Adapt
November 5, 2018
•[ leak, misconfiguration, technology ]
In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by data aggregator "Adapt". A provider of "Fresh Quality Contacts", the service exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles, contact information and data relating to the employer including organisation description, size and revenue. No response was received from Adapt when contacted.
Internet Solutions
October 23, 2018
•[ hack, misconfiguration, technology ]
Internet Solutions (IS) sends a notice to clients to warn them about a breach, and urges them to change their passwords and take additional steps to secure their servers. Later the company confirms that its internal monitoring systems have detected "irregular activity" on some of its virtual services.
GoldSilver
October 21, 2018
•[ leak, misconfiguration, finance ]
In October 2018, the bullion education and dealer services site GoldSilver suffered a data breach that exposed 243k unique email addresses spanning customers and mailing list subscribers. An extensive amount of personal information on customers was obtained, including names, addresses, phone numbers, purchases, and passwords and answers to security questions stored as MD5 hashes. In a small number of cases, passport, social security numbers and partial credit card data were also exposed. The data breach and source code belonging to GoldSilver were publicly posted on a dark web service, where they remained months later. When notified about the incident, GoldSilver advised that "all affected customers have been directly notified".
Eatigo
October 16, 2018
•[ leak, misconfiguration, technology ]
In October 2018, the restaurant reservation service Eatigo suffered a data breach that exposed 2.8 million accounts. The data included email addresses, names, phone numbers, social media profiles, genders and passwords stored as unsalted MD5 hashes.
Rep. Pete King's campaign website
October 7, 2018
•[ hack, misconfiguration, government ]
Rep. Pete King's campaign website is defaced.
SpankChain
October 6, 2018
•[ financial, misconfiguration, finance ]
SpankChain, an adult industry focused cryptocurrency, has $38,000 worth of Ethereum stolen due to a smart contract bug.
You've Been Scraped
October 5, 2018
•[ leak, misconfiguration, technology ]
In October and November 2018, security researcher Bob Diachenko identified several unprotected MongoDB instances believed to be hosted by a data aggregator. Containing a total of over 66M records, the owner of the data couldn't be identified but it is believed to have been scraped from LinkedIn hence the title "You've Been Scraped". The exposed records included names, both work and personal email addresses, job titles and links to the individuals' LinkedIn profiles.
Organization for the Prohibition of Chemical Weapons
October 4, 2018
•[ espionage, misconfiguration, government ]
A threat actor, believed to be Russian military intelligence, targeted the office of the Organization for the Prohibition of Chemical Weapons in The Hague with a view to compromising its Wi-Fi network for espionage purposes.
Facebook
September 27, 2018
•[ hack, misconfiguration, technology ]
Facebook says a breach affected 50 million people on the social network. The vulnerability stemmed from the "view as" feature, which lets people see what their profiles look like to others. Attackers exploited code associated with the feature that allowed them to steal "access tokens" that could be used to take over people's accounts.
SaverSpy
September 18, 2018
•[ leak, misconfiguration, technology ]
In September 2018, security researcher Bob Diachenko discovered a massive collection of personal details exposed in an unprotected MongoDB instance. The data appears to have been used in marketing campaigns (possibly for spam purposes) but had little identifying data about it other than a description of "Yahoo_090618_ SaverSpy". The data set provided to HIBP had almost 2.5M unique email addresses (all of which were from Yahoo!) alongside names, genders and physical addresses.
Saverspy
September 17, 2018
•[ leak, misconfiguration, retail ]
Bob Diachenko, a security researcher, identifies an unsecured MongoDB server leaking the personal details of nearly 11 million users. The database seems to have been ransomed back in June.
Color Dating
September 5, 2018
•[ hack, misconfiguration, technology ]
In September 2018, Color Dating, a dating app for matching people of different ethnicities, suffered a data breach that was later redistributed as part of a larger corpus of data. The breach exposed 220k unique email addresses along with bios, names, profile photos and bcrypt password hashes. The data was provided to HIBP by a source who requested it be attributed to "ANK (Veles)".
Knuddels
September 5, 2018
•[ leak, misconfiguration, technology ]
In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined 20k for the breach.
EscortReviews
September 1, 2018
•[ hack, misconfiguration, technology ]
An online community promoting female escorts and reviews of their services has suffered a data breach after a hacker downloaded the site's database. The site ran vBulletin 3.8.9, which has known vulnerabilities that could allow attackers to breach the site. It is unknown if the forum was hacked using one of these vulnerabilities or if the site left an unsecured backup of the database online.
Family Orbit
August 30, 2018
•[ hack, leak, misconfiguration ]
An anonymous hacker is able to find the key to the cloud servers of Family Orbit and leaks 281 Gb of pictures and videos.
Air Canada
August 29, 2018
•[ hack, misconfiguration ]
Air Canada says the personal information for about 20,000 customers "may potentially have been improperly accessed" via a breach in its mobile app, so the company has locked down all 1.7 million accounts as a precaution until customers change their passwords.
T-Mobile
August 23, 2018
•[ hack, misconfiguration, technology ]
T-Mobile reveals that hackers stole some of the personal data of 2 million people in a new data breach. The intrusion took place on August 20 when hackers accessed company servers through an API that "didn't contain any financial data or other sensitive data."
Bossier City
August 18, 2018
•[ hack, misconfiguration, government ]
Some Bossier City water customers may have had their information compromised due to a possible breach of an online billing payment system.
SpyFone
August 16, 2018
•[ leak, misconfiguration, technology ]
In August 2018, the spyware company SpyFone left terabytes of data publicly exposed. Collected surreptitiously whilst the targets were using their devices, the data included photos, audio recordings, text messages and browsing history, which were then exposed via a number of misconfigurations within SpyFone's systems. The data belonged to thousands of SpyFone customers and included 44k unique email addresses, many likely belonging to people the targeted phones had contact with.
Mention
August 3, 2018
•[ leak, misconfiguration, technology ]
Mention CEO Matthieu Vaxelaire informs users of the occurrence of a data security breach involving a third-party provider. The breach occurred in July and Mention promptly reported details to the French data protection authorities.