Metropolitan Police's Twitter account
July 19, 2019
•[ hack, misconfiguration, education ]
The Metropolitan Police's Twitter account is hit by hackers who post a series of bizarre messages. The breach is due to the compromise of the MyNewsDesk platform.
Vedantu
July 8, 2019
•[ leak, misconfiguration, education ]
In mid-2019, the Indian interactive online tutoring platform Vedantu suffered a data breach which exposed the personal data of 687k users. The JSON-formatted database dump exposed extensive personal information including email and IP addresses, names, phone numbers, genders and passwords stored as bcrypt hashes. When contacted about the incident, Vedantu advised that they were aware of the breach and were in the process of informing their customers.
NASA's Jet Propulsion Laboratory (JPL)
June 20, 2019
•[ hack, misconfiguration, government ]
A report from NASA reveals an April 2018 security breach, wherein a Raspberry Pi that was not authorized to be linked to the JPL network was targeted by hackers.
Artvalue
June 19, 2019
•[ leak, misconfiguration ]
In June 2019, the France-based art valuation website Artvalue.com left their 158k member subscriber base publicly exposed in a text file on their website. The exposed data included names, usernames, email addresses and passwords stored as MD5 hashes. The site operator did not respond when contacted about the incident, although the exposed file was subsequently removed.
Condo.com
June 1, 2019
•[ leak, misconfiguration, technology ]
In June 2019, the now-defunct website Condo.com suffered a data breach that was later redistributed as part of a larger corpus of data. The impacted data included 1.5M email addresses alongside names, phone numbers and, for a small number of records, physical addresses.
American Medical Collection Agency
May 10, 2019
•[ leak, misconfiguration, healthcare ]
A data breach involving a medical collection agency affects more than 200,000 patients who had used the firm's online payment portal between September, 2018 and the beginning of March, 2019. The data is found on the dark web.
WIRED
May 9, 2019
•[ financial, hack, misconfiguration ]
Condé Nast notifies about 1,100 WIRED subscribers of a breach involving their payment information, when an unauthorized party accessed a third-party vendor's systems between April 14 and April 17, 2019.
275 Million Indian Citizens
May 8, 2019
•[ ransomware, misconfiguration, government ]
The "Unistellar" hacking group steals 275 million records of Indian citizens from a publicly exposed MongoDB database and holds them for ransom.
SkyMed
April 29, 2019
•[ leak, ransomware, misconfiguration ]
A detailed list of 137,000 SkyMed member accounts is found, on March 27th, in an unsecured Elasticsearch database. The leak also shows evidence of ransomware inside the network.
Lime
April 23, 2019
•[ hack, misconfiguration, manufacturing ]
Eight e-scooters from Lime, a Brisbane-based manufacturer, have their audio files swapped during a test in the streets of Brisbane.
Deezer
April 22, 2019
•[ leak, misconfiguration, technology ]
In late 2022, the music streaming service Deezer disclosed a data breach that impacted over 240M customers. The breach dated back to a mid-2019 backup exposed by a 3rd party partner which was subsequently sold and then broadly redistributed on a popular hacking forum. Impacted data included 229M unique email addresses, IP addresses, names, usernames, genders, DoBs and the geographic location of the customer.
ApexSMS
April 15, 2019
•[ leak, misconfiguration, technology ]
In May 2019, news broke of a massive SMS spam operation known as "ApexSMS" which was discovered after a MongoDB instance of the same name was found exposed without a password. The incident leaked over 80M records with 23M unique email addresses alongside names, phone numbers and carriers, geographic locations (state and country), genders and IP addresses.
Blue Cross of Idaho Health Service
April 12, 2019
•[ hack, misconfiguration, healthcare ]
Blue Cross of Idaho Health Service notifies that, on March 21, 2019, an unauthorized user accessed Blue Cross of Idaho's online provider portal and was able to access provider remittance documents, which contained PHI.
Georgia Tech University
April 2, 2019
•[ hack, misconfiguration, education ]
Georgia Tech announces that a vulnerability in a web application allowed an attacker to gain access to the personal information of up to 1.3 million students, college applicants, staff, and faculty members. The breach was discovered on March 21.
Lumin PDF
April 1, 2019
•[ leak, misconfiguration, technology ]
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September, when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance, after which Lumin PDF had allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
Canada's Natural Health Services (NHS)
March 28, 2019
•[ hack, misconfiguration, healthcare ]
A data breach at Canada's Natural Health Services (NHS) exposes personal information of roughly 34,000 medical marijuana users after a record is accessed by an "unauthorized user".
Post Rock Rural Water District
March 27, 2019
•[ insider, misconfiguration, government ]
Kansas WWS is hacked by a former employee who is able to use credentials to remotely tamper with facility processes and threaten the safety of drinking water.
Hurb
March 14, 2019
•[ leak, misconfiguration, technology ]
In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.
Intelimost
March 10, 2019
•[ leak, misconfiguration ]
In March 2019, a spam operation known as "Intelimost" sent millions of emails appearing to come from people the recipients knew. Security researcher Bob Diachenko found over 3 million unique email addresses in an exposed Elasticsearch database, alongside plain text passwords used to access the victim's mailbox and customise the spam.
Estante Virtual
February 28, 2019
•[ leak, misconfiguration, retail ]
In February 2019, the Brazilian book store Estante Virtual suffered a data breach that impacted 5.4M customers. The exposed data included names, usernames, email and physical addresses, phone numbers, dates of birth and unsalted SHA-1 password hashes.