Adapt
November 5, 2018
•[ leak, misconfiguration, technology ]
In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles, contact information and data relating to the employer including organisation description, size and revenue. No response was received from Adapt when contacted.
WPSandbox
November 4, 2018
•[ leak, phishing, technology ]
In November 2018, WP Sandbox, a WordPress sandboxing service that allows people to create temporary websites, discovered its service was being used to host a phishing site attempting to collect Microsoft OneDrive accounts. After identifying the malicious site, WP Sandbox took it offline, contacted the 858 people who provided information to it, then self-submitted their addresses to HIBP. The phishing page requested both email addresses and passwords.
Ingerop
November 2, 2018
•[ hack, leak, manufacturing ]
Hackers access confidential documents about nuclear plants and prisons in a cyberattack on the French Ingerop and leak 65Gb of data. The attack occurred back in June.
Radisson Hotel Group
October 31, 2018
•[ leak, retail ]
The hotel chain Radisson Hotel Group suffered a security breach that exposed personal information of the members of its loyalty scheme. The incident happened on September 11, but was identified only on October 1.
NorthBay Healthcare Corporation
October 31, 2018
•[ leak, healthcare ]
NorthBay Healthcare Corporation suffers a data breach affecting the information of everyone who applied for a position within the organization between December 2012 and May 2018.
GoldSilver
October 21, 2018
•[ leak, misconfiguration, finance ]
In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers. An extensive amount of personal information on customers was obtained, including names, addresses, phone numbers, purchases, and passwords and answers to security questions stored as MD5 hashes. In a small number of cases, passport, social security numbers and partial credit card data were also exposed. The breached data and source code belonging to GoldSilver were publicly posted on a dark web service, where they remained months later. When notified about the incident, GoldSilver advised that "all affected customers have been directly notified".
Facepunch
October 17, 2018
•[ leak, technology ]
As reported by Troy Hunt's Have I Been Pwned breach notification service, the Facepunch game studio was the victim of a data breach in June 2016 which led to sensitive information of 396,650 users being exposed.
Eatigo
October 16, 2018
•[ leak, misconfiguration, technology ]
In October 2018, the restaurant reservation service Eatigo suffered a data breach that exposed 2.8 million accounts. The data included email addresses, names, phone numbers, social media profiles, genders and passwords stored as unsalted MD5 hashes.
You've Been Scraped
October 5, 2018
•[ leak, misconfiguration, technology ]
In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator. Containing a total of over 66M records, the owner of the data couldn't be identified, but it is believed to have been scraped from LinkedIn, hence the title "You've Been Scraped". The exposed records included names, both work and personal email addresses, job titles and links to the individuals' LinkedIn profiles.
VimeWorld
October 1, 2018
•[ leak ]
In October 2018, the Russian Minecraft service VimeWorld suffered a data breach that was later redistributed as part of a larger corpus of data. The data included 3.1M records of usernames, email and IP addresses and passwords stored as either MD5 or bcrypt hashes.
Chegg
September 25, 2018
•[ leak, education ]
Educational technology company Chegg resets the passwords for 40 million of its users after news broke that the firm was breached in April of this year.
SaverSpy
September 18, 2018
•[ leak, misconfiguration, technology ]
In September 2018, security researcher Bob Diachenko discovered a massive collection of personal details exposed in an unprotected MongoDB instance. The data appears to have been used in marketing campaigns (possibly for spam purposes) but had little identifying data about it other than a description of "Yahoo_090618_ SaverSpy". The data set provided to HIBP had almost 2.5M unique email addresses (all of which were from Yahoo!) alongside names, genders and physical addresses.
Saverspy
September 17, 2018
•[ leak, misconfiguration, retail ]
Bob Diachenko, a security researcher, identifies an unsecured MongoDB server leaking the personal details of nearly 11 million users. The database seems to have been ransomed back in June.
Unknown Organization
September 17, 2018
•[ leak, government ]
LulzSecITA leaks the personal details of about 300 retired military officials.
U.S. Department of State
September 7, 2018
•[ leak, government ]
The State Department suffers a breach of its unclassified email system, and the compromise exposes the personal information of a small number of employees.
Cork City Park by Phone
September 6, 2018
•[ leak ]
A data breach at Cork City Park by Phone service in Ireland affects more than 5,000 people. The unauthorized access started in May.
Rousseau
September 5, 2018
•[ leak, government ]
Rousseau, the online platform of the Italian Five Star Movement, is hacked again by rogue0, who leaks private data related to the donors.
Knuddels
September 5, 2018
•[ leak, misconfiguration, technology ]
In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined 20k for the breach.
C&A
August 30, 2018
•[ leak, retail ]
The Brazilian operation of international fashion retail clothing chain C&A confirms a cyberattack on its gift card platform. Data from 36,000 customers who purchased gift cards is leaked on Pastebin.
Family Orbit
August 30, 2018
•[ hack, leak, misconfiguration ]
An anonymous hacker is able to find the key to the cloud servers of Family Orbit and leaks 281 Gb of pictures and videos.