Skip to content

Incidents from

2019

Data breachResolved

Sonicbids data breach (2019)

In December 2019, the booking website Sonicbids suffered a data breach which they attributed to "a data privacy event involving our third-party cloud hosting services". The breach contained 752k user records including names and usernames, email addresses and passwords stored as PBKDF2 hashes.

Victim
Sonicbids
Records
751.7K
Data breachResolved

BtoBet data breach (2019)

In December 2019, a large collection of data from Nigerian gambling company Surebet247 was sent to HIBP. Alongside the Surebet247, database backups from gambling sites BetAlfa, BetWay, BongoBongo and TopBet was also included.

Victim
BtoBet
Records
444.2K
RansomwareRansom paid

Maastricht University Clop ransomware (Netherlands, 2019)

TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15โ€“16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin โ€” later seized from a money mule โ€” was returned and had appreciated, leaving the university ahead by ~$300,000.

Victim
Maastricht University
Loss
$220.0K
Data breachResolved

Avvo data breach (2019)

In approximately December 2019, an alleged data breach of the lawyer directory service Avvo was published to an online hacking forum and used in an extortion scam (it's possible the exposure dates back earlier than that).

Victim
Avvo
Records
4.1M
Data breachResolved

GameSprite data breach (2019)

In December 2019, the now defunct gaming platform GameSprite suffered a data breach that exposed over 6M unique email addresses. The impacted data also included usernames, IP addresses and salted MD5 password hashes.

Victim
GameSprite
Records
6.2M
RansomwareRansom paid

LifeLabs data breach

Canada's largest medical-testing laboratory disclosed that attackers had accessed health data on roughly 15 million customers, paid an undisclosed ransom to retrieve the stolen records, and was later found by privacy regulators to have failed to safeguard the information.

Victim
LifeLabs
Records
15.0M
Data breachResolved

SoarGames data breach (2019)

In December 2019, the now defunct gaming website SoarGames suffered a data breach that exposed 4.8M unique email addresses. The impacted data included usernames, email and IP addresses and salted MD5 password hashes.

Victim
SoarGames
Records
4.8M
Data breachResolved

JoyGames data breach (2019)

In December 2019, the forum for the JoyGames website suffered a data breach that exposed 4.5M unique email addresses. The impacted data also included usernames, IP addresses and salted MD5 password hashes.

Victim
JoyGames
Records
4.5M
Data breachResolved

Unigame data breach (2019)

In December 2019, the now defunct gaming website Unigame (maker of Hunter Online) suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 844k email addresses and salted MD5 password hashes.

Victim
Unigame
Records
843.7K
RansomwareResolved

Beneลกov Hospital Ryuk ransomware attack

An Emotetโ€“TrickBotโ€“Ryuk malware chain crippled the Rudolf and Stefanie Hospital in Beneลกov, Czech Republic, knocking out X-ray, ultrasound, and laboratory systems and paralysing the facility for weeks. The hospital did not pay the ransom and reported no patient-record loss.

Victim
Rudolf and Stefanie Hospital, Beneลกov
Data breachResolved

TaiLieu data breach (2019)

In November 2019, the Vietnamese education website TaiLieu allegedly suffered a data breach exposing 7.3M customer records. Impacted data included names and usernames, email addresses, dates of birth, genders and passwords stored as unsalted MD5 hashes.

Victim
TaiLieu
Records
7.3M
Data breachResolved

Benchmark data breach (2019)

In November 2019, the Serbian technology news website Benchmark suffered a breach of its forum that exposed 93k customer records. The breach exposed IP and email addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Benchmark
Records
93.3K
Data breachResolved

IndiHome data breach (2019)

In mid-2021, reports emerged of a data breach of Indonesia's telecommunications company, IndiHome. Over 26M rows of data alleged to have been sourced from the company was posted to a popular hacking forum and contained 12.6M unique email addresses alongside names, IP addresses, genders andโ€ฆ

Victim
IndiHome
Records
12.6M
Data breachResolved

Universarium data breach (2019)

In approximately November 2019, the Russian "Remote preparatory faculty for IT specialties" Universarium suffered a data breach. The incident exposed 565k email addresses and passwords in plain text. Universarium did not respond to multiple attempts to make contact over a period of many weeks.

Victim
Universarium
Records
565.0K
Data breachResolved

StarTribune data breach (2019)

In October 2019, the Minnesota-based news service StarTribune suffered a data breach which was subsequently sold on the dark web. The breach exposed over 2 million unique email addresses alongside names, usernames, physical addresses, dates of birth, genders and passwords stored as bcrypt hashes.

Victim
StarTribune
Records
2.2M
Data breachResolved

The Halloween Spot data breach (2019)

In September 2019, the Halloween costume store The Halloween Spot suffered a data breach. Originally misattributed to fancy dress store Smiffys, the breach contained 13GB of data with over 10k unique email addresses alongside names, physical and IP addresses, phone numbers and order histories.

Victim
The Halloween Spot
Records
10.7K
Data breachResolved

Zooville data breach (2019)

In September 2019, the zoophilia and bestiality forum Zooville suffered a data breach. The usernames and email addresses of 71k members were accessed via an unpatched vulnerability in the vBulletin forum software then subsequently distributed online.

Victim
Zooville
Records
71.4K
Data breachResolved

KiwiFarms data breach (2019)

In September 2019, the forum for discussing "lolcows" (people who can be milked for laughs) Kiwi Farms suffered a data breach. The disclosure notice advised that email and IP addresses, dates of birth and content created by members were all exposed in the incident.

Victim
KiwiFarms
Records
4.6K
Data breachResolved

EpicBot data breach (2019)

In September 2019, the RuneScape bot provider EpicBot suffered a data breach that impacted 817k subscribers. Data from the breach was subsequently shared on a popular hacking forum and included usernames, email and IP addresses and passwords stored as either salted MD5 or bcrypt hashes.

Victim
EpicBot
Records
816.7K
Data breachResolved

Zynga data breach (2019)

In September 2019, the hacker Gnosticplayers breached game developer Zynga, accessing data for nearly 173 million Words With Friends and Draw Something players. Exposed data included emails, usernames, phone numbers, and salted SHA-1 password hashes.

Victim
Zynga
Records
172.9M
Data breachResolved

AlpineReplay data breach (2019)

In 2019, the snow sports tracking app AlpineReplay suffered a data breach that exposed 900k unique email addresses. Later rolled into the Trace service, the breach included names, usernames, genders, dates of birth, weights and passwords stored as either unsalted MD5 or bcrypt hashes.

Victim
AlpineReplay
Records
898.7K
Data breachResolved

ToonDoo data breach (2019)

In August 2019, the comic strip creation website ToonDoo suffered a data breach. The data was subsequently redistributed on a popular hacking forum in November where the personal information of over 6M subscribers was shared.

Victim
ToonDoo
Records
6.0M
Data breachResolved

Audi data breach (2019)

In August 2019, Audi USA suffered a data breach after a vendor left data unsecured and exposed on the internet. The data contained 2.7M unique email addresses along with names, phone numbers, physical addresses and vehicle information including VIN.

Victim
Audi
Records
2.7M
Data breachResolved

europa.jobs data breach (2019)

In August 2019, the now defunct European jobs website europa.jobs (Google cache link) suffered a data breach. The incident exposed 226k unique email addresses alongside extensive personal information including names, dates of birth, job applications and passwords.

Victim
europa.jobs
Records
226.1K
Data breachResolved

Promofarma data breach (2019)

In August 2019, a data breach from the Spanish online pharmacy Promofarma appeared for sale on a dark web marketplace. The breach exposed over 2.7M records and contained almost 1.3M unique customer email addresses. The data also included customer names and was provided to HIBP by dehashed.com.

Victim
Promofarma
Records
1.3M
Data breachResolved

StockX data breach (2019)

In July 2019, the fashion and sneaker trading platform StockX suffered a data breach which was subsequently sold via a dark webmarketplace. The exposed data included 6.8 million unique email addresses, names, physical addresses, purchases and passwords stored as salted MD5 hashes.

Victim
StockX
Records
6.8M
Data breachResolved

MGM Resorts data breach (2019)

In July 2019, MGM Resorts discovered a data breach of one of their cloud services. The breach included 10.6M guest records with 3.1M unique email addresses stemming back to 2017.

Victim
MGM Resorts
Records
3.1M
Data breachResolved

Cracked.to data breach (2019)

In July 2019, the hacking website Cracked.to suffered a data breach. There were 749k unique email addresses spread across 321k forum users and other tables in the database.

Victim
Cracked.to
Records
749.2K
Data breachResolved

Bulgarian National Revenue Agency data breach (2019)

In July 2019, a massive data breach of the Bulgarian National Revenue Agency began circulating with data on 5 million people. Allegedly obtained in June, the data was broadly shared online and included taxation information alongside names, phone numbers, physical addresses and 471 thousand uniqueโ€ฆ

Victim
Bulgarian National Revenue Agency
Records
471.2K
Data breachResolved

BlackSpigotMC data breach (2019)

In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself.

Victim
BlackSpigotMC
Records
140.0K
Data breachResolved

Vedantu data breach (2019)

In mid-2019, the Indian interactive online tutoring platform Vedantu suffered a data breach which exposed the personal data of 687k users. The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored asโ€ฆ

Victim
Vedantu
Records
686.9K
Data breachResolved

Planet Calypso data breach (2019)

In approximately July 2019, the forums for the Planet Calypso game suffered a data breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Planet Calypso
Records
62.3K
Data breachResolved

Quidd data breach (2019)

In 2019, online marketplace for trading stickers, cards, toys, and other collectibles Quidd suffered a data breach. The breach exposed almost 4 million users' email addresses, usernames and passwords stored as bcrypt hashes.

Victim
Quidd
Records
3.8M
Data breachResolved

XKCD data breach (2019)

In July 2019, the forum for webcomic XKCD suffered a data breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored in MD5 phpBB3 format. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies.

Victim
XKCD
Records
562.0K
Data breachResolved

Artvalue data breach (2019)

In June 2019, the France-based art valuation website Artvalue.com left their 158k member subscriber base publicly exposed in a text file on their website. The exposed data included names, usernames, email addresses and passwords stored as MD5 hashes.

Victim
Artvalue
Records
157.7K
Data breachResolved

Social Engineered data breach (2019)

In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the MyBB forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database.

Victim
Social Engineered
Records
89.4K
Data breachResolved

Void.to data breach (2019)

In June 2019, the hacking website Void.to suffered a data breach. There were 95k unique email addresses spread across 86k forum users and other tables in the database.

Victim
Void.to
Records
95.4K
Data breachResolved

Wiener Bรผchereien data breach (2019)

In June 2019, the library of Vienna (Wiener Bรผchereien) suffered a data breach. The compromised data included 224k unique email addresses, names, physical addresses, phone numbers and dates of birth. The breached data was subsequently posted to Twitter by the alleged perpetrator of the breach.

Victim
Wiener Bรผchereien
Records
224.1K
Data breachResolved

GateHub data breach (2019)

In October 2019, 1.4M accounts from the cryptocurrency wallet service GateHub were posted to a popular hacking forum. GateHub had previously acknowledged a data breach in June, albeit with a smaller number of impacted accounts.

Victim
GateHub
Records
1.4M
Data breachResolved

Condo.com data breach (2019)

In June 2019, now defunct website Condo.com suffered a data breach that was later redistributed as part of a larger corpus of data. The impacted data included 1.5M email addresses alongside names, phone numbers and for a small number of records, physical addresses.

Victim
Condo.com
Records
1.5M
Vulnerability exploitResolved

First American Financial document exposure

An insecure direct object reference (IDOR) flaw on First American Financial's website exposed roughly 885 million title-insurance and mortgage documents โ€” including Social Security numbers, bank account details, and driver's-license images โ€” dating back to 2003, accessible to anyone without authentication.

Victim
First American Financial Corporation
Loss
$1.5M
Records
885.0M
Data breachResolved

Minehut data breach (2019)

In May 2019, the Minecraft server website Minehut suffered a data breach. The company advised a database backup had been obtained after which they subsequently notified all impacted users. 397k email addresses from the incident were provided to HIBP.

Victim
Minehut
Records
396.5K
Data breachResolved

EatStreet data breach (2019)

In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes.

Victim
EatStreet
Records
6.4M
Data breachResolved

Read Novel data breach (2019)

In May 2019, the Chinese literature website Read Novel allegedly suffered a data breach that exposed 22M unique email addresses. Data also included usernames, genders, phone numbers and passwords stored as salted MD5 hashes. Read more about Chinese data breaches in Have I Been Pwned.

Victim
Read Novel
Records
22.4M
Data breachResolved

Aimware data breach (2019)

In mid-2019, the video game cheats website "Aimware" suffered a data breach that exposed hundreds of thousands of subscribers' personal information. Data included email and IP addresses, usernames, forum posts, private messages, website activity and passwords stored as salted MD5 hashes.

Victim
Aimware
Records
305.5K
Data breachResolved

Deezer data breach (2019)

A 2019 snapshot of Deezer user data, retained by a former third-party partner in violation of its contract, was leaked in November 2022 and exposed roughly 229 million records โ€” including names, emails, dates of birth, and locations. No passwords or payment data were affected.

Victim
Deezer
Records
229.0M
Data breachResolved

ApexSMS data breach (2019)

In May 2019, news broke of a massive SMS spam operation known as "ApexSMS" which was discovered after a MongoDB instance of the same name was found exposed without a password.

Victim
ApexSMS
Records
23.2M
Data breachResolved

Instant Checkmate data breach (2019)

In 2019, the public records search service Instant Checkmate suffered a data breach that later came to light in early 2023. The data included almost 12M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.

Victim
Instant Checkmate
Records
11.9M
Data breachResolved

Truth Finder data breach (2019)

In 2019, the public records search service TruthFinder suffered a data breach that later came to light in early 2023. The data included over 8M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.

Victim
Truth Finder
Records
8.2M
Data breachResolved

Storenvy data breach (2019)

In mid-2019, the e-commerce website Storenvy suffered a data breach that exposed millions of customer records. A portion of the breached records were subsequently posted to a hacking forum with cracked password hashes, whilst the entire corpus of 23M rows was put up for sale.

Victim
Storenvy
Records
11.1M
Data breachResolved

Lumin PDF data breach (2019)

In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum.

Victim
Lumin PDF
Records
15.5M
Data breachResolved

Hakko Corporation data breach (2019)

In March 2019, the Japanese solder-related business Hakko Corporation suffered a data breach. The incident exposed almost 10k customer records including email and physical addresses, phone numbers, names, usernames, genders, dates of birth and plain text passwords.

Victim
Hakko Corporation
Records
9.7K
Data breachResolved

Everybody Edits data breach (2019)

In March 2019, the multiplayer platform game Everybody Edits suffered a data breach. The incident exposed 871k unique email addresses alongside usernames and IP addresses. The data was subsequently distributed online across a collection of files.

Victim
Everybody Edits
Records
871.2K
Data breachResolved

Utair data breach (2019)

In August 2020, news broke of a data breach of Russian airline Utair that dated back to the previous year. The breach contained over 400k unique email addresses along with extensive personal information including names, physical addresses, dates of birth, passport numbers and loyalty programโ€ฆ

Victim
Utair
Records
401.4K
Data breachResolved

Mindjolt data breach (2019)

In March 2019, the online gaming website MindJolt suffered a data breach that exposed 28M unique email addresses. Also impacted were names and dates of birth, but no passwords.

Victim
Mindjolt
Records
28.4M
Data breachResolved

Hurb data breach (2019)

In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbersโ€ฆ

Victim
Hurb
Records
20.7M
Data breachResolved

Intelimost data breach (2019)

In March 2019, a spam operation known as "Intelimost" sent millions of emails appearing to come from people the recipients knew. Security researcher Bob Diachenko found over 3 million unique email addresses in an exposed Elasticsearch database, alongside plain text passwords used to access theโ€ฆ

Victim
Intelimost
Records
3.1M
Data breachResolved

MalindoAir data breach (2019)

In early 2019, the Malaysian airline Malindo Air suffered a data breach that exposed tens of millions of customer records. Containing 4.3M unique email addresses, the breach also exposed extensive personal information including names, dates of birth, genders, physical addresses, phone numbers andโ€ฆ

Victim
MalindoAir
Records
4.3M
Data breachResolved

Estante Virtual data breach (2019)

In February 2019, the Brazilian book store Estante Virtual suffered a data breach that impacted 5.4M customers. The exposed data included names, usernames, email and physical addresses, phone numbers, dates of birth and unsalted SHA-1 password hashes.

Victim
Estante Virtual
Records
5.4M
Data breachResolved

Lifebear data breach (2019)

In early 2019, the Japanese schedule app Lifebear appeared for sale on a dark web marketplace amongst a raft of other hacked websites. The breach exposed almost 3.7M unique email addresses, usernames and passwords stored as salted MD5 hashes.

Victim
Lifebear
Records
3.7M
Data breachResolved

Verifications.io data breach (2019)

In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addressesโ€ฆ

Victim
Verifications.io
Records
763.1M
Data breachResolved

GameSalad data breach (2019)

In February 2019, the education and game creation website Game Salad suffered a data breach. The incident impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored as SHA-256 hashes.

Victim
GameSalad
Records
1.5M
Data breachResolved

CafePress data breach (2019)

In February 2019, the custom merchandise retailer CafePress suffered a data breach. The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes.

Victim
CafePress
Records
23.2M
Data breachResolved

Demon Forums data breach (2019)

In February 2019, the hacking forum Demon Forums suffered a data breach. The compromise of the vBulletin forum exposed 52k unique email addresses alongside usernames and passwords stored as salted MD5 hashes.

Victim
Demon Forums
Records
52.6K
Data breachResolved

YouNow data breach (2019)

In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles.

Victim
YouNow
Records
18.2M
Data breachResolved

LBB data breach (2019)

In August 2022, customer data of the Indian shopping site "LBB" (Little Black Book) was posted to a popular hacking forum. The data contained over 3M records with 39k unique email addresses alongside IP and physical addresses, names and device information with the most recent data dating back toโ€ฆ

Victim
LBB
Records
39.3K
Data breachResolved

devkitPro data breach (2019)

In February 2019, the devkitPro forum suffered a data breach. The phpBB based forum had 1,508 unique email addresses exposed in the breach alongside forum posts, private messages and passwords stored as weak salted hashes. The data breach was self-submitted to HIBP by the forum operator.

Victim
devkitPro
Records
1.5K
Data breachResolved

Youthmanual data breach (2019)

In January 2019, the Indonesian college and career platform Youthmanual suffered a data breach that exposed 1.1M records of data. The breached included 938k unique email addresses along with extensive personal information including names, genders, dates and places of birth, phone numbers, physicalโ€ฆ

Victim
Youthmanual
Records
937.9K
Data breachResolved

Peatix data breach (2019)

In January 2019, the event organising platform Peatix suffered a data breach. The incident exposed 4.2M email addresses, names and salted password hashes. The data was provided to HIBP by dehashed.com.

Victim
Peatix
Records
4.2M
Data breachResolved

ixigo data breach (2019)

In January 2019, the travel and hotel booking site ixigo suffered a data breach. The data appeared for sale on a dark web marketplace the following month and included over 17M unique email addresses alongside names, genders, phone numbers, connections to Facebook profiles and passwords stored asโ€ฆ

Victim
ixigo
Records
17.2M
Data breachResolved

Armor Games data breach (2019)

In January 2019, the game portal website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes.

Victim
Armor Games
Records
10.6M
Data breachResolved

Royal Enfield data breach (2019)

In January 2020, motorcycle maker Royal Enfield left a database publicly exposed that resulted in the inadvertent publication of over 400k customers. The impacted data included email and physical addresses, names, motorcycle information, social media profiles, passwords, and other personalโ€ฆ

Victim
Royal Enfield
Records
420.9K