Warby Parker
December 20, 2018
•[ hack, brute-force, retail ]
Warby Parker discloses that roughly 198,000 of its customers may have been affected by a credential stuffing attack targeting the eyeglass retail chain. The unauthorized activity started on Sept. 25 and continued through late November.
Dunkin' Donuts
November 29, 2018
•[ hack, brute-force, retail ]
Dunkin' Donuts informs some of its DD Perks program members that their account information may have been exposed through a credential stuffing attack. The incident was discovered on October 31, 2018.
DoorDash
September 25, 2018
•[ hack, brute-force, technology ]
Food delivery startup DoorDash receives dozens of complaints from customers who say their accounts have been hacked. The users are the target of a credential stuffing attack.
AdGuard
September 21, 2018
•[ hack, brute-force, technology ]
AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, resets all user passwords after suffering a brute-force attack during which an unknown attacker tried to log in to user accounts by guessing their passwords.
Humana
June 21, 2018
•[ hack, brute-force, healthcare ]
Health insurer Humana notifies an unspecified number of health plan members after detecting and blocking a credential stuffing attack against Humana.com and Go365.com. The attacks took place on June 3 and June 4 from overseas IP addresses.
UK National Lottery
March 16, 2018
•[ hack, brute-force, government ]
The UK National Lottery advises all 10.5 million people with online accounts to change their passwords following an attempt by hackers to access accounts using credential stuffing.
Pinterest
December 11, 2017
•[ hack, brute-force, technology ]
Pinterest notifies users of suspicious activity due to attackers trying to compromise accounts using 'credential stuffing' (credentials obtained from other breaches).
Zazzle
August 28, 2017
•[ hack, brute-force, retail ]
Zazzle sends an email to customers revealing that hackers in June used brute-force techniques to cycle through account usernames and passwords that were stolen from a breach of another unnamed site.
Scottish Parliament
August 15, 2017
•[ hack, brute-force, government ]
Officials reveal that the Scottish Parliament has been targeted by a "brute force" cyber attack. The attack, from "external sources", was similar to that which affected Westminster in June.
MALL.cz
July 27, 2017
•[ leak, brute-force, retail ]
In July 2017, the Czech Republic e-commerce site MALL.cz suffered a data breach, after which 735k unique accounts, including email addresses, names, phone numbers and passwords, were posted online. Whilst passwords were stored as hashes, a number of different algorithms of varying strength were used over time. All passwords included in the publicly distributed data were in plain text and were likely just those that had been successfully cracked (members with strong passwords don't appear to be included). According to MALL.cz, the breach only impacted accounts created before 2015.
UK Parliament
June 23, 2017
•[ hack, brute-force, government ]
Up to 90 email accounts are compromised amid a brute-force cyber-attack on UK Parliament.
Donald Trump's Twitter account
October 27, 2016
•[ hack, brute-force, technology ]
Three Dutch hackers broke into Donald Trump's Twitter account in 2016 by guessing that his password was "yourefired".
GoToMyPC
June 18, 2016
•[ hack, brute-force, technology ]
GoToMyPC, the remote access software service, is hit by hackers conducting a "very sophisticated password attack". The company initiates password resets for all users.
GitHub
June 14, 2016
•[ hack, brute-force, technology ]
Someone using what appears to have been a list of e-mail addresses and passwords obtained from the breach of "other online services" makes a massive number of login attempts to GitHub's repository service.
US Internal Revenue Service
February 9, 2016
•[ hack, brute-force, government ]
The US Internal Revenue Service is the target of an attack that is able to steal the electronic tax-return credentials for 101,000 Social Security numbers. The attack is performed using credentials stolen from an external source.