Lumin PDF
April 1, 2019
•[ leak, misconfiguration, technology ]
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance after which Lumin PDF was allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
Everybody Edits
March 23, 2019
•[ leak, technology ]
In March 2019, the multiplayer platform game Everybody Edits suffered a data breach. The incident exposed 871k unique email addresses alongside usernames and IP addresses. The data was subsequently distributed online across a collection of files.
Hurb
March 14, 2019
•[ leak, misconfiguration, technology ]
In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.
Citrix
March 6, 2019
•[ hack, brute-force, technology ]
FBI informs Citrix of a data breach that appears to have begun with a 'password spraying' attack aimed to steal weak credentials to access the company's network.
Newsquest Media Group
February 28, 2019
•[ hack, technology ]
Several websites belonging to Newsquest Media Group, the second largest publisher of regional and local newspapers in the United Kingdom, are apparently defaced.
Lifebear
February 28, 2019
•[ hack, technology ]
In early 2019, the Japanese schedule app Lifebear appeared for sale on a dark web marketplace amongst a raft of other hacked websites. The breach exposed almost 3.7M unique email addresses, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by a source who requested it be attributed to "nano@databases.pw".
Zillow
February 27, 2019
•[ hack, misconfiguration, technology ]
Zillow is sued for $60 million after a hacker manages to gain access to a property's Zillow listing page, and update its information.
Verifications.io
February 25, 2019
•[ leak, misconfiguration, technology ]
In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.
Apex Human Capital Management
February 23, 2019
•[ ransomware, malware, technology ]
Payroll software provider Apex Human Capital Management suffers a ransomware attack that severs payroll management services for hundreds of the company's customers for nearly three days. The company decides to pay the ransom.
Demon Forums
February 20, 2019
•[ hack, technology ]
In February 2019, the hacking forum Demon Forums suffered a data breach. The compromise of the vBulletin forum exposed 52k unique email addresses alongside usernames and passwords stored as salted MD5 hashes.
YouNow
February 15, 2019
•[ hack, technology ]
In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles. As authentication is performed via social providers, no passwords were exposed in the breach. Many records didn't have associated email addresses thus the unique number is lower than the reported total number of accounts. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".
500px
February 13, 2019
•[ hack, technology ]
Users of the photography site 500px are forced to reset their passwords, following a breach where an attacker was able to take "partial user data" from July 5 last year.
OkCupid
February 12, 2019
•[ hack, brute-force, technology ]
Users of the OkCupid dating app are the victims of a credential stuffing attack.
VFEmail
February 11, 2019
•[ hack, technology ]
The U.S. servers of privacy-focused e-mail provider VFEmail is hacked on February 11 and all the data is destroyed, on both the main and the backup systems.
Visma
February 4, 2019
•[ espionage, technology ]
Norwegian software firm Visma reveals to be among the victims of the Cloudhopper campaign allegedly orchestrated by Chinese state-sponsored actors.
devkitPro
February 3, 2019
•[ leak, misconfiguration, technology ]
In February 2019, the devkitPro forum suffered a data breach. The phpBB based forum had 1,508 unique email addresses exposed in the breach alongside forum posts, private messages and passwords stored as weak salted hashes. The data breach was self-submitted to HIBP by the forum operator.
Houzz
January 31, 2019
•[ leak, technology ]
Home improvement startup Houzz informs its users that it suffered a data breach in December 2018. The company has not provided details about the occurrence but contacted its users to encourage them to change their passwords as a precautionary measure.
BenefitMall
January 29, 2019
•[ hack, leak, technology ]
Delaware's Department of Insurance announces that 650 residents and 5 companies located within the state are impacted by a 2018 data breach of BenefitMall, an HR services administrator. An employee email was compromised between June 2018 and October 11.
Basecamp
January 29, 2019
•[ hack, brute-force, technology ]
Basecamp suffers an hour-long credential stuffing attack targeting its platform.
Altran Technologies
January 25, 2019
•[ ransomware, malware, technology ]
French engineering consultancy Altran Technologies reveals to have suffered a cyber attack that hit operations in some European countries. The attack seems to have been caused by ransomware (LockerGoga). No customer data has been stolen.
