Skip to content

Incidents from

2017

Data breachResolved

The Fly on the Wall data breach (2017)

In December 2017, the stock market news website The Fly on the Wall suffered a data breach. The data in the breach included 84k unique email addresses as well as purchase histories and credit card data.

Victim
The Fly on the Wall
Records
84.0K
Data breachResolved

HoundDawgs data breach (2017)

In December 2017, the Danish torrent tracker known as HoundDawgs suffered a data breach. More than 55GB of data was dumped publicly and whilst there was initially contention as to the severity of the incident, the data did indeed contain more than 45k unique email addresses complete extensive logs…

Victim
HoundDawgs
Records
45.7K
Data breachResolved

Lyrics Mania data breach (2017)

In December 2017, the song lyrics website known as Lyrics Mania suffered a data breach. The data in the breach included 109k usernames, email addresses and plain text passwords. Numerous attempts were made to contact Lyrics Mania about the incident, however no responses were received.

Victim
Lyrics Mania
Records
109.2K
Data breachResolved

2fast4u data breach (2017)

In December 2017, the Belgian motorcycle forum 2fast4u discovered a data breach of their system. The breach of the vBulletin message board impacted over 17k individual users and exposed email addresses, usersnames and salted MD5 passwords.

Victim
2fast4u
Records
17.7K
Data breachResolved

PetFlow data breach (2017)

In December 2017, the pet care delivery service PetFlow suffered a data breach which consequently appeared for sale on a dark web marketplace. Almost 1M accounts were impacted and exposed email addresses and passwords stored as unsalted MD5 hashes.

Victim
PetFlow
Records
990.9K
Data breachResolved

piZap data breach (2017)

In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019.

Victim
piZap
Records
41.8M
Data breachResolved

ai.type data breach (2017)

In December 2017, the virtual keyboard application ai.type was found to have left a huge amount of data publicly facing in an unsecured MongoDB instance.

Victim
ai.type
Records
20.6M
Data breachResolved

Open CS:GO data breach (2017)

In December 2017, the website for purchasing Counter-Strike skins known as Open CS:GO (Counter-Strike: Global Offensive) suffered a data breach (address since redirects to dropgun.com).

Victim
Open CS:GO
Records
512.3K
Data breachResolved

TheTVDB.com data breach (2017)

In November 2017, the open television database known as TheTVDB.com suffered a data breach. The breached data was posted to a hacking forum and included 182k records with usernames, email addresses and MySQL password hashes.

Victim
TheTVDB.com
Records
181.9K
Data breachunresolved

Malaysia telecommunications mega data breach

Personal data of 46.2 million Malaysian mobile subscribers — names, ID card numbers, SIM and IMSI numbers, and addresses from at least a dozen telcos and MVNOs — was leaked and offered for sale online, in the largest data breach in Malaysian history.

Victim
Malaysian mobile operators (Maxis, Celcom, DiGi, U Mobile and others)
Records
46.2M
Data breachResolved

Bukalapak data breach (2017)

In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes.

Victim
Bukalapak
Records
13.4M
Data breachResolved

Legendas.TV data breach (2017)

In October 2017, the now defunct Brazilian service for retrieving subtitles in Portuguese Legendas.TV suffered a data breach that exposed nearly 4M customer records. The impacted data included names, usernames, email and IP addresses and unsalted SHA-1 hashes.

Victim
Legendas.TV
Records
3.9M
Data breachResolved

Smogon data breach (2017)

In April 2018, the Pokémon website known as Smogon announced they'd suffered a data breach. The breach dated back to September 2017 and affected their XenForo based forum. The exposed data included usernames, email addresses, genders and both bcrypt and MD5 password hashes.

Victim
Smogon
Records
386.5K
Data breachResolved

Moneycontrol data breach (2017)

In April 2021, hackers posted data for sale originating from the online Indian financial platform, Moneycontrol. The data included 763 thousand unique email addresses (allegedly a subset of a larger 40 million account breach), alongside geographic locations, phone numbers, genders, dates of birth…

Victim
Moneycontrol
Records
762.9K
Data breachResolved

TGBUS data breach (2017)

In approximately 2017, it's alleged that the Chinese gaming site known as TGBUS suffered a data breach that impacted over 10 million unique subscribers.

Victim
TGBUS
Records
10.4M
Data breachResolved

Onliner Spambot data breach (2017)

In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moÊžuÆŽq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information.

Victim
Onliner Spambot
Records
711.5M
Data breachResolved

Coinmama data breach (2017)

In August 2017, the crypto coin brokerage service Coinmama suffered a data breach that impacted 479k subscribers. The breach was discovered in February 2019 with exposed data including email addresses, usernames and passwords stored as MD5 WordPress hashes.

Victim
Coinmama
Records
478.8K
Data breachResolved

Taringa data breach (2017)

In September 2017, news broke that Taringa had suffered a data breach exposing 28 million records. Known as "The Latin American Reddit", Taringa's breach disclosure notice indicated the incident dated back to August that year.

Victim
Taringa
Records
28.0M
Data breachResolved

B2B USA Businesses data breach (2017)

In mid-2017, a spam list of over 105 million individuals in corporate America was discovered online. Referred to as "B2B USA Businesses", the list categorised email addresses by employer, providing information on individuals' job titles plus their work phone numbers and physical addresses.

Victim
B2B USA Businesses
Records
105.1M
Data breachResolved

Swedish Transport Agency data leak

A botched IT outsourcing deal exposed Sweden's entire vehicle and driver-licence database — including data on protected identities, police, and military personnel — to foreign IT workers without security clearance, triggering a national political crisis.

Victim
Swedish Transport Agency (Transportstyrelsen)
Data breachResolved

8tracks data breach (2017)

In June 2017, the online playlists service known as 8Tracks suffered a data breach which impacted 18 million accounts. In their disclosure, 8Tracks advised that "the vector for the attack was an employee’s GitHub account, which was not secured using two-factor authentication".

Victim
8tracks
Records
18.0M
Data breachResolved

Exposed VINs data breach (2017)

In June 2017, an unsecured database with more than 10 million VINs (vehicle identification numbers) was discovered by researchers. Believed to be sourced from US car dealerships, the data included a raft of personal information and vehicle data along with 397k unique email addresses.

Victim
Exposed VINs
Records
396.6K
EspionageResolved

Qatar News Agency hack

Attackers planted malware on Qatar's state news agency in April 2017 and exploited it on 24 May to publish fabricated quotes attributed to the Emir, providing the pretext used by Saudi Arabia, the UAE, Bahrain, and Egypt to launch a blockade of Qatar.

Victim
Qatar News Agency (QNA)
Data breachResolved

Zomato data breach (2017)

In May 2017, the restaurant guide website Zomato was hacked resulting in the exposure of almost 17 million accounts. The data was consequently redistributed online and contains email addresses, usernames and salted MD5 hashes of passwords (the password hash was not present on all accounts).

Victim
Zomato
Records
16.5M
Data breachResolved

DaFont data breach (2017)

In May 2017, font sharing site DaFont suffered a data breach resulting in the exposure of 637k records. Allegedly due to a SQL injection vulnerability exploited by multiple parties, the exposed data included usernames, email addresses and passwords stored as MD5 without a salt.

Victim
DaFont
Records
637.3K
Data breachResolved

Bell (2017 breach) data breach (2017)

In May 2017, the Bell telecommunications company in Canada suffered a data breach resulting in the exposure of millions of customer records. The data was consequently leaked online with a message from the attacker stating that they were "releasing a significant portion of Bell.ca's data due to the…

Victim
Bell (2017 breach)
Records
2.2M
Data breachResolved

Reincubate data breach (2017)

In October 2020, the app data company Reincubate suffered a data breach which exposed a backup from November 2017 (the newest record in the data appeared several months earlier). The data included over 616k unique email addresses, names and passwords stored as PBKDF2 hashes.

Victim
Reincubate
Records
616.1K
Data breachResolved

Ge.tt data breach (2017)

In May 2017, the file sharing platform Ge.tt suffered a data breach. The data was subsequently put up for sale on a dark web marketplace in February 2019 alongside a raft of other breaches.

Victim
Ge.tt
Records
2.5M
Data breachResolved

Underworld Empire data breach (2017)

In April 2017, the vBulletin forum for the Underworld Empire game suffered a data breach that exposed 429k accounts. The data was then posted to a hacking forum in mid-February 2018 where it was made available to download.

Victim
Underworld Empire
Records
428.8K
Data breachResolved

Dueling Network data breach (2017)

In March 2017, the Flash game based on the Yu-Gi-Oh trading card game Dueling Network suffered a data breach. The site itself was taken offline in 2016 due to a cease-and-desist order but the forum remained online for another year.

Victim
Dueling Network
Records
6.5M
Data breachResolved

Appartoo data breach (2017)

In March 2017, the French Flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256…

Victim
Appartoo
Records
49.7K
Data breachResolved

Health Now Networks data breach (2017)

In March 2017, the telemarketing service Health Now Networks left a database containing hundreds of thousands of medical records exposed. There were over 900,000 records in total containing significant volumes of personal information including names, dates of birth, various medical conditions and…

Victim
Health Now Networks
Records
321.9K
Data breachResolved

Factual data breach (2017)

In March 2017, a file containing 8M rows of data allegedly sourced from data aggregator Factual was compiled and later exchanged on the premise it was a "breach". The data contained 2.5M unique email addresses alongside business names, addresses and phone numbers.

Victim
Factual
Records
2.5M
Data breachResolved

Master Deeds data breach (2017)

In March 2017, a 27GB database backup file named "Master Deeds" was sent to HIBP by a supporter of the project. Upon detailed analysis later that year, the file was found to contain the personal data of tens of millions of living and deceased South African residents.

Victim
Master Deeds
Records
2.3M
Data breachResolved

Bolt data breach (2017)

In approximately March 2017, the file sharing website Bolt suffered a data breach resulting in the exposure of 995k unique user records. The data was sourced from their vBulletin forum and contained email and IP addresses, usernames and salted MD5 password hashes.

Victim
Bolt
Records
995.3K
EspionageResolved

MINDEF I-net breach

A targeted intrusion into Singapore's Ministry of Defence I-net web-surfing system stole the NRIC numbers, phone numbers and birth dates of 850 national servicemen and staff in the country's first publicly disclosed breach of a government defence network.

Victim
Singapore Ministry of Defence (MINDEF)
Records
850
Data breachResolved

Retina-X data breach (2017)

In February 2017, the mobile device monitoring software developer Retina-X was hacked and customer data downloaded before being wiped from their servers.

Victim
Retina-X
Records
71.2K
Data breachResolved

Coachella data breach (2017)

In February 2017, hundreds of thousands of records from the Coachella music festival were discovered being sold online. Allegedly taken from a combination of the main Coachella website and their vBulletin-based message board, the data included almost 600k usernames, IP and email addresses and…

Victim
Coachella
Records
599.8K
Data breachResolved

FreeOnes data breach (2017)

In February 2017, the forum for the adult website FreeOnes suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 960k unique email addresses alongside usernames, IP addresses and salted MD5 password hashes.

Victim
FreeOnes
Records
960.2K
Data breachResolved

Freedom Hosting II data breach (2017)

In January 2017, the free hidden service host Freedom Hosting II suffered a data breach. The attack allegedly took down 20% of dark web sites running behind Tor hidden services with the attacker claiming that of the 10,613 impacted sites, more than 50% of the content was child pornography.

Victim
Freedom Hosting II
Records
380.8K
Data breachResolved

DataCamp data breach (2017)

In December 2018, the data science website DataCamp suffered a data breach of records dating back to January 2017. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes.

Victim
DataCamp
Records
760.6K
Data breachResolved

SwordFantasy data breach (2017)

In January 2019, the now defunct MMO and RPG game SwordFantasy suffered a data breach that exposed 2.7M unique email addresses. Other impacted data included username, IP address and salted MD5 password hashes.

Victim
SwordFantasy
Records
2.7M
Data breachResolved

CrimeAgency vBulletin Hacks data breach (2017)

In January 2016, a large number of unpatched vBulletin forums were compromised by an actor known as "CrimeAgency". A total of 140 forums had data including usernames, email addresses and passwords (predominantly stored as salted MD5 hashes), extracted and then distributed.

Victim
CrimeAgency vBulletin Hacks
Records
942.0K
Data breachResolved

Sephora data breach (2017)

In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information.

Victim
Sephora
Records
780.1K
Data breachResolved

CloudPets data breach (2017)

In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands).

Victim
CloudPets
Records
583.5K
Data breachResolved

Hub4Tech data breach (2017)

On an unknown date in approximately 2017, the Indian training and assessment service known as Hub4Tech suffered a data breach via a SQL injection attack. The incident exposed almost 37k unique email addresses and passwords stored as unsalted MD5 hashes.

Victim
Hub4Tech
Records
36.9K
Data breachResolved

Little Monsters data breach (2017)

In approximately January 2017, the Lady Gaga fan site known as "Little Monsters" suffered a data breach that impacted 1 million accounts. The data contained usernames, email addresses, dates of birth and bcrypt hashes of passwords.

Victim
Little Monsters
Records
995.7K
Data breachResolved

LiveJournal data breach (2017)

In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth beginning in 2018, a fork of LiveJournal with a significant crossover in user base.

Victim
LiveJournal
Records
26.4M
Data breachResolved

R2 (2017 forum breach) data breach (2017)

In early 2017, the forum for the gaming website R2 Games was hacked. R2 had previously appeared on HIBP in 2015 after a prior incident. This one exposed over 1 million unique user accounts and corresponding MD5 password hashes with no salt.

Victim
R2 (2017 forum breach)
Records
1.0M
Data breachResolved

River City Media Spam List data breach (2017)

In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation.

Victim
River City Media Spam List
Records
393.4M
Data breachResolved

Russian America data breach (2017)

In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes.

Victim
Russian America
Records
182.7K
Data breachResolved

Victory Phones data breach (2017)

In January 2017, the automated telephony services company Victory Phones left a Mongo DB database publicly facing without a password. Subsequently, 213GB of data was downloaded by an unauthorised party including names, addresses, phone numbers and over 166k unique email addresses.

Victim
Victory Phones
Records
166.0K