Skip to content

Incidents from

2018

Data breachResolved

IIMJobs data breach (2018)

In December 2018, the Indian job portal IIMJobs suffered a data breach that exposed 4.1 million unique email addresses. The data also included names, phone numbers, geographic locations, dates of birth, job titles, job applications and cover letters plus passwords stored as unsalted MD5 hashes.

Victim
IIMJobs
Records
4.2M
Data breachResolved

BannerBit data breach (2018)

In approximately December 2018, the online ad platform BannerBit suffered a data breach. Containing 213k unique email addresses and plain text passwords, the data was provided to HIBP by a third party. Multiple attempts were made to contact BannerBit, but no response was received.

Victim
BannerBit
Records
213.4K
Data breachResolved

BlankMediaGames data breach (2018)

In December 2018, the Town of Salem website produced by BlankMediaGames suffered a data breach. Reported to HIBP by DeHashed, the data contained 7.6M unique user email addresses alongside usernames, IP addresses, purchase histories and passwords stored as phpass hashes.

Victim
BlankMediaGames
Records
7.6M
Data breachResolved

OGUsers (2019 breach) data breach (2018)

In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database.

Victim
OGUsers (2019 breach)
Records
161.1K
Data breachResolved

Roll20 data breach (2018)

In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed.

Victim
Roll20
Records
4.0M
Data breachResolved

Ajarn data breach (2018)

In September 2021, the Thai-based English language teaching website Ajarn discovered they'd been the victim of a data breach dating back to December 2018. The breach was self-submitted to HIBP and included 266k email addresses, names, genders, phone numbers and other personal information.

Victim
Ajarn
Records
266.4K
Data breachResolved

Wanelo data breach (2018)

In approximately December 2018, the digital mall Wanelo suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019.

Victim
Wanelo
Records
23.2M
Data breachResolved

Mappery data breach (2018)

In December 2018, the mapping website Mappery suffered a data breach that exposed over 205k unique email addresses. The incident also exposed usernames, the geographic location of the user and passwords stored as unsalted SHA-1 hashes.

Victim
Mappery
Records
205.2K
Data breachResolved

Bombuj.eu data breach (2018)

In December 2018, the Slovak website for watching movies online for free Bombuj.eu suffered a data breach. The incident exposed over 575k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Bombuj.eu when contacted about the incident.

Victim
Bombuj.eu
Records
575.4K
Data breachContained

Quora data breach

The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.

Victim
Quora
Records
100.0M
Data breachResolved

Fotolog data breach (2018)

In December 2018, the photo sharing social network Fotolog suffered a data breach that exposed 16.7 million unique email addresses. The data also included usernames and unsalted SHA-256 password hashes.

Victim
Fotolog
Records
16.7M
Data breachResolved

Technic data breach (2018)

In November 2018, the Minecraft modpack platform known as Technic suffered a data breach. Technic promptly disclosed the breach and advised that the impacted data included over 265k unique users' email and IP addresses, chat logs, private messages and passwords stored as bcrypt hashes with a workโ€ฆ

Victim
Technic
Records
265.4K
Data breachResolved

Morele.net data breach

Attackers stole the customer database of the Polish e-commerce group Morele.net, exposing data on about 2.2 million customers and launching an SMS-phishing campaign that demanded a fake PLN 1 'top-up' via a counterfeit payment gateway. Poland's UODO issued its then-largest GDPR fine of EUR 660,000.

Victim
Morele.net
Records
2.2M
Data breachResolved

Data & Leads data breach (2018)

In November 2018, security researcher Bob Diachenko identified an unprotected database believed to be hosted by a data aggregator. Upon further investigation, the data was linked to marketing company Data & Leads.

Victim
Data & Leads
Records
44.3M
Data breachResolved

Adapt data breach (2018)

In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles,โ€ฆ

Victim
Adapt
Records
9.4M
Data breachResolved

WPSandbox data breach (2018)

In November 2018, the WordPress sandboxing service that allows people to create temporary websites WP Sandbox discovered their service was being used to host a phishing site attempting to collect Microsoft OneDrive accounts.

Victim
WPSandbox
Records
858
Data breachResolved

Elasticsearch Instance of Sales Leads on AWS data breach (2018)

In October 2018, security researcher Bob Diachenko identified multiple exposed databases with hundreds of millions of records. One of those datasets was an Elasticsearch instance on AWS containing sales lead data and 5.8M unique email addresses.

Victim
Elasticsearch Instance of Sales Leads on AWS
Records
5.8M
Data breachResolved

GoldSilver data breach (2018)

In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers.

Victim
GoldSilver
Records
242.7K
Data breachResolved

Eatigo data breach (2018)

In October 2018, the restaurant reservation service Eatigo suffered a data breach that exposed 2.8 million accounts. The data included email addresses, names, phone numbers, social media profiles, genders and passwords stored as unsalted MD5 hashes.

Victim
Eatigo
Records
2.8M
Data breachResolved

Pluto TV data breach (2018)

In October 2018, the internet television service Pluto TV suffered a data breach which was then shared extensively in hacking communities. Pluto TV "decided not to proactively inform users of the breach" which contained 3.2M unique email and IP addresses, names, usernames, genders, dates of birthโ€ฆ

Victim
Pluto TV
Records
3.2M
Data breachResolved

Wife Lovers data breach (2018)

In October 2018, the site dedicated to posting naked photos and other erotica of wives Wife Lovers suffered a data breach. The underlying database supported a total of 8 different adult websites and contained over 1.2M unique email addresses.

Victim
Wife Lovers
Records
1.3M
Data breachResolved

You've Been Scraped data breach (2018)

In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator.

Victim
You've Been Scraped
Records
66.1M
Data breachResolved

VimeWorld data breach (2018)

In October 2018, the Russian Minecraft service VimeWorld suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 3.1M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.

Victim
VimeWorld
Records
3.1M
Data breachResolved

SaverSpy data breach (2018)

In September 2018, security researcher Bob Diachenko discovered a massive collection of personal details exposed in an unprotected Mongo DB instance. The data appears to have been used in marketing campaigns (possibly for spam purposes) but had little identifying data about it other than aโ€ฆ

Victim
SaverSpy
Records
2.5M
Data breachResolved

Color Dating data breach (2018)

In September 2018, the dating app to match people with different ethnicities Color Dating suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed 220k unique email addresses along with bios, names, profile photos and bcrypt password hashes.

Victim
Color Dating
Records
220.5K
Data breachResolved

Knuddels data breach (2018)

In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined โ‚ฌ20k for the breach.

Victim
Knuddels
Records
808.3K
Data breachResolved

Atlas Quantum data breach (2018)

In August 2018, the cryptocurrency investment platform Atlas Quantum suffered a data breach. The breach leaked the personal data of 261k investors on the platform including their names, phone numbers, email addresses and account balances.

Victim
Atlas Quantum
Records
261.5K
Data breachResolved

HTH Studios data breach (2018)

In August 2018, the adult furry interactive game creator HTH Studios suffered a data breach impacting multiple repositories of customer data. Several months later, the data surfaced on a popular hacking forum and included 411k unique email addresses along with physical and IP addresses, names,โ€ฆ

Victim
HTH Studios
Records
411.8K
Data breachResolved

SpyFone data breach (2018)

In August 2018, the spyware company SpyFone left terabytes of data publicly exposed. Collected surreptitiously whilst the targets were using their devices, the data included photos, audio recordings, text messages and browsing history which were then exposed via a number of misconfigurations withinโ€ฆ

Victim
SpyFone
Records
44.1K
Data breachResolved

HauteLook data breach (2018)

In mid-2018, the fashion shopping site HauteLook was among a raft of sites that were breached and their data then sold in early-2019. The data included over 28 million unique email addresses alongside names, genders, dates of birth and passwords stored as bcrypt hashes.

Victim
HauteLook
Records
28.5M
Data breachResolved

Rbx.Rocks data breach (2018)

In August 2018, the Roblox trading site Rbx.Rocks suffered a data breach. Almost 25k records were sent to HIBP in November and included names, email addresses and passwords stored as bcrypt hashes. In July 2019, a further 125k records emerged bringing the total size of the incident to 150k.

Victim
Rbx.Rocks
Records
150.0K
Data breachResolved

Lanwar data breach (2018)

In July 2018, staff of the Lanwar gaming site discovered a data breach they believe dates back to sometime over the previous several months. The data contained 45k names, email addresses, usernames and plain text passwords.

Victim
Lanwar
Records
45.1K
EspionageContained

SingHealth data breach

Chinese state-attributed actors exfiltrated personal and outpatient medication records on 1.5 million SingHealth patients โ€” including Prime Minister Lee Hsien Loong โ€” in Singapore's most serious cyber incident.

Victim
Singapore Health Services (SingHealth)
Loss
$7.5M
Records
1.5M
Data breachResolved

Bookmate data breach (2018)

In mid-2018, the social ebook subscription service Bookmate was among a raft of sites that were breached and their data then sold in early-2019. The data included almost 4 million unique email addresses alongside names, genders, dates of birth and passwords stored as salted SHA-512 hashes.

Victim
Bookmate
Records
3.8M
Data breachResolved

500px data breach (2018)

In mid-2018, the online photography community 500px suffered a data breach. The incident exposed almost 15 million unique email addresses alongside names, usernames, genders, dates of birth and either an MD5 or bcrypt password hash.

Victim
500px
Records
14.9M
Data breachResolved

Stronghold Kingdoms data breach (2018)

In July 2018, the massive multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident which exposed emails addresses, usernames and passwords stored as salted SHA-1 hashes.

Victim
Stronghold Kingdoms
Records
5.2M
Data breachResolved

8fit data breach (2018)

In July 2018, the health and fitness service 8fit suffered a data breach. The data subsequently appeared for sale on a dark web marketplace in February 2019 and included over 15M unique email addresses alongside names, genders, IP addresses and passwords stored as bcrypt hashes.

Victim
8fit
Records
15.0M
Data breachResolved

Zoomcar data breach (2018)

In July 2018, the Indian self-drive car rental company Zoomcar suffered a data breach which was subsequently sold on a dark web marketplace in 2020. The breach exposed over 3.5M records including names, email and IP addresses, phone numbers and passwords stored as bcrypt hashes.

Victim
Zoomcar
Records
3.6M
Data breachResolved

Exactis data exposure

Data-marketing firm Exactis left a database of nearly 340 million detailed records on individuals and businesses exposed on a publicly accessible server with no firewall. Each record held up to 400 fields of personal profiling data, from contact details to children's ages, religion, and habits.

Victim
Exactis LLC
Records
340.0M
Data breachResolved

Light's Hope data breach (2018)

In June 2018, the World of Warcraft service Light's Hope suffered a data breach which they subsequently self-submitted to HIBP. Over 30K unique users were impacted and their exposed data included email addresses, dates of birth, private messages and passwords stored as bcrypt hashes.

Victim
Light's Hope
Records
30.5K
Data breachResolved

Mortal Online data breach (2018)

In June 2018, the massively multiplayer online role-playing game (MMORPG) Mortal Online suffered a data breach. A file containing 570k email addresses and cracked passwords was subsequently distributed online.

Victim
Mortal Online
Records
606.6K
Data breachResolved

Trik Spam Botnet data breach (2018)

In June 2018, the command and control server of a malicious botnet known as the "Trik Spam Botnet" was misconfigured such that it exposed the email addresses of more than 43 million people.

Victim
Trik Spam Botnet
Records
43.4M
Data breachResolved

Romwe data breach (2018)

In mid-2018, the Hong Kong-based retailer Romwe suffered a data breach which exposed almost 20 million customers. The data was subsequently sold online and includes names, phone numbers, email and IP addresses, customer geographic locations and passwords stored as salted SHA-1 hashes.

Victim
Romwe
Records
19.5M
Data breachResolved

SHEIN data breach (2018)

In June 2018, fast-fashion retailer SHEIN suffered a breach of its payment systems exposing about 39 million account credentials. In 2022, New York fined parent company Zoetop $1.9 million for understating the breach and failing to notify most victims.

Victim
SHEIN
Loss
$1.9M
Records
39.1M
Data breachResolved

Ticketfly data breach (2018)

In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached dataโ€ฆ

Victim
Ticketfly
Records
26.2M
Data breachResolved

Adult-FanFiction.Org data breach (2018)

In May 2018, the website for sharing adult-orientated works of fiction known as Adult-FanFiction.Org had 186k records exposed in a data breach. The data contained names, email addresses, dates of birth and passwords stored as both MD5 hashes and plain text.

Victim
Adult-FanFiction.Org
Records
186.1K
Data breachResolved

Houzz data breach (2018)

In mid-2018, the home-design platform Houzz had a file containing user data obtained by an unauthorized third party. The company learned of it in late 2018 and disclosed it in early 2019. Roughly 49 million accounts were exposed, including emails, usernames, salted password hashes and IP-derived locations.

Victim
Houzz
Records
48.9M
Data breachResolved

Lolzteam data breach (2018)

In May 2018, the Russian hacking forum Lolzteam suffered a data breach that exposed 400k members. The impacted data included usernames and email addresses which were later redistributed via another hacking forum.

Victim
Lolzteam
Records
398.0K
Data breachResolved

ViewFines data breach (2018)

In May 2018, the South African website for viewing traffic fines online known as ViewFines suffered a data breach. Over 934k records containing 778k unique email addresses were exposed and included names, phone numbers, government issued IDs and passwords stored in plain text.

Victim
ViewFines
Records
777.6K
Data breachResolved

Creative data breach (2018)

In May 2018, the forum for Singaporean hardware company Creative Technology suffered a data breach which resulted in the disclosure of 483k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes.

Victim
Creative
Records
483.0K
Data breachResolved

Linux Forums data breach (2018)

In May 2018, the Linux Forums website suffered a data breach which resulted in the disclosure of 276k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes.

Victim
Linux Forums
Records
275.8K
Data breachResolved

Funny Games data breach (2018)

In April 2018, the online entertainment site Funny Games suffered a data breach that disclosed 764k records including usernames, email and IP addresses and salted MD5 password hashes.

Victim
Funny Games
Records
764.4K
Data breachResolved

Pemiblanc data breach (2018)

In April 2018, a credential stuffing list containing 111 million email addresses and passwords known as Pemiblanc was discovered on a French server. The list contained email addresses and passwords collated from different data breaches and used to mount account takeover attacks against otherโ€ฆ

Victim
Pemiblanc
Records
111.0M
Data breachResolved

AerServ data breach (2018)

In April 2018, the ad management platform known as AerServ suffered a data breach. Acquired by InMobi earlier in the year, the AerServ breach impacted over 66k unique email addresses and also included contact information and passwords stored as salted SHA-512 hashes.

Victim
AerServ
Records
66.3K
Data breachResolved

Artsy data breach (2018)

In April 2018, the online arts database Artsy suffered a data breach which consequently appeared for sale on a dark web marketplace. Over 1M accounts were impacted and included IP and email addresses, names and passwords stored as salted SHA-512 hashes.

Victim
Artsy
Records
1.1M
Data breachResolved

Emuparadise data breach (2018)

In April 2018, the self-proclaimed "biggest retro gaming website on earth", Emuparadise, suffered a data breach. The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.

Victim
Emuparadise
Records
1.1M
Data breachResolved

Wendy's data breach (2018)

In March 2018, Wendy's in the Philippines suffered a data breach which impacted over 52k customers and job applicants. The breach exposed extensive personal information including names, email and IP addresses, physical addresses, phone numbers and passwords stored as MD5 hashes.

Victim
Wendy's
Records
52.5K
Data breachResolved

Bestialitysextaboo data breach (2018)

In March 2018, the animal bestiality website known as Bestialitysextaboo was hacked. A collection of various sites running on the same service were also compromised and details of the hack (including links to the data) were posted on a popular forum.

Victim
Bestialitysextaboo
Records
3.2K
Social engineeringResolved

Facebookโ€“Cambridge Analytica data scandal

Political consultancy Cambridge Analytica improperly obtained the personal data of up to 87 million Facebook users via a personality-quiz app, exploiting Facebook's permissive third-party API to harvest friend networks and build voter-targeting profiles. The scandal triggered a record $5 billion FTC penalty.

Victim
Facebook
Loss
$5.00B
Records
87.0M
Data breachResolved

EyeEm data breach (2018)

In February 2018, photography website EyeEm suffered a data breach. The breach was identified among a collection of other large incidents and exposed almost 20M unique email addresses, names, usernames, bios and password hashes.

Victim
EyeEm
Records
19.6M
Data breachResolved

2,844 Separate Data Breaches data breach (2018)

In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen.

Victim
2,844 Separate Data Breaches
Records
80.1M
Data breachResolved

Florida Virtual School data breach (2018)

In March 2018, the Florida Virtual School (FLVS) posted a data breach notification to their website. The school had identified a data breach which had occurred sometime between 6 May 2016 and 12 Feb 2018 and an XML file containing 368k student records was subsequently found circulating.

Victim
Florida Virtual School
Records
542.9K
Data breachResolved

Jobandtalent data breach (2018)

In approximately February 2018, the employment website Jobandtalent suffered a data breach which then appeared for sale alongside other breaches a year later. The incident impacted 11 million subscribers and exposed their names, email and IP addresses and passwords stored as salted SHA-1 hashes.

Victim
Jobandtalent
Records
11.0M
Data breachResolved

JoomlArt data breach (2018)

In January 2018, the Joomla template website JoomlArt inadvertently exposed more than 22k unique customer records in a Jira ticket. The exposed data was from iJoomla and JomSocial, both services that JoomlArt acquired the previous year.

Victim
JoomlArt
Records
22.5K
Data breachResolved

PropTiger data breach (2018)

In January 2018, the Indian property website PropTiger suffered a data breach which resulted in a 3.46GB database file being exposed and subsequently shared extensively on a popular hacking forum 2 years later.

Victim
PropTiger
Records
2.2M
private-keystolen

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time โ€” later attributed to North Korea's Lazarus Group.

Victim
Coincheck Inc.
Loss
$530.0M
Data breachResolved

Netshoes customer data breach

Brazilian e-commerce giant Netshoes exposed the personal data โ€” names, CPF tax IDs, emails and purchase histories โ€” of about 2 million customers, drawing one of the first major enforcement actions by Brazilian prosecutors over a data breach.

Victim
Netshoes
Loss
$135.0K
Records
2.0M
Data breachUnknown

Aadhaar database exposure

Tribune India journalists demonstrated that paid intermediaries could provide full Aadhaar records โ€” including biometric-linked identity data on roughly 1.1 billion Indian residents โ€” for 500 rupees per record.

Victim
Unique Identification Authority of India (UIDAI) / Aadhaar
Records
1.10B
Data breachResolved

DailyObjects data breach (2018)

In approximately January 2018, a collection of more than 464k customer records from the Indian online retailer DailyObjects were leaked online. The data included names, physical and email addresses, phone numbers and "pincodes" stored in plain text.

Victim
DailyObjects
Records
464.3K
Data breachResolved

Elanic data breach (2018)

In January 2020, the Indian fashion marketplace Elanic had 2.8M records with 2.3M unique email addresses posted publicly to a popular hacking forum. Elanic confirmed that they had "verified the data and it was pulled from one of our test servers where this data was exposed publicly" and that theโ€ฆ

Victim
Elanic
Records
2.3M