Full List

Search

Recent Breaches

• Sephora January 9, 2017 • [ leak, retail ] In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
• esea January 8, 2017 Over 1.5 million user profiles featuring names, email addresses and personal IDs from the eSports Entertainment Association (Esea), a leading competitive videogame community, are leaked online after being hijacked by hackers in late December last year.
• MJ Freeway January 7, 2017 MJ Freeway, a Denver company whose tracking software is used by hundreds of marijuana companies to comply with state regulations, says its main servers and backup system are down after a "targeted cyber attack".
• Princeton University January 7, 2017 • [ hack, misconfiguration, education ] Princeton University is one of the 27,000 victims that have their data wiped by attackers leveraging a vulnerable MongoDB.
• Arizona Department of Administration January 6, 2017 • [ hack, malware, government ] Arizona officials investigate how and when several computers used by state legislators and their staffs became infected with malware.
• Square Enix's European Twitter Account (@SQUARE_ENIX_EU) January 6, 2017 • [ hack, social, technology ] Video game giant Square Enix's European Twitter account is hacked by a group of hackers calling themselves the "cyberwolfgang" and posts multiple tweets mocking other companies including rival gaming company EA, media outlet TechCrunch .
• esguarnacpuntademata.mil.ve January 6, 2017 One of the websites belonging to Venezuela's ministry of defense (esguarnacpuntademata.mil.ve) is hacked by Kapustkiy in protest of what the attacker described as the dictatorship of President Nicolas Maduro in the country. The attacker leaks 2,100 accounts.
• 123-Reg January 6, 2017 • [ hack, ddos, technology ] 123-Reg is the target of a DDoS attack which disrupted the company's services only days into 2017.
• University of Alberta January 5, 2017 • [ hack, malware, education ] The University of Alberta discloses the details of a malware attack, occurring late last year, that involved 300 computers and put over 3,000 students at risk.
• Emory Brain Health Center January 4, 2017 • [ ransomware, malware, healthcare ] Emory Healthcare is one of the victims of the MongoDB ransomware attacks and has its database, managed by a third-party and containing 90,000 records, encrypted.
• google January 4, 2017 • [ hack, misconfiguration, technology ] Kuroi'SH hjacks the DNS record of google.com.br and redirects the users to a defaced page.
• Northside Independent School District January 4, 2017 • [ hack, phishing, education ] The Northside Independent School District sends letters to about 23,000 former and current students and employees regarding a security breach that might have put their personal information at risk after several employees' email accounts have been compromised.
• Victorian Equal Opportunity & Human Rights Commission January 2, 2017 • [ hack, government ] A group claiming to be part of the Anonymous collective defaces the Victorian Equal Opportunity & Human Rights Commission website (humanrightscommission.vic.gov.au) with a nonsensical message about its social network AnonPlus.
• FBI January 1, 2017 Exploiting a vulnerability of Plone CMS, CyberZeist claim to have hacked fbi.gov and leaks the records of 155 FBI officials on pastebin. Plone denies that a 0-day vulnerability has been exploited to carry on the attack.
• Little Monsters January 1, 2017 • [ leak ] In approximately January 2017, the Lady Gaga fan site known as "Little Monsters" suffered a data breach that impacted 1 million accounts. The data contained usernames, email addresses, dates of birth and bcrypt hashes of passwords.
• CloudPets January 1, 2017 • [ leak, ransomware, misconfiguration ] In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands). 583k records were provided to HIBP via a data trader and included email addresses and bcrypt hashes, but the full extent of user data exposed by the system was over 821k records and also included children's names and references to portrait photos and voice recordings.
• Victory Phones January 1, 2017 • [ leak, misconfiguration, technology ] In January 2017, the automated telephony services company Victory Phones left a Mongo DB database publicly facing without a password. Subsequently, 213GB of data was downloaded by an unauthorised party including names, addresses, phone numbers and over 166k unique email addresses.
• LiveJournal January 1, 2017 • [ hack, misconfiguration, technology ] In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth beginning in 2018, a fork of LiveJournal with a significant crossover in user base. The breach allegedly dates back to 2017 and contains 26M unique usernames and email addresses (both of which have been confirmed to exist on LiveJournal) alongside plain text passwords. An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly. The data was provided to HIBP by a source who requested it be attributed to "nano@databases.pw".
• Russian America January 1, 2017 • [ leak, misconfiguration, technology ] In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes. Russian America was contacted about the breach but did not respond.
• River City Media Spam List January 1, 2017 • [ leak, misconfiguration ] In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.