Wyzant
May 6, 2019
•[ leak, education ]
Wyzant, an online marketplace that connects parents and students reveals a data breach which has led to the compromise of user data including Facebook profile information. The breach occurred on April 27.
SkyMed
April 29, 2019
•[ leak, ransomware, misconfiguration ]
A detailed list or 137,000 SkyMed members accounts is found, on March 27th, into an unsecured Elasticsearch database. The leak also shows evidence of ransomware inside the network.
Deezer
April 22, 2019
•[ leak, misconfiguration, technology ]
In late 2022, the music streaming service Deezer disclosed a data breach that impacted over 240M customers. The breach dated back to a mid-2019 backup exposed by a 3rd party partner which was subsequently sold and then broadly redistributed on a popular hacking forum. Impacted data included 229M unique email addresses, IP addresses, names, usernames, genders, DoBs and the geographic location of the customer.
Ministry of Intelligence and Security (MOIS) (APT 34 OilRig)
April 18, 2019
•[ espionage, leak, government ]
A collective dubbed Lab Dookhtegan reveal details about the inner workings of the cyber-espionage group known as OilRig, APT34, and HelixKitten, linked to the Iranian government. The source code of their tools is leaked on Telegram.
ApexSMS
April 15, 2019
•[ leak, misconfiguration, technology ]
In May 2019, news broke of a massive SMS spam operation known as "ApexSMS" which was discovered after a MongoDB instance of the same name was found exposed without a password. The incident leaked over 80M records with 23M unique email addresses alongside names, phone numbers and carriers, geographic locations (state and country), genders and IP addresses.
Truth Finder
April 12, 2019
•[ leak, technology ]
In 2019, the public records search service TruthFinder suffered a data breach that later came to light in early 2023. The data included over 8M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.
Instant Checkmate
April 12, 2019
•[ leak, technology ]
In 2019, the public records search service Instant Checkmate suffered a data breach that later came to light in early 2023. The data included almost 12M unique customer email addresses, names, phone numbers and passwords stored as scrypt hashes.
Matrix
April 10, 2019
•[ leak, technology ]
Matrix.org is the victim of a cyberattack which forces the organization to overhaul its entire production infrastructure and inform users of a widespread credentials leak.
Minnesota Department of Human Services
April 9, 2019
•[ leak, government ]
Minnesota Department of Human Services announced to have suffered a data breach that may have exposed the personal information of about 11,000 people after an employee's email is compromised on March 26, 2019.
Lumin PDF
April 1, 2019
•[ leak, misconfiguration, technology ]
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance after which Lumin PDF was allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
Toyota (Japan)
March 29, 2019
•[ hack, leak, manufacturing ]
The personal information of roughly 3.1 million Toyota customers may have been leaked following an authorized access of multiple Toyota and Lexus sales subsidiaries.
Hakko Corporation
March 28, 2019
•[ leak, manufacturing ]
In March 2019, the Japanese solder-related business Hakko Corporation suffered a data breach. The incident exposed almost 10k customer records including email and physical addresses, phone numbers, names, usernames, genders, dates of birth and plain text passwords.
Everybody Edits
March 23, 2019
•[ leak, technology ]
In March 2019, the multiplayer platform game Everybody Edits suffered a data breach. The incident exposed 871k unique email addresses alongside usernames and IP addresses. The data was subsequently distributed online across a collection of files.
Hurb
March 14, 2019
•[ leak, misconfiguration, technology ]
In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.
Intelimost
March 10, 2019
•[ leak, misconfiguration ]
In March 2019, a spam operation known as "Intelimost" sent millions of emails appearing to come from people the recipients knew. Security researcher Bob Diachenko found over 3 million unique email addresses in an exposed Elasticsearch database, alongside plain text passwords used to access the victim's mailbox and customise the spam.
Estante Virtual
February 28, 2019
•[ leak, misconfiguration, retail ]
In February 2019, the Brazilian book store Estante Virtual suffered a data breach that impacted 5.4M customers. The exposed data included names, usernames, email and physical addresses, phone numbers, dates of birth and unsalted SHA-1 password hashes.
Verifications.io
February 25, 2019
•[ leak, misconfiguration, technology ]
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.
Memorial Hospital
February 15, 2019
•[ leak, phishing, healthcare ]
Memorial Hospital at Gulfport reveals a phishing incident that exposed 30,000 patients' information.
LBB
February 14, 2019
•[ leak, misconfiguration, retail ]
In August 2022, customer data of the Indian shopping site "LBB" (Little Black Book) was posted to a popular hacking forum. The data contained over 3M records with 39k unique email addresses alongside IP and physical addresses, names and device information with the most recent data dating back to early 2019. LBB advised they believe the data was exposed by a third party service and whilst it contained information they retain on their customers, it had also been enriched with additional data attributes.
LandMark White
February 12, 2019
•[ leak, finance ]
Up to 100,000 customers have personal information including property valuations, phone numbers and dates of birth leaked as part of the data breach at LandMark White.
