-
SHEIN
June 1, 2018
In June 2018, online fashion retailer SHEIN suffered a data breach. The company discovered the breach 2 months later in August then disclosed the incident another month after that. A total of 39 million unique email addresses were found in the breach alongside MD5 password hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
-
Exactis
June 1, 2018
•
[ leak, misconfiguration, technology ]
In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
-
Sooke School District
May 31, 2018
The Sooke School District warns parents about a privacy invasion after an employee's email was hacked.
-
Ticketfly
May 31, 2018
In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached data online to a publicly accessible location. The data included over 26 million unique email addresses along with names, physical addresses and phone numbers. Whilst there were no passwords in the publicly leaked data, Ticketfly later issued an incident update and stated that "It is possible, however, that hashed values of password credentials could have been accessed".
-
Ticketfly
May 30, 2018
The Ticketfly website is defaced with an image of V from the film V for Vendetta. Unfortunately, after refusing to pay a 1 BTC ransom, Ticketfly reveals that the personal information of 27 million accounts, including ticket buyers and venue operators, was compromised.
-
Adult-FanFiction.Org
May 30, 2018
•
[ leak, misconfiguration, technology ]
In May 2018, the website for sharing adult-orientated works of fiction known as Adult-FanFiction.Org had 186k records exposed in a data breach. The data contained names, email addresses, dates of birth and passwords stored as both MD5 hashes and plain text. AFF did not respond when contacted about the breach and the site was previously reported as compromised on the Vigilante.pw breached database directory.
-
Harare Institute of Technology
May 28, 2018
•
[ leak, education ]
A database from the Harare Institute of Technology is leaked, containing 3,500 users.
-
Bank of Montreal
May 28, 2018
Bank of Montreal, the country's fourth bank, announces to have been contacted by fraudsters claiming to have stolen personal and financial information of a limited number of the bank's customers. According to the bank, less than 50,000 c customers are affected.
-
Canadian Imperial Bank of Commerce (CIBC)
May 28, 2018
•
[ leak, finance ]
Also the Canadian Imperial Bank of Commerce (CIBC), the country's fifth largest bank is affected by the same incident, and they believe that 40,000 users could be possibly affected from its subsidiary Simplii Financial.
-
Taylor Cryptocurrency
May 28, 2018
•
[ financial, hack, finance ]
The creators of the Taylor cryptocurrency trading app claim that an unidentified hacker has stolen around $1.35 million worth of Ether from the company's wallets.
-
Goliath and Goliath
May 27, 2018
•
[ financial, social, phishing ]
Comedy and entertainment agency Goliath and Goliath suffered a loss of more than 300,000 ZAR (22,000 USD worth) in what appears to be a phishing scam.
-
Afghan diplomats in Pakistan
May 26, 2018
•
[ espionage, phishing, government ]
Afghan diplomats in Pakistan are warned they are believed to be victims of "government-backed" digital attacks trying to steal their email passwords.
-
Arlo
May 26, 2018
Arlo advises its customers to change their passwords after credential-stuffing attempts detected.
-
Aultman Health Foundation
May 25, 2018
About 42,600 patients tied to AultWorks Occupational Medicine, Aultman Hospital, and some Aultman physician offices may have had personal health and identification information stolen in a data breach after unknown and unauthorized individuals gained access to certain email accounts in February and March.
-
American Family Life Assurance Company of Columbus (Aflac)
May 25, 2018
•
[ leak, finance ]
American Family Life Assurance Company of Columbus (Aflac) issues a press release concerning the breach of independent contractor sales agents' email accounts. The breach occurred between Jan. 17 and April 2 and has reportedly affected some clients' personal information.
-
Oxnard City
May 25, 2018
Oxnard city officials are contacted by a bank representative about fraudulent purchases being made with the cards people used to pay their utility bills.
-
Associates in Psychiatry and Psychology
May 24, 2018
•
[ ransomware, malware, healthcare ]
Associates in Psychiatry and Psychology notifies 6,546 patients and the U.S. Department of Health and Human Services (HHS) of a ransomware incident that occurred in March.
-
Mashhad airport
May 24, 2018
Hackers deface the screens at the Mashhad airport in Iran to protest against the government and the military's activities in the Middle East. The hackers also took control of the email account of the Mashhad airport civil aviation head, Mohsen Eidizadeh to spread the news of the hack.
-
University of Vermont
May 23, 2018
•
[ hack, education ]
University of Vermont officials say they have no reason to believe the personal information of 37,000 current and former faculty, staff and students fell into the wrong hands following an intrusion of the school's computer systems.
-
Houzz
May 23, 2018
In mid-2018, the housing design website Houzz suffered a data breach. The company learned of the incident later that year then disclosed it to impacted members in February 2019. Almost 49 million unique email addresses were in the breach alongside names, IP addresses, geographic locations and either salted hashes of passwords or links to social media profiles used to authenticate to the service. The data was provided to HIBP by dehashed.com.