Skip to content

Incidents from

2016

Data breachResolved

Data Enrichment Records data breach (2016)

In December 2016, more than 200 million "data enrichment profiles" were found for sale on the darknet. The seller claimed the data was sourced from Experian and whilst that claim was rejected by the company, the data itself was found to be legitimate suggesting it may have been sourced from otherโ€ฆ

Victim
Data Enrichment Records
Records
8.2M
Data breachResolved

Anti Public Combo List data breach (2016)

In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems.

Victim
Anti Public Combo List
Records
458.0M
Data breachResolved

Ethereum data breach (2016)

In December 2016, the forum for the public blockchain-based distributed computing platform Ethereum suffered a data breach. The database contained over 16k unique email addresses along with IP addresses, private forum messages and (mostly) bcrypt hashed passwords.

Victim
Ethereum
Records
16.4K
Data breachResolved

PayAsUGym data breach (2016)

In December 2016, an attacker breached PayAsUGym's website exposing over 400k customers' personal data. The data was consequently leaked publicly and broadly distributed via Twitter.

Victim
PayAsUGym
Records
400.3K
Data breachResolved

MrExcel data breach (2016)

In December 2016, the forum for the Microsoft Excel tips and solutions site Mr Excel suffered a data breach. The hack of the vBulletin forum led to the exposure of over 366k accounts along with email and IP addresses, dates of birth and salted passwords hashed with MD5.

Victim
MrExcel
Records
366.1K
Data breachResolved

Biohack.me data breach (2016)

In December 2016, the forum for the biohacking website Biohack.me suffered a data breach that exposed 3.4k accounts. The data included usernames, email addresses and hashed passwords along with the private messages of forum members. The data was self-submitted to HIBP by the Biohack.me operators.

Victim
Biohack.me
Records
3.4K
Data breachResolved

FashionFantasyGame data breach (2016)

In late 2016, the fashion gaming website Fashion Fantasy Game suffered a data breach. The incident exposed 2.3 million unique user accounts and corresponding MD5 password hashes with no salt. The data was contributed to Have I Been Pwned courtesy of rip@creep.im.

Victim
FashionFantasyGame
Records
2.4M
Data breachResolved

Warmane data breach (2016)

In approximately December 2016, the online service for World of Warcraft private servers Warmane suffered a data breach. The incident exposed over 1.1M accounts including usernames, email addresses, dates of birth and salted MD5 password hashes.

Victim
Warmane
Records
1.1M
Data breachResolved

Youku data breach (2016)

In late 2016, China's leading online video platform Youku suffered a data breach exposing roughly 92 million unique user accounts together with usernames and MD5-hashed passwords, which later circulated on dark-web marketplaces.

Victim
Youku
Records
91.9M
Data breachResolved

xHamster data breach (2016)

In November 2016, news broke that hackers were trading hundreds of thousands of xHamster porn account details. In total, the data contained almost 380k unique user records including email addresses, usernames and unsalted MD5 password hashes.

Victim
xHamster
Records
377.4K
Data breachResolved

RankWatch data breach (2016)

In approximately November 2016, the search engine optimisation management company RankWatch exposed a Mongo DB with no password publicly whereupon their data was exfiltrated and posted to an online forum.

Victim
RankWatch
Records
7.4M
Data breachResolved

CashCrate data breach (2016)

In June 2017, news broke that CashCrate had suffered a data breach exposing 6.8 million records. The breach of the cash-for-surveys site dated back to November 2016 and exposed names, physical addresses, email addresses and passwords stored in plain text for older accounts along with weak MD5โ€ฆ

Victim
CashCrate
Records
6.8M
Data breachResolved

SubaGames data breach (2016)

In November 2016, the game developer Suba Games suffered a data breach which led to the exposure of 6.1M unique email addresses. Impacted data also included usernames and passwords, most of which appeared circulating in the breached file in plain text after being cracked from salted MD5 hashes.

Victim
SubaGames
Records
6.1M
Data breachResolved

MCBans data breach (2016)

In October 2016, the Minecraft banning service known as MCBans suffered a data breach resulting in the exposure of 120k unique user records. The data contained email and IP addresses, usernames and password hashes of unknown format.

Victim
MCBans
Records
119.9K
DDoSResolved

Dyn DNS Mirai DDoS attack

A massive Mirai-botnet DDoS attack against managed DNS provider Dyn knocked Twitter, Netflix, Spotify, GitHub, Reddit, and dozens of other major sites offline across the U.S. and Europe, demonstrating how a botnet of compromised IoT devices could disrupt large swathes of the internet.

Victim
Dyn, Inc.
Data breachResolved

Adult FriendFinder (2016) data breach (2016)

In October 2016, the adult entertainment company Friend Finder Networks suffered a massive data breach. The incident impacted multiple separate online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to be "the world's largest sex & swinger community".

Victim
Adult FriendFinder (2016)
Records
169.7M
Data breachResolved

Exploit.In data breach (2016)

In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems.

Victim
Exploit.In
Records
593.4M
Data breachResolved

GFAN data breach (2016)

In October 2016, data surfaced that was allegedly obtained from the Chinese website known as GFAN and contained 22.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
GFAN
Records
22.5M
Data breachResolved

Modern Business Solutions data breach (2016)

In October 2016, a large Mongo DB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phoneโ€ฆ

Victim
Modern Business Solutions
Records
58.8M
Data breachContained

Leak at Dailymotion

In October 2016, French video-sharing platform Dailymotion was breached, exposing roughly 85.2 million user accounts including email addresses and usernames, with bcrypt password hashes for about 18 million of them.

Victim
Dailymotion
Records
85.2M
Data breachResolved

Pokรฉmon Negro data breach (2016)

In approximately October 2016, the Spanish Pokรฉmon site Pokรฉmon Negro suffered a data breach. The attack resulted in the disclosure of 830k accounts including email and IP addresses along with plain text passwords. Pokรฉmon Negro did not respond when contacted about the breach.

Victim
Pokรฉmon Negro
Records
830.2K
Data breachResolved

Aipai.com data breach (2016)

In September 2016, data allegedly obtained from the Chinese gaming website known as Aipai.com and containing 6.5M accounts was leaked online. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
Aipai.com
Records
6.5M
Data breachResolved

Leet data breach (2016)

In August 2016, the service for creating and running Pocket Minecraft edition servers known as Leet was reported as having suffered a data breach that impacted 6 million subscribers.

Victim
Leet
Records
5.1M
Data breachResolved

Real Estate Mogul data breach (2016)

In September 2016, the real estate investment site Real Estate Mogul had a Mongo DB instance compromised and 5GB of data downloaded by an unauthorised party. The data contained real estate listings including addresses and the names, phone numbers and 308k unique email addresses of the sellers.

Victim
Real Estate Mogul
Records
307.8K
Data breachResolved

uuu9 data breach (2016)

In September 2016, data was allegedly obtained from the Chinese website known as uuu9.com and contained 7.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified".

Victim
uuu9
Records
7.5M
Data breachResolved

Digimon data breach (2016)

In September 2016, over 16GB of logs from a service indicated to be digimon.co.in were obtained, most likely from an unprotected Mongo DB instance. The service ceased running shortly afterwards and no information remains about the precise nature of it.

Victim
Digimon
Records
7.7M
Data breachResolved

ClixSense data breach (2016)

In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records.

Victim
ClixSense
Records
2.4M
Data breachResolved

NemoWeb data breach (2016)

In September 2016, almost 21GB of data from the French website used for "standardised and decentralized means of exchange for publishing newsgroup articles" NemoWeb was leaked from what appears to have been an unprotected Mongo DB.

Victim
NemoWeb
Records
3.5M
Data breachResolved

NetProspex data breach (2016)

In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them.

Victim
NetProspex
Records
33.7M
Data breachResolved

MDPI data breach (2016)

In August 2016, the Swiss scholarly open access publisher known as MDPI had 17.5GB of data obtained from an unprotected Mongo DB instance. The data contained email exchanges between MDPI and their authors and reviewers which included 845k unique email addresses.

Victim
MDPI
Records
845.0K
Data breachResolved

PPCGeeks data breach (2016)

In August 2016, the pocket PC fan site forum PPCGeeks suffered a data breach that exposed over 490k records. The breach of the vBulletin forum exposed email and IP addresses, usernames, dates of birth and passwords stored as salted MD5 hashes.

Victim
PPCGeeks
Records
492.5K
Data breachResolved

GeekedIn data breach (2016)

In August 2016, the technology recruitment site GeekedIn left a MongoDB database exposed and over 8M records were extracted by an unknown third party. The breached data was originally scraped from GitHub in violation of their terms of use and contained information exposed in public profiles,โ€ฆ

Victim
GeekedIn
Records
1.1M
Data breachResolved

Epic Games data breach (2016)

In August 2016, the Epic Games forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 252k accounts including usernames, email addresses and salted MD5 hashes of passwords.

Victim
Epic Games
Records
251.7K
Data breachResolved

Unreal Engine data breach (2016)

In August 2016, the Unreal Engine Forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords.

Victim
Unreal Engine
Records
530.1K
Data breachResolved

Cross Fire data breach (2016)

In August 2016, the Russian gaming forum known as Cross Fire (or cfire.mail.ru) was hacked along with a number of other forums on the Russian mail provider, mail.ru. The vBulletin forum contained 12.8 million accounts including usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
Cross Fire
Records
12.9M
Data breachResolved

ะŸะฐั€ะฐ ะŸะฐ data breach (2016)

In August 2016, the Russian gaming site known as ะŸะฐั€ะฐ ะŸะฐ (or parapa.mail.ru) was hacked along with a number of other forums on the Russian mail provider, mail.ru. The vBulletin forum contained 4.9 million accounts including usernames, email addresses and passwords stored as salted MD5 hashes.

Victim
ะŸะฐั€ะฐ ะŸะฐ
Records
4.9M
Data breachResolved

Wishbone (2016) data breach (2016)

In August 2016, the mobile app to "compare anything" known as Wishbone suffered a data breach. The data contained 9.4 million records with 2.2 million unique email addresses and was allegedly a subset of the complete data set.

Victim
Wishbone (2016)
Records
2.2M
Data breachResolved

GSM Hosting data breach (2016)

In August 2016, breached data from the vBulletin forum for GSM-Hosting appeared for sale alongside dozens of other hacked services. The breach impacted 2.6M users of the service and included email and IP addresses, usernames and salted MD5 password hashes.

Victim
GSM Hosting
Records
2.6M
Data breachResolved

GTAGaming data breach (2016)

In August 2016, the Grand Theft Auto forum GTAGaming was hacked and nearly 200k user accounts were leaked. The vBulletin based forum included usernames, email addresses and password hashes.

Victim
GTAGaming
Records
197.2K
Data breachResolved

DLH.net data breach (2016)

In July 2016, the gaming news site DLH.net suffered a data breach which exposed 3.3M subscriber identities. Along with the keys used to redeem and activate games on the Steam platform, the breach also resulted in the exposure of email addresses, birth dates and salted MD5 password hashes.

Victim
DLH.net
Records
3.3M
Data breachResolved

Roblox data breach (2016)

In August 2016, Roblox disclosed a data breach that affected over 50k users. The security incident impacted email and IP addresses, usernames, purchases and Robux balances which were left exposed on a test server.

Victim
Roblox
Records
52.5K
Data breachResolved

i-Dressup data breach (2016)

In June 2016, the teen social site known as i-Dressup was hacked and over 2 million user accounts were exposed. At the time the hack was reported, the i-Dressup operators were not contactable and the underlying SQL injection flaw remained open, allegedly exposing a total of 5.5 million accounts.

Victim
i-Dressup
Records
2.2M
Data breachResolved

Clash of Kings data breach (2016)

In July 2016, the forum for the game "Clash of Kings" suffered a data breach that impacted 1.6 million subscribers. The impacted data included usernames, IP and email addresses and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Clash of Kings
Records
1.6M
Data breachResolved

Dota2 data breach (2016)

In July 2016, the Dota2 official developers forum suffered a data breach that exposed almost 2 million users. The hack of the vBulletin forum led to the disclosure of email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Dota2
Records
1.9M
Data breachResolved

Shadi.com data breach (2016)

In July 2016, the Muslim dating site Shadi.com suffered a data breach that exposed over 2M members' email addresses. The breach also exposed passwords stored as MD5 hashes alongside their plain text equivalents.

Victim
Shadi.com
Records
2.0M
Data breachResolved

dBforums data breach (2016)

In July 2016, a data breach of the now defunct database forum "dBforums" appeared for sale alongside several others hacked from the parent company, Penton.

Victim
dBforums
Records
363.5K
Data breachResolved

Mac Forums data breach (2016)

In July 2016, the self-proclaimed "Ultimate Source For Your Mac" website Mac Forums suffered a data breach. The vBulletin-based system exposed over 326k usernames, email and IP addresses, dates of birth and passwords stored as salted MD5 hashes.

Victim
Mac Forums
Records
326.7K
Data breachResolved

CrackingForum data breach (2016)

In approximately mid-2016, the cracking community forum known as CrackingForum suffered a data breach. The vBulletin based forum exposed 660k email and IP addresses, usernames and salted MD5 hashes.

Victim
CrackingForum
Records
660.3K
Data breachResolved

FreshMenu data breach (2016)

In July 2016, the India-based food delivery service FreshMenu suffered a data breach. The incident exposed the personal data of over 110k customers and included their names, email addresses, phone numbers, home addresses and order histories.

Victim
FreshMenu
Records
110.4K
Data breachResolved

Funimation data breach (2016)

In July 2016, the anime site Funimation suffered a data breach that impacted 2.5 million accounts. The data contained usernames, email addresses, dates of birth and salted SHA1 hashes of passwords.

Victim
Funimation
Records
2.5M
Data breachResolved

GPS Underground data breach (2016)

In early 2017, GPS Underground was amongst a collection of compromised vBulletin websites that were found being sold online. The breach dated back to mid-2016 and included 670k records with usernames, email and IP addresses, dates of birth and salted MD5 password hashes.

Victim
GPS Underground
Records
669.6K
Data breachResolved

Kaneva data breach (2016)

In July 2016, now defunct website Kaneva, the service to "build and explore virtual worlds", suffered a data breach that exposed 3.9M user records. The data included email addresses, usernames, dates of birth and salted MD5 password hashes.

Victim
Kaneva
Records
3.9M
Data breachResolved

OnRPG data breach (2016)

In July 2016, the now defunct free online games list website OnRPG suffered a data breach that was later redistributed as part of a larger corpus of data. The incident exposed just over 1M email and IP addresses alongside usernames and passwords stored as salted MD5 hashes.

Victim
OnRPG
Records
1.0M
Data breachResolved

Tunngle data breach (2016)

In 2016, the now defunct global LAN gaming network Tunngle suffered a data breach that exposed 8.2M unique email addresses. The compromised data also included usernames, IP addresses and passwords stored as salted MD5 hashes.

Victim
Tunngle
Records
8.2M
Data breachResolved

Web Hosting Talk data breach (2016)

In July 2016, the Web Hosting Talk forum suffered a data breach that was subsequently listed for sale. The breach of the vBulletin based forum exposed 515k user records including usernames, email addresses, IP addresses and salted MD5 password hashes.

Victim
Web Hosting Talk
Records
515.1K
Data breachResolved

StreetEasy data breach (2016)

In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019.

Victim
StreetEasy
Records
988.2K
Data breachResolved

Whitepages data breach (2016)

In mid-2016, the telephone and address directory service Whitepages was among a raft of sites that were breached and their data then sold in early-2019. The data included over 11 million unique email addresses alongside names and passwords stored as either a SHA-1 or bcrypt hash.

Victim
Whitepages
Records
11.7M
Data breachResolved

Muslim Match data breach (2016)

In June 2016, the Muslim Match dating website had 150k email addresses exposed. The data included private chats and messages between relationship seekers and numerous other personal attributes including passwords hashed with MD5.

Victim
Muslim Match
Records
149.8K
Data breachResolved

HLTV data breach (2016)

In June 2016, the "home of competitive Counter Strike" website HLTV was hacked and 611k accounts were exposed. The attack led to the exposure of names, usernames, email addresses and bcrypt hashes of passwords.

Victim
HLTV
Records
611.1K
EspionageResolved

Democratic National Committee hack

Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.

Victim
Democratic National Committee + Clinton campaign + DCCC
Loss
$50.0M
Records
50.0K
Data breachResolved

Facepunch data breach (2016)

In June 2016, the game development studio Facepunch suffered a data breach that exposed 343k users. The breached data included usernames, email and IP addresses, dates of birth and salted MD5 password hashes. Facepunch advised they were aware of the incident and had notified people at the time.

Victim
Facepunch
Records
342.9K
Data breachResolved

Evony data breach (2016)

In June 2016, the online multiplayer game Evony was hacked and over 29 million unique accounts were exposed. The attack led to the exposure of usernames, email and IP addresses and MD5 hashes of passwords (without salt).

Victim
Evony
Records
29.4M
Data breachResolved

ForumCommunity data breach (2016)

In approximately mid-2016, the Italian-based service for creating forums known as ForumCommunity suffered a data breach. The incident impacted over 776k unique email addresses along with usernames and unsalted MD5 password hashes. No response was received from ForumCommunity when contacted.

Victim
ForumCommunity
Records
776.6K
Data breachResolved

MangaFox.me data breach (2016)

In approximately July 2016, the manga website known as mangafox.me suffered a data breach. The vBulletin based forum exposed 1.3 million accounts including usernames, email and IP addresses, dates of birth and salted MD5 password hashes.

Victim
MangaFox.me
Records
1.3M
Data breachResolved

Uiggy data breach (2016)

In June 2016, the Facebook application known as Uiggy was hacked and 4.3M accounts were exposed, 2.7M of which had email addresses against them. The leaked accounts also exposed names, genders and the Facebook ID of the owners.

Victim
Uiggy
Records
2.7M
Data breachResolved

Teracod data breach (2016)

In May 2015, almost 100k user records were extracted from the Hungarian torrent site known as Teracod. The data was later discovered being torrented itself and included email addresses, passwords, private messages between members and the peering history of IP addresses using the service.

Victim
Teracod
Records
97.2K
Data breachResolved

Regpack data breach (2016)

In July 2016, a tweet was posted with a link to an alleged data breach of BlueSnap, a global payment gateway and merchant account provider. The data contained 324k payment records across 105k unique email addresses and included personal attributes such as name, home address and phone number.

Victim
Regpack
Records
105.0K
Data breachResolved

Army Force Online data breach (2016)

In May 2016, the online gaming site Army Force Online suffered a data breach that exposed 1.5M accounts. The breached data was found being regularly traded online and included usernames, email and IP addresses and MD5 passwords.

Victim
Army Force Online
Records
1.5M
Data breachResolved

Fur Affinity data breach (2016)

In May 2016, the Fur Affinity website for people with an interest in anthropomorphic animal characters (also known as "furries") was hacked. The attack exposed 1.2M email addresses (many accounts had a different "first" and "last" email against them) and hashed passwords.

Victim
Fur Affinity
Records
1.3M
Data breachResolved

Rosebutt Board data breach (2016)

Some time prior to May 2016, the forum known as "Rosebutt Board" was hacked and 107k accounts were exposed. The self-described "top one board for anal fisting, prolapse, huge insertions and rosebutt fans" had email and IP addresses, usernames and weakly stored salted MD5 password hashes hacked fromโ€ฆ

Victim
Rosebutt Board
Records
107.3K
Data breachResolved

Shotbow data breach (2016)

In May 2016, the multiplayer server for Minecraft service Shotbow announced they'd suffered a data breach. The incident resulted in the exposure of over 1 million unique email addresses, usernames and salted SHA-256 password hashes.

Victim
Shotbow
Records
1.1M
Data breachResolved

Nulled.cr data breach (2016)

In May 2016, the cracking community forum known as Nulled.cr was hacked and 599k user accounts were leaked publicly. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members.

Victim
Nulled.cr
Records
599.1K
Data breachResolved

GameVN data breach (2016)

In May 2016, the Vietnamese gaming forum GameVN suffered a data breach that was later redistributed as part of a larger corpus of data. Data breached from the XenForo-based forum included 1.4M unique email addresses, usernames, IP addresses and salted MD5 password hashes.

Victim
GameVN
Records
1.4M
Data breachResolved

Qatar National Bank data breach

A 1.4 GB archive of internal files, customer account records, and nearly one million payment card numbers stored in clear text was leaked online, including dossiers on Qatar's Al Thani royal family, Al Jazeera staff, and apparent intelligence targets.

Victim
Qatar National Bank (QNB)
Records
100.0K
Data breachResolved

Foodora data breach (2016)

In April 2016, the online food delivery service Foodora suffered a data breach which was then extensively redistributed online. The breach included the personal information of hundreds of thousands of customers from multiple countries including their names, delivery addresses, phone numbers andโ€ฆ

Victim
Foodora
Records
582.6K
Data breachResolved

17 data breach (2016)

In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.

Victim
17
Records
4.0M
Data breachResolved

KnownCircle data breach (2016)

In approximately April 2016, the "marketing automation for agents and professional service providers" company KnownCircle had a large volume of data obtained by an external party.

Victim
KnownCircle
Records
2.0M
Data breachResolved

Guns and Robots data breach (2016)

In approximately April 2016, the gaming website Guns and Robots suffered a data breach resulting in the exposure of 143k unique records. The data contained email and IP addresses, usernames and SHA-1 password hashes.

Victim
Guns and Robots
Records
143.6K
Data breachResolved

Tuned Global data breach (2016)

In January 2021, data from a number of breached services including Tuned Global were released to a public hacking forum. The breach appears to date back to 2016 and includes 985k records containing email addresses, names, a small number of physical addresses and phone numbers and passwords storedโ€ฆ

Victim
Tuned Global
Records
985.6K
Data breachResolved

Naughty America data breach (2016)

In March 2016, the adult website Naughty America was hacked and the data consequently sold online. The breach included data from numerous systems with various personal identity attributes, the largest of which had passwords stored as easily crackable MD5 hashes.

Victim
Naughty America
Records
1.4M
Data breachResolved

Staminus data breach (2016)

In March 2016, the DDoS protection service Staminus was "massively hacked" resulting in an outage of more than 20 hours and the disclosure of customer credentials (with unsalted MD5 hashes), support tickets, credit card numbers and other sensitive data.

Victim
Staminus
Records
26.8K
Data breachResolved

CD Projekt RED data breach (2016)

In March 2016, Polish game developer CD Projekt RED suffered a data breach. The hack of their forum led to the exposure of almost 1.9 million accounts along with usernames, email addresses and salted SHA1 passwords.

Victim
CD Projekt RED
Records
1.9M
Data breachResolved

KM.RU data breach (2016)

In February 2016, the Russian portal and email service KM.RU was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", KM.RU was one of several Russian sites in the breach and impacted almost 1.5M accountsโ€ฆ

Victim
KM.RU
Records
1.5M
Data breachResolved

Mate1.com data breach (2016)

In February 2016, the dating site mate1.com suffered a huge data breach resulting in the disclosure of over 27 million subscribers' information. The data included deeply personal information about their private lives including drug and alcohol habits, incomes levels and sexual fetishes as well asโ€ฆ

Victim
Mate1.com
Records
27.4M
Data breachResolved

Nival data breach (2016)

In February 2016, the Russian gaming company Nival was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", Nival was one of several Russian sites in the breach and impacted over 1.5M accounts includingโ€ฆ

Victim
Nival
Records
1.5M
Data breachResolved

TruckersMP data breach (2016)

In February 2016, the online trucking simulator mod TruckersMP suffered a data breach which exposed 84k user accounts. In a first for "Have I Been Pwned", the breached data was self-submitted directly by the organisation that was breached itself.

Victim
TruckersMP
Records
84.0K
Data breachResolved

Linux Mint data breach (2016)

In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.

Victim
Linux Mint
Records
145.0K
Data breachResolved

SkTorrent data breach (2016)

In February 2016, the Slovak torrent tracking site SkTorrent was hacked and over 117k records leaked online. The data dump included usernames, email addresses and passwords stored in plain text.

Victim
SkTorrent
Records
117.1K
Data breachResolved

V-Tight Gel data breach (2016)

In approximately February 2016, data surfaced which was allegedly obtained from V-Tight Gel (vaginal tightening gel). Whilst the data set was titled V-Tight, within there were 50 other (predominantly wellness-related) domain names, most owned by the same entity.

Victim
V-Tight Gel
Records
2.0M
Data breachResolved

Flash Flash Revolution (2016 breach) data breach (2016)

In February 2016, the music-based rhythm game known as Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Victim
Flash Flash Revolution (2016 breach)
Records
1.8M
Data breachResolved

Minecraft World Map data breach (2016)

In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords.

Victim
Minecraft World Map
Records
71.1K
Data breachResolved

uTorrent data breach (2016)

In early 2016, the forum for the uTorrent BitTorrent client suffered a data breach which came to light later in the year. The database from the IP.Board based forum contained 395k accounts including usernames, email addresses and MD5 password hashes without a salt.

Victim
uTorrent
Records
395.0K
Data breachResolved

Battlefy data breach (2016)

In January 2016, the esports website Battlefy suffered a data breach that exposed 83k customer records. The impacted data included email addresses, usernames and passwords stored as bcrypt hashes.

Victim
Battlefy
Records
83.6K
Data breachResolved

EpicNPC data breach (2016)

In January 2016, the hacked account reseller EpicNPC suffered a data breach that impacted 409k subscribers. The impacted data included usernames, IP and email addresses and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
EpicNPC
Records
408.8K
Data breachResolved

Anime-Planet data breach (2016)

In approximately 2016, the anime website Anime-Planet suffered a data breach that impacted 369k subscribers. The exposed data included usernames, IP and email addresses, dates of birth and passwords stored as unsalted MD5 hashes and for newer accounts, bcrypt hashes.

Victim
Anime-Planet
Records
368.5K
Data breachResolved

BitTorrent data breach (2016)

In January 2016, the forum for the popular torrent software BitTorrent was hacked. The IP.Board based forum stored passwords as weak SHA1 salted hashes and the breached data also included usernames, email and IP addresses.

Victim
BitTorrent
Records
34.2K
Data breachResolved

D3Scene data breach (2016)

In January 2016, the gaming website D3Scene, suffered a data breach. The compromised vBulletin forum exposed 569k million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
D3Scene
Records
568.8K
Data breachResolved

Lifeboat data breach (2016)

In January 2016, the Minecraft community known as Lifeboat was hacked and more than 7 million accounts leaked. Lifeboat knew of the incident for three months before the breach was made public but elected not to advise customers.

Victim
Lifeboat
Records
7.1M
Data breachResolved

MoDaCo data breach (2016)

In approximately January 2016, the UK based Android community known as MoDaCo suffered a data breach which exposed 880k subscriber identities. The data included email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
MoDaCo
Records
879.7K
Data breachResolved

Onverse data breach (2016)

In January 2016, the online virtual world known as Onverse was hacked and 800k accounts were exposed. Along with email and IP addresses, the site also exposed salted MD5 password hashes.

Victim
Onverse
Records
800.2K
Data breachResolved

ServerPact data breach (2016)

In mid-2015, the Dutch Minecraft site ServerPact was hacked and 73k accounts were exposed. Along with birth dates, email and IP addresses, the site also exposed SHA1 password hashes with the username as the salt.

Victim
ServerPact
Records
73.6K
Data breachResolved

XPG data breach (2016)

In approximately early 2016, the gaming website Xpgamesaves (XPG) suffered a data breach resulting in the exposure of 890k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.

Victim
XPG
Records
890.3K