CRM provider, exposing the personal and commercial data of thousands of customers and prospects.

Victim
Afflelou
Data breachContained

Leak at Intersport

In March 2025, French sporting-goods retailer Intersport had data on roughly 3.4 million customers stolen via a compromised FTP server and put up for sale on BreachForums, exposing names, contact details, addresses, PayPal references and transaction history (no banking credentials).

Victim
Intersport
Records
3.4M
Data breachUnknown

Data leak at Sport Découverte

On 17 February 2025, French sports-experience e-commerce retailer Sport Découverte (sport-decouverte.com) was reported breached, with a database of roughly 488,000 customer accounts — names, dates of birth, phone numbers and email addresses — exposed.

Victim
Sport Découverte
Records
488.0K
Data breachContained

Leak at King Jouet

In February 2025, French toy retailer King Jouet was hit by a breach of its online order-tracking interface; a hacker claimed 4.3 million records, but the company said fewer than 25,000 customers across two stores had names, contact details and order information exposed.

Victim
King Jouet
Data breachResolved

Lexipol data breach (2025)

In February 2025, the public safety policy management systems company Lexipol suffered a data breach. Attributed to the self-proclaimed "Puppygirl Hacker Polycule", the breach exposed an extensive number of documents and user records which were subsequently published publicly.

Victim
Lexipol
Records
672.5K
Credential stuffingContained

Leak at Kiabi

In January 2025, French clothing retailer Kiabi disclosed a credential-stuffing attack on its secondhand site (secondemain.kiabi.com) that exposed the names, dates of birth, contact details and IBANs of about 20,000 customers.

Victim
Kiabi
Records
20.0K
Data breachUnknown

Leak at Electro Dépôt

Customer data attributed to French electronics retailer Electro Dépôt surfaced as one of at least 17 French breaches consolidated on an open database, exposing names, contact details, IP addresses and partial payment data.

Victim
Electro Dépôt
Data breachUnknown

Leak at Go Sport

In December 2024, French sporting-goods retailer Go Sport was named in dark-web claims of a customer data leak; the alleged fresh breach was debunked, with the data tracing back to a 'go-sport.com' file in an earlier compilation of past French breaches.

Victim
Go Sport
Data breachResolved

Data leak at Sport 2000

Customer database of French sporting-goods retailer Sport 2000 — covering roughly 4.3 million people — was stolen and circulated on hacking forums and the dark web, exposing names, contact details, dates of birth and purchase history.

Victim
Sport 2000
Records
4.4M
Data breachContained

Data leak at Top Achat

On 12 December 2024, French PC-hardware e-tailer Top Achat (LDLC group) disclosed a breach exposing customer names, email and postal addresses; no passwords or payment data were affected. The intrusion was linked to an earlier compromise at parent company LDLC.

Victim
Top Achat
Data breachOngoing

Leak at LDLC

On 10 December 2024, French high-tech e-commerce retailer LDLC disclosed a data breach exposing personal data (names, email addresses, phone numbers) of both its online and in-store customers — potentially several million people — though it stated no financial or sensitive data was affected.

Victim
LDLC
Data breachContained

Leak at Guy Demarle

French bakeware and kitchenware brand Guy Demarle disclosed in December 2024 that a cyberattack had copied part of its customer database, exposing names, postal addresses, email addresses and phone numbers; passwords and banking data were not affected.

Victim
Guy Demarle
Data breachContained

Leak at Auchan

On 19 November 2024, French retailer Auchan disclosed a breach of its loyalty programme exposing the personal data of more than 500,000 customers — names, contact details, dates of birth, family composition and loyalty-card/balance information; no bank data or passwords were affected.

Victim
Auchan
Records
500.0K
Credential stuffingContained

Leak at Picard

On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.

Victim
Picard
Records
45.0K
Data breachResolved

The Club Penguin Experience data breach (2024)

In October 2024, The Club Penguin Experience (TCPE) suffered a data breach. The incident exposed over 6k subscribers' email addresses alongside usernames, age groups, passwords stored as bcrypt hashes and in some cases, plain text password hints.

Victim
The Club Penguin Experience
Records
6.3K
Data breachResolved

digiDirect data breach (2024)

In September 2024, a data breach sourced from the Australian retailer digiDirect was published to a popular hacking forum. The breach exposed over 300k rows of data including email and physical address, name, phone number and date of birth.

Victim
digiDirect
Records
304.3K
Supply chainContained

Leak at Cultura

On 10 September 2024, French cultural-goods retailer Cultura disclosed that a breach at a shared third-party IT provider exposed the personal data of about 1.5 million customers, including names, contact details and order history; passwords and bank data were not affected.

Victim
Cultura
Records
1.5M
Supply chainContained

Leak at Boulanger

On the night of 6-7 September 2024, French electronics retailer Boulanger suffered a data breach traced to a shared third-party delivery/IT provider, exposing the names, postal and email addresses and phone numbers of several hundred thousand customers; no banking data was affected.

Victim
Boulanger
Data breachResolved

schenkYOU data breach (2024)

In September 2024, data from the online German gift store schenkYOU was put up for sale on a popular hacking forum. Obtained the month before, the data included 237k unique email addresses alongside names, dates of birth and salted SHA-256 password hashes.

Victim
schenkYOU
Records
237.3K
Data breachResolved

The Heritage Foundation data breach (2024)

In July 2024, hacktivists published almost 2GB of data taken from The Heritage Foundation and their media arm, The Daily Signal. The data contained 72k unique email addresses, primarily used for commenting on articles (along with names, IP addresses and the comments left) and by content…

Victim
The Heritage Foundation
Records
72.0K
Data breachResolved

LuLu data breach (2024)

In July 2024, the Emirati-based LuLu retail store suffered a data breach. The impacted data included 190k email addresses and associated phone numbers which were subsequently shared on a popular hacking forum.

Victim
LuLu
Records
2.8M
Data breachResolved

Central Tickets data breach (2024)

In September 2024, data from the ticketing service Central Tickets was publicly posted to a hacking forum. The data suggests the breach occurred several months earlier and exposed 723k unique email addresses alongside names, phone numbers, IP addresses, purchases and passwords stored as unsalted…

Victim
Central Tickets
Records
722.9K
Data breachResolved

Robinsons Malls data breach (2024)

In June 2024, the Philippines' largest shopping-mall operators Robinsons Malls suffered a data breach stemming from their mobile app. The incident exposed 195k unique email addresses along with names, phone numbers, dates of birth, genders and the user's city and province.

Victim
Robinsons Malls
Records
195.6K
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
Data breachResolved

T2 data breach (2024)

In April 2024, 95k records from the T2 tea store were posted to a popular hacking forum. Data included email and physical addresses, names, phone numbers, dates of birth, purchases and passwords stored as scrypt hashes.

Victim
T2
Records
94.6K
Data breachContained

Leak at Le Slip Français

In April 2024, French apparel brand Le Slip Français disclosed a customer data breach exposing names, phone numbers, postal and email addresses and order numbers; roughly 1.5 million email addresses and close to 700,000 full customer profiles were affected. No passwords or payment data were involved.

Victim
Le Slip Français
Data breachResolved

Neiman Marcus data breach (2024)

In 2024, the luxury retailer Neiman Marcus had data stolen from its Snowflake cloud environment via stolen credentials. The company reported about 64,000 individuals to regulators, but the leaked dataset exposed roughly 31 million unique email addresses along with names, contact details and gift-card numbers.

Victim
Neiman Marcus
Records
31.2M
Data breachResolved

Pandabuy data breach (2024)

In March 2024, 1.3M unique email addresses from the online store for purchasing goods from China, Pandabuy, were posted to a popular hacking forum. The data also included IP and physical addresses, names, phone numbers and order enquiries.

Victim
Pandabuy
Records
1.3M
Data breachResolved

Giant Tiger data breach (2024)

In March 2024, Canadian discount store Giant Tiger suffered a data breach that exposed 2.8M customer records. Attributed to a vendor of the retailer, the breach included physical and email addresses, names and phone numbers.

Victim
Giant Tiger
Records
2.8M
Data breachContained

Leak at LDLC

In early March 2024, French electronics retailer LDLC confirmed a data breach affecting roughly 1.5 million in-store customers, exposing names, postal addresses, email addresses and phone numbers, though no banking or sensitive data.

Victim
LDLC
Records
1.5M
Data breachResolved

SurveyLama data breach (2024)

In February 2024, the paid survey website SurveyLama suffered a data breach that exposed 4.4M customer email addresses. The incident also exposed names, physical and IP addresses, phone numbers, dates of birth and passwords stored as either salted SHA-1, bcrypt or argon2 hashes.

Victim
SurveyLama
Records
4.4M
Data breachResolved

GLAMIRA data breach (2023)

In late 2023, the online jewellery store GLAMIRA suffered a data breach they attributed to "an unauthorised individual [who] briefly accessed one of our servers". The data was subsequently published on a popular hacking forum and included 875k email addresses, names, phone numbers and purchases.

Victim
GLAMIRA
Records
874.6K
Data breachResolved

Welhof data breach (2023)

In late 2023, the Dutch appliance store Welhof suffered a data breach. The incident exposed over 100k unique email addresses along with names, physical addresses and the value of purchases made.

Victim
Welhof
Records
107.3K
Data breachResolved

Facebook Marketplace data breach (2023)

In February 2024, 200k Facebook Marketplace records allegedly obtained from a Meta contractor in October 2023 were posted to a popular hacking forum. The data contained 77k unique email addresses alongside names, phone numbers, Facebook profile IDs and geographic locations.

Victim
Facebook Marketplace
Records
77.3K
Data breachResolved

Dymocks data breach (2023)

In September 2023, the Australian book retailer Dymocks announced a data breach. The data dated back to June 2023 and contained 1.2M records with 836k unique email addresses. The breach also exposed names, dates of birth, genders, phone numbers and physical addresses.

Victim
Dymocks
Records
836.1K
Data breachResolved

CityJerks data breach (2023)

In early 2023, the "mutual masturbation" website CityJerks suffered a data breach that exposed 177k unique email addresses. The breach also included data from the TruckerSucker "dating app for REAL TRUCKERS and REAL MEN" with the combined corpus of data also exposing usernames, IP addresses, dates…

Victim
CityJerks
Records
177.6K
Data breachResolved

The Kodi Foundation data breach (2023)

In February 2023, The Kodi Foundation suffered a data breach that exposed more than 400k user records. Attributed to an account belonging to "a trusted but currently inactive member of the forum admin team", the breach involved the administrator account creating a database backup that was…

Victim
The Kodi Foundation
Records
400.6K
Data breachResolved

Planet Ice data breach (2023)

In January 2023, the UK-based ice skating rink booking service Planet Ice suffered a data breach. The incident exposed the personal data of 240k people including email and physical addresses, phone numbers, genders, dates of birth and passwords stored as MD5 hashes.

Victim
Planet Ice
Records
240.5K
Data breachResolved

Autotrader data breach (2023)

In January 2023, 1.4M records from the Autotrader online vehicle marketplace appeared on a popular hacking forum. Autotrader stated that the "data in question relates to aged listing data that was generally publicly available on our site at the time and open to automated collection methods".

Victim
Autotrader
Records
20.0K
Data breachResolved

BreachForums data breach (2022)

In November 2022, the well-known hacking forum "BreachForums" was itself, breached. Later the following year, the operator of the website was arrested and the site seized by law enforcement agencies.

Victim
BreachForums
Records
212.2K
Data breachResolved

Movie Forums data breach (2022)

In December 2022, the Movie Forums website suffered a data breach that affected 40k users. The breach exposed email and IP addresses, usernames, dates of birth and passwords stored as easily crackable salted MD5 hashes. The data was subsequently posted a popular clear web hacking forum.

Victim
Movie Forums
Records
39.9K
Data breachResolved

Avito data breach (2022)

In November 2022, the Moroccan e-commerce service Avito suffered a data breach that exposed the personal information of 2.7M customers. The data included name, email, phone, IP address and geographic location.

Victim
Avito
Records
2.7M
Data breachResolved

ClickASnap data breach (2022)

In September 2022, the online photo sharing platform ClickASnap suffered a data breach. The incident exposed almost 3.3M personal records including email addresses, usernames and passwords stored as SHA-512 hashes.

Victim
ClickASnap
Records
3.3M
Data breachResolved

Traderie data breach (2022)

In September 2022, the in-game trading marketplace Traderie suffered a data breach that exposed almost 400k records (this preceded a subsequent breach the following year). The incident exposed email and IP addresses, usernames and links to social media profiles.

Victim
Traderie
Records
364.9K
Data breachResolved

Brand New Tube data breach (2022)

In August 2022, the streaming website Brand New Tube suffered a data breach that exposed the personal information of almost 350k subscribers. The impacted data included email and IP addresses, usernames, genders, passwords stored as unsalted SHA-1 hashes and private messages.

Victim
Brand New Tube
Records
349.6K
Data breachResolved

Hjedd data breach (2022)

In July 2022, the Chinese adult website Hjedd was found to be leaking more than 13M customer records which subsequently appeared on a popular hacking forum. The exposed data included email and IP addresses, usernames and passwords stored as bcrypt hashes.

Victim
Hjedd
Records
13.2M
Data breachResolved

OGUsers (2022 breach) data breach (2022)

In July 2022, the account hijacking and SIM swapping forum OGusers suffered a data breach, the fifth since December 2018. The breach contained usernames, email and IP addresses and passwords stored as argon2 hashes. A total of 529k unique email addresses appeared in the breach.

Victim
OGUsers (2022 breach)
Records
529.0K
Data breachResolved

Disk Union data breach (2022)

In June 2022, the Japanese record chain store Disk Union suffered a data breach. The incident exposed 690k unique email addresses along with names, post codes, phone numbers and plain text passwords.

Victim
Disk Union
Records
690.7K
Data breachResolved

WiredBucks data breach (2022)

In May 2022, the now defunct social media influencer platform WiredBucks suffered a data breach that was later redistributed as part of a larger corpus of data.

Victim
WiredBucks
Records
918.5K
Data breachResolved

Mangatoon data breach (2022)

In May 2022, the Hong Kong based Manga service Mangatoon suffered a data breach that exposed 23M subscriber records. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and passwords stored as salted MD5 hashes.

Victim
Mangatoon
Records
23.0M
Data breachResolved

BlackBerry Fans data breach (2022)

In May 2022, the Chinese BlackBerry enthusiasts website BlackBerry Fans suffered a data breach that exposed 174k member records. The impacted data included usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
BlackBerry Fans
Records
174.2K
Data breachResolved

Leaked Reality data breach (2022)

In January 2022, the now defunct uncensored video website Leaked Reality suffered a data breach that exposed 115k unique email addresses. The data also included usernames, IP addresses and passwords stored as either MD5 or phpass hashes.

Victim
Leaked Reality
Records
114.9K
Data breachResolved

MacGeneration data breach (2022)

In January 2022, the French Apple news website MacGeneration suffered a data breach. The incident exposed over 100k usernames, email addresses and passwords stored as salted SHA-512 hashes. After discovering the incident, MacGeneration self-submitted data to HIBP.

Victim
MacGeneration
Records
101.0K
Data breachResolved

Sundry Files data breach (2022)

In January 2022, the now defunct file upload service Sundry Files suffered a data breach that exposed 274k unique email addresses. The data also included usernames, IP addresses and passwords stored as salted SHA-256 hashes.

Victim
Sundry Files
Records
274.5K
Data breachResolved

Aditya Birla Fashion and Retail data breach (2021)

In December 2021, Indian retailer Aditya Birla Fashion and Retail Ltd was breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4M unique email addresses was subsequently dumped publicly on a popular hacking forum the next month.

Victim
Aditya Birla Fashion and Retail
Records
5.5M
Data breachResolved

Fitmart data breach (2021)

In October 2021, data from the German fitness supplies store Fitmart was obtained and later redistributed online. The data included 214k unique email addresses accompanied by plain text passwords, allegedly "dehashed" from the original stored version.

Victim
Fitmart
Records
214.5K
Data breachResolved

Epik data breach (2021)

In September 2021, the domain registrar and web host Epik suffered a significant data breach, allegedly in retaliation for hosting alt-right websites. The breach exposed a huge volume of data not just of Epik customers, but also scraped WHOIS records belonging to individuals and organisations who…

Victim
Epik
Records
15.0M
Data breachResolved

Dennis Kirk data breach (2021)

In October 2024, almost 20GB of data containing 1.3M unique email addresses from motorcycle supplies store Dennis Kirk was circulated. Dating back to September 2021, the data also contained purchases from the online store along with customer names, phone numbers and postcodes.

Victim
Dennis Kirk
Records
1.4M
Data breachResolved

DatPiff data breach (2021)

In late 2021, email address and plain text password pairs from the rap mixtape website DatPiff appeared for sale on a popular hacking forum. The data allegedly dated back to an earlier breach and in total, contained almost 7.5M email addresses and cracked password pairs.

Victim
DatPiff
Records
7.5M
Data breachResolved

Open Subtitles data breach (2021)

In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers' personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

Victim
Open Subtitles
Records
6.8M
Data breachResolved

AndroidLista data breach (2021)

In July 2021, the Android applications and games review site AndroidLista suffered a data breach. The incident exposed 6.6M user records containing email addresses, names, usernames and passwords stored as salted SHA-1 hashes, all of which were subsequently posted to a popular hacking forum.

Victim
AndroidLista
Records
6.6M
Data breachResolved

Guntrader data breach (2021)

In July 2021, the United Kingdom based website Guntrader suffered a data breach that exposed 112k unique email addresses. Extensive personal information was also exposed including names, phone numbers, geolocation data, IP addresses and various physical address attributes (cities for all users,…

Victim
Guntrader
Records
112.0K
Data breachResolved

Qraved data breach (2021)

In July 2021, the Indonesian restaurant website Qraved suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed almost 1M unique email addresses along with names, phone numbers, dates of birth and passwords stored as MD5 hashes.

Victim
Qraved
Records
984.5K
Data breachResolved

Jam Tangan data breach (2021)

In July 2021, the online Indonesian watch store, Jam Tangan (AKA Machtwatch), suffered a data breach that exposed over 400k customer records which were subsequently posted to a popular hacking forum.

Victim
Jam Tangan
Records
434.8K
Data breachResolved

Short Édition data breach (2021)

In June 2021, the French publishing house of short literature Short Édition suffered a data breach that exposed 505k records. Impacted data included email and physical addresses, names, usernames, phone numbers, dates of birth, genders and passwords stored as either salted SHA-1 or salted SHA-512…

Victim
Short Édition
Records
505.5K
Data breachResolved

IndiaMART data breach (2021)

In August 2021, 38 million records from Indian e-commerce company IndiaMART were found being traded on a popular hacking forum. Dated several months earlier, the data included over 20 million unique email addresses alongside names, phone numbers and physical addresses.

Victim
IndiaMART
Records
20.2M
Data breachResolved

SirHurt data breach (2021)

In April 2021, the the Roblox cheats website SirHurt suffered a data breach that exposed over 90k customer records. The exposed data included email and IP addresses, usernames and passwords stored as MD5 hashes.

Victim
SirHurt
Records
90.7K
Data breachResolved

OGUsers (2021 breach) data breach (2021)

In April 2021, the account hijacking and SIM swapping forum OGusers suffered a data breach, the fourth since December 2018. The breach was subsequently sold on a rival hacking forum and contained usernames, email and IP addresses and passwords stored as either salted MD5 or argon2 hashes.

Victim
OGUsers (2021 breach)
Records
348.3K
Data breachResolved

Phone House España data breach (2021)

In April 2021, the Spanish retailer Phone House allegedly suffered a ransomware attack that also exposed significant volumes of customer data. Attributed to the Babuk ransomware, a collection of data alleged to be a subset of a larger corpus was posted to a dark web site and contained 5.2M email…

Victim
Phone House España
Records
5.2M
Data breachResolved

SlideTeam data breach (2021)

In April 2021, the "world’s largest collection of pre-designed presentation slides" SlideTeam had 1.4M records breached and later published to a popular hacking forum the following year.

Victim
SlideTeam
Records
1.5M
Data breachResolved

MangaDex data breach (2021)

In March 2021, the manga fan site MangaDex suffered a data breach that resulted in the exposure of almost 3 million subscribers. The data included email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was subsequently circulated within hacking groups.

Victim
MangaDex
Records
3.0M
Data breachResolved

ParkMobile data breach (2021)

In March 2021, the mobile parking app service ParkMobile suffered a data breach which exposed 21 million customers' personal data. The impacted data included email addresses, names, phone numbers, vehicle licence plates and passwords stored as bcrypt hashes.

Victim
ParkMobile
Records
20.9M
Data breachResolved

IDC Games data breach (2021)

In March 2021, 4 million records sourced from IDC Games were shared on a public hacking forum. The data included usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
IDC Games
Records
4.0M
Data breachResolved

Gab data breach (2021)

In February 2021, the alt-tech social network service Gab suffered a data breach. The incident exposed almost 70GB of data including 4M user accounts, a small number of private chat logs and a list of public groups and public posts made to the service.

Victim
Gab
Records
66.5K
Data breachResolved

KomplettFritid data breach (2021)

In January 2023, the online Norwegian store KomplettFritid was reported as having had a data breach dating back to February 2021. The incident exposed 140k customer records including physical, email and IP addresses, names, phone numbers and passwords.

Victim
KomplettFritid
Records
139.4K
Data breachResolved

Raychat data breach (2021)

In January 2021, the now defunct Iranian social media platform Raychat suffered a data breach that exposed 939 thousand unique email addresses. The data included names, IP addresses, browser user agent strings and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.

Victim
Raychat
Records
939.0K
Data breachResolved

Ducks Unlimited data breach (2021)

In mid-2021, Risk Based Security reported on a database sourced from Ducks Unlimited being traded online. The data dated back to January 2021 and contained 1.3M unique email addresses across both a membership list and a list of website users.

Victim
Ducks Unlimited
Records
1.3M
Data breachResolved

Bookchor data breach (2021)

In January 2021, the Indian book trading website Bookchor suffered a data breach that exposed half a million customer records. The exposed data included email and IP addresses, names, genders, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes.

Victim
Bookchor
Records
498.3K
Data breachResolved

Daily Quiz data breach (2021)

In January 2021, the quiz website Daily Quiz suffered a data breach that exposed over 8 million unique email addresses. The data also included usernames, IP addresses and passwords stored in plain text.

Victim
Daily Quiz
Records
8.0M
Data breachResolved

Adecco data breach (2021)

In March 2021, news broke of a massive data breach impacting millions of Adecco customers in South America which was subsequently sold on a popular hacking forum.

Victim
Adecco
Records
4.3M
Data breachResolved

MEO data breach (2020)

In early 2023, a corpus of data sourced from the New Zealand based face mask company MEO was discovered. Dating back to December 2020, the data contained over 8k customer records including names, addresses, phone numbers and passwords stored as MD5 Wordpress hashes.

Victim
MEO
Records
8.2K
Data breachResolved

NetGalley data breach (2020)

In December 2020, the book promotion site NetGalley suffered a data breach. The incident exposed 1.4 million unique email addresses alongside names, usernames, physical and IP addresses, phone numbers, dates of birth and passwords stored as salted SHA-1 hashes.

Victim
NetGalley
Records
1.4M
Data breachResolved

DriveSure data breach (2020)

In December 2020, the car dealership service provider DriveSure suffered a data breach. The incident resulted in 26GB of data being downloaded and later shared on a hacking forum. Impacted personal information included 3.6 million unique email addresses, names, phone numbers and physical addresses.

Victim
DriveSure
Records
3.7M
Data breachResolved

Wongnai data breach (2020)

In October 2020, 17 previously undisclosed data breaches appeared for sale including the Thai restaurant, hotel and attraction finding service, Wongnai.

Victim
Wongnai
Records
3.9M
Data breachResolved

bigbasket data breach (2020)

In October 2020, the Indian grocery platform bigbasket suffered a data breach that exposed over 20 million customer records. The data was originally sold before being leaked publicly in April the following year and included email, IP and physical addresses, names, phones numbers, dates of birth…

Victim
bigbasket
Records
24.5M
Data breachResolved

Thingiverse data breach (2020)

In October 2021, a database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community. Dating back to October 2020, the 36GB file contained 228 thousand unique email addresses, mostly alongside comments left on 3D models.

Victim
Thingiverse
Records
228.1K
Data breachResolved

Animal Jam data breach (2020)

In October 2020, the online game for kids Animal Jam suffered a data breach which was subsequently shared through online hacking communities the following month. The data contained 46 million user accounts with over 7 million unique email addresses.

Victim
Animal Jam
Records
7.1M
Data breachResolved

Famm data breach (2020)

In late 2020, the Japanese family photos website Famm suffered a data breach that subsequently exposed 1.3M customer records, including 535k unique email addresses. Impacted data also included names, dates of birth, genders and passwords stored as SHA-256 hashes.

Victim
Famm
Records
535.2K
Data breachResolved

LimeVPN data breach (2020)

In October 2020, the VPN provider LimeVPN suffered a data breach that exposed the personal information of tens of thousands of customers. The data included email, IP and physical addresses, names, phone numbers, purchase histories and passwords stored as salted MD5 hashes.

Victim
LimeVPN
Records
23.3K
Data breachResolved

Pixlr data breach (2020)

In October 2020, the online photo editing application Pixlr suffered a data breach exposing 1.9 million subscribers. Impacted data included names, email addresses, social media profiles, the country signed up from and passwords stored as SHA-512 hashes. The data was provided to HIBP by dehashed.com.

Victim
Pixlr
Records
1.9M
Data breachResolved

GeniusU data breach (2020)

In November 2020, a collection of data breaches were made public including the "Entrepreneur Success Platform", GeniusU. Dating back to the previous month, the data included 1.3M names, email and IP addresses, genders, links to social media profiles and passwords stored as bcrypt hashes.

Victim
GeniusU
Records
1.3M
Data breachResolved

Eskimi data breach (2020)

In late 2020, the AdTech platform Eskimi suffered a data breach that exposed 26M records with 1.2M unique email addresses. The data included usernames, dates of birth, genders and passwords stored as unsalted MD5 hashes.

Victim
Eskimi
Records
1.2M
Data breachResolved

RaidForums data breach (2020)

In May 2023, 478k user records from the now defunct hacking forum known as "RaidForums" was posted to another hacking forum. The data dated back to September 2020 and included email addresses, usernames, dates of birth, IP addresses and passwords stored as Argon2 hashes.

Victim
RaidForums
Records
478.6K
Data breachResolved

Games Box data breach (2020)

In September 2020, now defunct website Games Box suffered a data breach that was later redistributed as part of a larger corpus of data. The impacted data included 1.4M email addresses alongside usernames, genders, ages and passwords stored as either a hash or plain text.

Victim
Games Box
Records
1.4M
Data breachResolved

Horse Isle data breach (2020)

In June 2020 then again in September that same year, Horse Isle "The Secrent Land of Horses" suffered a data breach. The incident exposed 28k unique email addresses along with names, usernames, IP addresses, genders, purchases and plain text passwords.

Victim
Horse Isle
Records
27.8K
Data breachResolved

ShopBack data breach (2020)

In September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by dehashed.com.

Victim
ShopBack
Records
20.5M
Data breachResolved

Shopper+ data breach (2020)

In March 2023, "Canada's online shopping mall" Shopper+ disclosed a data breach discovered on a public hacking forum. The breach dated back to September 2020 and included 878k customer records with email and physical addresses, names, phone numbers and in some cases, genders and dates of birth.

Victim
Shopper+
Records
878.3K
Data breachResolved

RedDoorz data breach (2020)

In September 2020, the hotel management & booking platform RedDoorz suffered a data breach that exposed over 5.8M user accounts. The breached data included names, email addresses, phone numbers, genders, dates of birth and passwords stored as bcrypt hashes.

Victim
RedDoorz
Records
5.9M
Data breachResolved

Livpure data breach (2020)

In August 2020, the Indian retailer Livpure suffered a data breach which exposed over 1 million customer purchases with 270 thousand unique email addresses. The data also included names, phone numbers, physical addresses and details of purchased items.

Victim
Livpure
Records
269.6K
Data breachResolved

Jefit data breach (2020)

In August 2020, the workout tracking app Jefit suffered a data breach. The data was subsequently sold within the hacking community and included over 9 million email and IP addresses, usernames and passwords stored as either vBulletin or argon2 hashes.

Victim
Jefit
Records
9.1M
Data breachResolved

WiziShop data breach (2020)

In July 2020, the French e-commerce platform WiziShop suffered a data breach. The breach exposed 18GB worth of data including names, phone numbers, dates of birth, physical and IP addresses, SHA-1 password hashes and almost 3 million unique email addresses.

Victim
WiziShop
Records
2.9M
Data breachResolved

StreamCraft data breach (2020)

In July 2020, the Russian Minecraft service StreamCraft suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 1.8M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.

Victim
StreamCraft
Records
1.8M
Data breachResolved

Drizly data breach (2020)

In approximately July 2020, the US-based online alcohol delivery service Drizly suffered a data breach. The data was sold online before being extensively redistributed and contained 2.5 million unique email addresses alongside names, physical and IP addresses, phone numbers, dates of birth and…

Victim
Drizly
Records
2.5M
Data breachResolved

OrderSnapp data breach (2020)

In June 2020, the restaurant solutions provider OrderSnapp suffered a data breach which exposed 1.3M unique email addresses. Impacted data also included names, phone numbers, dates of birth and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.

Victim
OrderSnapp
Records
1.3M
Data breachResolved

Wattpad data breach (2020)

In mid-2020, the user-generated stories platform Wattpad suffered a breach exposing roughly 268.8 million records, including names, email addresses, dates of birth, and bcrypt-hashed passwords. The database was first sold privately, then leaked for free on a hacking forum.

Victim
Wattpad
Records
268.8M
Data breachResolved

Havenly data breach (2020)

In June 2020, the interior design website Havenly suffered a data breach which impacted almost 1.4 million members of the service. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes, all of which was subsequently shared…

Victim
Havenly
Records
1.4M
Data breachResolved

Appen data breach (2020)

In June 2020, the AI training data company Appen suffered a data breach exposing the details of almost 5.9 million users which were subsequently sold online. Included in the breach were names, email addresses and passwords stored as bcrypt hashes.

Victim
Appen
Records
5.9M
Data breachResolved

Scentbird data breach (2020)

In June 2020, the online fragrance service Scentbird suffered a data breach that exposed the personal information of over 5.8 million customers. Personal information including names, email addresses, genders, dates of birth, passwords stored as bcrypt hashes and indicators of password strength were…

Victim
Scentbird
Records
5.8M
Data breachResolved

Vakinha data breach (2020)

In June 2020, the Brazilian fund raising service Vakinha suffered a data breach which impacted almost 4.8 million members. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as bcrypt hashes, all of which was subsequently shared extensively…

Victim
Vakinha
Records
4.8M
Data breachResolved

yotepresto.com data breach (2020)

In June 2020, the Mexican lending platform yotepresto.com suffered a data breach. Over 1.4 million customers were impacted by the breach which disclosed email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.

Victim
yotepresto.com
Records
1.4M
Data breachResolved

SitePoint data breach (2020)

In June 2020, the web development site SitePoint suffered a data breach that exposed over 1M customer records. Impacted data included email and IP addresses, names, usernames, bios and passwords stored as bcrypt hashes.

Victim
SitePoint
Records
1.0M
Data breachResolved

LiveAuctioneers data breach (2020)

In June 2020, the online antiques marketplace LiveAuctioneers suffered a data breach which was subsequently sold online then extensively redistributed in the hacking community.

Victim
LiveAuctioneers
Records
3.4M
Data breachResolved

Nulled.ch data breach (2020)

In May 2020, the hacking forum Nulled.ch was breached and the data published to a rival hacking forum. Over 43k records were compromised and included IP and email addresses, usernames and passwords stored as salted MD5 hashes alongside the private message history of the website's admin.

Victim
Nulled.ch
Records
43.5K
Data breachResolved

Zacks data breach (2020)

In December 2022, the investment research company Zacks announced a data breach. The following month, reports emerged of the incident impacting 820k customers. However, in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum.

Victim
Zacks
Records
8.9M
Data breachResolved

Minted data breach (2020)

In May 2020, the online marketplace for independent artists Minted suffered a data breach that exposed 4.4M unique customer records subsequently sold on a dark web marketplace. Exposed data also included names, physical addresses, phone numbers and passwords stored as bcrypt hashes.

Victim
Minted
Records
4.4M
Data breachResolved

Stalker Online data breach (2020)

In May 2020, over 1.3M records from the MMO game Stalker Online were breached. The data included email and IP addresses, usernames and hashed passwords.

Victim
Stalker Online
Records
1.4M
Data breachResolved

Aptoide data breach (2020)

In April 2020, the independent Android app store Aptoide suffered a data breach. The incident resulted in the exposure of 20M customer records which were subsequently shared online via a popular hacking forum.

Victim
Aptoide
Records
20.0M
Data breachResolved

HomeRefill data breach (2020)

In April 2020, now defunct Brazilian e-commerce platform HomeRefill suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 187k unique email addresses along with names, phone numbers, dates of birth and salted password hashes.

Victim
HomeRefill
Records
187.5K
Data breachResolved

OGUsers (2020 breach) data breach (2020)

In April 2020, the account hijacking and SIM swapping forum OGUsers suffered their second data breach in less than a year. As with the previous breach, the exposed data included email and IP addresses, usernames, private messages and passwords stored as salted MD5 hashes.

Victim
OGUsers (2020 breach)
Records
263.2K
Data breachResolved

Glofox data breach (2020)

In March 2020, the Irish gym management software company Glofox suffered a data breach which exposed 2.3M membership records. The data included email addresses, names, phone numbers, genders, dates of birth and passwords stored as unsalted MD5 hashes.

Victim
Glofox
Records
2.3M
Data breachResolved

Chatbooks data breach (2020)

In March 2020, the photo print service Chatbooks suffered a data breach which was subsequently put up for sale on a dark web marketplace. The breach contained 15 million user records with 2.5 million unique email addresses alongside names, phone numbers, social media profiles and salted SHA-512…

Victim
Chatbooks
Records
2.5M
Data breachResolved

James data breach (2020)

In June 2020, 14 previously undisclosed data breaches appeared for sale including the Brazilian delivery service, "James". The breach occurred in March 2020 and exposed 1.5M unique email addresses, customer locations expressed in longitude and latitude and passwords stored as bcrypt hashes.

Victim
James
Records
1.5M
Data breachResolved

123RF data breach (2020)

In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
123RF
Records
8.7M
Data breachResolved

Catho data breach (2020)

In approximately March 2020, the Brazilian recruitment website Catho was compromised and subsequently appeared alongside 20 other breached websites listed for sale on a dark web marketplace. The breach included almost 11 million records with 1.2 million unique email addresses.

Victim
Catho
Records
1.2M
Data breachResolved

Tamodo data breach (2020)

In February 2020, the affiliate marketing network Tamodo suffered a data breach which was subsequently shared on a popular hacking forum. The incident exposed almost 500k accounts including names, email addresses, dates of birth and passwords stored as bcrypt hashes.

Victim
Tamodo
Records
494.9K
Data breachResolved

AnimeGame data breach (2020)

In February 2020, the gaming website AnimeGame suffered a data breach. The incident affected 1.4M subscribers and exposed email addresses, usernames and passwords stored as salted MD5 hashes. The data was subsequently shared on a popular hacking forum and was provided to HIBP by dehashed.com.

Victim
AnimeGame
Records
1.4M
Data breachResolved

Slickwraps data breach (2020)

In February 2020, the online store for consumer electronics wraps Slickwraps suffered a data breach. The incident resulted in the exposure of 858k unique email addresses across customer records and newsletter subscribers.

Victim
Slickwraps
Records
857.6K
Data breachResolved

Bhinneka data breach (2020)

In early 2020, the Indonesian consumer electronics website Bhinneka suffered a data breach that exposed almost 1.3M customer records. The data included email and physical addresses, names, genders, dates of birth, phone numbers and salted password hashes.

Victim
Bhinneka
Records
1.3M
Data breachResolved

Wishbone (2020) data breach (2020)

In January 2020, the mobile app to "compare anything" Wishbone suffered another data breach which followed their breach from 2016. An extensive amount of personal information including almost 10M unique email addresses alongside names, phone numbers geographic locations and other personal…

Victim
Wishbone (2020)
Records
9.7M
Data breachResolved

MeetMindful data breach (2020)

In early 2020, the online dating service MeetMindful suffered a data breach that exposed 1.4 million unique customer email addresses. Included in the data was an extensive array of personal information used to find romantic matches including physical attributes, use of alcohol, drugs and…

Victim
MeetMindful
Records
1.4M
Data breachResolved

Ulmon data breach (2020)

In January 2020, the travel app creator Ulmon suffered a data breach. The service had almost 1.3M records with 777k unique email addresses, names, passwords stored as bcrypt hashes and in some cases, social media profile IDs, telephone numbers and bios.

Victim
Ulmon
Records
777.8K
Data breachResolved

Mathway data breach (2020)

In January 2020, the math solving website Mathway suffered a data breach that exposed over 25M records. The data was subsequently sold on a dark web marketplace and included names, Google and Facebook IDs, email addresses and salted password hashes.

Victim
Mathway
Records
25.7M
Data breachResolved

Pampling data breach (2020)

In January 2020, the online clothing retailer Pampling suffered a data breach that exposed 383k unique customer email addresses. The data was later shared on a popular hacking forum and also included names, usernames and unsalted MD5 password hashes.

Victim
Pampling
Records
383.5K
Data breachResolved

Benchmark data breach (2019)

In November 2019, the Serbian technology news website Benchmark suffered a breach of its forum that exposed 93k customer records. The breach exposed IP and email addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Benchmark
Records
93.3K
Data breachResolved

StarTribune data breach (2019)

In October 2019, the Minnesota-based news service StarTribune suffered a data breach which was subsequently sold on the dark web. The breach exposed over 2 million unique email addresses alongside names, usernames, physical addresses, dates of birth, genders and passwords stored as bcrypt hashes.

Victim
StarTribune
Records
2.2M
Data breachResolved

The Halloween Spot data breach (2019)

In September 2019, the Halloween costume store The Halloween Spot suffered a data breach. Originally misattributed to fancy dress store Smiffys, the breach contained 13GB of data with over 10k unique email addresses alongside names, physical and IP addresses, phone numbers and order histories.

Victim
The Halloween Spot
Records
10.7K
Data breachResolved

Zooville data breach (2019)

In September 2019, the zoophilia and bestiality forum Zooville suffered a data breach. The usernames and email addresses of 71k members were accessed via an unpatched vulnerability in the vBulletin forum software then subsequently distributed online.

Victim
Zooville
Records
71.4K
Data breachResolved

EpicBot data breach (2019)

In September 2019, the RuneScape bot provider EpicBot suffered a data breach that impacted 817k subscribers. Data from the breach was subsequently shared on a popular hacking forum and included usernames, email and IP addresses and passwords stored as either salted MD5 or bcrypt hashes.

Victim
EpicBot
Records
816.7K
Data breachResolved

Zynga data breach (2019)

In September 2019, the hacker Gnosticplayers breached game developer Zynga, accessing data for nearly 173 million Words With Friends and Draw Something players. Exposed data included emails, usernames, phone numbers, and salted SHA-1 password hashes.

Victim
Zynga
Records
172.9M
Data breachResolved

AlpineReplay data breach (2019)

In 2019, the snow sports tracking app AlpineReplay suffered a data breach that exposed 900k unique email addresses. Later rolled into the Trace service, the breach included names, usernames, genders, dates of birth, weights and passwords stored as either unsalted MD5 or bcrypt hashes.

Victim
AlpineReplay
Records
898.7K
Data breachResolved

StockX data breach (2019)

In July 2019, the fashion and sneaker trading platform StockX suffered a data breach which was subsequently sold via a dark webmarketplace. The exposed data included 6.8 million unique email addresses, names, physical addresses, purchases and passwords stored as salted MD5 hashes.

Victim
StockX
Records
6.8M
Data breachResolved

Cracked.to data breach (2019)

In July 2019, the hacking website Cracked.to suffered a data breach. There were 749k unique email addresses spread across 321k forum users and other tables in the database.

Victim
Cracked.to
Records
749.2K
Data breachResolved

BlackSpigotMC data breach (2019)

In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself.

Victim
BlackSpigotMC
Records
140.0K
Data breachResolved

Vedantu data breach (2019)

In mid-2019, the Indian interactive online tutoring platform Vedantu suffered a data breach which exposed the personal data of 687k users. The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as…

Victim
Vedantu
Records
686.9K
Data breachResolved

Planet Calypso data breach (2019)

In approximately July 2019, the forums for the Planet Calypso game suffered a data breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Planet Calypso
Records
62.3K
Data breachResolved

Quidd data breach (2019)

In 2019, online marketplace for trading stickers, cards, toys, and other collectibles Quidd suffered a data breach. The breach exposed almost 4 million users' email addresses, usernames and passwords stored as bcrypt hashes.

Victim
Quidd
Records
3.8M
Data breachResolved

XKCD data breach (2019)

In July 2019, the forum for webcomic XKCD suffered a data breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored in MD5 phpBB3 format. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies.

Victim
XKCD
Records
562.0K
Data breachResolved

Artvalue data breach (2019)

In June 2019, the France-based art valuation website Artvalue.com left their 158k member subscriber base publicly exposed in a text file on their website. The exposed data included names, usernames, email addresses and passwords stored as MD5 hashes.

Victim
Artvalue
Records
157.7K
Data breachResolved

Social Engineered data breach (2019)

In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the MyBB forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database.

Victim
Social Engineered
Records
89.4K
Data breachResolved

Void.to data breach (2019)

In June 2019, the hacking website Void.to suffered a data breach. There were 95k unique email addresses spread across 86k forum users and other tables in the database.

Victim
Void.to
Records
95.4K
Data breachResolved

Read Novel data breach (2019)

In May 2019, the Chinese literature website Read Novel allegedly suffered a data breach that exposed 22M unique email addresses. Data also included usernames, genders, phone numbers and passwords stored as salted MD5 hashes. Read more about Chinese data breaches in Have I Been Pwned.

Victim
Read Novel
Records
22.4M
Data breachResolved

Aimware data breach (2019)

In mid-2019, the video game cheats website "Aimware" suffered a data breach that exposed hundreds of thousands of subscribers' personal information. Data included email and IP addresses, usernames, forum posts, private messages, website activity and passwords stored as salted MD5 hashes.

Victim
Aimware
Records
305.5K
Data breachResolved

Deezer data breach (2019)

A 2019 snapshot of Deezer user data, retained by a former third-party partner in violation of its contract, was leaked in November 2022 and exposed roughly 229 million records — including names, emails, dates of birth, and locations. No passwords or payment data were affected.

Victim
Deezer
Records
229.0M
Data breachResolved

Instant Checkmate data breach (2019)

In 2019, the public records search service Instant Checkmate suffered a data breach that later came to light in early 2023. The data included almost 12M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.

Victim
Instant Checkmate
Records
11.9M
Data breachResolved

Truth Finder data breach (2019)

In 2019, the public records search service TruthFinder suffered a data breach that later came to light in early 2023. The data included over 8M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.

Victim
Truth Finder
Records
8.2M
Data breachResolved

Storenvy data breach (2019)

In mid-2019, the e-commerce website Storenvy suffered a data breach that exposed millions of customer records. A portion of the breached records were subsequently posted to a hacking forum with cracked password hashes, whilst the entire corpus of 23M rows was put up for sale.

Victim
Storenvy
Records
11.1M
Data breachResolved

Estante Virtual data breach (2019)

In February 2019, the Brazilian book store Estante Virtual suffered a data breach that impacted 5.4M customers. The exposed data included names, usernames, email and physical addresses, phone numbers, dates of birth and unsalted SHA-1 password hashes.

Victim
Estante Virtual
Records
5.4M
Data breachResolved

Lifebear data breach (2019)

In early 2019, the Japanese schedule app Lifebear appeared for sale on a dark web marketplace amongst a raft of other hacked websites. The breach exposed almost 3.7M unique email addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Lifebear
Records
3.7M
Data breachResolved

Verifications.io data breach (2019)

In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses…

Victim
Verifications.io
Records
763.1M
Data breachResolved

CafePress data breach (2019)

In February 2019, the custom merchandise retailer CafePress suffered a data breach. The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes.

Victim
CafePress
Records
23.2M
Data breachResolved

Demon Forums data breach (2019)

In February 2019, the hacking forum Demon Forums suffered a data breach. The compromise of the vBulletin forum exposed 52k unique email addresses alongside usernames and passwords stored as salted MD5 hashes.

Victim
Demon Forums
Records
52.6K
Data breachResolved

YouNow data breach (2019)

In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles.

Victim
YouNow
Records
18.2M
Data breachResolved

LBB data breach (2019)

In August 2022, customer data of the Indian shopping site "LBB" (Little Black Book) was posted to a popular hacking forum. The data contained over 3M records with 39k unique email addresses alongside IP and physical addresses, names and device information with the most recent data dating back to…

Victim
LBB
Records
39.3K
Data breachResolved

devkitPro data breach (2019)

In February 2019, the devkitPro forum suffered a data breach. The phpBB based forum had 1,508 unique email addresses exposed in the breach alongside forum posts, private messages and passwords stored as weak salted hashes. The data breach was self-submitted to HIBP by the forum operator.

Victim
devkitPro
Records
1.5K
Data breachResolved

ixigo data breach (2019)

In January 2019, the travel and hotel booking site ixigo suffered a data breach. The data appeared for sale on a dark web marketplace the following month and included over 17M unique email addresses alongside names, genders, phone numbers, connections to Facebook profiles and passwords stored as…

Victim
ixigo
Records
17.2M
Data breachResolved

Armor Games data breach (2019)

In January 2019, the game portal website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes.

Victim
Armor Games
Records
10.6M
Data breachResolved

IIMJobs data breach (2018)

In December 2018, the Indian job portal IIMJobs suffered a data breach that exposed 4.1 million unique email addresses. The data also included names, phone numbers, geographic locations, dates of birth, job titles, job applications and cover letters plus passwords stored as unsalted MD5 hashes.

Victim
IIMJobs
Records
4.2M
Data breachResolved

BlankMediaGames data breach (2018)

In December 2018, the Town of Salem website produced by BlankMediaGames suffered a data breach. Reported to HIBP by DeHashed, the data contained 7.6M unique user email addresses alongside usernames, IP addresses, purchase histories and passwords stored as phpass hashes.

Victim
BlankMediaGames
Records
7.6M
Data breachResolved

OGUsers (2019 breach) data breach (2018)

In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database.

Victim
OGUsers (2019 breach)
Records
161.1K
Data breachResolved

Wanelo data breach (2018)

In approximately December 2018, the digital mall Wanelo suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019.

Victim
Wanelo
Records
23.2M
Data breachResolved

Mappery data breach (2018)

In December 2018, the mapping website Mappery suffered a data breach that exposed over 205k unique email addresses. The incident also exposed usernames, the geographic location of the user and passwords stored as unsalted SHA-1 hashes.

Victim
Mappery
Records
205.2K
Data breachResolved

Bombuj.eu data breach (2018)

In December 2018, the Slovak website for watching movies online for free Bombuj.eu suffered a data breach. The incident exposed over 575k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Bombuj.eu when contacted about the incident.

Victim
Bombuj.eu
Records
575.4K
Data breachResolved

Dubsmash data breach (2018)

The video-messaging app Dubsmash was breached in December 2018, exposing roughly 162 million accounts with email addresses, usernames and PBKDF2 password hashes that later surfaced for sale on the Dream Market dark-web bazaar via the broker GnosticPlayers.

Victim
Dubsmash
Records
161.7M
Data breachResolved

Technic data breach (2018)

In November 2018, the Minecraft modpack platform known as Technic suffered a data breach. Technic promptly disclosed the breach and advised that the impacted data included over 265k unique users' email and IP addresses, chat logs, private messages and passwords stored as bcrypt hashes with a work…

Victim
Technic
Records
265.4K
Data breachResolved

Morele.net data breach

Attackers stole the customer database of the Polish e-commerce group Morele.net, exposing data on about 2.2 million customers and launching an SMS-phishing campaign that demanded a fake PLN 1 'top-up' via a counterfeit payment gateway. Poland's UODO issued its then-largest GDPR fine of EUR 660,000.

Victim
Morele.net
Records
2.2M
Data breachResolved

Eatigo data breach (2018)

In October 2018, the restaurant reservation service Eatigo suffered a data breach that exposed 2.8 million accounts. The data included email addresses, names, phone numbers, social media profiles, genders and passwords stored as unsalted MD5 hashes.

Victim
Eatigo
Records
2.8M
Data breachResolved

Pluto TV data breach (2018)

In October 2018, the internet television service Pluto TV suffered a data breach which was then shared extensively in hacking communities. Pluto TV "decided not to proactively inform users of the breach" which contained 3.2M unique email and IP addresses, names, usernames, genders, dates of birth…

Victim
Pluto TV
Records
3.2M
Data breachResolved

VimeWorld data breach (2018)

In October 2018, the Russian Minecraft service VimeWorld suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 3.1M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.

Victim
VimeWorld
Records
3.1M
Data breachResolved

HauteLook data breach (2018)

In mid-2018, the fashion shopping site HauteLook was among a raft of sites that were breached and their data then sold in early-2019. The data included over 28 million unique email addresses alongside names, genders, dates of birth and passwords stored as bcrypt hashes.

Victim
HauteLook
Records
28.5M
Data breachResolved

Rbx.Rocks data breach (2018)

In August 2018, the Roblox trading site Rbx.Rocks suffered a data breach. Almost 25k records were sent to HIBP in November and included names, email addresses and passwords stored as bcrypt hashes. In July 2019, a further 125k records emerged bringing the total size of the incident to 150k.

Victim
Rbx.Rocks
Records
150.0K
Data breachResolved

Bookmate data breach (2018)

In mid-2018, the social ebook subscription service Bookmate was among a raft of sites that were breached and their data then sold in early-2019. The data included almost 4 million unique email addresses alongside names, genders, dates of birth and passwords stored as salted SHA-512 hashes.

Victim
Bookmate
Records
3.8M
Data breachResolved

500px data breach (2018)

In mid-2018, the online photography community 500px suffered a data breach. The incident exposed almost 15 million unique email addresses alongside names, usernames, genders, dates of birth and either an MD5 or bcrypt password hash.

Victim
500px
Records
14.9M
Data breachResolved

Stronghold Kingdoms data breach (2018)

In July 2018, the massive multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident which exposed emails addresses, usernames and passwords stored as salted SHA-1 hashes.

Victim
Stronghold Kingdoms
Records
5.2M
Data breachResolved

Zoomcar data breach (2018)

In July 2018, the Indian self-drive car rental company Zoomcar suffered a data breach which was subsequently sold on a dark web marketplace in 2020. The breach exposed over 3.5M records including names, email and IP addresses, phone numbers and passwords stored as bcrypt hashes.

Victim
Zoomcar
Records
3.6M
Data breachResolved

Light's Hope data breach (2018)

In June 2018, the World of Warcraft service Light's Hope suffered a data breach which they subsequently self-submitted to HIBP. Over 30K unique users were impacted and their exposed data included email addresses, dates of birth, private messages and passwords stored as bcrypt hashes.

Victim
Light's Hope
Records
30.5K
Data breachResolved

SHEIN data breach (2018)

In June 2018, fast-fashion retailer SHEIN suffered a breach of its payment systems exposing about 39 million account credentials. In 2022, New York fined parent company Zoetop $1.9 million for understating the breach and failing to notify most victims.

Victim
SHEIN
Loss
$1.9M
Records
39.1M
Data breachResolved

Adult-FanFiction.Org data breach (2018)

In May 2018, the website for sharing adult-orientated works of fiction known as Adult-FanFiction.Org had 186k records exposed in a data breach. The data contained names, email addresses, dates of birth and passwords stored as both MD5 hashes and plain text.

Victim
Adult-FanFiction.Org
Records
186.1K
Data breachResolved

Poshmark data breach (2018)

In May 2018, the social-commerce marketplace Poshmark was breached and roughly 36 million user accounts were exposed, including email addresses, names, usernames, genders, locations and bcrypt-hashed passwords. The company confirmed the incident in August 2019.

Victim
Poshmark
Records
36.4M
Data breachResolved

AerServ data breach (2018)

In April 2018, the ad management platform known as AerServ suffered a data breach. Acquired by InMobi earlier in the year, the AerServ breach impacted over 66k unique email addresses and also included contact information and passwords stored as salted SHA-512 hashes.

Victim
AerServ
Records
66.3K
Data breachResolved

Artsy data breach (2018)

In April 2018, the online arts database Artsy suffered a data breach which consequently appeared for sale on a dark web marketplace. Over 1M accounts were impacted and included IP and email addresses, names and passwords stored as salted SHA-512 hashes.

Victim
Artsy
Records
1.1M
Data breachResolved

Emuparadise data breach (2018)

In April 2018, the self-proclaimed "biggest retro gaming website on earth", Emuparadise, suffered a data breach. The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Emuparadise
Records
1.1M
Data breachResolved

Wendy's data breach (2018)

In March 2018, Wendy's in the Philippines suffered a data breach which impacted over 52k customers and job applicants. The breach exposed extensive personal information including names, email and IP addresses, physical addresses, phone numbers and passwords stored as MD5 hashes.

Victim
Wendy's
Records
52.5K
Data breachResolved

Jobandtalent data breach (2018)

In approximately February 2018, the employment website Jobandtalent suffered a data breach which then appeared for sale alongside other breaches a year later. The incident impacted 11 million subscribers and exposed their names, email and IP addresses and passwords stored as salted SHA-1 hashes.

Victim
Jobandtalent
Records
11.0M
Data breachResolved

JoomlArt data breach (2018)

In January 2018, the Joomla template website JoomlArt inadvertently exposed more than 22k unique customer records in a Jira ticket. The exposed data was from iJoomla and JomSocial, both services that JoomlArt acquired the previous year.

Victim
JoomlArt
Records
22.5K
Data breachResolved

PropTiger data breach (2018)

In January 2018, the Indian property website PropTiger suffered a data breach which resulted in a 3.46GB database file being exposed and subsequently shared extensively on a popular hacking forum 2 years later.

Victim
PropTiger
Records
2.2M
Data breachResolved

Netshoes customer data breach

Brazilian e-commerce giant Netshoes exposed the personal data — names, CPF tax IDs, emails and purchase histories — of about 2 million customers, drawing one of the first major enforcement actions by Brazilian prosecutors over a data breach.

Victim
Netshoes
Loss
$135.0K
Records
2.0M
Data breachResolved

DailyObjects data breach (2018)

In approximately January 2018, a collection of more than 464k customer records from the Indian online retailer DailyObjects were leaked online. The data included names, physical and email addresses, phone numbers and "pincodes" stored in plain text.

Victim
DailyObjects
Records
464.3K
Data breachResolved

Elanic data breach (2018)

In January 2020, the Indian fashion marketplace Elanic had 2.8M records with 2.3M unique email addresses posted publicly to a popular hacking forum. Elanic confirmed that they had "verified the data and it was pulled from one of our test servers where this data was exposed publicly" and that the…

Victim
Elanic
Records
2.3M
Data breachResolved

PetFlow data breach (2017)

In December 2017, the pet care delivery service PetFlow suffered a data breach which consequently appeared for sale on a dark web marketplace. Almost 1M accounts were impacted and exposed email addresses and passwords stored as unsalted MD5 hashes.

Victim
PetFlow
Records
990.9K
Data breachResolved

piZap data breach (2017)

In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019.

Victim
piZap
Records
41.8M
Data breachResolved

Bukalapak data breach (2017)

In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes.

Victim
Bukalapak
Records
13.4M
Data breachResolved

DaFont data breach (2017)

In May 2017, font sharing site DaFont suffered a data breach resulting in the exposure of 637k records. Allegedly due to a SQL injection vulnerability exploited by multiple parties, the exposed data included usernames, email addresses and passwords stored as MD5 without a salt.

Victim
DaFont
Records
637.3K
Data breachResolved

Reincubate data breach (2017)

In October 2020, the app data company Reincubate suffered a data breach which exposed a backup from November 2017 (the newest record in the data appeared several months earlier). The data included over 616k unique email addresses, names and passwords stored as PBKDF2 hashes.

Victim
Reincubate
Records
616.1K
Data breachResolved

Ge.tt data breach (2017)

In May 2017, the file sharing platform Ge.tt suffered a data breach. The data was subsequently put up for sale on a dark web marketplace in February 2019 alongside a raft of other breaches.

Victim
Ge.tt
Records
2.5M
Data breachResolved

Dueling Network data breach (2017)

In March 2017, the Flash game based on the Yu-Gi-Oh trading card game Dueling Network suffered a data breach. The site itself was taken offline in 2016 due to a cease-and-desist order but the forum remained online for another year.

Victim
Dueling Network
Records
6.5M
Data breachResolved

Appartoo data breach (2017)

In March 2017, the French Flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256…

Victim
Appartoo
Records
49.7K
Data breachResolved

DataCamp data breach (2017)

In December 2018, the data science website DataCamp suffered a data breach of records dating back to January 2017. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes.

Victim
DataCamp
Records
760.6K
Data breachResolved

Sephora data breach (2017)

In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information.

Victim
Sephora
Records
780.1K
Data breachResolved

Hub4Tech data breach (2017)

On an unknown date in approximately 2017, the Indian training and assessment service known as Hub4Tech suffered a data breach via a SQL injection attack. The incident exposed almost 37k unique email addresses and passwords stored as unsalted MD5 hashes.

Victim
Hub4Tech
Records
36.9K
Data breachResolved

Russian America data breach (2017)

In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes.

Victim
Russian America
Records
182.7K
Data breachResolved

CashCrate data breach (2016)

In June 2017, news broke that CashCrate had suffered a data breach exposing 6.8 million records. The breach of the cash-for-surveys site dated back to November 2016 and exposed names, physical addresses, email addresses and passwords stored in plain text for older accounts along with weak MD5…

Victim
CashCrate
Records
6.8M
Data breachResolved

Adult FriendFinder (2016) data breach (2016)

In October 2016, the adult entertainment company Friend Finder Networks suffered a massive data breach. The incident impacted multiple separate online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to be "the world's largest sex & swinger community".

Victim
Adult FriendFinder (2016)
Records
169.7M
Data breachResolved

ClixSense data breach (2016)

In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records.

Victim
ClixSense
Records
2.4M
Data breachResolved

PPCGeeks data breach (2016)

In August 2016, the pocket PC fan site forum PPCGeeks suffered a data breach that exposed over 490k records. The breach of the vBulletin forum exposed email and IP addresses, usernames, dates of birth and passwords stored as salted MD5 hashes.

Victim
PPCGeeks
Records
492.5K
Data breachResolved

Cross Fire data breach (2016)

In August 2016, the Russian gaming forum known as Cross Fire (or cfire.mail.ru) was hacked along with a number of other forums on the Russian mail provider, mail.ru. The vBulletin forum contained 12.8 million accounts including usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
Cross Fire
Records
12.9M
Data breachResolved

Пара Па data breach (2016)

In August 2016, the Russian gaming site known as Пара Па (or parapa.mail.ru) was hacked along with a number of other forums on the Russian mail provider, mail.ru. The vBulletin forum contained 4.9 million accounts including usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
Пара Па
Records
4.9M
Data breachResolved

i-Dressup data breach (2016)

In June 2016, the teen social site known as i-Dressup was hacked and over 2 million user accounts were exposed. At the time the hack was reported, the i-Dressup operators were not contactable and the underlying SQL injection flaw remained open, allegedly exposing a total of 5.5 million accounts.

Victim
i-Dressup
Records
2.2M
Data breachResolved

Clash of Kings data breach (2016)

In July 2016, the forum for the game "Clash of Kings" suffered a data breach that impacted 1.6 million subscribers. The impacted data included usernames, IP and email addresses and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Clash of Kings
Records
1.6M
Data breachResolved

Dota2 data breach (2016)

In July 2016, the Dota2 official developers forum suffered a data breach that exposed almost 2 million users. The hack of the vBulletin forum led to the disclosure of email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Dota2
Records
1.9M
Data breachResolved

Shadi.com data breach (2016)

In July 2016, the Muslim dating site Shadi.com suffered a data breach that exposed over 2M members' email addresses. The breach also exposed passwords stored as MD5 hashes alongside their plain text equivalents.

Victim
Shadi.com
Records
2.0M
Data breachResolved

Mac Forums data breach (2016)

In July 2016, the self-proclaimed "Ultimate Source For Your Mac" website Mac Forums suffered a data breach. The vBulletin-based system exposed over 326k usernames, email and IP addresses, dates of birth and passwords stored as salted MD5 hashes.

Victim
Mac Forums
Records
326.7K
Data breachResolved

OnRPG data breach (2016)

In July 2016, the now defunct free online games list website OnRPG suffered a data breach that was later redistributed as part of a larger corpus of data. The incident exposed just over 1M email and IP addresses alongside usernames and passwords stored as salted MD5 hashes.

Victim
OnRPG
Records
1.0M
Data breachResolved

Tunngle data breach (2016)

In 2016, the now defunct global LAN gaming network Tunngle suffered a data breach that exposed 8.2M unique email addresses. The compromised data also included usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Tunngle
Records
8.2M
Data breachResolved

StreetEasy data breach (2016)

In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019.

Victim
StreetEasy
Records
988.2K
Data breachResolved

Whitepages data breach (2016)

In mid-2016, the telephone and address directory service Whitepages was among a raft of sites that were breached and their data then sold in early-2019. The data included over 11 million unique email addresses alongside names and passwords stored as either a SHA-1 or bcrypt hash.

Victim
Whitepages
Records
11.7M
Data breachResolved

Rosebutt Board data breach (2016)

Some time prior to May 2016, the forum known as "Rosebutt Board" was hacked and 107k accounts were exposed. The self-described "top one board for anal fisting, prolapse, huge insertions and rosebutt fans" had email and IP addresses, usernames and weakly stored salted MD5 password hashes hacked from…

Victim
Rosebutt Board
Records
107.3K
Data breachResolved

Foodora data breach (2016)

In April 2016, the online food delivery service Foodora suffered a data breach which was then extensively redistributed online. The breach included the personal information of hundreds of thousands of customers from multiple countries including their names, delivery addresses, phone numbers and…

Victim
Foodora
Records
582.6K
Data breachResolved

17 data breach (2016)

In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.

Victim
17
Records
4.0M
Data breachResolved

Tuned Global data breach (2016)

In January 2021, data from a number of breached services including Tuned Global were released to a public hacking forum. The breach appears to date back to 2016 and includes 985k records containing email addresses, names, a small number of physical addresses and phone numbers and passwords stored…

Victim
Tuned Global
Records
985.6K
Data breachResolved

Naughty America data breach (2016)

In March 2016, the adult website Naughty America was hacked and the data consequently sold online. The breach included data from numerous systems with various personal identity attributes, the largest of which had passwords stored as easily crackable MD5 hashes.

Victim
Naughty America
Records
1.4M
Data breachResolved

Mate1.com data breach (2016)

In February 2016, the dating site mate1.com suffered a huge data breach resulting in the disclosure of over 27 million subscribers' information. The data included deeply personal information about their private lives including drug and alcohol habits, incomes levels and sexual fetishes as well as…

Victim
Mate1.com
Records
27.4M
Data breachResolved

SkTorrent data breach (2016)

In February 2016, the Slovak torrent tracking site SkTorrent was hacked and over 117k records leaked online. The data dump included usernames, email addresses and passwords stored in plain text.

Victim
SkTorrent
Records
117.1K
Data breachResolved

Battlefy data breach (2016)

In January 2016, the esports website Battlefy suffered a data breach that exposed 83k customer records. The impacted data included email addresses, usernames and passwords stored as bcrypt hashes.

Victim
Battlefy
Records
83.6K
Data breachResolved

EpicNPC data breach (2016)

In January 2016, the hacked account reseller EpicNPC suffered a data breach that impacted 409k subscribers. The impacted data included usernames, IP and email addresses and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
EpicNPC
Records
408.8K
Data breachResolved

Anime-Planet data breach (2016)

In approximately 2016, the anime website Anime-Planet suffered a data breach that impacted 369k subscribers. The exposed data included usernames, IP and email addresses, dates of birth and passwords stored as unsalted MD5 hashes and for newer accounts, bcrypt hashes.

Victim
Anime-Planet
Records
368.5K
Data breachResolved

BitTorrent data breach (2016)

In January 2016, the forum for the popular torrent software BitTorrent was hacked. The IP.Board based forum stored passwords as weak SHA1 salted hashes and the breached data also included usernames, email and IP addresses.

Victim
BitTorrent
Records
34.2K
Data breachResolved

D3Scene data breach (2016)

In January 2016, the gaming website D3Scene, suffered a data breach. The compromised vBulletin forum exposed 569k million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
D3Scene
Records
568.8K
Data breachResolved

Lifeboat data breach (2016)

In January 2016, the Minecraft community known as Lifeboat was hacked and more than 7 million accounts leaked. Lifeboat knew of the incident for three months before the breach was made public but elected not to advise customers.

Victim
Lifeboat
Records
7.1M
Data breachResolved

MoDaCo data breach (2016)

In approximately January 2016, the UK based Android community known as MoDaCo suffered a data breach which exposed 880k subscriber identities. The data included email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
MoDaCo
Records
879.7K
Data breachResolved

Trillian data breach (2015)

In December 2015, the instant messaging application Trillian suffered a data breach. The breach became known in July 2016 and exposed various personal data attributes including names, email addresses and passwords stored as salted MD5 hashes.

Victim
Trillian
Records
3.8M
Data breachResolved

R2Games data breach (2015)

In late 2015, the gaming website R2Games was hacked and more than 2.1M personal records disclosed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
R2Games
Records
22.3M
Data breachResolved

Go Games data breach (2015)

In approximately October 2015, the manga website Go Games suffered a data breach. The exposed data included 3.4M customer records including email and IP addresses, usernames and passwords stored as salted MD5 hashes. Go Games did not respond when contacted about the incident.

Victim
Go Games
Records
3.4M
Data breachResolved

Gamerzplanet data breach (2015)

In approximately October 2015, the online gaming forum known as Gamerzplanet was hacked and more than 1.2M accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Gamerzplanet
Records
1.2M
Data breachResolved

NapsGear data breach (2015)

In October 2015, the anabolic steroids retailer NapsGear suffered a data breach. An extensive amount of personal information on 287k customers was exposed including email addresses, names, addresses, phone numbers, purchase histories and salted MD5 password hashes.

Victim
NapsGear
Records
287.1K
Data breachResolved

Patreon data breach (2015)

In October 2015, the crowdfunding site Patreon was hacked and over 16GB of data was released publicly. The dump included almost 14GB of database records with more than 2.3M unique email addresses, millions of personal messages and passwords stored as bcrypt hashes.

Victim
Patreon
Records
2.3M
Data breachResolved

StoryBird data breach (2015)

In August 2015, the storytelling service StoryBird suffered a data breach exposing 4 million records with 1 million unique email addresses. Impacted data also included names, usernames and passwords stored as PBKDF2 hashes. The data was provided to HIBP by dehashed.com.

Victim
StoryBird
Records
1.0M
Data breachResolved

Pokébip data breach (2015)

In July 2015, the French Pokémon site Pokébip suffered a data breach which exposed 657k subscriber identities. The data included email and IP addresses, usernames and passwords stored as unsalted MD5 hashes.

Victim
Pokébip
Records
657.0K
Data breachResolved

Seedpeer data breach (2015)

In July 2015, the torrent site Seedpeer was hacked and 282k member records were exposed. The data included usernames, email addresses and passwords stored as weak MD5 hashes.

Victim
Seedpeer
Records
281.9K
Data breachResolved

Plex data breach (2015)

In July 2015, the discussion forum for Plex media centre was hacked and over 327k accounts exposed. The IP.Board forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Plex
Records
327.3K
Data breachResolved

iPmart data breach (2015)

During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
iPmart
Records
2.5M
Data breachResolved

PS3Hax data breach (2015)

In approximately July 2015, the Sony Playstation hacks and mods forum known as PS3Hax was hacked and more than 447k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
PS3Hax
Records
447.4K
Data breachResolved

Minefield data breach (2015)

In June 2015, the French Minecraft server known as Minefield was hacked and 188k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Minefield
Records
188.3K
Data breachResolved

Gaadi data breach (2015)

In May 2015, the Indian motoring website known as Gaadi had 4.3 million records exposed in a data breach. The data contained usernames, email and IP addresses, genders, the city of users as well as passwords stored in both plain text and as MD5 hashes.

Victim
Gaadi
Records
4.3M
Data breachResolved

mSpy data breach (2015)

In May 2015, the "monitoring" software known as mSpy suffered a major data breach. The software (allegedly often used to spy on unsuspecting victims), stored extensive personal information within their online service which after being breached, was made freely available on the internet.

Victim
mSpy
Records
699.8K
Data breachResolved

Kimsufi data breach (2015)

In mid-2015, the forum for the providers of affordable dedicated servers known as Kimsufi suffered a data breach. The vBulletin forum contained over half a million accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
Kimsufi
Records
504.6K
Data breachResolved

OVH data breach (2015)

In mid-2015, the forum for the hosting provider known as OVH suffered a data breach. The vBulletin forum contained 453k accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
OVH
Records
452.9K
Data breachResolved

SweClockers.com data breach (2015)

In early 2015, the Swedish tech news site SweClockers was hacked and 255k accounts were exposed. The attack led to the exposure of usernames, email addresses and salted hashes of passwords stored with a combination of MD5 and SHA512.

Victim
SweClockers.com
Records
254.9K
Data breachResolved

Snail data breach (2015)

In March 2015, the gaming website Snail suffered a data breach that impacted 1.4 million subscribers. The impacted data included usernames, IP and email addresses and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Snail
Records
1.4M
Data breachResolved

PSX-Scene data breach (2015)

In approximately February 2015, the Sony Playstation forum known as PSX-Scene was hacked and more than 340k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
PSX-Scene
Records
341.1K
Data breachResolved

Xbox-Scene data breach (2015)

In approximately February 2015, the Xbox forum known as Xbox-Scene was hacked and more than 432k accounts were exposed. The IP.Board forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Xbox-Scene
Records
432.6K
Data breachResolved

Lizard Squad data breach (2015)

In January 2015, the hacker collective known as "Lizard Squad" created a DDoS service by the name of "Lizard Stresser" which could be procured to mount attacks against online targets.

Victim
Lizard Squad
Records
13.5K
Data breachResolved

Malwarebytes data breach (2014)

In November 2014, the Malwarebytes forum was hacked and 111k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
Malwarebytes
Records
111.6K
Data breachResolved

Bot of Legends data breach (2014)

In November 2014, the forum for Bot of Legends suffered a data breach. The IP.Board forum contained 238k accounts including usernames, email and IP addresses and passwords stored as salted MD5 hashes.

Victim
Bot of Legends
Records
238.4K
Data breachResolved

Tout data breach (2014)

In approximately September 2014, the now defunct social networking service Tout suffered a data breach. The breach subsequently appeared years later and included 653k unique email addresses, names, IP addresses, the location of the user, their bio and passwords stored as bcrypt hashes.

Victim
Tout
Records
652.7K
Data breachResolved

Sumo Torrent data breach (2014)

In June 2014, the torrent site Sumo Torrent was hacked and 285k member records were exposed. The data included IP addresses, email addresses and passwords stored as weak MD5 hashes.

Victim
Sumo Torrent
Records
285.2K
Data breachResolved

Domino's data breach (2014)

In June 2014, Domino's Pizza in France and Belgium was hacked by a group going by the name "Rex Mundi" and their customer data held to ransom. Domino's refused to pay the ransom and six months later, the attackers released the data along with troves of other hacked accounts.

Victim
Domino's
Records
648.2K
Data breachResolved

BigMoneyJobs data breach (2014)

In April 2014, the job site bigmoneyjobs.com was hacked by an attacker known as "ProbablyOnion". The attack resulted in the exposure of over 36,000 user accounts including email addresses, usernames and passwords which were stored in plain text.

Victim
BigMoneyJobs
Records
36.8K
Data breachResolved

HiAPK data breach (2014)

In approximately 2014, it's alleged that the Chinese Android store known as HIAPK suffered a data breach that impacted 13.8 million unique subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as…

Victim
HiAPK
Records
13.9M
Data breachResolved

Mecho Download data breach (2013)

In October 2013, the (now defunct) downloads website "Mecho Download" suffered a data breach that exposed 438k records. Data from the vBulletin based website included email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Mecho Download
Records
437.9K
Data breachResolved

Yatra data breach (2013)

In September 2013, the Indian bookings website known as Yatra had 5 million records exposed in a data breach. The data contained email and physical addresses, dates of birth and phone numbers along with both PINs and passwords stored in plain text.

Victim
Yatra
Records
5.0M
Data breachResolved

Evite data breach (2013)

An archived 2013 database from social-invitations site Evite was accessed by an attacker and later traded online, exposing roughly 101 million unique email addresses along with names, phone numbers, postal addresses, dates of birth and plaintext passwords.

Victim
Evite
Records
101.0M
Data breachResolved

OwnedCore data breach (2013)

In approximately August 2013, the World of Warcraft exploits forum known as OwnedCore was hacked and more than 880k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

Victim
OwnedCore
Records
880.3K
Data breachResolved

Nexus Mods data breach (2013)

In December 2015, the game modding site Nexus Mods released a statement notifying users that they had been hacked. They subsequently dated the hack as having occurred in July 2013 although there is evidence to suggest the data was being traded months in advance of that.

Victim
Nexus Mods
Records
5.9M
Data breachResolved

Neopets data breach (2013)

In May 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email…

Victim
Neopets
Records
26.9M
Data breachResolved

Brazzers data breach (2013)

In April 2013, the adult website known as Brazzers was hacked and 790k accounts were exposed publicly. Each record included a username, email address and password stored in plain text. The breach was brought to light by the Vigilante.pw data breach reporting site in September 2016.

Victim
Brazzers
Records
790.7K
Data breachResolved

Xiaomi data breach (2012)

In August 2012, the Xiaomi user forum website suffered a data breach. In all, 7 million email addresses appeared in the breach although a significant portion of them were numeric aliases on the bbs_ml_as_uid.xiaomi.com domain.

Victim
Xiaomi
Records
7.1M
Data breachResolved

Yahoo data breach (2012)

In July 2012, Yahoo! had their online publishing service "Voices" compromised via a SQL injection attack. The breach resulted in the disclosure of nearly half a million usernames and passwords stored in plain text.

Victim
Yahoo
Records
453.4K
Data breachResolved

Gamigo data breach (2012)

In March 2012, the German online game publisher Gamigo was hacked and more than 8 million accounts publicly leaked. The breach included email addresses and passwords stored as weak MD5 hashes with no salt.

Victim
Gamigo
Records
8.2M
Data breachResolved

Taobao data breach (2012)

In approximately 2012, it's alleged that the Chinese shopping site known as Taobao suffered a data breach that impacted over 21 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as…

Victim
Taobao
Records
21.1M
Data breachResolved

hemmelig.com data breach (2011)

In December 2011, Norway's largest online sex shop hemmelig.com was hacked by a collective calling themselves "Team Appunity". The attack exposed over 28,000 usernames and email addresses along with nicknames, gender, year of birth and unsalted MD5 password hashes.

Victim
hemmelig.com
Records
28.6K
Data breachResolved

Android Forums data breach (2011)

In October 2011, the Android Forums website was hacked and 745k user accounts were subsequently leaked publicly. The compromised data included email addresses, user birth dates and passwords stored as a salted MD5 hash.

Victim
Android Forums
Records
745.4K
Data breachResolved

Battlefield Heroes data breach (2011)

In June 2011 as part of a final breached data dump, the hacker collective "LulzSec" obtained and released over half a million usernames and passwords from the game Battlefield Heroes.

Victim
Battlefield Heroes
Records
530.3K
Data breachResolved

Dangdang data breach (2011)

In 2011, the Chinese e-commerce site Dangdang suffered a data breach. The incident exposed over 4.8 million unique email addresses which were subsequently traded online over the ensuing years.

Victim
Dangdang
Records
4.8M
Data breachResolved

Fling data breach (2011)

In 2011, the self-proclaimed "World's Best Adult Social Network" website known as Fling was hacked and more than 40 million accounts obtained by the attacker.

Victim
Fling
Records
40.8M
Data breachResolved

Baby Names data breach (2008)

In approximately 2008, the site to help parents name their children known as Baby Names suffered a data breach. The incident exposed 846k email addresses and passwords stored as salted MD5 hashes.

Victim
Baby Names
Records
846.7K
Data breachResolved

gPotato data breach (2007)

In July 2007, the multiplayer game portal known as gPotato (link to archive of the site at that time) suffered a data breach and over 2 million user accounts were exposed. The site later merged into the Webzen portal where the original accounts still exist today.

Victim
gPotato
Records
2.1M
Data breachResolved

TJX Companies (T.J. Maxx) card breach

Attackers led by Albert Gonzalez sniffed weakly-encrypted in-store Wi-Fi at a Marshalls outlet and pivoted to TJX's central systems, exfiltrating an estimated 94 million payment-card records over an 18-month intrusion — the largest U.S. retail data breach of its era.

Victim
The TJX Companies, Inc.
Loss
$256.0M
Records
94.0M