Breached websites & Apps, Information leakages.
A security/data breach is the intentional or unintentional security incident in which information was accessed without authorization. Release of secure or private/confidential information to public can hurt businesses and consumers in a many of ways.
Other reference: security compromise, data leak, information disclosure, information leakage, data spill.
List of all known breaches.
- In June 2016, the "home of competitive Counter Strike" website HLTV was hacked and 611k accounts were exposed. The attack led to the exposure of names, usernames, email addresses and bcrypt hashes of passwords.
- In June 2016, the game development studio Facepunch suffered a data breach that exposed 343k users. The breached data included usernames, email and IP addresses, dates of birth and salted MD5 password hashes. Facepunch advised they were aware of the incident and had notified people at the time. The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies.
- In approximately July 2016, the manga website known as mangafox.me suffered a data breach. The vBulletin based forum exposed 1.3 million accounts including usernames, email and IP addresses, dates of birth and salted MD5 password hashes.
- In June 2016, the Facebook application known as Uiggy was hacked and 4.3M accounts were exposed, 2.7M of which had email addresses against them. The leaked accounts also exposed names, genders and the Facebook ID of the owners.
- In approximately mid-2016, the Italian-based service for creating forums known as ForumCommunity suffered a data breach. The incident impacted over 776k unique email addresses along with usernames and unsalted MD5 password hashes. No response was received from ForumCommunity when contacted.
- In June 2016, the online multiplayer game Evony was hacked and over 29 million unique accounts were exposed. The attack led to the exposure of usernames, email and IP addresses and MD5 hashes of passwords (without salt).
- In May 2015, almost 100k user records were extracted from the Hungarian torrent site known as Teracod. The data was later discovered being torrented itself and included email addresses, passwords, private messages between members and the peering history of IP addresses using the service.
- In July 2016, a tweet was posted with a link to an alleged data breach of BlueSnap, a global payment gateway and merchant account provider. The data contained 324k payment records across 105k unique email addresses and included personal attributes such as name, home address and phone number.
- In May 2016, the the online gaming site Army Force Online suffered a data breach that exposed 1.5M accounts. The breached data was found being regularly traded online and included usernames, email and IP addresses and MD5 passwords.
- In May 2016, the Fur Affinity website for people with an interest in anthropomorphic animal characters (also known as "furries") was hacked. The attack exposed 1.2M email addresses (many accounts had a different "first" and "last" email against them) and hashed passwords.
- In May 2016, the multiplayer server for Minecraft service Shotbow announced they'd suffered a data breach. The incident resulted in the exposure of over 1 million unique email addresses, usernames and salted SHA-256 password hashes.
- Some time prior to May 2016, the forum known as "Rosebutt Board" was hacked and 107k accounts were exposed. The self-described "top one board for anal fisting, prolapse, huge insertions and rosebutt fans" had email and IP addresses, usernames and weakly stored salted MD5 password hashes hacked from the IP.Board based forum.
- In May 2016, the cracking community forum known as Nulled was hacked and 599k user accounts were leaked publicly. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members.
- In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.
- In approximately April 2016, the "marketing automation for agents and professional service providers" company KnownCircle had a large volume of data obtained by an external party. The data belonging to the now defunct service appeared in JSON format and contained gigabytes of data related to the real estate and insurance sectors.
- In approximately April 2016, the gaming website Guns and Robots suffered a data breach resulting in the exposure of 143k unique records. The data contained email and IP addresses, usernames and SHA-1 password hashes. The site was previously reported as compromised on the Vigilante.pw breached database directory.
- In March 2016, the adult website Naughty America was hacked and the data consequently sold online. The breach included data from numerous systems with various personal identity attributes, the largest of which had passwords stored as easily crackable MD5 hashes. There were 1.4 million unique email addresses in the breach.
- In March 2016, the DDoS protection service Staminus was "massively hacked" resulting in an outage of more than 20 hours and the disclosure of customer credentials (with unsalted MD5 hashes), support tickets, credit card numbers and other sensitive data. 27k unique email addresses were found in the data which was subsequently released to the public.
- In March 2016, Polish game developer CD Projekt RED suffered a data breach. The hack of their forum led to the exposure of almost 1.9 million accounts along with usernames, email addresses and salted SHA1 passwords.
- In February 2016, the Russian gaming company Nival was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", Nival was one of several Russian sites in the breach and impacted over 1.5M accounts including sensitive personal information.
- In February 2016, the dating site mate1.com suffered a huge data breach resulting in the disclosure of over 27 million subscribers' information. The data included deeply personal information about their private lives including drug and alcohol habits, incomes levels and sexual fetishes as well as passwords stored in plain text.
- In February 2016, the online trucking simulator mod TruckersMP suffered a data breach which exposed 84k user accounts. In a first for "Have I Been Pwned", the breached data was self-submitted directly by the organisation that was breached itself.
- In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.
- In February 2016, the Slovak torrent tracking site SkTorrent was hacked and over 117k records leaked online. The data dump included usernames, email addresses and passwords stored in plain text.
- In approximately February 2016, data surfaced which was allegedly obtained from V-Tight Gel (vaginal tightening gel). Whilst the data set was titled V-Tight, within there were 50 other (predominantly wellness-related) domain names, most owned by the same entity.
- In February 2016, the music-based rhythm game known as Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.
- In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed. The data included usernames, email and IP addresses along with salted and hashed passwords.
- In early 2016, the forum for the uTorrent BitTorrent client suffered a data breach which came to light later in the year. The database from the IP.Board based forum contained 395k accounts including usernames, email addresses and MD5 password hashes without a salt.