Here's an overview of the assorted breaches that idiosyncratic been consolidated into this Have I Been Pwned. These are accessible programmatically via the HIBP API and too via the RSS feed.
000webhost
In astir March 2015, the escaped web hosting supplier 000webhost suffered a ample accusation breach that exposed astir 15 cardinal suit records. The accusation was sold and traded earlier 000webhost was alerted palmy October. The breach included names, email addresses and plain substance passwords.
Breach date: 1 March 2015
Date added to HIBP: 26 October 2015
Compromised accounts: 14,936,670
Compromised data: Email addresses, IP addresses, Names, Passwords
Permalink
123RF
In March 2020, the banal photograph tract 123RF suffered a accusation breach which impacted implicit 8 cardinal subscribers and was subsequently sold online. The breach included email, IP and carnal addresses, names, telephone numbers and passwords stored arsenic MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 22 March 2020
Date added to HIBP: 15 November 2020
Compromised accounts: 8,661,578
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
126
In astir 2012, it's alleged that the Chinese email enactment known arsenic 126 suffered a accusation breach that impacted 6.4 cardinal subscribers. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses and plain substance passwords. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 January 2012
Date added to HIBP: 8 October 2016
Compromised accounts: 6,414,191
Compromised data: Email addresses, Passwords
Permalink
17
In April 2016, suit accusation obtained from the streaming app known arsenic "17" appeared listed for merchantability connected a Tor hidden enactment marketplace. The accusation contained implicit 4 cardinal unsocial email addresses connected with IP addresses, usernames and passwords stored arsenic unsalted MD5 hashes.
Breach date: 19 April 2016
Date added to HIBP: 8 July 2016
Compromised accounts: 4,009,640
Compromised data: Device information, Email addresses, IP addresses, Passwords, Usernames
Permalink
2,844 Separate Data Breaches
In February 2018, a monolithic postulation of astir 3,000 alleged accusation breaches was recovered online. Whilst immoderate of the accusation had antecedently been seen palmy Have I Been Pwned, 2,844 of the files consisting of overmuch than 80 cardinal unsocial email addresses had not antecedently been seen. Each grounds contained immoderate an email codification and plain substance password and were consequently loaded arsenic a azygous "unverified" accusation breach.
Breach date: 19 February 2018
Date added to HIBP: 26 February 2018
Compromised accounts: 80,115,532
Compromised data: Email addresses, Passwords
Permalink
2fast4u
In December 2017, the Belgian motorcycle forum 2fast4u discovered a accusation breach of their system. The breach of the vBulletin transportation committee impacted implicit 17k idiosyncratic users and exposed email addresses, usersnames and salted MD5 passwords.
Breach date: 20 December 2017
Date added to HIBP: 7 January 2018
Compromised accounts: 17,706
Compromised data: Email addresses, Passwords, Usernames
Permalink
500px
In mid-2018, the online photography assemblage 500px suffered a accusation breach. The incidental exposed astir 15 cardinal unsocial email addresses alongside names, usernames, genders, dates of commencement and either an MD5 oregon bcrypt password hash. In 2019, the accusation appeared listed for merchantability connected a acheronian web marketplace (along with respective antithetic ample breaches) and subsequently began circulating overmuch broadly. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "[email protected]".
Breach date: 5 July 2018
Date added to HIBP: 25 March 2019
Compromised accounts: 14,867,999
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Usernames
Permalink
7k7k
In astir 2011, it's alleged that the Chinese gaming tract known arsenic 7k7k suffered a accusation breach that impacted 9.1 cardinal subscribers. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains usernames, email addresses and plain substance passwords. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 January 2011
Date added to HIBP: 26 September 2017
Compromised accounts: 9,121,434
Compromised data: Email addresses, Passwords, Usernames
Permalink
8fit
In July 2018, the wellness and fittingness enactment 8fit suffered a accusation breach. The accusation subsequently appeared for merchantability connected a acheronian web marketplace palmy February 2019 and included implicit 15M unsocial email addresses alongside names, genders, IP addresses and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 July 2018
Date added to HIBP: 21 March 2019
Compromised accounts: 15,025,407
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords
Permalink
8tracks
In June 2017, the online playlists enactment known arsenic 8Tracks suffered a accusation breach which impacted 18 cardinal accounts. In their disclosure, 8Tracks advised that "the vector for the onslaught was an employee’s GitHub account, which was not secured utilizing two-factor authentication". Salted SHA-1 password hashes for users who didn't question up with either Google oregon Facebook authentication were too included. The accusation was provided to HIBP by whitehat accusation researcher and accusation adept Adam Davies and contained astir 8 cardinal unsocial email addresses. The implicit acceptable of 18M records was aboriginal provided by JimSc[email protected] and updated palmy HIBP accordingly.
Breach date: 27 June 2017
Date added to HIBP: 16 February 2018
Compromised accounts: 17,979,961
Compromised data: Email addresses, Passwords
Permalink
Abandonia (2015)
In November 2015, the gaming website dedicated to classical DOS games Abandonia suffered a accusation breach resulting palmy the vulnerability of 776k unsocial idiosyncratic records. The accusation contained email and IP addresses, usernames and salted MD5 hashes of passwords.
Breach date: 1 November 2015
Date added to HIBP: 5 June 2017
Compromised accounts: 776,125
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Abandonia (2022)
In November 2022, the gaming website dedicated to classical DOS games Abandonia suffered a accusation breach resulting palmy the vulnerability of 920k unsocial idiosyncratic records. This breach was palmy summation to antithetic 1 7 years earlier palmy 2015. The accusation contained email and IP addresses, usernames and salted MD5 hashes of passwords.
Breach date: 15 November 2022
Date added to HIBP: 7 December 2022
Compromised accounts: 919,790
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
AbuseWith.Us
In 2016, the tract dedicated to helping extremist hack email and online gaming accounts known arsenic Abusewith.us suffered aggregate accusation breaches. The tract allegedly had an caput palmy communal with the nefarious LeakedSource site, immoderate of which idiosyncratic since been unopen down. The exposed accusation included overmuch than 1.3 cardinal unsocial email addresses, often accompanied by usernames, IP addresses and plain substance oregon hashed passwords retrieved from assorted sources and intended to beryllium utilized to compromise the victims' accounts.
Breach date: 1 July 2016
Date added to HIBP: 9 October 2017
Compromised accounts: 1,372,550
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Acne.org
In November 2014, the acne website acne.org suffered a accusation breach that exposed implicit 430k forum members' accounts. The accusation was being actively traded connected underground forums and included email addresses, commencement dates and passwords.
Breach date: 25 November 2014
Date added to HIBP: 6 March 2016
Compromised accounts: 432,943
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Adapt
In November 2018, security researcher Bob Diachenko identified an unprotected database hosted by accusation aggregator "Adapt". A supplier of "Fresh Quality Contacts", the enactment exposed implicit 9.3M unsocial records of individuals and person accusation including their names, employers, concern titles, enactment accusation and accusation relating to the person including organisation description, size and revenue. No effect was received from Adapt erstwhile contacted.
Breach date: 5 November 2018
Date added to HIBP: 22 November 2018
Compromised accounts: 9,363,740
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Social media profiles
Permalink
Adecco
In March 2021, news broke of a monolithic accusation breach impacting millions of Adecco customers palmy South America which was subsequently sold connected a fashionable hacking forum. The breach exposed implicit 4M unsocial email addresses arsenic bully arsenic genders, dates of birth, marital statuses, telephone numbers and passwords stored arsenic bcrypt hashes.
Breach date: 3 January 2021
Date added to HIBP: 31 May 2022
Compromised accounts: 4,284,538
Compromised data: Email addresses, Genders, Geographic locations, Marital statuses, Names, Passwords, Phone numbers
Permalink
Aditya Birla Fashion and Retail
In December 2021, Indian retailer Aditya Birla Fashion and Retail Ltd was breached and ransomed. The ransom petition was allegedly rejected and accusation containing 5.4M unsocial email addresses was subsequently dumped publically connected a fashionable hacking forum the adjacent month. The accusation contained extended idiosyncratic suit accusation including names, telephone numbers, carnal addresses, DoBs, bid histories and passwords stored arsenic MD5 hashes. Employee accusation was too dumped publically and included wage grades, marital statuses and religions. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 December 2021
Date added to HIBP: 15 January 2022
Compromised accounts: 5,470,063
Compromised data: Email addresses, Genders, Income levels, Job titles, Marital statuses, Names, Passwords, Phone numbers, Physical addresses, Purchases, Religions, Salutations
Permalink
Adobe
In October 2013, 153 cardinal Adobe accounts were breached with each containing an interior ID, username, email, encrypted password and a password hint palmy plain text. The password cryptography was poorly done and galore were rapidly resolved backmost to plain text. The unencrypted hints too disclosed overmuch astir the passwords adding further to the hazard that hundreds of millions of Adobe customers already faced.
Breach date: 4 October 2013
Date added to HIBP: 4 December 2013
Compromised accounts: 152,445,165
Compromised data: Email addresses, Password hints, Passwords, Usernames
Permalink
Adult FriendFinder (2015)
In May 2015, the large hookup tract Adult FriendFinder was hacked and astir 4 cardinal records dumped publicly. The accusation dump included highly delicate idiosyncratic accusation astir individuals and their narration statuses and intersexual preferences combined with personally identifiable information.
Breach date: 21 May 2015
Date added to HIBP: 22 May 2015
Compromised accounts: 3,867,997
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Races, Relationship statuses, Sexual orientations, Spoken languages, Usernames
Permalink
Adult FriendFinder (2016)
In October 2016, the large amusement instauration Friend Finder Networks suffered a monolithic accusation breach. The incidental impacted aggregate abstracted online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to beryllium "the world's largest enactment & swinger community". Exposed accusation included usernames, passwords stored arsenic SHA-1 hashes and 170 cardinal unsocial email addresses. This incidental is abstracted to the 2015 accusation breach Adult FriendFinder too suffered. The accusation was provided to HIBP by dehashed.com.
Breach date: 16 October 2016
Date added to HIBP: 6 February 2020
Compromised accounts: 169,746,810
Compromised data: Email addresses, Passwords, Spoken languages, Usernames
Permalink
Adult-FanFiction.Org
In May 2018, the website for sharing adult-orientated works of fabrication known arsenic Adult-FanFiction.Org had 186k records exposed palmy a accusation breach. The accusation contained names, email addresses, dates of commencement and passwords stored arsenic both MD5 hashes and plain text. AFF did not respond erstwhile contacted astir the breach and the tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 30 May 2018
Date added to HIBP: 6 August 2018
Compromised accounts: 186,082
Compromised data: Dates of birth, Email addresses, Names, Passwords
Permalink
AerServ
In April 2018, the advertisement absorption level known arsenic AerServ suffered a accusation breach. Acquired by InMobi earlier palmy the year, the AerServ breach impacted implicit 66k unsocial email addresses and too included enactment accusation and passwords stored arsenic salted SHA-512 hashes. The accusation was publically posted to Twitter aboriginal palmy 2018 aft which InMobi was notified and advised they were alert of the incident.
Breach date: 1 April 2018
Date added to HIBP: 6 December 2018
Compromised accounts: 66,308
Compromised data: Email addresses, Employers, Job titles, Names, Passwords, Phone numbers, Physical addresses
Permalink
AgusiQ-Torrents.pl
In September 2019, Polish torrent tract AgusiQ-Torrents.pl suffered a accusation breach. The incidental exposed 90k subordinate records including email and IP addresses, usernames and passwords stored arsenic MD5 hashes.
Breach date: 24 September 2019
Date added to HIBP: 4 December 2019
Compromised accounts: 90,478
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
AhaShare.com
In May 2013, the torrent tract AhaShare.com suffered a breach which resulted palmy overmuch than 180k idiosyncratic accounts being published publicly. The breach included a raft of idiosyncratic accusation connected registered users affirmative contempt assertions of not distributing personally identifiable information, the tract too leaked the IP addresses utilized by the registered identities.
Breach date: 30 May 2013
Date added to HIBP: 6 November 2014
Compromised accounts: 180,468
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Partial dates of birth, Passwords, Usernames, Website activity
Permalink
ai.type
In December 2017, the virtual keyboard exertion ai.type was recovered to idiosyncratic adjacent a immense magnitude of accusation publically facing palmy an unsecured MongoDB instance. Discovered by researchers astatine The Kromtech Security Center, the 577GB accusation acceptable included extended idiosyncratic accusation including implicit 20 cardinal unsocial email addresses, societal media profiles and codification work contacts. The email addresses unsocial were provided to HIBP to alteration impacted users to measurement their exposure.
Breach date: 5 December 2017
Date added to HIBP: 8 December 2017
Compromised accounts: 20,580,060
Compromised data: Address work contacts, Apps installed connected devices, Cellular web names, Dates of birth, Device information, Email addresses, Genders, Geographic locations, IMEI numbers, IMSI numbers, IP addresses, Names, Phone numbers, Profile photos, Social media profiles
Permalink
Aimware
In mid-2019, the video crippled cheats website "Aimware" suffered a accusation breach that exposed hundreds of thousands of subscribers' idiosyncratic information. Data included email and IP addresses, usernames, forum posts, backstage messages, website enactment and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "clerk/anthrax/soontoberichh".
Breach date: 28 April 2019
Date added to HIBP: 2 May 2022
Compromised accounts: 305,470
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
Aipai.com
In September 2016, accusation allegedly obtained from the Chinese gaming website known arsenic Aipai.com and containing 6.5M accounts was leaked online. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses and MD5 password hashes. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 27 September 2016
Date added to HIBP: 7 November 2016
Compromised accounts: 6,496,778
Compromised data: Email addresses, Passwords
Permalink
Ajarn
In September 2021, the Thai-based English transportation teaching website Ajarn discovered they'd been the unfortunate of a accusation breach dating backmost to December 2018. The breach was self-submitted to HIBP and included 266k email addresses, names, genders, telephone numbers and antithetic idiosyncratic information. Hashed passwords were too impacted palmy the breach.
Breach date: 13 December 2018
Date added to HIBP: 26 September 2021
Compromised accounts: 266,399
Compromised data: Dates of birth, Education levels, Email addresses, Genders, Geographic locations, Job applications, Marital statuses, Names, Nationalities, Passwords, Phone numbers, Profile photos
Permalink
Ancestry
In November 2015, an Ancestry enactment known arsenic RootsWeb suffered a accusation breach. The breach was not discovered until precocious 2017 erstwhile a grounds containing astir 300k email addresses and plain substance passwords was identified.
Breach date: 7 November 2015
Date added to HIBP: 24 December 2017
Compromised accounts: 297,806
Compromised data: Email addresses, Passwords
Permalink
Android Forums
In October 2011, the Android Forums website was hacked and 745k idiosyncratic accounts were subsequently leaked publicly. The compromised accusation included email addresses, idiosyncratic commencement dates and passwords stored arsenic a salted MD5 hash.
Breach date: 30 October 2011
Date added to HIBP: 20 December 2015
Compromised accounts: 745,355
Compromised data: Dates of birth, Email addresses, Homepage URLs, Instant messenger identities, IP addresses, Passwords
Permalink
Animal Jam
In October 2020, the online crippled for kids Animal Jam suffered a accusation breach which was subsequently shared done online hacking communities the pursuing month. The accusation contained 46 cardinal idiosyncratic accounts with implicit 7 cardinal unsocial email addresses. Impacted accusation too included usernames, IP addresses and for immoderate records, dates of commencement (sometimes palmy partial form), carnal addresses, genitor names and passwords stored arsenic PBKDF2 hashes.
Breach date: 12 October 2020
Date added to HIBP: 12 November 2020
Compromised accounts: 7,104,998
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Physical addresses, Usernames
Permalink
AnimeGame
In February 2020, the gaming website AnimeGame suffered a accusation breach. The incidental affected 1.4M subscribers and exposed email addresses, usernames and passwords stored arsenic salted MD5 hashes. The accusation was subsequently shared connected a fashionable hacking forum and was provided to HIBP by dehashed.com.
Breach date: 27 February 2020
Date added to HIBP: 9 March 2020
Compromised accounts: 1,431,378
Compromised data: Email addresses, Passwords, Usernames
Permalink
Anime-Planet
In astir 2016, the anime website Anime-Planet suffered a accusation breach that impacted 369k subscribers. The exposed accusation included usernames, IP and email addresses, dates of commencement and passwords stored arsenic unsalted MD5 hashes and for newer accounts, bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 January 2016
Date added to HIBP: 28 July 2019
Compromised accounts: 368,507
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Animoto
In July 2018, the cloud-based video making enactment Animoto suffered a accusation breach. The breach exposed 22 cardinal unsocial email addresses alongside names, dates of birth, authorities of basal and salted password hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 10 July 2018
Date added to HIBP: 18 July 2019
Compromised accounts: 22,437,749
Compromised data: Dates of birth, Email addresses, Geographic locations, Names, Passwords
Permalink
Anti Public Combo List
In December 2016, a immense database of email codification and password pairs appeared palmy a "combo list" referred to arsenic "Anti Public". The database contained 458 cardinal unsocial email addresses, galore with aggregate antithetic passwords hacked from assorted online systems. The database was broadly circulated and utilized for "credential stuffing", that is attackers employment it palmy an effort to spot antithetic online systems wherever the narration proprietor had reused their password. For elaborate inheritance connected this incident, enactment Password reuse, credential stuffing and antithetic cardinal records palmy Have I Been Pwned.
Breach date: 16 December 2016
Date added to HIBP: 4 May 2017
Compromised accounts: 457,962,538
Compromised data: Email addresses, Passwords
Permalink
Apollo
In July 2018, the income engagement startup Apollo adjacent a database containing billions of accusation points publically exposed without a password. The accusation was discovered by accusation researcher Vinny Troia who subsequently sent a subset of the accusation containing 126 cardinal unsocial email addresses to Have I Been Pwned. The accusation adjacent exposed by Apollo was utilized palmy their "revenue acceleration platform" and included idiosyncratic accusation specified arsenic names and email addresses arsenic bully arsenic nonrecreational accusation including places of employment, the roles extremist clasp and wherever they're located. Apollo stressed that the exposed accusation did not spot delicate accusation specified arsenic passwords, societal accusation numbers oregon fiscal data. The Apollo website has a enactment form for those looking to get palmy enactment with the organisation.
Breach date: 23 July 2018
Date added to HIBP: 5 October 2018
Compromised accounts: 125,929,660
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Salutations, Social media profiles
Permalink
Appartoo
In March 2017, the French Flatsharing tract known arsenic Appartoo suffered a accusation breach. The incidental exposed an extended magnitude of idiosyncratic accusation connected astir 50k members including email addresses, genders, ages, backstage messages sent betwixt users of the enactment and passwords stored arsenic SHA-256 hashes. Appartoo advised that each subscribers were notified of the incidental palmy aboriginal 2017.
Breach date: 25 March 2017
Date added to HIBP: 2 May 2019
Compromised accounts: 49,681
Compromised data: Ages, Auth tokens, Email addresses, Employment statuses, Genders, IP addresses, Marital statuses, Names, Passwords, Physical addresses, Private messages, Social media profiles
Permalink
Appen
In June 2020, the AI grooming accusation instauration Appen suffered a accusation breach exposing the details of astir 5.9 cardinal users which were subsequently sold online. Included palmy the breach were names, email addresses and passwords stored arsenic bcrypt hashes. Some records too contained telephone numbers, employers and IP addresses. The accusation was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 30 July 2020
Compromised accounts: 5,888,405
Compromised data: Email addresses, Employers, IP addresses, Names, Passwords, Phone numbers
Permalink
Aptoide
In April 2020, the autarkic Android app store Aptoide suffered a accusation breach. The incidental resulted palmy the vulnerability of 20M suit records which were subsequently shared online via a fashionable hacking forum. Impacted accusation included email and IP addresses, names, IP addresses and passwords stored arsenic SHA-1 hashes without a salt.
Breach date: 13 April 2020
Date added to HIBP: 19 April 2020
Compromised accounts: 20,012,235
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Names, Passwords
Permalink
Armor Games
In January 2019, the crippled portal website Armor Games suffered a accusation breach. A afloat of 10.6 cardinal email addresses were impacted by the breach which too exposed usernames, IP addresses, birthdays of caput accounts and passwords stored arsenic salted SHA-1 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 January 2019
Date added to HIBP: 20 July 2019
Compromised accounts: 10,604,307
Compromised data: Bios, Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Usernames
Permalink
Army Force Online
In May 2016, the online gaming tract Army Force Online suffered a accusation breach that exposed 1.5M accounts. The breached accusation was recovered being regularly traded online and included usernames, email and IP addresses and MD5 passwords.
Breach date: 18 May 2016
Date added to HIBP: 10 November 2016
Compromised accounts: 1,531,235
Compromised data: Avatars, Email addresses, Geographic locations, IP addresses, Names, Passwords, Usernames, Website activity
Permalink
Artvalue
In June 2019, the France-based instauration valuation website Artvalue.com adjacent their 158k subordinate subscriber basal publically exposed palmy a substance grounds connected their website. The exposed accusation included names, usernames, email addresses and passwords stored arsenic MD5 hashes. The tract narration did not respond erstwhile contacted astir the incident, though the exposed grounds was subsequently removed.
Breach date: 19 June 2019
Date added to HIBP: 19 July 2019
Compromised accounts: 157,692
Compromised data: Email addresses, Names, Passwords, Salutations, Usernames
Permalink
Ashley Madison
In July 2015, the infidelity website Ashley Madison suffered a superior accusation breach. The attackers threatened Ashley Madison with the afloat disclosure of the breach unless the enactment was unopen down. One play later, the database was dumped including overmuch than 30M unsocial email addresses. This breach has been classed arsenic "sensitive" and is not publically searchable, though individuals whitethorn observe if they've been impacted by registering for notifications. Read astir this onslaught palmy detail.
Breach date: 19 July 2015
Date added to HIBP: 18 August 2015
Compromised accounts: 30,811,934
Compromised data: Dates of birth, Email addresses, Ethnicities, Genders, Names, Passwords, Payment histories, Phone numbers, Physical addresses, Security questions and answers, Sexual orientations, Usernames, Website activity
Permalink
Astropid
In December 2013, the vBulletin forum for the societal engineering tract known arsenic "AstroPID" was breached and leaked publicly. The tract provided tips connected fraudulently obtaining goods and services, often by providing a morganatic "PID" oregon Product Information Description. The breach resulted palmy astir 6k idiosyncratic accounts and implicit 220k backstage messages betwixt forum members being exposed.
Breach date: 19 December 2013
Date added to HIBP: 6 July 2014
Compromised accounts: 5,788
Compromised data: Email addresses, Instant messenger identities, IP addresses, Names, Passwords, Private messages, Usernames, Website activity
Permalink
Aternos
In December 2015, the enactment for creating and moving escaped Minecraft servers known arsenic Aternos suffered a accusation breach that impacted 1.4 cardinal subscribers. The accusation included usernames, email and IP addresses and hashed passwords.
Breach date: 6 December 2015
Date added to HIBP: 1 October 2016
Compromised accounts: 1,436,486
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Atlas Quantum
In August 2018, the cryptocurrency interest level Atlas Quantum suffered a accusation breach. The breach leaked the idiosyncratic accusation of 261k investors connected the level including their names, telephone numbers, email addresses and narration balances.
Breach date: 25 August 2018
Date added to HIBP: 27 August 2018
Compromised accounts: 261,463
Compromised data: Account balances, Email addresses, Names, Phone numbers
Permalink
Audi
In August 2019, Audi USA suffered a accusation breach aft a vendor adjacent accusation unsecured and exposed connected the internet. The accusation contained 2.7M unsocial email addresses connected with names, telephone numbers, carnal addresses and conveyance accusation including VIN. In a disclosure transportation from Audi, they too advised immoderate customers had driver's licenses, dates of birth, societal accusation numbers and antithetic idiosyncratic accusation exposed.
Breach date: 14 August 2019
Date added to HIBP: 23 July 2021
Compromised accounts: 2,743,539
Compromised data: Dates of birth, Driver's licenses, Email addresses, Names, Phone numbers, Physical addresses, Social accusation numbers, Vehicle details
Permalink
Autotrader
In January 2023, 1.4M records from the Autotrader online conveyance marketplace appeared connected a fashionable hacking forum. Autotrader stated that the "data palmy question relates to aged listing accusation that was mostly publically disposable connected our tract astatine the clip and unfastened to automated postulation methods". The accusation contained 20k unsocial email addresses alongside carnal addresses and telephone numbers of dealers and conveyance details including VIN numbers. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "IntelBroker".
Breach date: 6 January 2023
Date added to HIBP: 23 January 2023
Compromised accounts: 20,032
Compromised data: Email addresses, Phone numbers, Physical addresses, Vehicle details, Vehicle designation numbers (VINs)
Permalink
Avast
In May 2014, the Avast anti-virus forum was hacked and 423k subordinate records were exposed. The Simple Machines Based forum included usernames, emails and password hashes.
Breach date: 26 May 2014
Date added to HIBP: 12 March 2016
Compromised accounts: 422,959
Compromised data: Email addresses, Passwords, Usernames
Permalink
B2B USA Businesses
In mid-2017, a spam database of implicit 105 cardinal individuals palmy steadfast America was discovered online. Referred to arsenic "B2B USA Businesses", the database categorised email addresses by employer, providing accusation connected individuals' concern titles affirmative their enactment telephone numbers and carnal addresses. Read overmuch astir spam lists palmy HIBP.
Breach date: 18 July 2017
Date added to HIBP: 18 July 2017
Compromised accounts: 105,059,554
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
Baby Names
In astir 2008, the tract to assistance parents authorisation their children known arsenic Baby Names suffered a accusation breach. The incidental exposed 846k email addresses and passwords stored arsenic salted MD5 hashes. When contacted palmy October 2018, Baby Names advised that "the breach happened astatine slightest 10 years ago" and that members were notified astatine the time.
Breach date: 24 October 2008
Date added to HIBP: 24 October 2018
Compromised accounts: 846,742
Compromised data: Email addresses, Passwords
Permalink
Badoo
In June 2016, a accusation breach allegedly originating from the societal website Badoo was recovered to beryllium circulating amongst traders. Likely obtained respective years earlier, the accusation contained 112 cardinal unsocial email addresses with idiosyncratic accusation including names, birthdates and passwords stored arsenic MD5 hashes. Whilst determination are galore indicators suggesting Badoo did truthful endure a accusation breach, the legitimacy of the accusation could not beryllium emphatically proven truthful this breach has been categorised arsenic "unverified".
Breach date: 1 June 2013
Date added to HIBP: 6 July 2016
Compromised accounts: 112,005,531
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Usernames
Permalink
BannerBit
In astir December 2018, the online advertisement level BannerBit suffered a accusation breach. Containing 213k unsocial email addresses and plain substance passwords, the accusation was provided to HIBP by a 3rd party. Multiple attempts were made to enactment BannerBit, but nary effect was received.
Breach date: 29 December 2018
Date added to HIBP: 8 January 2019
Compromised accounts: 213,415
Compromised data: Email addresses, Passwords
Permalink
Banorte
In August 2022, millions of records from Mexican slope "Banorte" were publically dumped connected a fashionable hacking forum including 2.1M unsocial email addresses, carnal addresses, names, telephone numbers, RFC (tax) numbers, genders and slope balances. Banorte idiosyncratic stated that the accusation is "outdated", though idiosyncratic not yet indicated nevertheless acold backmost it dates to. Anecdotal feedback from HIBP subscribers suggests the accusation whitethorn time backmost 8 years to 2014.
Breach date: 18 August 2014
Date added to HIBP: 18 August 2022
Compromised accounts: 2,107,000
Compromised data: Account balances, Email addresses, Genders, Government issued IDs, Names, Phone numbers, Physical addresses
Permalink
Beautiful People
In November 2015, the dating website Beautiful People was hacked and implicit 1.1M accounts were leaked. The accusation was being traded palmy underground circles and included a immense magnitude of idiosyncratic accusation related to dating.
Breach date: 11 November 2015
Date added to HIBP: 25 April 2016
Compromised accounts: 1,100,089
Compromised data: Beauty ratings, Car ownership statuses, Dates of birth, Drinking habits, Education levels, Email addresses, Genders, Geographic locations, Home ownership statuses, Income levels, IP addresses, Job titles, Names, Passwords, Personal descriptions, Personal interests, Physical attributes, Sexual orientations, Smoking habits, Website activity
Permalink
Bell (2014 breach)
In February 2014, Bell Canada suffered a accusation breach via the hacker firm known arsenic NullCrew. The breach included accusation from aggregate locations incorrect Bell and exposed email addresses, usernames, idiosyncratic preferences and a fig of unencrypted passwords and designation insubstantial accusation from 40,000 records containing conscionable implicit 20,000 unsocial email addresses and usernames.
Breach date: 1 February 2014
Date added to HIBP: 1 February 2014
Compromised accounts: 20,902
Compromised data: Credit cards, Genders, Passwords, Usernames
Permalink
Bell (2017 breach)
In May 2017, the Bell telecommunications instauration palmy Canada suffered a accusation breach resulting palmy the vulnerability of millions of suit records. The accusation was consequently leaked online with a transportation from the attacker stating that they were "releasing a important accusation of Bell.ca's accusation owed to the accusation that they idiosyncratic failed to cooperate with us" and included a menace to leak more. The impacted accusation included implicit 2 cardinal unsocial email addresses and 153k survey results dating backmost to 2011 and 2012. There were too 162 Bell idiosyncratic records with overmuch wide idiosyncratic accusation including names, telephone numbers and plain substance "passcodes". Bell suffered antithetic breach palmy 2014 which exposed 40k records.
Breach date: 15 May 2017
Date added to HIBP: 16 May 2017
Compromised accounts: 2,231,256
Compromised data: Email addresses, Geographic locations, IP addresses, Job titles, Names, Passwords, Phone numbers, Spoken languages, Survey results, Usernames
Permalink
Bestialitysextaboo
In March 2018, the carnal bestiality website known arsenic Bestialitysextaboo was hacked. A postulation of assorted sites moving connected the aforesaid enactment were too compromised and details of the hack (including links to the data) were posted connected a fashionable forum. In all, overmuch than 3.2k unsocial email addresses were included alongside usernames, IP addresses, dates of birth, genders and bcrypt hashes of passwords.
Breach date: 19 March 2018
Date added to HIBP: 29 March 2018
Compromised accounts: 3,204
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Private messages, Usernames
Permalink
Bhinneka
In aboriginal 2020, the Indonesian idiosyncratic electronics website Bhinneka suffered a accusation breach that exposed astir 1.3M suit records. The accusation included email and carnal addresses, names, genders, dates of birth, telephone numbers and salted password hashes.
Breach date: 27 January 2020
Date added to HIBP: 6 October 2022
Compromised accounts: 1,274,340
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses
Permalink
bigbasket
In October 2020, the Indian marketplace level bigbasket suffered a accusation breach that exposed implicit 20 cardinal suit records. The accusation was primitively sold earlier being leaked publically palmy April the pursuing twelvemonth and included email, IP and carnal addresses, names, phones numbers, dates of commencement passwords stored arsenic Django(SHA-1) hashes.
Breach date: 14 October 2020
Date added to HIBP: 26 April 2021
Compromised accounts: 24,500,011
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
BigMoneyJobs
In April 2014, the concern tract bigmoneyjobs.com was hacked by an attacker known arsenic "ProbablyOnion". The onslaught resulted palmy the exposure of implicit 36,000 idiosyncratic accounts including email addresses, usernames and passwords which were stored palmy plain text. The onslaught was allegedly mounted by exploiting a SQL injection vulnerability.
Breach date: 3 April 2014
Date added to HIBP: 8 April 2014
Compromised accounts: 36,789
Compromised data: Career levels, Education levels, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations, User website URLs, Website activity
Permalink
Bin Weevils
In September 2014, the online crippled Bin Weevils suffered a accusation breach. Whilst primitively stating that lone usernames and passwords had been exposed, a consequent communicative connected DataBreaches.net indicated that a overmuch extended acceptable of idiosyncratic attributes were impacted (comments determination too suggest the accusation whitethorn idiosyncratic question from a aboriginal breach). Data matching that signifier was aboriginal provided to Have I Been Pwned by @akshayindia6 and included astir 1.3m unsocial email addresses, genders, ages and plain substance passwords.
Breach date: 1 September 2014
Date added to HIBP: 18 August 2017
Compromised accounts: 1,287,073
Compromised data: Ages, Email addresses, Genders, IP addresses, Passwords, Usernames
Permalink
Biohack.me
In December 2016, the forum for the biohacking website Biohack.me suffered a accusation breach that exposed 3.4k accounts. The accusation included usernames, email addresses and hashed passwords connected with the backstage messages of forum members. The accusation was self-submitted to HIBP by the Biohack.me operators.
Breach date: 2 December 2016
Date added to HIBP: 23 August 2017
Compromised accounts: 3,402
Compromised data: Email addresses, Passwords, Private messages, Usernames
Permalink
Bitcoin Security Forum Gmail Dump
In September 2014, a ample dump of astir 5M usernames and passwords was posted to a Russian Bitcoin forum. Whilst commonly reported arsenic 5M "Gmail passwords", the dump too contained 123k yandex.ru addresses. Whilst the basal of the breach remains unclear, the breached credentials were confirmed by aggregate basal arsenic correct, albeit a fig of years old.
Breach date: 9 January 2014
Date added to HIBP: 10 September 2014
Compromised accounts: 4,789,599
Compromised data: Email addresses, Passwords
Permalink
Bitcoin Talk
In May 2015, the Bitcoin forum Bitcoin Talk was hacked and implicit 500k unsocial email addresses were exposed. The onslaught led to the vulnerability of a raft of idiosyncratic accusation including usernames, email and IP addresses, genders, commencement dates, accusation questions and MD5 hashes of their answers affirmative hashes of the passwords themselves.
Breach date: 22 May 2015
Date added to HIBP: 27 March 2017
Compromised accounts: 501,407
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Passwords, Security questions and answers, Usernames, Website activity
Permalink
Bitly
In May 2014, the nexus absorption instauration Bitly announced they'd suffered a accusation breach. The breach contained implicit 9.3 cardinal unsocial email addresses, usernames and hashed passwords, astir utilizing SHA1 with a tiny fig utilizing bcrypt.
Breach date: 8 May 2014
Date added to HIBP: 6 October 2017
Compromised accounts: 9,313,136
Compromised data: Email addresses, Passwords, Usernames
Permalink
BitTorrent
In January 2016, the forum for the fashionable torrent bundle BitTorrent was hacked. The IP.Board based forum stored passwords arsenic anemic SHA1 salted hashes and the breached accusation too included usernames, email and IP addresses.
Breach date: 1 January 2016
Date added to HIBP: 8 June 2016
Compromised accounts: 34,235
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Black Hat World
In June 2014, the hunt centrifugal optimisation forum Black Hat World had 3 quarters of a cardinal accounts breached from their system. The breach included assorted personally identifiable attributes which were publically released palmy a MySQL database script.
Breach date: 23 June 2014
Date added to HIBP: 3 November 2015
Compromised accounts: 777,387
Compromised data: Dates of birth, Email addresses, Instant messenger identities, IP addresses, Passwords, Usernames, Website activity
Permalink
BlackBerry Fans
In May 2022, the Chinese BlackBerry enthusiasts website BlackBerry Fans suffered a accusation breach that exposed 174k subordinate records. The impacted accusation included usernames, email and IP addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 6 May 2022
Date added to HIBP: 16 May 2022
Compromised accounts: 174,168
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
BlackSpigotMC
In July 2019, the hacking website BlackSpigotMC suffered a accusation breach. The XenForo forum based tract was allegedly compromised by a rival hacking website and resulted palmy 8.5GB of accusation being leaked including the database and website itself. The exposed accusation included 140k unsocial email addresses, usernames, IP addresses, genders, geographic locations and passwords stored arsenic bcrypt hashes.
Breach date: 14 July 2019
Date added to HIBP: 17 July 2019
Compromised accounts: 140,029
Compromised data: Device information, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Usernames
Permalink
BlankMediaGames
In December 2018, the Town of Salem website produced by BlankMediaGames suffered a accusation breach. Reported to HIBP by DeHashed, the accusation contained 7.6M unsocial idiosyncratic email addresses alongside usernames, IP addresses, acquisition histories and passwords stored arsenic phpass hashes. DeHashed made aggregate attempts to enactment BlankMediaGames implicit assorted channels and galore days but had yet to idiosyncratic a effect astatine the clip of publishing.
Breach date: 28 December 2018
Date added to HIBP: 2 January 2019
Compromised accounts: 7,633,234
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Passwords, Purchases, Usernames, Website activity
Permalink
Bolt
In astir March 2017, the grounds sharing website Bolt suffered a accusation breach resulting palmy the vulnerability of 995k unsocial idiosyncratic records. The accusation was sourced from their vBulletin forum and contained email and IP addresses, usernames and salted MD5 password hashes. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 1 March 2017
Date added to HIBP: 24 November 2017
Compromised accounts: 995,274
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Bombuj.eu
In December 2018, the Slovak website for watching movies online for escaped Bombuj.eu suffered a accusation breach. The incidental exposed implicit 575k unsocial email addresses and passwords stored arsenic unsalted MD5 hashes. No effect was received from Bombuj.eu erstwhile contacted astir the incident.
Breach date: 7 December 2018
Date added to HIBP: 10 December 2018
Compromised accounts: 575,437
Compromised data: Email addresses, Passwords
Permalink
Bonobos
In August 2020, the covering store Bonobos suffered a accusation breach that exposed astir 70GB of accusation containing 2.8 cardinal unsocial email addresses. The breach too exposed names, carnal and IP addresses, telephone numbers, bid histories and passwords stored arsenic salted SHA-512 hashes, including humanities passwords. The breach too exposed partial designation insubstantial accusation including insubstantial type, the authorisation connected the card, expiry time and the past 4 digits of the card. The accusation was provided to HIBP by dehashed.com.
Breach date: 14 August 2020
Date added to HIBP: 31 January 2021
Compromised accounts: 2,811,929
Compromised data: Email addresses, Historical passwords, IP addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Bookchor
In January 2021, the Indian work trading website Bookchor suffered a accusation breach that exposed fractional a cardinal suit records. The exposed accusation included email and IP addresses, names, genders, dates of birth, telephone numbers and passwords stored arsenic unsalted MD5 hashes. The accusation was subsequently traded connected a fashionable hacking forum.
Breach date: 28 January 2021
Date added to HIBP: 3 July 2022
Compromised accounts: 498,297
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
BookCrossing
In August 2022, the work societal networking tract BookCrossing disclosed a accusation breach that dated backmost to a database backup from November 2012. The incidental exposed astir 1.6M records including names, usernames, email and IP addresses, dates of commencement and plain substance passwords.
Breach date: 5 November 2012
Date added to HIBP: 25 July 2023
Compromised accounts: 1,582,323
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Names, Passwords, Usernames
Permalink
Bookmate
In mid-2018, the societal ebook subscription enactment Bookmate was among a raft of sites that were breached and their accusation past sold palmy early-2019. The accusation included astir 4 cardinal unsocial email addresses alongside names, genders, dates of commencement and passwords stored arsenic salted SHA-512 hashes. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "[email protected]".
Breach date: 8 July 2018
Date added to HIBP: 22 March 2019
Compromised accounts: 3,830,916
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Usernames
Permalink
Bot of Legends
In November 2014, the forum for Bot of Legends suffered a accusation breach. The IP.Board forum contained 238k accounts including usernames, email and IP addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 13 November 2014
Date added to HIBP: 27 December 2016
Compromised accounts: 238,373
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Bourse des Vols
In January 2021, the French question instauration Bourse des Vols suffered a accusation breach that exposed 1.46M unsocial email addresses crossed overmuch than 1.2k .sql files and implicit 9GB of data. The impacted accusation exposed idiosyncratic accusation and question histories including names, telephone numbers, IP and carnal addresses, dates of commencement connected with flights taken and purchases.
Breach date: 12 January 2021
Date added to HIBP: 3 July 2022
Compromised accounts: 1,460,130
Compromised data: Dates of birth, Email addresses, Flights taken, IP addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Boxee
In March 2014, the determination theatre PC bundle shaper Boxee had their forums compromised palmy an attack. The attackers obtained the afloat vBulletin MySQL database and promptly posted it for download connected the Boxee forum itself. The accusation included 160k users, password histories, backstage messages and a assortment of antithetic accusation exposed crossed astir 200 publically exposed tables.
Breach date: 29 March 2014
Date added to HIBP: 30 March 2014
Compromised accounts: 158,093
Compromised data: Dates of birth, Email addresses, Geographic locations, Historical passwords, Instant messenger identities, IP addresses, Passwords, Private messages, User website URLs, Usernames
Permalink
Brand New Tube
In August 2022, the streaming website Brand New Tube suffered a accusation breach that exposed the idiosyncratic accusation of astir 350k subscribers. The impacted accusation included email and IP addresses, usernames, genders, passwords stored arsenic unsalted SHA-1 hashes and backstage messages.
Breach date: 14 August 2022
Date added to HIBP: 8 September 2022
Compromised accounts: 349,627
Compromised data: Email addresses, Genders, IP addresses, Passwords, Private messages, Usernames
Permalink
Brazzers
In April 2013, the large website known arsenic Brazzers was hacked and 790k accounts were exposed publicly. Each grounds included a username, email codification and password stored palmy plain text. The breach was brought to airy by the Vigilante.pw accusation breach reporting tract palmy September 2016.
Breach date: 1 April 2013
Date added to HIBP: 5 September 2016
Compromised accounts: 790,724
Compromised data: Email addresses, Passwords, Usernames
Permalink
BreachForums
In November 2022, the well-known hacking forum "BreachForums" was itself, breached. Later the pursuing year, the narration of the website was arrested and the tract seized by instrumentality enforcement agencies. The breach exposed 212k records including usernames, IP and email addresses, backstage messages betwixt tract members and passwords stored arsenic argon2 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "breached_db_person".
Breach date: 29 November 2022
Date added to HIBP: 26 July 2023
Compromised accounts: 212,156
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
BTC-Alpha
In November 2021, the crypto code level BTC-Alpha suffered a ransomware onslaught accusation breach aft which suit accusation was publically dumped. The impacted accusation included 362k email and IP addresses, usernames and passwords stored arsenic PBKDF2 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 2 November 2021
Date added to HIBP: 27 January 2022
Compromised accounts: 362,426
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
BTC-E
In October 2014, the Bitcoin code BTC-E was hacked and 568k accounts were exposed. The accusation included email and IP addresses, wallet balances and hashed passwords.
Breach date: 1 October 2014
Date added to HIBP: 12 March 2017
Compromised accounts: 568,340
Compromised data: Account balances, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
BtoBet
In December 2019, a ample postulation of accusation from Nigerian gambling instauration Surebet247 was sent to HIBP. Alongside the Surebet247, database backups from gambling sites BetAlfa, BetWay, BongoBongo and TopBet was too included. Further probe implicated betting level supplier BtoBet arsenic being the communal basal of the data. Impacted accusation included idiosyncratic records and extended accusation connected gambling histories.
Breach date: 26 December 2019
Date added to HIBP: 11 January 2020
Compromised accounts: 444,241
Compromised data: Dates of birth, Email addresses, Financial transactions, Geographic locations, IP addresses, Names, Usernames
Permalink
Bukalapak
In March 2019, the Indonesian e-commerce website Bukalapak discovered a accusation breach of the organisation's backups dating backmost to October 2017. The incidental exposed astir 13 cardinal unsocial email addresses alongside IP addresses, names and passwords stored arsenic bcrypt and salted SHA-512 hashes. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "Maxime Thalet".
Breach date: 23 October 2017
Date added to HIBP: 18 April 2019
Compromised accounts: 13,369,666
Compromised data: Email addresses, IP addresses, Names, Passwords, Usernames
Permalink
Business Acumen Magazine
In April 2014, the Australian "Business Acumen Magazine" website was hacked by an attacker known arsenic 1337MiR. The breach resulted palmy implicit 26,000 accounts being exposed including usernames, email addresses and password stored with a anemic cryptographic hashing algorithm (MD5 with nary salt).
Breach date: 25 April 2014
Date added to HIBP: 11 May 2014
Compromised accounts: 26,596
Compromised data: Email addresses, Names, Passwords, Usernames, Website activity
Permalink
CafeMom
In 2014, the societal web for mothers CafeMom suffered a accusation breach. The accusation surfaced alongside a fig of antithetic humanities breaches including Kickstarter, Bitly and Disqus and contained 2.6 cardinal email addresses and plain substance passwords.
Breach date: 10 April 2014
Date added to HIBP: 9 November 2017
Compromised accounts: 2,628,148
Compromised data: Email addresses, Passwords
Permalink
CafePress
In February 2019, the customized merchandise retailer CafePress suffered a accusation breach. The exposed accusation included 23 cardinal unsocial email addresses with immoderate records too containing names, carnal addresses, telephone numbers and passwords stored arsenic SHA-1 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 20 February 2019
Date added to HIBP: 5 August 2019
Compromised accounts: 23,205,290
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Cannabis.com
In February 2014, the vBulletin forum for the Marijuana tract cannabis.com was breached and leaked publicly. Whilst determination has been nary nationalist attribution of the breach, the leaked accusation included implicit 227k accounts and astir 10k backstage messages betwixt users of the forum.
Breach date: 5 February 2014
Date added to HIBP: 1 June 2014
Compromised accounts: 227,746
Compromised data: Dates of birth, Email addresses, Geographic locations, Historical passwords, Instant messenger identities, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
Canva
In May 2019, the graphic program instrumentality website Canva suffered a accusation breach that impacted 137 cardinal subscribers. The exposed accusation included email addresses, usernames, names, cities of residence and passwords stored arsenic bcrypt hashes for users not utilizing societal logins. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 24 May 2019
Date added to HIBP: 9 August 2019
Compromised accounts: 137,272,116
Compromised data: Email addresses, Geographic locations, Names, Passwords, Usernames
Permalink
Capital Economics
In December 2020, the economical probe instauration Capital Economics suffered a accusation breach that exposed 263k suit records. The exposed accusation included email and carnal addresses, names, telephone numbers, concern titles and the person of impacted customers.
Breach date: 12 December 2020
Date added to HIBP: 4 July 2022
Compromised accounts: 263,829
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
Carding Mafia (December 2021)
In December 2021, the Carding Mafia forum suffered a accusation breach that exposed implicit 300k members' email addresses. Dedicated to the theft and trading of stolen designation cards, the forum breach too exposed usernames, IP addresses and passwords stored arsenic salted MD5 hashes. This breach came lone 9 months aft antithetic breach of the forum palmy March 2021.
Breach date: 28 December 2021
Date added to HIBP: 16 January 2022
Compromised accounts: 303,877
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Carding Mafia (March 2021)
In March 2021, the Carding Mafia forum suffered a accusation breach that exposed astir 300k members' email addresses. Dedicated to the theft and trading of stolen designation cards, the forum breach too exposed usernames, IP addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 18 March 2021
Date added to HIBP: 23 March 2021
Compromised accounts: 297,744
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
CashCrate
In June 2017, prime broke that CashCrate had suffered a accusation breach exposing 6.8 cardinal records. The breach of the cash-for-surveys tract dated backmost to November 2016 and exposed names, carnal addresses, email addresses and passwords stored palmy plain substance for older accounts connected with anemic MD5 hashes for newer ones.
Breach date: 17 November 2016
Date added to HIBP: 20 April 2018
Compromised accounts: 6,844,490
Compromised data: Email addresses, Names, Passwords, Physical addresses
Permalink
Catho
In astir March 2020, the Brazilian recruitment website Catho was compromised and subsequently appeared alongside 20 antithetic breached websites listed for merchantability connected a acheronian web marketplace. The breach included astir 11 cardinal records with 1.2 cardinal unsocial email addresses. Names, usernames and plain substance passwords were too exposed. The accusation was provided to HIBP by breachbase.pw.
Breach date: 1 March 2020
Date added to HIBP: 18 August 2020
Compromised accounts: 1,173,012
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
CD Projekt RED
In March 2016, Polish crippled developer CD Projekt RED suffered a accusation breach. The hack of their forum led to the vulnerability of astir 1.9 cardinal accounts connected with usernames, email addresses and salted SHA1 passwords.
Breach date: 1 March 2016
Date added to HIBP: 31 January 2017
Compromised accounts: 1,871,373
Compromised data: Email addresses, Passwords, Usernames
Permalink
Chatbooks
In March 2020, the photograph radical enactment Chatbooks suffered a accusation breach which was subsequently enactment up for merchantability connected a acheronian web marketplace. The breach contained 15 cardinal idiosyncratic records with 2.5 cardinal unsocial email addresses alongside names, telephone numbers, societal media profiles and salted SHA-512 password hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 26 March 2020
Date added to HIBP: 29 July 2020
Compromised accounts: 2,520,441
Compromised data: Email addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
CheapAssGamer.com
In astir mid-2015, the forum for CheapAssGamer.com suffered a accusation breach. The database from the IP.Board based forum contained 445k accounts including usernames, email and IP addresses and salted MD5 password hashes.
Breach date: 1 July 2015
Date added to HIBP: 8 November 2016
Compromised accounts: 444,767
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Chegg
In April 2018, the textbook rental enactment Chegg suffered a accusation breach that impacted 40 cardinal subscribers. The exposed accusation included email addresses, usernames, names and passwords stored arsenic unsalted MD5 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 28 April 2018
Date added to HIBP: 16 August 2019
Compromised accounts: 39,721,127
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
CityJerks
In aboriginal 2023, the "mutual masturbation" website CityJerks suffered a accusation breach that exposed 177k unsocial email addresses. The breach too included accusation from the TruckerSucker "dating app for REAL TRUCKERS and REAL MEN" with the combined corpus of accusation too exposing usernames, IP addresses, dates of birth, intersexual orientations, geo locations, backstage messages betwixt members and passwords stored arsenic salted MD5 hashes. The accusation was listed connected a nationalist hacking tract and provided to HIBP by a basal who requested it beryllium attributed to "discord.gg/gN9C9em".
Breach date: 27 February 2023
Date added to HIBP: 27 April 2023
Compromised accounts: 177,554
Compromised data: Bios, Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Private messages, Profile photos, Sexual orientations, Usernames
Permalink
Civil Online
In mid-2011, accusation was allegedly obtained from the Chinese engineering website known arsenic Civil Online and contained 7.8M accounts. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email and IP addresses, idiosyncratic names and MD5 password hashes. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 10 July 2011
Date added to HIBP: 7 November 2016
Compromised accounts: 7,830,195
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Clash of Kings
In July 2016, the forum for the crippled "Clash of Kings" suffered a accusation breach that impacted 1.6 cardinal subscribers. The impacted accusation included usernames, IP and email addresses and passwords stored arsenic MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 14 July 2016
Date added to HIBP: 27 July 2019
Compromised accounts: 1,604,957
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
ClearVoice Surveys
In April 2021, the marketplace probe surveys instauration ClearVoice Surveys had a publically facing database backup from 2015 taken and redistributed connected a fashionable hacking forum. The accusation included 15M unsocial email addresses crossed overmuch than 17M rows of accusation that too included names, carnal and IP addresses, genders, dates of commencement and plain substance passwords. ClearVoice Surveys advised they were alert of the breach and confirmed its authenticity.
Breach date: 23 August 2015
Date added to HIBP: 23 April 2021
Compromised accounts: 15,074,786
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
ClixSense
In September 2016, the paid-to-click tract ClixSense suffered a accusation breach which exposed 2.4 cardinal subscriber identities. The breached accusation was past posted online by the attackers who claimed it was a subset of a larger accusation breach totalling 6.6 cardinal records. The leaked accusation was extended and included names, physical, email and IP addresses, genders and commencement dates, narration balances and passwords stored arsenic plain text.
Breach date: 4 September 2016
Date added to HIBP: 11 September 2016
Compromised accounts: 2,424,784
Compromised data: Account balances, Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Payment histories, Payment methods, Physical addresses, Usernames, Website activity
Permalink
CloudPets
In January, the shaper of teddy bears that grounds children's voices and sends them to household and friends via the nett CloudPets adjacent their database publically exposed and it was subsequently downloaded by outer parties (the accusation was too taxable to 3 antithetic ransom demands). 583k records were provided to HIBP via a accusation trader and included email addresses and bcrypt hashes, but the afloat people of idiosyncratic accusation exposed by the strategy was implicit 821k records and too included children's names and references to practice photos and dependable recordings.
Breach date: 1 January 2017
Date added to HIBP: 27 February 2017
Compromised accounts: 583,503
Compromised data: Email addresses, Family members' names, Passwords
Permalink
Club Penguin Rewritten (January 2018)
In January 2018, the children's gaming tract Club Penguin Rewritten (CPRewritten) suffered a accusation breach (note: CPRewritten is an autarkic recreation of Disney's Club Penguin game). The incidental exposed astir 1.7 cardinal unsocial email addresses alongside IP addresses, usernames and passwords stored arsenic bcrypt hashes. When contacted, CPRewritten advised they were alert of the breach and had "contacted affected users".
Breach date: 21 January 2018
Date added to HIBP: 23 April 2019
Compromised accounts: 1,688,176
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Club Penguin Rewritten (July 2019)
In July 2019, the children's gaming tract Club Penguin Rewritten (CPRewritten) suffered a accusation breach (note: CPRewritten is an autarkic recreation of Disney's Club Penguin game). In summation to an earlier accusation breach that impacted 1.7 cardinal accounts, the consequent breach exposed 4 cardinal unsocial email addresses alongside IP addresses, usernames and passwords stored arsenic bcrypt hashes.
Breach date: 27 July 2019
Date added to HIBP: 30 July 2019
Compromised accounts: 4,007,909
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Coinmama
In August 2017, the crypto coin brokerage enactment Coinmama suffered a accusation breach that impacted 479k subscribers. The breach was discovered palmy February 2019 with exposed accusation including email addresses, usernames and passwords stored arsenic MD5 WordPress hashes. The accusation was provided to HIBP by achromatic chapeau accusation researcher and accusation adept Adam Davies.
Breach date: 3 August 2017
Date added to HIBP: 30 August 2019
Compromised accounts: 478,824
Compromised data: Email addresses, Passwords, Usernames
Permalink
CoinMarketCap
During October 2021, 3.1 cardinal email addresses with accounts connected the cryptocurrency marketplace capitalisation website CoinMarketCap were discovered being traded connected hacking forums. Whilst the email addresses were recovered to correlate with CoinMarketCap accounts, it's unclear precisely nevertheless they were obtained. CoinMarketCap has provided the pursuing transportation connected the data: "CoinMarketCap has spell alert that batches of accusation idiosyncratic shown up online purporting to beryllium a database of idiosyncratic accounts. While the accusation lists we idiosyncratic seen are lone email addresses (no passwords), we idiosyncratic recovered a correlation with our subscriber base. We idiosyncratic not recovered immoderate grounds of a accusation leak from our ain servers — we are actively investigating this contented and volition update our subscribers arsenic soon arsenic we idiosyncratic immoderate caller information."
Breach date: 12 October 2021
Date added to HIBP: 22 October 2021
Compromised accounts: 3,117,548
Compromised data: Email addresses
Permalink
Collection #1
In January 2019, a ample postulation of credential stuffing lists (combinations of email addresses and passwords utilized to hijack accounts connected antithetic services) was discovered being distributed connected a fashionable hacking forum. The accusation contained astir 2.7 billion records including 773 cardinal unsocial email addresses alongside passwords those addresses had utilized connected antithetic breached services. Full details connected the incidental and nevertheless to hunt the breached passwords are provided palmy the blog presumption The 773 Million Record "Collection #1" Data Breach.
Breach date: 7 January 2019
Date added to HIBP: 16 January 2019
Compromised accounts: 772,904,991
Compromised data: Email addresses, Passwords
Permalink
COMELEC (Philippines Voters)
In March 2016, the Philippines Commission of Elections website (COMELEC) was attacked and defaced, allegedly by Anonymous Philippines. Shortly after, data connected 55 cardinal Filipino voters was leaked publicly and included delicate accusation specified arsenic genders, marital statuses, tallness and worth and biometric fingerprint data. The breach lone included 228k email addresses.
Breach date: 27 March 2016
Date added to HIBP: 14 April 2016
Compromised accounts: 228,605
Compromised data: Biometric data, Dates of birth, Email addresses, Family members' names, Genders, Job titles, Marital statuses, Names, Passport numbers, Phone numbers, Physical addresses, Physical attributes
Permalink
Convex
In February 2023, the Russian telecommunications supplier Convex was hacked by "Anonymous" who subsequently released 128GB of accusation publicly, alleging it revealed amerciable authorities surveillance. The leaked accusation contained 150k unsocial email, IP and carnal addresses, names and telephone numbers.
Breach date: 1 February 2023
Date added to HIBP: 26 February 2023
Compromised accounts: 150,129
Compromised data: Email addresses, IP addresses, Names, Phone numbers
Permalink
Coupon Mom / Armor Games
In 2014, a grounds allegedly containing accusation hacked from Coupon Mom was created and included 11 cardinal email addresses and plain substance passwords. On further investigation, the grounds was too recovered to incorporated accusation indicating it had been sourced from Armor Games. Subsequent verification with HIBP subscribers confirmed the passwords had antecedently been utilized and galore subscribers had utilized either Coupon Mom oregon Armor Games palmy the past. On disclosure to immoderate organisations, each recovered that the accusation did not correspond their afloat suit basal and perchance includes records from antithetic sources with communal subscribers. The breach has subsequently been flagged arsenic "unverified" arsenic the basal cannot beryllium emphatically proven. In July 2020, the accusation was too recovered to incorporated BeerAdvocate accounts sourced from a antecedently chartless breach.
Breach date: 8 February 2014
Date added to HIBP: 9 November 2017
Compromised accounts: 11,010,525
Compromised data: Email addresses, Passwords
Permalink
Covve
In February 2020, a monolithic trove of idiosyncratic accusation referred to arsenic "db8151dd" was provided to HIBP aft being recovered adjacent exposed connected a publically facing Elasticsearch server. Later identified arsenic originating from the Covve contacts app, the exposed accusation included extended idiosyncratic accusation and interactions betwixt Covve users and their contacts. The accusation was provided to HIBP by dehashed.com.
Breach date: 20 February 2020
Date added to HIBP: 15 May 2020
Compromised accounts: 22,802,117
Compromised data: Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles
Permalink
Crack Community
In precocious 2013, the Crack Community forum specialising palmy cracks for games was compromised and implicit 19k accounts published online. Built connected the MyBB forum platform, the compromised accusation included email addresses, IP addresses and salted MD5 passwords.
Breach date: 9 September 2013
Date added to HIBP: 3 February 2015
Compromised accounts: 19,210
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Cracked.to
In July 2019, the hacking website Cracked.to suffered a accusation breach. There were 749k unsocial email addresses dispersed crossed 321k forum users and antithetic tables palmy the database. A rival hacking website claimed enactment for breaching the MyBB based forum which disclosed email and IP addresses, usernames, backstage messages and passwords stored arsenic bcrypt hashes.
Breach date: 21 July 2019
Date added to HIBP: 12 August 2019
Compromised accounts: 749,161
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
CrackingForum
In astir mid-2016, the cracking assemblage forum known arsenic CrackingForum suffered a accusation breach. The vBulletin based forum exposed 660k email and IP addresses, usernames and salted MD5 hashes.
Breach date: 1 July 2016
Date added to HIBP: 10 December 2017
Compromised accounts: 660,305
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
CraftRise
In May 2023, news broke of a accusation breach of the Turkish Minecraft server known arsenic CraftRise. The accusation of implicit 2.5M users was subsequently shared connected a fashionable hacking forum and included email addresses, usernames, geographic locations and plain substance passwords. The newest records bespeak the accusation was obtained palmy March 2022.
Breach date: 5 March 2022
Date added to HIBP: 8 August 2023
Compromised accounts: 2,532,527
Compromised data: Email addresses, Geographic locations, Passwords, Usernames
Permalink
Creative
In May 2018, the forum for Singaporean hardware instauration Creative Technology suffered a accusation breach which resulted palmy the disclosure of 483k unsocial email addresses. Running connected an aged mentation of vBulletin, the breach too disclosed usernames, IP addresses and salted MD5 password hashes. After being notified of the incident, Creative permanently unopen down the forum.
Breach date: 1 May 2018
Date added to HIBP: 7 June 2018
Compromised accounts: 483,015
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Cross Fire
In August 2016, the Russian gaming forum known arsenic Cross Fire (or cfire.mail.ru) was hacked connected with a fig of antithetic forums connected the Russian connection provider, mail.ru. The vBulletin forum contained 12.8 cardinal accounts including usernames, email addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 8 August 2016
Date added to HIBP: 28 December 2016
Compromised accounts: 12,865,609
Compromised data: Email addresses, Passwords, Usernames
Permalink
CTARS
In May 2022, the suit absorption strategy for the Australian government's NDIS (National Disability Insurance Scheme) suffered a accusation breach which was subsequently posted to an online hacking forum. The CTARS unreality level is utilized by attraction providers to grounds accusation astir NDIS participants and often contains delicate aesculapian information. Impacted accusation includes implicit 12k unsocial email addresses, carnal addresses, names, dates of birth, telephone numbers and accusation related to diligent conditions and treatments.
Breach date: 21 May 2021
Date added to HIBP: 31 May 2022
Compromised accounts: 12,314
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Personal wellness data, Phone numbers, Physical addresses, Salutations, Usernames
Permalink
CyberServe
In October 2021, the Israeli hosting supplier CyberServe was breached and ransomed earlier having a important magnitude of their suit accusation leaked publically by a extremist known arsenic "Black Shadow". Amongst the accusation was the LGBTQ dating tract Atraf and the Machon Mor aesculapian institute. Due to aggregate antithetic sites being compromised, the impacted accusation is wide and ranges from narration accusation to aesculapian accusation to email addresses and passwords stored palmy plain text. The accusation was made disposable to HIBP with enactment from May Brooks-Kempler, laminitis of the Think Safe Cyber assemblage palmy Israel.
Breach date: 29 October 2021
Date added to HIBP: 4 November 2021
Compromised accounts: 1,107,034
Compromised data: Dates of birth, Drinking habits, Email addresses, Family structure, Genders, Geographic locations, HIV statuses, IP addresses, Names, Passwords, Personal wellness data, Phone numbers, Physical attributes, Private messages, Profile photos, Religions, Sexual orientations, Smoking habits, Usernames
Permalink
D3Scene
In January 2016, the gaming website D3Scene, suffered a accusation breach. The compromised vBulletin forum exposed 569k cardinal email addresses, IP address, usernames and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 January 2016
Date added to HIBP: 15 June 2019
Compromised accounts: 568,827
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
DaFont
In May 2017, font sharing tract DaFont suffered a accusation breach resulting palmy the vulnerability of 637k records. Allegedly owed to a SQL injection vulnerability exploited by aggregate parties, the exposed accusation included usernames, email addresses and passwords stored arsenic MD5 without a salt.
Breach date: 16 May 2017
Date added to HIBP: 18 May 2017
Compromised accounts: 637,340
Compromised data: Email addresses, Passwords, Usernames
Permalink
Daily Quiz
In January 2021, the quiz website Daily Quiz suffered a accusation breach that exposed implicit 8 cardinal unsocial email addresses. The accusation too included usernames, IP addresses and passwords stored palmy plain text.
Breach date: 13 January 2021
Date added to HIBP: 21 May 2021
Compromised accounts: 8,032,404
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Dailymotion
In October 2016, the video sharing level Dailymotion suffered a accusation breach. The onslaught led to the vulnerability of overmuch than 85 cardinal idiosyncratic accounts and included email addresses, usernames and bcrypt hashes of passwords.
Breach date: 20 October 2016
Date added to HIBP: 7 August 2017
Compromised accounts: 85,176,234
Compromised data: Email addresses, Passwords, Usernames
Permalink
DailyObjects
In astir January 2018, a postulation of overmuch than 464k suit records from the Indian online retailer DailyObjects were leaked online. The accusation included names, carnal and email addresses, telephone numbers and "pincodes" stored palmy plain text. After aggregate attempts to enactment them, DailyObjects responded and received a transcript of the accusation for verification, nevertheless failed to respond to aggregate enactment attempts pursuing that.
Breach date: 1 January 2018
Date added to HIBP: 28 January 2020
Compromised accounts: 464,260
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Dangdang
In 2011, the Chinese e-commerce tract Dangdang suffered a accusation breach. The incidental exposed implicit 4.8 cardinal unsocial email addresses which were subsequently traded online implicit the ensuing years.
Breach date: 1 June 2011
Date added to HIBP: 10 January 2019
Compromised accounts: 4,848,734
Compromised data: Email addresses
Permalink
DaniWeb
In precocious 2015, the exertion and societal tract DaniWeb suffered a accusation breach. The onslaught resulted palmy the disclosure of 1.1 cardinal accounts including email and IP addresses which were too accompanied by salted MD5 hashes of passwords. However, DaniWeb idiosyncratic advised that "the breached password hashes and salts are incorrect" and that they idiosyncratic since switched to caller infrastructure and software.
Breach date: 1 December 2015
Date added to HIBP: 28 December 2016
Compromised accounts: 1,131,636
Compromised data: Email addresses, IP addresses, Passwords
Permalink
Data & Leads
In November 2018, security researcher Bob Diachenko identified an unprotected database believed to beryllium hosted by a accusation aggregator. Upon further investigation, the accusation was linked to selling instauration Data & Leads. The exposed Elasticsearch suit contained implicit 44M unsocial email addresses connected with names, IP and carnal addresses, telephone numbers and employment information. No effect was received from Data & Leads erstwhile contacted by Bob and their tract subsequently went offline.
Breach date: 14 November 2018
Date added to HIBP: 28 November 2018
Compromised accounts: 44,320,330
Compromised data: Email addresses, Employers, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Permalink
Data Enrichment Exposure From PDL Customer
In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 cardinal records of idiosyncratic data. The exposed accusation included an standard indicating it was sourced from accusation enrichment instauration People Data Labs (PDL) and contained 622 cardinal unsocial email addresses. The server was not owned by PDL and it's believed a suit failed to decently unafraid the database. Exposed accusation included email addresses, telephone numbers, societal media profiles and concern past data.
Breach date: 16 October 2019
Date added to HIBP: 22 November 2019
Compromised accounts: 622,161,052
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Social media profiles
Permalink
Data Enrichment Records
In December 2016, more than 200 cardinal "data enrichment profiles" were recovered for merchantability connected the darknet. The seller claimed the accusation was sourced from Experian and whilst that assertion was rejected by the company, the accusation itself was recovered to beryllium morganatic suggesting it whitethorn idiosyncratic been sourced from antithetic morganatic locations. In total, determination were overmuch than 8 cardinal unsocial email addresses palmy the accusation which too contained a raft of antithetic idiosyncratic attributes including designation ratings, determination ownership status, household cognition and antithetic fields described palmy the communicative linked to above. The email addresses unsocial were provided to HIBP.
Breach date: 23 December 2016
Date added to HIBP: 8 June 2017
Compromised accounts: 8,176,132
Compromised data: Buying preferences, Charitable donations, Credit presumption information, Dates of birth, Email addresses, Family structure, Financial investments, Home ownership statuses, Income levels, Job titles, Marital statuses, Names, Net worths, Phone numbers, Physical addresses, Political donations
Permalink
Dave
In June 2020, the integer banking app Dave suffered a accusation breach which exposed 7.5 cardinal rows of accusation and subsequently appeared for nationalist download connected a hacking forum. The breach exposed extended idiosyncratic accusation including astir 3 cardinal unsocial email addresses alongside names, dates of birth, encrypted societal accusation numbers and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 28 June 2020
Date added to HIBP: 27 July 2020
Compromised accounts: 2,964,182
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Social accusation numbers
Permalink
Deezer
In precocious 2022, the euphony streaming enactment Deezer disclosed a accusation breach that impacted implicit 240M customers. The breach dated backmost to a mid-2019 backup exposed by a 3rd enactment spouse which was subsequently sold and past broadly redistributed connected a fashionable hacking forum. Impacted accusation included 229M unsocial email addresses, IP addresses, names, usernames, genders, DoBs and the geographic determination of the customer.
Breach date: 22 April 2019
Date added to HIBP: 2 January 2023
Compromised accounts: 229,037,936
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Spoken languages, Usernames
Permalink
Demon Forums
In February 2019, the hacking forum Demon Forums suffered a accusation breach. The compromise of the vBulletin forum exposed 52k unsocial email addresses alongside usernames and passwords stored arsenic salted MD5 hashes.
Breach date: 20 February 2019
Date added to HIBP: 4 April 2019
Compromised accounts: 52,623
Compromised data: Email addresses, Passwords, Usernames
Permalink
Descomplica
In March 2021, the Brazilian EdTech instauration Descomplica suffered a accusation breach which was subsequently posted to a fashionable hacking forum. The accusation included astir 5 cardinal email addresses, names, the archetypal 6 and past 4 digits and the expiry time of designation cards, acquisition histories and password hashes.
Breach date: 14 March 2021
Date added to HIBP: 28 April 2021
Compromised accounts: 4,845,378
Compromised data: Email addresses, Names, Partial designation insubstantial data, Passwords, Purchases
Permalink
Devil-Torrents.pl
In aboriginal 2021, the Polish torrents website Devil-Torrents.pl suffered a accusation breach. A subset of the accusation including 63k unsocial email addresses and cracked passwords were subsequently socialised connected a fashionable accusation breach sharing service.
Breach date: 4 January 2021
Date added to HIBP: 1 May 2022
Compromised accounts: 63,451
Compromised data: Email addresses, Passwords
Permalink
devkitPro
In February 2019, the devkitPro forum suffered a accusation breach. The phpBB based forum had 1,508 unsocial email addresses exposed palmy the breach alongside forum posts, backstage messages and passwords stored arsenic anemic salted hashes. The accusation breach was self-submitted to HIBP by the forum operator.
Breach date: 3 February 2019
Date added to HIBP: 11 February 2019
Compromised accounts: 1,508
Compromised data: Email addresses, Passwords, Private messages
Permalink
diet.com
In August 2014, the fare and nutrition website diet.com suffered a accusation breach resulting palmy the vulnerability of 1.4 cardinal unsocial idiosyncratic records dating backmost arsenic acold arsenic 2004. The accusation contained email and IP addresses, usernames, plain substance passwords and dietary accusation astir the tract members including eating habits, BMI and commencement date. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 10 August 2014
Date added to HIBP: 13 October 2017
Compromised accounts: 1,383,759
Compromised data: Dates of birth, Eating habits, Email addresses, IP addresses, Names, Passwords, Physical attributes, Usernames
Permalink
Digimon
In September 2016, implicit 16GB of logs from a enactment indicated to beryllium digimon.co.in were obtained, astir apt from an unprotected Mongo DB instance. The enactment ceased moving soon afterwards and nary accusation remains astir the precise prime of it. Based connected enquiries made via Twitter, it appears to idiosyncratic been a connection enactment perchance based connected PowerMTA and utilized for delivering spam. The logs contained accusation including 7.7M unsocial email recipients (names and addresses), connection server IP addresses, email subjects and tracking accusation including connection opens and clicks.
Breach date: 5 September 2016
Date added to HIBP: 28 September 2018
Compromised accounts: 7,687,679
Compromised data: Email addresses, Email messages, IP addresses, Names
Permalink
Disqus
In October 2017, the blog commenting enactment Disqus announced they'd suffered a accusation breach. The breach dated backmost to July 2012 but wasn't identified until years aboriginal erstwhile the accusation yet surfaced. The breach contained implicit 17.5 cardinal unsocial email addresses and usernames. Users who created logins connected Disqus had salted SHA1 hashes of passwords whilst users who logged palmy via societal providers lone had references to those accounts.
Breach date: 1 July 2012
Date added to HIBP: 6 October 2017
Compromised accounts: 17,551,044
Compromised data: Email addresses, Passwords, Usernames
Permalink
DivX SubTitles
In astir 2010, the contiguous defunct website DivX SubTitles suffered a accusation breach that exposed 783k idiosyncratic accounts including email addresses, usernames and plain substance passwords.
Breach date: 1 January 2010
Date added to HIBP: 14 June 2022
Compromised accounts: 783,058
Compromised data: Email addresses, Passwords, Usernames
Permalink
DLH.net
In July 2016, the gaming prime tract DLH.net suffered a accusation breach which exposed 3.3M subscriber identities. Along with the keys utilized to redeem and activate games connected the Steam platform, the breach too resulted palmy the vulnerability of email addresses, commencement dates and salted MD5 password hashes. The accusation was donated to Have I Been Pwned by accusation breach monitoring enactment Vigilante.pw.
Breach date: 31 July 2016
Date added to HIBP: 7 September 2016
Compromised accounts: 3,264,710
Compromised data: Dates of birth, Email addresses, Names, Passwords, Usernames, Website activity
Permalink
Dodonew.com
In precocious 2011, accusation was allegedly obtained from the Chinese website known arsenic Dodonew.com and contained 8.7M accounts. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses and idiosyncratic names. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 December 2011
Date added to HIBP: 10 November 2016
Compromised accounts: 8,718,404
Compromised data: Email addresses, Usernames
Permalink
Domino's
In June 2014, Domino's Pizza palmy France and Belgium was hacked by a extremist going by the authorisation "Rex Mundi" and their suit accusation held to ransom. Domino's refused to wage the ransom and six months later, the attackers released the data connected with troves of antithetic hacked accounts. Amongst the suit accusation was passwords stored with a anemic MD5 hashing algorithm and nary salt.
Breach date: 13 June 2014
Date added to HIBP: 4 January 2015
Compromised accounts: 648,231
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Domino's India
In April 2021, 13TB of compromised Domino's India appeared for merchantability connected a hacking forum aft which the instauration acknowledged a ample accusation breach they dated backmost to March. The compromised accusation included 22.5 cardinal unsocial email addresses, names, telephone numbers, bid histories and carnal addresses.
Breach date: 24 March 2021
Date added to HIBP: 3 June 2021
Compromised accounts: 22,527,655
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Doomworld
In October 2022, the Doomworld fourm suffered a accusation breach that exposed 34k subordinate records. The accusation included email and IP addresses, usernames and bcrypt password hashes.
Breach date: 12 October 2022
Date added to HIBP: 24 October 2022
Compromised accounts: 34,478
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
DoorDash
In August 2022, the nutrient ordering and proscription enactment DoorDash disclosed a accusation breach that impacted a accusation of their customers. DoorDash attributed the breach to an unnamed "third-party vendor" they stated was the unfortunate of a phishing campaign. The incidental exposed 367k unsocial idiosyncratic email addresses alongside names, presumption codes and partial insubstantial data, namely the brand, expiry accusation and past 4 digits of the card.
Breach date: 2 August 2022
Date added to HIBP: 7 January 2023
Compromised accounts: 367,476
Compromised data: Email addresses, Geographic locations, Names, Partial designation insubstantial data
Permalink
Doxbin
In January 2022, the "doxing" website designed to disclose the idiosyncratic accusation of targeted individuals ("doxes") Doxbin suffered a accusation breach. The breach was subsequently leaked online and included implicit 370k unsocial email addresses crossed idiosyncratic accounts and doxes. User accounts too included usernames, password hashes and browser idiosyncratic agents. The idiosyncratic accusation disclosed palmy the doxes was often extended including names, carnal addresses, telephone numbers and more.
Breach date: 5 January 2022
Date added to HIBP: 8 January 2022
Compromised accounts: 370,794
Compromised data: Browser idiosyncratic origin details, Email addresses, Passwords, Usernames
Permalink
DriveSure
In December 2020, the car dealership enactment supplier DriveSure suffered a accusation breach. The incidental resulted palmy 26GB of accusation being downloaded and aboriginal shared connected a hacking forum. Impacted idiosyncratic accusation included 3.6 cardinal unsocial email addresses, names, telephone numbers and carnal addresses. Vehicle accusation was too exposed and included makes, models, VIN numbers and odometer readings. A tiny fig of passwords stored arsenic bcrypt hashes were too included palmy the accusation set.
Breach date: 19 December 2020
Date added to HIBP: 10 May 2021
Compromised accounts: 3,675,099
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses, Vehicle details
Permalink
Drizly
In astir July 2020, the US-based online intoxicant proscription enactment Drizly suffered a accusation breach. The accusation was sold online earlier being extensively redistributed and contained 2.5 cardinal unsocial email addresses alongside names, carnal and IP addresses, telephone numbers, dates of commencement and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 2 July 2020
Date added to HIBP: 28 July 2020
Compromised accounts: 2,479,044
Compromised data: Dates of birth, Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Dubsmash
In December 2018, the video messaging enactment Dubsmash suffered a accusation breach. The incidental exposed 162 cardinal unsocial email addresses alongside usernames and PBKDF2 password hashes. In 2019, the accusation appeared listed for merchantability connected a acheronian web marketplace (along with respective antithetic ample breaches) and subsequently began circulating overmuch broadly. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "[email protected]".
Breach date: 1 December 2018
Date added to HIBP: 25 February 2019
Compromised accounts: 161,749,950
Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers, Spoken languages, Usernames
Permalink
Ducks Unlimited
In mid-2021, Risk Based Security reported connected a database sourced from Ducks Unlimited being traded online. The accusation dated backmost to January 2021 and contained 1.3M unsocial email addresses crossed immoderate a fertile database and a database of website users. Impacted accusation included names, phones numbers, carnal addresses, dates of commencement and passwords stored arsenic unsalted MD5 hashes.
Breach date: 29 January 2021
Date added to HIBP: 16 November 2021
Compromised accounts: 1,324,364
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Dueling Network
In March 2017, the Flash crippled based connected the Yu-Gi-Oh trading insubstantial crippled Dueling Network suffered a accusation breach. The tract itself was taken offline palmy 2016 owed to a cease-and-desist bid but the forum remained online for antithetic year. The accusation breach exposed usernames, IP and email addresses and passwords stored arsenic MD5 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "burger vault".
Breach date: 29 March 2017
Date added to HIBP: 30 March 2020
Compromised accounts: 6,486,626
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Dungeons & Dragons Online
In April 2013, the interactive video crippled Dungeons & Dragons Online suffered a accusation breach that exposed astir 1.6M players' accounts. The accusation was being actively traded connected underground forums and included email addresses, commencement dates and password hashes.
Breach date: 2 April 2013
Date added to HIBP: 12 March 2016
Compromised accounts: 1,580,933
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Dunzo
In astir June 2019, the Indian proscription enactment Dunzo suffered a accusation breach. Exposing 3.5 cardinal unsocial email addresses, the Dunzo breach too included names, telephone numbers and IP addresses which were each broadly distributed online via a hacking forum. The accusation was provided to HIBP by dehashed.com.
Breach date: 19 June 2020
Date added to HIBP: 29 July 2020
Compromised accounts: 3,465,259
Compromised data: Device information, Email addresses, Geographic locations, IP addresses, Names, Phone numbers
Permalink
Duolingo
In August 2023, 2.6M records of accusation scraped from Duolingo were broadly distributed connected a fashionable hacking forum. Obtained by enumerating a susceptible API, the accusation had earlier appeared for merchantability palmy January 2023 and contained email addresses, names, the languages being learned, XP (experience points), and antithetic accusation related to learning advancement connected Duolingo. Whilst immoderate of the accusation attributes are intentionally public, the prime to practice backstage email addresses to them presents an ongoing hazard to idiosyncratic privacy.
Breach date: 24 January 2023
Date added to HIBP: 23 August 2023
Compromised accounts: 2,676,696
Compromised data: Email addresses, Names, Spoken languages, Usernames
Permalink
Duowan.com
In astir 2011, accusation was allegedly obtained from the Chinese gaming website known arsenic Duowan.com and contained 2.6M accounts. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses, idiosyncratic names and plain substance passwords. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 January 2011
Date added to HIBP: 7 November 2016
Compromised accounts: 2,639,894
Compromised data: Email addresses, Passwords, Usernames
Permalink
dvd-shop.ch
In December 2017, the online Swiss DVD store known arsenic dvd-shop.ch suffered a accusation breach. The incidental led to the vulnerability of 68k email addresses and plain substance passwords. The tract has since been updated to bespeak that it is presently closed.
Breach date: 5 December 2017
Date added to HIBP: 10 December 2017
Compromised accounts: 67,973
Compromised data: Email addresses, Passwords
Permalink
Eatigo
In October 2018, the edifice preservation enactment Eatigo suffered a accusation breach that exposed 2.8 cardinal accounts. The accusation included email addresses, names, telephone numbers, societal media profiles, genders and passwords stored arsenic unsalted MD5 hashes.
Breach date: 16 October 2018
Date added to HIBP: 25 August 2021
Compromised accounts: 2,789,609
Compromised data: Email addresses, Genders, Names, Passwords, Phone numbers, Social media profiles
Permalink
EatStreet
In May 2019, the online nutrient ordering enactment EatStreet suffered a accusation breach affecting 6.4 cardinal customers. An extended magnitude of idiosyncratic accusation was obtained including names, telephone numbers, addresses, partial designation insubstantial accusation and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 3 May 2019
Date added to HIBP: 19 July 2019
Compromised accounts: 6,353,564
Compromised data: Dates of birth, Email addresses, Genders, Names, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses, Social media profiles
Permalink
ECCIE
In January 2021, the large escort forum ECCIE suffered a accusation breach which was aboriginal posted to a fashionable hacking forum. The accusation included 536k idiosyncratic records with email and IP addresses, usernames, dates of commencement and salted MD5 password hashes.
Breach date: 1 July 2021
Date added to HIBP: 21 August 2023
Compromised accounts: 536,923
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Edmodo
In May 2017, the acquisition level Edmodo was hacked resulting palmy the vulnerability of 77 cardinal records comprised of implicit 43 cardinal unsocial suit email addresses. The accusation was consequently published to a fashionable hacking forum and made freely available. The records palmy the breach included usernames, email addresses and bcrypt hashes of passwords.
Breach date: 11 May 2017
Date added to HIBP: 1 June 2017
Compromised accounts: 43,423,561
Compromised data: Email addresses, Passwords, Usernames
Permalink
Elance
Sometime palmy 2009, staffing level Elance suffered a accusation breach that impacted 1.3 cardinal accounts. Appearing online 8 years later, the accusation contained usernames, email addresses, telephone numbers and SHA1 hashes of passwords, amongst antithetic idiosyncratic data.
Breach date: 1 January 2009
Date added to HIBP: 18 February 2017
Compromised accounts: 1,291,178
Compromised data: Email addresses, Employers, Geographic locations, Passwords, Phone numbers, Usernames
Permalink
Elanic
In January 2020, the Indian mode marketplace Elanic had 2.8M records with 2.3M unsocial email addresses posted publically to a fashionable hacking forum. Elanic confirmed that they had "verified the accusation and it was pulled from 1 of our proceedings servers wherever this accusation was exposed publicly" and that the accusation was "old" (the hacking forum reported it arsenic being from 2016-2018). When asked astir disclosure to impacted customers, Elanic advised that they had "decided to not idiosyncratic arsenic specified immoderate transportation and nationalist disclosure".
Breach date: 1 January 2018
Date added to HIBP: 4 May 2020
Compromised accounts: 2,325,283
Compromised data: Email addresses, Geographic locations, Usernames
Permalink
Elasticsearch Instance of Sales Leads connected AWS
In October 2018, security researcher Bob Diachenko identified aggregate exposed databases with hundreds of millions of records. One of those datasets was an Elasticsearch suit connected AWS containing income pb accusation and 5.8M unsocial email addresses. The accusation contained accusation relating to individuals and the companies they worked for including their names, email addresses and instauration authorisation and enactment information. Despite champion efforts, it was not imaginable to spot the proprietor of the accusation hence this breach arsenic been titled "Elasticsearch Sales Leads".
Breach date: 29 October 2018
Date added to HIBP: 17 November 2018
Compromised accounts: 5,788,169
Compromised data: Email addresses, Employers, Names, Physical addresses
Permalink
Emuparadise
In April 2018, the self-proclaimed "biggest retro gaming website connected earth", Emuparadise, suffered a accusation breach. The compromised vBulletin forum exposed 1.1 cardinal email addresses, IP address, usernames and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 April 2018
Date added to HIBP: 9 June 2019
Compromised accounts: 1,131,229
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
E-Pal
In October 2022, the enactment dedicated to uncovering friends connected Discord known arsenic E-Pal disclosed a accusation breach. The compromised accusation included implicit 100k unsocial email addresses and usernames spanning astir 1M orders. The accusation was subsequently distributed via a fashionable hacking forum.
Breach date: 15 April 2022
Date added to HIBP: 24 October 2022
Compromised accounts: 108,887
Compromised data: Email addresses, Purchases, Usernames
Permalink
Epic Games
In August 2016, the Epic Games forum suffered a accusation breach, allegedly owed to a SQL injection vulnerability palmy vBulletin. The onslaught resulted palmy the vulnerability of 252k accounts including usernames, email addresses and salted MD5 hashes of passwords.
Breach date: 11 August 2016
Date added to HIBP: 7 November 2016
Compromised accounts: 251,661
Compromised data: Email addresses, Passwords, Usernames
Permalink
EpicBot
In September 2019, the RuneScape bot supplier EpicBot suffered a accusation breach that impacted 817k subscribers. Data from the breach was subsequently shared connected a fashionable hacking forum and included usernames, email and IP addresses and passwords stored arsenic either salted MD5 oregon bcrypt hashes. EpicBot did not respond erstwhile contacted astir the incident.
Breach date: 1 September 2019
Date added to HIBP: 19 November 2019
Compromised accounts: 816,662
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
EpicNPC
In January 2016, the hacked narration reseller EpicNPC suffered a accusation breach that impacted 409k subscribers. The impacted accusation included usernames, IP and email addresses and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 2 January 2016
Date added to HIBP: 27 July 2019
Compromised accounts: 408,795
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Epik
In September 2021, the domain registrar and web large Epik suffered a important accusation breach, allegedly palmy retaliation for hosting alt-right websites. The breach exposed a immense measurement of accusation not conscionable of Epik customers, but too scraped WHOIS records belonging to individuals and organisations who were not Epik customers. The accusation included implicit 15 cardinal unsocial email addresses (including anonymised versions for domain privacy), names, telephone numbers, carnal addresses, purchases and passwords stored palmy assorted formats.
Breach date: 13 September 2021
Date added to HIBP: 19 September 2021
Compromised accounts: 15,003,961
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Eroticy
In mid-2016, it's alleged that the large website known arsenic Eroticy was hacked. Almost 1.4 cardinal unsocial accounts were recovered circulating palmy precocious 2016 which contained a raft of idiosyncratic accusation ranging from email addresses to telephone numbers to plain substance passwords. Whilst galore HIBP subscribers confirmed their accusation was legitimate, the existent basal of the breach remains inconclusive. A elaborate narration of the accusation has been published palmy the anticipation of identifying the basal of the breach.
Breach date: 1 June 2015
Date added to HIBP: 10 January 2017
Compromised accounts: 1,370,175
Compromised data: Email addresses, IP addresses, Names, Passwords, Payment histories, Phone numbers, Physical addresses, Usernames, Website activity
Permalink
Eskimi
In precocious 2020, the AdTech level Eskimi suffered a accusation breach that exposed 26M records with 1.2M unsocial email addresses. The accusation included usernames, dates of birth, genders and passwords stored arsenic unsalted MD5 hashes.
Breach date: 25 September 2020
Date added to HIBP: 16 July 2022
Compromised accounts: 1,197,620
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Passwords, Usernames
Permalink
Estonian Citizens (via Estonian Cybercrime Bureau)
In June 2018, the Cybercrime Bureau of the Estonian Central Criminal Police contacted HIBP and asked for assistance palmy making a accusation acceptable of 655k email addresses searchable. The Estonian constabulary suspected the email addresses and passwords they obtained were being utilized to entree mailboxes, cryptocurrency exchanges, unreality enactment accounts and antithetic akin online assets. They've requested that individuals who find themselves palmy the accusation acceptable and too spot that cryptocurrency has been stolen enactment them astatine [email protected].
Breach date: 7 June 2018
Date added to HIBP: 11 June 2018
Compromised accounts: 655,161
Compromised data: Email addresses, Passwords
Permalink
eThekwini Municipality
In September 2016, the caller eThekwini eServices website palmy South Africa was launched with a fig of accusation holes that pb to the leak of implicit 98k residents' idiosyncratic accusation and inferior bills crossed 82k unsocial email addresses. Emails were sent anterior to motorboat containing passwords palmy plain substance and the tract allowed anyone to download inferior bills without susceptible authentication. Various methods of suit accusation enumeration was imaginable and phishing attacks began appearing the clip aft launch.
Breach date: 7 September 2016
Date added to HIBP: 15 September 2016
Compromised accounts: 81,830
Compromised data: Dates of birth, Deceased date, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Passwords, Phone numbers, Physical addresses, Utility bills
Permalink
Ethereum
In December 2016, the forum for the nationalist blockchain-based distributed computing level Ethereum suffered a accusation breach. The database contained implicit 16k unsocial email addresses connected with IP addresses, backstage forum messages and (mostly) bcrypt hashed passwords. Ethereum elected to self-submit the accusation to HIBP, providing the enactment with a database of email addresses impacted by the incident.
Breach date: 16 December 2016
Date added to HIBP: 20 December 2016
Compromised accounts: 16,431
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
europa.jobs
In August 2019, the contiguous defunct European jobs website europa.jobs (Google cache link) suffered a accusation breach. The incidental exposed 226k unsocial email addresses alongside extended idiosyncratic accusation including names, dates of birth, concern applications and passwords. The accusation was subsequently redistributed connected a fashionable hacking forum.
Breach date: 11 August 2019
Date added to HIBP: 15 January 2020
Compromised accounts: 226,095
Compromised data: Dates of birth, Email addresses, Geographic locations, Job applications, Names, Passwords, Phone numbers, Spoken languages
Permalink
Evermotion
In May 2015, the Polish 3D modelling website known arsenic Evermotion suffered a accusation breach resulting palmy the vulnerability of 435k unsocial idiosyncratic records. The accusation was sourced from a vBulletin forum and contained email addresses, usernames, dates of commencement and salted MD5 hashes of passwords. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 7 May 2015
Date added to HIBP: 2 July 2017
Compromised accounts: 435,510
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
Everybody Edits
In March 2019, the multiplayer level crippled Everybody Edits suffered a accusation breach. The incidental exposed 871k unsocial email addresses alongside usernames and IP addresses. The accusation was subsequently distributed online crossed a postulation of files.
Breach date: 23 March 2019
Date added to HIBP: 3 April 2019
Compromised accounts: 871,190
Compromised data: Email addresses, IP addresses, Usernames
Permalink
Evite
In April 2019, the societal readying website for managing online invitations Evite identified a accusation breach of their systems. Upon investigation, they recovered unauthorised entree to a database archive dating backmost to 2013. The exposed accusation included a afloat of 101 cardinal unsocial email addresses, astir belonging to recipients of invitations. Members of the enactment too had names, telephone numbers, carnal addresses, dates of birth, genders and passwords stored palmy plain substance exposed. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 11 August 2013
Date added to HIBP: 14 July 2019
Compromised accounts: 100,985,047
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses
Permalink
Evony
In June 2016, the online multiplayer crippled Evony was hacked and implicit 29 cardinal unsocial accounts were exposed. The onslaught led to the vulnerability of usernames, email and IP addresses and MD5 hashes of passwords (without salt).
Breach date: 1 June 2016
Date added to HIBP: 25 March 2017
Compromised accounts: 29,396,116
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Exactis
In June 2018, the selling steadfast Exactis inadvertently publically leaked 340 cardinal records of idiosyncratic data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained aggregate terabytes of idiosyncratic accusation dispersed crossed hundreds of abstracted fields including addresses, telephone numbers, household structures and extended profiling data. The accusation was collected arsenic information of Exactis' enactment arsenic a "compiler and aggregator of premium interest & idiosyncratic data" which they past merchantability for profiling and selling purposes. A tiny subset of the exposed fields were provided to Have I Been Pwned and contained 132 cardinal unsocial email addresses.
Breach date: 1 June 2018
Date added to HIBP: 25 July 2018
Compromised accounts: 131,577,763
Compromised data: Credit presumption information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
Permalink
Experian (2015)
In September 2015, the US based designation bureau and idiosyncratic accusation broker Experian suffered a accusation breach that impacted 15 cardinal customers who had applied for financing from T-Mobile. An alleged accusation breach was subsequently circulated containing idiosyncratic accusation including names, carnal and email addresses, commencement dates and assorted antithetic idiosyncratic attributes. Multiple Have I Been Pwned subscribers verified portions of the accusation arsenic being accurate, but the existent basal of it was inconclusive therefor this breach has been flagged arsenic "unverified".
Breach date: 16 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 7,196,890
Compromised data: Credit presumption information, Dates of birth, Email addresses, Ethnicities, Family structure, Genders, Home ownership statuses, Income levels, IP addresses, Names, Phone numbers, Physical addresses, Purchasing habits
Permalink
Experian (South Africa)
In August 2020, Experian South Africa suffered a accusation breach which exposed the idiosyncratic accusation of tens of millions of individuals. Only 1.3M of the records contained email addresses, whilst astir contained authorities issued individuality numbers, names, addresses, occupations and employers, amongst antithetic idiosyncratic information.
Breach date: 19 August 2020
Date added to HIBP: 1 September 2020
Compromised accounts: 1,284,637
Compromised data: Email addresses, Employers, Government issued IDs, Names, Occupations, Phone numbers
Permalink
Exploit.In
In precocious 2016, a immense database of email codification and password pairs appeared palmy a "combo list" referred to arsenic "Exploit.In". The database contained 593 cardinal unsocial email addresses, galore with aggregate antithetic passwords hacked from assorted online systems. The database was broadly circulated and utilized for "credential stuffing", that is attackers employment it palmy an effort to spot antithetic online systems wherever the narration proprietor had reused their password. For elaborate inheritance connected this incident, enactment Password reuse, credential stuffing and antithetic cardinal records palmy Have I Been Pwned.
Breach date: 13 October 2016
Date added to HIBP: 6 May 2017
Compromised accounts: 593,427,119
Compromised data: Email addresses, Passwords
Permalink
Exposed VINs
In June 2017, an unsecured database with overmuch than 10 cardinal VINs (vehicle designation numbers) was discovered by researchers. Believed to beryllium sourced from US car dealerships, the accusation included a raft of idiosyncratic accusation and conveyance accusation connected with 397k unsocial email addresses.
Breach date: 5 June 2017
Date added to HIBP: 9 June 2017
Compromised accounts: 396,650
Compromised data: Dates of birth, Email addresses, Family structure, Genders, Names, Phone numbers, Physical addresses, Vehicle details
Permalink
Eye4Fraud
In February 2023, data alleged to idiosyncratic been taken from the fraud extortion enactment Eye4Fraud was listed for merchantability connected a fashionable hacking forum. Spanning tens of millions of rows with 16M unsocial email addresses, the accusation was dispersed crossed 147 tables totalling 65GB and included immoderate nonstop users of the enactment and what appears to beryllium individuals who'd placed orders connected antithetic services that implemented Eye4Fraud to enactment their sales. The accusation included names and bcrypt password hashes for users, and names, telephone numbers, carnal addresses and partial designation insubstantial accusation (card benignant and past 4 digits) for orders placed utilizing the service. Eye4Fraud did not respond to aggregate attempts to survey the incident.
Breach date: 25 January 2023
Date added to HIBP: 6 March 2023
Compromised accounts: 16,000,591
Compromised data: Email addresses, IP addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses
Permalink
EyeEm
In February 2018, photography website EyeEm suffered a accusation breach. The breach was identified among a postulation of antithetic ample incidents and exposed astir 20M unsocial email addresses, names, usernames, bios and password hashes. The accusation was provided to HIBP by a basal who asked for it to beryllium attributed to "Kuroi'sh oregon Gabriel Kimiaie-Asadi Bildstein".
Breach date: 28 February 2018
Date added to HIBP: 16 February 2019
Compromised accounts: 19,611,022
Compromised data: Bios, Email addresses, Names, Passwords, Usernames
Permalink
In April 2021, a ample accusation acceptable of implicit 500 cardinal Facebook users was made freely disposable for download. Encompassing astir 20% of Facebook's subscribers, the accusation was allegedly obtained by exploiting a vulnerability Facebook advises they rectified palmy August 2019. The superior worthy of the accusation is the narration of telephone numbers to identities; whilst each grounds included phone, lone 2.5 cardinal contained an email address. Most records contained names and genders with galore too including dates of birth, location, narration presumption and employer.
Breach date: 1 August 2019
Date added to HIBP: 4 April 2021
Compromised accounts: 509,458,528
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, Names, Phone numbers, Relationship statuses
Permalink
Facepunch
In June 2016, the crippled betterment workplace Facepunch suffered a accusation breach that exposed 343k users. The breached accusation included usernames, email and IP addresses, dates of commencement and salted MD5 password hashes. Facepunch advised they were alert of the incidental and had notified extremist astatine the time. The accusation was provided to HIBP by whitehat accusation researcher and accusation adept Adam Davies.
Breach date: 3 June 2016
Date added to HIBP: 17 October 2018
Compromised accounts: 342,913
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
FaceUP
In 2013, the Danish societal media tract FaceUP suffered a accusation breach. The incidental exposed 87k unsocial email addresses alongside genders, dates of birth, names, telephone numbers and passwords stored arsenic unsalted MD5 hashes. When notified of the incident, FaceUP advised they had identified a SQL injection vulnerability astatine the clip and forced password resets connected impacted customers.
Breach date: 1 January 2013
Date added to HIBP: 13 January 2019
Compromised accounts: 87,633
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Usernames
Permalink
Factual
In March 2017, a grounds containing 8M rows of accusation allegedly sourced from accusation aggregator Factual was compiled and aboriginal exchanged connected the premise it was a "breach". The accusation contained 2.5M unsocial email addresses alongside interest names, addresses and telephone numbers. After consultation with Factual, they advised the accusation was "publicly disposable accusation astir businesses and antithetic points of engagement that Factual makes disposable connected its website and to customers".
Breach date: 22 March 2017
Date added to HIBP: 24 December 2019
Compromised accounts: 2,461,696
Compromised data: Email addresses, Employers, Phone numbers, Physical addresses
Permalink
Famm
In precocious 2020, the Japanese household photos website Famm suffered a accusation breach that subsequently exposed 1.3M suit records, including 535k unsocial email addresses. Impacted accusation too included names, dates of birth, genders and passwords stored arsenic SHA-256 hashes.
Breach date: 8 October 2020
Date added to HIBP: 16 July 2022
Compromised accounts: 535,240
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords
Permalink
Fanpass
In April 2022, the UK based website for buying and selling changeable tickets Fanpass suffered a accusation breach which exposed 112k suit records. Impacted accusation includes names, telephone numbers, carnal addresses, acquisition histories and salted password hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "breaches.net".
Breach date: 30 April 2022
Date added to HIBP: 24 May 2022
Compromised accounts: 112,251
Compromised data: Email addresses, Genders, Names, Partial dates of birth, Passwords, Phone numbers, Physical addresses, Purchases, Social media profiles
Permalink
Fantasy Football Hub
In October 2021, the phantasy premier league (soccer) website Fantasy Football Hub suffered a accusation breach that exposed 66 1000 unsocial email addresses. The accusation included names, usernames, IP addresses, transactions and passwords stored arsenic WordPress MD5 hashes.
Breach date: 2 October 2021
Date added to HIBP: 7 October 2021
Compromised accounts: 66,479
Compromised data: Email addresses, IP addresses, Names, Passwords, Purchases, Usernames
Permalink
Fashion Nexus
In July 2018, UK-based ecommerce instauration Fashion Nexus suffered a accusation breach which exposed 1.4 cardinal records. Multiple websites developed by sister instauration White Room Solutions were impacted palmy the breach amongst which were sites including Jaded London and AX Paris. The assorted sites exposed palmy the incidental included a scope of antithetic accusation types including names, telephone numbers, addresses and passwords stored arsenic a premix of salted MD5 and SHA-1 arsenic bully arsenic unsalted MD5 passwords. When asked by newsman Graham Cluley if a nationalist transportation connected the incidental was available, a one-word effect of "No" was received.
Breach date: 9 July 2018
Date added to HIBP: 31 July 2018
Compromised accounts: 1,279,263
Compromised data: Browser idiosyncratic origin details, Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
FashionFantasyGame
In precocious 2016, the mode gaming website Fashion Fantasy Game suffered a accusation breach. The incidental exposed 2.3 cardinal unsocial idiosyncratic accounts and corresponding MD5 password hashes with nary salt. The accusation was contributed to Have I Been Pwned courtesy of [email protected].
Breach date: 1 December 2016
Date added to HIBP: 20 April 2017
Compromised accounts: 2,357,872
Compromised data: Email addresses, Passwords
Permalink
Filmai.in
In astir 2019 oregon 2020, the Lithuanian movie streaming enactment Filmai.in suffered a accusation breach exposing 645k email addresses, usernames and plain substance passwords.
Breach date: 1 January 2020
Date added to HIBP: 23 February 2021
Compromised accounts: 645,786
Compromised data: Email addresses, Passwords, Usernames
Permalink
Final Fantasy Shrine
In September 2015, the Final Fantasy attraction forum known arsenic FFShrine was breached and the accusation dumped publicly. Approximately 620k records were released containing email addresses, IP addresses and salted hashes of passwords.
Breach date: 18 September 2015
Date added to HIBP: 31 October 2015
Compromised accounts: 620,677
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Flash Flash Revolution (2016 breach)
In February 2016, the music-based bushed crippled known arsenic Flash Flash Revolution was hacked and 1.8M accounts were exposed. Along with email and IP addresses, the vBulletin forum too exposed salted MD5 password hashes.
Breach date: 1 February 2016
Date added to HIBP: 6 September 2016
Compromised accounts: 1,771,845
Compromised data: Email addresses, Passwords, Usernames
Permalink
Flash Flash Revolution (2019 breach)
In July 2019, the music-based bushed crippled Flash Flash Revolution suffered a accusation breach. The 2019 breach imapcted astir 1.9 cardinal members and is in summation to the 2016 accusation breach of the aforesaid service. Email and IP addesses, usernames, dates of commencement and salted MD5 hashes were each exposed palmy the breach. The accusation was provided with enactment from dehashed.com.
Breach date: 16 July 2019
Date added to HIBP: 21 July 2019
Compromised accounts: 1,858,124
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
FlexBooker
In December 2021, the online booking enactment FlexBooker suffered a accusation breach that exposed 3.7 cardinal accounts. The accusation included email addresses, names, telephone numbers and for a tiny fig of accounts, password hashes and partial designation insubstantial data. FlexBooker has identified the breach arsenic originating from a compromised narration incorrect their AWS infrastructure. The accusation was recovered being actively traded connected a fashionable hacking forum and was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 23 December 2021
Date added to HIBP: 6 January 2022
Compromised accounts: 3,756,794
Compromised data: Email addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers
Permalink
Fling
In 2011, the self-proclaimed "World's Best Adult Social Network" website known arsenic Fling was hacked and overmuch than 40 cardinal accounts obtained by the attacker. The breached accusation included highly delicate idiosyncratic attributes specified arsenic intersexual predisposition and intersexual interests arsenic bully arsenic email addresses and passwords stored palmy plain text.
Breach date: 10 March 2011
Date added to HIBP: 28 May 2016
Compromised accounts: 40,767,652
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Phone numbers, Sexual fetishes, Sexual orientations, Usernames, Website activity
Permalink
Florida Virtual School
In March 2018, the Florida Virtual School (FLVS) posted a accusation breach notification to their website. The schoolhouse had identified a accusation breach which had occurred sometime betwixt 6 May 2016 and 12 Feb 2018 and an XML grounds containing 368k pupil records was subsequently recovered circulating. Each grounds contained pupil name, time of birth, password, grade, email and genitor email resulting palmy a afloat of 543k unsocial email addresses. Due to the prevalence of email addresses belonging to individuals who are inactive legally children, the accusation breach has been flagged arsenic "sensitive".
Breach date: 12 February 2018
Date added to HIBP: 18 March 2018
Compromised accounts: 542,902
Compromised data: Dates of birth, Email addresses, Names, Passwords, School grades (class levels), Usernames
Permalink
Foodora
In April 2016, the online nutrient proscription enactment Foodora suffered a accusation breach which was past extensively redistributed online. The breach included the idiosyncratic accusation of hundreds of thousands of customers from aggregate countries including their names, proscription addresses, telephone numbers and passwords stored arsenic either a salted MD5 oregon a bcrypt hash.
Breach date: 22 April 2016
Date added to HIBP: 16 June 2020
Compromised accounts: 582,578
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Forbes
In February 2014, the Forbes website succumbed to an onslaught that leaked implicit 1 cardinal idiosyncratic accounts. The onslaught was attributed to the Syrian Electronic Army, allegedly arsenic retribution for a perceived "Hate of Syria". The onslaught not lone leaked idiosyncratic credentials, but too resulted palmy the posting of fake prime stories to forbes.com.
Breach date: 15 February 2014
Date added to HIBP: 15 February 2014
Compromised accounts: 1,057,819
Compromised data: Email addresses, Passwords, User website URLs, Usernames
Permalink
ForumCommunity
In astir mid-2016, the Italian-based enactment for creating forums known arsenic ForumCommunity suffered a accusation breach. The incidental impacted implicit 776k unsocial email addresses connected with usernames and unsalted MD5 password hashes. No effect was received from ForumCommunity erstwhile contacted.
Breach date: 1 June 2016
Date added to HIBP: 5 December 2018
Compromised accounts: 776,648
Compromised data: Email addresses, Passwords, Usernames
Permalink
Fotolog
In December 2018, the photograph sharing societal web Fotolog suffered a accusation breach that exposed 16.7 cardinal unsocial email addresses. The accusation too included usernames and unsalted SHA-256 password hashes. The tract was dissolved the pursuing twelvemonth and repurposed arsenic a prime website based palmy Brcko, Bosnia and Herzegovina.
Breach date: 1 December 2018
Date added to HIBP: 15 June 2021
Compromised accounts: 16,717,854
Compromised data: Email addresses, Passwords, Usernames
Permalink
Foxy Bingo
In April 2007, the online gambling tract Foxy Bingo was hacked and 252,000 accounts were obtained by the hackers. The breached records were subsequently sold and traded and included idiosyncratic accusation accusation specified arsenic plain substance passwords, commencement dates and determination addresses.
Breach date: 4 April 2008
Date added to HIBP: 22 November 2015
Compromised accounts: 252,216
Compromised data: Account balances, Browser idiosyncratic origin details, Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Usernames, Website activity
Permalink
Freedom Hosting II
In January 2017, the escaped hidden enactment large Freedom Hosting II suffered a accusation breach. The onslaught allegedly took down 20% of acheronian web sites moving down Tor hidden services with the attacker claiming that of the 10,613 impacted sites, overmuch than 50% of the contented was kid pornography. The hack led to the vulnerability of MySQL databases for the sites which included a immense magnitude of accusation connected the hidden services Freedom Hosting II was managing. The impacted accusation classes acold exceeds those listed for the breach and disagree betwixt the thousands of impacted sites.
Breach date: 31 January 2017
Date added to HIBP: 5 February 2017
Compromised accounts: 380,830
Compromised data: Email addresses, Passwords, Usernames
Permalink
FreshMenu
In July 2016, the India-based nutrient proscription enactment FreshMenu suffered a accusation breach. The incidental exposed the idiosyncratic accusation of implicit 110k customers and included their names, email addresses, telephone numbers, determination addresses and bid histories. When advised of the incident, FreshMenu acknowledged being already alert of the breach but stated they had decided not to notify impacted customers.
Breach date: 1 July 2016
Date added to HIBP: 10 September 2018
Compromised accounts: 110,355
Compromised data: Device information, Email addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Fridae
In May 2014, implicit 25,000 idiosyncratic accounts were breached from the Asian lesbian, gay, bisexual and transgender website known arsenic "Fridae". The onslaught which was announced connected Twitter appears to idiosyncratic been orchestrated by Deletesec who assertion that "Digital weapons shall annihilate each secrecy incorrect governments and corporations". The exposed accusation included password stored palmy plain text.
Breach date: 2 May 2014
Date added to HIBP: 6 May 2014
Compromised accounts: 35,368
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Funimation
In July 2016, the anime tract Funimation suffered a accusation breach that impacted 2.5 cardinal accounts. The accusation contained usernames, email addresses, dates of commencement and salted SHA1 hashes of passwords.
Breach date: 1 July 2016
Date added to HIBP: 20 February 2017
Compromised accounts: 2,491,103
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
Funny Games
In April 2018, the online amusement tract Funny Games suffered a accusation breach that disclosed 764k records including usernames, email and IP addresses and salted MD5 password hashes. The incidental was disclosed to Funny Games palmy July who acknowledged the breach and identified it had been caused by bequest codification nary longer palmy use. The grounds fig palmy the breach correspond astir fractional of the idiosyncratic base.
Breach date: 28 April 2018
Date added to HIBP: 24 July 2018
Compromised accounts: 764,357
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Fur Affinity
In May 2016, the Fur Affinity website for extremist with an engagement palmy anthropomorphic carnal characters (also known arsenic "furries") was hacked. The onslaught exposed 1.2M email addresses (many accounts had a antithetic "first" and "last" email against them) and hashed passwords.
Breach date: 17 May 2016
Date added to HIBP: 27 May 2016
Compromised accounts: 1,270,564
Compromised data: Email addresses, Passwords, Usernames
Permalink
Gaadi
In May 2015, the Indian motoring website known arsenic Gaadi had 4.3 cardinal records exposed palmy a accusation breach. The accusation contained usernames, email and IP addresses, genders, the metropolis of users arsenic bully arsenic passwords stored palmy immoderate plain substance and arsenic MD5 hashes. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 14 May 2015
Date added to HIBP: 1 July 2018
Compromised accounts: 4,261,179
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Usernames
Permalink
Gab
In February 2021, the alt-tech societal web enactment Gab suffered a accusation breach. The incidental exposed astir 70GB of accusation including 4M idiosyncratic accounts, a tiny fig of backstage chat logs and a database of nationalist groups and nationalist posts made to the service. Only a tiny fig of accounts included email addresses and / oregon passwords stored arsenic bcrypt hashes with a afloat of 66.5k unsocial email addresses being exposed crossed the corpus of data.
Breach date: 26 February 2021
Date added to HIBP: 3 March 2021
Compromised accounts: 66,521
Compromised data: Avatars, Email addresses, Names, Passwords, Private messages, Usernames
Permalink
Gamerzplanet
In astir October 2015, the online gaming forum known arsenic Gamerzplanet was hacked and overmuch than 1.2M accounts were exposed. The vBulletin forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 23 October 2015
Date added to HIBP: 5 February 2016
Compromised accounts: 1,217,166
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
GameSalad
In February 2019, the acquisition and crippled instauration website Game Salad suffered a accusation breach. The incidental impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored arsenic SHA-256 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 24 February 2019
Date added to HIBP: 21 July 2019
Compromised accounts: 1,506,242
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
GameTuts
Likely palmy aboriginal 2015, the video crippled website GameTuts suffered a accusation breach and implicit 2 cardinal idiosyncratic accounts were exposed. The tract aboriginal shut down palmy July 2016 but was identified arsenic having been hosted connected a vBulletin forum. The exposed accusation included usernames, email and IP addresses and salted MD5 hashes.
Breach date: 1 March 2015
Date added to HIBP: 23 September 2016
Compromised accounts: 2,064,274
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Gamigo
In March 2012, the German online crippled steadfast Gamigo was hacked and overmuch than 8 cardinal accounts publically leaked. The breach included email addresses and passwords stored arsenic anemic MD5 hashes with nary salt.
Breach date: 1 March 2012
Date added to HIBP: 18 January 2016
Compromised accounts: 8,243,604
Compromised data: Email addresses, Passwords
Permalink
GateHub
In October 2019, 1.4M accounts from the cryptocurrency wallet enactment GateHub were posted to a fashionable hacking forum. GateHub had previously acknowledged a accusation breach palmy June, albeit with a smaller fig of impacted accounts. Data from the breach included email addresses, mnemonic phrases, encrypted maestro keys, encrypted betterment keys and passwords stored arsenic bcrypt hashes.
Breach date: 4 June 2019
Date added to HIBP: 20 November 2019
Compromised accounts: 1,408,078
Compromised data: Email addresses, Encrypted keys, Mnemonic phrases, Passwords
Permalink
Gawker
In December 2010, Gawker was attacked by the hacker firm "Gnosis" palmy retaliation for what was reported to beryllium a feud betwixt Gawker and 4Chan. Information astir Gawkers 1.3M users was published connected with the accusation from Gawker's antithetic web presences including Gizmodo and Lifehacker. Due to the prevalence of password reuse, galore victims of the breach then had their Twitter accounts compromised to nonstop Acai berry spam.
Breach date: 11 December 2010
Date added to HIBP: 4 December 2013
Compromised accounts: 1,247,574
Compromised data: Email addresses, Passwords, Usernames
Permalink
Ge.tt
In May 2017, the grounds sharing level Ge.tt suffered a accusation breach. The accusation was subsequently enactment up for merchantability connected a acheronian web marketplace palmy February 2019 alongside a raft of antithetic breaches. The Ge.tt breach included names, societal media illustration identifiers, SHA256 password hashes and astir 2.5M unsocial email addresses. The accusation was provided to HIBP by a basal who requested it beryllium attributed to BreachDirectory.
Breach date: 4 May 2017
Date added to HIBP: 16 February 2021
Compromised accounts: 2,481,121
Compromised data: Email addresses, Names, Passwords, Social media profiles
Permalink
GeekedIn
In August 2016, the exertion recruitment tract GeekedIn adjacent a MongoDB database exposed and implicit 8M records were extracted by an chartless 3rd party. The breached accusation was primitively scraped from GitHub palmy usurpation of their presumption of usage and contained accusation exposed palmy nationalist profiles, including implicit 1 cardinal members' email addresses. Full details connected the incidental (including nevertheless impacted members tin spot their leaked data) are covered palmy the blog presumption connected 8 cardinal GitHub profiles were leaked from GeekedIn's MongoDB - here's nevertheless to spot yours.
Breach date: 15 August 2016
Date added to HIBP: 17 November 2016
Compromised accounts: 1,073,164
Compromised data: Email addresses, Geographic locations, Names, Professional skills, Usernames, Years of nonrecreational experience
Permalink
Genesis Market
In April 2023, the stolen individuality marketplace Genesis Market was unopen down by the FBI and a conjugation of instrumentality enforcement agencies crossed the globe palmy "Operation Cookie Monster". The enactment traded palmy "browser fingerprints" which enabled criminals to impersonate victims and entree their online services. As galore of the impacted accounts did not spot email addresses, "8M" is simply an approximation intended to bespeak scale. Other idiosyncratic accusation compromised by the enactment included names, addresses and designation insubstantial information, though not each individuals had each of these fields exposed.
Breach date: 5 April 2023
Date added to HIBP: 5 April 2023
Compromised accounts: 8,000,000
Compromised data: Browser idiosyncratic origin details, Credit insubstantial CVV, Credit cards, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
GeniusU
In November 2020, a postulation of accusation breaches were made nationalist including the "Entrepreneur Success Platform", GeniusU. Dating backmost to the erstwhile month, the accusation included 1.3M names, email and IP addresses, genders, links to societal media profiles and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 2 October 2020
Date added to HIBP: 8 January 2021
Compromised accounts: 1,301,460
Compromised data: Email addresses, Genders, IP addresses, Names, Passwords, Social media profiles
Permalink
Get Revenge On Your Ex
In September 2022, the revenge website Get Revenge On Your Ex suffered a accusation breach that exposed astir 80k unsocial email addresses. The accusation spanned immoderate customers and victims including names, IP and carnal addresses, telephone numbers, acquisition histories and plain substance passwords. The accusation was subsequently shared connected a nationalist hacking forum, Get Revenge On Your Ex did not reply erstwhile contacted.
Breach date: 9 September 2022
Date added to HIBP: 15 November 2022
Compromised accounts: 79,195
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
GFAN
In October 2016, accusation surfaced that was allegedly obtained from the Chinese website known arsenic GFAN and contained 22.5M accounts. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email and IP addresses, idiosyncratic names and salted and hashed passwords. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 10 October 2016
Date added to HIBP: 10 October 2016
Compromised accounts: 22,526,334
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Glofox
In March 2020, the Irish gym absorption bundle instauration Glofox suffered a accusation breach which exposed 2.3M fertile records. The accusation included email addresses, names, telephone numbers, genders, dates of commencement and passwords stored arsenic unsalted MD5 hashes.
Breach date: 27 March 2020
Date added to HIBP: 10 January 2021
Compromised accounts: 2,330,735
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers
Permalink
Go Games
In astir October 2015, the manga website Go Games suffered a accusation breach. The exposed accusation included 3.4M suit records including email and IP addresses, usernames and passwords stored arsenic salted MD5 hashes. Go Games did not respond erstwhile contacted astir the incident. The accusation was provided to HIBP by dehashed.com.
Breach date: 24 October 2015
Date added to HIBP: 11 January 2020
Compromised accounts: 3,430,083
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
GoldSilver
In October 2018, the bullion acquisition and trader services tract GoldSilver suffered a accusation breach that exposed 243k unsocial email addresses spanning customers and mailing database subscribers. An extended magnitude of idiosyncratic accusation connected customers was obtained including names, addresses, telephone numbers, purchases and passwords and answers to accusation questions stored arsenic MD5 hashes. In a tiny fig of cases, passport, societal accusation numbers and partial designation insubstantial accusation was too exposed. The accusation breach and basal codification belonging to GoldSilver was publically posted connected a acheronian web enactment wherever it remained months later. When notified astir the incident, GoldSilver advised that "all affected customers idiosyncratic been consecutive notified".
Breach date: 21 October 2018
Date added to HIBP: 27 December 2018
Compromised accounts: 242,715
Compromised data: Bank narration numbers, Email addresses, IP addresses, Names, Partial designation insubstantial data, Passport numbers, Phone numbers, Physical addresses, Purchases, Security questions and answers, Social accusation numbers
Permalink
gPotato
In July 2007, the multiplayer crippled portal known arsenic gPotato (link to archive of the tract astatine that time) suffered a accusation breach and implicit 2 cardinal idiosyncratic accounts were exposed. The tract aboriginal merged into the Webzen portal wherever the archetypal accounts inactive beryllium today. The exposed accusation included usernames, email and IP addresses, MD5 hashes and idiosyncratic attributes specified arsenic gender, commencement date, carnal codification and accusation questions and answers stored palmy plain text.
Breach date: 12 July 2007
Date added to HIBP: 24 September 2016
Compromised accounts: 2,136,520
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Physical addresses, Security questions and answers, Usernames, Website activity
Permalink
GTAGaming
In August 2016, the Grand Theft Auto forum GTAGaming was hacked and astir 200k idiosyncratic accounts were leaked. The vBulletin based forum included usernames, email addresses and password hashes.
Breach date: 1 August 2016
Date added to HIBP: 23 August 2016
Compromised accounts: 197,184
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
GunAuction.com
In December 2022, the online firearms auction website GunAuction.com suffered a accusation breach which was aboriginal discovered adjacent unprotected connected the hacker's server. The accusation included implicit 565k idiosyncratic records with extended idiosyncratic accusation including email, IP and carnal addresses, names, telephone numbers, genders, years of birth, designation insubstantial benignant and passwords stored palmy plain text. The leaked identities could subsequently beryllium matched to firearms listed for merchantability connected the website.
Breach date: 3 December 2022
Date added to HIBP: 2 March 2023
Compromised accounts: 565,470
Compromised data: Browser idiosyncratic origin details, Email addresses, Genders, IP addresses, Partial designation insubstantial data, Partial dates of birth, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Guns and Robots
In astir April 2016, the gaming website Guns and Robots suffered a accusation breach resulting palmy the vulnerability of 143k unsocial records. The accusation contained email and IP addresses, usernames and SHA-1 password hashes. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 1 April 2016
Date added to HIBP: 14 February 2018
Compromised accounts: 143,569
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Guns.com
In January 2021, the firearms website guns.com suffered a accusation breach. The breach exposed 376k unsocial email addresses connected with names, telephone numbers, carnal addresses, limb purchases, partial designation insubstantial data, dates of commencement and passwords stored arsenic bcrypt hashes.
Breach date: 12 January 2021
Date added to HIBP: 13 January 2022
Compromised accounts: 375,928
Compromised data: Dates of birth, Email addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Guntrader
In July 2021, the United Kingdom based website Guntrader suffered a accusation breach that exposed 112k unsocial email addresses. Extensive idiosyncratic accusation was too exposed including names, telephone numbers, geolocation data, IP addresses and assorted carnal codification attributes (cities for each users, implicit addresses for some). Passwords stored arsenic bcrypt hashes were too exposed.
Breach date: 17 July 2021
Date added to HIBP: 21 July 2021
Compromised accounts: 112,031
Compromised data: Browser idiosyncratic origin details, Email addresses, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations
Permalink
hackforums.net
In June 2011, the hacktivist extremist known arsenic "LulzSec" leaked one past ample accusation breach they titled "50 days of lulz". The compromised accusation came from sources specified arsenic AT&T, Battlefield Heroes and the hackforums.net website. The leaked Hack Forums accusation included credentials and idiosyncratic accusation of astir 200,000 registered forum users.
Breach date: 25 June 2011
Date added to HIBP: 11 May 2014
Compromised accounts: 191,540
Compromised data: Dates of birth, Email addresses, Instant messenger identities, IP addresses, Passwords, Social connections, Spoken languages, Time zones, User website URLs, Usernames, Website activity
Permalink
Hacking Team
In July 2015, the Italian accusation steadfast Hacking Team suffered a ample accusation breach that resulted palmy implicit 400GB of their accusation being posted online via a torrent. The accusation searchable connected "Have I Been Pwned?" is from 189GB worthy of PST connection folders palmy the dump. The contents of the PST files is searchable connected Wikileaks.
Breach date: 6 July 2015
Date added to HIBP: 12 July 2015
Compromised accounts: 32,310
Compromised data: Email addresses, Email messages
Permalink
HauteLook
In mid-2018, the mode buying tract HauteLook was among a raft of sites that were breached and their accusation past sold palmy early-2019. The accusation included implicit 28 cardinal unsocial email addresses alongside names, genders, dates of commencement and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 7 August 2018
Date added to HIBP: 21 March 2019
Compromised accounts: 28,510,459
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords
Permalink
Havenly
In June 2020, the interior program website Havenly suffered a accusation breach which impacted astir 1.4 cardinal members of the service. The exposed accusation included email addresses, names, telephone numbers, geographic locations and passwords stored arsenic SHA-1 hashes, each of which was subsequently shared extensively passim online hacking communities. The accusation was provided to HIBP by dehashed.com.
Breach date: 25 June 2020
Date added to HIBP: 1 August 2020
Compromised accounts: 1,369,180
Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers
Permalink
HDB Financial Services
In March 2023, the Indian non-bank lending information HDB Financial Services suffered a accusation breach that disclosed implicit 70M suit records. Containing 1.6M unsocial email addresses, the breach too disclosed names, dates of birth, telephone numbers, genders, presumption codes and indebtedness accusation belonging to the customers.
Breach date: 22 February 2023
Date added to HIBP: 11 March 2023
Compromised accounts: 1,658,750
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Loan information, Names, Phone numbers
Permalink
Health Now Networks
In March 2017, the telemarketing enactment Health Now Networks adjacent a database containing hundreds of thousands of aesculapian records exposed. There were implicit 900,000 records palmy afloat containing important volumes of idiosyncratic accusation including names, dates of birth, assorted aesculapian conditions and narration notes connected the individuals' health. The accusation included implicit 320k unsocial email addresses.
Breach date: 25 March 2017
Date added to HIBP: 7 April 2017
Compromised accounts: 321,920
Compromised data: Dates of birth, Email addresses, Genders, Health information information, IP addresses, Names, Personal wellness data, Phone numbers, Physical addresses, Security questions and answers, Social connections
Permalink
Hemmakväll
In July 2015, the Swedish video store concatenation Hemmakväll was hacked and astir 50k records dumped publicly. The disclosed accusation included assorted attributes of their customers including email and carnal addresses, names and telephone numbers. Passwords were too leaked, stored with a anemic MD5 hashing algorithm.
Breach date: 8 July 2015
Date added to HIBP: 9 July 2015
Compromised accounts: 47,297
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
hemmelig.com
In December 2011, Norway's largest online enactment store hemmelig.com was hacked by a firm calling themselves "Team Appunity". The onslaught exposed implicit 28,000 usernames and email addresses connected with nicknames, gender, twelvemonth of commencement and unsalted MD5 password hashes.
Breach date: 21 December 2011
Date added to HIBP: 25 March 2014
Compromised accounts: 28,641
Compromised data: Email addresses, Genders, Nicknames, Partial dates of birth, Passwords, Usernames
Permalink
Heroes of Gaia
In aboriginal 2013, the online phantasy multiplayer crippled Heroes of Gaia suffered a accusation breach. The newest records palmy the accusation acceptable bespeak a breach time of 4 January 2013 and spot usernames, IP and email addresses but nary passwords.
Breach date: 4 January 2013
Date added to HIBP: 7 November 2016
Compromised accounts: 179,967
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Usernames, Website activity
Permalink
Heroes of Newerth
In December 2012, the multiplayer online struggle arena crippled known arsenic Heroes of Newerth was hacked and implicit 8 cardinal accounts extracted from the system. The compromised accusation included usernames, email addresses and passwords.
Breach date: 17 December 2012
Date added to HIBP: 24 January 2016
Compromised accounts: 8,089,103
Compromised data: Email addresses, Passwords, Usernames
Permalink
HiAPK
In astir 2014, it's alleged that the Chinese Android store known arsenic HIAPK suffered a accusation breach that impacted 13.8 cardinal unsocial subscribers. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains usernames, email addresses and salted MD5 password hashes and was provided to HIBP by achromatic chapeau accusation researcher and accusation adept Adam Davies. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 January 2014
Date added to HIBP: 1 April 2018
Compromised accounts: 13,873,674
Compromised data: Email addresses, Passwords, Usernames
Permalink
HLTV
In June 2016, the "home of competitory Counter Strike" website HLTV was hacked and 611k accounts were exposed. The onslaught led to the vulnerability of names, usernames, email addresses and bcrypt hashes of passwords.
Breach date: 19 June 2016
Date added to HIBP: 22 March 2017
Compromised accounts: 611,070
Compromised data: Email addresses, Names, Passwords, Usernames, Website activity
Permalink
Home Chef
In aboriginal 2020, the nutrient proscription enactment Home Chef suffered a accusation breach which was subsequently sold online. The breach exposed the idiosyncratic accusation of astir 9 cardinal customers including names, IP addresses, presumption codes, the past 4 digits of designation insubstantial numbers and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 10 February 2020
Date added to HIBP: 13 November 2020
Compromised accounts: 8,815,692
Compromised data: Email addresses, Geographic locations, IP addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers
Permalink
HongFire
In March 2015, the anime and manga forum HongFire suffered a accusation breach. The hack of their vBulletin forum led to the vulnerability of 1 cardinal accounts connected with email and IP addresses, usernames, dates of commencement and salted MD5 passwords.
Breach date: 1 March 2015
Date added to HIBP: 5 February 2017
Compromised accounts: 999,991
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Hookers.nl
In October 2019, the Dutch prostitution forum Hookers.nl suffered a accusation breach which exposed the idiosyncratic accusation of enactment workers and their customers. The IP and email addresses, usernames and either bcrypt oregon salted MD5 password hashes of 291k members were accessed via an unpatched vulnerability palmy the vBulletin forum software.
Breach date: 10 October 2019
Date added to HIBP: 23 October 2019
Compromised accounts: 290,955
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Houzz
In mid-2018, the lodging program website Houzz suffered a accusation breach. The instauration learned of the incidental aboriginal that twelvemonth past disclosed it to impacted members palmy February 2019. Almost 49 cardinal unsocial email addresses were palmy the breach alongside names, IP addresses, geographic locations and either salted hashes of passwords oregon links to societal media profiles utilized to authenticate to the service. The accusation was provided to HIBP by dehashed.com.
Breach date: 23 May 2018
Date added to HIBP: 12 March 2019
Compromised accounts: 48,881,308
Compromised data: Email addresses, Geographic locations, IP addresses, Names, Passwords, Social media profiles, Usernames
Permalink
HTC Mania
In January 2020, the Spanish mobile telephone forum HTC Mania suffered a accusation breach of the vBulletin based site. The incidental exposed 1.5M subordinate email addresses, usernames, IP addresses, dates of commencement and salted MD5 password hashes and password histories. Data from the breach was subsequently redistributed connected fashionable hacking websites.
Breach date: 4 January 2020
Date added to HIBP: 6 April 2020
Compromised accounts: 1,488,089
Compromised data: Dates of birth, Email addresses, Historical passwords, IP addresses, Passwords, Usernames
Permalink
HTH Studios
In August 2018, the large furry interactive crippled creator HTH Studios suffered a accusation breach impacting aggregate repositories of suit data. Several months later, the accusation surfaced connected a fashionable hacking forum and included 411k unsocial email addresses connected with carnal and IP addresses, names, orders, salted SHA-1 and salted MD5 hashes. HTH Studios is alert of the incident.
Breach date: 24 August 2018
Date added to HIBP: 20 November 2018
Compromised accounts: 411,755
Compromised data: Browser idiosyncratic origin details, Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Purchases, Usernames
Permalink
Hub4Tech
On an chartless time palmy astir 2017, the Indian grooming and appraisal enactment known arsenic Hub4Tech suffered a accusation breach via a SQL injection attack. The incidental exposed astir 37k unsocial email addresses and passwords stored arsenic unsalted MD5 hashes. No effect was received from Hub4Tech erstwhile contacted astir the incident.
Breach date: 1 January 2017
Date added to HIBP: 9 December 2018
Compromised accounts: 36,916
Compromised data: Email addresses, Passwords
Permalink
Hurb
In astir March 2019, the online Brazilian question bureau Hurb (formerly Hotel Urbano) suffered a accusation breach. The accusation subsequently appeared online for download the pursuing twelvemonth and included implicit 20 cardinal suit records with email and IP addresses, names, dates of birth, telephone numbers and passwords stored arsenic unsalted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 14 March 2019
Date added to HIBP: 27 July 2020
Compromised accounts: 20,727,771
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
iD Tech
In February 2023, the tech camps for kids enactment iD Tech had astir 1M records posted to a fashionable hacking forum. The accusation included 415k unsocial email addresses, names, dates of commencement and plain substance passwords which look to idiosyncratic been breached palmy the erstwhile month. iD Tech did not respond to aggregate attempts to survey the incident.
Breach date: 3 January 2023
Date added to HIBP: 6 March 2023
Compromised accounts: 415,121
Compromised data: Dates of birth, Email addresses, Names, Passwords
Permalink
i-Dressup
In June 2016, the teen societal tract known arsenic i-Dressup was hacked and implicit 2 cardinal idiosyncratic accounts were exposed. At the clip the hack was reported, the i-Dressup operators were not contactable and the underlying SQL injection flaw remained open, allegedly exposing a afloat of 5.5 cardinal accounts. The breach included email addresses and passwords stored palmy plain text.
Breach date: 15 July 2016
Date added to HIBP: 26 September 2016
Compromised accounts: 2,191,565
Compromised data: Email addresses, Passwords
Permalink
IIMJobs
In December 2018, the Indian concern portal IIMJobs suffered a accusation breach that exposed 4.1 cardinal unsocial email addresses. The accusation too included names, telephone numbers, geographic locations, dates of birth, concern titles, concern applications and surface letters affirmative passwords stored arsenic unsalted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 31 December 2018
Date added to HIBP: 21 May 2021
Compromised accounts: 4,216,063
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Job applications, Job titles, Names, Passwords, Phone numbers
Permalink
ILikeCheats
In October 2014, the crippled cheats website known arsenic ILikeCheats suffered a accusation breach that exposed 189k accounts. The vBulletin based forum leaked usernames, IP and email addresses and anemic MD5 hashes of passwords. The accusation was provided with enactment from dehashed.com.
Breach date: 18 October 2014
Date added to HIBP: 22 April 2018
Compromised accounts: 188,847
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Imavex
In August 2021, the website betterment instauration Imavex suffered a accusation breach that exposed 878 1000 unsocial email addresses. The accusation included idiosyncratic records containing names, usernames and password worldly with immoderate records too containing genders and partial designation insubstantial data, including the past 4 digits of the insubstantial and expiry date. Hundreds of thousands of signifier submissions and orders via Imavex customers were too exposed and contained further idiosyncratic accusation of submitters and the contents of the form.
Breach date: 20 August 2021
Date added to HIBP: 26 August 2021
Compromised accounts: 878,209
Compromised data: Email addresses, Genders, Names, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses, Purchases, Usernames
Permalink
iMenu360
In astir precocious 2022, 3.4M suit records from iMenu360 ("The world's #1 astir trusted online ordering platform") were exposed. The accusation appeared to beryllium from ordering systems utilizing the level and contained email and carnal addresses, latitudes and longitudes, names and telephone numbers. Numerous attempts were made to enactment iMenu360 astir the incidental betwixt April and August 2023, but nary effect was received.
Breach date: 11 August 2022
Date added to HIBP: 17 August 2023
Compromised accounts: 3,425,860
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
iMesh
In September 2013, the media and grounds sharing suit known arsenic iMesh was hacked and astir 50M accounts were exposed. The accusation was aboriginal enactment up for merchantability connected a acheronian marketplace website palmy mid-2016 and included email and IP addresses, usernames and salted MD5 hashes.
Breach date: 22 September 2013
Date added to HIBP: 2 July 2016
Compromised accounts: 49,467,477
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
imgur
In September 2013, the online practice sharing assemblage imgur suffered a accusation breach. A enactment of the accusation containing 1.7 cardinal email addresses and passwords surfaced overmuch than 4 years aboriginal palmy November 2017. Although imgur stored passwords arsenic SHA-256 hashes, the accusation palmy the breach contained plain substance passwords suggesting that galore of the archetypal hashes had been cracked. imgur advises that they rolled implicit to bcrypt hashes palmy 2016.
Breach date: 1 September 2013
Date added to HIBP: 25 November 2017
Compromised accounts: 1,749,806
Compromised data: Email addresses, Passwords
Permalink
IndiaMART
In August 2021, 38 cardinal records from Indian e-commerce instauration IndiaMART were recovered being traded connected a fashionable hacking forum. Dated respective months earlier, the accusation included implicit 20 cardinal unsocial email addresses alongside names, telephone numbers and carnal addresses. It's unclear whether IndiaMART intentionally exposed the accusation attributes arsenic information of the intended program of the level oregon whether the accusation was obtained by exploiting a vulnerability palmy the service.
Breach date: 23 May 2021
Date added to HIBP: 27 August 2021
Compromised accounts: 20,154,583
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
Insanelyi
In July 2014, the iOS forum Insanelyi was hacked by an attacker known arsenic Kim Jong-Cracks. A fashionable basal of accusation for users of jailbroken iOS devices moving Cydia, the Insanelyi breach disclosed implicit 104k users' emails addresses, idiosyncratic names and weakly hashed passwords (salted MD5).
Breach date: 22 July 2014
Date added to HIBP: 22 July 2014
Compromised accounts: 104,097
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
InterPals
In precocious 2015, the online penpal tract InterPals had their website hacked and 3.4 cardinal accounts exposed. The compromised accusation included email addresses, geographical locations, birthdates and salted hashes of passwords.
Breach date: 4 November 2015
Date added to HIBP: 30 August 2016
Compromised accounts: 3,439,414
Compromised data: Dates of birth, Email addresses, Geographic locations, Names, Passwords, Usernames
Permalink
iPmart
During 2015, the iPmart forum (now known arsenic Mobi NUKE) was hacked and implicit 2 cardinal forum members' details were exposed. The vBulletin forum included IP addresses, commencement dates and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked. A further 368k accounts were added to "Have I Been Pwned" palmy March 2016 bringing the afloat to implicit 2.4M.
Breach date: 1 July 2015
Date added to HIBP: 23 February 2016
Compromised accounts: 2,460,787
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
ixigo
In January 2019, the question and edifice booking tract ixigo suffered a accusation breach. The accusation appeared for merchantability connected a acheronian web marketplace the pursuing play and included implicit 17M unsocial email addresses alongside names, genders, telephone numbers, connections to Facebook profiles and passwords stored arsenic MD5 hashes. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "[email protected]".
Breach date: 3 January 2019
Date added to HIBP: 17 March 2019
Compromised accounts: 17,204,697
Compromised data: Auth tokens, Device information, Email addresses, Genders, Names, Passwords, Phone numbers, Salutations, Social media profiles, Usernames
Permalink
James
In June 2020, 14 antecedently undisclosed accusation breaches appeared for sale including the Brazilian proscription service, "James". The breach occurred palmy March 2020 and exposed 1.5M unsocial email addresses, suit locations expressed palmy longitude and latitude and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 25 March 2020
Date added to HIBP: 5 November 2020
Compromised accounts: 1,541,284
Compromised data: Email addresses, Geographic locations, Passwords
Permalink
JD
In 2013 (exact time unknown), the Chinese e-commerce enactment JD suffered a accusation breach that exposed 13GB of accusation containing 77 cardinal unsocial email addresses. The accusation too included usernames, telephone numbers and passwords stored arsenic SHA-1 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 January 2013
Date added to HIBP: 2 June 2021
Compromised accounts: 77,449,341
Compromised data: Email addresses, Passwords, Phone numbers, Usernames
Permalink
JD Group
In May 2023, the South African retailer JD Group announced a accusation breach affecting a fig of their online assets including Bradlows, Everyshop, HiFi Corp, Incredible (Connection), Rochester, Russells, and Sleepmasters. The breach exposed implicit 520k unsocial suit records including names, email and carnal addresses, telephone numbers and South African ID numbers.
Breach date: 31 May 2023
Date added to HIBP: 5 June 2023
Compromised accounts: 521,878
Compromised data: Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses
Permalink
Jefit
In August 2020, the workout tracking app Jefit suffered a accusation breach. The accusation was subsequently sold incorrect the hacking assemblage and included implicit 9 cardinal email and IP addresses, usernames and passwords stored arsenic either vBulletin oregon argon2 hashes. Several cardinal cracked passwords aboriginal appeared palmy wide circulation.
Breach date: 11 August 2020
Date added to HIBP: 27 April 2021
Compromised accounts: 9,052,457
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
JobStreet
In October 2017, the Malaysian website lowyat.net ran a communicative connected a monolithic acceptable of breached accusation affecting millions of Malaysians aft idiosyncratic posted it for merchantability connected their forums. The accusation spanned aggregate abstracted breaches including the JobStreet jobs website which contained astir 4 cardinal unsocial email addresses. The dates palmy the breach bespeak the incidental occurred palmy March 2012. The accusation aboriginal appeared freely downloadable connected a Tor hidden enactment and contained extended accusation connected concern seekers including names, genders, commencement dates, telephone numbers, carnal addresses and passwords.
Breach date: 7 March 2012
Date added to HIBP: 30 October 2017
Compromised accounts: 3,883,455
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Marital statuses, Names, Nationalities, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Jobzone
In April 2023, data from the Israeli jobs website Jobzone was posted online. The accusation included 30k records of email addresses, names, societal accusation numbers, genders, dates of birth, fathers' names and carnal addresses.
Breach date: 15 April 2023
Date added to HIBP: 15 August 2023
Compromised accounts: 29,708
Compromised data: Dates of birth, Email addresses, Family members' names, Genders, Government issued IDs, Names, Phone numbers, Physical addresses
Permalink
JoomlArt
In January 2018, the Joomla template website JoomlArt inadvertently exposed overmuch than 22k unsocial suit records palmy a Jira ticket. The exposed accusation was from iJoomla and JomSocial, immoderate services that JoomlArt acquired the erstwhile year. The accusation included usernames, email addresses, purchases and passwords stored arsenic MD5 hashes. When contacted, JoomlArt advised they were alert of the incidental and had antecedently notified impacted parties.
Breach date: 30 January 2018
Date added to HIBP: 1 November 2018
Compromised accounts: 22,477
Compromised data: Email addresses, Names, Passwords, Payment histories, Usernames
Permalink
JukinMedia
In October 2021, the "global idiosyncratic palmy user-generated entertainment" Jukin Media suffered a accusation breach. The breach exposed 13GB of code, configuration and accusation consisting of 314k unsocial email addresses connected with names, telephone numbers, IP addresses and bcrypt password hashes.
Breach date: 28 October 2021
Date added to HIBP: 17 July 2022
Compromised accounts: 314,290
Compromised data: Email addresses, Employers, IP addresses, Names, Occupations, Passwords, Phone numbers
Permalink
Justdate.com
An alleged breach of the dating website Justdate.com began circulating palmy astir September 2016. Comprised of implicit 24 cardinal records, the accusation contained assorted idiosyncratic attributes specified arsenic email addresses, dates of commencement and carnal locations. However, upon verification with HIBP subscribers, lone a fraction of the accusation was recovered to beryllium adjacent and nary narration owners recalled utilizing the Justdate.com service. This breach has consequently been flagged arsenic fabricated; it's highly improbable the accusation was sourced from Justdate.com.
Breach date: 29 September 2016
Date added to HIBP: 7 February 2017
Compromised accounts: 24,451,312
Compromised data: Dates of birth, Email addresses, Geographic locations, Names
Permalink
Kayo.moe Credential Stuffing List
In September 2018, a postulation of astir 42 cardinal email codification and plain substance password pairs was uploaded to the anonymous grounds sharing enactment kayo.moe. The narration of the enactment contacted HIBP to survey the accusation which, upon further investigation, turned retired to beryllium a ample credential stuffing list. For overmuch information, enactment astir The 42M Record kayo.moe Credential Stuffing Data.
Breach date: 11 September 2018
Date added to HIBP: 13 September 2018
Compromised accounts: 41,826,763
Compromised data: Email addresses, Passwords
Permalink
Kickstarter
In February 2014, the crowdfunding level Kickstarter announced they'd suffered a accusation breach. The breach contained astir 5.2 cardinal unsocial email addresses, usernames and salted SHA1 hashes of passwords.
Breach date: 16 February 2014
Date added to HIBP: 6 October 2017
Compromised accounts: 5,176,463
Compromised data: Email addresses, Passwords
Permalink
Kimsufi
In mid-2015, the forum for the providers of affordable dedicated servers known arsenic Kimsufi suffered a accusation breach. The vBulletin forum contained implicit fractional a cardinal accounts including usernames, email and IP addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 1 May 2015
Date added to HIBP: 27 December 2016
Compromised accounts: 504,565
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
KiwiFarms
In September 2019, the forum for discussing "lolcows" (people who tin beryllium milked for laughs) Kiwi Farms suffered a accusation breach. The disclosure announcement advised that email and IP addresses, dates of commencement and contented created by members were each exposed palmy the incident.
Breach date: 10 September 2019
Date added to HIBP: 17 September 2019
Compromised accounts: 4,606
Compromised data: Avatars, Dates of birth, Email addresses, IP addresses, Website activity
Permalink
KM.RU
In February 2016, the Russian portal and email enactment KM.RU was the radical of an onslaught which was consequently detailed connected Reddit. Allegedly protesting "the overseas argumentation of Russia palmy regards to Ukraine", KM.RU was 1 of respective Russian sites palmy the breach and impacted astir 1.5M accounts including delicate idiosyncratic information.
Breach date: 29 February 2016
Date added to HIBP: 3 March 2016
Compromised accounts: 1,476,783
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Recovery email addresses, Security questions and answers, Usernames
Permalink
KnownCircle
In astir April 2016, the "marketing automation for agents and nonrecreational enactment providers" instauration KnownCircle had a ample measurement of accusation obtained by an outer party. The accusation belonging to the contiguous defunct enactment appeared palmy JSON format and contained gigabytes of accusation related to the existent spot and information sectors. The idiosyncratic accusation palmy the breach appears to idiosyncratic chiefly been utilized for selling purposes, including logs of emails sent and tracking of acquisition cards. A tiny fig of passwords for KnownCircle portion were too contiguous and were stored arsenic bcrypt hashes.
Breach date: 12 April 2016
Date added to HIBP: 17 November 2018
Compromised accounts: 1,957,600
Compromised data: Email addresses, Email messages, Genders, Names, Passwords, Phone numbers, Physical addresses
Permalink
Knuddels
In September 2018, the German societal media website Knuddels suffered a accusation breach. The incidental exposed 808k unsocial email addresses alongside usernames, existent names, the metropolis of the idiosyncratic and their password palmy plain text. Knuddels was subsequently fined €20k for the breach.
Breach date: 5 September 2018
Date added to HIBP: 8 April 2019
Compromised accounts: 808,330
Compromised data: Email addresses, Geographic locations, Names, Passwords, Usernames
Permalink
KomplettFritid
In January 2023, the online Norwegian store KomplettFritid was reported arsenic having had a accusation breach dating backmost to February 2021. The incidental exposed 140k suit records including physical, email and IP addresses, names, telephone numbers and passwords. Most passwords were stored arsenic bcrypt hashes with a tiny fig appearing palmy plain text.
Breach date: 1 February 2021
Date added to HIBP: 23 January 2023
Compromised accounts: 139,401
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Kreditplus
In June 2020, the Indonesian designation enactment Kreditplus suffered a accusation breach which exposed 896k records containing 769k unsocial email addresses. The breach exposed extended idiosyncratic accusation including names, household makeup, accusation connected spouses, income and expenses, religions and employment information. The accusation was provided to HIBP by breachbase.pw.
Breach date: 23 June 2020
Date added to HIBP: 3 August 2020
Compromised accounts: 768,890
Compromised data: Dates of birth, Email addresses, Employers, Family structure, Genders, Income levels, Living costs, Marital statuses, Mothers maiden names, Names, Phone numbers, Physical addresses, Places of birth, Religions, Spouses names
Permalink
La Poste Mobile
In July 2022, the French telecommunications instauration La Poste Mobile was the radical of an onslaught by the LockBit ransomware which resulted palmy instauration accusation being published publicly. The impacted accusation included 533k unsocial email addresses connected with names, carnal addresses, telephone numbers, dates of births, genders and banking information. 10 days aft the attack, the La Poste Mobile website remained offline.
Breach date: 4 July 2022
Date added to HIBP: 14 July 2022
Compromised accounts: 533,886
Compromised data: Bank narration numbers, Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses
Permalink
Lanwar
In July 2018, portion of the Lanwar gaming site discovered a accusation breach they justice dates backmost to sometime implicit the erstwhile respective months. The accusation contained 45k names, email addresses, usernames and plain substance passwords. A Lanwar portion subordinate self-submitted the breach to HIBP and has too contacted the applicable authorities astir the incidental aft identifying a phishing effort to extort Bitcoin from a user.
Breach date: 28 July 2018
Date added to HIBP: 8 August 2018
Compromised accounts: 45,120
Compromised data: Email addresses, Names, Passwords, Physical addresses, Usernames
Permalink
Last.fm
In March 2012, the euphony website Last.fm was hacked and 43 cardinal idiosyncratic accounts were exposed. Whilst Last.fm knew of an incidental backmost palmy 2012, the modular of the hack was not known until the accusation was released publically palmy September 2016. The breach included 37 cardinal unsocial email addresses, usernames and passwords stored arsenic unsalted MD5 hashes.
Breach date: 22 March 2012
Date added to HIBP: 20 September 2016
Compromised accounts: 37,217,682
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Lazada RedMart
In October 2020, news broke of Lazada RedMart accusation breach containing records arsenic caller arsenic July 2020 and being sold via an online marketplace. In all, the accusation contained 1.1 cardinal suit email addresses alongside names, telephone numbers, carnal addresses, partial designation insubstantial numbers and passwords stored arsenic SHA-1 hashes.
Breach date: 30 July 2020
Date added to HIBP: 10 November 2020
Compromised accounts: 1,107,789
Compromised data: Email addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses
Permalink
LBB
In August 2022, suit accusation of the Indian buying tract "LBB" (Little Black Book) was posted to a fashionable hacking forum. The accusation contained implicit 3M records with 39k unsocial email addresses alongside IP and carnal addresses, names and instrumentality accusation with the astir caller accusation dating backmost to aboriginal 2019. LBB advised they justice the accusation was exposed by a 3rd enactment enactment and whilst it contained accusation they clasp connected their customers, it had too been enriched with further accusation attributes.
Breach date: 14 February 2019
Date added to HIBP: 5 March 2023
Compromised accounts: 39,288
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Names, Physical addresses
Permalink
Lead Hunter
In March 2020, a monolithic trove of idiosyncratic accusation referred to arsenic "Lead Hunter" was provided to HIBP aft being recovered adjacent exposed connected a publically facing Elasticsearch server. The accusation contained 69 cardinal unsocial email addresses crossed 110 cardinal rows of accusation accompanied by further idiosyncratic accusation including names, telephone numbers, genders and carnal addresses. At the clip of publishing, the breach could not beryllium attributed to those liable for obtaining and exposing it. The accusation was provided to HIBP by dehashed.com.
Breach date: 4 March 2020
Date added to HIBP: 3 June 2020
Compromised accounts: 68,693,853
Compromised data: Email addresses, Genders, IP addresses, Names, Phone numbers, Physical addresses
Permalink
League of Legends
In June 2012, the multiplayer online crippled League of Legends suffered a accusation breach. At the time, the enactment had overmuch than 32 cardinal registered accounts and the breach affected assorted idiosyncratic accusation attributes including "encrypted" passwords. In 2018, a 339k grounds subset of the accusation emerged with email addresses, usernames and plain substance passwords, apt cracked from the archetypal cryptographically protected ones.
Breach date: 11 June 2012
Date added to HIBP: 28 July 2018
Compromised accounts: 339,487
Compromised data: Email addresses, Passwords, Usernames
Permalink
Leaked Reality
In January 2022, the contiguous defunct uncensored video website Leaked Reality suffered a accusation breach that exposed 115k unsocial email addresses. The accusation too included usernames, IP addresses and passwords stored arsenic either MD5 oregon phpass hashes.
Breach date: 31 January 2022
Date added to HIBP: 31 March 2023
Compromised accounts: 114,907
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Leet
In August 2016, the enactment for creating and moving Pocket Minecraft saltation servers known arsenic Leet was reported arsenic having suffered a accusation breach that impacted 6 cardinal subscribers. The incidental reported by Softpedia had allegedly taken spot earlier palmy the year, though the accusation acceptable sent to HIBP was dated arsenic precocious arsenic aboriginal September but contained lone 2 cardinal subscribers. The accusation included usernames, email and IP addresses and SHA512 hashes. A further 3 cardinal accounts were obtained and added to HIBP respective days aft the archetypal accusation was loaded bringing the afloat to implicit 5 million.
Breach date: 10 September 2016
Date added to HIBP: 30 September 2016
Compromised accounts: 5,081,689
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Lifeboat
In January 2016, the Minecraft assemblage known arsenic Lifeboat was hacked and overmuch than 7 cardinal accounts leaked. Lifeboat knew of the incidental for 3 months earlier the breach was made nationalist but elected not to counsel customers. The leaked accusation included usernames, email addresses and passwords stored arsenic consecutive MD5 hashes.
Breach date: 1 January 2016
Date added to HIBP: 25 April 2016
Compromised accounts: 7,089,395
Compromised data: Email addresses, Passwords, Usernames
Permalink
Light's Hope
In June 2018, the World of Warcraft enactment Light's Hope suffered a accusation breach which they subsequently self-submitted to HIBP. Over 30K unsocial users were impacted and their exposed accusation included email addresses, dates of birth, backstage messages and passwords stored arsenic bcrypt hashes.
Breach date: 25 June 2018
Date added to HIBP: 4 July 2018
Compromised accounts: 30,484
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Private messages, Usernames
Permalink
Liker
In March 2021, the self-proclaimed "kinder, smarter societal network" Liker suffered a accusation breach, allegedly palmy retaliation for the Gab accusation breach and scraping of accusation from Parler. The tract remained offline aft the breach which exposed 465k email addresses palmy summation to names, dates of birth, acquisition levels, backstage messages, accusation questions and answers palmy plain text, passwords stored arsenic bcrypt hashes and antithetic idiosyncratic accusation attributes. Liker did not respond erstwhile contacted astir the breach.
Breach date: 8 March 2021
Date added to HIBP: 13 March 2021
Compromised accounts: 465,141
Compromised data: Auth tokens, Dates of birth, Education levels, Email addresses, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Private messages, Security questions and answers, Social media profiles, Usernames
Permalink
LimeVPN
In October 2020, the VPN supplier LimeVPN suffered a accusation breach that exposed the idiosyncratic accusation of tens of thousands of customers. The accusation included email, IP and carnal addresses, names, telephone numbers, acquisition histories and passwords stored arsenic salted MD5 hashes.
Breach date: 8 October 2020
Date added to HIBP: 6 February 2023
Compromised accounts: 23,348
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
In May 2016, LinkedIn had 164 cardinal email addresses and passwords exposed. Originally hacked palmy 2012, the accusation remained retired of amusement until being offered for merchantability connected a acheronian marketplace tract 4 years later. The passwords palmy the breach were stored arsenic SHA1 hashes without salt, the immense bulk of which were rapidly cracked palmy the days pursuing the merchandise of the data.
Breach date: 5 May 2012
Date added to HIBP: 21 May 2016
Compromised accounts: 164,611,595
Compromised data: Email addresses, Passwords
Permalink
LinkedIn Scraped Data
During the archetypal fractional of 2021, LinkedIn was targeted by attackers who scraped accusation from hundreds of millions of nationalist profiles and aboriginal sold them online. Whilst the scraping did not correspond a accusation breach nor did it entree immoderate idiosyncratic accusation not intended to beryllium publically accessible, the accusation was inactive monetised and aboriginal broadly circulated palmy hacking circles. The scraped accusation contains astir 400M records with 125M unsocial email addresses, arsenic bully arsenic names, geographic locations, genders and concern titles. LinkedIn specifically addresses the incidental palmy their presumption connected An update connected survey of scraped data.
Breach date: 8 April 2021
Date added to HIBP: 2 October 2021
Compromised accounts: 125,698,496
Compromised data: Education levels, Email addresses, Genders, Geographic locations, Job titles, Names, Social media profiles
Permalink
Linux Forums
In May 2018, the Linux Forums website suffered a accusation breach which resulted palmy the disclosure of 276k unsocial email addresses. Running connected an aged mentation of vBulletin, the breach too disclosed usernames, IP addresses and salted MD5 password hashes. Linux Forums did not respond to aggregate attempts to enactment them astir the breach.
Breach date: 1 May 2018
Date added to HIBP: 7 June 2018
Compromised accounts: 275,785
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Linux Mint
In February 2016, the website for the Linux distro known arsenic Linux Mint was hacked and the ISO infected with a backdoor. The tract too ran a phpBB forum which was subsequently enactment up for merchantability implicit with astir 145k email addresses, passwords and antithetic idiosyncratic subscriber information.
Breach date: 21 February 2016
Date added to HIBP: 22 February 2016
Compromised accounts: 144,989
Compromised data: Avatars, Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Time zones, Website activity
Permalink
LiveAuctioneers
In June 2020, the online antiques marketplace LiveAuctioneers suffered a accusation breach which was subsequently sold online past extensively redistributed palmy the hacking community. The accusation contained 3.4 cardinal records including names, email and IP addresses, carnal addresses, phones numbers and passwords stored arsenic unsalted MD5 hashes. The accusation was provided to HIBP by breachbase.pw.
Breach date: 19 June 2020
Date added to HIBP: 22 August 2020
Compromised accounts: 3,385,862
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
LiveJournal
In mid-2019, news broke of an alleged LiveJournal accusation breach. This followed multiple reports of credential maltreatment against Dreamwidth opening palmy 2018, a fork of LiveJournal with a important crossover palmy idiosyncratic base. The breach allegedly dates backmost to 2017 and contains 26M unsocial usernames and email addresses (both of which idiosyncratic been confirmed to beryllium connected LiveJournal) alongside plain substance passwords. An archive of the accusation was subsequently shared connected a fashionable hacking forum palmy May 2020 and redistributed broadly. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 January 2017
Date added to HIBP: 26 May 2020
Compromised accounts: 26,372,781
Compromised data: Email addresses, Passwords, Usernames
Permalink
Livpure
In August 2020, the Indian retailer Livpure suffered a accusation breach which exposed implicit 1 cardinal suit purchases with 270 1000 unsocial email addresses. The accusation too included names, telephone numbers, carnal addresses and details of purchased items. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 29 August 2020
Date added to HIBP: 22 May 2021
Compromised accounts: 269,552
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Purchases, Salutations
Permalink
Lizard Squad
In January 2015, the hacker firm known arsenic "Lizard Squad" created a DDoS enactment by the authorisation of "Lizard Stresser" which could beryllium procured to equine attacks against online targets. Shortly thereafter, the enactment suffered a accusation breach which resulted palmy the nationalist disclosure of implicit 13k idiosyncratic accounts including passwords stored palmy plain text.
Breach date: 16 January 2015
Date added to HIBP: 18 January 2015
Compromised accounts: 13,451
Compromised data: Email addresses, Passwords, Usernames
Permalink
Locally
In October 2022, "The Industry's Leading Online-to-Offline Shopping Solution" Locally suffered a accusation breach. Whilst Locally acknowledged the breach privately, it's chartless whether impacted customers were subsequently notified of the incidental which exposed implicit 362k names, telephone numbers, email and carnal addresses, purchases, designation insubstantial benignant and past 4 digits and bcrypt password hashes.
Breach date: 1 October 2022
Date added to HIBP: 10 July 2023
Compromised accounts: 362,619
Compromised data: Email addresses, Partial designation insubstantial data, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Lolzteam
In May 2018, the Russian hacking forum Lolzteam suffered a accusation breach that exposed 400k members. The impacted accusation included usernames and email addresses which were aboriginal redistributed via antithetic hacking forum. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "ZAN @ BF".
Breach date: 13 May 2018
Date added to HIBP: 6 November 2022
Compromised accounts: 398,011
Compromised data: Email addresses, Usernames
Permalink
Lookbook
In August 2012, the mode tract Lookbook suffered a accusation breach. The accusation aboriginal appeared listed for merchantability palmy June 2016 and included 1.1 cardinal usernames, email and IP addresses, commencement dates and plain substance passwords.
Breach date: 24 August 2012
Date added to HIBP: 8 November 2016
Compromised accounts: 1,074,948
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Usernames, Website activity
Permalink
Lord of the Rings Online
In August 2013, the interactive video crippled Lord of the Rings Online suffered a accusation breach that exposed implicit 1.1M players' accounts. The accusation was being actively traded connected underground forums and included email addresses, commencement dates and password hashes.
Breach date: 1 August 2013
Date added to HIBP: 12 March 2016
Compromised accounts: 1,141,278
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Lounge Board
At immoderate constituent palmy 2013, 45k accounts were breached from the Lounge Board "General Discussion Forum" and past dumped publicly. Lounge Board was a MyBB forum launched palmy 2012 and discontinued palmy mid 2013 (the past enactment palmy the logs was from August 2013).
Breach date: 1 August 2013
Date added to HIBP: 6 July 2014
Compromised accounts: 45,018
Compromised data: Email addresses, IP addresses, Names, Passwords, Private messages, Usernames, Website activity
Permalink
Lumin PDF
In April 2019, the PDF absorption enactment Lumin PDF suffered a accusation breach. The breach wasn't publically disclosed until September erstwhile 15.5M records of idiosyncratic accusation appeared for download connected a fashionable hacking forum. The accusation had been adjacent publically exposed palmy a MongoDB suit aft which Lumin PDF was allegedly been "contacted aggregate times, but ignored each the queries". The exposed accusation included names, email addresses, genders, spoken transportation and either a bcrypt password hash oregon Google auth token. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 April 2019
Date added to HIBP: 18 September 2019
Compromised accounts: 15,453,048
Compromised data: Auth tokens, Email addresses, Genders, Names, Passwords, Spoken languages, Usernames
Permalink
Luxottica
In March 2021, the world's largest eyewear instauration Luxoticca suffered a accusation breach via 1 of their partners that exposed the idiosyncratic accusation of overmuch than 70M people. The accusation was subsequently sold via a fashionable hacking forum palmy precocious 2022 and included email and carnal addresses, names, genders, dates of commencement and telephone numbers. In a transportation from Luxottica, they advised they were alert of the incidental and are presently "considering antithetic notification obligations".
Breach date: 16 March 2021
Date added to HIBP: 19 May 2023
Compromised accounts: 77,093,812
Compromised data: Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses
Permalink
Lyrics Mania
In December 2017, the opus lyrics website known arsenic Lyrics Mania suffered a accusation breach. The accusation palmy the breach included 109k usernames, email addresses and plain substance passwords. Numerous attempts were made to enactment Lyrics Mania astir the incident, nevertheless nary responses were received.
Breach date: 21 December 2017
Date added to HIBP: 15 January 2018
Compromised accounts: 109,202
Compromised data: Email addresses, Passwords, Usernames
Permalink
Mac Forums
In July 2016, the self-proclaimed "Ultimate Source For Your Mac" website Mac Forums suffered a accusation breach. The vBulletin-based strategy exposed implicit 326k usernames, email and IP addresses, dates of commencement and passwords stored arsenic salted MD5 hashes. The accusation was aboriginal discovered being traded connected a fashionable hacking forum. Mac Forums did not respond erstwhile contacted astir the incidental via their enactment america form.
Breach date: 3 July 2016
Date added to HIBP: 29 October 2018
Compromised accounts: 326,714
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
MacGeneration
In January 2022, the French Apple prime website MacGeneration suffered a accusation breach. The incidental exposed implicit 100k usernames, email addresses and passwords stored arsenic salted SHA-512 hashes. After discovering the incident, MacGeneration self-submitted accusation to HIBP.
Breach date: 29 January 2022
Date added to HIBP: 3 March 2022
Compromised accounts: 101,004
Compromised data: Email addresses, Passwords, Usernames
Permalink
Mac-Torrents
In October 2015, the torrent tract Mac-Torrents was hacked and astir 94k usernames, email addresses and passwords were leaked. The passwords were hashed with MD5 and nary salt.
Breach date: 31 October 2015
Date added to HIBP: 31 October 2015
Compromised accounts: 93,992
Compromised data: Email addresses, Passwords, Usernames
Permalink
mail.ru Dump
In September 2014, respective ample dumps of idiosyncratic accounts appeared connected the Russian Bitcoin Security Forum including 1 with astir 5M email addresses and passwords, predominantly connected the mail.ru domain. Whilst unlikely to beryllium the effect of a nonstop onslaught against mail.ru, the credentials were confirmed by galore arsenic morganatic for antithetic services they had subscribed to. Further accusation allegedly valid for mail.ru and containing email addresses and plain substance passwords was added palmy January 2018 bringing to afloat to overmuch than 16M records. The incidental was too past flagged arsenic "unverified", a conception that was introduced aft the archetypal accusation load palmy 2014.
Breach date: 10 September 2014
Date added to HIBP: 12 September 2014
Compromised accounts: 16,630,988
Compromised data: Email addresses, Passwords
Permalink
MajorGeeks
In November 2015, astir 270k accounts from the MajorGeeks enactment forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.
Breach date: 15 November 2015
Date added to HIBP: 3 March 2016
Compromised accounts: 269,548
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MALL.cz
In July 2017, the Czech Republic e-commerce tract MALL.cz suffered a accusation breach aft which 735k unsocial accounts including email addresses, names, telephone numbers and passwords were aboriginal posted online. Whilst passwords were stored arsenic hashes, a fig of antithetic algorithms of varying spot were utilized implicit time. All passwords included palmy the publically distributed accusation were palmy plain substance and were apt conscionable those that had been successfully cracked (members with beardown passwords don't look to beryllium included). According to MALL.cz, the breach lone impacted accounts created earlier 2015.
Breach date: 27 July 2017
Date added to HIBP: 4 September 2017
Compromised accounts: 735,405
Compromised data: Email addresses, Names, Passwords, Phone numbers
Permalink
Malwarebytes
In November 2014, the Malwarebytes forum was hacked and 111k subordinate records were exposed. The IP.Board forum included email and IP addresses, commencement dates and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 15 November 2014
Date added to HIBP: 9 March 2016
Compromised accounts: 111,623
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Manga Traders
In June 2014, the Manga trading website Mangatraders.com had the usernames and passwords of implicit 900k users leaked connected the internet (approximately 855k of the emails were unique). The passwords were weakly hashed with a azygous iteration of MD5 leaving them susceptible to being casual cracked.
Breach date: 9 June 2014
Date added to HIBP: 10 June 2014
Compromised accounts: 855,249
Compromised data: Email addresses, Passwords
Permalink
MangaDex
In March 2021, the manga instrumentality tract MangaDex suffered a accusation breach that resulted palmy the vulnerability of astir 3 cardinal subscribers. The accusation included email and IP addresses, usernames and passwords stored arsenic bcrypt hashes. The accusation was subsequently circulated incorrect hacking groups.
Breach date: 22 March 2021
Date added to HIBP: 25 April 2021
Compromised accounts: 2,987,329
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MangaFox.me
In astir July 2016, the manga website known arsenic mangafox.me suffered a accusation breach. The vBulletin based forum exposed 1.3 cardinal accounts including usernames, email and IP addresses, dates of commencement and salted MD5 password hashes.
Breach date: 1 June 2016
Date added to HIBP: 17 March 2018
Compromised accounts: 1,311,610
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Mangatoon
In May 2022, the Hong Kong based Manga enactment Mangatoon suffered a accusation breach that exposed 23M subscriber records. The breach exposed names, email addresses, genders, societal media narration identities, auth tokens from societal logins and passwords stored arsenic salted MD5 hashes. Mangatoon did not respond to aggregate attempts to marque enactment regarding the breach.
Breach date: 13 May 2022
Date added to HIBP: 6 July 2022
Compromised accounts: 23,040,238
Compromised data: Auth tokens, Avatars, Email addresses, Genders, Names, Passwords, Social media profiles, Usernames
Permalink
Manipulated Caiman
In July 2023, Perception Point reported connected a phishing cognition dubbed "Manipulated Caiman". Targeting chiefly the citizens of Mexico, the tally attempted to summation entree to victims' slope accounts via spear phishing attacks utilizing malicious attachments. Researchers obtained astir 40M email addresses targeted palmy the tally and provided the accusation to HIBP to alert imaginable victims.
Breach date: 16 July 2023
Date added to HIBP: 15 August 2023
Compromised accounts: 39,901,389
Compromised data: Email addresses
Permalink
Mappery
In December 2018, the mapping website Mappery suffered a accusation breach that exposed implicit 205k unsocial email addresses. The incidental too exposed usernames, the geographic determination of the idiosyncratic and passwords stored arsenic unsalted SHA-1 hashes. No effect was received from Mappery erstwhile contacted astir the incident.
Breach date: 11 December 2018
Date added to HIBP: 18 December 2018
Compromised accounts: 205,242
Compromised data: Email addresses, Geographic locations, Passwords, Usernames
Permalink
Mashable
In astir mid-2020, Mashable suffered a accusation breach that subsequently turned up publically palmy November 2020. The accusation included 1.4 cardinal unsocial email addresses connected with names, genders, expired auth tokens, carnal locations, links to societal media profiles and days and months of birth. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 June 2020
Date added to HIBP: 10 November 2020
Compromised accounts: 1,414,677
Compromised data: Auth tokens, Email addresses, Genders, Geographic locations, IP addresses, Names, Partial dates of birth, Social media profiles
Permalink
Master Deeds
In March 2017, a 27GB database backup grounds named "Master Deeds" was sent to HIBP by a protagonist of the project. Upon elaborate probe aboriginal that year, the grounds was recovered to incorporated the idiosyncratic accusation of tens of millions of surviving and deceased South African residents. The accusation included extended idiosyncratic attributes specified arsenic names, addresses, ethnicities, genders, commencement dates, authorities issued idiosyncratic designation numbers and 2.2 cardinal email addresses. At the clip of publishing, it's alleged the accusation was sourced from Dracore Data Sciences (Dracore is yet to publically corroborate oregon contradict the accusation was sourced from their systems). On 18 October 2017, the grounds was recovered to idiosyncratic been published to a publically accessible web server wherever it was located astatine the basal of an IP codification with directory listing enabled. The grounds was dated 8 April 2015.
Breach date: 14 March 2017
Date added to HIBP: 18 October 2017
Compromised accounts: 2,257,930
Compromised data: Dates of birth, Deceased statuses, Email addresses, Employers, Ethnicities, Genders, Government issued IDs, Home ownership statuses, Job titles, Names, Nationalities, Phone numbers, Physical addresses
Permalink
Mastercard Priceless Specials
In August 2019, the German Mastercard bonus programme "Priceless Specials" suffered a accusation breach. Personal accusation connected astir 90k programme members was subsequently extensively circulated online and included names, email and IP addresses, telephone numbers and partial designation insubstantial data. Following the incident, the programme was subsequently suspended.
Breach date: 20 August 2019
Date added to HIBP: 1 September 2019
Compromised accounts: 89,388
Compromised data: Email addresses, IP addresses, Names, Partial designation insubstantial data, Phone numbers, Salutations
Permalink
Mate1.com
In February 2016, the dating tract mate1.com suffered a immense accusation breach resulting palmy the disclosure of implicit 27 cardinal subscribers' information. The accusation included profoundly idiosyncratic accusation astir their backstage lives including origin and intoxicant habits, incomes levels and intersexual fetishes arsenic bully arsenic passwords stored palmy plain text.
Breach date: 29 February 2016
Date added to HIBP: 14 April 2016
Compromised accounts: 27,393,015
Compromised data: Astrological signs, Dates of birth, Drinking habits, Drug habits, Education levels, Email addresses, Ethnicities, Fitness levels, Genders, Geographic locations, Income levels, Job titles, Names, Parenting plans, Passwords, Personal descriptions, Physical attributes, Political views, Relationship statuses, Religions, Sexual fetishes, Travel habits, Usernames, Website activity, Work habits
Permalink
Mathway
In January 2020, the mathematics solving website Mathway suffered a accusation breach that exposed implicit 25M records. The accusation was subsequently sold connected a acheronian web marketplace and included names, Google and Facebook IDs, email addresses and salted password hashes.
Breach date: 13 January 2020
Date added to HIBP: 5 June 2020
Compromised accounts: 25,692,862
Compromised data: Device information, Email addresses, Names, Passwords, Social media profiles
Permalink
MCBans
In October 2016, the Minecraft banning enactment known arsenic MCBans suffered a accusation breach resulting palmy the vulnerability of 120k unsocial idiosyncratic records. The accusation contained email and IP addresses, usernames and password hashes of chartless format. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 27 October 2016
Date added to HIBP: 23 July 2017
Compromised accounts: 119,948
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
MDPI
In August 2016, the Swiss scholarly unfastened entree steadfast known arsenic MDPI had 17.5GB of accusation obtained from an unprotected Mongo DB instance. The accusation contained email exchanges betwixt MDPI and their authors and reviewers which included 845k unsocial email addresses. MDPI idiosyncratic confirmed that the strategy has since been protected and that nary accusation of a delicate prime was impacted. As such, they concluded that notification to their subscribers was not indispensable owed to the accusation that each their authors and reviewers are disposable online connected their website.
Breach date: 30 August 2016
Date added to HIBP: 25 March 2018
Compromised accounts: 845,012
Compromised data: Email addresses, Email messages, IP addresses, Names
Permalink
Mecho Download
In October 2013, the (now defunct) downloads website "Mecho Download" suffered a accusation breach that exposed 438k records. Data from the vBulletin based website included email and IP addresses, usernames and passwords stored arsenic salted MD5 hashes.
Breach date: 31 October 2013
Date added to HIBP: 2 August 2022
Compromised accounts: 437,928
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MeetMindful
In aboriginal 2020, the online dating enactment MeetMindful suffered a accusation breach that exposed 1.4 cardinal unsocial suit email addresses. Included palmy the accusation was an extended array of idiosyncratic accusation utilized to find romanticist matches including carnal attributes, usage of alcohol, drugs and cigarettes, marital statuses, birthdates, genders and the enactment being sought. Additional idiosyncratic accusation specified arsenic names, geographical locations and IP addresses were too exposed, connected with passwords stored arsenic bcrypt hashes.
Breach date: 26 January 2020
Date added to HIBP: 31 January 2021
Compromised accounts: 1,422,717
Compromised data: Dates of birth, Drinking habits, Drug habits, Email addresses, Genders, Geographic locations, IP addresses, Marital statuses, Names, Passwords, Physical attributes, Religions, Sexual orientations, Smoking habits, Social media profiles, Usernames
Permalink
MEO
In aboriginal 2023, a corpus of accusation sourced from the New Zealand based look disguise instauration MEO was discovered. Dating backmost to December 2020, the accusation contained implicit 8k suit records including names, addresses, telephone numbers and passwords stored arsenic MD5 Wordpress hashes. MEO did not respond to aggregate attempts to survey the breach.
Breach date: 24 December 2020
Date added to HIBP: 24 April 2023
Compromised accounts: 8,227
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, Usernames
Permalink
MGM Resorts
In July 2019, MGM Resorts discovered a accusation breach of 1 of their unreality services. The breach included 10.6M impermanent records with 3.1M unsocial email addresses stemming backmost to 2017. The exposed accusation included email and carnal addresses, names, telephone numbers and dates of commencement and was subsequently shared connected a fashionable hacking forum palmy February 2020 wherever it was extensively redistributed. The accusation was provided to HIBP by Under The Breach.
Breach date: 25 July 2019
Date added to HIBP: 20 February 2020
Compromised accounts: 3,081,321
Compromised data: Dates of birth, Email addresses, Names, Phone numbers, Physical addresses
Permalink
MGM Resorts (2022 Update)
In July 2019, MGM Resorts discovered a accusation breach of 1 of their unreality services. The breach included 10.6M impermanent records with 3.1M unsocial email addresses stemming backmost to 2017. In May 2022, a superset of the accusation totalling astir 25M unsocial email addresses crossed 142M rows was extensively shared connected Telegram. On analysis, it's highly apt the accusation stems from the aforesaid incidental with 142M records having been discovered for merchantability connected a acheronian web marketplace palmy mid-2020. The exposed accusation included email and carnal addresses, names, telephone numbers and dates of birth.
Breach date: 25 July 2019
Date added to HIBP: 29 May 2022
Compromised accounts: 24,842,001
Compromised data: Dates of birth, Email addresses, Names, Phone numbers, Physical addresses
Permalink
Minecraft Pocket Edition Forum
In May 2015, the Minecraft Pocket Edition forum was hacked and implicit 16k accounts were dumped public. Allegedly hacked by @rmsg0d, the forum accusation included galore idiosyncratic pieces of accusation for each user. The forum has subsequently been decommissioned.
Breach date: 24 May 2015
Date added to HIBP: 30 June 2015
Compromised accounts: 16,034
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Minecraft World Map
In astir January 2016, the Minecraft World Map tract designed for sharing maps created for the crippled was hacked and implicit 71k idiosyncratic accounts were exposed. The accusation included usernames, email and IP addresses connected with salted and hashed passwords.
Breach date: 15 January 2016
Date added to HIBP: 29 August 2016
Compromised accounts: 71,081
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Minefield
In June 2015, the French Minecraft server known arsenic Minefield was hacked and 188k subordinate records were exposed. The IP.Board forum included email and IP addresses, commencement dates and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 28 June 2015
Date added to HIBP: 9 March 2016
Compromised accounts: 188,343
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Minehut
In May 2019, the Minecraft server website Minehut suffered a accusation breach. The instauration advised a database backup had been obtained aft which they subsequently notified each impacted users. 397k email addresses from the incidental were provided to HIBP. A accusation acceptable with immoderate email addresses and bcrypt password hashes was too aboriginal provided to HIBP.
Breach date: 17 May 2019
Date added to HIBP: 17 September 2019
Compromised accounts: 396,533
Compromised data: Email addresses, Passwords
Permalink
Minted
In May 2020, the online marketplace for autarkic artists Minted suffered a accusation breach that exposed 4.4M unsocial suit records subsequently sold connected a acheronian web marketplace. Exposed accusation too included names, carnal addresses, telephone numbers and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 6 May 2020
Date added to HIBP: 3 November 2020
Compromised accounts: 4,418,182
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
MMG Fusion
In December 2020, the dental signifier absorption enactment MMG Fusion was the unfortunate of a accusation breach which exposed 2.6M unsocial email addresses. The accusation too included diligent appointments, names, telephone numbers, dates of birth, genders and carnal addresses. A tiny fig of records too included passwords stored arsenic bcrypt hashes.
Breach date: 20 December 2020
Date added to HIBP: 7 August 2021
Compromised accounts: 2,660,295
Compromised data: Appointments, Dates of birth, Email addresses, Genders, Marital statuses, Names, Passwords, Phone numbers, Physical addresses
Permalink
MobiFriends
In January 2020, the Barcelona-based dating app MobiFriends suffered a accusation breach that exposed 3.5 cardinal unsocial email addresses. The accusation too included usernames, genders, dates of commencement and MD5 password hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 6 January 2020
Date added to HIBP: 23 May 2021
Compromised accounts: 3,512,952
Compromised data: Dates of birth, Email addresses, Genders, Passwords, Usernames
Permalink
MoDaCo
In astir January 2016, the UK based Android assemblage known arsenic MoDaCo suffered a accusation breach which exposed 880k subscriber identities. The accusation included email and IP addresses, usernames and passwords stored arsenic salted MD5 hashes.
Breach date: 1 January 2016
Date added to HIBP: 20 September 2016
Compromised accounts: 879,703
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Modern Business Solutions
In October 2016, a ample Mongo DB grounds containing tens of millions of accounts was shared publically connected Twitter (the grounds has since been removed). The database contained implicit 58M unsocial email addresses connected with IP addresses, names, determination addresses, genders, concern titles, dates of commencement and telephone numbers. The accusation was subsequently attributed to "Modern Business Solutions", a instauration that provides accusation retention and database hosting solutions. They've yet to admit the incidental oregon explicate nevertheless they came to beryllium palmy possession of the data.
Breach date: 8 October 2016
Date added to HIBP: 12 October 2016
Compromised accounts: 58,843,488
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Permalink
Money Bookers
Sometime palmy 2009, the e-wallet enactment known arsenic Money Bookers suffered a accusation breach which exposed astir 4.5M customers. Now called Skrill, the breach was not discovered until October 2015 and included names, email addresses, determination addresses and IP addresses.
Breach date: 1 January 2009
Date added to HIBP: 30 November 2015
Compromised accounts: 4,483,605
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses
Permalink
Moneycontrol
In April 2021, hackers posted accusation for merchantability originating from the online Indian fiscal platform, Moneycontrol. The accusation included 763 1000 unsocial email addresses (allegedly a subset of a larger 40 cardinal narration breach), alongside geographic locations, telephone numbers, genders, dates of commencement and plain substance passwords. The time of the archetypal breach is unclear, though the breached accusation indicates the grounds was created palmy September 2017 and Moneycontrol has stated that the breach is "an aged accusation set".
Breach date: 7 September 2017
Date added to HIBP: 22 May 2021
Compromised accounts: 762,874
Compromised data: Email addresses, Genders, Geographic locations, Passwords, Phone numbers
Permalink
Morele.net
In October 2018, the Polish e-commerce website Morele.net suffered a accusation breach. The incidental exposed astir 2.5 cardinal unsocial email addresses alongside telephone numbers, names and passwords stored arsenic md5crypt hashes.
Breach date: 10 October 2018
Date added to HIBP: 20 April 2019
Compromised accounts: 2,467,304
Compromised data: Email addresses, Names, Passwords, Phone numbers
Permalink
Mortal Online
In June 2018, the massively multiplayer online role-playing crippled (MMORPG) Mortal Online suffered a accusation breach. A grounds containing 570k email addresses and cracked passwords was subsequently distributed online. A larger overmuch implicit grounds containing 607k email addresses with archetypal unsalted MD5 password hashes connected with names, usernames and carnal addresses was aboriginal provided and the archetypal breach palmy HIBP was updated accordingly. The accusation was provided to HIBP by whitehat accusation researcher and accusation adept Adam Davies.
Breach date: 17 June 2018
Date added to HIBP: 31 August 2018
Compromised accounts: 606,637
Compromised data: Email addresses, Names, Passwords, Physical addresses, Usernames
Permalink
MPGH
In October 2015, the multiplayer crippled hacking website MPGH was hacked and 3.1 cardinal idiosyncratic accounts disclosed. The vBulletin forum breach contained usernames, email addresses, IP addresses and salted hashes of passwords.
Breach date: 22 October 2015
Date added to HIBP: 26 October 2015
Compromised accounts: 3,122,898
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MrExcel
In December 2016, the forum for the Microsoft Excel tips and solutions tract Mr Excel suffered a accusation breach. The hack of the vBulletin forum led to the vulnerability of implicit 366k accounts connected with email and IP addresses, dates of commencement and salted passwords hashed with MD5. The proprietor of the MrExcel forum subsequently self-submitted the accusation to HIBP.
Breach date: 5 December 2016
Date added to HIBP: 22 January 2017
Compromised accounts: 366,140
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Social connections, Usernames, Website activity
Permalink
mSpy
In May 2015, the "monitoring" bundle known arsenic mSpy suffered a major accusation breach. The bundle (allegedly often utilized to spy connected unsuspecting victims), stored extended idiosyncratic accusation incorrect their online enactment which aft being breached, was made freely disposable connected the internet.
Breach date: 14 May 2015
Date added to HIBP: 28 May 2015
Compromised accounts: 699,793
Compromised data: Device usage tracking data
Permalink
Muslim Directory
In February 2014, the UK usher to services and interest known arsenic the Muslim Directory was attacked by the hacker known arsenic @th3inf1d3l. The accusation was consequently dumped publically and included the web accounts of tens of thousands of users which contained accusation including their names, determination address, spot group, email, website enactment and password palmy plain text.
Breach date: 17 February 2014
Date added to HIBP: 23 February 2014
Compromised accounts: 37,784
Compromised data: Age groups, Email addresses, Employers, Names, Passwords, Phone numbers, Physical addresses, Website activity
Permalink
Muslim Match
In June 2016, the Muslim Match dating website had 150k email addresses exposed. The accusation included backstage chats and messages betwixt narration seekers and galore antithetic idiosyncratic attributes including passwords hashed with MD5.
Breach date: 24 June 2016
Date added to HIBP: 29 June 2016
Compromised accounts: 149,830
Compromised data: Chat logs, Email addresses, Geographic locations, IP addresses, Passwords, Private messages, User statuses, Usernames
Permalink
MyFHA
In astir February 2015, the determination financing website MyFHA suffered a accusation breach which disclosed the idiosyncratic accusation of astir 1 cardinal people. The accusation included extended idiosyncratic accusation relating to determination financing including idiosyncratic enactment info, designation statuses, household incomes, indebtedness amounts and notes connected idiosyncratic circumstances, often referring to ineligible issues, divorces and wellness conditions. Multiple parties contacted HIBP with the accusation aft which MyFHA was alerted palmy mid-July and acknowledged the legitimacy of the breach past took the tract offline.
Breach date: 18 February 2015
Date added to HIBP: 9 August 2018
Compromised accounts: 972,629
Compromised data: Credit presumption information, Email addresses, Income levels, IP addresses, Loan information, Names, Passwords, Personal descriptions, Physical addresses
Permalink
MyFitnessPal
In February 2018, the fare and workout enactment MyFitnessPal suffered a accusation breach. The incidental exposed 144 cardinal unsocial email addresses alongside usernames, IP addresses and passwords stored arsenic SHA-1 and bcrypt hashes (the erstwhile for earlier accounts, the 2nd for newer accounts). In 2019, the accusation appeared listed for merchantability connected a acheronian web marketplace (along with respective antithetic ample breaches) and subsequently began circulating overmuch broadly. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "[email protected]".
Breach date: 1 February 2018
Date added to HIBP: 21 February 2019
Compromised accounts: 143,606,147
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MyHeritage
In October 2017, the genealogy website MyHeritage suffered a accusation breach. The incidental was reported 7 months aboriginal aft a accusation researcher discovered the accusation and contacted MyHeritage. In total, overmuch than 92M suit records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the accusation appeared listed for merchantability connected a acheronian web marketplace (along with respective antithetic ample breaches) and subsequently began circulating overmuch broadly. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 26 October 2017
Date added to HIBP: 20 February 2019
Compromised accounts: 91,991,358
Compromised data: Email addresses, Passwords
Permalink
myRepoSpace
In July 2015, the Cydia repository known arsenic myRepoSpace was hacked and user accusation leaked publicly. Cydia is designed to facilitate the installation of apps connected jailbroken iOS devices. The repository enactment was allegedly hacked by @its_not_herpes and 0x8badfl00d palmy retaliation for the enactment refusing to portion pirated tweaks.
Breach date: 6 July 2015
Date added to HIBP: 8 July 2015
Compromised accounts: 252,751
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
MyVidster
In August 2015, the societal video sharing and bookmarking tract MyVidster was hacked and astir 20,000 accounts were dumped online. The dump included usernames, email addresses and hashed passwords.
Breach date: 15 August 2015
Date added to HIBP: 10 October 2015
Compromised accounts: 19,863
Compromised data: Email addresses, Passwords, Usernames
Permalink
NapsGear
In October 2015, the anabolic steroids retailer NapsGear suffered a accusation breach. An extended magnitude of idiosyncratic accusation connected 287k customers was exposed including email addresses, names, addresses, telephone numbers, acquisition histories and salted MD5 password hashes.
Breach date: 21 October 2015
Date added to HIBP: 10 September 2018
Compromised accounts: 287,071
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Naughty America
In March 2016, the large website Naughty America was hacked and the accusation consequently sold online. The breach included accusation from galore systems with assorted idiosyncratic individuality attributes, the largest of which had passwords stored arsenic casual crackable MD5 hashes. There were 1.4 cardinal unsocial email addresses palmy the breach.
Breach date: 14 March 2016
Date added to HIBP: 24 April 2016
Compromised accounts: 1,398,630
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
NemoWeb
In September 2016, astir 21GB of accusation from the French website utilized for "standardised and decentralized means of code for publishing newsgroup articles" NemoWeb was leaked from what appears to idiosyncratic been an unprotected Mongo DB. The accusation consisted of a ample measurement of emails sent to the enactment and included astir 3.5M unsocial addresses, albeit galore of them auto-generated. Multiple attempts were made to enactment the operators of NemoWeb but nary effect was received.
Breach date: 4 September 2016
Date added to HIBP: 19 September 2018
Compromised accounts: 3,472,916
Compromised data: Email addresses, Names
Permalink
Neopets
In May 2016, a acceptable of breached accusation originating from the virtual favored website "Neopets" was recovered being traded online. Allegedly hacked "several years earlier", the accusation contains delicate idiosyncratic accusation including birthdates, genders and names arsenic bully arsenic astir 27 cardinal unsocial email addresses. Passwords were stored palmy plain substance and IP addresses were too contiguous palmy the breach.
Breach date: 5 May 2013
Date added to HIBP: 7 July 2016
Compromised accounts: 26,892,897
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Usernames
Permalink
Neteller
In May 2010, the e-wallet enactment known arsenic Neteller suffered a accusation breach which exposed implicit 3.6M customers. The breach was not discovered until October 2015 and included names, email addresses, determination addresses and narration balances.
Breach date: 17 May 2010
Date added to HIBP: 30 November 2015
Compromised accounts: 3,619,948
Compromised data: Account balances, Dates of birth, Email addresses, Genders, IP addresses, Names, Phone numbers, Physical addresses, Security questions and answers, Website activity
Permalink
NetGalley
In December 2020, the work promotion tract NetGalley suffered a accusation breach. The incidental exposed 1.4 cardinal unsocial email addresses alongside names, usernames, carnal and IP addresses, telephone numbers, dates of commencement and passwords stored arsenic salted SHA-1 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to [email protected].
Breach date: 21 December 2020
Date added to HIBP: 23 February 2021
Compromised accounts: 1,436,435
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
NetProspex
In 2016, a database of implicit 33 cardinal individuals palmy steadfast America sourced from Dun & Bradstreet's NetProspex enactment was leaked online. D&B justice the targeted selling accusation was mislaid by a suit who purchased it from them. It contained extended idiosyncratic and steadfast accusation including names, email addresses, concern titles and wide accusation astir the employer.
Breach date: 1 September 2016
Date added to HIBP: 15 March 2017
Compromised accounts: 33,698,126
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
NextGenUpdate
Early palmy 2014, the video crippled website NextGenUpdate reportedly suffered a accusation breach that disclosed astir 1.2 cardinal accounts. Amongst the accusation breach was usernames, email addresses, IP addresses and salted and hashed passwords.
Breach date: 22 April 2014
Date added to HIBP: 5 June 2015
Compromised accounts: 1,194,597
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Nexus Mods
In December 2015, the crippled modding tract Nexus Mods released a transportation notifying users that they had been hacked. They subsequently dated the hack arsenic having occurred palmy July 2013 though determination is grounds to suggest the accusation was being traded months palmy beforehand of that. The breach contained usernames, email addresses and passwords stored arsenic a salted hashes.
Breach date: 22 July 2013
Date added to HIBP: 17 January 2016
Compromised accounts: 5,915,013
Compromised data: Email addresses, Passwords, Usernames
Permalink
Nihonomaru
In precocious 2015, the anime assemblage known arsenic Nihonomaru had their vBulletin forum hacked and 1.7 cardinal accounts exposed. The compromised accusation included email and IP addresses, usernames and salted hashes of passwords.
Breach date: 1 December 2015
Date added to HIBP: 30 August 2016
Compromised accounts: 1,697,282
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Nival
In February 2016, the Russian gaming instauration Nival was the radical of an onslaught which was consequently detailed connected Reddit. Allegedly protesting "the overseas argumentation of Russia palmy regards to Ukraine", Nival was 1 of respective Russian sites palmy the breach and impacted implicit 1.5M accounts including delicate idiosyncratic information.
Breach date: 29 February 2016
Date added to HIBP: 3 March 2016
Compromised accounts: 1,535,473
Compromised data: Avatars, Dates of birth, Email addresses, Genders, Names, Spoken languages, Usernames, Website activity
Permalink
Non Nude Girls
In May 2013, the non-consensual voyeurism tract "Non Nude Girls" suffered a accusation breach. The hack of the vBulletin forum led to the vulnerability of implicit 75k accounts connected with email and IP addresses, names and plain substance passwords.
Breach date: 21 May 2013
Date added to HIBP: 25 January 2017
Compromised accounts: 75,383
Compromised data: Email addresses, IP addresses, Names, Passwords, Usernames, Website activity
Permalink
Not Acxiom
In 2020, a corpus of accusation containing astir a 4th of a cardinal records spanning implicit 400 antithetic fields was misattributed to database selling instauration Acxiom and subsequently circulated incorrect the hacking community. On review, Acxiom concluded that "the claims are truthful mendacious and that the data, which has been readily disposable crossed aggregate environments, does not question from Acxiom and is palmy nary mode the taxable of an Acxiom breach". The accusation contained astir 52M unsocial email addresses.
Breach date: 21 June 2020
Date added to HIBP: 22 November 2022
Compromised accounts: 51,730,831
Compromised data: Email addresses, IP addresses, Names, Phone numbers, Physical addresses
Permalink
Nulled.ch
In May 2020, the hacking forum Nulled.ch was breached and the accusation published to a rival hacking forum. Over 43k records were compromised and included IP and email addresses, usernames and passwords stored arsenic salted MD5 hashes alongside the backstage transportation past of the website's admin. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "Split10".
Breach date: 20 May 2020
Date added to HIBP: 24 May 2020
Compromised accounts: 43,491
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
Nulled.cr
In May 2016, the cracking assemblage forum known arsenic Nulled.cr was hacked and 599k idiosyncratic accounts were leaked publicly. The compromised accusation included email and IP addresses, anemic salted MD5 password hashes and hundreds of thousands of backstage messages betwixt members.
Breach date: 6 May 2016
Date added to HIBP: 9 May 2016
Compromised accounts: 599,080
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
NurseryCam
In February 2021, a bid of egregiously atrocious accusation flaws were identified palmy the NurseryCam system designed for parents to remotely amusement their children whilst attending nursery. The flaws led to the vulnerability of implicit 10k genitor records earlier the enactment was unopen down. The email addresses unsocial were provided to Have I Been Pwned to warrant parents were decently notified of the incident.
Breach date: 12 February 2021
Date added to HIBP: 23 February 2021
Compromised accounts: 10,585
Compromised data: Email addresses
Permalink
OGUsers (2019 breach)
In May 2019, the narration hijacking and SIM swapping forum OGusers suffered a accusation breach. The breach exposed a database backup from December 2018 which was published connected a rival hacking forum. There were 161k unsocial email addresses dispersed crossed 113k forum users and antithetic tables palmy the database. The exposed accusation too included usernames, IP addresses, backstage messages and passwords stored arsenic salted MD5 hashes.
Breach date: 26 December 2018
Date added to HIBP: 19 May 2019
Compromised accounts: 161,143
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
OGUsers (2020 breach)
In April 2020, the narration hijacking and SIM swapping forum OGUsers suffered their 2nd accusation breach palmy small than a year. As with the erstwhile breach, the exposed accusation included email and IP addresses, usernames, backstage messages and passwords stored arsenic salted MD5 hashes. A afloat of 263k email addresses crossed idiosyncratic accounts and antithetic tables were posted to a rival hacking forum.
Breach date: 2 April 2020
Date added to HIBP: 4 April 2020
Compromised accounts: 263,189
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
OGUsers (2021 breach)
In April 2021, the narration hijacking and SIM swapping forum OGusers suffered a accusation breach, the 4th since December 2018. The breach was subsequently sold connected a rival hacking forum and contained usernames, email and IP addresses and passwords stored arsenic either salted MD5 oregon argon2 hashes. A afloat of 348k unsocial email addresses appeared palmy the breach.
Breach date: 11 April 2021
Date added to HIBP: 16 May 2022
Compromised accounts: 348,302
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
OGUsers (2022 breach)
In July 2022, the narration hijacking and SIM swapping forum OGusers suffered a accusation breach, the 5th since December 2018. The breach contained usernames, email and IP addresses and passwords stored arsenic argon2 hashes. A afloat of 529k unsocial email addresses appeared palmy the breach.
Breach date: 13 July 2022
Date added to HIBP: 14 April 2023
Compromised accounts: 529,020
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Onliner Spambot
In August 2017, a spambot by the authorisation of Onliner Spambot was identified by accusation researcher Benkow moʞuƎq. The malicious bundle contained a server-based constituent located connected an IP codification palmy the Netherlands which exposed a ample fig of files containing idiosyncratic information. In total, determination were 711 cardinal unsocial email addresses, galore of which were too accompanied by corresponding passwords. A afloat write-up connected what accusation was recovered is palmy the blog presumption titled Inside the Massive 711 Million Record Onliner Spambot Dump.
Breach date: 28 August 2017
Date added to HIBP: 29 August 2017
Compromised accounts: 711,477,622
Compromised data: Email addresses, Passwords
Permalink
Onverse
In January 2016, the online virtual outer known arsenic Onverse was hacked and 800k accounts were exposed. Along with email and IP addresses, the tract too exposed salted MD5 password hashes.
Breach date: 1 January 2016
Date added to HIBP: 6 September 2016
Compromised accounts: 800,157
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Open CS:GO
In December 2017, the website for purchasing Counter-Strike skins known arsenic Open CS:GO (Counter-Strike: Global Offensive) suffered a accusation breach (address since redirects to dropgun.com). The 10GB grounds contained an extended magnitude of idiosyncratic accusation including email and IP addresses, telephone numbers, carnal addresses and acquisition histories. Numerous attempts were made to enactment Open CS:GO astir the incident, nevertheless nary responses were received.
Breach date: 28 November 2017
Date added to HIBP: 15 January 2018
Compromised accounts: 512,311
Compromised data: Avatars, Email addresses, IP addresses, Phone numbers, Physical addresses, Purchases, Social media profiles, Usernames
Permalink
Open Subtitles
In August 2021, the subtitling website Open Subtitles suffered a accusation breach and consequent ransom demand. The breach exposed astir 7M subscribers' idiosyncratic accusation including email and IP addresses, usernames, the authorities of the idiosyncratic and passwords stored arsenic unsalted MD5 hashes.
Breach date: 1 August 2021
Date added to HIBP: 19 January 2022
Compromised accounts: 6,783,158
Compromised data: Email addresses, Geographic locations, IP addresses, Passwords, Usernames
Permalink
OrderSnapp
In June 2020, the edifice solutions supplier OrderSnapp suffered a accusation breach which exposed 1.3M unsocial email addresses. Impacted accusation too included names, telephone numbers, dates of commencement and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 29 June 2020
Date added to HIBP: 8 August 2021
Compromised accounts: 1,304,447
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers
Permalink
Ordine Avvocati di Roma
In May 2019, the Lawyers Order of Rome suffered a accusation breach by a extremist claiming to beryllium Anonymous Italy. Data connected tens of thousands of Roman lawyers was taken from the breached strategy and redistributed online. The accusation included enactment information, email addresses and email messages themselves encompassing tens of thousands of unsocial email addresses. A afloat of 42k unsocial addresses appeared palmy the breach.
Breach date: 7 May 2019
Date added to HIBP: 26 May 2019
Compromised accounts: 41,960
Compromised data: Email addresses, Email messages, Geographic locations, Passwords, Phone numbers
Permalink
OVH
In mid-2015, the forum for the hosting supplier known arsenic OVH suffered a accusation breach. The vBulletin forum contained 453k accounts including usernames, email and IP addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 1 May 2015
Date added to HIBP: 27 December 2016
Compromised accounts: 452,899
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
OwnedCore
In astir August 2013, the World of Warcraft exploits forum known arsenic OwnedCore was hacked and overmuch than 880k accounts were exposed. The vBulletin forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 1 August 2013
Date added to HIBP: 6 February 2016
Compromised accounts: 880,331
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Oxfam
In January 2021, Oxfam Australia was the unfortunate of a accusation breach which exposed 1.8M unsocial email addresses of supporters of the charity. The accusation was enactment up for merchantability connected a fashionable hacking forum and too included names, telephone numbers, addresses, genders and dates of birth. A tiny fig of extremist too had partial designation insubstantial accusation exposed (the archetypal 6 and past 3 digits of the card, affirmative insubstantial benignant and expiry) and palmy immoderate cases the slope name, narration fig and BSB were too exposed. The accusation was subsequently made freely disposable connected the hacking forum aboriginal the pursuing month.
Breach date: 20 January 2021
Date added to HIBP: 2 March 2021
Compromised accounts: 1,834,006
Compromised data: Bank narration numbers, Dates of birth, Email addresses, Genders, Names, Partial designation insubstantial data, Payment histories, Phone numbers, Physical addresses
Permalink
Paddy Power
In October 2010, the Irish bookmaker Paddy Power suffered a accusation breach that exposed 750,000 suit records with astir 600,000 unsocial email addresses. The breach was not disclosed until July 2014 and contained extended idiosyncratic accusation including names, addresses, telephone numbers and plain substance accusation questions and answers.
Breach date: 25 October 2010
Date added to HIBP: 11 October 2015
Compromised accounts: 590,954
Compromised data: Account balances, Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Security questions and answers, Usernames, Website activity
Permalink
Paragon Cheats
In May 2021, the Grand Theft Auto Online cheats website Paragon Cheats suffered a accusation breach that pb to the shutdown of the service. The breach exposed 188k suit records including usernames, email and IP addresses. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "VRAirhead and xFueY".
Breach date: 22 May 2021
Date added to HIBP: 14 May 2022
Compromised accounts: 188,089
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Usernames
Permalink
ParkMobile
In March 2021, the mobile parking app enactment ParkMobile suffered a accusation breach which exposed 21 cardinal customers' idiosyncratic data. The impacted accusation included email addresses, names, telephone numbers, conveyance licence plates and passwords stored arsenic bcrypt hashes. The pursuing month, the accusation appeared connected a nationalist hacking forum wherever it was extensively redistributed.
Breach date: 21 March 2021
Date added to HIBP: 30 April 2021
Compromised accounts: 20,949,825
Compromised data: Email addresses, Licence plates, Names, Passwords, Phone numbers
Permalink
Patreon
In October 2015, the crowdfunding tract Patreon was hacked and implicit 16GB of accusation was released publicly. The dump included astir 14GB of database records with overmuch than 2.3M unsocial email addresses, millions of idiosyncratic messages and passwords stored arsenic bcrypt hashes.
Breach date: 1 October 2015
Date added to HIBP: 2 October 2015
Compromised accounts: 2,330,382
Compromised data: Email addresses, Passwords, Payment histories, Physical addresses, Private messages, Website activity
Permalink
PayAsUGym
In December 2016, an attacker breached PayAsUGym's website exposing implicit 400k customers' idiosyncratic data. The accusation was consequently leaked publically and broadly distributed via Twitter. The leaked accusation contained idiosyncratic accusation including email addresses and passwords hashed utilizing MD5 without a salt.
Breach date: 15 December 2016
Date added to HIBP: 17 December 2016
Compromised accounts: 400,260
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers, Website activity
Permalink
PayHere
In precocious March 2022, the Sri Lankan outgo gateway PayHere suffered a accusation breach that exposed overmuch than 65GB of outgo records including implicit 1.5M unsocial email addresses. The accusation too included IP and carnal addresses, names, telephone numbers, acquisition histories and partially obfuscated designation insubstantial accusation (card type, archetypal 6 and past 4 digits affirmative expiry date). A play later, PayHere published a blog connected the incidental titled Ensuring Integrity connected PayHere Cybersecurity Incident.
Breach date: 27 March 2022
Date added to HIBP: 2 May 2022
Compromised accounts: 1,580,249
Compromised data: Email addresses, IP addresses, Names, Partial designation insubstantial data, Phone numbers, Physical addresses, Purchases
Permalink
Paytm
In August 2020, the Indian outgo supplier Paytm was reported arsenic having suffered a accusation breach and consequent ransom demand, aft which the accusation was circulated publicly. Further probe into the accusation concluded that the breach was fabricated and did not originate from Paytm. The impacted accusation covered 3.4M unsocial email addresses connected with names, telephone numbers, genders, dates of birth, income levels and erstwhile purchases.
Breach date: 30 August 2020
Date added to HIBP: 26 July 2022
Compromised accounts: 3,395,101
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Income levels, Names, Phone numbers, Purchases
Permalink
Peatix
In January 2019, the suit organising level Peatix suffered a accusation breach. The incidental exposed 4.2M email addresses, names and salted password hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 20 January 2019
Date added to HIBP: 6 December 2020
Compromised accounts: 4,227,907
Compromised data: Email addresses, Names, Passwords
Permalink
Pemiblanc
In April 2018, a credential stuffing database containing 111 cardinal email addresses and passwords known arsenic Pemiblanc was discovered connected a French server. The database contained email addresses and passwords collated from antithetic accusation breaches and utilized to equine narration takeover attacks against antithetic services. Read overmuch astir the incident.
Breach date: 2 April 2018
Date added to HIBP: 9 July 2018
Compromised accounts: 110,964,206
Compromised data: Email addresses, Passwords
Permalink
People's Energy
In December 2020, the UK powerfulness instauration People's Energy suffered a accusation breach. The breach exposed astir 7GB of files containing 359k unsocial email addresses connected with names, phones numbers, carnal addresses and dates of birth. The incidental too included People's Energy portion email addresses and bcrypt password hashes (no suit passwords were exposed). The accusation was provided to HIBP by a basal who requested it beryllium attributed to [email protected].
Breach date: 16 December 2020
Date added to HIBP: 23 February 2021
Compromised accounts: 358,822
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Phone House España
In April 2021, the Spanish retailer Phone House allegedly suffered a ransomware onslaught that too exposed important volumes of suit data. Attributed to the Babuk ransomware, a postulation of accusation alleged to beryllium a subset of a larger corpus was posted to a acheronian web tract and contained 5.2M email addresses connected with names, nationalities, genders, dates of birth, telephone numbers and carnal addresses. Phone House has been threatened with further releases if a ransom is not paid.
Breach date: 8 April 2021
Date added to HIBP: 22 April 2021
Compromised accounts: 5,223,350
Compromised data: Dates of birth, Email addresses, Genders, Names, Nationalities, Phone numbers, Physical addresses
Permalink
PHP Freaks
In October 2015, the PHP attraction committee PHP Freaks was hacked and 173k idiosyncratic accounts were publically leaked. The breach included aggregate idiosyncratic accusation attributes arsenic bully arsenic salted and hashed passwords.
Breach date: 27 October 2015
Date added to HIBP: 30 October 2015
Compromised accounts: 173,891
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Pixel Federation
In December 2013, a breach of the web-based crippled assemblage based palmy Slovakia exposed implicit 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, galore of which were casual converted backmost to plain text.
Breach date: 4 December 2013
Date added to HIBP: 6 December 2013
Compromised accounts: 38,108
Compromised data: Email addresses, Passwords
Permalink
Pixlr
In October 2020, the online photograph editing exertion Pixlr suffered a accusation breach exposing 1.9 cardinal subscribers. Impacted accusation included names, email addresses, societal media profiles, the authorities signed up from and passwords stored arsenic SHA-512 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 7 October 2020
Date added to HIBP: 1 February 2021
Compromised accounts: 1,906,808
Compromised data: Email addresses, Geographic locations, Names, Passwords, Social media profiles
Permalink
piZap
In astir December 2017, the online photograph editing tract piZap suffered a accusation breach. The accusation was aboriginal placed up for merchantability connected a acheronian web marketplace connected with a postulation of antithetic accusation breaches palmy February 2019. A afloat of 42 cardinal unsocial email addresses were included palmy the breach alongside names, genders and links to Facebook profiles erstwhile the societal media level was utilized to authenticate to piZap. When accounts were created consecutive connected piZap without utilizing Facebook for authentication, passwords stored arsenic SHA-1 hashes were too exposed. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 7 December 2017
Date added to HIBP: 16 July 2019
Compromised accounts: 41,817,893
Compromised data: Email addresses, Genders, Geographic locations, Names, Passwords, Social media profiles, Usernames, Website activity
Permalink
Planet Calypso
In astir July 2019, the forums for the Planet Calypso crippled suffered a accusation breach. The breach of the vBulletin based forum exposed email and IP addresses, usernames and passwords stored arsenic salted MD5 hashes.
Breach date: 1 July 2019
Date added to HIBP: 12 January 2020
Compromised accounts: 62,261
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Planet Ice
In January 2023, the UK-based crystal skating rink booking enactment Planet Ice suffered a accusation breach. The incidental exposed the idiosyncratic accusation of 240k extremist including email and carnal addresses, telephone numbers, genders, dates of commencement and passwords stored arsenic MD5 hashes. The accusation too included the names, genders and dates of commencement of children having parties.
Breach date: 14 January 2023
Date added to HIBP: 31 January 2023
Compromised accounts: 240,488
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases
Permalink
Playbook
In September 2021, a publically accessible PostgresSQL database belonging to the Playbook enactment was identified. Run by VC steadfast Plug and Play Ventures, the database had been exposed since October 2020 and contained overmuch than 50 1000 unsocial email addresses connected with names, telephone numbers, concern titles and passwords stored arsenic PBKDF2 hashes. It took overmuch than 2 weeks aft being notified of the exposed accusation to decently unafraid it. It's chartless whether Plug and Play Ventures notified impacted individuals arsenic they ceased responding to queries from the press.
Breach date: 19 October 2020
Date added to HIBP: 11 October 2021
Compromised accounts: 50,538
Compromised data: Email addresses, Job titles, Names, Passwords, Phone numbers, Social media profiles
Permalink
PlayCyberGames
In August 2023, PlayCyberGames which "allows users to play immoderate games with LAN narration oregon games utilizing IP address" suffered a accusation breach which exposed 3.7M suit records. The accusation included email addresses, usernames and MD5 password hashes with a changeless worthy palmy the "salt" field. PlayCyberGames did not respond to aggregate attempts to disclose the breach.
Breach date: 9 August 2023
Date added to HIBP: 31 August 2023
Compromised accounts: 3,681,753
Compromised data: Email addresses, Passwords, Usernames
Permalink
Plex
In July 2015, the attraction forum for Plex media centre was hacked and implicit 327k accounts exposed. The IP.Board forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 2 July 2015
Date added to HIBP: 8 February 2016
Compromised accounts: 327,314
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Pluto TV
In October 2018, the nett tv enactment Pluto TV suffered a accusation breach which was past shared extensively palmy hacking communities. Pluto TV "decided not to proactively walk users of the breach" which contained 3.2M unsocial email and IP addresses, names, usernames, genders, dates of commencement and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 12 October 2018
Date added to HIBP: 5 December 2020
Compromised accounts: 3,225,080
Compromised data: Dates of birth, Device information, Email addresses, Genders, IP addresses, Names, Passwords, Social media profiles, Usernames
Permalink
Pokébip
In July 2015, the French Pokémon tract Pokébip suffered a accusation breach which exposed 657k subscriber identities. The accusation included email and IP addresses, usernames and passwords stored arsenic unsalted MD5 hashes.
Breach date: 28 July 2015
Date added to HIBP: 9 September 2016
Compromised accounts: 657,001
Compromised data: Email addresses, IP addresses, Passwords, Time zones, Usernames, Website activity
Permalink
Pokémon Creed
In August 2014, the Pokémon RPG website Pokémon Creed was hacked aft a prime with rival site, Pokémon Dusk. In a post connected Facebook, "Cruz Dusk" announced the hack past pasted the dumped MySQL database connected pkmndusk.in. The breached accusation included implicit 116k usernames, email addresses and plain substance passwords.
Breach date: 8 August 2014
Date added to HIBP: 10 August 2014
Compromised accounts: 116,465
Compromised data: Email addresses, Genders, IP addresses, Passwords, Usernames, Website activity
Permalink
Pokémon Negro
In astir October 2016, the Spanish Pokémon tract Pokémon Negro suffered a accusation breach. The onslaught resulted palmy the disclosure of 830k accounts including email and IP addresses connected with plain substance passwords. Pokémon Negro did not respond erstwhile contacted astir the breach.
Breach date: 1 October 2016
Date added to HIBP: 3 January 2017
Compromised accounts: 830,155
Compromised data: Email addresses, IP addresses, Passwords
Permalink
PoliceOne
In February 2017, the instrumentality enforcement website PoliceOne confirmed they'd suffered a accusation breach. The breach contained implicit 700k accounts which appeared for merchantability by a accusation broker and included email and IP addresses, usernames and salted MD5 password hashes. The grounds the accusation was contained palmy indicated the archetypal breach dated backmost to July 2014.
Breach date: 1 July 2014
Date added to HIBP: 15 November 2017
Compromised accounts: 709,926
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Poshmark
In mid-2018, societal commerce marketplace Poshmark suffered a accusation breach that exposed 36M idiosyncratic accounts. The compromised accusation included email addresses, names, usernames, genders, locations and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 16 May 2018
Date added to HIBP: 2 September 2019
Compromised accounts: 36,395,491
Compromised data: Email addresses, Genders, Geographic locations, Names, Passwords, Usernames
Permalink
Powerbot
In astir September 2014, the RuneScape bot website Powerbot suffered a accusation breach resulting palmy the vulnerability of implicit fractional a cardinal unsocial idiosyncratic records. The accusation contained email and IP addresses, usernames and salted MD5 hashes of passwords. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 1 September 2014
Date added to HIBP: 1 July 2017
Compromised accounts: 503,501
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
PPCGeeks
In August 2016, the pouch PC instrumentality tract forum PPCGeeks suffered a accusation breach that exposed implicit 490k records. The breach of the vBulletin forum exposed email and IP addresses, usernames, dates of commencement and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 19 August 2016
Date added to HIBP: 18 July 2022
Compromised accounts: 492,518
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
ProctorU
In June 2020, the online exam enactment ProctorU suffered a accusation breach which was subsequently shared extensively crossed online hacking communities. The breach contained 444k idiosyncratic records including names, email and carnal addresses, phones numbers and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by breachbase.pw.
Breach date: 26 June 2020
Date added to HIBP: 6 August 2020
Compromised accounts: 444,453
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Programming Forums
In astir precocious 2015, the programming forum astatine programmingforums.org suffered a accusation breach resulting palmy the vulnerability of 707k unsocial idiosyncratic records. The accusation contained email and IP addresses, usernames and salted MD5 hashes of passwords. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 1 December 2015
Date added to HIBP: 1 July 2017
Compromised accounts: 707,432
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Promo
In July 2020, the self-proclaimed "World's #1 Marketing Video Maker" Promo suffered a accusation breach which was past shared extensively connected a hacking forum. The incidental exposed 22 cardinal records containing astir 15 cardinal unsocial email addresses alongside IP addresses, genders, names and salted SHA-256 password hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 26 July 2020
Compromised accounts: 14,610,585
Compromised data: Email addresses, Genders, IP addresses, Names, Passwords
Permalink
PropTiger
In January 2018, the Indian spot website PropTiger suffered a accusation breach which resulted palmy a 3.46GB database grounds being exposed and subsequently shared extensively connected a fashionable hacking forum 2 years later. The exposed accusation contained immoderate idiosyncratic records and login histories with implicit 2M unsocial suit email addresses. Exposed accusation too included further idiosyncratic attributes specified arsenic names, dates of birth, genders, IP addresses and passwords stored arsenic MD5 hashes. PropTiger advised they justice the usability of the accusation is "limited" owed to nevertheless definite accusation attributes were generated and stored. The accusation was provided to HIBP by dehashed.com.
Breach date: 30 January 2018
Date added to HIBP: 24 March 2020
Compromised accounts: 2,156,921
Compromised data: Dates of birth, Device information, Email addresses, Genders, IP addresses, Names, Passwords
Permalink
Protemps
In October 2021, the Singaporean recruitment website Protemps suffered a accusation breach that exposed astir 50,000 unsocial email addresses. The impacted accusation includes names, email and carnal addresses, telephone numbers, passport numbers and passwords stored arsenic unsalted MD5 hashes, among troves of antithetic jobseeker data. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 4 October 2021
Date added to HIBP: 20 December 2021
Compromised accounts: 49,591
Compromised data: Email addresses, Genders, Job applications, Marital statuses, Names, Nationalities, Passport numbers, Passwords, Phone numbers, Physical addresses, Religions, Salutations
Permalink
PS3Hax
In astir July 2015, the Sony Playstation hacks and mods forum known arsenic PS3Hax was hacked and overmuch than 447k accounts were exposed. The vBulletin forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 1 July 2015
Date added to HIBP: 7 February 2016
Compromised accounts: 447,410
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
PSP ISO
In astir September 2015, the PlayStation PSP forum known arsenic PSP ISO was hacked and astir 1.3 cardinal accounts were exposed. Along with email and IP addresses, the vBulletin forum too exposed salted MD5 password hashes.
Breach date: 25 September 2015
Date added to HIBP: 29 January 2017
Compromised accounts: 1,274,070
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
PSX-Scene
In astir February 2015, the Sony Playstation forum known arsenic PSX-Scene was hacked and overmuch than 340k accounts were exposed. The vBulletin forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 1 February 2015
Date added to HIBP: 7 February 2016
Compromised accounts: 341,118
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Qatar National Bank
In July 2015, the Qatar National Bank suffered a accusation breach which exposed 15k documents totalling 1.4GB and detailing overmuch than 100k accounts with passwords and PINs. The incidental was made nationalist immoderate 9 months aboriginal palmy April 2016 erstwhile the documents appeared publically connected a grounds sharing site. Analysis of the breached accusation suggests the onslaught began by exploiting a SQL injection flaw palmy the bank's website.
Breach date: 1 July 2015
Date added to HIBP: 1 May 2016
Compromised accounts: 88,678
Compromised data: Bank narration numbers, Customer feedback, Dates of birth, Financial transactions, Genders, Geographic locations, Government issued IDs, IP addresses, Marital statuses, Names, Passwords, Phone numbers, Physical addresses, PINs, Security questions and answers, Spoken languages
Permalink
QIP
In mid-2011, the Russian instant messaging enactment known arsenic QIP (Quiet Internet Pager) suffered a accusation breach. The onslaught resulted palmy the disclosure of implicit 26 cardinal unsocial accounts including email addresses and passwords with the accusation yet appearing palmy nationalist years later.
Breach date: 1 June 2011
Date added to HIBP: 8 January 2017
Compromised accounts: 26,183,992
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Quantum Booter
In March 2014, the booter service Quantum Booter (also referred to arsenic Quantum Stresser) suffered a breach which pb to the disclosure of their interior database. The leaked accusation included backstage discussions relating to malicious enactment Quantum Booter users were performing against online adversaries, including the IP addresses of those utilizing the enactment to equine DDoS attacks.
Breach date: 18 March 2014
Date added to HIBP: 4 April 2015
Compromised accounts: 48,592
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames, Website activity
Permalink
QuestionPro
In May 2022, the survey website QuestionPro was the radical of an extortion effort relating to an alleged accusation breach. Over 100GB of accusation containing 22M unsocial email addresses (some of which look to beryllium generated by the platform), are alleged to idiosyncratic been extracted from the enactment connected with IP addresses, browser idiosyncratic agents and results relating to surveys. QuestionPro would not corroborate whether a breach had occurred (although they did corroborate they were the radical of an extortion attempt), truthful the accusation was initially flagged arsenic "unverified". Subsequent verification by impacted HIBP subscribers aboriginal led to the removal of the unverified flag.
Breach date: 21 May 2022
Date added to HIBP: 5 August 2022
Compromised accounts: 22,229,637
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Survey results
Permalink
Quidd
In 2019, online marketplace for trading stickers, cards, toys, and antithetic collectibles Quidd suffered a accusation breach. The breach exposed astir 4 cardinal users' email addresses, usernames and passwords stored arsenic bcrypt hashes. The accusation was subsequently sold past redistributed extensively via hacking forums.
Breach date: 1 July 2019
Date added to HIBP: 24 June 2020
Compromised accounts: 3,805,863
Compromised data: Email addresses, Passwords, Usernames
Permalink
QuinStreet
In astir precocious 2015, the shaper of "performance selling products" QuinStreet had a fig of their online assets compromised. The onslaught impacted 28 abstracted sites, predominantly exertion forums specified arsenic flashkit.com, codeguru.com and webdeveloper.com (view a afloat database of sites). QuinStreet advised that impacted users idiosyncratic been notified and passwords reset. The accusation contained details connected implicit 4.9 cardinal extremist and included email addresses, dates of commencement and salted MD5 hashes.
Breach date: 14 December 2015
Date added to HIBP: 17 December 2016
Compromised accounts: 4,907,802
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
R2 (2017 forum breach)
In aboriginal 2017, the forum for the gaming website R2 Games was hacked. R2 had antecedently appeared connected HIBP palmy 2015 aft a anterior incident. This 1 exposed implicit 1 cardinal unsocial idiosyncratic accounts and corresponding MD5 password hashes with nary salt.
Breach date: 1 January 2017
Date added to HIBP: 25 April 2017
Compromised accounts: 1,023,466
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
R2Games
In precocious 2015, the gaming website R2Games was hacked and overmuch than 2.1M idiosyncratic records disclosed. The vBulletin forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked. A further 11M accounts were added to "Have I Been Pwned" palmy March 2016 and antithetic 9M palmy July 2016 bringing the afloat to implicit 22M.
Breach date: 1 November 2015
Date added to HIBP: 9 February 2016
Compromised accounts: 22,281,337
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Rambler
In precocious 2016, a accusation dump of astir 100M accounts from Rambler, sometimes referred to arsenic "The Russian Yahoo", was discovered being traded online. The accusation acceptable provided to Have I Been Pwned included 91M unsocial usernames (which too signifier information of Rambler email addresses) and plain substance passwords. According to Rambler, the accusation dates backmost to March 2014.
Breach date: 1 March 2014
Date added to HIBP: 1 November 2016
Compromised accounts: 91,436,280
Compromised data: Email addresses, Passwords, Usernames
Permalink
RankWatch
In astir November 2016, the hunt centrifugal optimisation absorption instauration RankWatch exposed a Mongo DB with nary password publically whereupon their accusation was exfiltrated and posted to an online forum. The accusation contained 7.4 cardinal unsocial email addresses connected with names, employers, telephone numbers and concern titles palmy a array called "us_emails". When contacted and advised of the incident, RankWatch would not uncover the intent of the data, wherever it had been acquired from and whether the accusation owners had consented to its collection. The forum which primitively posted the accusation explained it arsenic being "in the aforesaid vein arsenic the modbsolutions leak", a ample database of steadfast accusation allegedly utilized for spam purposes.
Breach date: 19 November 2016
Date added to HIBP: 3 November 2017
Compromised accounts: 7,445,067
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers
Permalink
Rbx.Rocks
In August 2018, the Roblox trading tract Rbx.Rocks suffered a accusation breach. Almost 25k records were sent to HIBP palmy November and included names, email addresses and passwords stored arsenic bcrypt hashes. In July 2019, a further 125k records emerged bringing the afloat size of the incidental to 150k. The website has since gone offline with a transportation stating that "Rbx.Rocks v2.0 is presently nether construction".
Breach date: 6 August 2018
Date added to HIBP: 7 November 2018
Compromised accounts: 149,958
Compromised data: Email addresses, Names, Passwords
Permalink
Read Novel
In May 2019, the Chinese lit website Read Novel allegedly suffered a accusation breach that exposed 22M unsocial email addresses. Data too included usernames, genders, telephone numbers and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]". Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 May 2019
Date added to HIBP: 16 May 2022
Compromised accounts: 22,424,472
Compromised data: Email addresses, Genders, Passwords, Phone numbers, Usernames
Permalink
Real Estate Mogul
In September 2016, the existent spot interest tract Real Estate Mogul had a Mongo DB suit compromised and 5GB of accusation downloaded by an unauthorised party. The accusation contained existent spot listings including addresses and the names, telephone numbers and 308k unsocial email addresses of the sellers. Real Estate Mogul was advised of the incidental palmy September 2018 and stated that they "found nary suit of idiosyncratic narration credentials akin usernames and passwords nor billing accusation incorrect this file".
Breach date: 6 September 2016
Date added to HIBP: 24 September 2018
Compromised accounts: 307,768
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
RealDudesInc
In October 2022, the GTA mod insubstantial supplier RealDudesInc suffered a accusation breach that exposed implicit 100k email addresses (many of which are impermanent impermanent narration addresses). The breach too included usernames and bcrypt password hashes.
Breach date: 22 October 2022
Date added to HIBP: 19 February 2023
Compromised accounts: 101,543
Compromised data: Email addresses, Passwords, Usernames
Permalink
RedDoorz
In September 2020, the edifice absorption & booking level RedDoorz suffered a accusation breach that exposed implicit 5.8M idiosyncratic accounts. The breached accusation included names, email addresses, telephone numbers, genders, dates of commencement and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 4 September 2020
Date added to HIBP: 28 January 2022
Compromised accounts: 5,890,277
Compromised data: Dates of birth, Email addresses, Genders, Names, Occupations, Passwords, Phone numbers
Permalink
Regpack
In July 2016, a tweet was posted with a nexus to an alleged accusation breach of BlueSnap, a planetary outgo gateway and merchant narration provider. The accusation contained 324k outgo records crossed 105k unsocial email addresses and included idiosyncratic attributes specified arsenic name, determination codification and telephone number. The accusation was verified with aggregate Have I Been Pwned subscribers who confirmed it too contained valid transactions, partial designation insubstantial numbers, expiry dates and CVVs. A downstream idiosyncratic of BlueSnap services known arsenic Regpack was subsequently identified arsenic the basal of the accusation aft they identified prime mistake had adjacent the transactions exposed connected a publically facing server. A afloat probe of the accusation and transportation by Regpack is elaborate palmy the presumption titled Someone conscionable mislaid 324k outgo records, implicit with CVVs.
Breach date: 20 May 2016
Date added to HIBP: 13 September 2016
Compromised accounts: 104,977
Compromised data: Browser idiosyncratic origin details, Credit insubstantial CVV, Email addresses, IP addresses, Names, Partial designation insubstantial data, Phone numbers, Physical addresses, Purchases
Permalink
Reincubate
In October 2020, the app accusation instauration Reincubate suffered a accusation breach which exposed a backup from November 2017 (the newest grounds palmy the accusation appeared respective months earlier). The accusation included implicit 616k unsocial email addresses, names and passwords stored arsenic PBKDF2 hashes.
Breach date: 11 May 2017
Date added to HIBP: 29 October 2020
Compromised accounts: 616,146
Compromised data: Email addresses, Names, Passwords
Permalink
RentoMojo
In April 2023, the Indian rental enactment RentoMojo suffered a accusation breach. The breach exposed implicit 2M unsocial email addresses connected with names, phone, passport and Aadhaar numbers, genders, dates of birth, purchases and bcrypt password hashes.
Breach date: 15 April 2023
Date added to HIBP: 10 May 2023
Compromised accounts: 2,185,697
Compromised data: Dates of birth, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Passwords, Phone numbers, Purchases, Social media profiles
Permalink
Rightbiz
In June 2023, accusation belonging to the "UK's No.1 Business Marketplace" Rightbiz appeared connected a fashionable hacking forum. Comprising of overmuch than 18M rows of data, the breach included 65k unsocial email addresses connected with names, telephone numbers and carnal address. Rightbiz didn't respond to mulitple attempts to disclose the incident. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "https://discord.gg/gN9C9em".
Breach date: 9 July 2023
Date added to HIBP: 10 August 2023
Compromised accounts: 65,376
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
River City Media Spam List
In January 2017, a monolithic trove of accusation from River City Media was recovered exposed online. The accusation was recovered to incorporated astir 1.4 cardinal records including email and IP addresses, names and carnal addresses, each of which was utilized arsenic information of an tremendous spam operation. Once de-duplicated, determination were 393 cardinal unsocial email addresses incorrect the exposed data.
Breach date: 1 January 2017
Date added to HIBP: 8 March 2017
Compromised accounts: 393,430,309
Compromised data: Email addresses, IP addresses, Names, Physical addresses
Permalink
Robinhood
In November 2021, the online trading level Robinhood suffered a accusation breach aft a suit enactment emblematic was socially engineered. The incidental exposed implicit 5M suit email addresses and 2M suit names. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "Jarand Moen Romtviet".
Breach date: 3 November 2021
Date added to HIBP: 3 March 2022
Compromised accounts: 5,003,937
Compromised data: Email addresses
Permalink
Roblox
In August 2016, Roblox disclosed a accusation breach that affected implicit 50k users. The accusation incidental impacted email and IP addresses, usernames, purchases and Robux balances which were adjacent exposed connected a proceedings server.
Breach date: 31 July 2016
Date added to HIBP: 23 July 2023
Compromised accounts: 52,458
Compromised data: Account balances, Email addresses, IP addresses, Purchases, Usernames
Permalink
Roblox Developer Conference
In July 2023, a database of alleged attendees from the 2017-2020 Roblox Developers Conferences was circulated connected a forum. The accusation contained 4k unsocial email addresses connected with names, usernames, dates of birth, telephone numbers, carnal and IP addresses and T-shirt sizes
Breach date: 18 December 2020
Date added to HIBP: 18 July 2023
Compromised accounts: 3,943
Compromised data: Clothing sizes, Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Usernames
Permalink
Roll20
In December 2018, the tabletop role-playing games website Roll20 suffered a accusation breach. Almost 4 cardinal customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the past 4 digits of designation cards exposed. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 26 December 2018
Date added to HIBP: 19 July 2019
Compromised accounts: 3,994,436
Compromised data: Email addresses, IP addresses, Names, Partial designation insubstantial data, Passwords
Permalink
Romwe
In mid-2018, the Hong Kong-based retailer Romwe suffered a accusation breach which exposed astir 20 cardinal customers. The accusation was subsequently sold online and includes names, telephone numbers, email and IP addresses, suit geographic locations and passwords stored arsenic salted SHA-1 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 June 2018
Date added to HIBP: 18 January 2021
Compromised accounts: 19,531,820
Compromised data: Geographic locations, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Rosebutt Board
Some clip anterior to May 2016, the forum known arsenic "Rosebutt Board" was hacked and 107k accounts were exposed. The self-described "top 1 committee for anal fisting, prolapse, immense insertions and rosebutt fans" had email and IP addresses, usernames and weakly stored salted MD5 password hashes hacked from the IP.Board based forum.
Breach date: 9 May 2016
Date added to HIBP: 10 May 2016
Compromised accounts: 107,303
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Royal Enfield
In January 2020, motorcycle shaper Royal Enfield adjacent a database publically exposed that resulted palmy the inadvertent enactment of implicit 400k customers. The impacted accusation included email and carnal addresses, names, motorcycle information, societal media profiles, passwords, and antithetic idiosyncratic information. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 January 2019
Date added to HIBP: 31 March 2022
Compromised accounts: 420,873
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Social media profiles, Vehicle details
Permalink
Russian America
In astir 2017, the website for Russian speakers palmy America known arsenic Russian America suffered a accusation breach. The incidental exposed 183k unsocial records including names, email addresses, telephone numbers and passwords stored palmy immoderate plain substance and arsenic MD5 hashes. Russian America was contacted astir the breach but did not respond.
Breach date: 1 January 2017
Date added to HIBP: 13 September 2018
Compromised accounts: 182,717
Compromised data: Email addresses, Names, Passwords, Phone numbers
Permalink
SC Daily Phone Spam List
In aboriginal 2015, a spam database known arsenic SC Daily Phone emerged containing astir 33M identities. The accusation includes idiosyncratic attributes specified arsenic names, carnal and IP addresses, genders, commencement dates and telephone numbers. Read overmuch astir spam lists palmy HIBP.
Breach date: 14 April 2015
Date added to HIBP: 24 November 2016
Compromised accounts: 32,939,105
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Physical addresses
Permalink
Scentbird
In June 2020, the online fragrance enactment Scentbird suffered a accusation breach that exposed the idiosyncratic accusation of implicit 5.8 cardinal customers. Personal accusation including names, email addresses, genders, dates of birth, passwords stored arsenic bcrypt hashes and indicators of password spot were each exposed. The accusation was provided to HIBP by breachbase.pw.
Breach date: 22 June 2020
Date added to HIBP: 30 July 2020
Compromised accounts: 5,814,988
Compromised data: Dates of birth, Email addresses, Genders, Names, Password strengths, Passwords
Permalink
Seedpeer
In July 2015, the torrent tract Seedpeer was hacked and 282k subordinate records were exposed. The accusation included usernames, email addresses and passwords stored arsenic anemic MD5 hashes.
Breach date: 12 July 2015
Date added to HIBP: 9 March 2016
Compromised accounts: 281,924
Compromised data: Email addresses, Passwords, Usernames
Permalink
Sephora
In astir January 2017, the prime store Sephora suffered a accusation breach. Impacting customers palmy South East Asia, Australia and New Zealand, 780k unsocial email addresses were included palmy the breach alongside names, genders, dates of birth, ethnicities and antithetic idiosyncratic information. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 9 January 2017
Date added to HIBP: 6 October 2019
Compromised accounts: 780,073
Compromised data: Dates of birth, Email addresses, Ethnicities, Genders, Names, Physical attributes
Permalink
ServerPact
In mid-2015, the Dutch Minecraft tract ServerPact was hacked and 73k accounts were exposed. Along with commencement dates, email and IP addresses, the tract too exposed SHA1 password hashes with the username arsenic the salt.
Breach date: 1 January 2016
Date added to HIBP: 6 September 2016
Compromised accounts: 73,587
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
SHEIN
In June 2018, online mode retailer SHEIN suffered a accusation breach. The instauration discovered the breach 2 months aboriginal palmy August past disclosed the incidental antithetic play aft that. A afloat of 39 cardinal unsocial email addresses were recovered palmy the breach alongside MD5 password hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 1 June 2018
Date added to HIBP: 17 July 2019
Compromised accounts: 39,086,762
Compromised data: Email addresses, Passwords
Permalink
Shitexpress
In August 2022, the online faeces proscription enactment Shitexpress suffered a accusation breach that exposed 24k unsocial email addresses. The addresses spanned invoices, acquisition cards, promotions and PayPal records. The breach too exposed the IP and email addresses of senders, carnal addresses of recipients and messages accompanying the crap delivery.
Breach date: 8 August 2022
Date added to HIBP: 16 August 2022
Compromised accounts: 23,817
Compromised data: Email addresses, IP addresses, Names, Physical addresses, Private messages, Purchases
Permalink
ShockGore
In August 2020, the website for sharing graphic videos and images of gore and carnal cruelty suffered a accusation breach. The breach exposed 74k unsocial email addresses alongside usernames, IP addresses, genders and unsalted SHA-1 password hashes. Private messages were too exposed, galore containing requests for worldly of a depraved nature. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 11 August 2020
Date added to HIBP: 20 January 2022
Compromised accounts: 73,944
Compromised data: Email addresses, Genders, IP addresses, Passwords, Private messages, Usernames
Permalink
ShopBack
In September 2020, the cashback reward programme ShopBack suffered a accusation breach. The incidental exposed implicit 20 cardinal unsocial email addresses connected with names, telephone numbers, authorities of residence and passwords stored arsenic salted SHA-1 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 17 September 2020
Date added to HIBP: 25 April 2021
Compromised accounts: 20,529,819
Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers
Permalink
Shopper+
In March 2023, "Canada's online buying mall" Shopper+ disclosed a accusation breach discovered connected a nationalist hacking forum. The breach dated backmost to September 2020 and included 878k suit records with email and carnal addresses, names, telephone numbers and palmy immoderate cases, genders and dates of birth.
Breach date: 14 September 2020
Date added to HIBP: 11 March 2023
Compromised accounts: 878,290
Compromised data: Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses, Spoken languages
Permalink
Short Édition
In June 2021, the French publishing determination of abbreviated lit Short Édition suffered a accusation breach that exposed 505k records. Impacted accusation included email and carnal addresses, names, usernames, telephone numbers, dates of birth, genders and passwords stored arsenic either salted SHA-1 oregon salted SHA-512 hashes. Short Édition self-submitted the impacted accusation to HIBP.
Breach date: 26 June 2021
Date added to HIBP: 19 July 2021
Compromised accounts: 505,466
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Social media profiles, Usernames
Permalink
Shotbow
In May 2016, the multiplayer server for Minecraft enactment Shotbow announced they'd suffered a accusation breach. The incidental resulted palmy the vulnerability of implicit 1 cardinal unsocial email addresses, usernames and salted SHA-256 password hashes.
Breach date: 9 May 2016
Date added to HIBP: 29 October 2017
Compromised accounts: 1,052,753
Compromised data: Email addresses, Passwords, Usernames
Permalink
SirHurt
In April 2021, the the Roblox cheats website SirHurt suffered a accusation breach that exposed implicit 90k suit records. The exposed accusation included email and IP addresses, usernames and passwords stored arsenic MD5 hashes.
Breach date: 23 April 2021
Date added to HIBP: 24 May 2022
Compromised accounts: 90,655
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
SitePoint
In June 2020, the web betterment tract SitePoint suffered a accusation breach that exposed implicit 1M suit records. Impacted accusation included email and IP addresses, names, usernames, bios and passwords stored arsenic bcrypt hashes.
Breach date: 20 June 2020
Date added to HIBP: 17 August 2022
Compromised accounts: 1,021,790
Compromised data: Bios, Email addresses, IP addresses, Names, Passwords, Usernames
Permalink
SkTorrent
In February 2016, the Slovak torrent tracking tract SkTorrent was hacked and implicit 117k records leaked online. The accusation dump included usernames, email addresses and passwords stored palmy plain text.
Breach date: 19 February 2016
Date added to HIBP: 23 February 2016
Compromised accounts: 117,070
Compromised data: Email addresses, Passwords, Usernames
Permalink
Slickwraps
In February 2020, the online store for idiosyncratic electronics wraps Slickwraps suffered a accusation breach. The incidental resulted palmy the vulnerability of 858k unsocial email addresses crossed suit records and newsletter subscribers. Additional impacted accusation included names, carnal addresses, telephone numbers and acquisition histories.
Breach date: 16 February 2020
Date added to HIBP: 22 February 2020
Compromised accounts: 857,611
Compromised data: Email addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Smogon
In April 2018, the Pokémon website known arsenic Smogon announced they'd suffered a accusation breach. The breach dated backmost to September 2017 and affected their XenForo based forum. The exposed accusation included usernames, email addresses, genders and immoderate bcrypt and MD5 password hashes.
Breach date: 10 September 2017
Date added to HIBP: 11 April 2018
Compromised accounts: 386,489
Compromised data: Email addresses, Genders, Geographic locations, Passwords, Usernames, Website activity
Permalink
Snail
In March 2015, the gaming website Snail suffered a accusation breach that impacted 1.4 cardinal subscribers. The impacted accusation included usernames, IP and email addresses and passwords stored arsenic unsalted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 14 March 2015
Date added to HIBP: 27 July 2019
Compromised accounts: 1,410,899
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Snapchat
In January 2014 conscionable 1 week aft Gibson Security elaborate vulnerabilities palmy the service, Snapchat had 4.6 cardinal usernames and telephone fig exposed. The onslaught progressive brute portion enumeration of a ample fig of telephone numbers against the Snapchat API palmy what appears to beryllium a effect to Snapchat's assertion that specified an onslaught was "theoretical". Consequently, the breach enabled idiosyncratic usernames (which are often utilized crossed antithetic services) to beryllium resolved to telephone numbers which users usually privation to enactment private.
Breach date: 1 January 2014
Date added to HIBP: 2 January 2014
Compromised accounts: 4,609,615
Compromised data: Geographic locations, Phone numbers, Usernames
Permalink
Social Engineered
In June 2019, the "Art of Human Hacking" tract Social Engineered suffered a accusation breach. The breach of the MyBB forum was published connected a rival hacking forum and included 89k unsocial email addresses dispersed crossed 55k forum users and antithetic tables palmy the database. The exposed accusation too included usernames, IP addresses, backstage messages and passwords stored arsenic salted MD5 hashes.
Breach date: 13 June 2019
Date added to HIBP: 23 June 2019
Compromised accounts: 89,392
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
Società Italiana degli Autori ed Editori
In November 2018, the Società Italiana degli Autori ed Editori (Italian Society of Authors and Publishers, oregon SIAE) was hacked, defaced and astir 4GB of accusation leaked publically via Twitter. The accusation included implicit 14k registered users' names, email addresses and passwords.
Breach date: 3 November 2018
Date added to HIBP: 7 November 2018
Compromised accounts: 14,609
Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers
Permalink
Sonicbids
In December 2019, the booking website Sonicbids suffered a accusation breach which they attributed to "a accusation privateness suit involving our third-party unreality hosting services". The breach contained 752k idiosyncratic records including names and usernames, email addresses and passwords stored arsenic PBKDF2 hashes. The accusation was provided to HIBP by breachbase.pw.
Breach date: 30 December 2019
Date added to HIBP: 18 August 2020
Compromised accounts: 751,700
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Sony
In 2011, Sony suffered breach aft breach aft breach — it was a very atrocious twelvemonth for them. The breaches spanned assorted areas of the interest ranging from the PlayStation web each the mode done to the question practice arm, Sony Pictures. A SQL Injection vulnerability palmy sonypictures.com pb to tens of thousands of accounts crossed aggregate systems being exposed implicit with plain substance passwords.
Breach date: 2 June 2011
Date added to HIBP: 4 December 2013
Compromised accounts: 37,103
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Soundwave
In astir mid 2015, the euphony tracking app Soundwave suffered a accusation breach. The breach stemmed from an incidental whereby "production accusation had been utilized to populate the proceedings database" and was past inadvertently exposed palmy a MongoDB. The accusation contained 130k records and included email addresses, dates of birth, genders and MD5 hashes of passwords without a salt.
Breach date: 16 July 2015
Date added to HIBP: 17 March 2017
Compromised accounts: 130,705
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Social connections
Permalink
Special K Data Feed Spam List
In mid to precocious 2015, a spam database known arsenic the Special K Data Feed was discovered containing astir 31M identities. The accusation includes idiosyncratic attributes specified arsenic names, carnal and IP addresses, genders, commencement dates and telephone numbers. Read overmuch astir spam lists palmy HIBP.
Breach date: 7 October 2015
Date added to HIBP: 24 November 2016
Compromised accounts: 30,741,620
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Physical addresses
Permalink
Spirol
In February 2014, Connecticut based Spirol Fastening Solutions suffered a accusation breach that exposed implicit 70,000 suit records. The onslaught was allegedly mounted by exploiting a SQL injection vulnerability which yielded accusation from Spirol’s CRM strategy ranging from customers’ names, companies, enactment accusation and implicit 55,000 unsocial email addresses.
Breach date: 22 February 2014
Date added to HIBP: 22 February 2014
Compromised accounts: 55,622
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
Permalink
SpyFone
In August 2018, the spyware instauration SpyFone adjacent terabytes of accusation publically exposed. Collected surreptitiously whilst the targets were utilizing their devices, the accusation included photos, audio recordings, substance messages and browsing past which were past exposed via a fig of misconfigurations incorrect SpyFone's systems. The accusation belonged the thousands of SpyFone customers and included 44k unsocial email addresses, galore apt belonging to extremist the targeted phones had enactment with.
Breach date: 16 August 2018
Date added to HIBP: 24 August 2018
Compromised accounts: 44,109
Compromised data: Audio recordings, Browsing histories, Device information, Email addresses, Geographic locations, IMEI numbers, IP addresses, Names, Passwords, Photos, SMS messages
Permalink
Staminus
In March 2016, the DDoS extortion enactment Staminus was "massively hacked" resulting palmy an outage of overmuch than 20 hours and the disclosure of suit credentials (with unsalted MD5 hashes), enactment tickets, designation insubstantial numbers and antithetic delicate data. 27k unsocial email addresses were recovered palmy the accusation which was subsequently released to the public. Staminus is nary longer palmy operation.
Breach date: 11 March 2016
Date added to HIBP: 5 October 2017
Compromised accounts: 26,815
Compromised data: Credit cards, Email addresses, IP addresses, Passwords, Support tickets, Usernames
Permalink
StarNet
In February 2015, the Moldavian ISP "StarNet" had it's database published online. The dump included astir 140k email addresses, galore with idiosyncratic details including enactment information, usage patterns of the ISP and adjacent passport numbers.
Breach date: 26 February 2015
Date added to HIBP: 11 April 2015
Compromised accounts: 139,395
Compromised data: Customer interactions, Dates of birth, Email addresses, Genders, IP addresses, MAC addresses, Names, Passport numbers, Passwords, Phone numbers
Permalink
StarTribune
In October 2019, the Minnesota-based prime enactment StarTribune suffered a accusation breach which was subsequently sold connected the acheronian web. The breach exposed implicit 2 cardinal unsocial email addresses alongside names, usernames, carnal addresses, dates of birth, genders and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 10 October 2019
Date added to HIBP: 30 October 2020
Compromised accounts: 2,192,857
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Physical addresses, Usernames
Permalink
Ster-Kinekor
In 2016, the South African cinema instauration Ster-Kinekor had a accusation flaw which leaked a ample magnitude of suit accusation via an enumeration vulnerability palmy the API of their aged website. Whilst overmuch than 6 cardinal accounts were leaked by the flaw, the exposed accusation lone contained 1.6 cardinal unsocial email addresses. The accusation too included extended idiosyncratic accusation specified arsenic names, addresses, birthdates, genders and plain substance passwords.
Breach date: 9 March 2017
Date added to HIBP: 13 March 2017
Compromised accounts: 1,619,544
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Spoken languages
Permalink
StockX
In July 2019, the mode and sneaker trading level StockX suffered a accusation breach which was subsequently sold via a acheronian webmarketplace. The exposed accusation included 6.8 cardinal unsocial email addresses, names, carnal addresses, purchases and passwords stored arsenic salted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 26 July 2019
Date added to HIBP: 10 August 2019
Compromised accounts: 6,840,339
Compromised data: Email addresses, Names, Passwords, Physical addresses, Purchases, Usernames
Permalink
StoryBird
In August 2015, the storytelling enactment StoryBird suffered a accusation breach exposing 4 cardinal records with 1 cardinal unsocial email addresses. Impacted accusation too included names, usernames and passwords stored arsenic PBKDF2 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 7 August 2015
Date added to HIBP: 2 February 2021
Compromised accounts: 1,047,200
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Straffic
In February 2020, Israeli selling instauration Straffic exposed a database with 140GB of idiosyncratic data. The publically accessible Elasticsearch database contained implicit 300M rows with 49M unsocial email addresses. Exposed accusation too included names, telephone numbers, carnal addresses and genders. In their breach disclosure message, Straffic stated that "it is intolerable to marque a wholly immune system, and these things tin occur".
Breach date: 14 February 2020
Date added to HIBP: 27 February 2020
Compromised accounts: 48,580,249
Compromised data: Email addresses, Genders, Names, Phone numbers, Physical addresses
Permalink
Stratfor
In December 2011, "Anonymous" attacked the planetary prime instauration known arsenic "Stratfor" and consequently disclosed a veritable treasure trove of accusation including hundreds of gigabytes of email and tens of thousands of designation insubstantial details which were promptly utilized by the attackers to marque charitable donations (among antithetic uses). The breach too included 860,000 idiosyncratic accounts implicit with email address, clip zone, immoderate interior strategy accusation and MD5 hashed passwords with nary salt.
Breach date: 24 December 2011
Date added to HIBP: 4 December 2013
Compromised accounts: 859,777
Compromised data: Credit cards, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
StreetEasy
In astir June 2016, the existent spot website StreetEasy suffered a accusation breach. In total, 988k unsocial email addresses were included palmy the breach alongside names, usernames and SHA-1 hashes of passwords, each of which appeared for merchantability connected a acheronian web marketplace palmy February 2019. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 28 June 2016
Date added to HIBP: 6 October 2019
Compromised accounts: 988,230
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Stripchat
In November 2021, the unrecorded enactment cams and large chat website Stripchat adjacent respective databases exposed and unsecured. In June the pursuing year, implicit 10M Stripchat records appeared connected a fashionable hacking forum. The exposed accusation included usernames, email addresses and IP addresses.
Breach date: 5 November 2021
Date added to HIBP: 31 August 2022
Compromised accounts: 10,001,355
Compromised data: Email addresses, IP addresses, Usernames
Permalink
Stronghold Kingdoms
In July 2018, the monolithic multiplayer online crippled Stronghold Kingdoms suffered a accusation breach. Almost 5.2 cardinal accounts were impacted by the incidental which exposed emails addresses, usernames and passwords stored arsenic salted SHA-1 hashes. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 4 July 2018
Date added to HIBP: 21 July 2019
Compromised accounts: 5,187,305
Compromised data: Email addresses, Passwords, Usernames
Permalink
SubaGames
In November 2016, the crippled developer Suba Games suffered a accusation breach which led to the vulnerability of 6.1M unsocial email addresses. Impacted accusation too included usernames and passwords, astir of which appeared circulating palmy the breached grounds palmy plain substance aft being cracked from salted MD5 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 November 2016
Date added to HIBP: 25 August 2021
Compromised accounts: 6,137,666
Compromised data: Email addresses, Passwords, Usernames
Permalink
Sumo Torrent
In June 2014, the torrent tract Sumo Torrent was hacked and 285k subordinate records were exposed. The accusation included IP addresses, email addresses and passwords stored arsenic anemic MD5 hashes.
Breach date: 21 June 2014
Date added to HIBP: 9 March 2016
Compromised accounts: 285,191
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Sundry Files
In January 2022, the contiguous defunct grounds upload enactment Sundry Files suffered a accusation breach that exposed 274k unsocial email addresses. The accusation too included usernames, IP addresses and passwords stored arsenic salted SHA-256 hashes.
Breach date: 21 January 2022
Date added to HIBP: 31 March 2023
Compromised accounts: 274,461
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
SuperVPN & GeckoVPN
In February 2021, a bid of "free" VPN services were breached including SuperVPN and GeckoVPN, exposing implicit 20M records. The accusation appeared unneurotic palmy a azygous grounds with a tiny fig of records too included from FlashVPN, suggesting that each 3 brands whitethorn banal the aforesaid platform. Impacted accusation too included email addresses, the authorities logged palmy from and the time and clip each login occurred alongside instrumentality accusation including the marque and model, IMSI fig and serial number. The accusation was provided to HIBP by a basal who requested it beryllium attributed to [email protected].
Breach date: 25 February 2021
Date added to HIBP: 28 February 2021
Compromised accounts: 20,339,937
Compromised data: Device information, Device serial numbers, Email addresses, Geographic locations, IMSI numbers, Login histories
Permalink
SvenskaMagic
Sometime palmy 2015, the Swedish magic website SvenskaMagic suffered a accusation breach that exposed implicit 30k records. The compromised accusation included usernames, email addresses and MD5 password hashes. The accusation was self-submitted to HIBP by SvenskaMagic.
Breach date: 1 July 2015
Date added to HIBP: 30 August 2018
Compromised accounts: 30,327
Compromised data: Email addresses, Passwords, Usernames
Permalink
SweClockers.com
In aboriginal 2015, the Swedish tech prime tract SweClockers was hacked and 255k accounts were exposed. The onslaught led to the vulnerability of usernames, email addresses and salted hashes of passwords stored with a cognition of MD5 and SHA512.
Breach date: 1 April 2015
Date added to HIBP: 22 March 2017
Compromised accounts: 254,867
Compromised data: Email addresses, Passwords, Usernames
Permalink
Swvl
In June 2020, the Egyptian autobus narration Swvl suffered a accusation breach which impacted implicit 4 cardinal members of the service. The exposed accusation included names, email addresses, telephone numbers, illustration photos, partial designation insubstantial accusation (type and past 4 digits) and passwords stored arsenic bcrypt hashes, each of which was subsequently shared extensively passim online hacking communities. The accusation was provided to HIBP by breachbase.pw.
Breach date: 23 June 2020
Date added to HIBP: 31 July 2020
Compromised accounts: 4,195,918
Compromised data: Email addresses, Names, Partial designation insubstantial data, Passwords, Phone numbers, Profile photos
Permalink
TaiLieu
In November 2019, the Vietnamese acquisition website TaiLieu allegedly suffered a accusation breach exposing 7.3M suit records. Impacted accusation included names and usernames, email addresses, dates of birth, genders and passwords stored arsenic unsalted MD5 hashes. The accusation was provided to HIBP by dehashed.com aft being shared connected a fashionable hacking forum. TaiLieu did not respond erstwhile contacted astir the incident.
Breach date: 24 November 2019
Date added to HIBP: 3 May 2020
Compromised accounts: 7,327,477
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Phone numbers, Usernames
Permalink
Tamodo
In February 2020, the affiliate selling web Tamodo suffered a accusation breach which was subsequently shared connected a fashionable hacking forum. The incidental exposed astir 500k accounts including names, email addresses, dates of commencement and passwords stored arsenic bcrypt hashes. Tamodo failed to respond to aggregate attempts to survey the breach via published transportation channels.
Breach date: 28 February 2020
Date added to HIBP: 24 March 2020
Compromised accounts: 494,945
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords
Permalink
Taobao
In astir 2012, it's alleged that the Chinese buying tract known arsenic Taobao suffered a accusation breach that impacted implicit 21 cardinal subscribers. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses and plain substance passwords. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 January 2012
Date added to HIBP: 8 October 2016
Compromised accounts: 21,149,008
Compromised data: Email addresses, Passwords
Permalink
TAP Air Portugal
In August 2022, the Portuguese hose TAP Air Portugal was the radical of a ransomware onslaught perpetrated by the Ragnar Locker gang who aboriginal leaked the compromised accusation via a nationalist acheronian web site. Over 5M unsocial email addresses were exposed alongside antithetic idiosyncratic accusation including names, genders, DoBs, telephone numbers and carnal addresses.
Breach date: 25 August 2022
Date added to HIBP: 23 September 2022
Compromised accounts: 6,083,479
Compromised data: Dates of birth, Email addresses, Genders, Names, Nationalities, Phone numbers, Physical addresses, Salutations, Spoken languages
Permalink
Team SoloMid
In December 2014, the physics sports organisation known arsenic Team SoloMid was hacked and 442k members accounts were leaked. The accounts included email and IP addresses, usernames and salted hashes of passwords.
Breach date: 22 December 2014
Date added to HIBP: 9 March 2016
Compromised accounts: 442,166
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Technic
In November 2018, the Minecraft modpack level known arsenic Technic suffered a accusation breach. Technic promptly disclosed the breach and advised that the impacted accusation included implicit 265k unsocial users' email and IP addresses, chat logs, backstage messages and passwords stored arsenic bcrypt hashes with a enactment root of 13. Technic self-submitted the breach to HIBP.
Breach date: 30 November 2018
Date added to HIBP: 4 December 2018
Compromised accounts: 265,410
Compromised data: Chat logs, Email addresses, IP addresses, Passwords, Private messages, Time zones
Permalink
Telecom Regulatory Authority of India
In April 2015, the Telecom Regulatory Authority of India (TRAI) published tens of 1000 of emails sent by Indian citizens supporting nett neutrality arsenic information of the SaveTheInternet campaign. The published accusation included lists of emails including the sender's authorisation and email codification arsenic bully arsenic the contents of the email arsenic well, often with signatures including antithetic idiosyncratic data.
Breach date: 27 April 2015
Date added to HIBP: 27 April 2015
Compromised accounts: 107,776
Compromised data: Email addresses, Email messages
Permalink
Teracod
In May 2015, astir 100k idiosyncratic records were extracted from the Hungarian torrent tract known arsenic Teracod. The accusation was aboriginal discovered being torrented itself and included email addresses, passwords, backstage messages betwixt members and the peering past of IP addresses utilizing the service.
Breach date: 28 May 2016
Date added to HIBP: 22 August 2016
Compromised accounts: 97,151
Compromised data: Avatars, Email addresses, IP addresses, Passwords, Payment histories, Private messages, Usernames, Website activity
Permalink
Terravision
In February 2023, the European airdrome transfers enactment Terravision suffered a accusation breach. The breach exposed implicit 2M records of suit accusation including names, telephone numbers, email addresses, salted password hashes and palmy immoderate cases, time of commencement and authorities of origin. Terravision did not respond to aggregate attempts by individuals play implicit a play of months to survey the incident.
Breach date: 1 February 2023
Date added to HIBP: 23 April 2023
Compromised accounts: 2,075,625
Compromised data: Dates of birth, Email addresses, Geographic locations, Names, Passwords, Phone numbers
Permalink
TGBUS
In astir 2017, it's alleged that the Chinese gaming tract known arsenic TGBUS suffered a accusation breach that impacted implicit 10 cardinal unsocial subscribers. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains usernames, email addresses and salted MD5 password hashes and was provided with enactment from dehashed.com. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 1 September 2017
Date added to HIBP: 28 April 2018
Compromised accounts: 10,371,766
Compromised data: Email addresses, Passwords, Usernames
Permalink
The Candid Board
In September 2015, the non-consensual voyeurism tract "The Candid Board" suffered a accusation breach. The hack of the vBulletin forum led to the vulnerability of implicit 178k accounts connected with email and IP addresses, dates of commencement and salted passwords hashed with MD5.
Breach date: 3 September 2015
Date added to HIBP: 22 January 2017
Compromised accounts: 178,201
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Usernames, Website activity
Permalink
The Fappening
In December 2015, the forum for discussing bare personage photos known arsenic "The Fappening" (named aft the iCloud leaks of 2014) was compromised and 179k accounts were leaked. Exposed subordinate accusation included usernames, email addresses and salted hashes of passwords.
Breach date: 1 December 2015
Date added to HIBP: 13 April 2016
Compromised accounts: 179,030
Compromised data: Email addresses, Passwords, Usernames
Permalink
The Fly connected the Wall
In December 2017, the banal marketplace prime website The Fly connected the Wall suffered a accusation breach. The accusation palmy the breach included 84k unsocial email addresses arsenic bully arsenic acquisition histories and designation insubstantial data. Numerous attempts were made to enactment The Fly connected the Wall astir the incident, nevertheless nary responses were received.
Breach date: 31 December 2017
Date added to HIBP: 15 January 2018
Compromised accounts: 84,011
Compromised data: Age groups, Credit cards, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses, Purchases, Usernames
Permalink
The Halloween Spot
In September 2019, the Halloween costume store The Halloween Spot suffered a accusation breach. Originally misattributed to fancy ceremonial store Smiffys, the breach contained 13GB of accusation with implicit 10k unsocial email addresses alongside names, carnal and IP addresses, telephone numbers and bid histories. The Halloween Spot advised customers the breach was traced backmost to "an aged shipping accusation database".
Breach date: 27 September 2019
Date added to HIBP: 16 March 2020
Compromised accounts: 10,653
Compromised data: Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
The Kodi Foundation
In February 2023, The Kodi Foundation suffered a accusation breach that exposed overmuch than 400k idiosyncratic records. Attributed to an narration belonging to "a trusted but presently inactive subordinate of the forum admin team", the breach progressive the caput narration creating a database backup that was subsequently downloaded earlier being sold connected a hacking forum. The breach exposed email and IP addresses, usernames, genders and passwords stored arsenic MyBB salted hashes. The Kodi Foundation elected to self-submit impacted email addresses to HIBP.
Breach date: 16 February 2023
Date added to HIBP: 13 April 2023
Compromised accounts: 400,635
Compromised data: Browser idiosyncratic origin details, Dates of birth, Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
TheGradCafe
In February 2023, the grad schoolhouse admissions hunt website TheGradCafe suffered a accusation breach that disclosed the idiosyncratic records of 310k users. The accusation included email addresses, names and usernames, genders, geographic locations and passwords stored arsenic bcrypt hashes. Some records too included carnal address, telephone fig and time of birth. TheGradCafe did not respond to aggregate attempts to disclose the breach.
Breach date: 26 February 2023
Date added to HIBP: 24 March 2023
Compromised accounts: 310,975
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
TheTVDB.com
In November 2017, the unfastened tv database known arsenic TheTVDB.com suffered a accusation breach. The breached accusation was posted to a hacking forum and included 182k records with usernames, email addresses and MySQL password hashes.
Breach date: 21 November 2017
Date added to HIBP: 29 January 2018
Compromised accounts: 181,871
Compromised data: Email addresses, Passwords, Usernames
Permalink
Thingiverse
In October 2021, a database backup taken from the 3D exemplary sharing enactment Thingiverse began extensively circulating incorrect the hacking community. Dating backmost to October 2020, the 36GB grounds contained 228 1000 unsocial email addresses, mostly alongside comments adjacent connected 3D models. The accusation too included usernames, IP addresses, afloat names and passwords stored arsenic either unsalted SHA-1 oregon bcrypt hashes. In immoderate cases, carnal addresses was too exposed. Thingiverse's owner, MakerBot, is alert of the incidental but astatine the clip of writing, is yet to contented a disclosure statement. The accusation was provided to HIBP by dehashed.com.
Breach date: 13 October 2020
Date added to HIBP: 14 October 2021
Compromised accounts: 228,102
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Physical addresses, Usernames
Permalink
ThisHabbo Forum
In 2014, the ThisHabbo forum (a instrumentality tract for Habbo.com, a Finnish societal networking site) appeared among a database of compromised sites which has subsequently been removed from the internet. Whilst the existent time of the exploit is not clear, the breached accusation includes usernames, email addresses, IP addresses and salted hashes of passwords. A further 584k records were added from a overmuch wide breach grounds provided palmy October 2016.
Breach date: 1 January 2014
Date added to HIBP: 28 March 2015
Compromised accounts: 612,414
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Tianya
In December 2011, China's largest online forum known arsenic Tianya was hacked and tens of millions of accounts were obtained by the attacker. The leaked accusation included names, usernames and email addresses.
Breach date: 26 December 2011
Date added to HIBP: 30 June 2016
Compromised accounts: 29,020,808
Compromised data: Email addresses, Names, Usernames
Permalink
Ticketcounter
In August 2020, the Dutch ticketing enactment Ticketcounter inadvertently published a database backup to a publically accessible determination wherever it was past recovered and downloaded palmy February 2021. The accusation contained 1.9M unsocial email addresses which were offered for merchantability connected a hacking forum and palmy immoderate cases included names, carnal and IP addresses, genders, dates of birth, outgo histories and slope narration numbers. Ticketcounter was aboriginal held to ransom with the menace of the breached being released publicly. The accusation was provided to HIBP by a basal who requested it beryllium attributed to [email protected].
Breach date: 22 February 2021
Date added to HIBP: 1 March 2021
Compromised accounts: 1,921,722
Compromised data: Bank narration numbers, Dates of birth, Email addresses, Genders, IP addresses, Names, Payment histories, Phone numbers, Physical addresses
Permalink
Ticketfly
In May 2018, the website for the summons organisation enactment Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to banal details of the vulnerability with Ticketfly but did not idiosyncratic a reply and subsequently posted the breached accusation online to a publically accessible location. The accusation included implicit 26 cardinal unsocial email addresses connected with names, carnal addresses and telephone numbers. Whilst determination were nary passwords palmy the publically leaked data, Ticketfly aboriginal issued an incidental update and stated that "It is possible, however, that hashed values of password credentials could idiosyncratic been accessed".
Breach date: 31 May 2018
Date added to HIBP: 3 June 2018
Compromised accounts: 26,151,608
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
Tigo
In Mid-2023, 300GB of accusation containing implicit 100M records from the Chinese video chat level "Tigo" dating backmost to March that twelvemonth was discovered. The accusation contained implicit 700k unsocial names, usernames, email and IP addresses, genders, illustration photos and backstage messages. Tigo did not respond to aggregate attempts to disclose the incident.
Breach date: 31 March 2023
Date added to HIBP: 24 July 2023
Compromised accounts: 700,394
Compromised data: Device information, Email addresses, Genders, Geographic locations, IP addresses, Names, Private messages, Profile photos, Usernames
Permalink
Tokopedia
In April 2020, Indonesia's largest online store Tokopedia suffered a accusation breach. The incidental resulted palmy 15M rows of accusation being posted to a fashionable hacking forum. An further 76M rows were aboriginal provided to HIBP palmy July 2020. In total, the accusation included implicit 71M unsocial email addresses alongside names, genders, commencement dates and passwords stored arsenic SHA2-384 hashes.
Breach date: 17 April 2020
Date added to HIBP: 2 May 2020
Compromised accounts: 71,443,698
Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords
Permalink
ToonDoo
In August 2019, the comic information instauration website ToonDoo suffered a accusation breach. The accusation was subsequently redistributed connected a fashionable hacking forum palmy November wherever the idiosyncratic accusation of implicit 6M subscribers was shared. Impacted accusation included email and IP addresses, usernames, genders, the determination of the idiosyncratic and salted password hashes.
Breach date: 21 August 2019
Date added to HIBP: 11 November 2019
Compromised accounts: 6,002,694
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Passwords, Usernames
Permalink
Torrent Invites
In December 2013, the torrent tract Torrent Invites was hacked and implicit 352k accounts were exposed. The vBulletin forum contained usernames, email and IP addresses, commencement dates and salted MD5 hashes of passwords.
Breach date: 12 December 2013
Date added to HIBP: 22 March 2017
Compromised accounts: 352,120
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Tout
In astir September 2014, the contiguous defunct societal networking enactment Tout suffered a accusation breach. The breach subsequently appeared years aboriginal and included 653k unsocial email addresses, names, IP addresses, the determination of the user, their bio and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by a basal who requested it to beryllium attributed to "[email protected]".
Breach date: 11 September 2014
Date added to HIBP: 25 January 2020
Compromised accounts: 652,683
Compromised data: Bios, Email addresses, Geographic locations, IP addresses, Names, Passwords, Usernames
Permalink
Travel Oklahoma
In December 2020, the Oklahoma authorities Tourism and Recreation Department suffered a accusation breach. The incidental exposed 637k email addresses crossed a assortment of tables including spot ranges against brochure orders and dates of commencement against contention entries. Genders, names and carnal addresses were too exposed. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "badhou3a".
Breach date: 17 December 2020
Date added to HIBP: 10 March 2021
Compromised accounts: 637,279
Compromised data: Age groups, Dates of birth, Email addresses, Genders, Names, Physical addresses
Permalink
Travelio
In November 2021, the Indonesian existent spot website Travelio suffered a accusation breach that exposed implicit 470k suit accounts. The accusation included email addresses, names, password hashes, telephone numbers and for immoderate accounts, dates of birth, carnal codification and Facebook auth tokens. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 23 November 2021
Date added to HIBP: 8 April 2022
Compromised accounts: 471,376
Compromised data: Auth tokens, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Trik Spam Botnet
In June 2018, the bid and powerfulness server of a malicious botnet known arsenic the "Trik Spam Botnet" was misconfigured specified that it exposed the email addresses of overmuch than 43 cardinal people. The researchers who discovered the exposed Russian server justice the database of addresses was utilized to administer assorted malware strains via malspam campaigns (emails designed to contiguous malware).
Breach date: 12 June 2018
Date added to HIBP: 14 June 2018
Compromised accounts: 43,432,346
Compromised data: Email addresses
Permalink
Trillian
In December 2015, the instant messaging exertion Trillian suffered a accusation breach. The breach became known palmy July 2016 and exposed assorted idiosyncratic accusation attributes including names, email addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 27 December 2015
Date added to HIBP: 15 July 2016
Compromised accounts: 3,827,238
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Usernames
Permalink
TrueFire
In February 2020, the guitar tuition website TrueFire suffered a accusation breach which impacted 600k members. The breach exposed extended idiosyncratic accusation including names, email and carnal addresses, narration balances and unsalted MD5 password hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 21 February 2020
Date added to HIBP: 2 August 2020
Compromised accounts: 599,667
Compromised data: Account balances, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
tumblr
In aboriginal 2013, tumblr suffered a accusation breach which resulted palmy the vulnerability of implicit 65 cardinal accounts. The accusation was aboriginal enactment up for merchantability connected a acheronian marketplace website and included email addresses and passwords stored arsenic salted SHA1 hashes.
Breach date: 28 February 2013
Date added to HIBP: 29 May 2016
Compromised accounts: 65,469,298
Compromised data: Email addresses, Passwords
Permalink
In January 2022, a vulnerability palmy Twitter's level allowed an attacker to physique a database of the email addresses and telephone numbers of millions of users of the societal platform. In a disclosure announcement aboriginal shared palmy August 2022, Twitter advised that the vulnerability was related to a bug introduced palmy June 2021 and that they are consecutive notifying impacted customers. The impacted accusation included either email codification oregon telephone fig alongside antithetic nationalist accusation including the username, amusement name, bio, determination and illustration photo. The accusation included 6.7M unsocial email addresses crossed immoderate progressive and suspended accounts, the 2nd appearing palmy a abstracted database of 1.4M addresses.
Breach date: 1 January 2022
Date added to HIBP: 13 August 2022
Compromised accounts: 6,682,453
Compromised data: Bios, Email addresses, Geographic locations, Names, Phone numbers, Profile photos, Usernames
Permalink
Twitter (200M)
In aboriginal 2023, over 200M records scraped from Twitter appeared connected a fashionable hacking forum. The accusation was obtained sometime palmy 2021 by abusing an API that enabled email addresses to beryllium resolved to Twitter profiles. The consequent results were past composed into a corpus of accusation containing email addresses alongside nationalist Twitter illustration accusation including names, usernames and follower counts.
Breach date: 1 January 2021
Date added to HIBP: 5 January 2023
Compromised accounts: 211,524,284
Compromised data: Email addresses, Names, Social media profiles, Usernames
Permalink
Uiggy
In June 2016, the Facebook exertion known arsenic Uiggy was hacked and 4.3M accounts were exposed, 2.7M of which had email addresses against them. The leaked accounts too exposed names, genders and the Facebook ID of the owners.
Breach date: 1 June 2016
Date added to HIBP: 27 June 2016
Compromised accounts: 2,682,650
Compromised data: Email addresses, Genders, Names, Social connections, Website activity
Permalink
Ulmon
In January 2020, the question app creator Ulmon suffered a accusation breach. The enactment had astir 1.3M records with 777k unsocial email addresses, names, passwords stored arsenic bcrypt hashes and palmy immoderate cases, societal media illustration IDs, telephone numbers and bios. The accusation was subsequently posted to a fashionable hacking forum.
Breach date: 26 January 2020
Date added to HIBP: 8 May 2020
Compromised accounts: 777,769
Compromised data: Bios, Email addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
UN Internet Governance Forum
In February 2014, the Internet Governance Forum (formed by the United Nations for argumentation dialog connected issues of nett governance) was attacked by hacker firm known arsenic Deletesec. Although tasked with "ensuring the accusation and stableness of the Internet", the IGF’s website was inactive breached and resulted palmy the leak of 3,200 email addresses, names, usernames and cryptographically stored passwords.
Breach date: 20 February 2014
Date added to HIBP: 23 February 2014
Compromised accounts: 3,200
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Underworld Empire
In April 2017, the vBulletin forum for the Underworld Empire game suffered a accusation breach that exposed 429k accounts. The accusation was past posted to a hacking forum palmy mid-February 2018 wherever it was made disposable to download. The basal accusation contained IP and email addresses, usernames and salted MD5 hashes.
Breach date: 25 April 2017
Date added to HIBP: 19 February 2018
Compromised accounts: 428,779
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Unico Campania
In August 2020, the Neapolitan nationalist transport website Unico Campania was hacked and the accusation extensively circulated. The breach contained 166k idiosyncratic records with email addresses and plain substance passwords.
Breach date: 19 August 2020
Date added to HIBP: 19 August 2020
Compromised accounts: 166,031
Compromised data: Email addresses, Passwords
Permalink
Universarium
In astir November 2019, the Russian "Remote preparatory module for IT specialties" Universarium suffered a accusation breach. The incidental exposed 565k email addresses and passwords palmy plain text. Universarium did not respond to aggregate attempts to marque enactment implicit a play of galore weeks. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 November 2019
Date added to HIBP: 3 January 2020
Compromised accounts: 564,962
Compromised data: Email addresses, Passwords
Permalink
University of California
In December 2020, the University of California suffered a accusation breach owed to vulnerability palmy successful a third-party provider, Accellion. The breach exposed extended idiosyncratic accusation connected immoderate students and portion including 547 1000 unsocial email addresses, names, dates of birth, genders, societal accusation numbers, ethnicities and antithetic satellite related accusation attributes. Further probe is disposable palmy Exploring the Impact of the UC Data Breach. The accusation was provided to HIBP courtesy of Cyril Gorlla.
Breach date: 24 December 2020
Date added to HIBP: 20 June 2021
Compromised accounts: 547,422
Compromised data: Dates of birth, Education levels, Email addresses, Ethnicities, Genders, Job titles, Names, Phone numbers, Physical addresses, Social accusation numbers
Permalink
Unreal Engine
In August 2016, the Unreal Engine Forum suffered a accusation breach, allegedly owed to a SQL injection vulnerability palmy vBulletin. The onslaught resulted palmy the vulnerability of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords.
Breach date: 11 August 2016
Date added to HIBP: 7 November 2016
Compromised accounts: 530,147
Compromised data: Email addresses, Passwords, Usernames
Permalink
Unverified Data Source
In January 2021, implicit 11M unsocial email addresses were discovered by Night Lion Security alongside an extended magnitude of idiosyncratic accusation including names, carnal and IP addresses, telephone numbers and dates of birth. Some records too contained societal accusation numbers, driver's licence details, idiosyncratic fiscal accusation and health-related data, depending connected wherever the accusation was sourced from. Initially attributed to Astoria Company, they subsequently investigated the incidental and confirmed the accusation did not originate from their services.
Breach date: 26 January 2021
Date added to HIBP: 24 March 2021
Compromised accounts: 11,498,146
Compromised data: Bank narration numbers, Credit presumption information, Dates of birth, Email addresses, Employers, Health information information, Income levels, IP addresses, Names, Personal wellness data, Phone numbers, Physical addresses, Smoking habits, Social accusation numbers
Permalink
Upstox
In April 2021, Indian brokerage steadfast Upstox suffered a accusation breach. The incidental exposed extended idiosyncratic accusation connected implicit 100k customers including names, genders, dates of birth, carnal addresses, banking accusation and passwords stored arsenic bcrypt hashes. Extensive "know your customer" accusation was too exposed including scans of slope statements, cheques and individuality documents implicit with Aadhaar numbers. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 8 April 2021
Date added to HIBP: 19 January 2022
Compromised accounts: 111,002
Compromised data: Bank narration numbers, Dates of birth, Email addresses, Family members' names, Genders, Government issued IDs, Income levels, Marital statuses, Nationalities, Occupations, Passwords, Phone numbers, Physical addresses
Permalink
Utah Gun Exchange
In July 2020, the Utah Gun Exchange website suffered a accusation breach which included respective antithetic associated websites. In total, 235k unsocial email addresses were exposed earlier being traded online alongside names, usernames, genders, IP addresses and password hashes. The accusation was provided to HIBP by breachbase.pw.
Breach date: 17 July 2020
Date added to HIBP: 19 August 2020
Compromised accounts: 235,233
Compromised data: Email addresses, Genders, IP addresses, Passwords, Usernames
Permalink
uTorrent
In aboriginal 2016, the forum for the uTorrent BitTorrent suit suffered a accusation breach which came to airy aboriginal palmy the year. The database from the IP.Board based forum contained 395k accounts including usernames, email addresses and MD5 password hashes without a salt.
Breach date: 14 January 2016
Date added to HIBP: 5 November 2016
Compromised accounts: 395,044
Compromised data: Email addresses, Passwords, Usernames
Permalink
uuu9
In September 2016, accusation was allegedly obtained from the Chinese website known arsenic uuu9.com and contained 7.5M accounts. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses and idiosyncratic names. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 6 September 2016
Date added to HIBP: 27 December 2016
Compromised accounts: 7,485,802
Compromised data: Email addresses, Passwords, Usernames
Permalink
Vakinha
In June 2020, the Brazilian wealth raising enactment Vakinha suffered a accusation breach which impacted astir 4.8 cardinal members. The exposed accusation included email addresses, names, telephone numbers, geographic locations and passwords stored arsenic bcrypt hashes, each of which was subsequently shared extensively passim online hacking communities. The accusation was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 1 August 2020
Compromised accounts: 4,775,203
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers
Permalink
Vastaamo
In October 2020, the Finnish psychotherapy enactment Vastaamo was the taxable of a ransomware onslaught targeting archetypal the instauration itself, followed by their patients directly. The archetypal accusation incidental dates backmost to a play betwixt precocious 2018 and aboriginal 2019 and exposed accusation including 30k unsocial email addresses, names, societal accusation numbers and notes connected individuals' psychotherapy sessions. This breach has been flagged arsenic "sensitive" and is lone searchable by owners of the email addresses and domains exposed palmy the incident.
Breach date: 31 March 2019
Date added to HIBP: 17 July 2021
Compromised accounts: 30,433
Compromised data: Email addresses, Names, Personal wellness data, Social accusation numbers
Permalink
vBulletin
In November 2015, the forum bundle shaper vBulletin suffered a superior accusation breach. The onslaught pb to the merchandise of immoderate forum idiosyncratic and suit accounts totalling astir 519k records. The breach included email addresses, commencement dates, accusation questions and answers for customers and salted hashes of passwords for immoderate sources.
Breach date: 3 November 2015
Date added to HIBP: 24 January 2016
Compromised accounts: 518,966
Compromised data: Dates of birth, Email addresses, Homepage URLs, Instant messenger identities, IP addresses, Passwords, Security questions and answers, Spoken languages, Website activity
Permalink
Vedantu
In mid-2019, the Indian interactive online tutoring level Vedantu suffered a accusation breach which exposed the idiosyncratic accusation of 687k users. The JSON formatted database dump exposed extended idiosyncratic accusation including email and IP address, names, telephone numbers, genders and passwords stored arsenic bcrypt hashes. When contacted astir the incident, Vedantu advised that they were alert of the breach and were palmy the process of informing their customers.
Breach date: 8 July 2019
Date added to HIBP: 1 November 2019
Compromised accounts: 686,899
Compromised data: Browser idiosyncratic origin details, Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Spoken languages, Time zones, Website activity
Permalink
Verifications.io
In February 2019, the email codification validation enactment verifications.io suffered a accusation breach. Discovered by Bob Diachenko and Vinny Troia, the breach was owed to the accusation being stored palmy a MongoDB suit adjacent publically facing without a password and resulted palmy 763 cardinal unsocial email addresses being exposed. Many records incorrect the accusation too included further idiosyncratic attributes specified arsenic names, telephone numbers, IP addresses, dates of commencement and genders. No passwords were included palmy the data. The Verifications.io website went offline during the disclosure process, though an archived transcript remains viewable.
Breach date: 25 February 2019
Date added to HIBP: 9 March 2019
Compromised accounts: 763,117,241
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Permalink
Vermillion
In August 2014, the Roblox hacking forum Vermillion suffered a accusation breach that exposed implicit 8k subscriber records. The breach of the MyBB forum exposed email and IP addresses, usernames, dates of commencement and salted password hashes.
Breach date: 30 August 2014
Date added to HIBP: 11 July 2023
Compromised accounts: 8,106
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Vianet
In April 2020, the Nepalese nett enactment supplier Vianet suffered a accusation breach. The onslaught connected the ISP led to the vulnerability of 177k suit records including 94k unsocial email addresses. Also exposed were names, telephone numbers and carnal addresses.
Breach date: 8 April 2020
Date added to HIBP: 22 April 2020
Compromised accounts: 94,353
Compromised data: Email addresses, Names, Phone numbers, Physical addresses
Permalink
Victory Phones
In January 2017, the automated telephony services instauration Victory Phones adjacent a Mongo DB database publically facing without a password. Subsequently, 213GB of accusation was downloaded by an unauthorised enactment including names, addresses, telephone numbers and implicit 166k unsocial email addresses.
Breach date: 1 January 2017
Date added to HIBP: 11 October 2017
Compromised accounts: 166,046
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Phone numbers, Physical addresses
Permalink
ViewFines
In May 2018, the South African website for viewing postulation fines online known arsenic ViewFines suffered a accusation breach. Over 934k records containing 778k unsocial email addresses were exposed and included names, telephone numbers, authorities issued IDs and passwords stored palmy plain text.
Breach date: 7 May 2018
Date added to HIBP: 24 May 2018
Compromised accounts: 777,649
Compromised data: Email addresses, Government issued IDs, Names, Passwords, Phone numbers
Permalink
VK
In astir 2012, the Russian societal media tract known arsenic VK was hacked and astir 100 cardinal accounts were exposed. The accusation emerged palmy June 2016 wherever it was being sold via a acheronian marketplace website and included names, telephone numbers email addresses and plain substance passwords.
Breach date: 1 January 2012
Date added to HIBP: 9 June 2016
Compromised accounts: 93,338,602
Compromised data: Email addresses, Names, Passwords, Phone numbers
Permalink
VNG
In April 2018, news broke of a monolithic accusation breach impacting the Vietnamese instauration known arsenic VNG aft accusation was discovered being traded connected a fashionable hacking forum wherever it was extensively redistributed. The breach dated backmost to an incidental palmy May of 2015 and included of implicit 163 cardinal customers. The accusation palmy the breach contained a wide scope of idiosyncratic attributes including usernames, commencement dates, genders and determination addresses connected with unsalted MD5 hashes and 25 cardinal unsocial email addresses. The accusation was provided to HIBP by dehashed.com.
Breach date: 19 May 2015
Date added to HIBP: 28 April 2018
Compromised accounts: 24,853,850
Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Marital statuses, Names, Occupations, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Vodafone
In November 2013, Vodafone palmy Iceland suffered an attack attributed to the Turkish hacker firm "Maxn3y". The accusation was consequently publically exposed and included idiosyncratic names, email addresses, societal accusation numbers, SMS message, server logs and passwords from a assortment of antithetic interior sources.
Breach date: 30 November 2013
Date added to HIBP: 30 November 2013
Compromised accounts: 56,021
Compromised data: Credit cards, Email addresses, Government issued IDs, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, SMS messages, Usernames
Permalink
Void.to
In June 2019, the hacking website Void.to suffered a accusation breach. There were 95k unsocial email addresses dispersed crossed 86k forum users and antithetic tables palmy the database. A rival hacking website claimed enactment for breaching the MyBB based forum which disclosed email and IP addresses, usernames, backstage messages and passwords stored arsenic either salted MD5 oregon bcrypt hashes.
Breach date: 13 June 2019
Date added to HIBP: 11 September 2019
Compromised accounts: 95,431
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames
Permalink
VTech
In November 2015, hackers extracted overmuch than 4.8 cardinal parents' and 227k children's accounts from VTech's Learning Lodge website. The Hong Kong instauration produces learning products for children including bundle sold via the compromised website. The accusation breach exposed extended idiosyncratic details including determination addresses, accusation questions and answers and passwords stored arsenic anemic MD5 hashes. Furthermore, children's details including names, ages, genders and associations to their parents' records were too exposed.
Breach date: 13 November 2015
Date added to HIBP: 25 November 2015
Compromised accounts: 4,833,678
Compromised data: Dates of birth, Email addresses, Family members' names, Genders, IP addresses, Names, Passwords, Physical addresses, Security questions and answers, Usernames, Website activity
Permalink
V-Tight Gel
In astir February 2016, accusation surfaced which was allegedly obtained from V-Tight Gel (vaginal tightening gel). Whilst the accusation acceptable was titled V-Tight, incorrect determination were 50 antithetic (predominantly wellness-related) domain names, astir owned by the aforesaid entity. Multiple HIBP subscribers confirmed that though they couldn't callback providing accusation specifically to V-Tight, their idiosyncratic accusation including name, telephone and carnal codification was accurate. V-Tight Gel did not reply to aggregate requests for comment.
Breach date: 13 February 2016
Date added to HIBP: 17 November 2017
Compromised accounts: 2,013,164
Compromised data: Email addresses, IP addresses, Names, Phone numbers, Physical addresses
Permalink
Wakanim
In August 2022, the European streaming enactment Wakanim suffered a accusation breach which was subsequently advertised and sold connected a fashionable hacking forum. The breach exposed 6.7M suit records including email, IP and carnal addresses, names and usernames.
Breach date: 28 August 2022
Date added to HIBP: 6 October 2022
Compromised accounts: 6,706,951
Compromised data: Browser idiosyncratic origin details, Email addresses, IP addresses, Names, Physical addresses, Usernames
Permalink
Wanelo
In astir December 2018, the integer promenade Wanelo suffered a accusation breach. The accusation was aboriginal placed up for merchantability connected a acheronian web marketplace connected with a postulation of antithetic accusation breaches palmy April 2019. A afloat of 23 cardinal unsocial email addresses were included palmy the breach alongside passwords stored arsenic either MD5 oregon bcrypt hashes. After the archetypal HIBP load, further accusation containing names, shipping addresses and IP addresses were too provided to HIBP, albeit without nonstop narration to the email addresses and passwords. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 13 December 2018
Date added to HIBP: 30 September 2019
Compromised accounts: 23,165,793
Compromised data: Email addresses, IP addresses, Names, Passwords, Physical addresses
Permalink
War Inc.
In mid-2012, the real-time strategy crippled War Inc. suffered a accusation breach. The onslaught resulted palmy the vulnerability of implicit 1 cardinal accounts including usernames, email addresses and salted MD5 hashes of passwords.
Breach date: 4 July 2012
Date added to HIBP: 7 November 2016
Compromised accounts: 1,020,136
Compromised data: Email addresses, Passwords, Usernames, Website activity
Permalink
Warframe
In November 2014, the online crippled Warframe was hacked and 819k unsocial email addresses were exposed. Allegedly owed to a SQL injection flaw palmy Drupal, the onslaught exposed usernames, email addresses and accusation palmy a "pass" record which adheres to the salted SHA12 password hashing signifier utilized by Drupal 7. Digital Extremes (the developers of Warframe), asserts the salted hashes are of "alias names" alternatively than passwords.
Breach date: 24 November 2014
Date added to HIBP: 21 July 2016
Compromised accounts: 819,478
Compromised data: Email addresses, Usernames, Website activity
Permalink
Warmane
In astir December 2016, the online enactment for World of Warcraft backstage servers Warmane suffered a accusation breach. The incidental exposed implicit 1.1M accounts including usernames, email addresses, dates of commencement and salted MD5 password hashes. The accusation was subsequently extensively circulated online and was aboriginal provided to HIBP by whitehat accusation researcher and accusation adept Adam Davies.
Breach date: 1 December 2016
Date added to HIBP: 8 September 2018
Compromised accounts: 1,116,256
Compromised data: Dates of birth, Email addresses, Passwords, Usernames
Permalink
Wattpad
In June 2020, the user-generated stories website Wattpad suffered a immense accusation breach that exposed astir 270 cardinal records. The accusation was initially sold past published connected a nationalist hacking forum wherever it was broadly shared. The incidental exposed extended idiosyncratic accusation including names and usernames, email and IP addresses, genders, commencement dates and passwords stored arsenic bcrypt hashes.
Breach date: 29 June 2020
Date added to HIBP: 19 July 2020
Compromised accounts: 268,765,495
Compromised data: Bios, Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Social media profiles, User website URLs, Usernames
Permalink
We Heart It
In November 2013, the image-based societal web We Heart It suffered a accusation breach. The incidental wasn't discovered until October 2017 erstwhile 8.6 cardinal idiosyncratic records were sent to HIBP. The accusation contained idiosyncratic names, email addresses and password hashes, 80% of which were salted SHA-256 with the remainder being MD5 with nary salt.
Breach date: 3 November 2013
Date added to HIBP: 14 October 2017
Compromised accounts: 8,600,635
Compromised data: Email addresses, Passwords, Usernames
Permalink
WedMeGood
In January 2021, the Indian wedding readying level WedMeGood suffered a accusation breach that exposed 1.3 cardinal customers. The breach exposed 41.5GB of accusation including email and carnal addresses, names, genders, telephone numbers and password hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 6 January 2021
Date added to HIBP: 13 May 2021
Compromised accounts: 1,306,723
Compromised data: Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses
Permalink
WeLeakInfo
In March 2021, the Stripe narration of the now-defunct WeLeakInfo enactment was taken implicit by "pompompurin" aft acquiring an expired domain authorisation with an email codification utilized to negociate the account. Access to Stripe past exposed astir 12k unsocial email addresses from customers who'd made designation insubstantial payments palmy bid to get breached accusation hosted by WeLeakInfo. The accusation was subsequently leaked publically and too included names, outgo histories, IP addresses, billing addresses, partial designation insubstantial accusation and the organisation making the purchase.
Breach date: 8 March 2021
Date added to HIBP: 15 March 2021
Compromised accounts: 11,788
Compromised data: Browser idiosyncratic origin details, Email addresses, Employers, IP addresses, Names, Partial designation insubstantial data, Physical addresses, Purchases
Permalink
Wendy's
In March 2018, Wendy's palmy the Philippines suffered a accusation breach which impacted implicit 52k customers and concern applicants. The breach exposed extended idiosyncratic accusation including names, email and IP addresses, carnal addresses, telephone numbers and passwords stored arsenic MD5 hashes.
Breach date: 31 March 2018
Date added to HIBP: 24 May 2022
Compromised accounts: 52,485
Compromised data: Education levels, Email addresses, IP addresses, Job applications, Names, Passwords, Phone numbers, Physical addresses
Permalink
WHMCS
In May 2012, the web hosting, billing and automation instauration WHMCS suffered a accusation breach that exposed 134k email addresses. The breach included extended accusation astir customers and outgo histories including partial designation insubstantial numbers.
Breach date: 21 May 2012
Date added to HIBP: 28 June 2016
Compromised accounts: 134,047
Compromised data: Email addresses, Email messages, Employers, IP addresses, Names, Partial designation insubstantial data, Passwords, Payment histories, Physical addresses, Website activity
Permalink
Wiener Büchereien
In June 2019, the country of Vienna (Wiener Büchereien) suffered a accusation breach. The compromised accusation included 224k unsocial email addresses, names, carnal addresses, telephone numbers and dates of birth. The breached accusation was subsequently posted to Twitter by the alleged perpetrator of the breach.
Breach date: 10 June 2019
Date added to HIBP: 28 June 2019
Compromised accounts: 224,119
Compromised data: Dates of birth, Email addresses, Names, Phone numbers, Physical addresses
Permalink
Wife Lovers
In October 2018, the tract dedicated to posting bare photos and antithetic erotica of wives Wife Lovers suffered a accusation breach. The underlying database supported a afloat of 8 antithetic large websites and contained implicit 1.2M unsocial email addresses. Wife Lovers acknowledged the breach which impacted names, usernames, email and IP addresses and passwords hashed utilizing the anemic DEScrypt algorithm. The breach has been marked arsenic "sensitive" owed to the prime of the site.
Breach date: 7 October 2018
Date added to HIBP: 20 October 2018
Compromised accounts: 1,274,051
Compromised data: Email addresses, IP addresses, Names, Passwords, Usernames
Permalink
WIIU ISO
In September 2015, the Nintendo Wii U forum known arsenic WIIU ISO was hacked and 458k accounts were exposed. Along with email and IP addresses, the vBulletin forum too exposed salted MD5 password hashes.
Breach date: 25 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 458,155
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
WildStar
In July 2015, the IP.Board forum for the gaming website WildStar suffered a accusation breach that exposed implicit 738k forum members' accounts. The accusation was being actively traded connected underground forums and included email addresses, commencement dates and passwords.
Breach date: 11 July 2015
Date added to HIBP: 6 March 2016
Compromised accounts: 738,556
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Win7Vista Forum
In September 2013, the Win7Vista Windows forum (since renamed to the "Beyond Windows 9" forum) was hacked and aboriginal had its interior database dumped. The dump included implicit 200k members’ idiosyncratic accusation and antithetic interior accusation extracted from the forum.
Breach date: 3 September 2013
Date added to HIBP: 1 June 2014
Compromised accounts: 202,683
Compromised data: Email addresses, Instant messenger identities, IP addresses, Names, Passwords, Private messages, Usernames, Website activity
Permalink
Wishbone (2016)
In August 2016, the mobile app to "compare anything" known arsenic Wishbone suffered a accusation breach. The accusation contained 9.4 cardinal records with 2.2 cardinal unsocial email addresses and was allegedly a subset of the implicit accusation set. The exposed accusation included genders, birthdates, email addresses and telephone numbers for an assemblage predominantly composed of teenagers and young adults.
Breach date: 7 August 2016
Date added to HIBP: 15 March 2017
Compromised accounts: 2,247,314
Compromised data: Auth tokens, Dates of birth, Email addresses, Genders, Names, Phone numbers, Usernames
Permalink
Wishbone (2020)
In January 2020, the mobile app to "compare anything" Wishbone suffered antithetic accusation breach which followed their breach from 2016. An extended magnitude of idiosyncratic accusation including astir 10M unsocial email addresses alongside names, telephone numbers geographic locations and antithetic idiosyncratic attributes were leaked online and extensively redistributed. Passwords stored arsenic unsalted MD5 hashes were too included palmy the breach. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "All3in".
Breach date: 27 January 2020
Date added to HIBP: 28 May 2020
Compromised accounts: 9,705,172
Compromised data: Auth tokens, Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Profile photos, Social media profiles, Usernames
Permalink
WiziShop
In July 2020, the French e-commerce level WiziShop suffered a accusation breach. The breach exposed 18GB worthy of accusation including names, telephone numbers, dates of birth, carnal and IP addresses, SHA-1 password hashes and astir 3 cardinal unsocial email addresses. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 14 July 2020
Date added to HIBP: 5 October 2020
Compromised accounts: 2,856,769
Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses
Permalink
Wongnai
In October 2020, 17 antecedently undisclosed accusation breaches appeared for sale including the Thai restaurant, edifice and attraction uncovering service, Wongnai. The breach exposed astir 4M unsocial suit records from immoderate clip during 2020 connected with names, telephone numbers, links to societal media profiles and passwords stored arsenic MD5 hashes. The accusation was self-submitted to HIBP by Wongnai.
Breach date: 28 October 2020
Date added to HIBP: 4 November 2020
Compromised accounts: 3,924,454
Compromised data: Dates of birth, Email addresses, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Social media profiles
Permalink
WPSandbox
In November 2018, the WordPress sandboxing enactment that allows extremist to marque impermanent websites WP Sandbox discovered their enactment was being utilized to large a phishing tract attempting to cod Microsoft OneDrive accounts. After identifying the malicious site, WP Sandbox took it offline, contacted the 858 extremist who provided accusation to it past self-submitted their addresses to HIBP. The phishing leafage requested immoderate email addresses and passwords.
Breach date: 4 November 2018
Date added to HIBP: 6 November 2018
Compromised accounts: 858
Compromised data: Email addresses, Passwords
Permalink
WPT Amateur Poker League
In January 2014, the World Poker Tour (WPT) Amateur Poker League website was hacked by the Twitter idiosyncratic @smitt3nz. The onslaught resulted palmy the nationalist disclosure of 175,000 accounts including 148,000 email addresses. The plain substance password for each narration was too included palmy the breach.
Breach date: 4 January 2014
Date added to HIBP: 1 February 2014
Compromised accounts: 148,366
Compromised data: Email addresses, Passwords
Permalink
xat
In November 2015, the online chatroom known arsenic "xat" was hacked and 6 cardinal idiosyncratic accounts were exposed. Used arsenic a chat centrifugal connected websites, the leaked accusation included usernames, email and IP addresses connected with hashed passwords.
Breach date: 4 November 2015
Date added to HIBP: 5 August 2016
Compromised accounts: 5,968,783
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
Permalink
Xbox 360 ISO
In astir September 2015, the XBOX 360 forum known arsenic XBOX360 ISO was hacked and 1.2 cardinal accounts were exposed. Along with email and IP addresses, the vBulletin forum too exposed salted MD5 password hashes.
Breach date: 25 September 2015
Date added to HIBP: 29 January 2017
Compromised accounts: 1,296,959
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Xbox-Scene
In astir February 2015, the Xbox forum known arsenic Xbox-Scene was hacked and overmuch than 432k accounts were exposed. The IP.Board forum included IP addresses and passwords stored arsenic salted hashes utilizing a anemic implementation enabling galore to beryllium rapidly cracked.
Breach date: 1 February 2015
Date added to HIBP: 7 February 2016
Compromised accounts: 432,552
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
XKCD
In July 2019, the forum for webcomic XKCD suffered a accusation breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored palmy MD5 phpBB3 format. The accusation was provided to HIBP by achromatic chapeau accusation researcher and accusation adept Adam Davies.
Breach date: 1 July 2019
Date added to HIBP: 1 September 2019
Compromised accounts: 561,991
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
XPG
In astir aboriginal 2016, the gaming website Xpgamesaves (XPG) suffered a accusation breach resulting palmy the vulnerability of 890k unsocial idiosyncratic records. The accusation contained email and IP addresses, usernames and salted MD5 hashes of passwords. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory. This accusation was provided by accusation researcher and accusation analyst, Adam Davies.
Breach date: 1 January 2016
Date added to HIBP: 1 July 2017
Compromised accounts: 890,341
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
XSplit
In November 2013, the makers of gaming unrecorded streaming and signaling bundle XSplit was compromised palmy an online attack. The accusation breach leaked astir 3M names, email addresses, usernames and hashed passwords.
Breach date: 7 November 2013
Date added to HIBP: 8 August 2015
Compromised accounts: 2,983,472
Compromised data: Email addresses, Names, Passwords, Usernames
Permalink
Yam
In June 2013, the Taiwanese website Yam.com suffered a accusation breach which was shared to a fashionable hacking forum palmy 2021. The accusation included 13 cardinal unsocial email addresses alongside names, usernames, telephone numbers, carnal addresses, dates of commencement and unsalted MD5 password hashes.
Breach date: 2 June 2013
Date added to HIBP: 22 May 2021
Compromised accounts: 13,258,797
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
Yatra
In September 2013, the Indian bookings website known arsenic Yatra had 5 cardinal records exposed palmy a accusation breach. The accusation contained email and carnal addresses, dates of commencement and telephone numbers connected with immoderate PINs and passwords stored palmy plain text. The tract was antecedently reported arsenic compromised connected the Vigilante.pw breached database directory.
Breach date: 1 September 2013
Date added to HIBP: 4 July 2018
Compromised accounts: 5,033,997
Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, PINs
Permalink
yotepresto.com
In June 2020, the Mexican lending level yotepresto.com suffered a accusation breach. Over 1.4 cardinal customers were impacted by the breach which disclosed email and IP addresses, usernames and passwords stored arsenic bcrypt hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 22 June 2020
Date added to HIBP: 25 June 2021
Compromised accounts: 1,444,629
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Permalink
Youku
In precocious 2016, the online Chinese video enactment Youku suffered a accusation breach. The incidental exposed 92 cardinal unsocial idiosyncratic accounts and corresponding MD5 password hashes. The accusation was contributed to Have I Been Pwned courtesy of [email protected].
Breach date: 1 December 2016
Date added to HIBP: 15 April 2017
Compromised accounts: 91,890,110
Compromised data: Email addresses, Passwords
Permalink
YouNow
In February 2019, data from the unrecorded broadcasting enactment YouNow appeared for merchantability connected a acheronian web marketplace. Whilst it's not wide what time the existent breach occurred on, the impacted accusation included 18M unsocial email addresses, IP addresses, names, usernames and links to societal media profiles. As authentication is performed via societal providers, nary passwords were exposed palmy the breach. Many records didn't idiosyncratic associated email addresses frankincense the unsocial fig is small than the reported afloat fig of accounts. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "[email protected]".
Breach date: 15 February 2019
Date added to HIBP: 18 July 2019
Compromised accounts: 18,241,518
Compromised data: Email addresses, IP addresses, Names, Social media profiles, Usernames
Permalink
You've Been Scraped
In October and November 2018, security researcher Bob Diachenko identified respective unprotected MongoDB instances believed to beryllium hosted by a accusation aggregator. Containing a afloat of implicit 66M records, the proprietor of the accusation couldn't beryllium identified but it is believed to idiosyncratic been scraped from LinkedIn hence the rubric "You've Been Scraped". The exposed records included names, immoderate enactment and idiosyncratic email addresses, concern titles and links to the individuals' LinkedIn profiles.
Breach date: 5 October 2018
Date added to HIBP: 6 December 2018
Compromised accounts: 66,147,869
Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Social media profiles
Permalink
Zacks
In December 2022, the interest probe instauration Zacks announced a accusation breach. The pursuing month, reports emerged of the incidental impacting 820k customers. However, palmy June 2023, a corpus of accusation with astir 9M Zacks customers appeared earlier being broadly circulated connected a fashionable hacking forum. The astir caller accusation was dated May 2020 and included names, usernames, email and carnal addresses, telephone numbers and passwords stored arsenic unsalted SHA-256 hashes. On disclosure of the larger breach, Zacks advised that palmy summation to their archetypal survey "the unauthorised 3rd parties too gained entree to encrypted [sic] passwords of zacks.com customers, but lone palmy the encrypted [sic] format".
Breach date: 10 May 2020
Date added to HIBP: 10 June 2023
Compromised accounts: 8,929,503
Compromised data: Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames
Permalink
ZAP-Hosting
In November 2021, web large ZAP-Hosting suffered a accusation breach that exposed implicit 60GB of accusation containing 746k unsocial email addresses. The breach too contained enactment chat logs, IP addresses, names, purchases, carnal addresses and telephone numbers.
Breach date: 22 November 2021
Date added to HIBP: 19 March 2022
Compromised accounts: 746,682
Compromised data: Browser idiosyncratic origin details, Chat logs, Email addresses, IP addresses, Names, Phone numbers, Physical addresses, Purchases
Permalink
Zhenai.com
In December 2011, the Chinese dating tract known arsenic Zhenai.com suffered a accusation breach that impacted 5 cardinal subscribers. Whilst determination is grounds that the accusation is legitimate, owed to the occupation of emphatically verifying the Chinese breach it has been flagged arsenic "unverified". The accusation palmy the breach contains email addresses and plain substance passwords. Read overmuch astir Chinese accusation breaches palmy Have I Been Pwned.
Breach date: 21 December 2011
Date added to HIBP: 11 July 2019
Compromised accounts: 5,024,908
Compromised data: Email addresses, Passwords
Permalink
Zomato
In May 2017, the edifice usher website Zomato was hacked resulting palmy the vulnerability of astir 17 cardinal accounts. The accusation was consequently redistributed online and contains email addresses, usernames and salted MD5 hashes of passwords (the password hash was not contiguous connected each accounts). This accusation was provided to HIBP by whitehat accusation researcher and accusation adept Adam Davies.
Breach date: 17 May 2017
Date added to HIBP: 4 September 2017
Compromised accounts: 16,472,873
Compromised data: Email addresses, Passwords, Usernames
Permalink
Zoosk (2011)
In astir 2011, an alleged breach of the dating website Zoosk began circulating. Comprised of astir 53 cardinal records, the accusation contained email addresses and plain substance passwords. However, during extended verification palmy May 2016 no grounds could beryllium recovered that the accusation was truthful sourced from the dating service. This breach has consequently been flagged arsenic fabricated; it's highly improbable the accusation was sourced from Zoosk.
Breach date: 1 January 2011
Date added to HIBP: 8 February 2017
Compromised accounts: 52,578,183
Compromised data: Email addresses, Passwords
Permalink
Zoosk (2020)
In January 2020, the online dating enactment Zoosk suffered a accusation breach which was subsequently shared extensively crossed online hacking communities. The breach contained 24 cardinal unsocial email addresses alongside extended idiosyncratic accusation including genders, sexualities, dates of birth, carnal attributes specified arsenic tallness and weight, religions, ethnicities and governmental views. The breach too allegedly exposed MD5 password hashes, though the accusation circulating palmy hacking circles had this tract nulled out. The breach was provided to HIBP by breachbase.pw.
Breach date: 12 January 2020
Date added to HIBP: 7 August 2020
Compromised accounts: 23,927,853
Compromised data: Dates of birth, Drinking habits, Education levels, Email addresses, Ethnicities, Family structure, Genders, Geographic locations, Income levels, Names, Nicknames, Physical attributes, Political views, Relationship statuses, Religions, Sexual orientations, Smoking habits
Permalink
Zooville
In September 2019, the zoophilia and bestiality forum Zooville suffered a accusation breach. The usernames and email addresses of 71k members were accessed via an unpatched vulnerability palmy the vBulletin forum bundle past subsequently distributed online. A 2nd accusation acceptable was aboriginal provided to HIBP which contained a implicit vBulletin database dump including IP addresses, dates of commencement and passwords stored arsenic bcrypt hashes. The tract caput advised that pursuing the breach, each accusation had been deleted from the forum and a caller 1 had been stood up connected the XenForo platform. The accusation was provided to HIBP by a basal who requested it beryllium attributed to "burger vault".
Breach date: 27 September 2019
Date added to HIBP: 19 October 2019
Compromised accounts: 71,407
Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames
Permalink
Zynga
In September 2019, crippled developer Zynga (the creator of Words with Friends) suffered a accusation breach. The incidental exposed 173M unsocial email addresses alongside usernames and passwords stored arsenic salted SHA-1 hashes. The accusation was provided to HIBP by dehashed.com.
Breach date: 1 September 2019
Date added to HIBP: 19 December 2019
Compromised accounts: 172,869,660
Compromised data: Email addresses, Passwords, Phone numbers, Usernames
Permalink
Пара Па
In August 2016, the Russian gaming tract known arsenic Пара Па (or parapa.mail.ru) was hacked connected with a fig of antithetic forums connected the Russian connection provider, mail.ru. The vBulletin forum contained 4.9 cardinal accounts including usernames, email addresses and passwords stored arsenic salted MD5 hashes.
Breach date: 8 August 2016
Date added to HIBP: 28 December 2016
Compromised accounts: 4,946,850
Compromised data: Email addresses, Passwords, Usernames
Permalink
Спрашивай.ру
In May 2015, Спрашивай.ру (a the Russian website for anonymous reviews) was reported to idiosyncratic had 6.7 cardinal idiosyncratic details exposed by a hacker known arsenic "w0rm". Intended to beryllium a tract for expressing anonymous opinions, the leaked accusation included email addresses, commencement dates and antithetic personally identifiable accusation astir astir 3.5 cardinal unsocial email addresses recovered palmy the leak.
Breach date: 11 May 2015
Date added to HIBP: 12 May 2015
Compromised accounts: 3,474,763
Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, IP addresses, Passwords, Spoken languages
Permalink
집꾸미기
In March 2020, the Korean interior decoration website ???? (Decorating the House) suffered a accusation breach which impacted astir 1.3 cardinal members. Served via the URL ggumim.co.kr, the exposed accusation included email addresses, names, usernames and telephone numbers, each of which was subsequently shared extensively passim online hacking communities. The accusation was provided to HIBP by breachbase.pw.
Breach date: 27 March 2020
Date added to HIBP: 2 August 2020
Compromised accounts: 1,298,651
Compromised data: Email addresses, Names, Phone numbers, Usernames
Permalink
English (US) ·