North Mundham Primary in Chichester
April 23, 2017
•[ hack, misconfiguration, education ]
Police are investigating after "malicious" messages are left on a school website by Turkish nationalists in an apparent hacking attempt.
Dueling Network
March 29, 2017
•[ hack, misconfiguration, technology ]
In March 2017, Dueling Network, a Flash game based on the Yu-Gi-Oh trading card game, suffered a data breach. The site itself was taken offline in 2016 due to a cease-and-desist order but the forum remained online for another year. The data breach exposed usernames, IP and email addresses and passwords stored as MD5 hashes. The data was provided to HIBP by a source who requested it be attributed to "burger vault".
Health Now Networks
March 25, 2017
•[ leak, misconfiguration, healthcare ]
In March 2017, the telemarketing service Health Now Networks left a database containing hundreds of thousands of medical records exposed. There were over 900,000 records in total containing significant volumes of personal information including names, dates of birth, various medical conditions and operator notes on the individuals' health. The data included over 320k unique email addresses.
Dun & Bradstreet
March 15, 2017
•[ leak, misconfiguration, technology ]
A 52GB Dun & Bradstreet database containing about 33.6 million records, with very specific details about each of the people involved, from job title to email address, is exposed.
Master Deeds
March 14, 2017
•[ leak, misconfiguration, finance ]
In March 2017, a 27GB database backup file named "Master Deeds" was sent to HIBP by a supporter of the project. Upon detailed analysis later that year, the file was found to contain the personal data of tens of millions of living and deceased South African residents. The data included extensive personal attributes such as names, addresses, ethnicities, genders, birth dates, government issued personal identification numbers and 2.2 million email addresses. At the time of publishing, it's alleged the data was sourced from Dracore Data Sciences (Dracore is yet to publicly confirm or deny the data was sourced from their systems). On 18 October 2017, the file was found to have been published to a publicly accessible web server where it was located at the root of an IP address with directory listing enabled. The file was dated 8 April 2015.
Ster-Kinekor
March 9, 2017
•[ leak, misconfiguration, retail ]
In 2016, the South African cinema company Ster-Kinekor had a security flaw which leaked a large amount of customer data via an enumeration vulnerability in the API of their old website. Whilst more than 6 million accounts were leaked by the flaw, the exposed data only contained 1.6 million unique email addresses. The data also included extensive personal information such as names, addresses, birthdates, genders and plain text passwords.
St. Mary's Catholic Academy
February 26, 2017
•[ hack, misconfiguration, education ]
Hackers break into CCTV systems of at least four British schools and stream footage of pupils live on the internet. St. Mary's Catholic Academy and Christ The King Academy Primary School are two of the victims.
Roberts Hawaii
February 26, 2017
•[ hack, misconfiguration, retail ]
The tour company Roberts Hawaii warns its customers about a security breach that may have affected people who purchased tours and other services on its website between July 2015 and December 2016.
Retina-X
February 23, 2017
•[ hack, misconfiguration, technology ]
In February 2017, the mobile device monitoring software developer Retina-X was hacked and customer data downloaded before being wiped from their servers. The incident was covered in the Motherboard article titled Inside the 'Stalkerware' Surveillance Market, Where Ordinary People Tap Each Other's Phones. The service, used to monitor mobile devices, had 71k email addresses and MD5 hashes with no salt exposed. Retina-X disclosed the incident in a blog post on April 27, 2017.
Zcoin
February 17, 2017
•[ hack, misconfiguration, finance ]
A simple one-digit typo within the source code of a cryptocurrency called Zcoin has allowed a hacker to make a profit of over $400,000 worth of cryptocurrency.
Yahoo!
February 15, 2017
•[ espionage, misconfiguration, technology ]
Yahoo sends out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo's mail service that allowed an attacker, most likely a "state actor", according to Yahoo, to use a forged cookie created by software stolen from within Yahoo's internal systems to gain access to accounts without a password.
FileSilo
February 8, 2017
•[ hack, misconfiguration, technology ]
UK magazine publisher Future's FileSilo website (FileSilo.co.uk) is raided by hackers, who make off with, among other information, unencrypted user account passwords.
Sunny 107.9 WFBS-LPFM
January 31, 2017
•[ hack, misconfiguration, technology ]
Another station is hijacked to play the "F*** Donald Trump" song.
Freedom Hosting II
January 31, 2017
•[ hack, misconfiguration, technology ]
In January 2017, the free hidden service host Freedom Hosting II suffered a data breach. The attack allegedly took down 20% of dark web sites running behind Tor hidden services with the attacker claiming that of the 10,613 impacted sites, more than 50% of the content was child pornography. The hack led to the exposure of MySQL databases for the sites which included a vast amount of information on the hidden services Freedom Hosting II was managing. The impacted data classes far exceed those listed for the breach and differ between the thousands of impacted sites.
AlphaBay
January 26, 2017
•[ leak, misconfiguration, technology ]
About 218,000 unencrypted private messages posted to the AlphaBay dark web marketplace are accessed and released to the public.
Princeton University
January 7, 2017
•[ hack, misconfiguration, education ]
Princeton University is one of the 27,000 victims that have their data wiped by attackers leveraging a vulnerable MongoDB.
Google
January 4, 2017
•[ hack, misconfiguration, technology ]
Kuroi'SH hijacks the DNS record of google.com.br and redirects users to a defaced page.
CloudPets
January 1, 2017
•[ leak, ransomware, misconfiguration ]
In January, CloudPets, the maker of teddy bears that record children's voices and send them to family and friends via the internet, left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands). 583k records were provided to HIBP via a data trader and included email addresses and bcrypt hashes, but the full extent of user data exposed by the system was over 821k records and also included children's names and references to portrait photos and voice recordings.
Victory Phones
January 1, 2017
•[ leak, misconfiguration, technology ]
In January 2017, the automated telephony services company Victory Phones left a MongoDB database publicly facing without a password. Subsequently, 213GB of data was downloaded by an unauthorised party including names, addresses, phone numbers and over 166k unique email addresses.