All Breaches

La Poste Mobile fell victim to ransomware by LockBit

Bank account numbers, Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses

In July 2022, the French telecommunications company La Poste Mobile was the target of an attack by the LockBit ransomware which resulted in company data being published publicly. The impacted data included 533k unique email addresses along with names, physical addresses, phone numbers, dates of birth, genders, and banking information. 10 days after the attack, the La Poste Mobile website remained offline.
Continue Reading
QuestionPro

Browser user agent details, Email addresses, IP addresses, Survey results

In May 2022, the survey website QuestionPro was the target of an extortion attempt relating to an alleged data breach. Over 100GB of data containing 22M unique email addresses (some of which appear to be generated by the platform), are alleged to have been extracted from the service along with IP addresses, browser user agents and results relating to surveys. QuestionPro would not confirm whether a breach had occurred (although they did confirm they were the target of an extortion attempt), so the data has been flagged as "unverified" and may have been sourced from another location.
Continue Reading
Amart Furniture

Email addresses, Names, Passwords, Phone numbers, Physical addresses

In May 2022, the Australian retailer Amart Furniture advised that their warranty claims database hosted on Amazon Web Services had been the target of a cyber attack. Over 100k records containing email and physical address, names, phone numbers and passwords stored as bcrypt hashes were exposed and shared online by the attacker.
Continue Reading
Mangatoon leaked 23 million email addresses plus gender, names, passwords

Auth tokens, Avatars, Email addresses, Genders, Names, Passwords, Social media profiles, Usernames

In May 2022, the Hong Kong based Manga service Mangatoon suffered a data breach that exposed 23M subscriber records. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and passwords stored as salted MD5 hashes. Mangatoon did not respond to multiple attempts to make contact regarding the breach.
Continue Reading
BlackBerry Fans

Email addresses, IP addresses, Passwords, Usernames

In May 2022, the Chinese BlackBerry enthusiasts website BlackBerry Fans suffered a data breach that exposed 174k member records. The impacted data included usernames, email and IP addresses and passwords stored as salted MD5 hashes.
Continue Reading
Fanpass

Email addresses, Genders, Names, Partial dates of birth, Passwords, Phone numbers, Physical addresses, Purchases, Social media profiles

In April 2022, the UK based website for buying and selling soccer tickets Fanpass suffered a data breach which exposed 112k customer records. Impacted data includes names, phone numbers, physical addresses, purchase histories and salted password hashes. The data was provided to HIBP by a source who requested it be attributed to "breaches.net".
Continue Reading
PayHere

Email addresses, IP addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases

In late March 2022, the Sri Lankan payment gateway PayHere suffered a data breach that exposed more than 65GB of payment records including over 1.5M unique email addresses. The data also included IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date). A month later, PayHere published a blog on the incident titled Ensuring Integrity on PayHere Cybersecurity Incident.
Continue Reading
CDEK

Email addresses, Names, Phone numbers

In early 2022, a collective known as IT Army whose stated goal is to "completely de-anonymise most Russian users by leaking hundreds of gigabytes of databases" published over 30GB of data allegedly sourced from Russian courier service CDEK. The data contained over 19M unique email addresses along with names and phone numbers. The authenticity of the breach could not be independently established and has been flagged as "unverfieid".
Continue Reading
NVIDIA

Email addresses, Passwords

In February 2022, microchip company NVIDIA suffered a data breach that exposed employee credentials and proprietary code. Impacted data included over 70k employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.
Continue Reading
GiveSendGo

Email addresses, Geographic locations, Names, Purchases

In February 2022, the Christian fundraising service GiveSendGo suffered a data breach which exposed the personal data of 90k donors to the Canadian "Freedom Convoy" protest against vaccine mandates. The breach exposed names, email addresses, post codes, donation amount and comments left at the time of donation.
Continue Reading