Skip to content

Incidents in sector:

Technology

Data breachOngoing

Nintendo employee survey data stolen via third-party TinyPulse platform

Nintendo of America confirmed that threat actors stole internal employee survey data from TinyPulse, a third-party HR engagement platform it used, after the SHADOWBYT3$ group claimed to have exfiltrated about 859 MB of data and demanded a US$2 million ransom — while stressing that Nintendo's own systems and customer data were not affected.

Victim
Nintendo of America
Credential stuffingOngoing

FortiBleed: leaked dataset exposes VPN credentials for ~74,000 Fortinet firewalls

A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials — including plaintext passwords — for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.

Victim
Organizations running Fortinet FortiGate firewalls worldwide
Supply chainContained

OptinMonster, TrustPulse and PushEngage WordPress plugins backdoored in Awesome Motive CDN supply-chain attack

Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.

Victim
Awesome Motive (OptinMonster, TrustPulse, PushEngage)
MalwareContained

152 'live wallpaper' Chrome extensions caught harvesting user data and faking Google search traffic

Socket's Threat Research Team uncovered a coordinated family of 152 new-tab 'live wallpaper' Chrome extensions, spread across 38 publisher accounts and three brands, that secretly logged user telemetry and laundered extension-generated visits into fake Google organic search traffic despite declaring they collected no data.

Victim
Google Chrome Web Store users
Supply chainOngoing

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim
Arch User Repository (AUR)
Data breachOngoing

Leak at Once for all (via Actradis)

On 11 May 2026, Once For All disclosed unauthorized access to its Actradis B2B compliance platform, exposing professional contact data (names, professional emails, phone and contact details); a leaked database circulating since early May reportedly held about 305,000 records.

Victim
Once for all
Data breachRansom paid

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools — names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim
Instructure (Canvas LMS)
Loss
$10.0M
Records
275.0M
Data breachResolved

Reborn Gaming data breach (2026)

In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.

Victim
Reborn Gaming
Records
126
Data breachResolved

My Lovely AI data breach (2026)

In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames.

Victim
My Lovely AI
Records
106.3K
Data breachContained

Leak at Cloud Imperium Games

Cloud Imperium Games, developer of Star Citizen and Squadron 42, disclosed in March 2026 that a January attack on its backup systems gave intruders read-only access to player account data including names, usernames, dates of birth and contact details.

Victim
Cloud Imperium Games
Data breachResolved

KomikoAI data breach (2026)

In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

Victim
KomikoAI
Records
1.1M
Data breachResolved

Lovora data breach (2026)

In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app.

Victim
Lovora
Records
495.6K
Supply chainOngoing

Claimed leak at MaSalleDeSport - unspecified volume

On 22 February 2026, a hacker known as "84City" claimed to have breached MaSalleDeSport, a CRM and management provider for 2,000+ French gyms (Basic-Fit, Fitness Park, ON AIR Fitness, L'Orange Bleue), exposing member names, phone numbers, SMS and addresses for a potential 1M+ people.

Victim
MaSalleDeSport (Basic-Fit, Fitness Park..)
Data breachUnknown

Leak at Espace CE

In February 2026, personal data belonging to thousands of employees was found circulating on the dark web after a breach of Espace CE (Espace CSE), a French platform managing benefits for Works Councils; exposed fields included names, contact details, dates of birth and hashed passwords.

Victim
Espace CE
Data breachResolved

Quitbro data breach (2026)

In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time.

Victim
Quitbro
Records
22.9K
Data breachContained

Data leak at Sumsub

In February 2026, identity-verification (KYC) provider Sumsub disclosed a 2024 breach — undetected for ~18 months — in which an attacker reached a customer-support environment and exposed the names, email addresses and phone numbers of clients of crypto and fintech platforms it serves.

Victim
Sumsub
Data breachResolved

Toy Battles data breach (2026)

In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.

Victim
Toy Battles
Records
1.0K
Data breachUnknown

Leak at OpQuast

On 30 January 2026, a data leak at Opquast — the French web-quality assurance and certification company based in Mérignac — exposed the email addresses of around one hundred people.

Victim
OpQuast
Data breachOngoing

Leak at Instagram

In January 2026 a dataset of about 17.5 million Instagram records — usernames, full names, email addresses, phone numbers and partial location data — went up for sale on a dark-web forum, reportedly harvested via a 2024 API scraping leak.

Victim
Instagram
Records
17.5M
Data breachUnknown

Claimed leak at ACRV.FR (web agency)

On 10 January 2026, a threat actor claimed a data leak at French digital agency ACRV.FR, alleging it had exfiltrated archives and databases tied to several client sites the agency hosts or maintains; the claim is unverified and the scale is unconfirmed.

Victim
ACRV.FR (web agency)
Data breachContained

Data leak at DCE Conseil and partners (prisons, armed forces, luxury)

French engineering consultancy DCE Conseil suffered a breach after an employee's cloud account was compromised with stolen credentials, exposing roughly 844 GB of sensitive technical files — including plans of prisons, a military base and luxury and corporate clients — later offered for sale on BreachForums.

Victim
DCE Conseil (Various partners: prisons, armed forces, luxury, etc.)
Data breachUnknown

Leak at Europages

On 28 December 2025, a database of 205,403 B2B prospects from European business directory Europages was reported leaked, exposing contact and company-registration details (names, job titles, employers, postal and email addresses, phone numbers, SIRET and VAT identifiers).

Victim
Europages
Records
205.4K
Data breachContained

Leak at HelloWork

In late December 2025, French recruitment platform HelloWork disclosed that data on roughly 2.8 million jobseekers — names, emails and professional-profile details — was scraped from its CV library via a fraudulently used recruiter account and offered for sale online.

Victim
HelloWork
Records
2.8M
Data breachContained

Data leak at SoundCloud

In December 2025, music-streaming platform SoundCloud disclosed a breach in which an attacker abused an internal system to map roughly 29.8 million private email addresses to public profile data — about 20% of its users; no passwords or payment data were taken.

Victim
SoundCloud
Records
29.8M
Data breachUnknown

Leak at Oui Heberg

On 10 November 2025, French web-hosting and VPS provider OuiHeberg was reported to have leaked customer contact records — names, email addresses, phone numbers and postal addresses — following a security incident affecting its infrastructure.

Victim
Oui Heberg
Data breachUnknown

Leak at MYM

In November 2025, a database of around 5 million records from French adult-content subscription platform MYM was published on a cybercrime forum, exposing creators' and subscribers' names, emails, postal addresses, phone numbers, IP addresses, birthdates and MD5-hashed passwords; the data traces back to a 2021 compromise.

Victim
MYM
Records
5.0M
Supply chainContained

Leak at Discord

On 4 October 2025 Discord disclosed a breach of a third-party customer-support provider that exposed support-ticket data and roughly 70,000 government-ID photos (submitted for age-verification appeals), plus names, emails, IP addresses and partial billing details.

Victim
Discord
Records
70.0K
Data breachContained

Leak at Plex

On 9 September 2025, media-streaming software company Plex disclosed that an unauthorized third party had accessed one of its databases, exposing user emails, usernames, securely hashed passwords and authentication data, and forcing an account-wide password reset.

Victim
Plex
Social engineeringContained

Leak at Google

In August 2025, Google confirmed that a Salesforce CRM instance holding contact data for small-business Google Ads prospects was breached by ShinyHunters (UNC6040) via a vishing attack, exposing roughly 2.55 million records of business names, emails and phone numbers.

Victim
Google
Records
2.5M
RansomwareUnknown

Leak at Partner Immo

On 13 August 2025, Partner Immo, a French provider of online property- and condominium-management software, was reported as the target of a ransomware/data-leak incident; the exact scope and exposed data were not publicly confirmed.

Victim
Partner Immo
Data breachResolved

MaReads data breach (2025)

In June 2025, MaReads, the website for readers and writers of Thai-language fiction and comics suffered a data breach that exposed 74k records. The breach included usernames, email addresses, phone numbers and dates of birth. MaReads is aware of the breach.

Victim
MaReads
Records
74.5K
Data breachResolved

Data Troll Stealer Logs data breach (2025)

In June 2025, headlines erupted over a "16 billion password" breach. In reality, the dataset was a compilation of publicly accessible stealer logs, mostly repurposed from older leaks, with only a small portion of genuinely new material.

Victim
Data Troll Stealer Logs
Records
109.5M
Data breachResolved

ColoCrossing data breach (2025)

In May 2025, hosting provider ColoCrossing identified a data breach that impacted customers of their ColoCloud virtual server product. ColoCrossing advised the incident was isolated to their cloud/VPS platform and stemmed from a single sign-on vulnerability.

Victim
ColoCrossing
Records
7.2K
Data breachResolved

Synthient Stealer Log Threat Data data breach (2025)

During 2025, Synthient aggregated billions of records of "threat data" from various internet sources. The data contained 183M unique email addresses alongside the websites they were entered into and the passwords used.

Victim
Synthient Stealer Log Threat Data
Records
183.0M
Vulnerability exploitContained

Leak at Oracle Cloud

In late March 2025, a threat actor known as 'rose87168' claimed to have stolen roughly 6 million authentication records from an Oracle Cloud SSO/LDAP endpoint, potentially affecting over 140,000 tenants; Oracle initially denied any breach before privately confirming a compromise to customers.

Victim
Oracle Cloud
Records
6.0M
Data breachResolved

ALIEN TXTBASE Stealer Logs data breach (2025)

In February 2025, 23 billion rows of stealer logs were obtained from a Telegram channel known as ALIEN TXTBASE. The data contained 284M unique email addresses alongside the websites they were entered into and the passwords used.

Victim
ALIEN TXTBASE Stealer Logs
Records
284.1M
Supply chainContained

Leak at Espace-Recettes.fr Vorwerk

In early February 2025, Vorwerk's Thermomix recipe community Espace-Recettes.fr (Rezeptwelt) was breached via a compromised third-party server, exposing names, postal addresses, emails, phone numbers, dates of birth and cooking preferences of roughly 3.3 million users across several countries.

Victim
Espace-Recettes.fr Vorwerk
Data breachResolved

Stealer Logs, Jan 2025 data breach (2025)

In January 2025, stealer logs with 71M email addresses were added to HIBP. Consisting of email address, password and the website the credentials were entered against, this breach marks the launch of a new HIBP feature enabling the retrieval of the specific websites the logs were collected against.

Victim
Stealer Logs, Jan 2025
Records
71.0M
RansomwareContained

Leak at Atos

On 28 December 2024, the Space Bears ransomware group claimed to have compromised an Atos database; the French IT giant investigated and concluded its own systems were not breached, attributing the leaked Atos-related data to a compromised external third-party infrastructure.

Victim
Atos
RansomwareOngoing

Leak at Arsoé

A ransomware attack disclosed in late December 2024 crippled Arsoé de Soual, the agricultural IT provider hosting livestock-management software for ~30,000 farmers across some 22 French departments; systems were encrypted and a ransom demanded, with no data exfiltration detected.

Victim
Arsoé
Supply chainContained

Leak at Cyberhaven

On 25 Dec 2024, data-security firm Cyberhaven's Chrome extension was hijacked via a phishing attack and pushed a malicious update that exfiltrated cookies and session tokens from roughly 400,000 users over a 24-hour window.

Victim
Cyberhaven
Data breachUnknown

Leak at JVS

On 26 November 2024, a dataset of user-account records tied to JVS-Mairistem — a leading French software vendor for municipalities and local authorities — was reported leaked, exposing names, email addresses, logins, phone numbers and the associated local authority.

Victim
JVS
Data breachResolved

Senior Dating data breach (2024)

In 2024, the 40+ dating website Senior Dating suffered a data breach. Attributed to an exposed Firebase database, the breach included extensive personal information on 766k users of the service including email addresses, photos, genders, links to Facebook accounts, dates of birth and precise…

Victim
Senior Dating
Records
765.5K
Data breachResolved

FlipaClip data breach (2024)

In November 2024, the animation app FlipaClip suffered a data breach that exposed almost 900k records due to an exposed Firebase server. The impacted data included name, email address, country and date of birth. FlipaClip advised the issue has since been rectified.

Victim
FlipaClip
Records
892.9K
Data breachResolved

SuperDraft data breach (2024)

In October 2024, the fantasy sports platform SuperDraft suffered a data breach that exposed over 300k customer records. The breach contained 24GB of data including email addresses, usernames, purchases, latitudes and longitudes, dates of birth and bcrypt password hashes.

Victim
SuperDraft
Records
300.2K
Data breachResolved

Muah.AI data breach (2024)

In September 2024, the "AI girlfriend" website Muah.AI suffered a data breach. The breach exposed 1.9M email addresses alongside prompts to generate AI-based images. Many of the prompts were highly sexual in nature, with many also describing child exploitation scenarios.

Victim
Muah.AI
Records
1.9M
Supply chainContained

Leak at Cybertek

On 12 September 2024, French computer-hardware retailer Cybertek disclosed a customer data breach stemming from a compromised shared IT provider, exposing names, email and postal addresses and phone numbers; passwords and payment data were not affected.

Victim
Cybertek
Data breachResolved

Explore Talent (August 2024) data breach (2024)

In August 2024, a slew of security vulnerabilities were identified with a conglomerate of online services which included the talent network Explore Talent. A vulnerable API exposed the personal records of 11.4M users of the service of which 8.9M unique email addresses were provided to HIBP.

Victim
Explore Talent (August 2024)
Records
8.9M
Data breachResolved

Tracki data breach (2024)

In August 2024, a slew of security vulnerabilities were identified with a conglomerate of online services which included the GPS tracking service Tracki. Multiple vulnerabilities exposed the personal records of 372k users of the service including names and email addresses.

Victim
Tracki
Records
372.6K
Data breachResolved

Chris Leong data breach (2024)

In August 2024, the website of Master Chris Leong "a leading Tit Tar practitioner in Malaysia" suffered a data breach. The incident exposed 27k unique email addresses along with names, physical addresses, dates of birth, genders, nationalities and in many cases, links to Facebook profiles.

Victim
Chris Leong
Records
27.1K
Data breachResolved

Stealer Logs Posted to Telegram data breach (2024)

In July 2024, info stealer logs with 26M unique email addresses were collated from malicious Telegram channels. The data contained 22GB of logs consisting of email addresses, passwords and the websites they were used on, all obtained by malware running on infected machines.

Victim
Stealer Logs Posted to Telegram
Records
26.1M
Data breachResolved

FNTECH data breach (2024)

In July 2024, the events management platform FNTECH suffered a data breach that exposed 10k unique email addresses. The data contained registrants from various events, including participants of the Roblox Developer Conference registration list. The data also included names and IP addresses.

Victim
FNTECH
Records
10.4K
Data breachResolved

Ladies.com data breach (2024)

In 2024, the lesbian dating website ladies.com suffered a data breach. Attributed to an exposed Firebase database, the breach included extensive personal information on 119k users of the service including email addresses, photos, sexual orientation, genders, dates of birth and precise latitude and…

Victim
Ladies.com
Records
118.8K
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
Data breachResolved

Combolists Posted to Telegram data breach (2024)

In May 2024, 2B rows of data with 361M unique email addresses were collated from malicious Telegram channels. The data contained 122GB across 1.7k files with email addresses, usernames, passwords and in many cases, the website they were entered into.

Victim
Combolists Posted to Telegram
Records
361.5M
Supply chainContained

XZ Utils backdoor (CVE-2024-3094)

A multi-year social-engineering campaign by a maintainer persona named 'Jia Tan' planted a hidden SSH backdoor in the XZ Utils compression library (liblzma) versions 5.6.0 and 5.6.1, scoring CVSS 10.0 — caught by chance days before it could reach stable Linux releases worldwide.

Victim
XZ Utils / Linux open-source ecosystem
Data breachResolved

Mr. Green Gaming data breach (2024)

In March 2024, the online games community Mr. Green Gaming suffered a data breach that exposed 27k user records. Acknowledged on their Discord server, the incident exposed email and IP addresses, usernames, geographic locations and dates of birth.

Victim
Mr. Green Gaming
Records
27.1K
Data breachResolved

Doxbin (TOoDA) data breach (2024)

In February 2025, the "doxing" website Doxbin was compromised by a group calling themselves "TOoDA" and the data dumped publicly. Included in the breach were 336k unique email addresses alongside usernames.

Victim
Doxbin (TOoDA)
Records
136.5K
Data breachResolved

Spoutible data breach (2024)

In January 2024, Spoutible had 207k records scraped from a misconfigured API that inadvertently returned excessive personal information. The data included names, usernames, email and IP addresses, phone numbers (where provided to the platform), genders and bcrypt password hashes.

Victim
Spoutible
Records
207.1K
Data breachResolved

InflateVids data breach (2023)

In December 2023, the inflatable and balloon fetish videos website InflateVids suffered a data breach. The incident exposed over 13k unique email addresses alongside usernames, IP addresses, genders and SHA-1 password hashes.

Victim
InflateVids
Records
13.4K
RansomwareContained

Westpole LockBit ransomware — Italian PA outage (2023)

LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.

Victim
Westpole / PA Digitale (Urbi platform)
RansomwareResolved

IFX Networks supply-chain ransomware attack

A ransomware attack on regional cloud provider IFX Networks cascaded into more than 50 Colombian state and private entities — including the Ministry of Health, the Judiciary, and the Superintendency of Industry and Commerce — and affected 762 organisations across Latin America.

Victim
IFX Networks (Colombian government clients)
Data breachResolved

PlayCyberGames data breach (2023)

In August 2023, PlayCyberGames which "allows users to play any games with LAN function or games using IP address" suffered a data breach which exposed 3.7M customer records. The data included email addresses, usernames and MD5 password hashes with a constant value in the "salt" field.

Victim
PlayCyberGames
Records
3.7M
Data breachResolved

MagicDuel data breach (2023)

In August 2023, the MagicDuel Adventure website suffered a data breach that exposed 138k user records. The data included player names, email and IP addresses and bcrypt password hashes.

Victim
MagicDuel
Records
138.4K
RansomwareContained

Xplain Play ransomware and Swiss federal documents leak (2023)

Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration — including classified content, personal data, and readable passwords — were published on Play's dark-web leak site in June 2023.

Victim
Xplain (Swiss IT services provider to the Federal Administration)
Records
1.3M
EspionageContained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim
Microsoft customers (US State Department, Department of Commerce, ~25 organisations)
Data breachResolved

Tigo data breach (2023)

In Mid-2023, 300GB of data containing over 100M records from the Chinese video chat platform "Tigo" dating back to March that year was discovered. The data contained over 700k unique names, usernames, email and IP addresses, genders, profile photos and private messages.

Victim
Tigo
Records
700.4K
Supply chainResolved

3CX supply-chain attack (DPRK)

North Korea-linked actors trojanized the 3CXDesktopApp softphone client, distributing the SmoothOperator malware through a legitimately-signed update to a customer base of over 600,000 organizations — the first documented cascading software supply-chain compromise, itself enabled by a prior breach of trading software X_TRADER.

Victim
3CX (3CXDesktopApp customers)
Data breachResolved

Abandonia (2022) data breach (2022)

In November 2022, the gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in the exposure of 920k unique user records. This breach was in addition to another one 7 years earlier in 2015.

Victim
Abandonia (2022)
Records
919.8K
Data breachResolved

GGCorp data breach (2022)

In August 2022, the MMORPG website GGCorp suffered a data breach that exposed almost 2.4M unique email addresses. The data also included IP addresses, usernames and MD5 password hashes.

Victim
GGCorp
Records
2.4M
Data breachResolved

iMenu360 data breach (2022)

In approximately late 2022, 3.4M customer records from iMenu360 ("The world's #1 most trusted online ordering platform") were exposed. The data appeared to be from ordering systems using the platform and contained email and physical addresses, latitudes and longitudes, names and phone numbers.

Victim
iMenu360
Records
3.4M
Data breachResolved

Vultr data breach (2022)

In March 2023, the "AI-first global cloud platform" Vultr disclosed a security incident at a third-party vendor. Dating back to the previous year, the incident was attributed to the ActiveCampaign email marketing service provider and resulted in the exposure of 188k unique email addresses.

Victim
Vultr
Records
187.9K
Data breachResolved

Fanpass data breach (2022)

In April 2022, the UK based website for buying and selling soccer tickets Fanpass suffered a data breach which exposed 112k customer records. Impacted data includes names, phone numbers, physical addresses, purchase histories and salted password hashes.

Victim
Fanpass
Records
112.3K
Insider threatResolved

Yandex.Eda customer data leak

Yandex's food-delivery service Yandex.Eda leaked the names, phone numbers, addresses, intercom codes and order details of more than 58,000 customers, which were later mapped onto an interactive public website. Russian regulator Roskomnadzor opened a case and a Moscow court fined the company 60,000 rubles.

Victim
Yandex.Eda
Loss
$700
Records
58.0K
WiperResolved

WhisperGate wiper attack

On the eve of Russia's invasion, a destructive wiper disguised as ransomware corrupted master boot records and files across dozens of Ukrainian government, IT and non-profit organisations, defacing official websites and signalling the cyber dimension of the coming war.

Victim
Ukrainian government, IT and non-profit organisations
Data breachResolved

Doxbin data breach (2022)

In January 2022, the "doxing" website designed to disclose the personal information of targeted individuals ("doxes") Doxbin suffered a data breach. The breach was subsequently leaked online and included over 370k unique email addresses across user accounts and doxes.

Victim
Doxbin
Records
370.8K
Zero-dayResolved

Log4Shell (Apache Log4j CVE-2021-44228)

A trivially exploitable remote code execution flaw in Apache Log4j 2, the ubiquitous Java logging library, scored a maximum CVSS 10.0 and exposed hundreds of millions of devices and applications worldwide to instant takeover via a single crafted log string.

Victim
Global (Apache Log4j users worldwide)
Data breachResolved

Robinhood data breach (2021)

In November 2021, the online trading platform Robinhood suffered a data breach after a customer service representative was socially engineered. The incident exposed over 5M customer email addresses and 2M customer names.

Victim
Robinhood
Records
5.0M
Data breachResolved

Paragon Cheats data breach (2021)

In May 2021, the Grand Theft Auto Online cheats website Paragon Cheats suffered a data breach that lead to the shutdown of the service. The breach exposed 188k customer records including usernames, email and IP addresses.

Victim
Paragon Cheats
Records
188.1K
Data breachResolved

Gemplex data breach (2021)

In February 2021, the Indian streaming platform Gemplex suffered a data breach that exposed 4.6M user accounts. The impacted data included device information, names, phone numbers, email addresses and bcrypt password hashes.

Victim
Gemplex
Records
4.6M
Insider threatResolved

Yandex mail insider breach

Yandex disclosed that one of three administrators with privileged access to its email service had been selling unauthorized access to user mailboxes, compromising 4,887 inboxes before the company's internal security team detected the abuse during a routine review.

Victim
Yandex
Records
4.9K
Data breachResolved

Date Hot Brunettes data breach (2021)

In January 2021, the now defunct website Date Hot Brunettes which provided a service to "Date Neglected Women Who Can Keep a Secret", suffered a data breach. The incident exposed 1.5M unique email addresses along with IP addresses, usernames, user-entered bios and MD5 password hashes.

Victim
Date Hot Brunettes
Records
1.5M
Data breachResolved

Devil-Torrents.pl data breach (2021)

In early 2021, the Polish torrents website Devil-Torrents.pl suffered a data breach. A subset of the data including 63k unique email addresses and cracked passwords were subsequently socialised on a popular data breach sharing service.

Victim
Devil-Torrents.pl
Records
63.5K
Supply chainContained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers — ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B
Data breachResolved

GamingMonk data breach (2020)

In December 2020, India's "largest esports community" GamingMonk (since acquired by and redirected to MPL Esports), suffered a data breach. The incident exposed 655k unique email addresses along with names, usernames, phone numbers, dates of birth and bcrypt password hashes.

Victim
GamingMonk
Records
654.5K
Data breachResolved

Chowbus data breach (2020)

In October 2020, the Asian food delivery app Chowbus suffered a data breach which led to over 800,000 records being emailed to customers. The email contained a link to a CSV file with customer data including physical addresses, names, phone numbers and over 444,000 unique email addresses.

Victim
Chowbus
Records
444.2K
misconfigurationResolved

RedDoorz data breach

A misconfigured cloud database exposed the records of about 5.9 million RedDoorz hotel-booking customers, making it Singapore's largest data breach at the time and drawing a record-context PDPC fine against operator Commeasure.

Victim
RedDoorz (Commeasure Pte Ltd)
Loss
$54.5K
Records
5.9M
Data breachResolved

ShockGore data breach (2020)

In August 2020, the website for sharing graphic videos and images of gore and animal cruelty suffered a data breach. The breach exposed 74k unique email addresses alongside usernames, IP addresses, genders and unsalted SHA-1 password hashes.

Victim
ShockGore
Records
73.9K
Data breachResolved

Covve data breach (2020)

In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server.

Victim
Covve
Records
22.8M
Data breachResolved

MobiFriends data breach (2020)

In January 2020, the Barcelona-based dating app MobiFriends suffered a data breach that exposed 3.5 million unique email addresses. The data also included usernames, genders, dates of birth and MD5 password hashes.

Victim
MobiFriends
Records
3.5M
Data breachResolved

BtoBet data breach (2019)

In December 2019, a large collection of data from Nigerian gambling company Surebet247 was sent to HIBP. Alongside the Surebet247, database backups from gambling sites BetAlfa, BetWay, BongoBongo and TopBet was also included.

Victim
BtoBet
Records
444.2K
Data breachResolved

GameSprite data breach (2019)

In December 2019, the now defunct gaming platform GameSprite suffered a data breach that exposed over 6M unique email addresses. The impacted data also included usernames, IP addresses and salted MD5 password hashes.

Victim
GameSprite
Records
6.2M
Data breachResolved

Go Ninja data breach (2019)

In December 2019, the now defunct German gaming website Go Ninja suffered a data breach that exposed 5M unique email addresses. The impacted data included usernames, email and IP addresses and salted MD5 password hashes.

Victim
Go Ninja
Records
5.0M
Data breachResolved

SoarGames data breach (2019)

In December 2019, the now defunct gaming website SoarGames suffered a data breach that exposed 4.8M unique email addresses. The impacted data included usernames, email and IP addresses and salted MD5 password hashes.

Victim
SoarGames
Records
4.8M
Data breachResolved

Novaestrat Ecuador data leak

An unsecured Elasticsearch server run by Ecuadorian consultancy Novaestrat exposed 20.8 million records covering nearly the entire population of Ecuador, including 6.7 million children, financial records, and vehicle data.

Victim
Novaestrat
Records
20.8M
Data breachResolved

Minehut data breach (2019)

In May 2019, the Minecraft server website Minehut suffered a data breach. The company advised a database backup had been obtained after which they subsequently notified all impacted users. 397k email addresses from the incident were provided to HIBP.

Victim
Minehut
Records
396.5K
Data breachResolved

Everybody Edits data breach (2019)

In March 2019, the multiplayer platform game Everybody Edits suffered a data breach. The incident exposed 871k unique email addresses alongside usernames and IP addresses. The data was subsequently distributed online across a collection of files.

Victim
Everybody Edits
Records
871.2K
Data breachResolved

Mindjolt data breach (2019)

In March 2019, the online gaming website MindJolt suffered a data breach that exposed 28M unique email addresses. Also impacted were names and dates of birth, but no passwords.

Victim
Mindjolt
Records
28.4M
Data breachResolved

Peatix data breach (2019)

In January 2019, the event organising platform Peatix suffered a data breach. The incident exposed 4.2M email addresses, names and salted password hashes. The data was provided to HIBP by dehashed.com.

Victim
Peatix
Records
4.2M
Credential stuffingResolved

Collection #1 credential dump

A 87GB aggregated credential dump posted to the MEGA cloud service exposed 772.9 million unique email addresses and 21.2 million unique passwords, assembled from thousands of prior breaches to fuel credential-stuffing attacks at industrial scale.

Victim
Internet users worldwide (aggregated multi-breach dump)
Records
772.9M
Data breachResolved

BannerBit data breach (2018)

In approximately December 2018, the online ad platform BannerBit suffered a data breach. Containing 213k unique email addresses and plain text passwords, the data was provided to HIBP by a third party. Multiple attempts were made to contact BannerBit, but no response was received.

Victim
BannerBit
Records
213.4K
Data breachResolved

Ajarn data breach (2018)

In September 2021, the Thai-based English language teaching website Ajarn discovered they'd been the victim of a data breach dating back to December 2018. The breach was self-submitted to HIBP and included 266k email addresses, names, genders, phone numbers and other personal information.

Victim
Ajarn
Records
266.4K
Data breachContained

Quora data breach

The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.

Victim
Quora
Records
100.0M
Data breachResolved

WPSandbox data breach (2018)

In November 2018, the WordPress sandboxing service that allows people to create temporary websites WP Sandbox discovered their service was being used to host a phishing site attempting to collect Microsoft OneDrive accounts.

Victim
WPSandbox
Records
858
Data breachResolved

Wife Lovers data breach (2018)

In October 2018, the site dedicated to posting naked photos and other erotica of wives Wife Lovers suffered a data breach. The underlying database supported a total of 8 different adult websites and contained over 1.2M unique email addresses.

Victim
Wife Lovers
Records
1.3M
Data breachResolved

Lanwar data breach (2018)

In July 2018, staff of the Lanwar gaming site discovered a data breach they believe dates back to sometime over the previous several months. The data contained 45k names, email addresses, usernames and plain text passwords.

Victim
Lanwar
Records
45.1K
Data breachResolved

Exactis data exposure

Data-marketing firm Exactis left a database of nearly 340 million detailed records on individuals and businesses exposed on a publicly accessible server with no firewall. Each record held up to 400 fields of personal profiling data, from contact details to children's ages, religion, and habits.

Victim
Exactis LLC
Records
340.0M
Data breachResolved

Mortal Online data breach (2018)

In June 2018, the massively multiplayer online role-playing game (MMORPG) Mortal Online suffered a data breach. A file containing 570k email addresses and cracked passwords was subsequently distributed online.

Victim
Mortal Online
Records
606.6K
Data breachResolved

Ticketfly data breach (2018)

In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached data…

Victim
Ticketfly
Records
26.2M
Data breachResolved

Funny Games data breach (2018)

In April 2018, the online entertainment site Funny Games suffered a data breach that disclosed 764k records including usernames, email and IP addresses and salted MD5 password hashes.

Victim
Funny Games
Records
764.4K
Data breachResolved

EyeEm data breach (2018)

In February 2018, photography website EyeEm suffered a data breach. The breach was identified among a collection of other large incidents and exposed almost 20M unique email addresses, names, usernames, bios and password hashes.

Victim
EyeEm
Records
19.6M
Data breachResolved

MyFitnessPal data breach (2018)

In February 2018, Under Armour's MyFitnessPal app was breached, exposing about 144 million accounts with usernames, emails and passwords hashed using a mix of SHA-1 and bcrypt; the data later surfaced for sale via GnosticPlayers.

Victim
MyFitnessPal (Under Armour)
Records
143.6M
private-keystolen

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time — later attributed to North Korea's Lazarus Group.

Victim
Coincheck Inc.
Loss
$530.0M
Data breachResolved

Lyrics Mania data breach (2017)

In December 2017, the song lyrics website known as Lyrics Mania suffered a data breach. The data in the breach included 109k usernames, email addresses and plain text passwords. Numerous attempts were made to contact Lyrics Mania about the incident, however no responses were received.

Victim
Lyrics Mania
Records
109.2K
Data breachResolved

Open CS:GO data breach (2017)

In December 2017, the website for purchasing Counter-Strike skins known as Open CS:GO (Counter-Strike: Global Offensive) suffered a data breach (address since redirects to dropgun.com).

Victim
Open CS:GO
Records
512.3K
Data breachResolved

Uber 2016 data breach and cover-up

Attackers stole personal data on 57 million Uber riders and drivers in October 2016. Rather than disclose, Uber paid the hackers a $100,000 ransom and disguised it as a bug bounty — a cover-up that led to a $148 million multistate settlement and the criminal conviction of Uber's security chief.

Victim
Uber Technologies, Inc.
Loss
$148.0M
Records
57.0M
Data breachResolved

TGBUS data breach (2017)

In approximately 2017, it's alleged that the Chinese gaming site known as TGBUS suffered a data breach that impacted over 10 million unique subscribers.

Victim
TGBUS
Records
10.4M
Data breachResolved

Onliner Spambot data breach (2017)

In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information.

Victim
Onliner Spambot
Records
711.5M
Vulnerability exploitResolved

Cloudflare "Cloudbleed" memory leak

A buffer-overflow bug in Cloudflare's edge servers caused them to leak adjacent chunks of memory — including passwords, cookies, and private messages from other customers — into web pages, where some were cached by search engines. The flaw was active for months before Google's Project Zero discovered it.

Victim
Cloudflare, Inc.
Data breachResolved

Retina-X data breach (2017)

In February 2017, the mobile device monitoring software developer Retina-X was hacked and customer data downloaded before being wiped from their servers.

Victim
Retina-X
Records
71.2K
Data breachResolved

Coachella data breach (2017)

In February 2017, hundreds of thousands of records from the Coachella music festival were discovered being sold online. Allegedly taken from a combination of the main Coachella website and their vBulletin-based message board, the data included almost 600k usernames, IP and email addresses and…

Victim
Coachella
Records
599.8K
Data breachResolved

SwordFantasy data breach (2017)

In January 2019, the now defunct MMO and RPG game SwordFantasy suffered a data breach that exposed 2.7M unique email addresses. Other impacted data included username, IP address and salted MD5 password hashes.

Victim
SwordFantasy
Records
2.7M
Data breachResolved

PayAsUGym data breach (2016)

In December 2016, an attacker breached PayAsUGym's website exposing over 400k customers' personal data. The data was consequently leaked publicly and broadly distributed via Twitter.

Victim
PayAsUGym
Records
400.3K
Data breachResolved

FashionFantasyGame data breach (2016)

In late 2016, the fashion gaming website Fashion Fantasy Game suffered a data breach. The incident exposed 2.3 million unique user accounts and corresponding MD5 password hashes with no salt. The data was contributed to Have I Been Pwned courtesy of rip@creep.im.

Victim
FashionFantasyGame
Records
2.4M
Data breachResolved

Warmane data breach (2016)

In approximately December 2016, the online service for World of Warcraft private servers Warmane suffered a data breach. The incident exposed over 1.1M accounts including usernames, email addresses, dates of birth and salted MD5 password hashes.

Victim
Warmane
Records
1.1M
DDoSResolved

Dyn DNS Mirai DDoS attack

A massive Mirai-botnet DDoS attack against managed DNS provider Dyn knocked Twitter, Netflix, Spotify, GitHub, Reddit, and dozens of other major sites offline across the U.S. and Europe, demonstrating how a botnet of compromised IoT devices could disrupt large swathes of the internet.

Victim
Dyn, Inc.
Data breachResolved

GFAN data breach (2016)

In October 2016, data surfaced that was allegedly obtained from the Chinese website known as GFAN and contained 22.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
GFAN
Records
22.5M
Data breachContained

Leak at Dailymotion

In October 2016, French video-sharing platform Dailymotion was breached, exposing roughly 85.2 million user accounts including email addresses and usernames, with bcrypt password hashes for about 18 million of them.

Victim
Dailymotion
Records
85.2M
Data breachResolved

Aipai.com data breach (2016)

In September 2016, data allegedly obtained from the Chinese gaming website known as Aipai.com and containing 6.5M accounts was leaked online. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Aipai.com
Records
6.5M
Data breachResolved

uuu9 data breach (2016)

In September 2016, data was allegedly obtained from the Chinese website known as uuu9.com and contained 7.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
uuu9
Records
7.5M
Data breachResolved

GeekedIn data breach (2016)

In August 2016, the technology recruitment site GeekedIn left a MongoDB database exposed and over 8M records were extracted by an unknown third party. The breached data was originally scraped from GitHub in violation of their terms of use and contained information exposed in public profiles,…

Victim
GeekedIn
Records
1.1M
Data breachResolved

Wishbone (2016) data breach (2016)

In August 2016, the mobile app to "compare anything" known as Wishbone suffered a data breach. The data contained 9.4 million records with 2.2 million unique email addresses and was allegedly a subset of the complete data set.

Victim
Wishbone (2016)
Records
2.2M
Data breachResolved

AbuseWith.Us data breach (2016)

In 2016, the site dedicated to helping people hack email and online gaming accounts known as Abusewith.us suffered multiple data breaches. The site allegedly had an administrator in common with the nefarious LeakedSource site, both of which have since been shut down.

Victim
AbuseWith.Us
Records
1.4M
Data breachResolved

Kaneva data breach (2016)

In July 2016, now defunct website Kaneva, the service to "build and explore virtual worlds", suffered a data breach that exposed 3.9M user records. The data included email addresses, usernames, dates of birth and salted MD5 password hashes.

Victim
Kaneva
Records
3.9M
Data breachResolved

Muslim Match data breach (2016)

In June 2016, the Muslim Match dating website had 150k email addresses exposed. The data included private chats and messages between relationship seekers and numerous other personal attributes including passwords hashed with MD5.

Victim
Muslim Match
Records
149.8K
Data breachResolved

Facepunch data breach (2016)

In June 2016, the game development studio Facepunch suffered a data breach that exposed 343k users. The breached data included usernames, email and IP addresses, dates of birth and salted MD5 password hashes. Facepunch advised they were aware of the incident and had notified people at the time.

Victim
Facepunch
Records
342.9K
Data breachResolved

Evony data breach (2016)

In June 2016, the online multiplayer game Evony was hacked and over 29 million unique accounts were exposed. The attack led to the exposure of usernames, email and IP addresses and MD5 hashes of passwords (without salt).

Victim
Evony
Records
29.4M
Data breachResolved

MySpace credentials breach

Credentials for roughly 360 million pre-2013 MySpace accounts surfaced for sale on the dark web in 2016. The passwords were stored as unsalted SHA-1 hashes, making one of the largest credential dumps ever disclosed trivially crackable.

Victim
MySpace (Time Inc.)
Records
360.0M
Data breachResolved

Army Force Online data breach (2016)

In May 2016, the online gaming site Army Force Online suffered a data breach that exposed 1.5M accounts. The breached data was found being regularly traded online and included usernames, email and IP addresses and MD5 passwords.

Victim
Army Force Online
Records
1.5M
Data breachResolved

Fur Affinity data breach (2016)

In May 2016, the Fur Affinity website for people with an interest in anthropomorphic animal characters (also known as "furries") was hacked. The attack exposed 1.2M email addresses (many accounts had a different "first" and "last" email against them) and hashed passwords.

Victim
Fur Affinity
Records
1.3M
Data breachResolved

Guns and Robots data breach (2016)

In approximately April 2016, the gaming website Guns and Robots suffered a data breach resulting in the exposure of 143k unique records. The data contained email and IP addresses, usernames and SHA-1 password hashes.

Victim
Guns and Robots
Records
143.6K
Data breachResolved

Nival data breach (2016)

In February 2016, the Russian gaming company Nival was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", Nival was one of several Russian sites in the breach and impacted over 1.5M accounts including…

Victim
Nival
Records
1.5M
Data breachResolved

Minecraft World Map data breach (2016)

In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords.

Victim
Minecraft World Map
Records
71.1K
Data breachResolved

XPG data breach (2016)

In approximately early 2016, the gaming website Xpgamesaves (XPG) suffered a data breach resulting in the exposure of 890k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
XPG
Records
890.3K
Data breachResolved

DaniWeb data breach (2015)

In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords.

Victim
DaniWeb
Records
1.1M
Data breachResolved

Beautiful People data breach (2015)

In November 2015, the dating website Beautiful People was hacked and over 1.1M accounts were leaked. The data was being traded in underground circles and included a huge amount of personal information related to dating.

Victim
Beautiful People
Records
1.1M
Data breachResolved

InterPals data breach (2015)

In late 2015, the online penpal site InterPals had their website hacked and 3.4 million accounts exposed. The compromised data included email addresses, geographical locations, birthdates and salted hashes of passwords.

Victim
InterPals
Records
3.4M
Data breachResolved

xat data breach (2015)

In November 2015, the online chatroom known as "xat" was hacked and 6 million user accounts were exposed. Used as a chat engine on websites, the leaked data included usernames, email and IP addresses along with hashed passwords.

Victim
xat
Records
6.0M
Data breachResolved

Abandonia (2015) data breach (2015)

In November 2015, the gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in the exposure of 776k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
Abandonia (2015)
Records
776.1K
Data breachResolved

Ashley Madison (Avid Life Media) breach

A group calling itself the Impact Team breached infidelity dating site Ashley Madison, then dumped the account data of roughly 32 million users — names, emails, sexual preferences and payment records — after parent company Avid Life Media refused to shut the site down.

Victim
Avid Life Media (Ashley Madison)
Loss
$1.6M
Records
32.0M
Data breachResolved

Soundwave data breach (2015)

In approximately mid 2015, the music tracking app Soundwave suffered a data breach. The breach stemmed from an incident whereby "production data had been used to populate the test database" and was then inadvertently exposed in a MongoDB.

Victim
Soundwave
Records
130.7K
Data breachResolved

SvenskaMagic data breach (2015)

Sometime in 2015, the Swedish magic website SvenskaMagic suffered a data breach that exposed over 30k records. The compromised data included usernames, email addresses and MD5 password hashes. The data was self-submitted to HIBP by SvenskaMagic.

Victim
SvenskaMagic
Records
30.3K
Data breachResolved

Warframe data breach (2014)

In November 2014, the online game Warframe was hacked and 819k unique email addresses were exposed. Allegedly due to a SQL injection flaw in Drupal, the attack exposed usernames, email addresses and data in a "pass" column which adheres to the salted SHA12 password hashing pattern used by Drupal 7.

Victim
Warframe
Records
819.5K
Data breachResolved

Bin Weevils data breach (2014)

In September 2014, the online game Bin Weevils suffered a data breach. Whilst originally stating that only usernames and passwords had been exposed, a subsequent story on DataBreaches.net indicated that a more extensive set of personal attributes were impacted (comments there also suggest the data…

Victim
Bin Weevils
Records
1.3M
Data breachResolved

Powerbot data breach (2014)

In approximately September 2014, the RuneScape bot website Powerbot suffered a data breach resulting in the exposure of over half a million unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
Powerbot
Records
503.5K
Data breachResolved

diet.com data breach (2014)

In August 2014, the diet and nutrition website diet.com suffered a data breach resulting in the exposure of 1.4 million unique user records dating back as far as 2004.

Victim
diet.com
Records
1.4M
Data breachResolved

Pokémon Creed data breach (2014)

In August 2014, the Pokémon RPG website Pokémon Creed was hacked after a dispute with rival site, Pokémon Dusk. In a post on Facebook, "Cruz Dusk" announced the hack then pasted the dumped MySQL database on pkmndusk.in.

Victim
Pokémon Creed
Records
116.5K
Data breachResolved

Manga Traders data breach (2014)

In June 2014, the Manga trading website Mangatraders.com had the usernames and passwords of over 900k users leaked on the internet (approximately 855k of the emails were unique). The passwords were weakly hashed with a single iteration of MD5 leaving them vulnerable to being easily cracked.

Victim
Manga Traders
Records
855.2K
Data breachResolved

eBay credentials breach

Attackers used a small number of compromised employee credentials to access eBay's corporate network and exfiltrate a database covering all 145 million users — names, encrypted passwords, email and postal addresses, phone numbers, and dates of birth.

Victim
eBay
Records
145.0M
Data breachResolved

Coupon Mom / Armor Games data breach (2014)

In 2014, a file allegedly containing data hacked from Coupon Mom was created and included 11 million email addresses and plain text passwords. On further investigation, the file was also found to contain data indicating it had been sourced from Armor Games.

Victim
Coupon Mom / Armor Games
Records
11.0M
Data breachResolved

WPT Amateur Poker League data breach (2014)

In January 2014, the World Poker Tour (WPT) Amateur Poker League website was hacked by the Twitter user @smitt3nz. The attack resulted in the public disclosure of 175,000 accounts including 148,000 email addresses. The plain text password for each account was also included in the breach.

Victim
WPT Amateur Poker League
Records
148.4K
Data breachResolved

XSplit data breach (2013)

In November 2013, the makers of gaming live streaming and recording software XSplit was compromised in an online attack. The data breach leaked almost 3M names, email addresses, usernames and hashed passwords.

Victim
XSplit
Records
3.0M
Data breachResolved

Adobe data breach (2013)

Attackers stole roughly 153 million Adobe account records — IDs, emails, weakly encrypted passwords and plaintext password hints — along with source code for several Adobe products, in one of the largest software-company breaches on record.

Victim
Adobe Systems
Loss
$1.0M
Records
152.4M
Data breachResolved

Badoo data breach (2013)

A dataset attributed to the dating and social network Badoo exposed roughly 112 million unique email addresses along with names, birthdates and MD5 password hashes; the data surfaced among traders in 2016 and remains formally unverified.

Victim
Badoo
Records
112.0M
Data breachResolved

Heroes of Gaia data breach (2013)

In early 2013, the online fantasy multiplayer game Heroes of Gaia suffered a data breach. The newest records in the data set indicate a breach date of 4 January 2013 and include usernames, IP and email addresses but no passwords.

Victim
Heroes of Gaia
Records
180.0K
Data breachResolved

Heroes of Newerth data breach (2012)

In December 2012, the multiplayer online battle arena game known as Heroes of Newerth was hacked and over 8 million accounts extracted from the system. The compromised data included usernames, email addresses and passwords.

Victim
Heroes of Newerth
Records
8.1M
Data breachResolved

War Inc. data breach (2012)

In mid-2012, the real-time strategy game War Inc. suffered a data breach. The attack resulted in the exposure of over 1 million accounts including usernames, email addresses and salted MD5 hashes of passwords.

Victim
War Inc.
Records
1.0M
Data breachResolved

LinkedIn password breach

A 2012 intrusion into LinkedIn exposed user passwords stored as unsalted SHA-1 hashes. Initially reported as 6.5 million credentials, the full scope of 117 million accounts only emerged in 2016 when the data surfaced for sale on the dark web.

Victim
LinkedIn
Loss
$1.3M
Records
117.0M
Data breachResolved

Last.fm data breach (2012)

The music platform Last.fm was hacked in March 2012, exposing more than 43 million accounts with usernames, email addresses and unsalted MD5 password hashes; over 96% of passwords were cracked within hours once the data surfaced in 2016.

Victim
Last.fm
Records
37.2M
Data breachResolved

YouPorn data breach (2012)

In February 2012, the adult website YouPorn had over 1.3M user accounts exposed in a data breach. The publicly released data included both email addresses and plain text passwords.

Victim
YouPorn
Records
1.3M
Data breachResolved

Dodonew.com data breach (2011)

In late 2011, data was allegedly obtained from the Chinese website known as Dodonew.com and contained 8.7M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Dodonew.com
Records
8.7M
Data breachResolved

Civil Online data breach (2011)

In mid-2011, data was allegedly obtained from the Chinese engineering website known as Civil Online and contained 7.8M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Civil Online
Records
7.8M
EspionageResolved

RSA SecurID seed compromise

A spear-phishing email carrying a Flash zero-day gave attackers a foothold inside RSA, from which they exfiltrated data tied to the SecurID two-factor authentication system — data later used in an intrusion attempt against Lockheed Martin.

Victim
RSA Security (EMC)
Loss
$66.0M
Data breachResolved

7k7k data breach (2011)

In approximately 2011, it's alleged that the Chinese gaming site known as 7k7k suffered a data breach that impacted 9.1 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
7k7k
Records
9.1M
Data breachResolved

Duowan.com data breach (2011)

In approximately 2011, data was allegedly obtained from the Chinese gaming website known as Duowan.com and contained 2.6M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Duowan.com
Records
2.6M
Data breachResolved

DivX SubTitles data breach (2010)

In approximately 2010, the now defunct website DivX SubTitles suffered a data breach that exposed 783k user accounts including email addresses, usernames and plain text passwords.

Victim
DivX SubTitles
Records
783.1K
Data breachResolved

Elance data breach (2009)

Sometime in 2009, staffing platform Elance suffered a data breach that impacted 1.3 million accounts. Appearing online 8 years later, the data contained usernames, email addresses, phone numbers and SHA1 hashes of passwords, amongst other personal data.

Victim
Elance
Records
1.3M
Data breachResolved

Foxy Bingo data breach (2008)

In April 2007, the online gambling site Foxy Bingo was hacked and 252,000 accounts were obtained by the hackers. The breached records were subsequently sold and traded and included personal information data such as plain text passwords, birth dates and home addresses.

Victim
Foxy Bingo
Records
252.2K