Breached websites & Apps, Information leakages.
A security/data breach is the intentional or unintentional security incident in which information was accessed without authorization. Release of secure or private/confidential information to public can hurt businesses and consumers in a many of ways.
Other reference: security compromise, data leak, information disclosure, information leakage, data spill.
List of all known breaches.
- In December 2018, the data science website DataCamp suffered a data breach of records dating back to January 2017. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes.
In January 2016, a large number of unpatched vBulletin forums were compromised by an actor known as "CrimeAgency". A total of 140 forums had data including usernames, email addresses and passwords (predominantly stored as salted MD5 hashes), extracted and then distributed.
- In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information.
- In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes. Russian America was contacted about the breach but did not respond.
- In January 2017, the automated telephony services company Victory Phones left a Mongo DB database publicly facing without a password. Subsequently, 213GB of data was downloaded by an unauthorised party including names, addresses, phone numbers and over 166k unique email addresses.
- On an unknown date in approximately 2017, the Indian training and assessment service known as Hub4Tech suffered a data breach via a SQL injection attack. The incident exposed almost 37k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Hub4Tech when contacted about the incident.
- In early 2017, the forum for the gaming website R2 Games was hacked. R2 had previously appeared on HIBP in 2015 after a prior incident. This one exposed over 1 million unique user accounts and corresponding MD5 password hashes with no salt.
- In approximately January 2017, the Lady Gaga fan site known as "Little Monsters" suffered a data breach that impacted 1 million accounts. The data contained usernames, email addresses, dates of birth and bcrypt hashes of passwords.
- In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands).
- In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation.
In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password.
- In December 2016, the forum for the public blockchain-based distributed computing platform Ethereum suffered a data breach. The database contained over 16k unique email addresses along with IP addresses, private forum messages and (mostly) bcrypt hashed passwords.
- In December 2016, an attacker breached PayAsUGym's website exposing over 400k customers' personal data. The data was consequently leaked publicly and broadly distributed via Twitter. The leaked data contained personal information including email addresses and passwords hashed using MD5 without a salt.
- In December 2016, the forum for the Microsoft Excel tips and solutions site Mr Excel suffered a data breach. The hack of the vBulletin forum led to the exposure of over 366k accounts along with email and IP addresses, dates of birth and salted passwords hashed with MD5. The owner of the MrExcel forum subsequently self-submitted the data to HIBP.
- In December 2016, the forum for the biohacking website Biohack.me suffered a data breach that exposed 3.4k accounts. The data included usernames, email addresses and hashed passwords along with the private messages of forum members. The data was self-submitted to HIBP by the Biohack.me operators.
- In late 2016, the fashion gaming website Fashion Fantasy Game suffered a data breach. The incident exposed 2.3 million unique user accounts and corresponding MD5 password hashes with no salt. The data was contributed to Have I Been Pwned courtesy of firstname.lastname@example.org.
- In approximately December 2016, the online service for World of Warcraft private servers Warmane suffered a data breach. The incident exposed over 1.1M accounts including usernames, email addresses, dates of birth and salted MD5 password hashes. The data was subsequently extensively circulated online and was later provided to HIBP by whitehat security researcher and data analyst Adam Davies.
- In late 2016, the online Chinese video service Youku suffered a data breach. The incident exposed 92 million unique user accounts and corresponding MD5 password hashes. The data was contributed to Have I Been Pwned courtesy of email@example.com.
- In November 2016, news broke that hackers were trading hundreds of thousands of xHamster porn account details. In total, the data contained almost 380k unique user records including email addresses, usernames and unsalted MD5 password hashes.
- In approximately November 2016, the search engine optimisation management company RankWatch exposed a Mongo DB with no password publicly whereupon their data was exfiltrated and posted to an online forum. The data contained 7.4 million unique email addresses along with names, employers, phone numbers and job titles in a table called "us_emails".
- In June 2017, news broke that CashCrate had suffered a data breach exposing 6.8 million records. The breach of the cash-for-surveys site dated back to November 2016 and exposed names, physical addresses, email addresses and passwords stored in plain text for older accounts along with weak MD5 hashes for newer ones.
- In October 2016, the Minecraft banning service known as MCBans suffered a data breach resulting in the exposure of 120k unique user records. The data contained email and IP addresses, usernames and password hashes of unknown format. The site was previously reported as compromised on the Vigilante.pw breached database directory.
- In October 2016, the video sharing platform Dailymotion suffered a data breach. The attack led to the exposure of more than 85 million user accounts and included email addresses, usernames and bcrypt hashes of passwords.
- In October 2016, the adult entertainment company Friend Finder Networks suffered a massive data breach. The incident impacted multiple separate online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to be "the world's largest sex & swinger community".
In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password.
- In October 2016, data surfaced that was allegedly obtained from the Chinese website known as GFAN and contained 22.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email and IP addresses, user names and salted and hashed passwords.
- In October 2016, a large Mongo DB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phone numbers.
- In approximately October 2016, the Spanish Pokémon site Pokémon Negro suffered a data breach. The attack resulted in the disclosure of 830k accounts including email and IP addresses along with plain text passwords. Pokémon Negro did not respond when contacted about the breach.
- An alleged breach of the dating website Justdate.com began circulating in approximately September 2016. Comprised of over 24 million records, the data contained various personal attributes such as email addresses, dates of birth and physical locations.