Indian Railways
October 28, 2019
•[ leak, misconfiguration, government ]
In November 2019, the website for Indian Rail left more than 2M records exposed on an unprotected Firebase database instance. The exposed data included 583k unique email addresses alongside usernames and passwords stored in plain text.
VikingVPN
October 20, 2019
•[ leak, misconfiguration, technology ]
OpenVPN keys and configuration files from VikingVPN are also leaked online.
NordVPN
October 20, 2019
•[ leak, misconfiguration, technology ]
NordVPN is compromised as the 'private keys for their web site certificate' are publicly leaked on the Internet. The company confirms the breach was discovered in March 2018.
Data Enrichment Exposure From PDL Customer
October 16, 2019
•[ leak, misconfiguration, technology ]
In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 billion records of personal data. The exposed data included an index indicating it was sourced from data enrichment company People Data Labs (PDL) and contained 622 million unique email addresses. The server was not owned by PDL and it's believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data.
StarTribune
October 10, 2019
•[ hack, misconfiguration, technology ]
In October 2019, the Minnesota-based news service StarTribune suffered a data breach which was subsequently sold on the dark web. The breach exposed over 2 million unique email addresses alongside names, usernames, physical addresses, dates of birth, genders and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
ASICS Store in Auckland
September 29, 2019
•[ hack, misconfiguration, retail ]
Major sportswear brand Asics blames a "cyberattack" after large storefront display screens played pornography to passersby for nine hours. The incident took place at a busy Asics store on a major high street in Auckland.
Billboard on Interstate 75
September 28, 2019
•[ hack, misconfiguration, technology ]
Two individuals play an adult pornography video on a billboard on Interstate 75 near Michigan highway 59.
Zooville
September 27, 2019
•[ hack, misconfiguration, technology ]
In September 2019, the zoophilia and bestiality forum Zooville suffered a data breach. The usernames and email addresses of 71k members were accessed via an unpatched vulnerability in the vBulletin forum software then subsequently distributed online. A second data set was later provided to HIBP which contained a complete vBulletin database dump including IP addresses, dates of birth and passwords stored as bcrypt hashes. The site administrator advised that following the breach, all data had been deleted from the forum and a new one had been stood up on the XenForo platform. The data was provided to HIBP by a source who requested it be attributed to "burger vault".
The Halloween Spot
September 27, 2019
•[ leak, misconfiguration, retail ]
In September 2019, the Halloween costume store The Halloween Spot suffered a data breach. Originally misattributed to fancy dress store Smiffys, the breach contained 13GB of data with over 10k unique email addresses alongside names, physical and IP addresses, phone numbers and order histories. The Halloween Spot advised customers the breach was traced back to "an old shipping information database".
CircleCI
August 31, 2019
•[ leak, misconfiguration, technology ]
Software testing and delivery company CircleCI discloses a security incident involving the company and a third-party analytics vendor. An attacker was able to improperly access some user data in the vendor account.
Imperva
August 27, 2019
•[ hack, misconfiguration, technology ]
Imperva discloses a security incident that impacts customers of its cloud Web Application Firewall. Apparently the intruders made off with customer API keys and SSL certificates.
Hostinger
August 25, 2019
•[ hack, misconfiguration, technology ]
Hostinger discloses a security incident that impacted its platform and users. A hacker gained access to an internal server, where he found an authorization token for an internal API used to retrieve information about up to 14 million clients.
Audi
August 14, 2019
•[ leak, misconfiguration, automotive ]
In August 2019, Audi USA suffered a data breach after a vendor left data unsecured and exposed on the internet. The data contained 2.7M unique email addresses along with names, phone numbers, physical addresses and vehicle information including VIN. In a disclosure statement from Audi, they also advised some customers had driver's licenses, dates of birth, social security numbers and other personal information exposed.
Choice Hotels
August 13, 2019
•[ hack, misconfiguration ]
Hackers claim to have stolen 700,000 guest records belonging to Choice Hotels, one of the largest hotel chains in the world. The data was left exposed in an unsecured MongoDB database.
Comodo
July 27, 2019
•[ hack, misconfiguration, technology ]
A hacker gains access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet (GitHub).
City of Concord
July 26, 2019
•[ hack, misconfiguration, government ]
The City of Concord website is defaced with offensive images.
StockX
July 26, 2019
•[ leak, misconfiguration, retail ]
In July 2019, the fashion and sneaker trading platform StockX suffered a data breach which was subsequently sold via a dark web marketplace. The exposed data included 6.8 million unique email addresses, names, physical addresses, purchases and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.
MGM Resorts
July 25, 2019
•[ hack, leak, misconfiguration ]
In July 2019, MGM Resorts discovered a data breach of one of their cloud services. The breach included 10.6M guest records with 3.1M unique email addresses stemming back to 2017. The exposed data included email and physical addresses, names, phone numbers and dates of birth and was subsequently shared on a popular hacking forum in February 2020 where it was extensively redistributed. The data was provided to HIBP by Under The Breach.
Tennessee Higher Education Commission
July 23, 2019
•[ leak, misconfiguration, education ]
The Tennessee Higher Education Commission investigates a possible data breach of a third-party vendor that has potentially exposed personal information of thousands of students.
University of Hawaii
July 23, 2019
•[ education, hack, misconfiguration ]
Personal information for as many as 70,000 public school students may have been compromised after Graduation Alliance, a University of Hawaii vendor, detected "suspicious" unauthorized access to one of its servers.