MEO
December 24, 2020
•[ leak, misconfiguration, retail ]
In early 2023, a corpus of data sourced from the New Zealand-based face mask company MEO was discovered. Dating back to December 2020, the data contained over 8k customer records including names, addresses, phone numbers and passwords stored as MD5 WordPress hashes. MEO did not respond to multiple attempts to report the breach.
Innovative Solution for Healthcare
December 23, 2020
•[ hack, misconfiguration, healthcare ]
Innovative Solution for Healthcare (iSofH) misconfigured a database of sensitive patient data, which was then attacked by the Meow bot.
Proliance Surgeons, Inc.
December 23, 2020
•[ financial, misconfiguration, healthcare ]
Proliance Surgeons has disclosed a data breach where payment card information may have been exposed for customers who made online payments on Proliance's platform.
NetGalley
December 21, 2020
•[ leak, misconfiguration, technology ]
NetGalley, a website that gives book reviewers pre-release access to new titles, has warned users about a data breach that may have exposed their passwords and other personal data. NetGalley's website was also defaced.
MMG Fusion
December 20, 2020
•[ leak, misconfiguration, healthcare ]
In December 2020, the dental practice management service MMG Fusion was the victim of a data breach which exposed 2.6M unique email addresses. The data also included patient appointments, names, phone numbers, dates of birth, genders and physical addresses. A small number of records also included passwords stored as bcrypt hashes.
North Shore Hebrew Academy
December 14, 2020
•[ hack, misconfiguration, education ]
The website of North Shore Hebrew Academy was defaced with racial slurs and anti-Semitic propaganda.
7 million debit and credit cardholders in India
December 8, 2020
•[ leak, misconfiguration, finance ]
Sensitive details belonging to 7 million debit and credit cardholders in India are available on a public Google Drive document that has been circulating on the dark web.
Sherman Independent School District
November 20, 2020
•[ insider, misconfiguration, education ]
The Sherman Independent School District is investigating a data breach after two Sherman High School students accessed private information.
Vertafore
November 10, 2020
•[ leak, misconfiguration, technology ]
Vertafore, a provider of insurance software, has disclosed a data breach after a third party accessed the details of 27.7 million Texas drivers. The breach was a result of three files being stored in an unsecured external storage device.
Polecat
October 29, 2020
•[ leak, misconfiguration, technology ]
U.K. analytics firm Polecat left 30TB of data and billions of records exposed on an Elasticsearch server that was not secured. As a result, a Meow attack wiped half the data on the server.
Century 21
October 24, 2020
•[ insider, misconfiguration, retail ]
Hector Navarro, a former Human Resources systems administrator at Century 21's Manhattan department store, has been indicted for breaching the company's network to steal and alter data after resigning in October 2019.
Hennepin HealthCare
October 13, 2020
•[ insider, misconfiguration, healthcare ]
Five employees at Hennepin HealthCare have been fired for improperly accessing George Floyd's medical information.
Thingiverse
October 13, 2020
•[ leak, misconfiguration, technology ]
In October 2021, a database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community. Dating back to October 2020, the 36GB file contained 228 thousand unique email addresses, mostly alongside comments left on 3D models. The data also included usernames, IP addresses, full names and passwords stored as either unsalted SHA-1 or bcrypt hashes. In some cases, physical addresses were also exposed. Thingiverse's owner, MakerBot, is aware of the incident but, at the time of writing, is yet to issue a disclosure statement. The data was provided to HIBP by dehashed.com.
Kate Ainge
October 9, 2020
•[ insider, misconfiguration, government ]
A Crown Prosecution Service lawyer is on trial accused of unlawfully accessing information about his judge wife's new lover.
Docsketch
October 9, 2020
•[ leak, misconfiguration, technology ]
The electronic document-signing service Docsketch says an unauthorized third party accessed a three-week-old copy of its database in early August.
Famm
October 8, 2020
•[ leak, misconfiguration, technology ]
In late 2020, the Japanese family photos website Famm suffered a data breach that subsequently exposed 1.3M customer records, including 535k unique email addresses. Impacted data also included names, dates of birth, genders and passwords stored as SHA-256 hashes.
Unnamed individual
October 7, 2020
•[ insider, misconfiguration, government ]
A Welsh police officer pleaded guilty to misusing Dyfed-Powys Police computers to unlawfully access information about the ex-partner of a woman he was in a relationship with.
Pitkin County
October 1, 2020
•[ leak, misconfiguration, government ]
Pitkin County has disclosed a data security incident where a file was left accessible via the Internet and was subject to unauthorized access.
RedDoorz
September 26, 2020
•[ leak, misconfiguration, technology ]
Singapore-based hospitality start-up RedDoorz acknowledged on Saturday (Sept 26) that one of its IT databases suffered a breach. In November, a threat actor began selling the stolen database.
Games Box
September 21, 2020
•[ leak, misconfiguration, technology ]
In September 2020, the now-defunct website Games Box suffered a data breach that was later redistributed as part of a larger corpus of data. The impacted data included 1.4M email addresses alongside usernames, genders, ages and passwords stored as either a hash or plain text.