Have I Been Pwned: Pwned websites
source link: https://haveibeenpwned.com/PwnedWebsites
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
123RF
In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com.
Breach date: 22 March 2020
Date added to HIBP: 15 November 2020
Compromised accounts: 8,661,578
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
In approximately 2012, it's alleged that the Chinese email service known as 126 suffered a data breach that impacted 6.4 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 January 2012
Date added to HIBP: 8 October 2016
Compromised accounts: 6,414,191
Compromised data: Email addresses, Passwords
Permalink
17173
In late 2011, a series of data breaches in China affected up to 100 million users, including 7.5 million from the gaming site known as 17173. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains usernames, email addresses and salted MD5 password hashes and was provided with support from dehashed.com. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 28 December 2011
Date added to HIBP: 28 April 2018
Compromised accounts: 7,485,802
Compromised data: Email addresses, Passwords, Usernames
Permalink
2,844 Separate Data Breaches
In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen. Each file contained both an email address and plain text password and were consequently loaded as a single "unverified" data breach.
Breach date: 19 February 2018
Date added to HIBP: 26 February 2018
Compromised accounts: 80,115,532
Compromised data: Email addresses, Passwords
Permalink
500px
In mid-2018, the online photography community 500px suffered a data breach. The incident exposed almost 15 million unique email addresses alongside names, usernames, genders, dates of birth and either an MD5 or bcrypt password hash. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 5 July 2018
Date added to HIBP: 25 March 2019
Compromised accounts: 14,867,999
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Usernames
Permalink
In approximately 2011, it's alleged that the Chinese gaming site known as 7k7k suffered a data breach that impacted 9.1 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains usernames, email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 January 2011
Date added to HIBP: 26 September 2017
Compromised accounts: 9,121,434
Compromised data: Email addresses, Passwords, Usernames
Permalink
In July 2018, the health and fitness service 8fit suffered a data breach. The data subsequently appeared for sale on a dark web marketplace in February 2019 and included over 15M unique email addresses alongside names, genders, IP addresses and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 1 July 2018
Date added to HIBP: 21 March 2019
Compromised accounts: 15,025,407
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords
Permalink
8tracks
In June 2017, the online playlists service known as 8Tracks suffered a data breach which impacted 18 million accounts. In their disclosure, 8Tracks advised that "the vector for the attack was an employee’s GitHub account, which was not secured using two-factor authentication". Salted SHA-1 password hashes for users who didn't sign up with either Google or Facebook authentication were also included. The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies and contained almost 8 million unique email addresses. The complete set of 18M records was later provided by [email protected] and updated in HIBP accordingly.
Breach date: 27 June 2017
Date added to HIBP: 16 February 2018
Compromised accounts: 17,979,961
Compromised data: Email addresses, Passwords
Permalink
AbuseWith.Us
In 2016, the site dedicated to helping people hack email and online gaming accounts known as Abusewith.us suffered multiple data breaches. The site allegedly had an administrator in common with the nefarious LeakedSource site, both of which have since been shut down. The exposed data included more than 1.3 million unique email addresses, often accompanied by usernames, IP addresses and plain text or hashed passwords retrieved from various sources and intended to be used to compromise the victims' accounts.
Breach date: 1 July 2016
Date added to HIBP: 9 October 2017
Compromised accounts: 1,372,550
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Adapt
In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles, contact information and data relating to the employer including organisation description, size and revenue. No response was received from Adapt when contacted.
Breach date: 5 November 2018
Date added to HIBP: 22 November 2018
Compromised accounts: 9,363,740
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Social media profiles
Permalink
Adobe
In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
Breach date: 4 October 2013
Date added to HIBP: 4 December 2013
Compromised accounts: 152,445,165
Compromised data: Email addresses, Password hints, Passwords, Usernames
Permalink
Adult FriendFinder (2015)
In May 2015, the adult hookup site Adult FriendFinder was hacked and nearly 4 million records dumped publicly. The data dump included extremely sensitive personal information about individuals and their relationship statuses and sexual preferences combined with personally identifiable information.
Breach date: 21 May 2015
Date added to HIBP: 22 May 2015
Compromised accounts: 3,867,997
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Races, Relationship statuses, Sexual orientations, Spoken languages, Usernames
Permalink
Adult FriendFinder (2016)
In October 2016, the adult entertainment company Friend Finder Networks suffered a massive data breach. The incident impacted multiple separate online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to be "the world's largest sex & swinger community". Exposed data included usernames, passwords stored as SHA-1 hashes and 170 million unique email addresses. This incident is separate to the 2015 data breach Adult FriendFinder also suffered. The data was provided to HIBP by dehashed.com.
Breach date: 16 October 2016
Date added to HIBP: 6 February 2020
Compromised accounts: 169,746,810
Compromised data: Email addresses, Passwords, Spoken languages, Usernames
Permalink
Adult-FanFiction.Org
In May 2018, the website for sharing adult-orientated works of fiction known as Adult-FanFiction.Org had 186k records exposed in a data breach. The data contained names, email addresses, dates of birth and passwords stored as both MD5 hashes and plain text. AFF did not respond when contacted about the breach and the site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 30 May 2018
Date added to HIBP: 6 August 2018
Compromised accounts: 186,082
Compromised data: Dates of birth, Email addresses, Names, Passwords
Permalink
AerServ
In April 2018, the ad management platform known as AerServ suffered a data breach. Acquired by InMobi earlier in the year, the AerServ breach impacted over 66k unique email addresses and also included contact information and passwords stored as salted SHA-512 hashes. The data was publicly posted to Twitter later in 2018 after which InMobi was notified and advised they were aware of the incident.
Breach date: 1 April 2018
Date added to HIBP: 6 December 2018
Compromised accounts: 66,308
Compromised data: Email addresses, Employers, Job titles, Names, Passwords, Phone numbers, Physical addresses
Permalink
AhaShare.com
In May 2013, the torrent site AhaShare.com suffered a breach which resulted in more than 180k user accounts being published publicly. The breach included a raft of personal information on registered users plus despite assertions of not distributing personally identifiable information, the site also leaked the IP addresses used by the registered identities.
Breach date: 30 May 2013
Date added to HIBP: 6 November 2014
Compromised accounts: 180,468
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Partial dates of birth, Passwords, Usernames, Website activity
Permalink
ai.type
In December 2017, the virtual keyboard application ai.type was found to have left a huge amount of data publicly facing in an unsecured MongoDB instance. Discovered by researchers at The Kromtech Security Center, the 577GB data set included extensive personal information including over 20 million unique email addresses, social media profiles and address book contacts. The email addresses alone were provided to HIBP to enable impacted users to assess their exposure.
Breach date: 5 December 2017
Date added to HIBP: 8 December 2017
Compromised accounts: 20,580,060
Compromised data: Address book contacts, Apps installed on devices, Cellular network names, Dates of birth, Device information, Email addresses, Genders, Geographic locations, IMEI numbers, IMSI numbers, IP addresses, Names, Phone numbers, Profile photos, Social media profiles
Permalink
Aipai.com
In September 2016, data allegedly obtained from the Chinese gaming website known as Aipai.com and containing 6.5M accounts was leaked online. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and MD5 password hashes. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 27 September 2016
Date added to HIBP: 7 November 2016
Compromised accounts: 6,496,778
Compromised data: Email addresses, Passwords
Permalink
Animal Jam
In October 2020, the online game for kids Animal Jam suffered a data breach which was subsequently shared through online hacking communities the following month. The data contained 46 million user accounts with over 7 million unique email addresses. Impacted data also included usernames, IP addresses and for some records, dates of birth (sometimes in partial form), physical addresses, parent names and passwords stored as PBKDF2 hashes.
Breach date: 12 October 2020
Date added to HIBP: 12 November 2020
Compromised accounts: 7,104,998
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Physical addresses, Usernames
Permalink
Anime-Planet
In approximately 2016, the anime website Anime-Planet suffered a data breach that impacted 369k subscribers. The exposed data included usernames, IP and email addresses, dates of birth and passwords stored as unsalted MD5 hashes and for newer accounts, bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 1 January 2016
Date added to HIBP: 28 July 2019
Compromised accounts: 368,507
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Animoto
In July 2018, the cloud-based video making service Animoto suffered a data breach. The breach exposed 22 million unique email addresses alongside names, dates of birth, country of origin and salted password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 10 July 2018
Date added to HIBP: 18 July 2019
Compromised accounts: 22,437,749
Compromised data: Dates of birth, Email addresses, Geographic locations, Names, Passwords
Permalink
Anti Public Combo List
In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.
Breach date: 16 December 2016
Date added to HIBP: 4 May 2017
Compromised accounts: 457,962,538
Compromised data: Email addresses, Passwords
Permalink
Apollo
In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data. The Apollo website has a contact form for those looking to get in touch with the organisation.
Breach date: 23 July 2018
Date added to HIBP: 5 October 2018
Compromised accounts: 125,929,660
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Salutations, Social media profiles
Permalink
Appartoo
In March 2017, the French Flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256 hashes. Appartoo advised that all subscribers were notified of the incident in early 2017.
Breach date: 25 March 2017
Date added to HIBP: 2 May 2019
Compromised accounts: 49,681
Compromised data: Ages, Auth tokens, Email addresses, Employment statuses, Genders, IP addresses, Marital statuses, Names, Passwords, Physical addresses, Private messages, Social media profiles
Permalink
Appen
In June 2020, the AI training data company Appen suffered a data breach exposing the details of almost 5.9 million users which were subsequently sold online. Included in the breach were names, email addresses and passwords stored as bcrypt hashes. Some records also contained phone numbers, employers and IP addresses. The data was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 30 July 2020
Compromised accounts: 5,888,405
Compromised data: Email addresses, Employers, IP addresses, Names, Passwords, Phone numbers
Permalink
Aptoide
In April 2020, the independent Android app store Aptoide suffered a data breach. The incident resulted in the exposure of 20M customer records which were subsequently shared online via a popular hacking forum. Impacted data included email and IP addresses, names, IP addresses and passwords stored as SHA-1 hashes without a salt.
Breach date: 13 April 2020
Date added to HIBP: 19 April 2020
Compromised accounts: 20,012,235
Compromised data: Browser user agent details, Email addresses, IP addresses, Names, Passwords
Permalink
Armor Games
In January 2019, the game portal website website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 1 January 2019
Date added to HIBP: 20 July 2019
Compromised accounts: 10,604,307
Compromised data: Bios, Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Usernames
Permalink
Artvalue
In June 2019, the France-based art valuation website Artvalue.com left their 158k member subscriber base publicly exposed in a text file on their website. The exposed data included names, usernames, email addresses and passwords stored as MD5 hashes. The site operator did not respond when contacted about the incident, although the exposed file was subsequently removed.
Breach date: 19 June 2019
Date added to HIBP: 19 July 2019
Compromised accounts: 157,692
Compromised data: Email addresses, Names, Passwords, Salutations, Usernames
Permalink
Ashley Madison
In July 2015, the infidelity website Ashley Madison suffered a serious data breach. The attackers threatened Ashley Madison with the full disclosure of the breach unless the service was shut down. One month later, the database was dumped including more than 30M unique email addresses. This breach has been classed as "sensitive" and is not publicly searchable, although individuals may discover if they've been impacted by registering for notifications. Read about this approach in detail.
Breach date: 19 July 2015
Date added to HIBP: 18 August 2015
Compromised accounts: 30,811,934
Compromised data: Dates of birth, Email addresses, Ethnicities, Genders, Names, Passwords, Payment histories, Phone numbers, Physical addresses, Security questions and answers, Sexual orientations, Usernames, Website activity
Permalink
Astoria
In January 2021, the lead generation company Astoria Company allegedly suffered a data breach which exposed over 11M unique email addresses. The data was discovered by Night Lion Security and contained an extensive amount of personal information including names, physical and IP addresses, phone numbers and dates of birth. Some records also contained social security numbers, drivers license details, personal financial information and health-related data, depending on where the information was sourced from. When approached by the press, Astoria did not confirm the origin of the breach and it has consequently been flagged as "unverified" in HIBP.
Breach date: 26 January 2021
Date added to HIBP: 24 March 2021
Compromised accounts: 11,498,146
Compromised data: Bank account numbers, Credit status information, Dates of birth, Email addresses, Employers, Health insurance information, Income levels, IP addresses, Names, Personal health data, Phone numbers, Physical addresses, Smoking habits, Social security numbers
Permalink
Astropid
In December 2013, the vBulletin forum for the social engineering site known as "AstroPID" was breached and leaked publicly. The site provided tips on fraudulently obtaining goods and services, often by providing a legitimate "PID" or Product Information Description. The breach resulted in nearly 6k user accounts and over 220k private messages between forum members being exposed.
Breach date: 19 December 2013
Date added to HIBP: 6 July 2014
Compromised accounts: 5,788
Compromised data: Email addresses, Instant messenger identities, IP addresses, Names, Passwords, Private messages, Usernames, Website activity
Permalink
B2B USA Businesses
In mid-2017, a spam list of over 105 million individuals in corporate America was discovered online. Referred to as "B2B USA Businesses", the list categorised email addresses by employer, providing information on individuals' job titles plus their work phone numbers and physical addresses. Read more about spam lists in HIBP.
Breach date: 18 July 2017
Date added to HIBP: 18 July 2017
Compromised accounts: 105,059,554
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
Baby Names
In approximately 2008, the site to help parents name their children known as Baby Names suffered a data breach. The incident exposed 846k email addresses and passwords stored as salted MD5 hashes. When contacted in October 2018, Baby Names advised that "the breach happened at least ten years ago" and that members were notified at the time.
Breach date: 24 October 2008
Date added to HIBP: 24 October 2018
Compromised accounts: 846,742
Compromised data: Email addresses, Passwords
Permalink
Badoo
In June 2016, a data breach allegedly originating from the social website Badoo was found to be circulating amongst traders. Likely obtained several years earlier, the data contained 112 million unique email addresses with personal data including names, birthdates and passwords stored as MD5 hashes. Whilst there are many indicators suggesting Badoo did indeed suffer a data breach, the legitimacy of the data could not be emphatically proven so this breach has been categorised as "unverified".
Breach date: 1 June 2013
Date added to HIBP: 6 July 2016
Compromised accounts: 112,005,531
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Usernames
Permalink
Beautiful People
In November 2015, the dating website Beautiful People was hacked and over 1.1M accounts were leaked. The data was being traded in underground circles and included a huge amount of personal information related to dating.
Breach date: 11 November 2015
Date added to HIBP: 25 April 2016
Compromised accounts: 1,100,089
Compromised data: Beauty ratings, Car ownership statuses, Dates of birth, Drinking habits, Education levels, Email addresses, Genders, Geographic locations, Home ownership statuses, Income levels, IP addresses, Job titles, Names, Passwords, Personal descriptions, Personal interests, Physical attributes, Sexual orientations, Smoking habits, Website activity
Permalink
Bell (2014 breach)
In February 2014, Bell Canada suffered a data breach via the hacker collective known as NullCrew. The breach included data from multiple locations within Bell and exposed email addresses, usernames, user preferences and a number of unencrypted passwords and credit card data from 40,000 records containing just over 20,000 unique email addresses and usernames.
Breach date: 1 February 2014
Date added to HIBP: 1 February 2014
Compromised accounts: 20,902
Compromised data: Credit cards, Genders, Passwords, Usernames
Permalink
Bell (2017 breach)
In May 2017, the Bell telecommunications company in Canada suffered a data breach resulting in the exposure of millions of customer records. The data was consequently leaked online with a message from the attacker stating that they were "releasing a significant portion of Bell.ca's data due to the fact that they have failed to cooperate with us" and included a threat to leak more. The impacted data included over 2 million unique email addresses and 153k survey results dating back to 2011 and 2012. There were also 162 Bell employee records with more comprehensive personal data including names, phone numbers and plain text "passcodes". Bell suffered another breach in 2014 which exposed 40k records.
Breach date: 15 May 2017
Date added to HIBP: 16 May 2017
Compromised accounts: 2,231,256
Compromised data: Email addresses, Geographic locations, IP addresses, Job titles, Names, Passwords, Phone numbers, Spoken languages, Survey results, Usernames
Permalink
Bestialitysextaboo
In March 2018, the animal bestiality website known as Bestialitysextaboo was hacked. A collection of various sites running on the same service were also compromised and details of the hack (including links to the data) were posted on a popular forum. In all, more than 3.2k unique email addresses were included alongside usernames, IP addresses, dates of birth, genders and bcrypt hashes of passwords.
Breach date: 19 March 2018
Date added to HIBP: 29 March 2018
Compromised accounts: 3,204
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Private messages, Usernames
Permalink
BigMoneyJobs
In April 2014, the job site bigmoneyjobs.com was hacked by an attacker known as "ProbablyOnion". The attack resulted in the exposure of over 36,000 user accounts including email addresses, usernames and passwords which were stored in plain text. The attack was allegedly mounted by exploiting a SQL injection vulnerability.
Breach date: 3 April 2014
Date added to HIBP: 8 April 2014
Compromised accounts: 36,789
Compromised data: Career levels, Education levels, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations, User website URLs, Website activity
Permalink
Bin Weevils
In September 2014, the online game Bin Weevils suffered a data breach. Whilst originally stating that only usernames and passwords had been exposed, a subsequent story on DataBreaches.net indicated that a more extensive set of personal attributes were impacted (comments there also suggest the data may have come from a later breach). Data matching that pattern was later provided to Have I Been Pwned by @akshayindia6 and included almost 1.3m unique email addresses, genders, ages and plain text passwords.
Breach date: 1 September 2014
Date added to HIBP: 18 August 2017
Compromised accounts: 1,287,073
Compromised data: Ages, Email addresses, Genders, IP addresses, Passwords, Usernames
Permalink
Bitcoin Security Forum Gmail Dump
In September 2014, a large dump of nearly 5M usernames and passwords was posted to a Russian Bitcoin forum. Whilst commonly reported as 5M "Gmail passwords", the dump also contained 123k yandex.ru addresses. Whilst the origin of the breach remains unclear, the breached credentials were confirmed by multiple source as correct, albeit a number of years old.
Breach date: 9 January 2014
Date added to HIBP: 10 September 2014
Compromised accounts: 4,789,599
Compromised data: Email addresses, Passwords
Permalink
Bitcoin Talk
In May 2015, the Bitcoin forum Bitcoin Talk was hacked and over 500k unique email addresses were exposed. The attack led to the exposure of a raft of personal data including usernames, email and IP addresses, genders, birth dates, security questions and MD5 hashes of their answers plus hashes of the passwords themselves.
Breach date: 22 May 2015
Date added to HIBP: 27 March 2017
Compromised accounts: 501,407
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Passwords, Security questions and answers, Usernames, Website activity
Permalink
Black Hat World
In June 2014, the search engine optimisation forum Black Hat World had three quarters of a million accounts breached from their system. The breach included various personally identifiable attributes which were publicly released in a MySQL database script.
Breach date: 23 June 2014
Date added to HIBP: 3 November 2015
Compromised accounts: 777,387
Compromised data: Dates of birth, Email addresses, Instant messenger identities, IP addresses, Passwords, Usernames, Website activity
Permalink
BlackSpigotMC
In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself. The exposed data included 140k unique email addresses, usernames, IP addresses, genders, geographic locations and passwords stored as bcrypt hashes.
Breach date: 14 July 2019
Date added to HIBP: 17 July 2019
Compromised accounts: 140,029
Compromised data: Device information, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Usernames
Permalink
BlankMediaGames
In December 2018, the Town of Salem website produced by BlankMediaGames suffered a data breach. Reported to HIBP by DeHashed, the data contained 7.6M unique user email addresses alongside usernames, IP addresses, purchase histories and passwords stored as phpass hashes. DeHashed made multiple attempts to contact BlankMediaGames over various channels and many days but had yet to receive a response at the time of publishing.
Breach date: 28 December 2018
Date added to HIBP: 2 January 2019
Compromised accounts: 7,633,234
Compromised data: Browser user agent details, Email addresses, IP addresses, Passwords, Purchases, Usernames, Website activity
Permalink
In approximately March 2017, the file sharing website Bolt suffered a data breach resulting in the exposure of 995k unique user records. The data was sourced from their vBulletin forum and contained email and IP addresses, usernames and salted MD5 password hashes. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 1 March 2017
Date added to HIBP: 24 November 2017
Compromised accounts: 995,274
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Bonobos
In August 2020, the clothing store Bonobos suffered a data breach that exposed almost 70GB of data containing 2.8 million unique email addresses. The breach also exposed names, physical and IP addresses, phone numbers, order histories and passwords stored as salted SHA-512 hashes, including historical passwords. The breach also exposed partial credit card data including card type, the name on the card, expiry date and the last 4 digits of the card. The data was provided to HIBP by dehashed.com.
Breach date: 14 August 2020
Date added to HIBP: 31 January 2021
Compromised accounts: 2,811,929
Compromised data: Email addresses, Historical passwords, IP addresses, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Bookmate
In mid-2018, the social ebook subscription service Bookmate was among a raft of sites that were breached and their data then sold in early-2019. The data included almost 4 million unique email addresses alongside names, genders, dates of birth and passwords stored as salted SHA-512 hashes. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 8 July 2018
Date added to HIBP: 22 March 2019
Compromised accounts: 3,830,916
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Usernames
Permalink
Boxee
In March 2014, the home theatre PC software maker Boxee had their forums compromised in an attack. The attackers obtained the entire vBulletin MySQL database and promptly posted it for download on the Boxee forum itself. The data included 160k users, password histories, private messages and a variety of other data exposed across nearly 200 publicly exposed tables.
Breach date: 29 March 2014
Date added to HIBP: 30 March 2014
Compromised accounts: 158,093
Compromised data: Dates of birth, Email addresses, Geographic locations, Historical passwords, Instant messenger identities, IP addresses, Passwords, Private messages, User website URLs, Usernames
Permalink
BtoBet
In December 2019, a large collection of data from Nigerian gambling company Surebet247 was sent to HIBP. Alongside the Surebet247, database backups from gambling sites BetAlfa, BetWay, BongoBongo and TopBet was also included. Further investigation implicated betting platform provider BtoBet as being the common source of the data. Impacted data included user records and extensive information on gambling histories.
Breach date: 26 December 2019
Date added to HIBP: 11 January 2020
Compromised accounts: 444,241
Compromised data: Dates of birth, Email addresses, Financial transactions, Geographic locations, IP addresses, Names, Usernames
Permalink
Bukalapak
In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes. The data was provided to HIBP by a source who requested it to be attributed to "Maxime Thalet".
Breach date: 23 October 2017
Date added to HIBP: 18 April 2019
Compromised accounts: 13,369,666
Compromised data: Email addresses, IP addresses, Names, Passwords, Usernames
Permalink
Bulgarian National Revenue Agency
In July 2019, a massive data breach of the Bulgarian National Revenue Agency began circulating with data on 5 million people. Allegedly obtained in June, the data was broadly shared online and included taxation information alongside names, phone numbers, physical addresses and 471 thousand unique email addresses. The breach is said to have affected "nearly all adults in Bulgaria".
Breach date: 15 July 2019
Date added to HIBP: 18 July 2019
Compromised accounts: 471,167
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Taxation records
Permalink
CafePress
In February 2019, the custom merchandise retailer CafePress suffered a data breach. The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 20 February 2019
Date added to HIBP: 5 August 2019
Compromised accounts: 23,205,290
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Cannabis.com
In February 2014, the vBulletin forum for the Marijuana site cannabis.com was breached and leaked publicly. Whilst there has been no public attribution of the breach, the leaked data included over 227k accounts and nearly 10k private messages between users of the forum.
Breach date: 5 February 2014
Date added to HIBP: 1 June 2014
Compromised accounts: 227,746
Compromised data: Dates of birth, Email addresses, Geographic locations, Historical passwords, Instant messenger identities, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
Canva
In May 2019, the graphic design tool website Canva suffered a data breach that impacted 137 million subscribers. The exposed data included email addresses, usernames, names, cities of residence and passwords stored as bcrypt hashes for users not using social logins. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 24 May 2019
Date added to HIBP: 9 August 2019
Compromised accounts: 137,272,116
Compromised data: Email addresses, Geographic locations, Names, Passwords, Usernames
Permalink
Chatbooks
In March 2020, the photo print service Chatbooks suffered a data breach which was subsequently put up for sale on a dark web marketplace. The breach contained 15 million user records with 2.5 million unique email addresses alongside names, phone numbers, social media profiles and salted SHA-512 password hashes. The data was provided to HIBP by dehashed.com.
Breach date: 26 March 2020
Date added to HIBP: 29 July 2020
Compromised accounts: 2,520,441
Compromised data: Email addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
Chegg
In April 2018, the textbook rental service Chegg suffered a data breach that impacted 40 million subscribers. The exposed data included email addresses, usernames, names and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 28 April 2018
Date added to HIBP: 16 August 2019
Compromised accounts: 39,721,127
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Cit0day
In November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day were made available for download on several hacking forums. The data consisted of 226M unique email address alongside password pairs, often represented as both password hashes and the cracked, plain text versions. Independent verification of the data established it contains many legitimate, previously undisclosed breaches. The data was provided to HIBP by dehashed.com.
Breach date: 4 November 2020
Date added to HIBP: 19 November 2020
Compromised accounts: 226,883,414
Compromised data: Email addresses, Passwords
Permalink
Civil Online
In mid-2011, data was allegedly obtained from the Chinese engineering website known as Civil Online and contained 7.8M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email and IP addresses, user names and MD5 password hashes. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 10 July 2011
Date added to HIBP: 7 November 2016
Compromised accounts: 7,830,195
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
ClixSense
In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records. The leaked data was extensive and included names, physical, email and IP addresses, genders and birth dates, account balances and passwords stored as plain text.
Breach date: 4 September 2016
Date added to HIBP: 11 September 2016
Compromised accounts: 2,424,784
Compromised data: Account balances, Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Payment histories, Payment methods, Physical addresses, Usernames, Website activity
Permalink
CloudPets
In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands). 583k records were provided to HIBP via a data trader and included email addresses and bcrypt hashes, but the full extent of user data exposed by the system was over 821k records and also included children's names and references to portrait photos and voice recordings.
Breach date: 1 January 2017
Date added to HIBP: 27 February 2017
Compromised accounts: 583,503
Compromised data: Email addresses, Family members' names, Passwords
Permalink
Club Penguin Rewritten (January 2018)
In January 2018, the children's gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach (note: CPRewritten is an independent recreation of Disney's Club Penguin game). The incident exposed almost 1.7 million unique email addresses alongside IP addresses, usernames and passwords stored as bcrypt hashes. When contacted, CPRewritten advised they were aware of the breach and had "contacted affected users".
Breach date: 21 January 2018
Date added to HIBP: 23 April 2019
Compromised accounts: 1,688,176
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Club Penguin Rewritten (July 2019)
In July 2019, the children's gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach (note: CPRewritten is an independent recreation of Disney's Club Penguin game). In addition to an earlier data breach that impacted 1.7 million accounts, the subsequent breach exposed 4 million unique email addresses alongside IP addresses, usernames and passwords stored as bcrypt hashes.
Breach date: 27 July 2019
Date added to HIBP: 30 July 2019
Compromised accounts: 4,007,909
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Coinmama
In August 2017, the crypto coin brokerage service Coinmama suffered a data breach that impacted 479k subscribers. The breach was discovered in February 2019 with exposed data including email addresses, usernames and passwords stored as MD5 WordPress hashes. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies.
Breach date: 3 August 2017
Date added to HIBP: 30 August 2019
Compromised accounts: 478,824
Compromised data: Email addresses, Passwords, Usernames
Permalink
Collection #1
In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.
Breach date: 7 January 2019
Date added to HIBP: 16 January 2019
Compromised accounts: 772,904,991
Compromised data: Email addresses, Passwords
Permalink
COMELEC (Philippines Voters)
In March 2016, the Philippines Commission of Elections website (COMELEC) was attacked and defaced, allegedly by Anonymous Philippines. Shortly after, data on 55 million Filipino voters was leaked publicly and included sensitive information such as genders, marital statuses, height and weight and biometric fingerprint data. The breach only included 228k email addresses.
Breach date: 27 March 2016
Date added to HIBP: 14 April 2016
Compromised accounts: 228,605
Compromised data: Biometric data, Dates of birth, Email addresses, Family members' names, Genders, Job titles, Marital statuses, Names, Passport numbers, Phone numbers, Physical addresses, Physical attributes
Permalink
Coupon Mom / Armor Games
In 2014, a file allegedly containing data hacked from Coupon Mom was created and included 11 million email addresses and plain text passwords. On further investigation, the file was also found to contain data indicating it had been sourced from Armor Games. Subsequent verification with HIBP subscribers confirmed the passwords had previously been used and many subscribers had used either Coupon Mom or Armor Games in the past. On disclosure to both organisations, each found that the data did not represent their entire customer base and possibly includes records from other sources with common subscribers. The breach has subsequently been flagged as "unverified" as the source cannot be emphatically proven. In July 2020, the data was also found to contain BeerAdvocate accounts sourced from a previously unknown breach.
Breach date: 8 February 2014
Date added to HIBP: 9 November 2017
Compromised accounts: 11,010,525
Compromised data: Email addresses, Passwords
Permalink
Covve
In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. Later identified as originating from the Covve contacts app, the exposed data included extensive personal information and interactions between Covve users and their contacts. The data was provided to HIBP by dehashed.com.
Breach date: 20 February 2020
Date added to HIBP: 15 May 2020
Compromised accounts: 22,802,117
Compromised data: Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles
Permalink
Cracked.to
In July 2019, the hacking website Cracked.to suffered a data breach. There were 749k unique email addresses spread across 321k forum users and other tables in the database. A rival hacking website claimed responsibility for breaching the MyBB based forum which disclosed email and IP addresses, usernames, private messages and passwords stored as bcrypt hashes.
Breach date: 21 July 2019
Date added to HIBP: 12 August 2019
Compromised accounts: 749,161
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
Creative
In May 2018, the forum for Singaporean hardware company Creative Technology suffered a data breach which resulted in the disclosure of 483k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes. After being notified of the incident, Creative permanently shut down the forum.
Breach date: 1 May 2018
Date added to HIBP: 7 June 2018
Compromised accounts: 483,015
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
DailyObjects
In approximately January 2018, a collection of more than 464k customer records from the Indian online retailer DailyObjects were leaked online. The data included names, physical and email addresses, phone numbers and "pincodes" stored in plain text. After multiple attempts to contact them, DailyObjects responded and received a copy of the data for verification, however failed to respond to multiple contact attempts following that.
Breach date: 1 January 2018
Date added to HIBP: 28 January 2020
Compromised accounts: 464,260
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
DaniWeb
In late 2015, the technology and social site DaniWeb suffered a data breach. The attack resulted in the disclosure of 1.1 million accounts including email and IP addresses which were also accompanied by salted MD5 hashes of passwords. However, DaniWeb have advised that "the breached password hashes and salts are incorrect" and that they have since switched to new infrastructure and software.
Breach date: 1 December 2015
Date added to HIBP: 28 December 2016
Compromised accounts: 1,131,636
Compromised data: Email addresses, IP addresses, Passwords
Permalink
Data & Leads
In November 2018, security researcher Bob Diachenko identified an unprotected database believed to be hosted by a data aggregator. Upon further investigation, the data was linked to marketing company Data & Leads. The exposed Elasticsearch instance contained over 44M unique email addresses along with names, IP and physical addresses, phone numbers and employment information. No response was received from Data & Leads when contacted by Bob and their site subsequently went offline.
Breach date: 14 November 2018
Date added to HIBP: 28 November 2018
Compromised accounts: 44,320,330
Compromised data: Email addresses, Employers, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Permalink
Data Enrichment Exposure From PDL Customer
In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 billion records of personal data. The exposed data included an index indicating it was sourced from data enrichment company People Data Labs (PDL) and contained 622 million unique email addresses. The server was not owned by PDL and it's believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data.
Breach date: 16 October 2019
Date added to HIBP: 22 November 2019
Compromised accounts: 622,161,052
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Social media profiles
Permalink
Data Enrichment Records
In December 2016, more than 200 million "data enrichment profiles" were found for sale on the darknet. The seller claimed the data was sourced from Experian and whilst that claim was rejected by the company, the data itself was found to be legitimate suggesting it may have been sourced from other legitimate locations. In total, there were more than 8 million unique email addresses in the data which also contained a raft of other personal attributes including credit ratings, home ownership status, family structure and other fields described in the story linked to above. The email addresses alone were provided to HIBP.
Breach date: 23 December 2016
Date added to HIBP: 8 June 2017
Compromised accounts: 8,176,132
Compromised data: Buying preferences, Charitable donations, Credit status information, Dates of birth, Email addresses, Family structure, Financial investments, Home ownership statuses, Income levels, Job titles, Marital statuses, Names, Net worths, Phone numbers, Physical addresses, Political donations
Permalink
DataCamp
In December 2018, the data science website DataCamp suffered a data breach of records dating back to January 2017. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 30 January 2017
Date added to HIBP: 9 April 2019
Compromised accounts: 760,561
Compromised data: Email addresses, Geographic locations, IP addresses, Names, Passwords
Permalink
In June 2020, the digital banking app Dave suffered a data breach which exposed 7.5 million rows of data and subsequently appeared for public download on a hacking forum. The breach exposed extensive personal information including almost 3 million unique email addresses alongside names, dates of birth, encrypted social security numbers and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 28 June 2020
Date added to HIBP: 27 July 2020
Compromised accounts: 2,964,182
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Social security numbers
Permalink
diet.com
In August 2014, the diet and nutrition website diet.com suffered a data breach resulting in the exposure of 1.4 million unique user records dating back as far as 2004. The data contained email and IP addresses, usernames, plain text passwords and dietary information about the site members including eating habits, BMI and birth date. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 10 August 2014
Date added to HIBP: 13 October 2017
Compromised accounts: 1,383,759
Compromised data: Dates of birth, Eating habits, Email addresses, IP addresses, Names, Passwords, Physical attributes, Usernames
Permalink
Digimon
In September 2016, over 16GB of logs from a service indicated to be digimon.co.in were obtained, most likely from an unprotected Mongo DB instance. The service ceased running shortly afterwards and no information remains about the precise nature of it. Based on enquiries made via Twitter, it appears to have been a mail service possibly based on PowerMTA and used for delivering spam. The logs contained information including 7.7M unique email recipients (names and addresses), mail server IP addresses, email subjects and tracking information including mail opens and clicks.
Breach date: 5 September 2016
Date added to HIBP: 28 September 2018
Compromised accounts: 7,687,679
Compromised data: Email addresses, Email messages, IP addresses, Names
Permalink
Disqus
In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced. The breach contained over 17.5 million unique email addresses and usernames. Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.
Breach date: 1 July 2012
Date added to HIBP: 6 October 2017
Compromised accounts: 17,551,044
Compromised data: Email addresses, Passwords, Usernames
Permalink
DLH.net
In July 2016, the gaming news site DLH.net suffered a data breach which exposed 3.3M subscriber identities. Along with the keys used to redeem and activate games on the Steam platform, the breach also resulted in the exposure of email addresses, birth dates and salted MD5 password hashes. The data was donated to Have I Been Pwned by data breach monitoring service Vigilante.pw.
Breach date: 31 July 2016
Date added to HIBP: 7 September 2016
Compromised accounts: 3,264,710
Compromised data: Dates of birth, Email addresses, Names, Passwords, Usernames, Website activity
Permalink
Dodonew.com
In late 2011, data was allegedly obtained from the Chinese website known as Dodonew.com and contained 8.7M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and user names. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 December 2011
Date added to HIBP: 10 November 2016
Compromised accounts: 8,718,404
Compromised data: Email addresses, Usernames
Permalink
Domino's
In June 2014, Domino's Pizza in France and Belgium was hacked by a group going by the name "Rex Mundi" and their customer data held to ransom. Domino's refused to pay the ransom and six months later, the attackers released the data along with troves of other hacked accounts. Amongst the customer data was passwords stored with a weak MD5 hashing algorithm and no salt.
Breach date: 13 June 2014
Date added to HIBP: 4 January 2015
Compromised accounts: 648,231
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Drizly
In approximately July 2020, the US-based online alcohol delivery service Drizly suffered a data breach. The data was sold online before being extensively redistributed and contained 2.5 million unique email addresses alongside names, physical and IP addresses, phone numbers, dates of birth and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 2 July 2020
Date added to HIBP: 28 July 2020
Compromised accounts: 2,479,044
Compromised data: Dates of birth, Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Dubsmash
In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 1 December 2018
Date added to HIBP: 25 February 2019
Compromised accounts: 161,749,950
Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers, Spoken languages, Usernames
Permalink
Dueling Network
In March 2017, the Flash game based on the Yu-Gi-Oh trading card game Dueling Network suffered a data breach. The site itself was taken offline in 2016 due to a cease-and-desist order but the forum remained online for another year. The data breach exposed usernames, IP and email addresses and passwords stored as MD5 hashes. The data was provided to HIBP by a source who requested it be attributed to "burger vault".
Breach date: 29 March 2017
Date added to HIBP: 30 March 2020
Compromised accounts: 6,486,626
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Dunzo
In approximately June 2019, the Indian delivery service Dunzo suffered a data breach. Exposing 3.5 million unique email addresses, the Dunzo breach also included names, phone numbers and IP addresses which were all broadly distributed online via a hacking forum. The data was provided to HIBP by dehashed.com.
Breach date: 19 June 2020
Date added to HIBP: 29 July 2020
Compromised accounts: 3,465,259
Compromised data: Device information, Email addresses, Geographic locations, IP addresses, Names, Phone numbers
Permalink
Duowan.com
In approximately 2011, data was allegedly obtained from the Chinese gaming website known as Duowan.com and contained 2.6M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses, user names and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 January 2011
Date added to HIBP: 7 November 2016
Compromised accounts: 2,639,894
Compromised data: Email addresses, Passwords, Usernames
Permalink
EatStreet
In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 3 May 2019
Date added to HIBP: 19 July 2019
Compromised accounts: 6,353,564
Compromised data: Dates of birth, Email addresses, Genders, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses, Social media profiles
Permalink
Edmodo
In May 2017, the education platform Edmodo was hacked resulting in the exposure of 77 million records comprised of over 43 million unique customer email addresses. The data was consequently published to a popular hacking forum and made freely available. The records in the breach included usernames, email addresses and bcrypt hashes of passwords.
Breach date: 11 May 2017
Date added to HIBP: 1 June 2017
Compromised accounts: 43,423,561
Compromised data: Email addresses, Passwords, Usernames
Permalink
Elanic
In January 2020, the Indian fashion marketplace Elanic had 2.8M records with 2.3M unique email addresses posted publicly to a popular hacking forum. Elanic confirmed that they had "verified the data and it was pulled from one of our test servers where this data was exposed publicly" and that the data was "old" (the hacking forum reported it as being from 2016-2018). When asked about disclosure to impacted customers, Elanic advised that they had "decided to not have as such any communication and public disclosure".
Breach date: 1 January 2018
Date added to HIBP: 4 May 2020
Compromised accounts: 2,325,283
Compromised data: Email addresses, Geographic locations, Usernames
Permalink
Elasticsearch Instance of Sales Leads on AWS
In October 2018, security researcher Bob Diachenko identified multiple exposed databases with hundreds of millions of records. One of those datasets was an Elasticsearch instance on AWS containing sales lead data and 5.8M unique email addresses. The data contained information relating to individuals and the companies they worked for including their names, email addresses and company name and contact information. Despite best efforts, it was not possible to identify the owner of the data hence this breach as been titled "Elasticsearch Sales Leads".
Breach date: 29 October 2018
Date added to HIBP: 17 November 2018
Compromised accounts: 5,788,169
Compromised data: Email addresses, Employers, Names, Physical addresses
Permalink
EpicBot
In September 2019, the RuneScape bot provider EpicBot suffered a data breach that impacted 817k subscribers. Data from the breach was subsequently shared on a popular hacking forum and included usernames, email and IP addresses and passwords stored as either salted MD5 or bcrypt hashes. EpicBot did not respond when contacted about the incident.
Breach date: 1 September 2019
Date added to HIBP: 19 November 2019
Compromised accounts: 816,662
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Eroticy
In mid-2016, it's alleged that the adult website known as Eroticy was hacked. Almost 1.4 million unique accounts were found circulating in late 2016 which contained a raft of personal information ranging from email addresses to phone numbers to plain text passwords. Whilst many HIBP subscribers confirmed their data was legitimate, the actual source of the breach remains inconclusive. A detailed account of the data has been published in the hope of identifying the origin of the breach.
Breach date: 1 June 2015
Date added to HIBP: 10 January 2017
Compromised accounts: 1,370,175
Compromised data: Email addresses, IP addresses, Names, Passwords, Payment histories, Phone numbers, Physical addresses, Usernames, Website activity
Permalink
Estonian Citizens (via Estonian Cybercrime Bureau)
In June 2018, the Cybercrime Bureau of the Estonian Central Criminal Police contacted HIBP and asked for assistance in making a data set of 655k email addresses searchable. The Estonian police suspected the email addresses and passwords they obtained were being used to access mailboxes, cryptocurrency exchanges, cloud service accounts and other similar online assets. They've requested that individuals who find themselves in the data set and also identify that cryptocurrency has been stolen contact them at [email protected].
Breach date: 7 June 2018
Date added to HIBP: 11 June 2018
Compromised accounts: 655,161
Compromised data: Email addresses, Passwords
Permalink
eThekwini Municipality
In September 2016, the new eThekwini eServices website in South Africa was launched with a number of security holes that lead to the leak of over 98k residents' personal information and utility bills across 82k unique email addresses. Emails were sent prior to launch containing passwords in plain text and the site allowed anyone to download utility bills without sufficient authentication. Various methods of customer data enumeration was possible and phishing attacks began appearing the day after launch.
Breach date: 7 September 2016
Date added to HIBP: 15 September 2016
Compromised accounts: 81,830
Compromised data: Dates of birth, Deceased date, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Passwords, Phone numbers, Physical addresses, Utility bills
Permalink
Ethereum
In December 2016, the forum for the public blockchain-based distributed computing platform Ethereum suffered a data breach. The database contained over 16k unique email addresses along with IP addresses, private forum messages and (mostly) bcrypt hashed passwords. Ethereum elected to self-submit the data to HIBP, providing the service with a list of email addresses impacted by the incident.
Breach date: 16 December 2016
Date added to HIBP: 20 December 2016
Compromised accounts: 16,431
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
europa.jobs
In August 2019, the now defunct European jobs website europa.jobs (Google cache link) suffered a data breach. The incident exposed 226k unique email addresses alongside extensive personal information including names, dates of birth, job applications and passwords. The data was subsequently redistributed on a popular hacking forum.
Breach date: 11 August 2019
Date added to HIBP: 15 January 2020
Compromised accounts: 226,095
Compromised data: Dates of birth, Email addresses, Geographic locations, Job applications, Names, Passwords, Phone numbers, Spoken languages
Permalink
Evermotion
In May 2015, the Polish 3D modelling website known as Evermotion suffered a data breach resulting in the exposure of 435k unique user records. The data was sourced from a vBulletin forum and contained email addresses, usernames, dates of birth and salted MD5 hashes of passwords. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 7 May 2015
Date added to HIBP: 2 July 2017
Compromised accounts: 435,510
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
Evite
In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 11 August 2013
Date added to HIBP: 14 July 2019
Compromised accounts: 100,985,047
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses
Permalink
Exactis
In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Breach date: 1 June 2018
Date added to HIBP: 25 July 2018
Compromised accounts: 131,577,763
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
Permalink
Experian (2015)
In September 2015, the US based credit bureau and consumer data broker Experian suffered a data breach that impacted 15 million customers who had applied for financing from T-Mobile. An alleged data breach was subsequently circulated containing personal information including names, physical and email addresses, birth dates and various other personal attributes. Multiple Have I Been Pwned subscribers verified portions of the data as being accurate, but the actual source of it was inconclusive therefor this breach has been flagged as "unverified".
Breach date: 16 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 7,196,890
Compromised data: Credit status information, Dates of birth, Email addresses, Ethnicities, Family structure, Genders, Home ownership statuses, Income levels, IP addresses, Names, Phone numbers, Physical addresses, Purchasing habits
Permalink
Experian (South Africa)
In August 2020, Experian South Africa suffered a data breach which exposed the personal information of tens of millions of individuals. Only 1.3M of the records contained email addresses, whilst most contained government issued identity numbers, names, addresses, occupations and employers, amongst other person information.
Breach date: 19 August 2020
Date added to HIBP: 1 September 2020
Compromised accounts: 1,284,637
Compromised data: Email addresses, Employers, Government issued IDs, Names, Occupations, Phone numbers
Permalink
Exploit.In
In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.
Breach date: 13 October 2016
Date added to HIBP: 6 May 2017
Compromised accounts: 593,427,119
Compromised data: Email addresses, Passwords
Permalink
EyeEm
In February 2018, photography website EyeEm suffered a data breach. The breach was identified among a collection of other large incidents and exposed almost 20M unique email addresses, names, usernames, bios and password hashes. The data was provided to HIBP by a source who asked for it to be attributed to "Kuroi'sh or Gabriel Kimiaie-Asadi Bildstein".
Breach date: 28 February 2018
Date added to HIBP: 16 February 2019
Compromised accounts: 19,611,022
Compromised data: Bios, Email addresses, Names, Passwords, Usernames
Permalink
In April 2021, a large data set of 533 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address. Most records contained names and genders with many also including dates of birth, location, relationship status and employer.
Breach date: 1 August 2019
Date added to HIBP: 4 April 2021
Compromised accounts: 2,529,621
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, Names, Phone numbers, Relationship statuses
Permalink
Facepunch
In June 2016, the game development studio Facepunch suffered a data breach that exposed 343k users. The breached data included usernames, email and IP addresses, dates of birth and salted MD5 password hashes. Facepunch advised they were aware of the incident and had notified people at the time. The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies.
Breach date: 3 June 2016
Date added to HIBP: 17 October 2018
Compromised accounts: 342,913
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
FaceUP
In 2013, the Danish social media site FaceUP suffered a data breach. The incident exposed 87k unique email addresses alongside genders, dates of birth, names, phone numbers and passwords stored as unsalted MD5 hashes. When notified of the incident, FaceUP advised they had identified a SQL injection vulnerability at the time and forced password resets on impacted customers.
Breach date: 1 January 2013
Date added to HIBP: 13 January 2019
Compromised accounts: 87,633
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Usernames
Permalink
Factual
In March 2017, a file containing 8M rows of data allegedly sourced from data aggregator Factual was compiled and later exchanged on the premise it was a "breach". The data contained 2.5M unique email addresses alongside business names, addresses and phone numbers. After consultation with Factual, they advised the data was "publicly available information about businesses and other points of interest that Factual makes available on its website and to customers".
Breach date: 22 March 2017
Date added to HIBP: 24 December 2019
Compromised accounts: 2,461,696
Compromised data: Email addresses, Employers, Phone numbers, Physical addresses
Permalink
Fashion Nexus
In July 2018, UK-based ecommerce company Fashion Nexus suffered a data breach which exposed 1.4 million records. Multiple websites developed by sister company White Room Solutions were impacted in the breach amongst which were sites including Jaded London and AX Paris. The various sites exposed in the incident included a range of different data types including names, phone numbers, addresses and passwords stored as a mix of salted MD5 and SHA-1 as well as unsalted MD5 passwords. When asked by reporter Graham Cluley if a public statement on the incident was available, a one-word response of "No" was received.
Breach date: 9 July 2018
Date added to HIBP: 31 July 2018
Compromised accounts: 1,279,263
Compromised data: Browser user agent details, Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Flash Flash Revolution (2019 breach)
In July 2019, the music-based rhythm game Flash Flash Revolution suffered a data breach. The 2019 breach imapcted almost 1.9 million members and is in addition to the 2016 data breach of the same service. Email and IP addesses, usernames, dates of birth and salted MD5 hashes were all exposed in the breach. The data was provided with support from dehashed.com.
Breach date: 16 July 2019
Date added to HIBP: 21 July 2019
Compromised accounts: 1,858,124
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Flashback
In February 2015, the Swedish forum known as Flashback had sensitive internal data on 40k members published via the tabloid newspaper Aftonbladet. The data was allegedly sold to them via Researchgruppen (The Research Group) who have a history of exposing otherwise anonymous users, primarily those who they believe participate in "troll like" behaviour. The compromised data includes social security numbers, home and email addresses.
Breach date: 11 February 2015
Date added to HIBP: 12 February 2015
Compromised accounts: 40,256
Compromised data: Email addresses, Government issued IDs, Physical addresses
Permalink
Fling
In 2011, the self-proclaimed "World's Best Adult Social Network" website known as Fling was hacked and more than 40 million accounts obtained by the attacker. The breached data included highly sensitive personal attributes such as sexual orientation and sexual interests as well as email addresses and passwords stored in plain text.
Breach date: 10 March 2011
Date added to HIBP: 28 May 2016
Compromised accounts: 40,767,652
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Phone numbers, Sexual fetishes, Sexual orientations, Usernames, Website activity
Permalink
Florida Virtual School
In March 2018, the Florida Virtual School (FLVS) posted a data breach notification to their website. The school had identified a data breach which had occurred sometime between 6 May 2016 and 12 Feb 2018 and an XML file containing 368k student records was subsequently found circulating. Each record contained student name, date of birth, password, grade, email and parent email resulting in a total of 543k unique email addresses. Due to the prevalence of email addresses belonging to individuals who are still legally children, the data breach has been flagged as "sensitive".
Breach date: 12 February 2018
Date added to HIBP: 18 March 2018
Compromised accounts: 542,902
Compromised data: Dates of birth, Email addresses, Names, Passwords, School grades (class levels), Usernames
Permalink
Foodora
In April 2016, the online food delivery service Foodora suffered a data breach which was then extensively redistributed online. The breach included the personal information of hundreds of thousands of customers from multiple countries including their names, delivery addresses, phone numbers and passwords stored as either a salted MD5 or a bcrypt hash.
Breach date: 22 April 2016
Date added to HIBP: 16 June 2020
Compromised accounts: 582,578
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Foxy Bingo
In April 2007, the online gambling site Foxy Bingo was hacked and 252,000 accounts were obtained by the hackers. The breached records were subsequently sold and traded and included personal information data such as plain text passwords, birth dates and home addresses.
Breach date: 4 April 2008
Date added to HIBP: 22 November 2015
Compromised accounts: 252,216
Compromised data: Account balances, Browser user agent details, Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Usernames, Website activity
Permalink
Freedom Hosting II
In January 2017, the free hidden service host Freedom Hosting II suffered a data breach. The attack allegedly took down 20% of dark web sites running behind Tor hidden services with the attacker claiming that of the 10,613 impacted sites, more than 50% of the content was child pornography. The hack led to the exposure of MySQL databases for the sites which included a vast amount of information on the hidden services Freedom Hosting II was managing. The impacted data classes far exceeds those listed for the breach and differ between the thousands of impacted sites.
Breach date: 31 January 2017
Date added to HIBP: 5 February 2017
Compromised accounts: 380,830
Compromised data: Email addresses, Passwords, Usernames
Permalink
FreshMenu
In July 2016, the India-based food delivery service FreshMenu suffered a data breach. The incident exposed the personal data of over 110k customers and included their names, email addresses, phone numbers, home addresses and order histories. When advised of the incident, FreshMenu acknowledged being already aware of the breach but stated they had decided not to notify impacted customers.
Breach date: 1 July 2016
Date added to HIBP: 10 September 2018
Compromised accounts: 110,355
Compromised data: Device information, Email addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Fridae
In May 2014, over 25,000 user accounts were breached from the Asian lesbian, gay, bisexual and transgender website known as "Fridae". The attack which was announced on Twitter appears to have been orchestrated by Deletesec who claim that "Digital weapons shall annihilate all secrecy within governments and corporations". The exposed data included password stored in plain text.
Breach date: 2 May 2014
Date added to HIBP: 6 May 2014
Compromised accounts: 35,368
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Funny Games
In April 2018, the online entertainment site Funny Games suffered a data breach that disclosed 764k records including usernames, email and IP addresses and salted MD5 password hashes. The incident was disclosed to Funny Games in July who acknowledged the breach and identified it had been caused by legacy code no longer in use. The record count in the breach constitute approximately half of the user base.
Breach date: 28 April 2018
Date added to HIBP: 24 July 2018
Compromised accounts: 764,357
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Gaadi
In May 2015, the Indian motoring website known as Gaadi had 4.3 million records exposed in a data breach. The data contained usernames, email and IP addresses, genders, the city of users as well as passwords stored in both plain text and as MD5 hashes. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 14 May 2015
Date added to HIBP: 1 July 2018
Compromised accounts: 4,261,179
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Usernames
Permalink
In February 2021, the alt-tech social network service Gab suffered a data breach. The incident exposed almost 70GB of data including 4M user accounts, a small number of private chat logs and a list of public groups and public posts made to the service. Only a small number of accounts included email addresses and / or passwords stored as bcrypt hashes with a total of 66.5k unique email addresses being exposed across the corpus of data.
Breach date: 26 February 2021
Date added to HIBP: 3 March 2021
Compromised accounts: 66,521
Compromised data: Avatars, Email addresses, Names, Passwords, Private messages, Usernames
Permalink
GameSalad
In February 2019, the education and game creation website Game Salad suffered a data breach. The incident impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored as SHA-256 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 24 February 2019
Date added to HIBP: 21 July 2019
Compromised accounts: 1,506,242
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Gawker
In December 2010, Gawker was attacked by the hacker collective "Gnosis" in retaliation for what was reported to be a feud between Gawker and 4Chan. Information about Gawkers 1.3M users was published along with the data from Gawker's other web presences including Gizmodo and Lifehacker. Due to the prevalence of password reuse, many victims of the breach then had their Twitter accounts compromised to send Acai berry spam.
Breach date: 11 December 2010
Date added to HIBP: 4 December 2013
Compromised accounts: 1,247,574
Compromised data: Email addresses, Passwords, Usernames
Permalink
Ge.tt
In May 2017, the file sharing platform Ge.tt suffered a data breach. The data was subsequently put up for sale on a dark web marketplace in February 2019 alongside a raft of other breaches. The Ge.tt breach included names, social media profile identifiers, SHA256 password hashes and almost 2.5M unique email addresses. The data was provided to HIBP by a source who requested it be attributed to BreachDirectory.
Breach date: 4 May 2017
Date added to HIBP: 16 February 2021
Compromised accounts: 2,481,121
Compromised data: Email addresses, Names, Passwords, Social media profiles
Permalink
GeekedIn
In August 2016, the technology recruitment site GeekedIn left a MongoDB database exposed and over 8M records were extracted by an unknown third party. The breached data was originally scraped from GitHub in violation of their terms of use and contained information exposed in public profiles, including over 1 million members' email addresses. Full details on the incident (including how impacted members can see their leaked data) are covered in the blog post on 8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours.
Breach date: 15 August 2016
Date added to HIBP: 17 November 2016
Compromised accounts: 1,073,164
Compromised data: Email addresses, Geographic locations, Names, Professional skills, Usernames, Years of professional experience
Permalink
In October 2016, data surfaced that was allegedly obtained from the Chinese website known as GFAN and contained 22.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email and IP addresses, user names and salted and hashed passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 10 October 2016
Date added to HIBP: 10 October 2016
Compromised accounts: 22,526,334
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Go Games
In approximately October 2015, the manga website Go Games suffered a data breach. The exposed data included 3.4M customer records including email and IP addresses, usernames and passwords stored as salted MD5 hashes. Go Games did not respond when contacted about the incident. The data was provided to HIBP by dehashed.com.
Breach date: 24 October 2015
Date added to HIBP: 11 January 2020
Compromised accounts: 3,430,083
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
GoldSilver
In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers. An extensive amount of personal information on customers was obtained including names, addresses, phone numbers, purchases and passwords and answers to security questions stored as MD5 hashes. In a small number of cases, passport, social security numbers and partial credit card data was also exposed. The data breach and source code belonging to GoldSilver was publicly posted on a dark web service where it remained months later. When notified about the incident, GoldSilver advised that "all affected customers have been directly notified".
Breach date: 21 October 2018
Date added to HIBP: 27 December 2018
Compromised accounts: 242,715
Compromised data: Bank account numbers, Email addresses, IP addresses, Names, Partial credit card data, Passport numbers, Phone numbers, Physical addresses, Purchases, Security questions and answers, Social security numbers
Permalink
gPotato
In July 2007, the multiplayer game portal known as gPotato (link to archive of the site at that time) suffered a data breach and over 2 million user accounts were exposed. The site later merged into the Webzen portal where the original accounts still exist today. The exposed data included usernames, email and IP addresses, MD5 hashes and personal attributes such as gender, birth date, physical address and security questions and answers stored in plain text.
Breach date: 12 July 2007
Date added to HIBP: 24 September 2016
Compromised accounts: 2,136,520
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Physical addresses, Security questions and answers, Usernames, Website activity
Permalink
Guns and Robots
In approximately April 2016, the gaming website Guns and Robots suffered a data breach resulting in the exposure of 143k unique records. The data contained email and IP addresses, usernames and SHA-1 password hashes. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 1 April 2016
Date added to HIBP: 14 February 2018
Compromised accounts: 143,569
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
hackforums.net
In June 2011, the hacktivist group known as "LulzSec" leaked one final large data breach they titled "50 days of lulz". The compromised data came from sources such as AT&T, Battlefield Heroes and the hackforums.net website. The leaked Hack Forums data included credentials and personal information of nearly 200,000 registered forum users.
Breach date: 25 June 2011
Date added to HIBP: 11 May 2014
Compromised accounts: 191,540
Compromised data: Dates of birth, Email addresses, Instant messenger identities, IP addresses, Passwords, Social connections, Spoken languages, Time zones, User website URLs, Usernames, Website activity
Permalink
Havenly
In June 2020, the interior design website Havenly suffered a data breach which impacted almost 1.4 million members of the service. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes, all of which was subsequently shared extensively throughout online hacking communities. The data was provided to HIBP by dehashed.com.
Breach date: 25 June 2020
Date added to HIBP: 1 August 2020
Compromised accounts: 1,369,180
Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers
Permalink
Health Now Networks
In March 2017, the telemarketing service Health Now Networks left a database containing hundreds of thousands of medical records exposed. There were over 900,000 records in total containing significant volumes of personal information including names, dates of birth, various medical conditions and operator notes on the individuals' health. The data included over 320k unique email addresses.
Breach date: 25 March 2017
Date added to HIBP: 7 April 2017
Compromised accounts: 321,920
Compromised data: Dates of birth, Email addresses, Genders, Health insurance information, IP addresses, Names, Personal health data, Phone numbers, Physical addresses, Security questions and answers, Social connections
Permalink
Hemmakväll
In July 2015, the Swedish video store chain Hemmakväll was hacked and nearly 50k records dumped publicly. The disclosed data included various attributes of their customers including email and physical addresses, names and phone numbers. Passwords were also leaked, stored with a weak MD5 hashing algorithm.
Breach date: 8 July 2015
Date added to HIBP: 9 July 2015
Compromised accounts: 47,297
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
HiAPK
In approximately 2014, it's alleged that the Chinese Android store known as HIAPK suffered a data breach that impacted 13.8 million unique subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains usernames, email addresses and salted MD5 password hashes and was provided to HIBP by white hat security researcher and data analyst Adam Davies. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 January 2014
Date added to HIBP: 1 April 2018
Compromised accounts: 13,873,674
Compromised data: Email addresses, Passwords, Usernames
Permalink
Home Chef
In early 2020, the food delivery service Home Chef suffered a data breach which was subsequently sold online. The breach exposed the personal information of almost 9 million customers including names, IP addresses, post codes, the last 4 digits of credit card numbers and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 10 February 2020
Date added to HIBP: 13 November 2020
Compromised accounts: 8,815,692
Compromised data: Email addresses, Geographic locations, IP addresses, Names, Partial credit card data, Passwords, Phone numbers
Permalink
Hookers.nl
In October 2019, the Dutch prostitution forum Hookers.nl suffered a data breach which exposed the personal information of sex workers and their customers. The IP and email addresses, usernames and either bcrypt or salted MD5 password hashes of 291k members were accessed via an unpatched vulnerability in the vBulletin forum software.
Breach date: 10 October 2019
Date added to HIBP: 23 October 2019
Compromised accounts: 290,955
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Houzz
In mid-2018, the housing design website Houzz suffered a data breach. The company learned of the incident later that year then disclosed it to impacted members in February 2019. Almost 49 million unique email addresses were in the breach alongside names, IP addresses, geographic locations and either salted hashes of passwords or links to social media profiles used to authenticate to the service. The data was provided to HIBP by dehashed.com.
Breach date: 23 May 2018
Date added to HIBP: 12 March 2019
Compromised accounts: 48,881,308
Compromised data: Email addresses, Geographic locations, IP addresses, Names, Passwords, Social media profiles, Usernames
Permalink
HTC Mania
In January 2020, the Spanish mobile phone forum HTC Mania suffered a data breach of the vBulletin based site. The incident exposed 1.5M member email addresses, usernames, IP addresses, dates of birth and salted MD5 password hashes and password histories. Data from the breach was subsequently redistributed on popular hacking websites.
Breach date: 4 January 2020
Date added to HIBP: 6 April 2020
Compromised accounts: 1,488,089
Compromised data: Dates of birth, Email addresses, Historical passwords, IP addresses, Passwords, Usernames
Permalink
HTH Studios
In August 2018, the adult furry interactive game creator HTH Studios suffered a data breach impacting multiple repositories of customer data. Several months later, the data surfaced on a popular hacking forum and included 411k unique email addresses along with physical and IP addresses, names, orders, salted SHA-1 and salted MD5 hashes. HTH Studios is aware of the incident.
Breach date: 24 August 2018
Date added to HIBP: 20 November 2018
Compromised accounts: 411,755
Compromised data: Browser user agent details, Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Purchases, Usernames
Permalink
Hub4Tech
On an unknown date in approximately 2017, the Indian training and assessment service known as Hub4Tech suffered a data breach via a SQL injection attack. The incident exposed almost 37k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Hub4Tech when contacted about the incident.
Breach date: 1 January 2017
Date added to HIBP: 9 December 2018
Compromised accounts: 36,916
Compromised data: Email addresses, Passwords
Permalink
In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.
Breach date: 14 March 2019
Date added to HIBP: 27 July 2020
Compromised accounts: 20,727,771
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
i-Dressup
In June 2016, the teen social site known as i-Dressup was hacked and over 2 million user accounts were exposed. At the time the hack was reported, the i-Dressup operators were not contactable and the underlying SQL injection flaw remained open, allegedly exposing a total of 5.5 million accounts. The breach included email addresses and passwords stored in plain text.
Breach date: 15 July 2016
Date added to HIBP: 26 September 2016
Compromised accounts: 2,191,565
Compromised data: Email addresses, Passwords
Permalink
imgur
In September 2013, the online image sharing community imgur suffered a data breach. A selection of the data containing 1.7 million email addresses and passwords surfaced more than 4 years later in November 2017. Although imgur stored passwords as SHA-256 hashes, the data in the breach contained plain text passwords suggesting that many of the original hashes had been cracked. imgur advises that they rolled over to bcrypt hashes in 2016.
Breach date: 1 September 2013
Date added to HIBP: 25 November 2017
Compromised accounts: 1,749,806
Compromised data: Email addresses, Passwords
Permalink
iPmart
During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 368k accounts were added to "Have I Been Pwned" in March 2016 bringing the total to over 2.4M.
Breach date: 1 July 2015
Date added to HIBP: 23 February 2016
Compromised accounts: 2,460,787
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
ixigo
In January 2019, the travel and hotel booking site ixigo suffered a data breach. The data appeared for sale on a dark web marketplace the following month and included over 17M unique email addresses alongside names, genders, phone numbers, connections to Facebook profiles and passwords stored as MD5 hashes. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 3 January 2019
Date added to HIBP: 17 March 2019
Compromised accounts: 17,204,697
Compromised data: Auth tokens, Device information, Email addresses, Genders, Names, Passwords, Phone numbers, Salutations, Social media profiles, Usernames
Permalink
JobStreet
In October 2017, the Malaysian website lowyat.net ran a story on a massive set of breached data affecting millions of Malaysians after someone posted it for sale on their forums. The data spanned multiple separate breaches including the JobStreet jobs website which contained almost 4 million unique email addresses. The dates in the breach indicate the incident occurred in March 2012. The data later appeared freely downloadable on a Tor hidden service and contained extensive information on job seekers including names, genders, birth dates, phone numbers, physical addresses and passwords.
Breach date: 7 March 2012
Date added to HIBP: 30 October 2017
Compromised accounts: 3,883,455
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Marital statuses, Names, Nationalities, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
JoomlArt
In January 2018, the Joomla template website JoomlArt inadvertently exposed more than 22k unique customer records in a Jira ticket. The exposed data was from iJoomla and JomSocial, both services that JoomlArt acquired the previous year. The data included usernames, email addresses, purchases and passwords stored as MD5 hashes. When contacted, JoomlArt advised they were aware of the incident and had previously notified impacted parties.
Breach date: 30 January 2018
Date added to HIBP: 1 November 2018
Compromised accounts: 22,477
Compromised data: Email addresses, Names, Passwords, Payment histories, Usernames
Permalink
Justdate.com
An alleged breach of the dating website Justdate.com began circulating in approximately September 2016. Comprised of over 24 million records, the data contained various personal attributes such as email addresses, dates of birth and physical locations. However, upon verification with HIBP subscribers, only a fraction of the data was found to be accurate and no account owners recalled using the Justdate.com service. This breach has consequently been flagged as fabricated; it's highly unlikely the data was sourced from Justdate.com.
Breach date: 29 September 2016
Date added to HIBP: 7 February 2017
Compromised accounts: 24,451,312
Compromised data: Dates of birth, Email addresses, Geographic locations, Names
Permalink
Kayo.moe Credential Stuffing List
In September 2018, a collection of almost 42 million email address and plain text password pairs was uploaded to the anonymous file sharing service kayo.moe. The operator of the service contacted HIBP to report the data which, upon further investigation, turned out to be a large credential stuffing list. For more information, read about The 42M Record kayo.moe Credential Stuffing Data.
Breach date: 11 September 2018
Date added to HIBP: 13 September 2018
Compromised accounts: 41,826,763
Compromised data: Email addresses, Passwords
Permalink
KM.RU
In February 2016, the Russian portal and email service KM.RU was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", KM.RU was one of several Russian sites in the breach and impacted almost 1.5M accounts including sensitive personal information.
Breach date: 29 February 2016
Date added to HIBP: 3 March 2016
Compromised accounts: 1,476,783
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Recovery email addresses, Security questions and answers, Usernames
Permalink
KnownCircle
In approximately April 2016, the "marketing automation for agents and professional service providers" company KnownCircle had a large volume of data obtained by an external party. The data belonging to the now defunct service appeared in JSON format and contained gigabytes of data related to the real estate and insurance sectors. The personal data in the breach appears to have primarily been used for marketing purposes, including logs of emails sent and tracking of gift cards. A small number of passwords for KnownCircle staff were also present and were stored as bcrypt hashes.
Breach date: 12 April 2016
Date added to HIBP: 17 November 2018
Compromised accounts: 1,957,600
Compromised data: Email addresses, Email messages, Genders, Names, Passwords, Phone numbers, Physical addresses
Permalink
Kreditplus
In June 2020, the Indonesian credit service Kreditplus suffered a data breach which exposed 896k records containing 769k unique email addresses. The breach exposed extensive personal information including names, family makeup, information on spouses, income and expenses, religions and employment information. The data was provided to HIBP by breachbase.pw.
Breach date: 23 June 2020
Date added to HIBP: 3 August 2020
Compromised accounts: 768,890
Compromised data: Dates of birth, Email addresses, Employers, Family structure, Genders, Income levels, Living costs, Marital statuses, Mothers maiden names, Names, Phone numbers, Physical addresses, Places of birth, Religions, Spouses names
Permalink
Lanwar
In July 2018, staff of the Lanwar gaming site discovered a data breach they believe dates back to sometime over the previous several months. The data contained 45k names, email addresses, usernames and plain text passwords. A Lanwar staff member self-submitted the breach to HIBP and has also contacted the relevant authorities about the incident after identifying a phishing attempt to extort Bitcoin from a user.
Breach date: 28 July 2018
Date added to HIBP: 8 August 2018
Compromised accounts: 45,120
Compromised data: Email addresses, Names, Passwords, Physical addresses, Usernames
Permalink
Last.fm
In March 2012, the music website Last.fm was hacked and 43 million user accounts were exposed. Whilst Last.fm knew of an incident back in 2012, the scale of the hack was not known until the data was released publicly in September 2016. The breach included 37 million unique email addresses, usernames and passwords stored as unsalted MD5 hashes.
Breach date: 22 March 2012
Date added to HIBP: 20 September 2016
Compromised accounts: 37,217,682
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Lazada RedMart
In October 2020, news broke of Lazada RedMart data breach containing records as recent as July 2020 and being sold via an online marketplace. In all, the data contained 1.1 million customer email addresses alongside names, phone numbers, physical addresses, partial credit card numbers and passwords stored as SHA-1 hashes.
Breach date: 30 July 2020
Date added to HIBP: 10 November 2020
Compromised accounts: 1,107,789
Compromised data: Email addresses, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses
Permalink
Lead Hunter
In March 2020, a massive trove of personal information referred to as "Lead Hunter" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. The data contained 69 million unique email addresses across 110 million rows of data accompanied by additional personal information including names, phone numbers, genders and physical addresses. At the time of publishing, the breach could not be attributed to those responsible for obtaining and exposing it. The data was provided to HIBP by dehashed.com.
Breach date: 4 March 2020
Date added to HIBP: 3 June 2020
Compromised accounts: 68,693,853
Compromised data: Email addresses, Genders, IP addresses, Names, Phone numbers, Physical addresses
Permalink
League of Legends
In June 2012, the multiplayer online game League of Legends suffered a data breach. At the time, the service had more than 32 million registered accounts and the breach affected various personal data attributes including "encrypted" passwords. In 2018, a 339k record subset of the data emerged with email addresses, usernames and plain text passwords, likely cracked from the original cryptographically protected ones.
Breach date: 11 June 2012
Date added to HIBP: 28 July 2018
Compromised accounts: 339,487
Compromised data: Email addresses, Passwords, Usernames
Permalink
In August 2016, the service for creating and running Pocket Minecraft edition servers known as Leet was reported as having suffered a data breach that impacted 6 million subscribers. The incident reported by Softpedia had allegedly taken place earlier in the year, although the data set sent to HIBP was dated as recently as early September but contained only 2 million subscribers. The data included usernames, email and IP addresses and SHA512 hashes. A further 3 million accounts were obtained and added to HIBP several days after the initial data was loaded bringing the total to over 5 million.
Breach date: 10 September 2016
Date added to HIBP: 30 September 2016
Compromised accounts: 5,081,689
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Light's Hope
In June 2018, the World of Warcraft service Light's Hope suffered a data breach which they subsequently self-submitted to HIBP. Over 30K unique users were impacted and their exposed data included email addresses, dates of birth, private messages and passwords stored as bcrypt hashes.
Breach date: 25 June 2018
Date added to HIBP: 4 July 2018
Compromised accounts: 30,484
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Private messages, Usernames
Permalink
Liker
In March 2021, the self-proclaimed "kinder, smarter social network" Liker suffered a data breach, allegedly in retaliation for the Gab data breach and scraping of data from Parler. The site remained offline after the breach which exposed 465k email addresses in addition to names, dates of birth, education levels, private messages, security questions and answers in plain text, passwords stored as bcrypt hashes and other personal data attributes. Liker did not respond when contacted about the breach.
Breach date: 8 March 2021
Date added to HIBP: 13 March 2021
Compromised accounts: 465,141
Compromised data: Auth tokens, Dates of birth, Education levels, Email addresses, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Private messages, Security questions and answers, Social media profiles, Usernames
Permalink
Linux Forums
In May 2018, the Linux Forums website suffered a data breach which resulted in the disclosure of 276k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes. Linux Forums did not respond to multiple attempts to contact them about the breach.
Breach date: 1 May 2018
Date added to HIBP: 7 June 2018
Compromised accounts: 275,785
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Linux Mint
In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.
Breach date: 21 February 2016
Date added to HIBP: 22 February 2016
Compromised accounts: 144,989
Compromised data: Avatars, Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Time zones, Website activity
Permalink
LiveAuctioneers
In June 2020, the online antiques marketplace LiveAuctioneers suffered a data breach which was subsequently sold online then extensively redistributed in the hacking community. The data contained 3.4 million records including names, email and IP addresses, physical addresses, phones numbers and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by breachbase.pw.
Breach date: 19 June 2020
Date added to HIBP: 22 August 2020
Compromised accounts: 3,385,862
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
LiveJournal
In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth beginning in 2018, a fork of LiveJournal with a significant crossover in user base. The breach allegedly dates back to 2017 and contains 26M unique usernames and email addresses (both of which have been confirmed to exist on LiveJournal) alongside plain text passwords. An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 1 January 2017
Date added to HIBP: 26 May 2020
Compromised accounts: 26,372,781
Compromised data: Email addresses, Passwords, Usernames
Permalink
Lizard Squad
In January 2015, the hacker collective known as "Lizard Squad" created a DDoS service by the name of "Lizard Stresser" which could be procured to mount attacks against online targets. Shortly thereafter, the service suffered a data breach which resulted in the public disclosure of over 13k user accounts including passwords stored in plain text.
Breach date: 16 January 2015
Date added to HIBP: 18 January 2015
Compromised accounts: 13,451
Compromised data: Email addresses, Passwords, Usernames
Permalink
Lumin PDF
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance after which Lumin PDF was allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 1 April 2019
Date added to HIBP: 18 September 2019
Compromised accounts: 15,453,048
Compromised data: Auth tokens, Email addresses, Genders, Names, Passwords, Spoken languages, Usernames
Permalink
Mac Forums
In July 2016, the self-proclaimed "Ultimate Source For Your Mac" website Mac Forums suffered a data breach. The vBulletin-based system exposed over 326k usernames, email and IP addresses, dates of birth and passwords stored as salted MD5 hashes. The data was later discovered being traded on a popular hacking forum. Mac Forums did not respond when contacted about the incident via their contact us form.
Breach date: 3 July 2016
Date added to HIBP: 29 October 2018
Compromised accounts: 326,714
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
mail.ru Dump
In September 2014, several large dumps of user accounts appeared on the Russian Bitcoin Security Forum including one with nearly 5M email addresses and passwords, predominantly on the mail.ru domain. Whilst unlikely to be the result of a direct attack against mail.ru, the credentials were confirmed by many as legitimate for other services they had subscribed to. Further data allegedly valid for mail.ru and containing email addresses and plain text passwords was added in January 2018 bringing to total to more than 16M records. The incident was also then flagged as "unverified", a concept that was introduced after the initial data load in 2014.
Breach date: 10 September 2014
Date added to HIBP: 12 September 2014
Compromised accounts: 16,630,988
Compromised data: Email addresses, Passwords
Permalink
MALL.cz
In July 2017, the Czech Republic e-commerce site MALL.cz suffered a data breach after which 735k unique accounts including email addresses, names, phone numbers and passwords were later posted online. Whilst passwords were stored as hashes, a number of different algorithms of varying strength were used over time. All passwords included in the publicly distributed data were in plain text and were likely just those that had been successfully cracked (members with strong passwords don't appear to be included). According to MALL.cz, the breach only impacted accounts created before 2015.
Breach date: 27 July 2017
Date added to HIBP: 4 September 2017
Compromised accounts: 735,405
Compromised data: Email addresses, Names, Passwords, Phone numbers
Permalink
Mappery
In December 2018, the mapping website Mappery suffered a data breach that exposed over 205k unique email addresses. The incident also exposed usernames, the geographic location of the user and passwords stored as unsalted SHA-1 hashes. No response was received from Mappery when contacted about the incident.
Breach date: 11 December 2018
Date added to HIBP: 18 December 2018
Compromised accounts: 205,242
Compromised data: Email addresses, Geographic locations, Passwords, Usernames
Permalink
Mashable
In approximately mid-2020, Mashable suffered a data breach that subsequently turned up publicly in November 2020. The data included 1.4 million unique email addresses along with names, genders, expired auth tokens, physical locations, links to social media profiles and days and months of birth. The data was provided to HIBP by dehashed.com.
Breach date: 1 June 2020
Date added to HIBP: 10 November 2020
Compromised accounts: 1,414,677
Compromised data: Auth tokens, Email addresses, Genders, Geographic locations, IP addresses, Names, Partial dates of birth, Social media profiles
Permalink
Master Deeds
In March 2017, a 27GB database backup file named "Master Deeds" was sent to HIBP by a supporter of the project. Upon detailed analysis later that year, the file was found to contain the personal data of tens of millions of living and deceased South African residents. The data included extensive personal attributes such as names, addresses, ethnicities, genders, birth dates, government issued personal identification numbers and 2.2 million email addresses. At the time of publishing, it's alleged the data was sourced from Dracore Data Sciences (Dracore is yet to publicly confirm or deny the data was sourced from their systems). On 18 October 2017, the file was found to have been published to a publicly accessible web server where it was located at the root of an IP address with directory listing enabled. The file was dated 8 April 2015.
Breach date: 14 March 2017
Date added to HIBP: 18 October 2017
Compromised accounts: 2,257,930
Compromised data: Dates of birth, Deceased statuses, Email addresses, Employers, Ethnicities, Genders, Government issued IDs, Home ownership statuses, Job titles, Names, Nationalities, Phone numbers, Physical addresses
Permalink
Mastercard Priceless Specials
In August 2019, the German Mastercard bonus program "Priceless Specials" suffered a data breach. Personal data on almost 90k program members was subsequently extensively circulated online and included names, email and IP addresses, phone numbers and partial credit card data. Following the incident, the program was subsequently suspended.
Breach date: 20 August 2019
Date added to HIBP: 1 September 2019
Compromised accounts: 89,388
Compromised data: Email addresses, IP addresses, Names, Partial credit card data, Phone numbers, Salutations
Permalink
Mate1.com
In February 2016, the dating site mate1.com suffered a huge data breach resulting in the disclosure of over 27 million subscribers' information. The data included deeply personal information about their private lives including drug and alcohol habits, incomes levels and sexual fetishes as well as passwords stored in plain text.
Breach date: 29 February 2016
Date added to HIBP: 14 April 2016
Compromised accounts: 27,393,015
Compromised data: Astrological signs, Dates of birth, Drinking habits, Drug habits, Education levels, Email addresses, Ethnicities, Fitness levels, Genders, Geographic locations, Income levels, Job titles, Names, Parenting plans, Passwords, Personal descriptions, Physical attributes, Political views, Relationship statuses, Religions, Sexual fetishes, Travel habits, Usernames, Website activity, Work habits
Permalink
MCBans
In October 2016, the Minecraft banning service known as MCBans suffered a data breach resulting in the exposure of 120k unique user records. The data contained email and IP addresses, usernames and password hashes of unknown format. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 27 October 2016
Date added to HIBP: 23 July 2017
Compromised accounts: 119,948
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
In August 2016, the Swiss scholarly open access publisher known as MDPI had 17.5GB of data obtained from an unprotected Mongo DB instance. The data contained email exchanges between MDPI and their authors and reviewers which included 845k unique email addresses. MDPI have confirmed that the system has since been protected and that no data of a sensitive nature was impacted. As such, they concluded that notification to their subscribers was not necessary due to the fact that all their authors and reviewers are available online on their website.
Breach date: 30 August 2016
Date added to HIBP: 25 March 2018
Compromised accounts: 845,012
Compromised data: Email addresses, Email messages, IP addresses, Names
Permalink
MeetMindful
In early 2020, the online dating service MeetMindful suffered a data breach that exposed 1.4 million unique customer email addresses. Included in the data was an extensive array of personal information used to find romantic matches including physical attributes, use of alcohol, drugs and cigarettes, marital statuses, birthdates, genders and the gender being sought. Additional personal information such as names, geographical locations and IP addresses were also exposed, along with passwords stored as bcrypt hashes.
Breach date: 26 January 2020
Date added to HIBP: 31 January 2021
Compromised accounts: 1,422,717
Compromised data: Dates of birth, Drinking habits, Drug habits, Email addresses, Genders, Geographic locations, IP addresses, Marital statuses, Names, Passwords, Physical attributes, Religions, Sexual orientations, Smoking habits, Social media profiles, Usernames
Permalink
MGM Resorts
In July 2019, MGM Resorts discovered a data breach of one of their cloud services. The breach included 10.6M guest records with 3.1M unique email addresses stemming back to 2017. The exposed data included email and physical addresses, names, phone numbers and dates of birth and was subsequently shared on a popular hacking forum in February 2020 where it was extensively redistributed. The data was provided to HIBP by Under The Breach.
Breach date: 25 July 2019
Date added to HIBP: 20 February 2020
Compromised accounts: 3,081,321
Compromised data: Dates of birth, Email addresses, Names, Phone numbers, Physical addresses
Permalink
Minefield
In June 2015, the French Minecraft server known as Minefield was hacked and 188k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Breach date: 28 June 2015
Date added to HIBP: 9 March 2016
Compromised accounts: 188,343
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Minehut
In May 2019, the Minecraft server website Minehut suffered a data breach. The company advised a database backup had been obtained after which they subsequently notified all impacted users. 397k email addresses from the incident were provided to HIBP. A data set with both email addresses and bcrypt password hashes was also later provided to HIBP.
Breach date: 17 May 2019
Date added to HIBP: 17 September 2019
Compromised accounts: 396,533
Compromised data: Email addresses, Passwords
Permalink
Minted
In May 2020, the online marketplace for independent artists Minted suffered a data breach that exposed 4.4M unique customer records subsequently sold on a dark web marketplace. Exposed data also included names, physical addresses, phone numbers and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 6 May 2020
Date added to HIBP: 3 November 2020
Compromised accounts: 4,418,182
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Modern Business Solutions
In October 2016, a large Mongo DB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phone numbers. The data was subsequently attributed to "Modern Business Solutions", a company that provides data storage and database hosting solutions. They've yet to acknowledge the incident or explain how they came to be in possession of the data.
Breach date: 8 October 2016
Date added to HIBP: 12 October 2016
Compromised accounts: 58,843,488
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Permalink
Mortal Online
In June 2018, the massively multiplayer online role-playing game (MMORPG) Mortal Online suffered a data breach. A file containing 570k email addresses and cracked passwords was subsequently distributed online. A larger more complete file containing 607k email addresses with original unsalted MD5 password hashes along with names, usernames and physical addresses was later provided and the original breach in HIBP was updated accordingly. The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies.
Breach date: 17 June 2018
Date added to HIBP: 31 August 2018
Compromised accounts: 606,637
Compromised data: Email addresses, Names, Passwords, Physical addresses, Usernames
Permalink
MrExcel
In December 2016, the forum for the Microsoft Excel tips and solutions site Mr Excel suffered a data breach. The hack of the vBulletin forum led to the exposure of over 366k accounts along with email and IP addresses, dates of birth and salted passwords hashed with MD5. The owner of the MrExcel forum subsequently self-submitted the data to HIBP.
Breach date: 5 December 2016
Date added to HIBP: 22 January 2017
Compromised accounts: 366,140
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Social connections, Usernames, Website activity
Permalink
Muslim Directory
In February 2014, the UK guide to services and business known as the Muslim Directory was attacked by the hacker known as @th3inf1d3l. The data was consequently dumped publicly and included the web accounts of tens of thousands of users which contained data including their names, home address, age group, email, website activity and password in plain text.
Breach date: 17 February 2014
Date added to HIBP: 23 February 2014
Compromised accounts: 37,784
Compromised data: Age groups, Email addresses, Employers, Names, Passwords, Phone numbers, Physical addresses, Website activity
Permalink
MyFHA
In approximately February 2015, the home financing website MyFHA suffered a data breach which disclosed the personal information of nearly 1 million people. The data included extensive personal information relating to home financing including personal contact info, credit statuses, household incomes, loan amounts and notes on personal circumstances, often referring to legal issues, divorces and health conditions. Multiple parties contacted HIBP with the data after which MyFHA was alerted in mid-July and acknowledged the legitimacy of the breach then took the site offline.
Breach date: 18 February 2015
Date added to HIBP: 9 August 2018
Compromised accounts: 972,629
Compromised data: Credit status information, Email addresses, Home loan information, Income levels, IP addresses, Names, Passwords, Personal descriptions, Physical addresses
Permalink
MyFitnessPal
In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 1 February 2018
Date added to HIBP: 21 February 2019
Compromised accounts: 143,606,147
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MyHeritage
In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 26 October 2017
Date added to HIBP: 20 February 2019
Compromised accounts: 91,991,358
Compromised data: Email addresses, Passwords
Permalink
NapsGear
In October 2015, the anabolic steroids retailer NapsGear suffered a data breach. An extensive amount of personal information on 287k customers was exposed including email addresses, names, addresses, phone numbers, purchase histories and salted MD5 password hashes.
Breach date: 21 October 2015
Date added to HIBP: 10 September 2018
Compromised accounts: 287,071
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Naughty America
In March 2016, the adult website Naughty America was hacked and the data consequently sold online. The breach included data from numerous systems with various personal identity attributes, the largest of which had passwords stored as easily crackable MD5 hashes. There were 1.4 million unique email addresses in the breach.
Breach date: 14 March 2016
Date added to HIBP: 24 April 2016
Compromised accounts: 1,398,630
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
NemoWeb
In September 2016, almost 21GB of data from the French website used for "standardised and decentralized means of exchange for publishing newsgroup articles" NemoWeb was leaked from what appears to have been an unprotected Mongo DB. The data consisted of a large volume of emails sent to the service and included almost 3.5M unique addresses, albeit many of them auto-generated. Multiple attempts were made to contact the operators of NemoWeb but no response was received.
Breach date: 4 September 2016
Date added to HIBP: 19 September 2018
Compromised accounts: 3,472,916
Compromised data: Email addresses, Names
Permalink
Neopets
In May 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email addresses. Passwords were stored in plain text and IP addresses were also present in the breach.
Breach date: 5 May 2013
Date added to HIBP: 7 July 2016
Compromised accounts: 26,892,897
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Usernames
Permalink
NetEase
In October 2015, the Chinese site known as NetEase (located at 163.com) was reported as having suffered a data breach that impacted hundreds of millions of subscribers. Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 19 October 2015
Date added to HIBP: 9 October 2016
Compromised accounts: 234,842,089
Compromised data: Email addresses, Passwords
Permalink
Neteller
In May 2010, the e-wallet service known as Neteller suffered a data breach which exposed over 3.6M customers. The breach was not discovered until October 2015 and included names, email addresses, home addresses and account balances.
Breach date: 17 May 2010
Date added to HIBP: 30 November 2015
Compromised accounts: 3,619,948
Compromised data: Account balances, Dates of birth, Email addresses, Genders, IP addresses, Names, Phone numbers, Physical addresses, Security questions and answers, Website activity
Permalink
NetGalley
In December 2020, the book promotion site NetGalley suffered a data breach. The incident exposed 1.4 million unique email addresses alongside names, usernames, physical and IP addresses, phone numbers, dates of birth and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to [email protected].
Breach date: 21 December 2020
Date added to HIBP: 23 February 2021
Compromised accounts: 1,436,435
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Netlog
In July 2018, the Belgian social networking site Netlog identified a data breach of their systems dating back to November 2012 (PDF). Although the service was discontinued in 2015, the data breach still impacted 49 million subscribers for whom email addresses and plain text passwords were exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 1 November 2012
Date added to HIBP: 15 July 2019
Compromised accounts: 49,038,354
Compromised data: Email addresses, Passwords
Permalink
NetProspex
In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them. It contained extensive personal and corporate information including names, email addresses, job titles and general information about the employer.
Breach date: 1 September 2016
Date added to HIBP: 15 March 2017
Compromised accounts: 33,698,126
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
Netshoes
In December 2017, the online Brazilian retailer known as Netshoes had half a million records allegedly hacked from their system posted publicly. The company was contacted by local Brazilian media outlet Tecmundo and subsequently advised that no indications have been identified of an invasion of the company's systems. However, Netshoes' own systems successfully confirm the presence of matching identifiers and email addresses from the data set, indicating a high likelihood that the data originated from them.
Breach date: 7 December 2017
Date added to HIBP: 10 December 2017
Compromised accounts: 499,836
Compromised data: Dates of birth, Email addresses, Names, Purchases
Permalink
Nival
In February 2016, the Russian gaming company Nival was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", Nival was one of several Russian sites in the breach and impacted over 1.5M accounts including sensitive personal information.
Breach date: 29 February 2016
Date added to HIBP: 3 March 2016
Compromised accounts: 1,535,473
Compromised data: Avatars, Dates of birth, Email addresses, Genders, Names, Spoken languages, Usernames, Website activity
Permalink
Nulled.ch
In May 2020, the hacking forum Nulled.ch was breached and the data published to a rival hacking forum. Over 43k records were compromised and included IP and email addresses, usernames and passwords stored as salted MD5 hashes alongside the private message history of the website's admin. The data was provided to HIBP by a source who requested it be attributed to "Split10".
Breach date: 20 May 2020
Date added to HIBP: 24 May 2020
Compromised accounts: 43,491
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
Nulled.cr
In May 2016, the cracking community forum known as Nulled.cr was hacked and 599k user accounts were leaked publicly. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members.
Breach date: 6 May 2016
Date added to HIBP: 9 May 2016
Compromised accounts: 599,080
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
OGUsers (2019 breach)
In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.
Breach date: 26 December 2018
Date added to HIBP: 19 May 2019
Compromised accounts: 161,143
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
OGUsers (2020 breach)
In April 2020, the account hijacking and SIM swapping forum OGUsers suffered their second data breach in less than a year. As with the previous breach, the exposed data included email and IP addresses, usernames, private messages and passwords stored as salted MD5 hashes. A total of 263k email addresses across user accounts and other tables were posted to a rival hacking forum.
Breach date: 2 April 2020
Date added to HIBP: 4 April 2020
Compromised accounts: 263,189
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
Onliner Spambot
In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.
Breach date: 28 August 2017
Date added to HIBP: 29 August 2017
Compromised accounts: 711,477,622
Compromised data: Email addresses, Passwords
Permalink
Open CS:GO
In December 2017, the website for purchasing Counter-Strike skins known as Open CS:GO (Counter-Strike: Global Offensive) suffered a data breach (address since redirects to dropgun.com). The 10GB file contained an extensive amount of personal information including email and IP addresses, phone numbers, physical addresses and purchase histories. Numerous attempts were made to contact Open CS:GO about the incident, however no responses were received.
Breach date: 28 November 2017
Date added to HIBP: 15 January 2018
Compromised accounts: 512,311
Compromised data: Avatars, Email addresses, IP addresses, Phone numbers, Physical addresses, Purchases, Social media profiles, Usernames
Permalink
Ordine Avvocati di Roma
In May 2019, the Lawyers Order of Rome suffered a data breach by a group claiming to be Anonymous Italy. Data on tens of thousands of Roman lawyers was taken from the breached system and redistributed online. The data included contact information, email addresses and email messages themselves encompassing tens of thousands of unique email addresses. A total of 42k unique addresses appeared in the breach.
Breach date: 7 May 2019
Date added to HIBP: 26 May 2019
Compromised accounts: 41,960
Compromised data: Email addresses, Email messages, Geographic locations, Passwords, Phone numbers
Permalink
Oxfam
In January 2021, Oxfam Australia was the victim of a data breach which exposed 1.8M unique email addresses of supporters of the charity. The data was put up for sale on a popular hacking forum and also included names, phone numbers, addresses, genders and dates of birth. A small number of people also had partial credit card data exposed (the first 6 and last 3 digits of the card, plus card type and expiry) and in some cases the bank name, account number and BSB were also exposed. The data was subsequently made freely available on the hacking forum later the following month.
Breach date: 20 January 2021
Date added to HIBP: 2 March 2021
Compromised accounts: 1,834,006
Compromised data: Bank account numbers, Dates of birth, Email addresses, Genders, Names, Partial credit card data, Payment histories, Phone numbers, Physical addresses
Permalink
Paddy Power
In October 2010, the Irish bookmaker Paddy Power suffered a data breach that exposed 750,000 customer records with nearly 600,000 unique email addresses. The breach was not disclosed until July 2014 and contained extensive personal information including names, addresses, phone numbers and plain text security questions and answers.
Breach date: 25 October 2010
Date added to HIBP: 11 October 2015
Compromised accounts: 590,954
Compromised data: Account balances, Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Security questions and answers, Usernames, Website activity
Permalink
PayAsUGym
In December 2016, an attacker breached PayAsUGym's website exposing over 400k customers' personal data. The data was consequently leaked publicly and broadly distributed via Twitter. The leaked data contained personal information including email addresses and passwords hashed using MD5 without a salt.
Breach date: 15 December 2016
Date added to HIBP: 17 December 2016
Compromised accounts: 400,260
Compromised data: Browser user agent details, Email addresses, IP addresses, Names, Partial credit card data, Passwords, Phone numbers, Website activity
Permalink
People's Energy
In December 2020, the UK power company People's Energy suffered a data breach. The breach exposed almost 7GB of files containing 359k unique email addresses along with names, phones numbers, physical addresses and dates of birth. The incident also included People's Energy staff email addresses and bcrypt password hashes (no customer passwords were exposed). The data was provided to HIBP by a source who requested it be attributed to [email protected].
Breach date: 16 December 2020
Date added to HIBP: 23 February 2021
Compromised accounts: 358,822
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Pixlr
In October 2020, the online photo editing application Pixlr suffered a data breach exposing 1.9 million subscribers. Impacted data included names, email addresses, social media profiles, the country signed up from and passwords stored as SHA-512 hashes. The data was provided to HIBP by dehashed.com.
Breach date: 7 October 2020
Date added to HIBP: 1 February 2021
Compromised accounts: 1,906,808
Compromised data: Email addresses, Geographic locations, Names, Passwords, Social media profiles
Permalink
piZap
In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019. A total of 42 million unique email addresses were included in the breach alongside names, genders and links to Facebook profiles when the social media platform was used to authenticate to piZap. When accounts were created directly on piZap without using Facebook for authentication, passwords stored as SHA-1 hashes were also exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 7 December 2017
Date added to HIBP: 16 July 2019
Compromised accounts: 41,817,893
Compromised data: Email addresses, Genders, Geographic locations, Names, Passwords, Social media profiles, Usernames, Website activity
Permalink
Pluto TV
In October 2018, the internet television service Pluto TV suffered a data breach which was then shared extensively in hacking communities. Pluto TV "decided not to proactively inform users of the breach" which contained 3.2M unique email and IP addresses, names, usernames, genders, dates of birth and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 12 October 2018
Date added to HIBP: 5 December 2020
Compromised accounts: 3,225,080
Compromised data: Dates of birth, Device information, Email addresses, Genders, IP addresses, Names, Passwords, Social media profiles, Usernames
Permalink
PoliceOne
In February 2017, the law enforcement website PoliceOne confirmed they'd suffered a data breach. The breach contained over 700k accounts which appeared for sale by a data broker and included email and IP addresses, usernames and salted MD5 password hashes. The file the data was contained in indicated the original breach dated back to July 2014.
Breach date: 1 July 2014
Date added to HIBP: 15 November 2017
Compromised accounts: 709,926
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Poshmark
In mid-2018, social commerce marketplace Poshmark suffered a data breach that exposed 36M user accounts. The compromised data included email addresses, names, usernames, genders, locations and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 16 May 2018
Date added to HIBP: 2 September 2019
Compromised accounts: 36,395,491
Compromised data: Email addresses, Genders, Geographic locations, Names, Passwords, Usernames
Permalink
Powerbot
In approximately September 2014, the RuneScape bot website Powerbot suffered a data breach resulting in the exposure of over half a million unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 1 September 2014
Date added to HIBP: 1 July 2017
Compromised accounts: 503,501
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
ProctorU
In June 2020, the online exam service ProctorU suffered a data breach which was subsequently shared extensively across online hacking communities. The breach contained 444k user records including names, email and physical addresses, phones numbers and passwords stored as bcrypt hashes. The data was provided to HIBP by breachbase.pw.
Breach date: 26 June 2020
Date added to HIBP: 6 August 2020
Compromised accounts: 444,453
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Programming Forums
In approximately late 2015, the programming forum at programmingforums.org suffered a data breach resulting in the exposure of 707k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 1 December 2015
Date added to HIBP: 1 July 2017
Compromised accounts: 707,432
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Promo
In July 2020, the self-proclaimed "World's #1 Marketing Video Maker" Promo suffered a data breach which was then shared extensively on a hacking forum. The incident exposed 22 million records containing almost 15 million unique email addresses alongside IP addresses, genders, names and salted SHA-256 password hashes. The data was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 26 July 2020
Compromised accounts: 14,610,585
Compromised data: Email addresses, Genders, IP addresses, Names, Passwords
Permalink
PropTiger
In January 2018, the Indian property website PropTiger suffered a data breach which resulted in a 3.46GB database file being exposed and subsequently shared extensively on a popular hacking forum 2 years later. The exposed data contained both user records and login histories with over 2M unique customer email addresses. Exposed data also included additional personal attributes such as names, dates of birth, genders, IP addresses and passwords stored as MD5 hashes. PropTiger advised they believe the usability of the data is "limited" due to how certain data attributes were generated and stored. The data was provided to HIBP by dehashed.com.
Breach date: 30 January 2018
Date added to HIBP: 24 March 2020
Compromised accounts: 2,156,921
Compromised data: Dates of birth, Device information, Email addresses, Genders, IP addresses, Names, Passwords
Permalink
Qatar National Bank
In July 2015, the Qatar National Bank suffered a data breach which exposed 15k documents totalling 1.4GB and detailing more than 100k accounts with passwords and PINs. The incident was made public some 9 months later in April 2016 when the documents appeared publicly on a file sharing site. Analysis of the breached data suggests the attack began by exploiting a SQL injection flaw in the bank's website.
Breach date: 1 July 2015
Date added to HIBP: 1 May 2016
Compromised accounts: 88,678
Compromised data: Bank account numbers, Customer feedback, Dates of birth, Financial transactions, Genders, Geographic locations, Government issued IDs, IP addresses, Marital statuses, Names, Passwords, Phone numbers, Physical addresses, PINs, Security questions and answers, Spoken languages
Permalink
Quantum Booter
In March 2014, the booter service Quantum Booter (also referred to as Quantum Stresser) suffered a breach which lead to the disclosure of their internal database. The leaked data included private discussions relating to malicious activity Quantum Booter users were performing against online adversaries, including the IP addresses of those using the service to mount DDoS attacks.
Breach date: 18 March 2014
Date added to HIBP: 4 April 2015
Compromised accounts: 48,592
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
QuinStreet
In approximately late 2015, the maker of "performance marketing products" QuinStreet had a number of their online assets compromised. The attack impacted 28 separate sites, predominantly technology forums such as flashkit.com, codeguru.com and webdeveloper.com (view a full list of sites). QuinStreet advised that impacted users have been notified and passwords reset. The data contained details on over 4.9 million people and included email addresses, dates of birth and salted MD5 hashes.
Breach date: 14 December 2015
Date added to HIBP: 17 December 2016
Compromised accounts: 4,907,802
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
R2Games
In late 2015, the gaming website R2Games was hacked and more than 2.1M personal records disclosed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 11M accounts were added to "Have I Been Pwned" in March 2016 and another 9M in July 2016 bringing the total to over 22M.
Breach date: 1 November 2015
Date added to HIBP: 9 February 2016
Compromised accounts: 22,281,337
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Rambler
In late 2016, a data dump of almost 100M accounts from Rambler, sometimes referred to as "The Russian Yahoo", was discovered being traded online. The data set provided to Have I Been Pwned included 91M unique usernames (which also form part of Rambler email addresses) and plain text passwords. According to Rambler, the data dates back to March 2014.
Breach date: 1 March 2014
Date added to HIBP: 1 November 2016
Compromised accounts: 91,436,280
Compromised data: Email addresses, Passwords, Usernames
Permalink
RankWatch
In approximately November 2016, the search engine optimisation management company RankWatch exposed a Mongo DB with no password publicly whereupon their data was exfiltrated and posted to an online forum. The data contained 7.4 million unique email addresses along with names, employers, phone numbers and job titles in a table called "us_emails". When contacted and advised of the incident, RankWatch would not reveal the purpose of the data, where it had been acquired from and whether the data owners had consented to its collection. The forum which originally posted the data explained it as being "in the same vein as the modbsolutions leak", a large list of corporate data allegedly used for spam purposes.
Breach date: 19 November 2016
Date added to HIBP: 3 November 2017
Compromised accounts: 7,445,067
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers
Permalink
Rbx.Rocks
In August 2018, the Roblox trading site Rbx.Rocks suffered a data breach. Almost 25k records were sent to HIBP in November and included names, email addresses and passwords stored as bcrypt hashes. In July 2019, a further 125k records emerged bringing the total size of the incident to 150k. The website has since gone offline with a message stating that "Rbx.Rocks v2.0 is currently under construction".
Breach date: 6 August 2018
Date added to HIBP: 7 November 2018
Compromised accounts: 149,958
Compromised data: Email addresses, Names, Passwords
Permalink
Real Estate Mogul
In September 2016, the real estate investment site Real Estate Mogul had a Mongo DB instance compromised and 5GB of data downloaded by an unauthorised party. The data contained real estate listings including addresses and the names, phone numbers and 308k unique email addresses of the sellers. Real Estate Mogul was advised of the incident in September 2018 and stated that they "found no instance of user account credentials like usernames and passwords nor billing information within this file".
Breach date: 6 September 2016
Date added to HIBP: 24 September 2018
Compromised accounts: 307,768
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
Regpack
In July 2016, a tweet was posted with a link to an alleged data breach of BlueSnap, a global payment gateway and merchant account provider. The data contained 324k payment records across 105k unique email addresses and included personal attributes such as name, home address and phone number. The data was verified with multiple Have I Been Pwned subscribers who confirmed it also contained valid transactions, partial credit card numbers, expiry dates and CVVs. A downstream consumer of BlueSnap services known as Regpack was subsequently identified as the source of the data after they identified human error had left the transactions exposed on a publicly facing server. A full investigation of the data and statement by Regpack is detailed in the post titled Someone just lost 324k payment records, complete with CVVs.
Breach date: 20 May 2016
Date added to HIBP: 13 September 2016
Compromised accounts: 104,977
Compromised data: Browser user agent details, Credit card CVV, Email addresses, IP addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases
Permalink
Retina-X
In February 2017, the mobile device monitoring software developer Retina-X was hacked and customer data downloaded before being wiped from their servers. The incident was covered in the Motherboard article titled Inside the 'Stalkerware' Surveillance Market, Where Ordinary People Tap Each Other's Phones. The service, used to monitor mobile devices, had 71k email addresses and MD5 hashes with no salt exposed. Retina-X disclosed the incident in a blog post on April 27, 2017.
Breach date: 23 February 2017
Date added to HIBP: 30 April 2017
Compromised accounts: 71,153
Compromised data: Email addresses, Passwords
Permalink
River City Media Spam List
In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.
Breach date: 1 January 2017
Date added to HIBP: 8 March 2017
Compromised accounts: 393,430,309
Compromised data: Email addresses, IP addresses, Names, Physical addresses
Permalink
Roll20
In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 26 December 2018
Date added to HIBP: 19 July 2019
Compromised accounts: 3,994,436
Compromised data: Email addresses, IP addresses, Names, Partial credit card data, Passwords
Permalink
Russian America
In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes. Russian America was contacted about the breach but did not respond.
Breach date: 1 January 2017
Date added to HIBP: 13 September 2018
Compromised accounts: 182,717
Compromised data: Email addresses, Names, Passwords, Phone numbers
Permalink
SaverSpy
In September 2018, security researcher Bob Diachenko discovered a massive collection of personal details exposed in an unprotected Mongo DB instance. The data appears to have been used in marketing campaigns (possibly for spam purposes) but had little identifying data about it other than a description of "Yahoo_090618_ SaverSpy". The data set provided to HIBP had almost 2.5M unique email addresses (all of which were from Yahoo!) alongside names, genders and physical addresses.
Breach date: 18 September 2018
Date added to HIBP: 25 September 2018
Compromised accounts: 2,457,420
Compromised data: Email addresses, Genders, Names, Physical addresses
Permalink
Scentbird
In June 2020, the online fragrance service Scentbird suffered a data breach that exposed the personal information of over 5.8 million customers. Personal information including names, email addresses, genders, dates of birth, passwords stored as bcrypt hashes and indicators of password strength were all exposed. The data was provided to HIBP by breachbase.pw.
Breach date: 22 June 2020
Date added to HIBP: 30 July 2020
Compromised accounts: 5,814,988
Compromised data: Dates of birth, Email addresses, Genders, Names, Password strengths, Passwords
Permalink
Sephora
In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 9 January 2017
Date added to HIBP: 6 October 2019
Compromised accounts: 780,073
Compromised data: Dates of birth, Email addresses, Ethnicities, Genders, Names, Physical attributes
Permalink
ShareThis
In July 2018, the social bookmarking and sharing service ShareThis suffered a data breach. The incident exposed 41 million unique email addresses alongside names and in some cases, dates of birth and password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by dehashed.com.
Breach date: 9 July 2018
Date added to HIBP: 3 March 2019
Compromised accounts: 40,960,499
Compromised data: Dates of birth, Email addresses, Names, Passwords
Permalink
SHEIN
In June 2018, online fashion retailer SHEIN suffered a data breach. The company discovered the breach 2 months later in August then disclosed the incident another month after that. A total of 39 million unique email addresses were found in the breach alongside MD5 password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 1 June 2018
Date added to HIBP: 17 July 2019
Compromised accounts: 39,086,762
Compromised data: Email addresses, Passwords
Permalink
Slickwraps
In February 2020, the online store for consumer electronics wraps Slickwraps suffered a data breach. The incident resulted in the exposure of 858k unique email addresses across customer records and newsletter subscribers. Additional impacted data included names, physical addresses, phone numbers and purchase histories.
Breach date: 16 February 2020
Date added to HIBP: 22 February 2020
Compromised accounts: 857,611
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Snapchat
In January 2014 just one week after Gibson Security detailed vulnerabilities in the service, Snapchat had 4.6 million usernames and phone number exposed. The attack involved brute force enumeration of a large number of phone numbers against the Snapchat API in what appears to be a response to Snapchat's assertion that such an attack was "theoretical". Consequently, the breach enabled individual usernames (which are often used across other services) to be resolved to phone numbers which users usually wish to keep private.
Breach date: 1 January 2014
Date added to HIBP: 2 January 2014
Compromised accounts: 4,609,615
Compromised data: Geographic locations, Phone numbers, Usernames
Permalink
Social Engineered
In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the MyBB forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.
Breach date: 13 June 2019
Date added to HIBP: 23 June 2019
Compromised accounts: 89,392
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
Sonicbids
In December 2019, the booking website Sonicbids suffered a data breach which they attributed to "a data privacy event involving our third-party cloud hosting services". The breach contained 752k user records including names and usernames, email addresses and passwords stored as PBKDF2 hashes. The data was provided to HIBP by breachbase.pw.
Breach date: 30 December 2019
Date added to HIBP: 18 August 2020
Compromised accounts: 751,700
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
In 2011, Sony suffered breach after breach after breach — it was a very bad year for them. The breaches spanned various areas of the business ranging from the PlayStation network all the way through to the motion picture arm, Sony Pictures. A SQL Injection vulnerability in sonypictures.com lead to tens of thousands of accounts across multiple systems being exposed complete with plain text passwords.
Breach date: 2 June 2011
Date added to HIBP: 4 December 2013
Compromised accounts: 37,103
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Soundwave
In approximately mid 2015, the music tracking app Soundwave suffered a data breach. The breach stemmed from an incident whereby "production data had been used to populate the test database" and was then inadvertently exposed in a MongoDB. The data contained 130k records and included email addresses, dates of birth, genders and MD5 hashes of passwords without a salt.
Breach date: 16 July 2015
Date added to HIBP: 17 March 2017
Compromised accounts: 130,705
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Social connections
Permalink
Spirol
In February 2014, Connecticut based Spirol Fastening Solutions suffered a data breach that exposed over 70,000 customer records. The attack was allegedly mounted by exploiting a SQL injection vulnerability which yielded data from Spirol’s CRM system ranging from customers’ names, companies, contact information and over 55,000 unique email addresses.
Breach date: 22 February 2014
Date added to HIBP: 22 February 2014
Compromised accounts: 55,622
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
SpyFone
In August 2018, the spyware company SpyFone left terabytes of data publicly exposed. Collected surreptitiously whilst the targets were using their devices, the data included photos, audio recordings, text messages and browsing history which were then exposed via a number of misconfigurations within SpyFone's systems. The data belonged the thousands of SpyFone customers and included 44k unique email addresses, many likely belonging to people the targeted phones had contact with.
Breach date: 16 August 2018
Date added to HIBP: 24 August 2018
Compromised accounts: 44,109
Compromised data: Audio recordings, Browsing histories, Device information, Email addresses, Geographic locations, IMEI numbers, IP addresses, Names, Passwords, Photos, SMS messages
Permalink
Staminus
In March 2016, the DDoS protection service Staminus was "massively hacked" resulting in an outage of more than 20 hours and the disclosure of customer credentials (with unsalted MD5 hashes), support tickets, credit card numbers and other sensitive data. 27k unique email addresses were found in the data which was subsequently released to the public. Staminus is no longer in operation.
Breach date: 11 March 2016
Date added to HIBP: 5 October 2017
Compromised accounts: 26,815
Compromised data: Credit cards, Email addresses, IP addresses, Passwords, Support tickets, Usernames
Permalink
StarNet
In February 2015, the Moldavian ISP "StarNet" had it's database published online. The dump included nearly 140k email addresses, many with personal details including contact information, usage patterns of the ISP and even passport numbers.
Breach date: 26 February 2015
Date added to HIBP: 11 April 2015
Compromised accounts: 139,395
Compromised data: Customer interactions, Dates of birth, Email addresses, Genders, IP addresses, MAC addresses, Names, Passport numbers, Passwords, Phone numbers
Permalink
StarTribune
In October 2019, the Minnesota-based news service StarTribune suffered a data breach which was subsequently sold on the dark web. The breach exposed over 2 million unique email addresses alongside names, usernames, physical addresses, dates of birth, genders and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 10 October 2019
Date added to HIBP: 30 October 2020
Compromised accounts: 2,192,857
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Physical addresses, Usernames
Permalink
Ster-Kinekor
In 2016, the South African cinema company Ster-Kinekor had a security flaw which leaked a large amount of customer data via an enumeration vulnerability in the API of their old website. Whilst more than 6 million accounts were leaked by the flaw, the exposed data only contained 1.6 million unique email addresses. The data also included extensive personal information such as names, addresses, birthdates, genders and plain text passwords.
Breach date: 9 March 2017
Date added to HIBP: 13 March 2017
Compromised accounts: 1,619,544
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Spoken languages
Permalink
StockX
In July 2019, the fashion and sneaker trading platform StockX suffered a data breach which was subsequently sold via a dark webmarketplace. The exposed data included 6.8 million unique email addresses, names, physical addresses, purchases and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.
Breach date: 26 July 2019
Date added to HIBP: 10 August 2019
Compromised accounts: 6,840,339
Compromised data: Email addresses, Names, Passwords, Physical addresses, Purchases, Usernames
Permalink
Straffic
In February 2020, Israeli marketing company Straffic exposed a database with 140GB of personal data. The publicly accessible Elasticsearch database contained over 300M rows with 49M unique email addresses. Exposed data also included names, phone numbers, physical addresses and genders. In their breach disclosure message, Straffic stated that "it is impossible to create a totally immune system, and these things can occur".
Breach date: 14 February 2020
Date added to HIBP: 27 February 2020
Compromised accounts: 48,580,249
Compromised data: Email addresses, Genders, Names, Phone numbers, Physical addresses
Permalink
Stratfor
In December 2011, "Anonymous" attacked the global intelligence company known as "Stratfor" and consequently disclosed a veritable treasure trove of data including hundreds of gigabytes of email and tens of thousands of credit card details which were promptly used by the attackers to make charitable donations (among other uses). The breach also included 860,000 user accounts complete with email address, time zone, some internal system data and MD5 hashed passwords with no salt.
Breach date: 24 December 2011
Date added to HIBP: 4 December 2013
Compromised accounts: 859,777
Compromised data: Credit cards, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
StreetEasy
In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 28 June 2016
Date added to HIBP: 6 October 2019
Compromised accounts: 988,230
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Stronghold Kingdoms
In July 2018, the massive multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident which exposed emails addresses, usernames and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 4 July 2018
Date added to HIBP: 21 July 2019
Compromised accounts: 5,187,305
Compromised data: Email addresses, Passwords, Usernames
Permalink
SuperVPN & GeckoVPN
In February 2021, a series of "free" VPN services were breached including SuperVPN and GeckoVPN, exposing over 20M records. The data appeared together in a single file with a small number of records also included from FlashVPN, suggesting that all three brands may share the same platform. Impacted data also included email addresses, the country logged in from and the date and time each login occurred alongside device information including the make and model, IMSI number and serial number. The data was provided to HIBP by a source who requested it be attributed to [email protected].
Breach date: 25 February 2021
Date added to HIBP: 28 February 2021
Compromised accounts: 20,339,937
Compromised data: Device information, Device serial numbers, Email addresses, Geographic locations, IMSI numbers, Login histories
Permalink
In June 2020, the Egyptian bus operator Swvl suffered a data breach which impacted over 4 million members of the service. The exposed data included names, email addresses, phone numbers, profile photos, partial credit card data (type and last 4 digits) and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities. The data was provided to HIBP by breachbase.pw.
Breach date: 23 June 2020
Date added to HIBP: 31 July 2020
Compromised accounts: 4,195,918
Compromised data: Email addresses, Names, Partial credit card data, Passwords, Phone numbers, Profile photos
Permalink
TaiLieu
In November 2019, the Vietnamese education website TaiLieu allegedly suffered a data breach exposing 7.3M customer records. Impacted data included names and usernames, email addresses, dates of birth, genders and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com after being shared on a popular hacking forum. TaiLieu did not respond when contacted about the incident.
Breach date: 24 November 2019
Date added to HIBP: 3 May 2020
Compromised accounts: 7,327,477
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Phone numbers, Usernames
Permalink
Tamodo
In February 2020, the affiliate marketing network Tamodo suffered a data breach which was subsequently shared on a popular hacking forum. The incident exposed almost 500k accounts including names, email addresses, dates of birth and passwords stored as bcrypt hashes. Tamodo failed to respond to multiple attempts to report the breach via published communication channels.
Breach date: 28 February 2020
Date added to HIBP: 24 March 2020
Compromised accounts: 494,945
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords
Permalink
Taobao
In approximately 2012, it's alleged that the Chinese shopping site known as Taobao suffered a data breach that impacted over 21 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 January 2012
Date added to HIBP: 8 October 2016
Compromised accounts: 21,149,008
Compromised data: Email addresses, Passwords
Permalink
Technic
In November 2018, the Minecraft modpack platform known as Technic suffered a data breach. Technic promptly disclosed the breach and advised that the impacted data included over 265k unique users' email and IP addresses, chat logs, private messages and passwords stored as bcrypt hashes with a work factor of 13. Technic self-submitted the breach to HIBP.
Breach date: 30 November 2018
Date added to HIBP: 4 December 2018
Compromised accounts: 265,410
Compromised data: Chat logs, Email addresses, IP addresses, Passwords, Private messages, Time zones
Permalink
Telecom Regulatory Authority of India
In April 2015, the Telecom Regulatory Authority of India (TRAI) published tens of thousand of emails sent by Indian citizens supporting net neutrality as part of the SaveTheInternet campaign. The published data included lists of emails including the sender's name and email address as well as the contents of the email as well, often with signatures including other personal data.
Breach date: 27 April 2015
Date added to HIBP: 27 April 2015
Compromised accounts: 107,776
Compromised data: Email addresses, Email messages
Permalink
Teracod
In May 2015, almost 100k user records were extracted from the Hungarian torrent site known as Teracod. The data was later discovered being torrented itself and included email addresses, passwords, private messages between members and the peering history of IP addresses using the service.
Breach date: 28 May 2016
Date added to HIBP: 22 August 2016
Compromised accounts: 97,151
Compromised data: Avatars, Email addresses, IP addresses, Passwords, Payment histories, Private messages, Usernames, Website activity
Permalink
TGBUS
In approximately 2017, it's alleged that the Chinese gaming site known as TGBUS suffered a data breach that impacted over 10 million unique subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains usernames, email addresses and salted MD5 password hashes and was provided with support from dehashed.com. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 September 2017
Date added to HIBP: 28 April 2018
Compromised accounts: 10,371,766
Compromised data: Email addresses, Passwords, Usernames
Permalink
The Fly on the Wall
In December 2017, the stock market news website The Fly on the Wall suffered a data breach. The data in the breach included 84k unique email addresses as well as purchase histories and credit card data. Numerous attempts were made to contact The Fly on the Wall about the incident, however no responses were received.
Breach date: 31 December 2017
Date added to HIBP: 15 January 2018
Compromised accounts: 84,011
Compromised data: Age groups, Credit cards, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Purchases, Usernames
Permalink
The Halloween Spot
In September 2019, the Halloween costume store The Halloween Spot suffered a data breach. Originally misattributed to fancy dress store Smiffys, the breach contained 13GB of data with over 10k unique email addresses alongside names, physical and IP addresses, phone numbers and order histories. The Halloween Spot advised customers the breach was traced back to "an old shipping information database".
Breach date: 27 September 2019
Date added to HIBP: 16 March 2020
Compromised accounts: 10,653
Compromised data: Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
ThisHabbo Forum
In 2014, the ThisHabbo forum (a fan site for Habbo.com, a Finnish social networking site) appeared among a list of compromised sites which has subsequently been removed from the internet. Whilst the actual date of the exploit is not clear, the breached data includes usernames, email addresses, IP addresses and salted hashes of passwords. A further 584k records were added from a more comprehensive breach file provided in October 2016.
Breach date: 1 January 2014
Date added to HIBP: 28 March 2015
Compromised accounts: 612,414
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Ticketcounter
In August 2020, the Dutch ticketing service Ticketcounter inadvertently published a database backup to a publicly accessible location where it was then found and downloaded in February 2021. The data contained 1.9M unique email addresses which were offered for sale on a hacking forum alongside names, physical and IP addresses, genders, dates of birth, payment histories and in some cases, bank account numbers. Ticketcounter was later held to ransom with the threat of the breached being released publicly. The data was provided to HIBP by a source who requested it be attributed to [email protected].
Breach date: 22 February 2021
Date added to HIBP: 1 March 2021
Compromised accounts: 1,921,722
Compromised data: Bank account numbers, Dates of birth, Email addresses, Genders, IP addresses, Names, Payment histories, Phone numbers, Physical addresses
Permalink
Ticketfly
In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached data online to a publicly accessible location. The data included over 26 million unique email addresses along with names, physical addresses and phone numbers. Whilst there were no passwords in the publicly leaked data, Ticketfly later issued an incident update and stated that "It is possible, however, that hashed values of password credentials could have been accessed".
Breach date: 31 May 2018
Date added to HIBP: 3 June 2018
Compromised accounts: 26,151,608
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
Tokopedia
In April 2020, Indonesia's largest online store Tokopedia suffered a data breach. The incident resulted in 15M rows of data being posted to a popular hacking forum. An additional 76M rows were later provided to HIBP in July 2020. In total, the data included over 71M unique email addresses alongside names, genders, birth dates and passwords stored as SHA2-384 hashes.
Breach date: 17 April 2020
Date added to HIBP: 2 May 2020
Compromised accounts: 71,443,698
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords
Permalink
ToonDoo
In August 2019, the comic strip creation website ToonDoo suffered a data breach. The data was subsequently redistributed on a popular hacking forum in November where the personal information of over 6M subscribers was shared. Impacted data included email and IP addresses, usernames, genders, the location of the individual and salted password hashes.
Breach date: 21 August 2019
Date added to HIBP: 11 November 2019
Compromised accounts: 6,002,694
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Passwords, Usernames
Permalink
In approximately September 2014, the now defunct social networking service Tout suffered a data breach. The breach subsequently appeared years later and included 653k unique email addresses, names, IP addresses, the location of the user, their bio and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Breach date: 11 September 2014
Date added to HIBP: 25 January 2020
Compromised accounts: 652,683
Compromised data: Bios, Email addresses, Geographic locations, IP addresses, Names, Passwords, Usernames
Permalink
Travel Oklahoma
In December 2020, the Oklahoma state Tourism and Recreation Department suffered a data breach. The incident exposed 637k email addresses across a variety of tables including age ranges against brochure orders and dates of birth against contest entries. Genders, names and physical addresses were also exposed. The data was provided to HIBP by a source who requested it be attributed to "badhou3a".
Breach date: 17 December 2020
Date added to HIBP: 10 March 2021
Compromised accounts: 637,279
Compromised data: Age groups, Dates of birth, Email addresses, Genders, Names, Physical addresses
Permalink
TrueFire
In February 2020, the guitar tuition website TrueFire suffered a data breach which impacted 600k members. The breach exposed extensive personal information including names, email and physical addresses, account balances and unsalted MD5 password hashes. The data was provided to HIBP by dehashed.com.
Breach date: 21 February 2020
Date added to HIBP: 2 August 2020
Compromised accounts: 599,667
Compromised data: Account balances, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Ulmon
In January 2020, the travel app creator Ulmon suffered a data breach. The service had almost 1.3M records with 777k unique email addresses, names, passwords stored as bcrypt hashes and in some cases, social media profile IDs, telephone numbers and bios. The data was subsequently posted to a popular hacking forum.
Breach date: 26 January 2020
Date added to HIBP: 8 May 2020
Compromised accounts: 777,769
Compromised data: Bios, Email addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
UN Internet Governance Forum
In February 2014, the Internet Governance Forum (formed by the United Nations for policy dialogue on issues of internet governance) was attacked by hacker collective known as Deletesec. Although tasked with "ensuring the security and stability of the Internet", the IGF’s website was still breached and resulted in the leak of 3,200 email addresses, names, usernames and cryptographically stored passwords.
Breach date: 20 February 2014
Date added to HIBP: 23 February 2014
Compromised accounts: 3,200
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Universarium
In approximately November 2019, the Russian "Remote preparatory faculty for IT specialties" Universarium suffered a data breach. The incident exposed 565k email addresses and passwords in plain text. Universarium did not respond to multiple attempts to make contact over a period of many weeks. The data was provided to HIBP by dehashed.com.
Breach date: 1 November 2019
Date added to HIBP: 3 January 2020
Compromised accounts: 564,962
Compromised data: Email addresses, Passwords
Permalink
In September 2016, data was allegedly obtained from the Chinese website known as uuu9.com and contained 7.5M accounts. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and user names. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 6 September 2016
Date added to HIBP: 27 December 2016
Compromised accounts: 7,485,802
Compromised data: Email addresses, Passwords, Usernames
Permalink
Vakinha
In June 2020, the Brazilian fund raising service Vakinha suffered a data breach which impacted almost 4.8 million members. The exposed data included email addresses, names, phone numbers, geographic locations and passwords stored as bcrypt hashes, all of which was subsequently shared extensively throughout online hacking communities. The data was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 1 August 2020
Compromised accounts: 4,775,203
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers
Permalink
vBulletin
In November 2015, the forum software maker vBulletin suffered a serious data breach. The attack lead to the release of both forum user and customer accounts totalling almost 519k records. The breach included email addresses, birth dates, security questions and answers for customers and salted hashes of passwords for both sources.
Breach date: 3 November 2015
Date added to HIBP: 24 January 2016
Compromised accounts: 518,966
Compromised data: Dates of birth, Email addresses, Homepage URLs, Instant messenger identities, IP addresses, Passwords, Security questions and answers, Spoken languages, Website activity
Permalink
Vedantu
In mid-2019, the Indian interactive online tutoring platform Vedantu suffered a data breach which exposed the personal data of 687k users. The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as bcrypt hashes. When contacted about the incident, Vedantu advised that they were aware of the breach and were in the process of informing their customers.
Breach date: 8 July 2019
Date added to HIBP: 1 November 2019
Compromised accounts: 686,899
Compromised data: Browser user agent details, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Spoken languages, Time zones, Website activity
Permalink
Verifications.io
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.
Breach date: 25 February 2019
Date added to HIBP: 9 March 2019
Compromised accounts: 763,117,241
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Permalink
In April 2018, news broke of a massive data breach impacting the Vietnamese company known as VNG after data was discovered being traded on a popular hacking forum where it was extensively redistributed. The breach dated back to an incident in May of 2015 and included of over 163 million customers. The data in the breach contained a wide range of personal attributes including usernames, birth dates, genders and home addresses along with unsalted MD5 hashes and 25 million unique email addresses. The data was provided to HIBP by dehashed.com.
Breach date: 19 May 2015
Date added to HIBP: 28 April 2018
Compromised accounts: 24,853,850
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Marital statuses, Names, Occupations, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Vodafone
In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal sources.
Breach date: 30 November 2013
Date added to HIBP: 30 November 2013
Compromised accounts: 56,021
Compromised data: Credit cards, Email addresses, Government issued IDs, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, SMS messages, Usernames
Permalink
Void.to
In June 2019, the hacking website Void.to suffered a data breach. There were 95k unique email addresses spread across 86k forum users and other tables in the database. A rival hacking website claimed responsibility for breaching the MyBB based forum which disclosed email and IP addresses, usernames, private messages and passwords stored as either salted MD5 or bcrypt hashes.
Breach date: 13 June 2019
Date added to HIBP: 11 September 2019
Compromised accounts: 95,431
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
VTech
In November 2015, hackers extracted more than 4.8 million parents' and 227k children's accounts from VTech's Learning Lodge website. The Hong Kong company produces learning products for children including software sold via the compromised website. The data breach exposed extensive personal details including home addresses, security questions and answers and passwords stored as weak MD5 hashes. Furthermore, children's details including names, ages, genders and associations to their parents' records were also exposed.
Breach date: 13 November 2015
Date added to HIBP: 25 November 2015
Compromised accounts: 4,833,678
Compromised data: Dates of birth, Email addresses, Family members' names, Genders, IP addresses, Names, Passwords, Physical addresses, Security questions and answers, Usernames, Website activity
Permalink
V-Tight Gel
In approximately February 2016, data surfaced which was allegedly obtained from V-Tight Gel (vaginal tightening gel). Whilst the data set was titled V-Tight, within there were 50 other (predominantly wellness-related) domain names, most owned by the same entity. Multiple HIBP subscribers confirmed that although they couldn't recall providing data specifically to V-Tight, their personal information including name, phone and physical address was accurate. V-Tight Gel did not reply to multiple requests for comment.
Breach date: 13 February 2016
Date added to HIBP: 17 November 2017
Compromised accounts: 2,013,164
Compromised data: Email addresses, IP addresses, Names, Phone numbers, Physical addresses
Permalink
Wanelo
In approximately December 2018, the digital mall Wanelo suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019. A total of 23 million unique email addresses were included in the breach alongside passwords stored as either MD5 or bcrypt hashes. After the initial HIBP load, further data containing names, shipping addresses and IP addresses were also provided to HIBP, albeit without direct association to the email addresses and passwords. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 13 December 2018
Date added to HIBP: 30 September 2019
Compromised accounts: 23,165,793
Compromised data: Email addresses, IP addresses, Names, Passwords, Physical addresses
Permalink
Warframe
In November 2014, the online game Warframe was hacked and 819k unique email addresses were exposed. Allegedly due to a SQL injection flaw in Drupal, the attack exposed usernames, email addresses and data in a "pass" column which adheres to the salted SHA12 password hashing pattern used by Drupal 7. Digital Extremes (the developers of Warframe), asserts the salted hashes are of "alias names" rather than passwords.
Breach date: 24 November 2014
Date added to HIBP: 21 July 2016
Compromised accounts: 819,478
Compromised data: Email addresses, Usernames, Website activity
Permalink
Warmane
In approximately December 2016, the online service for World of Warcraft private servers Warmane suffered a data breach. The incident exposed over 1.1M accounts including usernames, email addresses, dates of birth and salted MD5 password hashes. The data was subsequently extensively circulated online and was later provided to HIBP by whitehat security researcher and data analyst Adam Davies.
Breach date: 1 December 2016
Date added to HIBP: 8 September 2018
Compromised accounts: 1,116,256
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
Wattpad
In June 2020, the user-generated stories website Wattpad suffered a huge data breach that exposed almost 270 million records. The data was initially sold then published on a public hacking forum where it was broadly shared. The incident exposed extensive personal information including names and usernames, email and IP addresses, genders, birth dates and passwords stored as bcrypt hashes.
Breach date: 29 June 2020
Date added to HIBP: 19 July 2020
Compromised accounts: 268,765,495
Compromised data: Bios, Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Social media profiles, User website URLs, Usernames
Permalink
WeLeakInfo
In March 2021, the Stripe account of the now-defunct WeLeakInfo service was taken over by "pompompurin" after acquiring an expired domain name with an email address used to manage the account. Access to Stripe then exposed almost 12k unique email addresses from customers who'd made credit card payments in order to obtain breached data hosted by WeLeakInfo. The data was subsequently leaked publicly and also included names, payment histories, IP addresses, billing addresses, partial credit card data and the organisation making the purchase. The data was provided to HIBP by a source who requested it be attributed to "breachbase.pw".
Breach date: 8 March 2021
Date added to HIBP: 15 March 2021
Compromised accounts: 11,788
Compromised data: Browser user agent details, Email addresses, Employers, IP addresses, Names, Partial credit card data, Physical addresses, Purchases
Permalink
WHMCS
In May 2012, the web hosting, billing and automation company WHMCS suffered a data breach that exposed 134k email addresses. The breach included extensive information about customers and payment histories including partial credit card numbers.
Breach date: 21 May 2012
Date added to HIBP: 28 June 2016
Compromised accounts: 134,047
Compromised data: Email addresses, Email messages, Employers, IP addresses, Names, Partial credit card data, Passwords, Payment histories, Physical addresses, Website activity
Permalink
Wife Lovers
In October 2018, the site dedicated to posting naked photos and other erotica of wives Wife Lovers suffered a data breach. The underlying database supported a total of 8 different adult websites and contained over 1.2M unique email addresses. Wife Lovers acknowledged the breach which impacted names, usernames, email and IP addresses and passwords hashed using the weak DEScrypt algorithm. The breach has been marked as "sensitive" due to the nature of the site.
Breach date: 7 October 2018
Date added to HIBP: 20 October 2018
Compromised accounts: 1,274,051
Compromised data: Email addresses, IP addresses, Names, Passwords, Usernames
Permalink
Win7Vista Forum
In September 2013, the Win7Vista Windows forum (since renamed to the "Beyond Windows 9" forum) was hacked and later had its internal database dumped. The dump included over 200k members’ personal information and other internal data extracted from the forum.
Breach date: 3 September 2013
Date added to HIBP: 1 June 2014
Compromised accounts: 202,683
Compromised data: Email addresses, Instant messenger identities, IP addresses, Names, Passwords, Private messages, Usernames, Website activity
Permalink
Wishbone (2016)
In August 2016, the mobile app to "compare anything" known as Wishbone suffered a data breach. The data contained 9.4 million records with 2.2 million unique email addresses and was allegedly a subset of the complete data set. The exposed data included genders, birthdates, email addresses and phone numbers for an audience predominantly composed of teenagers and young adults.
Breach date: 7 August 2016
Date added to HIBP: 15 March 2017
Compromised accounts: 2,247,314
Compromised data: Auth tokens, Dates of birth, Email addresses, Genders, Names, Phone numbers, Usernames
Permalink
Wishbone (2020)
In January 2020, the mobile app to "compare anything" Wishbone suffered another data breach which followed their breach from 2016. An extensive amount of personal information including almost 10M unique email addresses alongside names, phone numbers geographic locations and other personal attributes were leaked online and extensively redistributed. Passwords stored as unsalted MD5 hashes were also included in the breach. The data was provided to HIBP by a source who requested it be attributed to "All3in".
Breach date: 27 January 2020
Date added to HIBP: 28 May 2020
Compromised accounts: 9,705,172
Compromised data: Auth tokens, Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Profile photos, Social media profiles, Usernames
Permalink
WiziShop
In July 2020, the French e-commerce platform WiziShop suffered a data breach. The breach exposed 18GB worth of data including names, phone numbers, dates of birth, physical and IP addresses, SHA-1 password hashes and almost 3 million unique email addresses. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 14 July 2020
Date added to HIBP: 5 October 2020
Compromised accounts: 2,856,769
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Wongnai
In October 2020, 17 previously undisclosed data breaches appeared for sale including the Thai restaurant, hotel and attraction finding service, Wongnai. The breach exposed almost 4M unique customer records from some time during 2020 along with names, phone numbers, links to social media profiles and passwords stored as MD5 hashes. The data was self-submitted to HIBP by Wongnai.
Breach date: 28 October 2020
Date added to HIBP: 4 November 2020
Compromised accounts: 3,924,454
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
WPSandbox
In November 2018, the WordPress sandboxing service that allows people to create temporary websites WP Sandbox discovered their service was being used to host a phishing site attempting to collect Microsoft OneDrive accounts. After identifying the malicious site, WP Sandbox took it offline, contacted the 858 people who provided information to it then self-submitted their addresses to HIBP. The phishing page requested both email addresses and passwords.
Breach date: 4 November 2018
Date added to HIBP: 6 November 2018
Compromised accounts: 858
Compromised data: Email addresses, Passwords
Permalink
Xiaomi
In August 2012, the Xiaomi user forum website suffered a data breach. In all, 7 million email addresses appeared in the breach although a significant portion of them were numeric aliases on the bbs_ml_as_uid.xiaomi.com domain. Usernames, IP addresses and passwords stored as salted MD5 hashes were also exposed. The data was provided with support from dehashed.com. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 1 August 2012
Date added to HIBP: 21 July 2019
Compromised accounts: 7,088,010
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
In approximately early 2016, the gaming website Xpgamesaves (XPG) suffered a data breach resulting in the exposure of 890k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords. The site was previously reported as compromised on the Vigilante.pw breached database directory. This data was provided by security researcher and data analyst, Adam Davies.
Breach date: 1 January 2016
Date added to HIBP: 1 July 2017
Compromised accounts: 890,341
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Yatra
In September 2013, the Indian bookings website known as Yatra had 5 million records exposed in a data breach. The data contained email and physical addresses, dates of birth and phone numbers along with both PINs and passwords stored in plain text. The site was previously reported as compromised on the Vigilante.pw breached database directory.
Breach date: 1 September 2013
Date added to HIBP: 4 July 2018
Compromised accounts: 5,033,997
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, PINs
Permalink
YouNow
In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles. As authentication is performed via social providers, no passwords were exposed in the breach. Many records didn't have associated email addresses thus the unique number is lower than the reported total number of accounts. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Breach date: 15 February 2019
Date added to HIBP: 18 July 2019
Compromised accounts: 18,241,518
Compromised data: Email addresses, IP addresses, Names, Social media profiles, Usernames
Permalink
You've Been Scraped
In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator. Containing a total of over 66M records, the owner of the data couldn't be identified but it is believed to have been scraped from LinkedIn hence the title "You've Been Scraped". The exposed records included names, both work and personal email addresses, job titles and links to the individuals' LinkedIn profiles.
Breach date: 5 October 2018
Date added to HIBP: 6 December 2018
Compromised accounts: 66,147,869
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Social media profiles
Permalink
Zhenai.com
In December 2011, the Chinese dating site known as Zhenai.com suffered a data breach that impacted 5 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 21 December 2011
Date added to HIBP: 11 July 2019
Compromised accounts: 5,024,908
Compromised data: Email addresses, Passwords
Permalink
Zomato
In May 2017, the restaurant guide website Zomato was hacked resulting in the exposure of almost 17 million accounts. The data was consequently redistributed online and contains email addresses, usernames and salted MD5 hashes of passwords (the password hash was not present on all accounts). This data was provided to HIBP by whitehat security researcher and data analyst Adam Davies.
Breach date: 17 May 2017
Date added to HIBP: 4 September 2017
Compromised accounts: 16,472,873
Compromised data: Email addresses, Passwords, Usernames
Permalink
Zoosk (2011)
In approximately 2011, an alleged breach of the dating website Zoosk began circulating. Comprised of almost 53 million records, the data contained email addresses and plain text passwords. However, during extensive verification in May 2016 no evidence could be found that the data was indeed sourced from the dating service. This breach has consequently been flagged as fabricated; it's highly unlikely the data was sourced from Zoosk.
Breach date: 1 January 2011
Date added to HIBP: 8 February 2017
Compromised accounts: 52,578,183
Compromised data: Email addresses, Passwords
Permalink
Zoosk (2020)
In January 2020, the online dating service Zoosk suffered a data breach which was subsequently shared extensively across online hacking communities. The breach contained 24 million unique email addresses alongside extensive personal information including genders, sexualities, dates of birth, physical attributes such as height and weight, religions, ethnicities and political views. The breach also allegedly exposed MD5 password hashes, although the data circulating in hacking circles had this field nulled out. The breach was provided to HIBP by breachbase.pw.
Breach date: 12 January 2020
Date added to HIBP: 7 August 2020
Compromised accounts: 23,927,853
Compromised data: Dates of birth, Drinking habits, Education levels, Email addresses, Ethnicities, Family structure, Genders, Geographic locations, Income levels, Names, Nicknames, Physical attributes, Political views, Relationship statuses, Religions, Sexual orientations, Smoking habits
Permalink
Zooville
In September 2019, the zoophilia and bestiality forum Zooville suffered a data breach. The usernames and email addresses of 71k members were accessed via an unpatched vulnerability in the vBulletin forum software then subsequently distributed online. A second data set was later provided to HIBP which contained a complete vBulletin database dump including IP addresses, dates of birth and passwords stored as bcrypt hashes. The site administrator advised that following the breach, all data had been deleted from the forum and a new one had been stood up on the XenForo platform. The data was provided to HIBP by a source who requested it be attributed to "burger vault".
Breach date: 27 September 2019
Date added to HIBP: 19 October 2019
Compromised accounts: 71,407
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Спрашивай.ру
In May 2015, Спрашивай.ру (a the Russian website for anonymous reviews) was reported to have had 6.7 million user details exposed by a hacker known as "w0rm". Intended to be a site for expressing anonymous opinions, the leaked data included email addresses, birth dates and other personally identifiable data about almost 3.5 million unique email addresses found in the leak.
Breach date: 11 May 2015
Date added to HIBP: 12 May 2015
Compromised accounts: 3,474,763
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Spoken languages
Permalink
In March 2020, the Korean interior decoration website ???? (Decorating the House) suffered a data breach which impacted almost 1.3 million members. Served via the URL ggumim.co.kr, the exposed data included email addresses, names, usernames and phone numbers, all of which was subsequently shared extensively throughout online hacking communities. The data was provided to HIBP by breachbase.pw.
Breach date: 27 March 2020
Date added to HIBP: 2 August 2020
Compromised accounts: 1,298,651
Compromised data: Email addresses, Names, Phone numbers, Usernames
Permalink
Sensitive breach, not publicly searchable
Retired breach, removed from system
Unverified breach, may be sourced from elsewhere
Fabricated breach, likely not legitimate
Spam List, used for spam marketing
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK