Open Exchange Rates
March 12, 2020
•[ leak, misconfiguration, finance ]
Open Exchange Rates announces a data breach that exposed the personal information and salted and hashed passwords for customers of its API service. The breach occurred between February 9th, 2020, and March 2nd, 2020.
Entercom
March 6, 2020
•[ leak, misconfiguration, technology ]
US radio giant Entercom reports a data breach that took place in August 2019 after an unauthorized party was able to access database backup files stored in a third-party cloud hosting service and containing Radio.com user credentials.
Lead Hunter
March 4, 2020
•[ leak, misconfiguration ]
In March 2020, a massive trove of personal information referred to as "Lead Hunter" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. The data contained 69 million unique email addresses across 110 million rows of data accompanied by additional personal information including names, phone numbers, genders and physical addresses. At the time of publishing, the breach could not be attributed to those responsible for obtaining and exposing it. The data was provided to HIBP by dehashed.com.
Vijay Sales
March 2, 2020
•[ leak, misconfiguration, retail ]
A threat actor posts a leaked database from Vijay Sales, a large electronics retail store chain in India, on a popular dark web hacker forum. The threat actor claims the source was an "exposed backup server" breached in February 2020.
GeoCloud
March 2, 2020
•[ leak, misconfiguration, technology ]
A threat actor posts another database, this time from technology company GeoCloud, leaked through a public Amazon server. The data contains users' names, email addresses, and passwords as well as the company's social media keys and company information.
Catho
March 1, 2020
•[ leak, misconfiguration, technology ]
In approximately March 2020, the Brazilian recruitment website Catho was compromised and subsequently appeared alongside 20 other breached websites listed for sale on a dark web marketplace. The breach included almost 11 million records with 1.2 million unique email addresses. Names, usernames and plain text passwords were also exposed. The data was provided to HIBP by breachbase.pw.
Rady's Children's Hospital
February 26, 2020
•[ leak, misconfiguration, healthcare ]
Rady's Children's Hospital notifies patients whose data were accessed via an "open port" in June 2019 and January 2020.
Covve
February 20, 2020
•[ leak, misconfiguration, technology ]
In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. Later identified as originating from the Covve contacts app, the exposed data included extensive personal information and interactions between Covve users and their contacts. The data was provided to HIBP by dehashed.com.
Straffic
February 14, 2020
•[ leak, misconfiguration, technology ]
In February 2020, Israeli marketing company Straffic exposed a database with 140GB of personal data. The publicly accessible Elasticsearch database contained over 300M rows with 49M unique email addresses. Exposed data also included names, phone numbers, physical addresses and genders. In their breach disclosure message, Straffic stated that "it is impossible to create a totally immune system, and these things can occur".
A Ukrainian government job portal
January 21, 2020
•[ leak, misconfiguration, government ]
The https://career.gov.ua portal has leaked the personal data of an unidentified number of job applicants. It is unclear whether the leak was the result of a cyberattack or human error.
P&N Bank
January 15, 2020
•[ hack, misconfiguration, finance ]
P&N Bank in Western Australia informs its customers that hackers may have accessed personal information stored on its systems following a cyber attack on December 12, during an upgrade at a third-party hosting company.
LimeLeads
January 14, 2020
•[ leak, misconfiguration, technology ]
49 million user records extracted from a misconfigured Elasticsearch database operated by US data broker LimeLeads are put up for sale online.
US municipal government
January 8, 2020
•[ hack, misconfiguration, government ]
The FBI says that a US municipal government was also breached via the CVE-2019-11510 Pulse Secure VPN flaw.
U.S. Federal Depository Library Program
January 4, 2020
•[ hack, misconfiguration, government ]
The homepage for the U.S. Federal Depository Library Program is briefly altered to show a pro-Iranian message and an image of a bloodied Donald Trump being punched in the face.
Pampling
January 4, 2020
•[ hack, misconfiguration, retail ]
In January 2020, the online clothing retailer Pampling suffered a data breach that exposed 383k unique customer email addresses. The data was later shared on a popular hacking forum and also included names, usernames and unsalted MD5 password hashes.
Filmai.in
January 1, 2020
•[ leak, misconfiguration, technology ]
In approximately 2019 or 2020, the Lithuanian movie streaming service Filmai.in suffered a data breach exposing 645k email addresses, usernames and plain text passwords.
National Health Information Center (NCZI) of Slovakia
January 1, 2020
•[ leak, misconfiguration, healthcare ]
poor security
Unknown agency (believed to be tied to the United States Census Bureau)
January 1, 2020
•[ leak, misconfiguration, financial ]
accidentally published