Kinsmen Foundation
May 22, 2026
•[ unauthorized access, data leak, contact information ]
The Kinsmen Foundation, which runs Saskatchewan's TeleMiracle fundraiser, disclosed unauthorized access to certain applications on its systems. The incident was contained, regular operations and services were not affected, and the foundation said contact information and email addresses may have been exposed. The foundation notified law enforcement, engaged third-party experts, and said impacted donors would be contacted through Cyberscout.
Vimeo
April 28, 2026
•[ extortion, data leak, third-party breach ]
In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information".
Vimeo
April 28, 2026
•[ unauthorized access, data leak, stolen data ]
Vimeo confirmed that an unauthorized actor accessed certain user and customer data through the Anodot breach; ShinyHunters later leaked 106GB of stolen data affecting 119,200 email addresses.
LegionProxy
April 6, 2026
•[ data breach, email addresses, password hashes ]
In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.
Divine Skins
March 13, 2026
•[ data breach, unauthorised access, data leak ]
In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users.
KomikoAI
February 25, 2026
•[ data breach, PII, AI prompts ]
In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.
Lovora
February 25, 2026
•[ data breach, personal information, email addresses ]
In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users display names and profile photos, along with other personal information collected through use of the app. The apps maker, Plantake, did not respond to multiple attempts to contact them about the incident.
Provecho
January 30, 2026
•[ data leak, email addresses, usernames ]
In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho has been notified and is aware of the claims surrounding the incident.
Dragonica Lunaris
December 6, 2025
•[ data breach, gaming, email addresses ]
In December 2025, the European Dragonica private server Dragonica Lunaris suffered a data breach. The incident exposed 126k email addresses, usernames, dates of birth and bcrypt password hashes. The service operator confirmed the breach and advised it has since been fixed.
Substack
October 23, 2025
•[ data breach, data leak, PII ]
In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publication names and bios. A subset of records also included phone numbers.
James
March 25, 2020
•[ data breach, bcrypt, passwords ]
In June 2020, 14 previously undisclosed data breaches appeared for sale including the Brazilian delivery service, "James". The breach occurred in March 2020 and exposed 1.5M unique email addresses, customer locations expressed in longitude and latitude and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
