Advanced Health Media (AHM)
February 24, 2023
•[ hack, misconfiguration, healthcare ]
Advanced Health Media (AHM) files a notice of data breach after learning that an unauthorized party was able to access certain company servers that stored confidential consumer data.
HDB Financial Services
February 22, 2023
•[ leak, misconfiguration, finance ]
In March 2023, the Indian non-bank lending unit HDB Financial Services suffered a data breach that disclosed over 70M customer records. Containing 1.6M unique email addresses, the breach also disclosed names, dates of birth, phone numbers, genders, post codes and loan information belonging to the customers.
PeopleConnect Holdings Inc.
February 21, 2023
•[ leak, misconfiguration, technology ]
PeopleConnect, the owners of the TruthFinder and Instant Checkmate background check services, confirm they suffered a data breach after hackers leaked a 2019 backup database containing the info of 20 million customers.
O'Neal Industries
February 17, 2023
•[ hack, misconfiguration, manufacturing ]
O'Neal Industries files notice of a data breach after learning that confidential consumer information stored on the company's computer network was accessible to an unauthorized party.
Platypus
February 16, 2023
•[ financial, misconfiguration, finance ]
Decentralized finance protocol Platypus suffers a flash loan attack that drains $8.5 million from the protocol. The suspect is identified shortly after.
Retina & Vitreous of Texas
February 1, 2023
•[ hack, misconfiguration, healthcare ]
Retina & Vitreous of Texas files a notice of data breach after learning that confidential patient information that had been entrusted to the company was accessible to unauthorized parties following a cybersecurity incident.
Terravision
February 1, 2023
•[ leak, misconfiguration, technology ]
In February 2023, the European airport transfers service Terravision suffered a data breach. The breach exposed over 2M records of customer data including names, phone numbers, email addresses, salted password hashes and, in some cases, date of birth and country of origin. Terravision did not respond to multiple attempts by individuals over a period of months to report the incident.
Francesca's Acquisition
January 31, 2023
•[ hack, misconfiguration, retail ]
Francesca's Acquisition files a notice of data breach after discovering that an unauthorized party accessed portions of its computer network.
Verizon
January 27, 2023
•[ leak, misconfiguration, technology ]
IntelBroker leaks a database, allegedly from Verizon, for free. It contains 7.5 million client records, limited to first names, device types (Apple or Android), and service plans. Verizon verified that the data leak was legitimate and originated from a vendor which creates videos to assist clients.
CommuteAir
January 26, 2023
•[ leak, misconfiguration, government ]
A U.S. No Fly list with over 1.5 million records of banned flyers and upwards of 250,000 'selectees' is shared publicly on a hacking forum.
Guardian Analytics
January 26, 2023
•[ leak, misconfiguration, finance ]
Webster Bank files a notice of data breach after learning of a third-party data breach at Guardian Analytics, one of Webster Bank's vendors.
Eye4Fraud
January 25, 2023
•[ hack, misconfiguration, technology ]
In February 2023, data alleged to have been taken from the fraud protection service Eye4Fraud was listed for sale on a popular hacking forum. Spanning tens of millions of rows with 16M unique email addresses, the data was spread across 147 tables totalling 65GB and included both direct users of the service and what appears to be individuals who'd placed orders on other services that implemented Eye4Fraud to protect their sales. The data included names and bcrypt password hashes for users, and names, phone numbers, physical addresses and partial credit card data (card type and last 4 digits) for orders placed using the service. Eye4Fraud did not respond to multiple attempts to report the incident.
Duolingo
January 24, 2023
•[ leak, misconfiguration, education ]
In August 2023, 2.6M records of data scraped from Duolingo were broadly distributed on a popular hacking forum. Obtained by enumerating a vulnerable API, the data had earlier appeared for sale in January 2023 and contained email addresses, names, the languages being learned, XP (experience points), and other data related to learning progress on Duolingo. Whilst some of the data attributes are intentionally public, the ability to map private email addresses to them presents an ongoing risk to user privacy.
Mscripts
January 17, 2023
•[ hack, misconfiguration, technology ]
Mscripts files notice of a data breach after determining confidential consumer information entrusted to the company was accessible by an unauthorized party.
School District 42 Maple Ridge-Pitt Meadows
January 17, 2023
•[ leak, misconfiguration, education ]
School District 42 has 19,126 records exposed in a breach after the documents appear to have been uploaded to a popular hacker forum.
Citi Trends
January 14, 2023
•[ hack, misconfiguration, retail ]
Citi Trends files a notice of data breach after discovering that an unauthorized party was able to access confidential employee information stored on the company's IT network.
AT&T
January 6, 2023
•[ leak, misconfiguration, technology ]
A threat actor named IntelBroker claims to have found a third-party vendor's unsecured cloud storage containing 37 million AT&T client records. The threat actor shares a sample of 5 million records.
Autotrader
January 6, 2023
•[ hack, misconfiguration, automotive ]
In January 2023, 1.4M records from the Autotrader online vehicle marketplace appeared on a popular hacking forum. Autotrader stated that the "data in question relates to aged listing data that was generally publicly available on our site at the time and open to automated collection methods". The data contained 20k unique email addresses alongside physical addresses and phone numbers of dealers and vehicle details including VIN numbers. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker".
T-Mobile
January 5, 2023
•[ hack, misconfiguration, technology ]
T-Mobile discloses a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).