Civil Service Commission
March 1, 2021
•[ leak, misconfiguration, government ]
While Google dorking government websites, IamNoobie noticed that the server of the Civil Service Commission (CSC) returned promising results. When IamNoobie saw other groups downloading data, he decided to disconnect them one by one and started to secure the CSC's server.
LogicGate
February 23, 2021
•[ leak, misconfiguration, technology ]
Risk and compliance startup LogicGate confirms a data breach after an unauthorized third party obtains credentials to its Amazon Web Services-hosted cloud storage.
Ticketcounter
February 22, 2021
•[ leak, misconfiguration, technology ]
In August 2020, the Dutch ticketing service Ticketcounter inadvertently published a database backup to a publicly accessible location where it was then found and downloaded in February 2021. The data contained 1.9M unique email addresses which were offered for sale on a hacking forum and in some cases included names, physical and IP addresses, genders, dates of birth, payment histories and bank account numbers. Ticketcounter was later held to ransom with the threat of the breached data being released publicly. The data was provided to HIBP by a source who requested it be attributed to redredred@riseup.net.
Gemplex
February 18, 2021
•[ leak, misconfiguration ]
In February 2021, the Indian streaming platform Gemplex suffered a data breach that exposed 4.6M user accounts. The impacted data included device information, names, phone numbers, email addresses and bcrypt password hashes.
NurseryCam
February 12, 2021
•[ leak, misconfiguration, education ]
In February 2021, a series of egregiously bad security flaws were identified in the NurseryCam system designed for parents to remotely monitor their children whilst attending nursery. The flaws led to the exposure of over 10k parent records before the service was shut down. The email addresses alone were provided to Have I Been Pwned to ensure parents were properly notified of the incident.
Salt Lake Community College
February 5, 2021
•[ hack, misconfiguration, education ]
A virtual poetry slam, part of Black History Month events at Salt Lake Community College, is commandeered by unknown individuals who display racist and anti-Black messages as well as inappropriate images of children.
Mutuelle Nationale des Hospitaliers et des professionnels de la santé et du social
February 5, 2021
•[ hack, misconfiguration, healthcare ]
The MNH disconnected computer systems on Friday, February 5, 2021 because of a cyberattack. A Citrix / Netscaler Gateway system was affected by the CVE-2019-19781 vulnerability, known as Shitrix.
CityBee
February 5, 2021
•[ leak, misconfiguration, automotive ]
In February 2021, the Lithuanian car-sharing service CityBee announced they'd suffered a data breach that exposed 110k customers' personal information. The breach exposed names, email addresses, government issued IDs and passwords stored as unsalted SHA-1 hashes.
Emsisoft
February 3, 2021
•[ leak, misconfiguration, technology ]
Antivirus solutions provider Emsisoft reveals that a third party had accessed a publicly exposed database containing technical logs.
Metromile
February 1, 2021
•[ leak, misconfiguration, finance ]
Car insurance startup Metromile says it has fixed a security flaw on its website that allowed a hacker to obtain driver license numbers.
KomplettFritid
February 1, 2021
•[ leak, misconfiguration, retail ]
In January 2023, the online Norwegian store KomplettFritid was reported as having had a data breach dating back to February 2021. The incident exposed 140k customer records including physical, email and IP addresses, names, phone numbers and passwords. Most passwords were stored as bcrypt hashes with a small number appearing in plain text.
British Mensa
January 31, 2021
•[ hack, misconfiguration ]
British Mensa has had its website hacked after failing to properly secure the data of its 18,000 members.
Ducks Unlimited
January 29, 2021
•[ leak, misconfiguration ]
In mid-2021, Risk Based Security reported on a database sourced from Ducks Unlimited being traded online. The data dated back to January 2021 and contained 1.3M unique email addresses across both a membership list and a list of website users. Impacted data included names, phone numbers, physical addresses, dates of birth and passwords stored as unsalted MD5 hashes.
Bookchor
January 28, 2021
•[ leak, misconfiguration, retail ]
In January 2021, the Indian book trading website Bookchor suffered a data breach that exposed half a million customer records. The exposed data included email and IP addresses, names, genders, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes. The data was subsequently traded on a popular hacking forum.
Washington's State Auditor Office
January 25, 2021
•[ leak, misconfiguration, government ]
Washington's State Auditor Office suffers a data breach that exposes the personal information in 1.6 million employment claims after a threat actor exploited a vulnerability in a secure file transfer service from Accellion.
Bonobos
January 22, 2021
•[ leak, misconfiguration, retail ]
Bonobos men's clothing store has suffered a massive data breach exposing millions of customers' personal information after a cloud backup of their database was downloaded by a threat actor.
Noblr Reciprocal Exchange
January 21, 2021
•[ hack, misconfiguration, finance ]
Noblr Reciprocal Exchange notifies 97,633 consumers of a breach involving its insurance quote platform. Attackers used a feature of the platform to illicitly obtain personal information of other drivers.
Geico
January 21, 2021
•[ hack, misconfiguration, finance ]
Geico, the second-largest auto insurer in the U.S., suffers a data breach when threat actors exploit a bug in its website to steal policyholders' driver's licenses over several weeks.
Virgin Mobile Polska
January 15, 2021
•[ leak, misconfiguration, technology ]
Virgin Mobile Polska has had a fine imposed on it for failing to secure user data which led to a data breach.
Daily Quiz
January 13, 2021
•[ leak, misconfiguration, technology ]
In January 2021, the quiz website Daily Quiz suffered a data breach that exposed over 8 million unique email addresses. The data also included usernames, IP addresses and passwords stored in plain text.