Exactis
June 1, 2018
•[ leak, misconfiguration, technology ]
In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Adult-FanFiction.Org
May 30, 2018
•[ leak, misconfiguration, technology ]
In May 2018, the website for sharing adult-orientated works of fiction known as Adult-FanFiction.Org had 186k records exposed in a data breach. The data contained names, email addresses, dates of birth and passwords stored as both MD5 hashes and plain text. AFF did not respond when contacted about the breach and the site was previously reported as compromised on the Vigilante.pw breached database directory.
Honda Greece
May 7, 2018
•[ hack, misconfiguration, manufacturing ]
Turkish hackers from Akincilar launch a new cyber attack against Honda Greece. The automaker's website in Greece is infiltrated with a message condemning the country for "partnering" with terrorists.
ViewFines
May 7, 2018
•[ leak, misconfiguration, government ]
In May 2018, the South African website for viewing traffic fines online known as ViewFines suffered a data breach. Over 934k records containing 778k unique email addresses were exposed and included names, phone numbers, government issued IDs and passwords stored in plain text.
W.S. Neal High School
May 4, 2018
•[ hack, misconfiguration, education ]
While finalizing end-year school rankings, W.S. Neal High School realizes that someone has been changing grades since 2016.
Linux Forums
May 1, 2018
•[ leak, misconfiguration, technology ]
In May 2018, the Linux Forums website suffered a data breach which resulted in the disclosure of 276k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes. Linux Forums did not respond to multiple attempts to contact them about the breach.
Creative
May 1, 2018
•[ hack, misconfiguration, technology ]
In May 2018, the forum for Singaporean hardware company Creative Technology suffered a data breach which resulted in the disclosure of 483k unique email addresses. Running on an old version of vBulletin, the breach also disclosed usernames, IP addresses and salted MD5 password hashes. After being notified of the incident, Creative permanently shut down the forum.
Chegg
April 28, 2018
•[ hack, misconfiguration, education ]
In April 2018, the textbook rental service Chegg suffered a data breach that impacted 40 million subscribers. The exposed data included email addresses, usernames, names and passwords stored as unsalted MD5 hashes. A small number of records also contained physical address or phone number. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
Funny Games
April 28, 2018
•[ leak, misconfiguration, technology ]
In April 2018, the online entertainment site Funny Games suffered a data breach that disclosed 764k records including usernames, email and IP addresses and salted MD5 password hashes. The incident was disclosed to Funny Games in July who acknowledged the breach and identified it had been caused by legacy code no longer in use. The record count in the breach constitute approximately half of the user base.
Highway Sign in Arizona
April 27, 2018
•[ hack, misconfiguration, government ]
Someone hacks a highway sign in Arizona and defaces it with 'Hail Hitler' text.
Billings Clinic
April 27, 2018
•[ hack, misconfiguration, healthcare ]
Billings Clinic notifies 949 patients of a breach affecting its email security system causing an unknown individual to access patients' information back in February.
MyEtherWallet
April 24, 2018
•[ hack, financial, misconfiguration ]
A hacker (or group of hackers) hijacks the Amazon DNS servers of MyEtherWallet.com, a web-based Ether wallet service. Users accessing the site are redirected to a fake version of the website. Those who logged in had their wallet private keys stolen, which the attacker used to empty accounts.
Red Bull
April 22, 2018
•[ hack, misconfiguration, manufacturing ]
The Red Bull website is defaced twice in few hours, probably exploiting the Drupalgeddon 2 vulnerability.
Trusted Quid
March 20, 2018
•[ hack, misconfiguration, finance ]
Trusted Quid reports a theft of data from unauthorised access to its website. The incident relates to data directly entered by people applying for a loan only on the Trusted Quid website between 1 July 2016 and 17 February 2018. Up to 65,925 people may have been affected by the incident.
Svitzer
March 15, 2018
•[ insider, misconfiguration ]
The shipping company Svitzer suffers a significant data breach affecting almost half its Australian employees when three employees have had emails auto-forwarded in the past 11 months.
2,844 Separate Data Breaches
February 19, 2018
•[ leak, misconfiguration, technology ]
In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen. Each file contained both an email address and plain text password and were consequently loaded as a single "unverified" data breach.
Western Union
February 14, 2018
•[ hack, misconfiguration, finance ]
Western Union warns that some customers' information may have been accessed without authorization as a result of a computer intrusion against an external vendor system formerly used by Western Union for secure data storage.
Autocentrum.pl
February 4, 2018
•[ leak, misconfiguration, automotive ]
In February 2018, data belonging to the Polish motoring website autocentrum.pl was found online. The data contained 144k email addresses and plain text passwords.
MyFitnessPal
February 1, 2018
•[ leak, misconfiguration, technology ]
In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "BenjaminBlue@exploit.im".
