Brazzers
September 5, 2016
•[ leak, misconfiguration, technology ]
Nearly 800,000 accounts for popular porn site Brazzers have been exposed in a data breach.
Digimon
September 5, 2016
•[ leak, misconfiguration, technology ]
In September 2016, over 16GB of logs from a service indicated to be digimon.co.in were obtained, most likely from an unprotected MongoDB instance. The service ceased running shortly afterwards and no information remains about its precise nature. Based on enquiries made via Twitter, it appears to have been a mail service possibly based on PowerMTA and used for delivering spam. The logs contained information including 7.7M unique email recipients (names and addresses), mail server IP addresses, email subjects and tracking information including mail opens and clicks.
ClixSense
September 4, 2016
•[ hack, misconfiguration, technology ]
In September 2016, the paid-to-click site ClixSense suffered a data breach which exposed 2.4 million subscriber identities. The breached data was then posted online by the attackers who claimed it was a subset of a larger data breach totalling 6.6 million records. The leaked data was extensive and included names, physical, email and IP addresses, genders and birth dates, account balances and passwords stored as plain text.
NemoWeb
September 4, 2016
•[ leak, misconfiguration, technology ]
In September 2016, almost 21GB of data from NemoWeb, the French website used for "standardised and decentralized means of exchange for publishing newsgroup articles", was leaked from what appears to have been an unprotected MongoDB. The data consisted of a large volume of emails sent to the service and included almost 3.5M unique addresses, albeit many of them auto-generated. Multiple attempts were made to contact the operators of NemoWeb but no response was received.
Variety
September 3, 2016
•[ hack, misconfiguration, technology ]
Entertainment news site Variety is briefly taken over by the infamous hacker group OurMine. The hacking collective manages to break into Variety's content management system and defaces the site with a post of their own claiming responsibility for the attack.
Twitter
September 3, 2016
•[ hack, misconfiguration, technology ]
A group of hackers dubbed Spain Squad claims to have found a way to seize inactive and suspended Twitter accounts, and sells them on the social network.
NetProspex
September 1, 2016
•[ leak, misconfiguration, technology ]
In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them. It contained extensive personal and corporate information including names, email addresses, job titles and general information about the employer.
MDPI
August 30, 2016
•[ leak, misconfiguration, education ]
In August 2016, the Swiss scholarly open access publisher known as MDPI had 17.5GB of data obtained from an unprotected MongoDB instance. The data contained email exchanges between MDPI and their authors and reviewers which included 845k unique email addresses. MDPI have confirmed that the system has since been protected and that no data of a sensitive nature was impacted. As such, they concluded that notification to their subscribers was not necessary due to the fact that all their authors and reviewers are available online on their website.
Sage Software
August 17, 2016
•[ insider, misconfiguration, technology ]
A data breach at Sage Software may have compromised personal information for employees at 280 UK businesses. The breach was caused by "unauthorised access" by someone using an "internal" company computer login. The alleged author of the attack, a 32-year-old Sage employee, was arrested at Heathrow airport.
GeekedIn
August 15, 2016
•[ leak, misconfiguration, technology ]
In August 2016, the technology recruitment site GeekedIn left a MongoDB database exposed and over 8M records were extracted by an unknown third party. The breached data was originally scraped from GitHub in violation of their terms of use and contained information exposed in public profiles, including over 1 million members' email addresses. Full details on the incident (including how impacted members can see their leaked data) are covered in the blog post "8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours".
LinkedIn
August 11, 2016
•[ hack, misconfiguration, technology ]
A new lawsuit reveals that data thieves used a massive botnet against LinkedIn to steal members' personal information via information scraping by fake profiles.
Alexa Losey Twitter Account
August 6, 2016
•[ hack, misconfiguration, technology ]
The OurMine collective hacks the Twitter account of popular YouTuber Alexa Losey.
Roblox
July 31, 2016
•[ leak, misconfiguration, technology ]
In August 2016, Roblox disclosed a data breach that affected over 50k users. The security incident impacted email and IP addresses, usernames, purchases and Robux balances which were left exposed on a test server.
Shadi.com
July 9, 2016
•[ leak, misconfiguration, technology ]
In July 2016, the Muslim dating site Shadi.com suffered a data breach that exposed over 2M members' email addresses. The breach also exposed passwords stored as MD5 hashes alongside their plain text equivalents. The data was provided to HIBP by a source who requested it be attributed to "fall1984@protonmail.com".
Mac Forums
July 3, 2016
•[ hack, misconfiguration, technology ]
In July 2016, the self-proclaimed "Ultimate Source For Your Mac" website Mac Forums suffered a data breach. The vBulletin-based system exposed over 326k usernames, email and IP addresses, dates of birth and passwords stored as salted MD5 hashes. The data was later discovered being traded on a popular hacking forum. Mac Forums did not respond when contacted about the incident via their "contact us" form.
CrackingForum
July 1, 2016
•[ hack, misconfiguration, technology ]
In approximately mid-2016, the cracking community forum known as CrackingForum suffered a data breach. The vBulletin-based forum exposed 660k email and IP addresses, usernames and salted MD5 hashes.
Kaneva
July 1, 2016
•[ leak, misconfiguration ]
In July 2016, the now-defunct website Kaneva, the service to "build and explore virtual worlds", suffered a data breach that exposed 3.9M user records. The data included email addresses, usernames, dates of birth and salted MD5 password hashes.
Quebec Liberal Party (PLQ)
June 19, 2016
•[ espionage, misconfiguration, government ]
The Quebec Liberal Party (PLQ) fixes a security issue in their video conferencing software that allowed an unknown hacker to spy on their meetings and even access the video camera.
Several Road Signs in the US
June 1, 2016
•[ hack, misconfiguration, government ]
A number of road signs in the US fall victim to a politically-motivated 'hack' attack after being altered to show messages relating to presidential candidates Donald Trump and Bernie Sanders.
ForumCommunity
June 1, 2016
•[ leak, misconfiguration, technology ]
In approximately mid-2016, the Italian-based service for creating forums known as ForumCommunity suffered a data breach. The incident impacted over 776k unique email addresses along with usernames and unsalted MD5 password hashes. No response was received from ForumCommunity when contacted.