LiveJournal
January 1, 2017
•[ hack, misconfiguration, technology ]
In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports, beginning in 2018, of credential abuse against Dreamwidth, a fork of LiveJournal with a significant crossover in user base. The breach allegedly dates back to 2017 and contains 26M unique usernames and email addresses (both of which have been confirmed to exist on LiveJournal) alongside plain text passwords. An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly. The data was provided to HIBP by a source who requested it be attributed to "nano@databases.pw".
Russian America
January 1, 2017
•[ leak, misconfiguration, technology ]
In approximately 2017, the website for Russian speakers in America known as Russian America suffered a data breach. The incident exposed 183k unique records including names, email addresses, phone numbers and passwords stored in both plain text and as MD5 hashes. Russian America was contacted about the breach but did not respond.
River City Media Spam List
January 1, 2017
•[ leak, misconfiguration ]
In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.
Anti Public Combo List
December 16, 2016
•[ leak, misconfiguration ]
In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is, attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read "Password reuse, credential stuffing and another billion records in Have I Been Pwned".
PayAsUGym
December 15, 2016
•[ hack, leak, misconfiguration ]
In December 2016, an attacker breached PayAsUGym's website exposing over 400k customers' personal data. The data was consequently leaked publicly and broadly distributed via Twitter. The leaked data contained personal information including email addresses and passwords hashed using MD5 without a salt.
FashionFantasyGame
December 1, 2016
•[ leak, misconfiguration, technology ]
In late 2016, the fashion gaming website Fashion Fantasy Game suffered a data breach. The incident exposed 2.3 million unique user accounts and corresponding MD5 password hashes with no salt. The data was contributed to Have I Been Pwned courtesy of rip@creep.im.
Quest Diagnostics
November 26, 2016
•[ hack, misconfiguration, healthcare ]
Quest Diagnostics says it is investigating a recent hack that exposed the personal health information of about 34,000 people. An "unauthorized third party" gained access to names, dates of birth, lab results and, in some cases, telephone numbers on Nov. 26 through a mobile health app that gives patients access to lab results and other information.
RankWatch
November 19, 2016
•[ leak, misconfiguration, technology ]
In approximately November 2016, the search engine optimisation management company RankWatch publicly exposed a Mongo DB with no password, whereupon their data was exfiltrated and posted to an online forum. The data contained 7.4 million unique email addresses along with names, employers, phone numbers and job titles in a table called "us_emails". When contacted and advised of the incident, RankWatch would not reveal the purpose of the data, where it had been acquired from and whether the data owners had consented to its collection. The forum which originally posted the data explained it as being "in the same vein as the modbsolutions leak", a large list of corporate data allegedly used for spam purposes.
Unknown Organization
November 17, 2016
•[ hack, misconfiguration, government ]
The Canadian army's public recruitment website (forces.ca) is hacked and briefly redirects visitors to the official website of the Chinese government.
24luv
November 12, 2016
•[ hack, misconfiguration, technology ]
The hacktivist known as ElSurveillance is back with its operation #EscortsOffline and two more data dumps from two dating sites: 24luv.com (92,937 users' email addresses and plain-text passwords) and freedateusa.com (127,395 email addresses and plain-text passwords).
Sam's Club
November 5, 2016
•[ leak, misconfiguration, retail ]
Wholesale retail giant Sam's Club has reset passwords for thousands of customers (14,600 email addresses and plain-text passwords) after their account details were posted online.
PageGroup
November 1, 2016
•[ hack, misconfiguration, technology ]
UK-based global recruitment firm PageGroup confirms that an alleged lone hacker broke into its network and illegally accessed job applicants' personal information. The data breach occurred when the hacker infiltrated a development server run by Capgemini.
Road signs in Chicago
October 17, 2016
•[ hack, misconfiguration, government ]
A number of people at Chicago's Grand Avenue and Central Avenue intersection witness an unusual message against Mayor Rahm Emanuel on a construction signboard.
Modern Business Solutions
October 8, 2016
•[ leak, misconfiguration, technology ]
In October 2016, a large Mongo DB file containing tens of millions of accounts was shared publicly on Twitter (the file has since been removed). The database contained over 58M unique email addresses along with IP addresses, names, home addresses, genders, job titles, dates of birth and phone numbers. The data was subsequently attributed to "Modern Business Solutions", a company that provides data storage and database hosting solutions. They've yet to acknowledge the incident or explain how they came to be in possession of the data.
Pont3
October 6, 2016
•[ leak, misconfiguration, retail ]
Pont3, an Australian event organizer, reveals that an unauthorized party had gained access to its mailing list account and downloaded data about individuals that subscribed to various events organized by the company in the past.
i-dressup
September 26, 2016
•[ hack, misconfiguration, technology ]
An unknown hacker downloads more than 2.2 million improperly stored account credentials from i-dressup.com, a social hangout website for teenage girls.
Real Estate Mogul
September 6, 2016
•[ hack, misconfiguration, finance ]
In September 2016, the real estate investment site Real Estate Mogul had a Mongo DB instance compromised and 5GB of data downloaded by an unauthorised party. The data contained real estate listings including addresses and the names, phone numbers and 308k unique email addresses of the sellers. Real Estate Mogul was advised of the incident in September 2018 and stated that they "found no instance of user account credentials like usernames and passwords nor billing information within this file".