Massachusetts Interscholastic Athletic Association
November 1, 2021
•[ hack, misconfiguration, government ]
Massachusetts athletic association website is defaced.
Fantasy Football Hub
October 3, 2021
•[ hack, misconfiguration, technology ]
Fantasy Football Hub suffers data breach via compromised WordPress administrator dashboard.
Fantasy Football Hub
October 2, 2021
•[ hack, misconfiguration, technology ]
In October 2021, the fantasy premier league (soccer) website Fantasy Football Hub suffered a data breach that exposed 66 thousand unique email addresses. The data included names, usernames, IP addresses, transactions and passwords stored as WordPress MD5 hashes.
Fitmart
October 1, 2021
•[ leak, misconfiguration, retail ]
In October 2021, data from the German fitness supplies store Fitmart was obtained and later redistributed online. The data included 214k unique email addresses accompanied by plain text passwords, allegedly "dehashed" from the original stored version.
Marshall & Melhorn
September 14, 2021
•[ hack, misconfiguration ]
Marshall & Melhorn files a notice of data breach after determining that an unauthorized party was able to access confidential information stored on the firm's IT network.
Brazil's National Health Surveillance Agency
September 9, 2021
•[ hack, misconfiguration, government ]
The website of Brazil's National Health Surveillance Agency is defaced in an apparent protest against the suspension of a World Cup qualifying match.
Seneca Family of Agencies
August 25, 2021
•[ hack, misconfiguration, healthcare ]
California health and social services provider suffers unauthorized network access compromising protected health information of nearly 20,000 individuals.
DatPiff
August 25, 2021
•[ leak, misconfiguration, technology ]
In late 2021, email address and plain text password pairs from the rap mixtape website DatPiff appeared for sale on a popular hacking forum. The data allegedly dated back to an earlier breach and in total, contained almost 7.5M email addresses and cracked password pairs. The original data source allegedly contained usernames, security questions and answers and passwords stored as MD5 hashes with a static salt.
Imavex
August 20, 2021
•[ hack, misconfiguration, technology ]
In August 2021, the website development company Imavex suffered a data breach that exposed 878 thousand unique email addresses. The data included user records containing names, usernames and password material with some records also containing genders and partial credit card data, including the last 4 digits of the card and expiry date. Hundreds of thousands of form submissions and orders via Imavex customers were also exposed and contained further personal information of submitters and the contents of the form. The compromised system was subsequently sunset in January 2024 and all customer data impacted by the incident was permanently deleted.
AT&T
August 20, 2021
•[ hack, misconfiguration, technology ]
In March 2024, tens of millions of records allegedly breached from AT&T were posted to a popular hacking forum. Dating back to August 2021, the data was originally posted for sale before later being freely released. At the time, AT&T maintained that there had not been a breach of their systems and that the data originated from elsewhere. 12 days later, AT&T acknowledged that data fields specific to them were in the breach and that it was not yet known whether the breach occurred at their end or that of a vendor. AT&T also proceeded to reset customer account passcodes, an indicator that there was sufficient belief passcodes had been compromised. The incident exposed names, email and physical addresses, dates of birth, phone numbers and US social security numbers.
Open Subtitles
August 1, 2021
•[ ransomware, misconfiguration, technology ]
In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers' personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.
Educators Mutual Insurance Association
July 29, 2021
•[ hack, misconfiguration, finance ]
Educators Mutual Insurance Association discovers unauthorized network access potentially compromising protected health information of its members.
AndroidLista
July 28, 2021
•[ hack, misconfiguration, technology ]
In July 2021, the Android applications and games review site AndroidLista suffered a data breach. The incident exposed 6.6M user records containing email addresses, names, usernames and passwords stored as salted SHA-1 hashes, all of which were subsequently posted to a popular hacking forum. AndroidLista did not respond when contacted about the breach.
Guntrader
July 22, 2021
•[ leak, misconfiguration, retail ]
Names and addresses of over 100,000 customers of Guntrader.uk are stolen and published online.
Intuit TurboTax
June 12, 2021
•[ hack, misconfiguration, technology ]
An undisclosed number of TurboTax customer accounts were breached using stolen login credentials, exposing customer information.
Phoenix
June 5, 2021
•[ leak, misconfiguration, technology ]
In mid-2021, the "vintage messaging reborn" service Phoenix suffered a data breach that exposed 75k unique email addresses. The breach also exposed IP addresses, usernames and passwords.
Tokyo Olympics Organizing Committee
June 4, 2021
•[ leak, misconfiguration, government ]
The organizing committee for the Tokyo Games suffers a data breach through unauthorized access to an information-sharing tool.
START
June 1, 2021
•[ leak, misconfiguration, technology ]
In August 2022, news broke of an attack against the Russian streaming service "START". The incident led to the exposure of 44M records containing 7.4M unique email addresses. The impacted data also included the subscriber's country and password hash. START subsequently acknowledged the incident in a Telegram post and stated that the data dated back to 2021.
IndiaMART
May 23, 2021
•[ leak, misconfiguration, retail ]
In August 2021, 38 million records from Indian e-commerce company IndiaMART were found being traded on a popular hacking forum. Dated several months earlier, the data included over 20 million unique email addresses alongside names, phone numbers and physical addresses. It's unclear whether IndiaMART intentionally exposed the data attributes as part of the intended design of the platform or whether the data was obtained by exploiting a vulnerability in the service.
CTARS
May 21, 2021
•[ leak, hack, misconfiguration ]
In May 2022, the client management system for the Australian government's NDIS (National Disability Insurance Scheme) suffered a data breach which was subsequently posted to an online hacking forum. The CTARS cloud platform is used by care providers to record information about NDIS participants and often contains sensitive medical information. Impacted data includes over 12k unique email addresses, physical addresses, names, dates of birth, phone numbers and data related to patient conditions and treatments.