Bombuj.eu
December 7, 2018
•[ leak, misconfiguration, technology ]
In December 2018, Bombuj.eu, a Slovak website for watching movies online for free, suffered a data breach. The incident exposed over 575k unique email addresses and passwords stored as unsalted MD5 hashes. No response was received from Bombuj.eu when contacted about the incident.
Humble Bundle
December 4, 2018
•[ leak, technology ]
The gaming subscription site Humble Bundle informs its customers of a data breach that may have exposed a person's subscription status.
OppoSuits
December 3, 2018
•[ financial, hack, leak ]
Customers of Dutch clothing company OppoSuits are warned to monitor their credit card accounts after the firm discovers the Magecart malware planted on its website could have stolen the details of 7,000 customers.
Palermo Calcio
December 1, 2018
•[ leak ]
The Italian football team Palermo Calcio reveals that it suffered an intrusion, with the consequent leak of fake news about the imminent sale of the team.
Dubsmash
December 1, 2018
•[ leak, misconfiguration, technology ]
In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "BenjaminBlue@exploit.im".
Christian Ehring
November 14, 2018
•[ hack, leak, government ]
German security officials detected a cyberattack, believed to be by the Russian group Snake, on the email accounts of German celebrities, lawmakers, military officials, and staff of several German embassies. As a result of the hack, the personal details of the victims were leaked online by the hackers. One of the victims is TV presenter Christian Ehring.
Huntsville Hospital
November 9, 2018
•[ leak, healthcare ]
Huntsville Hospital also reports the information of job applicants who applied to the facility may be at risk after the breach at Jobscience.
Southwest Washington Regional Surgery Center
November 8, 2018
•[ leak, phishing, healthcare ]
Southwest Washington Regional Surgery Center notifies 2,393 patients after a phishing attack exposed their PHI.
Mobile World
November 7, 2018
•[ hack, leak, financial ]
A hacker dubbed Erwincho leaks a file containing more than 5.4 million email addresses and 31,000 bank card numbers (six digits covered), claiming they belong to clients of Mobile World.
Adapt
November 5, 2018
•[ leak, misconfiguration, technology ]
In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles, contact information and data relating to the employer including organisation description, size and revenue. No response was received from Adapt when contacted.
WPSandbox
November 4, 2018
•[ leak, phishing, technology ]
In November 2018, WP Sandbox, a WordPress sandboxing service that allows people to create temporary websites, discovered its service was being used to host a phishing site attempting to collect Microsoft OneDrive accounts. After identifying the malicious site, WP Sandbox took it offline, contacted the 858 people who provided information to it, then self-submitted their addresses to HIBP. The phishing page requested both email addresses and passwords.
Ingerop
November 2, 2018
•[ hack, leak, manufacturing ]
Hackers access confidential documents about nuclear plants and prisons in a cyberattack on the French Ingerop and leak 65Gb of data. The attack occurred back in June.
Radisson Hotel Group
October 31, 2018
•[ leak, retail ]
The hotel chain Radisson Hotel Group suffered a security breach that exposed personal information of the members of its loyalty scheme. The incident happened on September 11, but was identified only on October first.
NorthBay Healthcare Corporation
October 31, 2018
•[ leak, healthcare ]
NorthBay Healthcare Corporation suffers a data breach affecting the information of everyone who applied for a position within the organization between December 2012 and May 2018.
GoldSilver
October 21, 2018
•[ leak, misconfiguration, finance ]
In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers. An extensive amount of personal information on customers was obtained, including names, addresses, phone numbers, purchases, and passwords and answers to security questions stored as MD5 hashes. In a small number of cases, passport and social security numbers and partial credit card data were also exposed. The breached data and source code belonging to GoldSilver were publicly posted on a dark web service, where they remained months later. When notified about the incident, GoldSilver advised that "all affected customers have been directly notified".
Facepunch
October 17, 2018
•[ leak, technology ]
As reported by Troy Hunt's Have I Been Pwned breach notification service, the Facepunch game studio was the victim of a data breach in June 2016 which led to sensitive information of 396,650 users being exposed.
Eatigo
October 16, 2018
•[ leak, misconfiguration, technology ]
In October 2018, the restaurant reservation service Eatigo suffered a data breach that exposed 2.8 million accounts. The data included email addresses, names, phone numbers, social media profiles, genders and passwords stored as unsalted MD5 hashes.
You've Been Scraped
October 5, 2018
•[ leak, misconfiguration, technology ]
In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator. The instances contained a total of over 66M records. The owner of the data couldn't be identified, but the data is believed to have been scraped from LinkedIn, hence the title "You've Been Scraped". The exposed records included names, both work and personal email addresses, job titles and links to the individuals' LinkedIn profiles.
VimeWorld
October 1, 2018
•[ leak ]
In October 2018, the Russian Minecraft service VimeWorld suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 3.1M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.
Chegg
September 25, 2018
•[ leak, education ]
Educational technology company Chegg resets the passwords for 40 million of its users after news broke that the firm was breached in April of this year.