Somalia e-Visa Platform
October 20, 2025
•[ data leak, misconfiguration, government ]
Attackers accessed Somalia's national e-visa application server, hosted on a misconfigured shared cPanel environment, allowing unauthorized retrieval of more than 125,000 visa applications and associated passport, biometric, contact, and payment data. U.S. and UK government alerts on November 13, 2025, warned that at least 35,000 travelers may have had their information compromised as the breach continued into mid-November.
National Credit Information Center (CIC), State Bank of Vietnam
September 10, 2025
•[ hack, leak, financial ]
VNCERT confirmed signs of intrusion targeting personal-data theft at CIC; ShinyHunters/Scattered Spider claimed ~160M records, allegedly exploiting end-of-life software; data offered for sale with samples posted.
Wealthsimple
August 30, 2025
•[ hack, misconfiguration, finance ]
A third-party software component was compromised, leading to unauthorized access to sensitive data of a small subset of Wealthsimple clients. Accounts and funds remained secure. Incident was rapidly contained and clients notified.
Federal Emergency Management Agency (FEMA)
August 29, 2025
•[ hack, insider, misconfiguration ]
DHS revealed on Aug 29, 2025 that a threat actor gained unauthorized access to FEMA's IT systems by exploiting unpatched vulnerabilities, outdated protocols, and lack of multi-factor authentication. No citizen data was stolen or exfiltrated. As a result, 24 FEMA IT employees, including the CIO and CISO, were terminated for negligence in cybersecurity oversight.
Data I/O Corporation (electronics manufacturing)
August 16, 2025
•[ ransomware, misconfiguration, manufacturing ]
Ransomware incident on August 16 due to third-party firewall vulnerability disrupted internal and operational systems. Contained and fully remediated by September 4 with no customer impact or data theft; remediation cost ~$180K against $300K in annual savings. Actor remains unknown.
Pi-hole (donations site)
July 28, 2025
•[ phishing, misconfiguration, technology ]
Donor names/emails shown in page source due to GiveWP plugin flaw; donors began reporting phishing on July 28; Pi-hole post-mortem confirms exposure and no payment data affected.
TransUnion
July 28, 2025
•[ hack, misconfiguration, finance ]
Unauthorized access via third-party contractor application used in U.S. consumer support operations enabled viewing and copying of files.
Tea App
July 25, 2025
•[ data leak, misconfiguration ]
Tea, a women-focused dating and safety app, suffered a breach via a misconfigured Firebase storage bucket, exposing ~72,000 images and up to 1.1M private DMs, later leaked on 4chan; users who signed up before Feb 2024 were affected.
IMDataCenter
July 15, 2025
•[ leak, hack, misconfiguration ]
Unsecured AWS S3 bucket exposed ~38GB of records; hacker downloaded ~75GB, including ~20M emails, ~37M phone numbers, 50k SSNs/DOBs; affects multiple industries (healthcare, airlines, universities, dealerships). Bucket later secured; lawsuits pending.
Ohio Medical Alliance (Ohio Marijuana Card)
July 14, 2025
•[ leak, misconfiguration, healthcare ]
Unsecured database exposed sensitive records of an estimated 30,000 to 40,000 Ohio medical cannabis patients. Data included names, addresses, phone numbers, email addresses, medical marijuana card numbers, state ID numbers, and medical information. The database was discovered on July 14, 2025, by a security researcher and secured on July 15; no evidence of ransomware or encryption was found.
Viva Health Insurance
June 14, 2025
•[ leak, misconfiguration, healthcare ]
Viva Health, an Alabama-based health insurance company headquartered in Birmingham, experienced exposure of a web-accessible file from June 14 to August 27, 2025. The file contained limited PHI for about 4,945 members and was removed upon discovery. No misuse or encryption was reported.
ColoCrossing
May 24, 2025
•[ leak, misconfiguration, technology ]
In May 2025, hosting provider ColoCrossing identified a data breach that impacted customers of their ColoCloud virtual server product. ColoCrossing advised the incident was isolated to their cloud/VPS platform and stemmed from a single sign-on vulnerability. 7k email addresses were exposed in the incident along with names and MD5-Crypt password hashes.
Rochester Public School listserv
May 12, 2025
•[ misconfiguration, insider threat, email abuse ]
Rochester School District officials reported that students and staff were bombarded with sexually explicit and threatening emails after a student exploited a misconfiguration in an email distribution list. The distribution list had been inadvertently configured with broader permissions than intended, allowing a student to send an unauthorized mass message to a large number of student accounts across grade levels. The district's technology team worked to identify the source, recall the messages, and correct the permission setting; students were then blocked from sending to distribution groups. The incident primarily affected communications integrity and student safety, rather than causing extended operational downtime.
Unnamed U.S. Banking Organization
May 9, 2025
•[ social, misconfiguration, finance ]
ReliaQuest links Scattered Spider to renewed activity against U.S. financial services, including a bank intrusion achieved via social engineering + Azure AD SSPR, followed by lateral movement (Citrix/VPN), ESXi compromise, and cloud data access attempts (Snowflake/AWS).
Ualabee
May 6, 2025
•[ leak, misconfiguration, technology ]
In May 2025, the South American mobility services platform Ualabee had hundreds of thousands of records scraped from an interface on their platform. The data included 472k unique email addresses along with names, profile photos, dates of birth and phone numbers.
ImagineX Management Company Limited
March 31, 2025
•[ data leak, misconfiguration, outdated systems ]
A breach at the Hong Kong brand-management firm ImagineX Management Company Limited led to the exposure of nearly 128,000 individuals' personal data after attackers exploited an unused temporary user account and gained access to the company intranet, with the root cause attributed to outdated operating systems and delayed deletion of temporary accounts.
Doxbin Scrape
January 24, 2025
•[ leak, misconfiguration, technology ]
In January 2025, 435k email addresses were scraped from the "doxing" service Doxbin. Posts to the service are usually intended to disclose the personal information of third parties non-consensually. The data was provided to HIBP by a source who requested it be attributed to "oathnet.ru".
Otelier
January 17, 2025
•[ leak, misconfiguration, technology ]
Hotel management platform Otelier suffers a data breach after threat actors breached its Amazon S3 cloud storage to steal millions of guests' personal information and reservations for well-known hotel brands like Marriott, Hilton, and Hyatt.
FortiGate devices
January 14, 2025
•[ leak, misconfiguration, technology ]
A new group dubbed "Belsen Group" leaks the configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices on the dark web in a 1.6 GB archive, allegedly obtained by exploiting CVE-2022-40684.
Multiple Organizations
January 13, 2025
•[ ransomware, misconfiguration, technology ]
Researchers at Halcyon identify a new ransomware campaign targeting Amazon S3 buckets, and leveraging AWS' Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it.