
Largest Data Breaches in The World [Updated 2026]

January 31, 2024

In the digital age, data breaches have become a frequent and troubling occurrence. Understanding these breaches is crucial for enhancing our cybersecurity measures and protecting sensitive information.

This comprehensive review of the top 100 data breaches offers insights into the magnitude of each incident and its impact on various industries.

From exposed personal details to compromised corporate data, each breach presents unique challenges and learning opportunities.

Let’s delve into these breaches to better grasp the current cybersecurity landscape.

Breach #1: 1.4BillionRecords

ComboList
Breach Date March 2017
Domain Not-Applicable
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 1,114,303,554
Industry Entertainment
Password Risk unknown
Searchable Yes
Sensitive No
Verified Yes

In December 2017, a significant data breach was discovered by 4iQ, revealing 1.4 billion user credentials on the dark web. This breach, consisting of a 41-gigabyte file, was not just a list but an interactive database that allowed for quick searches of usernames and passwords in plaintext. It was the largest known aggregation of personal data breaches at the time, containing almost twice as many records as the previous largest exposure.

The database compiled data from 252 previous data breaches, including major incidents like the LinkedIn and MySpace breaches. It was organized alphabetically, making it easier to analyze trends in password usage and changes over time. This incident highlighted the severe risks of password reuse and the importance of strong cybersecurity practices for protecting personal and organizational data.

Breach #2: Collection-1

ComboList
Breach Date January 2019
Domain Not-Applicable
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 790,803,860
Industry Information Technology
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

In January 2019, the online world was shaken by the discovery of “Collection #1,” a massive data breach that exposed a staggering 2.7 billion email address and password combinations. This colossal compilation, discovered by security researchers, was not merely a random collection of data but a well-organized aggregation of breached credentials from numerous sources. Weighing in at over 87GB of data, Collection #1 was hosted on a popular cloud service, making it easily accessible to malicious actors.

This breach stood out for its sheer volume and the way it amalgamated data from over 2000 previous breaches, effectively creating a one-stop shop for cybercriminals. Unlike typical breaches that impact one organization, Collection #1 combined data from various sources, dramatically increasing the risk for individuals who reuse passwords across multiple platforms.

Breach #3: Verifications

Breach Date February 2019
Domain verifications.io
Exposed Data 📬 Email addresses, 📛 Names, 📅 Dates of birth, 🚹🚺 Genders, 🌍 Geographic locations, 📱 Phone numbers, 🏠 Physical addresses
Exposed Records 762,579,945
Industry Information Technology
Password Risk unknown
Searchable Yes
Sensitive No
Verified Yes

In February 2019, the cybersecurity world was rocked by one of the largest and most unique data breaches in history, involving the email validation service, Verifications.io. This breach was notable not for the exposure of passwords or sensitive financial information, but for leaking an enormous trove of over 763 million unique email addresses. What set this breach apart was its focus on email validation – a critical aspect of digital marketing and communication strategies.

Verifications.io’s database, inadvertently left unsecured and accessible to anyone, contained detailed information including not just email addresses but also phone numbers, physical addresses, and even personal financial details in some cases.

Breach #4: ExploitIN

ComboList
Breach Date October 2016
Domain exploit.in
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 592,919,058
Industry Information Technology
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified No

In a significant cyber incident that came to light in late 2016, the hacker forum Exploit.in found itself at the center of a massive data breach. This breach was particularly alarming due to the nature of the forum – a known hub for cybercriminal activities, including the buying and selling of stolen data, hacking tools, and zero-day exploits. The breach resulted in the exposure of over 800,000 user accounts, which included not just email addresses but also highly sensitive and encrypted passwords.

It also highlighted the risks associated with participating in illicit online forums. The exposed data provided a unique insight into the underworld of cybercrime, revealing not only user identities but also the dynamics of the cybercriminal community.

Breach #5: AntiPublicCombo

ComboList
Breach Date December 2016
Domain Not-Applicable
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 457,399,902
Industry Education
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified No

In a striking revelation during December 2016, the cyber world was confronted with the AntiPublic Combo List breach. This wasn’t just a typical data leak; it was a profound invasion of personal privacy, affecting over 457 million personal records. What made this breach deeply unsettling was its composition – a compilation of previous data leaks from various sources, all bundled into one massive list.

The AntiPublic Combo List highlighted the increasingly interconnected nature of data breaches. It wasn’t merely a technical failure, but a human-centric disaster. Real people, with their emails and passwords laid bare, found their digital lives exposed and vulnerable to exploitation. This breach was a poignant reminder of the cascading effects of cybersecurity lapses.

Breach #6: Alleged-SOCRadar

ComboList
Breach Date August 2024
Domain Not Applicable
Exposed Data 📧 Email addresses
Exposed Records 282,977,267
Industry Information Technology
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

SOCRadar, a well-known cyber threat intelligence platform trusted by organizations worldwide, found itself at the center of an unusual security incident in August 2024. A notorious threat actor called USDoD claimed to have scraped over 330 million email addresses from the platform. The irony was hard to miss: a company built to protect others from cyber threats had its own tools turned against it. USDoD, who had previously targeted the FBI’s InfraGard platform and leaked CrowdStrike data, initially tried to sell the 14GB dataset for $7,000. Within days, another actor named Dominatrix released it for free, exposing nearly 283 million unique email addresses to the public.

SOCRadar conducted a thorough investigation and confirmed that their internal systems were never actually breached. What happened was far more subtle. The threat actor had purchased legitimate access to SOCRadar’s Dark Web monitoring platform using a real company account. From there, they used the platform’s own capabilities to identify public Telegram channels and crawl them for email addresses that were already floating around in stealer logs and combolists. While the exposed data contained only email addresses and no passwords, the sheer volume creates real risks. Cybercriminals can use such massive lists to launch large-scale phishing campaigns and credential-stuffing attacks. This incident highlights an uncomfortable truth: even security tools designed to protect can become weapons when they fall into the wrong hands.

Breach #7: Wattpad

Breach Date June 2020
Domain wattpad.com
Exposed Data 📛 Names, 👤 Usernames, 📅 Dates of birth, 🔑 Passwords, 🌐 IP addresses, 🚹🚺 Genders, 🌐 Social media profiles, 🌍 Geographic locations
Exposed Records 268,113,400
Industry Entertainment
Password Risk 🛡️ Secure
Searchable Yes
Sensitive No
Verified Yes

In June 2020, Wattpad, a popular online platform for writers to publish new user-generated stories, faced a significant data breach that impacted millions of its users. This breach was not just about the numbers — over 270 million user accounts were affected — but about the personal narratives and creative expressions that were compromised. Wattpad was more than just a website; it was a vibrant community where individuals shared their most intimate stories and ideas. The breach exposed user names, email addresses, and hashed passwords, but the true impact was much deeper.

For many Wattpad users, the platform was a safe haven, a place to express themselves without fear. The breach shattered this sense of security, leaving users feeling vulnerable and exposed. It was a harsh reminder of the fragility of digital spaces, even those that feel like close-knit communities.

Breach #8: Deezer

Breach Date April 2019
Domain deezer.com
Exposed Data 👤 Usernames, 📛 Names, 📬 Email addresses, 📅 Dates of birth
Exposed Records 244,007,616
Industry Music
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

In the world of digital music streaming, the Deezer breach in 2019 struck a particularly discordant note. Deezer, known for its vast library of songs and personalized playlists, experienced a data breach that compromised the personal details of millions of its users. This breach was not just a technical glitch in a system; it was an intrusion into the personal musical worlds of individuals who relied on Deezer to soundtrack their lives.

The compromised data included email addresses, usernames, and hashed passwords. For many, Deezer was more than just a platform to stream music; it was a personal archive of musical preferences, memories, and moments. This breach did more than expose user data; it disrupted the personal connection users had with their music, casting a shadow of vulnerability over what many considered a safe, personal space.

Breach #9: NetEase

Breach Date October 2015
Domain 163.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 232,857,074
Industry Information Technology
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive Yes
Verified No

In October 2015, NetEase, a prominent Chinese internet technology company, experienced a significant data breach that impacted millions of its users. This breach was more than just an unfortunate cybersecurity incident; it was a stark intrusion into the digital lives of a vast user base that relied on NetEase for a variety of online services, including email and gaming.

The breach resulted in the exposure of over 235 million user accounts, including email addresses, usernames, and passwords. For many of NetEase’s users, this breach was not merely a loss of data but a violation of their digital identities. NetEase’s platforms are integral to the daily digital interactions of its users, and the breach disrupted this routine, creating a ripple effect of vulnerability and mistrust.

Breach #10: Cit0day

ComboList
Breach Date November 2020
Domain cit0day.in
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 226,803,683
Industry Information Technology
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified No

The Cit0Day breach, unfolding in September 2020, marked a concerning trend in cyber incidents involving massive data leaks. Cit0Day, a website notorious for collecting and selling access to breached data, became the victim of its own game when its entire database was leaked online. This ironic twist in the tale of cyber vulnerabilities exposed a staggering amount of data – including millions of personal records from various sources.

This breach was not just about the sheer volume of data leaked; it was about the layered complexities of data breaches in the cyber world. Cit0Day had been aggregating data from numerous smaller breaches, creating a vast repository of personal information. When this repository was leaked, it underscored the multiplying effect of data breaches, where one platform’s compromise could lead to widespread repercussions across the internet.

Breach #11: Twitter-Scraped

Breach Date January 2021
Domain twitter.com
Exposed Data 👤 Usernames, 📬 Email addresses, 📛 Names, 🌍 Geographic locations, 📷 Profile photos, 📱 Phone numbers
Exposed Records 208,918,735
Industry Information Technology
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The Twitter-Scraped breach, an alarming cyber incident that occurred in 2020, brought to light significant security vulnerabilities within one of the world’s most influential social media platforms. This breach wasn’t just a technical lapse; it represented a significant threat to the digital discourse and public opinion shaping that Twitter is known for. High-profile accounts, including those of celebrities, politicians, and business leaders, were compromised, demonstrating the potential for widespread misinformation and manipulation.

This breach involved sophisticated social engineering tactics, where attackers gained access to Twitter’s internal systems and tools. They hijacked prominent accounts to execute a cryptocurrency scam, but the implications were far-reaching, raising concerns about the security of online identities and the potential for more damaging exploits. The Twitter-Scraped incident was a jarring reminder of the fragility of digital platforms and the potential consequences when they are compromised.

Breach #12: Zynga

Breach Date September 2019
Domain zynga.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords, 📱 Phone numbers
Exposed Records 172,817,913
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Zynga breach, which came to light in September 2019, marked a significant moment in mobile application security. Zynga, a powerhouse in the world of mobile gaming with popular titles like Words With Friends and Draw Something, faced a massive data breach impacting over 200 million users. This incident exposed a wide array of personal information, including names, email addresses, login IDs, and hashed passwords.

This breach was particularly impactful due to Zynga’s popularity and the casual, often security-lax nature of mobile game users. It brought to the forefront the vulnerabilities in mobile app data security and the importance of protecting user data in even the most seemingly innocuous of digital spaces. The Zynga breach was a wake-up call to the gaming industry and app developers worldwide, emphasizing the need for stringent security measures and responsible data handling practices.

Breach #13: AdultFriendFinder

Breach Date October 2016
Domain adultfriendfinder.com
Exposed Data 📬 Email addresses, 👤 Usernames, 📛 Names, 💕 Sexual preferences, 🚹🚺 Genders, 🌍 Geographic locations, 🌐 IP addresses, 📅 Dates of birth
Exposed Records 169,745,941
Industry Entertainment
Password Risk 🔍 Assessment Needed
Searchable No
Sensitive Yes
Verified Yes

The AdultFriendFinder breach, one of the largest of its kind, was revealed in November 2016 and had a profound impact on personal privacy. The breach affected more than 412 million accounts, making it one of the most significant data security incidents ever recorded. AdultFriendFinder, a site known for adult dating and entertainment services, saw the exposure of highly sensitive personal information, including email addresses, passwords, and in some cases, private sexual preferences and intentions.

This breach was not just a violation of digital security; it was an unprecedented invasion of personal and intimate details of millions of individuals. The AdultFriendFinder incident served as a stark reminder of the risks associated with entrusting personal and sensitive information to online platforms.

Breach #14: Dubsmash

Breach Date December 2018
Domain dubsmash.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 161,835,382
Industry Entertainment
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

The Dubsmash breach, which emerged in December 2018, represented a significant security setback for social media applications. Dubsmash, a popular video messaging app known for its lip-syncing features, experienced a massive data breach impacting over 162 million user accounts. This incident exposed a wide range of personal data, including email addresses, usernames, and hashed passwords, along with other personal details.

The breach’s impact was amplified by the app’s young and active user base, highlighting the vulnerability of social media platforms to cyber-attacks and the potential risks to user privacy. This incident was particularly concerning due to the personal nature of the content shared on the app – videos often featuring users in personal or humorous moments.

Breach #15: LinkedIn

Breach Date May 2012
Domain linkedin.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 160,042,644
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The LinkedIn breach, which surfaced in 2012, marked a critical moment in the realm of professional network security. LinkedIn, the world’s largest professional networking platform, faced a massive data breach that compromised the passwords of over 6.5 million users. The breach gained notoriety not only for the number of affected accounts but also for the platform’s prominence in professional circles.

This breach was particularly significant due to LinkedIn’s role as a hub for professional networking and career development. The exposed data included encrypted passwords, which were later cracked and made available on various online platforms.

Breach #16: Adobe

Breach Date October 2013
Domain adobe.com
Exposed Data 👤 Usernames, 🔑 Passwords, 📬 Email addresses
Exposed Records 152,403,035
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Adobe breach, which came to light in October 2013, was a significant disruption in the digital creative industry. Adobe, known for its extensive suite of creative software, including Photoshop, Illustrator, and Acrobat, experienced a massive security breach that compromised the data of approximately 153 million user accounts. The breach involved the exposure of user names, email addresses, encrypted passwords, and information related to customer orders.

This incident was particularly alarming given Adobe’s position as a leading software provider for professionals in creative fields.

Breach #17: MyFitnessPal

Breach Date February 2018
Domain myfitnesspal.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords, 🌐 IP addresses
Exposed Records 143,570,814
Industry Health Care
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The MyFitnessPal breach, which became public in March 2018, posed a critical challenge in the realm of health and fitness app security. MyFitnessPal, a popular fitness tracking and diet monitoring app owned by Under Armour, experienced a significant data breach affecting approximately 150 million users. The breach exposed a wide array of user information, including usernames, email addresses, and hashed passwords.

This incident was particularly impactful due to MyFitnessPal’s role in the daily health routines of millions. Users rely on the app not just for tracking physical activity and dietary intake, but also as a motivational tool for maintaining a healthy lifestyle.

Breach #18: Canva

Breach Date May 2019
Domain canva.com
Exposed Data 📬 Email addresses, 📛 Names, 👤 Usernames
Exposed Records 137,504,762
Industry Information Technology
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The Canva breach, which occurred in May 2019, represented a significant challenge in the realm of online design and multimedia platforms. Canva, an Australian graphic design tool website, became the target of a cyberattack that compromised the data of nearly 139 million users. The breach involved unauthorized access to a variety of user data including usernames, email addresses, and encrypted passwords. In some cases, details from user profiles and geographic information were also exposed.

This incident was particularly notable given Canva’s popularity among both professional designers and casual users for creating graphics, presentations, and other visual content.

Breach #19: DemandScience

Breach Date February 2024
Domain demandscience.com
Exposed Data 📧 Email addresses, 📛 Names, 🏠 Physical addresses, 📞 Phone numbers, 🌐 Social media profiles
Exposed Records 121,865,345
Industry Information Technology
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

DemandScience, formerly known as Pure Incubation, is a B2B demand generation company that aggregates business contact information for marketing purposes. In February 2024, a threat actor named KryptonZambie put up a massive dataset for sale on a hacking forum. The company initially denied any breach. They claimed their systems were fully operational and found no evidence of compromise. But the truth eventually surfaced. DemandScience finally admitted the breach, revealing that the data came from a legacy system that had been decommissioned for nearly two years. By August 2024, the dataset was made available for just a few dollars, essentially leaking it for free.

The breach exposed 122 million unique corporate email addresses along with names, physical addresses, phone numbers, job titles, employer information, and LinkedIn profile links. This was not consumer data. It was professional information aggregated from public sources and used for B2B marketing.

Breach #20: Pemiblanc

ComboList
Breach Date April 2018
Domain pemiblanc.com
Exposed Data 📧 Email addresses, 🔑 Passwords
Exposed Records 114,015,423
Industry Miscellaneous
Password Risk ⚠️ Plaintext
Searchable Yes
Sensitive No
Verified No

Pemiblanc is a massive credential stuffing list discovered on a French web server in April 2018. It contained 111 million email address and password pairs stored in plaintext. The list was organized in a folder called “USA” with several files, though the email domains suggest the data actually came from users all over the world. This was not a single breach from one company. Instead, it was a compilation cobbled together from multiple different data breaches over time.

Credential stuffing lists like Pemiblanc serve a specific purpose for attackers. They use automated tools to try these email and password combinations across various online services, hoping users have reused the same credentials elsewhere. The Pemiblanc list contained 6.8 million email addresses that had never appeared in any known breach before, making it a valuable addition to understanding the scope of exposed credentials. With over 114 million records and passwords in plaintext, this list remains one of the larger credential compilations to surface publicly.

Breach #21: Badoo

Breach Date June 2013
Domain badoo.com
Exposed Data 📛 Names, 👤 Usernames, 🔑 Passwords, 📬 Email addresses, 📅 Dates of birth
Exposed Records 112,083,678
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable No
Sensitive Yes
Verified No

The Badoo breach, surfacing in 2019, marked a significant moment in the security landscape of online dating platforms. Badoo, a well-known dating-focused social network, experienced a data breach that impacted the privacy of millions of its users. The breach exposed a range of personal information, including names, email addresses, dates of birth, location data, and website activity.

This breach was particularly sensitive due to the nature of Badoo’s service. As a platform for personal and romantic connections, the exposure of user data was not just a privacy violation but also a potential threat to personal safety.

Breach #22: 1Win

Breach Date November 2024
Domain 1win.com
Exposed Data 📧 Email addresses, 📅 Dates of birth, 🔑 Passwords, 📞 Phone numbers, 🌐 IP addresses, 🌍 Geographic locations
Exposed Records 96,394,096
Industry Entertainment
Password Risk 🛡️ Hard to crack
Searchable Yes
Sensitive No
Verified Yes

1Win, a popular online betting platform, suffered a massive data breach in November 2024 that exposed 96 million user records. The breach first came to light when a hacker using the alias “fe0dor” uploaded the stolen database to a hacking forum. That same day, an official 1Win Telegram channel, reportedly managed by the company’s CEO, confirmed the incident and acknowledged that approximately 100 million users were affected. The leaked data totaled 28GB and came from multiple internal tables, including user databases and affiliate partner records containing over 418 million entries.

The breach exposed email addresses, phone numbers, IP addresses, dates of birth, geographic locations, and SHA-256 hashed passwords. Investigators believe the attackers gained access through misconfigured ElasticSearch and ClickHouse analytics clusters that were left exposed without authentication. Once inside, they reportedly escalated privileges using legacy service accounts that still had write access to production backups.

Breach #23: MyHeritage

Breach Date October 2017
Domain myheritage.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 91,997,033
Industry Miscellaneous
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The MyHeritage breach, disclosed in June 2018, represented a significant incident in the security of genealogical and familial history data. MyHeritage, a platform offering services like DNA analysis and family tree tracking, reported a breach affecting over 92 million users. This breach involved the exposure of email addresses and hashed passwords of users who had signed up to the site up to October 2017.

This incident was particularly concerning due to the nature of MyHeritage’s services. Users of genealogical platforms often share sensitive personal and family history information, expecting high levels of confidentiality and security.

Breach #24: Youku

Breach Date December 2016
Domain youku.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 91,891,665
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Youku breach, which came to public attention in 2016, highlighted a significant vulnerability in the realm of digital entertainment and streaming services. Youku, often referred to as the “Chinese YouTube”, is a leading video hosting and streaming platform in China. The breach compromised the data of over 100 million users, including usernames, email addresses, and encrypted passwords.

This breach was particularly significant due to Youku’s vast user base and its status as a primary source of entertainment content in China.

Breach #25: VK

Breach Date January 2012
Domain vk.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 90,679,566
Industry Entertainment
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

The VK breach, which became widely known in June 2016, was a significant event in the landscape of social networking security. VKontakte (VK), often referred to as Russia’s answer to Facebook, is one of the largest social networks in Europe, particularly popular in Russia and neighboring countries. The breach compromised the security of nearly 100 million user accounts, involving the exposure of personal details such as names, email addresses, and plaintext passwords.

This breach was especially alarming due to VK’s status as a major social networking platform, where users share a wealth of personal information, communicate privately, and form social and professional networks. The leak of plaintext passwords was particularly concerning, as it posed an immediate risk of unauthorized account access and potential misuse of personal information.

Breach #26: Dailymotion

Breach Date October 2016
Domain dailymotion.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 85,277,547
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Dailymotion breach, which came to light in December 2016, was a significant setback in the security of online video platforms. Dailymotion, a popular video-sharing website akin to YouTube, experienced a data breach affecting more than 85 million user accounts. The compromised data included email addresses, usernames, and hashed passwords.

This breach was particularly impactful due to Dailymotion’s status as a major platform for sharing and viewing videos across the world. The exposure of user data raised serious concerns about the security practices of video platforms, especially those hosting large volumes of user-generated content.

Breach #27: JD

Breach Date January 2013
Domain jd.com
Exposed Data 📛 Names, 📧 Email addresses, 🏠 Physical addresses, 🪪 Government IDs, 📞 Phone numbers
Exposed Records 78,171,293
Industry Retail
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

JD.com, also known as Jingdong, is one of China’s largest e-commerce platforms, often compared to Amazon. With revenue exceeding $150 billion and over 620,000 employees, it operates across retail, logistics, technology, and healthcare sectors. In 2013, the platform suffered a significant data breach that exposed 78 million user records. The breach remained relatively unknown until 2016 when the data surfaced publicly. JD attributed the incident to a security vulnerability in Apache Struts 2, an open-source web application framework widely used by internet companies at the time.

The exposed data included email addresses, passwords, phone numbers, usernames, and for some users, government-issued ID numbers. JD publicly apologized for the breach and stated they had enhanced their security measures to prevent future incidents. The sheer scale of this breach made it one of the largest e-commerce data exposures in China’s history.

Breach #28: Nitro

Breach Date September 2020
Domain gonitro.com
Exposed Data 📛 Names, 🔑 Passwords, 📬 Email addresses
Exposed Records 77,165,608
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Nitro breach, which emerged in October 2020, was a notable incident in the realm of document management and PDF software services. Nitro Software, Inc., known for its Nitro PDF Reader and Nitro Cloud services, faced a breach that potentially impacted millions of user data records. The breach exposed user data including email addresses, full names, bcrypt-hashed passwords, titles, company names, and IP addresses.

This breach was significant due to Nitro’s widespread use in both individual and corporate contexts for creating, editing, and sharing PDF documents.

Breach #29: Luxottica

Breach Date March 2021
Domain luxottica.com
Exposed Data 📛 Names, 🏠 Physical addresses, 📬 Email addresses, 📱 Phone numbers
Exposed Records 74,411,022
Industry Retail
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The Luxottica breach, a critical security incident that unfolded in the latter half of 2020, marked a disruptive moment in the retail and eyewear industry. Luxottica, the world’s largest eyewear company, owner of brands like Ray-Ban and Oakley, and operator of EyeMed, Sunglass Hut, and other retail outlets, faced a significant data breach. This breach led to the exposure of personal and prescription information of customers, along with other sensitive data.

Luxottica’s incident was more than just a loss of data; it was a breach of trust between the company and its vast clientele who depend on it for their eyewear needs. The exposure of prescription details, in particular, added a layer of concern due to the sensitive nature of personal health information involved.

Breach #30: Tumblr

Breach Date January 2013
Domain tumblr.com
Exposed Data 📧 Email addresses, 🔑 Passwords
Exposed Records 73,524,878
Industry Entertainment
Password Risk ⚠️ Easy to crack
Searchable Yes
Sensitive No
Verified Yes

Tumblr, the popular microblogging and social networking platform, suffered a data breach in early 2013 that remained hidden for over three years. The company only disclosed the incident in May 2016 after the stolen data surfaced on underground forums. Over 65 million unique email addresses and passwords were compromised. The breach occurred before Yahoo acquired Tumblr, and at the time of discovery, it ranked as one of the largest data breaches ever recorded, sitting behind only LinkedIn and Adobe in terms of scale.

The stolen data was put up for sale on a darknet marketplace called The Real Deal by a hacker known as “Peace,” the same individual behind the sale of stolen LinkedIn, Fling, and MySpace credentials.

Breach #31: Tokopedia

Breach Date April 2020
Domain tokopedia.com
Exposed Data 📬 Email addresses, 📛 Names, 📅 Dates of birth, 🚹🚺 Genders, 🔑 Passwords
Exposed Records 71,443,767
Industry Retail
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In May 2020, Tokopedia, one of Indonesia’s largest e-commerce platforms, faced a severe security breach that shook the foundations of online retail security. This breach resulted in the data of over 91 million users being compromised. The leaked information included names, emails, hashed passwords, and other personal user details.

Tokopedia’s breach was not just a technical failure; it was a breach of the implicit trust millions of users placed in the platform for their online shopping needs. Given the platform’s prominence in Indonesia’s burgeoning e-commerce sector, the breach had significant implications for consumer confidence in online shopping security. 

Breach #32: Naz.API

ComboList
Breach Date September 2023
Domain Not Applicable
Exposed Data 📧 Email addresses, 🔑 Passwords
Exposed Records 71,064,705
Industry Miscellaneous
Password Risk ⚠️ Plaintext
Searchable Yes
Sensitive No
Verified Yes

Naz.API is a massive credential stuffing dataset that surfaced on a popular hacking forum in September 2023. It contained over 100GB of data spread across 319 files. The collection included 71 million unique email addresses and 100 million unique passwords, totaling more than 343 million individual records. Each record typically contained an email address, a plaintext password, and the URL of the service where the credentials were used. The dataset gained notoriety after it was used to power an OSINT platform called illicit.services, which allowed anyone to search through stolen personal information. That service shut down in July 2023 amid concerns it was being used for doxxing and SIM-swapping attacks.

 

Breach #33: Dropbox

Breach Date July 2012
Domain dropbox.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 68,760,320
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

Dropbox, a leader in cloud storage and file synchronization services, faced a significant security challenge when it suffered a data breach in 2012. This incident led to the exposure of email addresses and passwords of nearly 68 million users. The breach was a result of hackers exploiting a Dropbox employee’s stolen password, which provided them access to a document containing user email addresses and hashed passwords.

The breach at Dropbox was more than a mere leak of user credentials; it represented a crucial vulnerability in the safeguarding of digital assets in the cloud. Because Dropbox is a repository of personal and professional documents for millions, the breach raised serious concerns about the safety of cloud storage services and the potential risks of storing sensitive data online.

Breach #34: ModernBusinessSolutions

Breach Date October 2016
Domain modbsolutions.com
Exposed Data 📬 Email addresses, 🚹🚺 Genders, 🏠 Physical addresses, 📛 Names, 🌐 IP addresses, 📅 Dates of birth
Exposed Records 58,843,480
Industry Information Technology
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The breach at Modern Business Solutions, a data management and storage firm, in October 2016, marked a significant episode in the realm of corporate data security. This breach resulted in the exposure of over 58 million records, including personal information like names, email addresses, job titles, and even vehicle data. The incident occurred due to a misconfigured MongoDB database, which left the data unprotected and accessible on the internet.

Breach #35: Evite

Breach Date April 2019
Domain evite.com
Exposed Data 📛 Names, 🔑 Passwords, 📧 Email addresses, 📅 Dates of birth, 📞 Phone numbers, 🏠 Physical addresses
Exposed Records 58,773,935
Industry Miscellaneous
Password Risk ⚠️ Plaintext
Searchable Yes
Sensitive No
Verified Yes

Evite, the popular online invitation and social planning service, disclosed a data breach in May 2019 after discovering unauthorized access to their servers. The intrusion began on February 22, 2019, and was traced back to a hacker known as “Gnosticplayers.” The attacker gained access to an inactive database archive dating back to 2013. By April 15, 2019, nearly 10 million Evite user records appeared for sale on the Dream Market darknet marketplace. The total breach ultimately affected over 100 million unique email addresses, though the majority belonged to invitation recipients rather than registered members.

The exposed data included names, email addresses, phone numbers, physical addresses, dates of birth, genders, and passwords stored in plaintext. No financial information or social security numbers were compromised.

Breach #36: Apollo

Breach Date July 2018
Domain apollo.io
Exposed Data 📛 Names, 📧 Email addresses, 📞 Phone numbers, 🌍 Geographic locations, 🌐 Social media profiles
Exposed Records 56,478,358
Industry Information Technology
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Apollo, a sales engagement and intelligence startup, left a massive database publicly exposed without a password in July 2018. Security researcher Vinny Troia discovered the breach and initially thought it was a LinkedIn leak due to the sheer volume and detail of the data. The exposed database contained 212 million contact listings and 9 billion data points related to companies and organizations. Apollo had aggregated this information from various sources including public profiles, LinkedIn, Twitter, and data imported by their own clients. The company reported the incident to law enforcement on July 23, 2018.

 

The breach exposed names, email addresses, phone numbers, employers, job titles, and geographic locations. No passwords, social security numbers, or financial data were included. Over 125 million unique email addresses were affected. Apollo claimed most of the data came from publicly available sources, but the incident raised serious concerns about data aggregation practices.

Breach #37: Acxiom

ComboList
Breach Date June 2020
Domain Not-Applicable
Exposed Data 📛 Names, 📬 Email addresses, 📱 Phone numbers, 🌐 IP addresses, 🏠 Physical addresses
Exposed Records 51,681,368
Industry Miscellaneous
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified No

A dataset consisting of nearly a quarter of a billion records spanning over 400 different fields was initially and wrongly attributed to the database marketing company Acxiom. The data, which was being circulated within hacking communities, led to claims of a breach at Acxiom. However, upon inspection, Acxiom confirmed that “the claims are indeed false” and the data, which was available across various platforms, did not originate from Acxiom. This data contained almost 52M unique email addresses.

Breach #38: Imesh

Breach Date September 2013
Domain imesh.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 👤 Usernames, 🌐 IP addresses
Exposed Records 49,594,661
Industry Music
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The iMesh breach, which came to public attention in 2016, was a significant event in the realm of peer-to-peer (P2P) file sharing and social networking. iMesh, once a popular P2P file sharing service, experienced a breach that resulted in the exposure of approximately 50 million user accounts. The compromised data included usernames, passwords, email addresses, and in some cases, IP addresses and physical locations.

This breach was particularly notable due to the nature of iMesh as a file-sharing platform. Users of iMesh not only shared music and video files but also engaged in social networking through the service. The breach raised serious concerns about the security practices of P2P networks, where personal and often sensitive data is frequently exchanged.

Breach #39: ATT-Speculated

ComboList
Breach Date August 2021
Domain Not applicable
Exposed Data 📧 Email addresses, 📅 Dates of birth, 📛 Names, 📞 Phone numbers, 🏠 Physical addresses
Exposed Records 49,102,843
Industry Telecommunication
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

AT&T, one of the largest telecommunications companies in the United States, became the subject of a disputed data breach in August 2021. A hacking group called ShinyHunters claimed to have stolen data on 70 million AT&T customers and put it up for sale on a cybercrime forum. The asking price was $1 million for the entire database or $200,000 for partial access. AT&T denied the data came from their systems. The company maintained this position for nearly three years, stating there was no evidence of a breach in their infrastructure.

The situation changed in March 2024 when a hacker named MajorNelson released a 5GB archive containing the same data for free. The dump included names, email addresses, phone numbers, dates of birth, physical addresses, and in some cases Social Security numbers. AT&T finally confirmed that 73 million current and former customers were affected.

Breach #40: Netlog

Breach Date November 2012
Domain netlog.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 49,026,690
Industry Entertainment
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

The Netlog breach, which became known in 2018, marked a significant security incident in the world of social networking. Netlog, once a popular social networking platform based in Belgium, especially among European youth, experienced a data breach that compromised the personal information of over 49 million users. The exposed data included usernames, email addresses, passwords, and, in some cases, additional personal details like gender, birth dates, and geographic locations.

This breach was significant due to Netlog’s position as a social networking site where young people connected and shared personal experiences. The exposure of such a large amount of personal data not only breached user privacy but also posed risks of identity theft and phishing attacks targeting vulnerable users.

Breach #41: Houzz

Breach Date May 2018
Domain houzz.com
Exposed Data 👤 Usernames, 📬 Email addresses, 🌍 Geographic locations, 🌐 IP addresses, 📛 Names, 🌐 Social media profiles
Exposed Records 48,851,647
Industry Retail
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The Houzz breach, which came to light in early 2019, was a notable security incident in the online home design and renovation industry. Houzz, a popular platform for home remodeling and design, offering a unique mix of content, community, and commerce, experienced a data breach that affected millions of its users. The compromised information included user names, email addresses, city, state, country, profile descriptions, and, in some cases, encrypted passwords.

This breach was significant for several reasons. Houzz is not just a shopping platform but also a community where people share ideas, experiences, and personal tastes in home design and renovation.

Breach #42: SpecialKDataFeedSpamList

ComboList
Breach Date June 2015
Domain data4marketers.com
Exposed Data 📧 Email addresses, 📛 Names, 🏠 Physical addresses, 🌐 IP addresses, 📅 Dates of birth
Exposed Records 45,084,900
Industry Miscellaneous
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Special K Data Feed Spam List is a large collection of personal data discovered in mid-2015. The list was associated with the domain data4marketers.com and contained over 45 million records. Unlike typical data breaches that target a single company, this was a spam list compiled for marketing and potentially malicious purposes. The data was added to breach notification services in November 2016 after it was discovered circulating online.

The exposed information included email addresses, names, physical addresses, IP addresses, genders, dates of birth, and phone numbers. No passwords were part of this leak.

Breach #43: Edmodo

Breach Date May 2017
Domain edmodo.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 43,415,654
Industry Music
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Edmodo breach, which came into the spotlight in May 2017, was a significant event in the realm of educational technology and digital learning platforms. Edmodo, a widely used educational platform that connects teachers, students, and parents, experienced a data breach compromising the information of nearly 77 million users. The leaked data included usernames, email addresses, and hashed passwords.

This breach was particularly concerning due to the nature of Edmodo’s user base – primarily educators and school-aged students. The platform is utilized for a range of educational purposes, from homework assignments to classroom discussions, making it a repository of not only personal information but also of sensitive educational data.

Breach #44: PiZap

Breach Date December 2017
Domain pizap.com
Exposed Data 📬 Email addresses, 🚹🚺 Genders, 📛 Names, 🌍 Geographic locations, 🌐 Social media profiles
Exposed Records 41,779,112
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The online photo editing platform, piZap, faced a security breach in December 2017. Later, in February 2019, this compromised data appeared for sale on a dark web marketplace alongside other datasets. This breach exposed 42 million unique email addresses, as well as names, genders, and links to Facebook profiles for those who authenticated through Facebook. Furthermore, for accounts on piZap created without Facebook’s authentication, passwords stored as SHA-1 hashes were also disclosed.

Breach #45: ShareThis

Breach Date July 2018
Domain sharethis.com
Exposed Data 📛 Names, 👤 Usernames, 📬 Email addresses, 🔑 Passwords
Exposed Records 40,952,354
Industry Information Technology
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

ShareThis, a widely used social bookmarking and sharing service, suffered a substantial data breach in 2018 leading to the leakage of user information. Exposed data included essential details like email addresses, hashed passwords, and in some instances, usernames.

 

Breach #46: Fling

Breach Date March 2011
Domain fling.com
Exposed Data 👤 Usernames, 🔑 Passwords, 🌍 Geographic locations, 🌐 IP addresses, 🚹🚺 Genders, 📅 Dates of birth, 💕 Sexual preferences
Exposed Records 40,743,414
Industry Miscellaneous
Password Risk ⚠️ Weak Security
Searchable No
Sensitive Yes
Verified Yes

The Fling data breach, which was publicly revealed in 2016, was a significant event in the realm of online dating and adult content. Fling, a website known for adult dating and casual hookup services, suffered a breach that led to the exposure of personal information for millions of its users. The exposed data included email addresses, usernames, passwords, birthdates, and sexual preferences.

This breach was notable not just for the volume of data exposed, but also for the nature of the content and the potential implications for the privacy and personal lives of the users. Given the adult-oriented services of Fling, the breach raised serious concerns about personal privacy and the risks associated with the exposure of sensitive and intimate information.

Breach #47: Chegg

Breach Date April 2018
Domain chegg.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 39,736,948
Industry Education
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Chegg data breach, revealed in September 2018, was a significant security incident in the field of educational technology. Chegg, a widely used educational technology company offering textbook rentals, homework help, online tutoring, and other student services, reported a data breach that affected approximately 40 million users. The breached information included names, email addresses, shipping addresses, and hashed passwords. For some users, it also included data such as date of birth and the last four digits of their social security number.

This breach was particularly concerning due to Chegg’s large user base, primarily composed of students. The compromised information posed risks such as identity theft, phishing attacks, and other forms of fraud. Additionally, for students who rely on Chegg’s services for their academic pursuits, the breach was a significant intrusion into their personal and academic lives.

Breach #48: Last.fm

Breach Date March 2012
Domain last.fm
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 37,240,736
Industry Music
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Last.fm breach, which was publicly disclosed in 2012, represented a significant security incident in the realm of online music services. Last.fm, a popular music streaming and recommendation service, experienced a data breach that resulted in the exposure of over 43 million user accounts. The compromised data included usernames, email addresses, and passwords.

This breach was particularly impactful due to Last.fm’s role in the daily lives of music enthusiasts. The platform not only provided music streaming but also personalized music recommendations, creating a tailored experience for users based on their listening habits. The breach of user data, including passwords, raised concerns not only about the security of personal information but also about the potential unauthorized access to users’ music preferences and listening histories.

Breach #49: Poshmark

Breach Date May 2018
Domain poshmark.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 36,758,793
Industry Retail
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Poshmark breach, revealed in August 2019, was a notable incident in the world of online retail and fashion platforms. Poshmark, a popular social commerce marketplace for buying and selling fashion items, experienced a data breach that impacted a large number of users. The compromised data included full names, usernames, email addresses, gender, city, and clothing size preferences. Importantly, the breach did not involve any financial or password data.

This breach was significant because Poshmark is more than just a sales platform; it’s a community where users often develop personal connections based on style and fashion preferences. The exposure of personal details like clothing sizes and city locations, along with names and email addresses, made this breach particularly sensitive due to the personal nature of the shopping experience on Poshmark.

Breach #50: NeimanMarcus

Breach Date May 2024
Domain neimanmarcus.com
Exposed Data 📧 Email addresses, 📛 Names, 🌐 IP addresses, 📞 Phone numbers, 🏠 Physical addresses, 💳 Partial credit card data
Exposed Records 30,409,093
Industry Retail
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Neiman Marcus, the American luxury department store chain, confirmed a data breach in May 2024 after hackers gained unauthorized access to their Snowflake cloud database. The intrusion began around April 14, 2024, and went undetected until May 24. This breach was part of a larger campaign by a threat actor known as UNC5537, who targeted at least 165 organizations using stolen credentials to access Snowflake accounts that lacked multi-factor authentication. Other companies affected in this wave of attacks included Ticketmaster, Santander, Pure Storage, and Advance Auto Parts.

The company initially reported to regulators that only 64,472 people were affected. However, analysis of the stolen data revealed over 31 million unique email addresses. The exposed information included names, phone numbers, dates of birth, physical addresses, and partial credit card numbers. Gift card information, transaction data, and in some cases Social Security numbers and employee identification numbers were also compromised.

Breach #51: Tianya

Breach Date December 2011
Domain tianya.cn
Exposed Data 📛 Names, 👤 Usernames, 📬 Email addresses
Exposed Records 28,936,872
Industry News Media
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The Tianya breach, which came to public attention in 2011, was a significant security event in the realm of online forums and social networking in China. Tianya, one of China’s largest online community platforms, experienced a data breach that compromised the personal information of approximately 28 million users. This incident involved the exposure of user IDs, usernames, passwords, and email addresses.

This breach was notable due to Tianya’s popularity and its role as a major forum for public discussion and social interaction in China. The platform serves not just as a space for social networking, but also as a significant forum for public discourse, making the breach particularly concerning in terms of privacy and the potential for misuse of user information.

Breach #52: HauteLook

Breach Date August 2018
Domain hautelook.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 📛 Names, 🌍 Geographic locations, 📅 Dates of birth, 🚹🚺 Genders
Exposed Records 28,509,466
Industry Retail
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

HauteLook, an online shopping website, suffered a data breach in 2018 exposing more than 28 million users. The compromised data included passwords, email addresses, dates of birth, genders, geographic locations, and names of the users.

Breach #53: MindJolt

Breach Date March 2019
Domain mindjolt.com
Exposed Data 📬 Email addresses, 📛 Names, 📅 Dates of birth
Exposed Records 28,364,844
Industry Entertainment
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

MindJolt, a popular social gaming platform, suffered a data breach in 2019 that exposed the personal information of over 28 million users.

Breach #54: Taringa

Breach Date August 2017
Domain taringa.net
Exposed Data 👤 Usernames, 📬 Email addresses, 🔑 Passwords
Exposed Records 28,001,047
Industry Non-Profit/Charities
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Taringa breach, which came to light in 2017, was a significant security incident in the social networking domain, particularly affecting the Latin American online community. Taringa, often referred to as the “Latin American Reddit,” is a popular social networking site in Spanish-speaking countries. The breach led to the exposure of almost 28 million user accounts. Compromised data included usernames, email addresses, and hashed passwords.

This breach was particularly impactful due to Taringa’s large user base and its status as a key platform for online discussions, content sharing, and community building in the Spanish-speaking world. The exposure of such a large amount of user data not only breached privacy but also raised concerns about potential identity theft and phishing attacks targeting users.

Breach #55: BureauvanDijk

Breach Date August 2021
Domain bvdinfo.com
Exposed Data 📧 Email addresses, 📛 Names, 🏠 Physical addresses, 📞 Phone numbers, 📅 Dates of birth
Exposed Records 27,916,711
Industry Retail
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Bureau van Dijk, a Moody’s Analytics company specializing in private company data and business intelligence, had hundreds of gigabytes of data from its Orbis product published on a hacking forum in August 2021. Orbis is their flagship database containing comprehensive information on corporations and individuals worldwide. The breach exposed data originally compiled from public sources. In September 2021, hackers put the database up for sale on an underground forum and later confirmed its authenticity. The dataset totaled 462GB of business information.

The exposed data included 28 million unique email addresses along with names, dates of birth, physical addresses, phone numbers, and job titles. Bureau van Dijk clarified that there was no unauthorized access to their internal systems. The breach did not directly expose client data from BvD or Moody’s. Instead, the data originated from a customer’s use of the Orbis product.

Breach #56: Shein

Breach Date June 2018
Domain shein.com
Exposed Data 📧 Email addresses, 🔑 Passwords
Exposed Records 27,718,171
Industry Retail
Password Risk ⚠️ Plaintext
Searchable Yes
Sensitive No
Verified Yes

SHEIN, the global fast-fashion e-commerce giant, suffered a data breach in June 2018 when hackers gained unauthorized access to their payment systems. The breach was discovered after SHEIN’s payment processor was contacted by a credit card network that found customer payment details for sale on a hacking forum. Zoetop, the parent company that owns both SHEIN and ROMWE, had 39 million SHEIN accounts and 7 million ROMWE accounts compromised in the attack. The stolen data included email addresses, names, and passwords hashed using MD5, an algorithm already known to be weak at the time. Some credit card information was also exposed after the company misconfigured its systems to store payment data in plain text within debug log files.

Zoetop’s response to the breach drew significant criticism. The company initially claimed only 6.42 million customers were affected. In reality, over 32.5 million account holders were never notified that their credentials had been stolen. Passwords were not reset and accounts were left unprotected. In 2022, the New York Attorney General fined Zoetop $1.9 million for failing to maintain reasonable security measures and for misleading customers about the scope of the breach.

Breach #57: Mate1

Breach Date February 2016
Domain mate1.com
Exposed Data 👤 Usernames, 📛 Names, 📅 Dates of birth, 📬 Email addresses, 🔑 Passwords
Exposed Records 27,391,395
Industry Entertainment
Password Risk 🔥 Plain Text
Searchable No
Sensitive Yes
Verified Yes

The Mate1 breach, which became public knowledge in early 2016, was a significant security incident in the world of online dating. Mate1, a popular dating website, experienced a data breach that led to the exposure of personal information from over 27 million user accounts. The compromised data included user names, email addresses, and most notably, unencrypted plaintext passwords, as well as some phone numbers and dating information.

This breach was particularly alarming due to the nature of the data involved. In the context of online dating, users share intimate details and personal information with the expectation of privacy and security. The exposure of plaintext passwords, along with personal details, posed severe risks to users, including potential identity theft, financial fraud, and personal safety concerns.

Breach #58: PostMillennial

Breach Date May 2024
Domain thepostmillennial.com
Exposed Data 📧 Email addresses, 📛 Names, 🔑 Passwords, 📞 Phone numbers, 🌐 IP addresses, 🏠 Physical addresses
Exposed Records 26,929,396
Industry News Media
Password Risk ⚠️ Plaintext
Searchable Yes
Sensitive No
Verified Yes

The Post Millennial, a conservative Canadian news website, was hacked on May 2, 2024. The attackers took the site and its sister publication Human Events offline, then defaced the homepage with a fake message purportedly from senior editor Andy Ngo. Three databases were leaked during the attack: mailing lists, subscriber information, and personal details of writers and editors. The breach exposed over 26 million individuals. The stolen data was posted to BreachForums before the FBI seized that site on May 15, 2024.

The leaked data included names, email addresses, usernames, phone numbers, IP addresses, physical addresses, and passwords stored in plaintext. Hundreds of writers and editors had their personal details exposed. Tens of thousands of subscribers had their full account information compromised. The mailing lists contained tens of millions of email addresses from various campaigns, some not directly run by The Post Millennial. A notable portion of the compromised email accounts belonged to US government and law enforcement personnel.

Breach #59: Neopets

Breach Date May 2013
Domain neopets.com
Exposed Data 📬 Email addresses, 📛 Names, 🔑 Passwords, 📅 Dates of birth, 🚹🚺 Genders, 🌍 Geographic locations
Exposed Records 26,893,291
Industry Entertainment
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

The Neopets breach, which came to light in 2016, was a significant incident in the realm of online gaming and virtual communities. Neopets, a popular virtual pet website where users could care for and play with virtual pets, suffered a data breach that compromised a large number of user accounts. The exact number of affected accounts wasn’t officially disclosed, but it’s believed to have impacted a substantial portion of the site’s user base. The compromised data included usernames, email addresses, and passwords. This breach was particularly impactful given Neopets’ popularity, especially among younger internet users.

Breach #60: Livejournal

Breach Date January 2017
Domain livejournal.com
Exposed Data 📬 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 26,368,201
Industry Entertainment
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

The LiveJournal breach, which became widely known in 2020, was a significant event in the realm of online blogging and social networking. LiveJournal, a popular platform for personal blogging and journaling, experienced a data breach that reportedly affected around 26 million accounts. This breach involved the exposure of usernames, email addresses, and plaintext passwords.

This incident was particularly notable due to LiveJournal’s status as a platform for personal expression and community building. Users of LiveJournal often shared intimate details of their lives, thoughts, and experiences, making the platform a repository of personal and sometimes sensitive content.

Breach #61: Mathway

Breach Date January 2020
Domain mathway.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 📛 Names, 🌐 Social media profiles
Exposed Records 25,694,866
Industry Education
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The Mathway breach, which came to light in May 2020, was a significant incident in the field of educational technology. Mathway, a popular online mathematical problem-solving tool widely used by students, educators, and parents, experienced a data breach that reportedly affected over 25 million user accounts. The compromised information included email addresses and hashed password data.

This breach was of particular concern due to Mathway’s extensive use in the educational sector. Students, who form a significant portion of Mathway’s user base, trust the platform with their academic information, making the breach not just a loss of data but also a potential threat to their academic integrity and privacy.

Breach #62: VNG

Breach Date May 2015
Domain zing.vn
Exposed Data 👤 Usernames, 📧 Email addresses, 🏠 Physical addresses, 📅 Dates of birth, 🌐 IP addresses, 📛 Names, 🔑 Passwords, 📞 Phone numbers
Exposed Records 24,848,112
Industry Entertainment
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

VNG Corporation, Vietnam’s largest technology company, suffered a data breach in May 2015 affecting its Zing.vn multimedia platform. The breach remained largely unknown until April 2018 when the stolen data appeared on hacking forums. VNG issued an apology and acknowledged they had been informed of the data leak risk back in 2015. The company claimed the breach mostly involved game accounts and did not affect their other services like Zalo, Vietnam’s largest social media platform, or their mobile payment service ZaloPay. Vietnam’s Ministry of Public Security later cited this incident as a notable case of data exposure involving over 163 million customer accounts.

The compromised data included usernames, email addresses, phone numbers, dates of birth, IP addresses, home addresses, genders, and passwords stored as unsalted MD5 hashes. About 25 million unique email addresses were part of the leak. The breach resurfaced in 2024 when the same records appeared in a massive 12-terabyte data dump considered one of the largest in history. VNG confirmed the 2024 leak contained the same data originally stolen in 2015 and subsequently posted on Raidforums in 2018.

Breach #63: RailYatri

Railyatri
Breach Date December 2022
Domain railyatri.in
Exposed Data 📧 Email addresses, 📞 Phone numbers, 🚹🚺 Genders, 🏠 Physical addresses
Exposed Records 24,549,032
Industry Transport
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

RailYatri, an Indian government-approved train ticketing platform serving approximately 24 million passengers daily, suffered a data breach in late December 2022. The company acknowledged the security incident on December 28, 2022, and claimed to have fixed the issue within hours. However, the problems had roots going back to February 2020 when cybersecurity researcher Anurag Sen discovered a misconfigured Elasticsearch server exposed to the public without any password protection. RailYatri initially denied the server belonged to them and later claimed it contained only test data. The Indian Computer Emergency Response Team (CERT-In) eventually intervened to help secure the data. In February 2023, a threat actor leaked the stolen database on BreachForums.

The breach exposed over 31 million customer records including 23 million unique email addresses. The 12GB data dump contained names, genders, phone numbers, locations, ticket purchase details, travel information, and fares. About 37,000 invoices were also leaked. The exposed location data was particularly concerning as RailYatri’s integrated GPS functionality allowed users to track their journeys, meaning hackers could potentially identify users’ travel patterns and whereabouts. This was not the company’s first incident. RailYatri had suffered a similar breach in 2020 that affected 700,000 users.

Breach #64: BigBasket

bigbasket
Breach Date October 2020
Domain bigbasket.com
Exposed Data 📛 Names, 📅 Dates of birth, 🌐 IP addresses, 📬 Email addresses, 🏠 Physical addresses, 🔑 Passwords, 📱 Phone numbers
Exposed Records 24,498,022
Industry Retail
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The BigBasket breach, which was reported in November 2020, marked a significant cybersecurity incident in the online grocery shopping sector. BigBasket, a leading online grocery and food delivery service in India, faced a data breach affecting over 20 million users. The exposed data included personal information such as full names, email addresses, hashed passwords, residential addresses, phone numbers, and the last four digits of credit card numbers.

This breach was particularly alarming due to the nature of BigBasket’s service. As an online grocery provider, the platform had access to not only the personal and contact details of its users but also their shopping habits and preferences.

Breach #65: Justdate

Justdate
Breach Date September 2016
Domain justdate.com
Exposed Data 📛 Names, 📬 Email addresses, 📅 Dates of birth, 🌍 Geographic locations
Exposed Records 24,455,121
Industry Entertainment
Password Risk 🔍 Assessment Needed
Searchable No
Sensitive Yes
Verified Yes

JustDate.com, an online dating platform designed for casual connections, was allegedly breached in September 2016. A dataset containing over 24 million user records began circulating on hacking forums shortly after. The data included email addresses, usernames, dates of birth, geographic locations, and passwords reportedly hashed using SHA-1, a weak algorithm known to be vulnerable to cracking. The breach was added to various breach notification databases in early 2017.

Breach #66: ApexSMS

ComboList
Breach Date April 2019
Domain Not-Applicable
Exposed Data 📬 Email addresses, 📛 Names, 📱 Phone numbers, 🌍 Geographic locations, 🚹🚺 Genders
Exposed Records 23,246,400
Industry Miscellaneous
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The ApexSMS data breach occurred in 2019 but came to light only in 2023. The breach was initially discovered following the exposure of a MongoDB database instance named “ApexSMS”, which was found unprotected without a password. This unprotected database belonged to ApexSMS Inc., a company also known as Mobile Drip that specializes in SMS text marketing. In the breach, a total of about 80 million records were exposed, including 23.2 million specific breached accounts. The data compromised included IP addresses, phone numbers, and email addresses.

Breach #67: Cafepress

Cafepress
Breach Date February 2019
Domain cafepress.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 23,212,395
Industry Retail
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The custom merchandise retailer CafePress faced a significant data breach in February 2019. This incident led to the exposure of 23 million unique email addresses. Some of the compromised records also included details such as names, physical addresses, phone numbers, and passwords, which were stored as SHA-1 hashes.

Breach #68: Wanelo

Wanelo
Breach Date December 2018
Domain wanelo.com
Exposed Data 📬 Email addresses, 🔑 Passwords
Exposed Records 23,165,483
Industry Retail
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Wanelo breach, which came to public attention in April 2019, was a significant incident in the online retail and social shopping space. Wanelo (“Want, Need, Love”), a popular social media e-commerce platform where users can discover, share, and buy products, experienced a data breach that affected almost 23 million users. This breach involved the exposure of user data including email addresses, usernames, and hashed passwords. For some users, other personal details like city and phone number were also compromised.

This breach was particularly impactful due to Wanelo’s unique blend of social media and e-commerce, creating a community where users not only shop but also share personal tastes and styles. The exposure of such personal data raised concerns about user privacy and the potential for phishing attacks or other forms of identity theft.

Breach #69: GFAN

Gfan
Breach Date October 2016
Domain gfan.com
Exposed Data 👤 Username, 📬 Email addresses, 🔑 Passwords, 🌐 IP addresses
Exposed Records 22,456,012
Industry Electronics
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified No

The Gfan breach, which came to light in 2014, was a significant cybersecurity incident in the realm of mobile technology and online forums. Gfan, a popular Chinese forum and marketplace for Android users, suffered a data breach that led to the exposure of approximately 4.5 million user accounts. The compromised data included usernames, email addresses, and hashed passwords.

This breach was notable due to Gfan’s prominence in the Android community, especially among users interested in mobile technology, apps, and modifications. The platform not only served as a discussion forum but also as a repository for Android apps and updates, making it a valuable resource for tech enthusiasts.

Breach #70: Animoto

Breach Date July 2018
Domain animoto.com
Exposed Data 🔑 Passwords, 📬 Email addresses, 🌍 Geographic locations, 📅 Dates of birth, 📛 Names
Exposed Records 22,453,559
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In a striking reminder of the ever-present risks in the digital realm, Animoto, a cloud-based video creation service, experienced a significant data breach in 2018. This breach compromised the personal data of 22 million users, underscoring the vulnerabilities even in platforms dedicated to creativity and digital expression. The exposed information included users’ names, email addresses, and hashed and salted passwords. For some users, date of birth and gender information were also compromised.

Animoto’s platform, widely used for creating and sharing videos, meant that the breach had far-reaching implications. Not only did it raise concerns about personal data security, but it also highlighted the potential risks associated with cloud-based services, where users frequently upload and share personal content.

Breach #71: ReadNovel

Readnovel
Breach Date May 2019
Domain readnovel.com
Exposed Data 👤 Usernames, 🔑 Passwords, 📬 Email addresses, 🚹🚺 Genders, 📱 Phone numbers
Exposed Records 22,412,132
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified No

The breach at ReadNovel, a popular platform for literature enthusiasts, unfolded in 2021 and revealed the fragile nature of digital data security in online literary communities. With a substantial number of user accounts affected, the breach exposed sensitive information such as usernames, email addresses, and hashed passwords. This incident was particularly disconcerting for ReadNovel’s community, where members often engage deeply with the content, sharing personal reflections and forming bonds over shared literary interests.

ReadNovel’s breach was more than a data compromise; it was a violation of a trusted space for writers and readers. Such platforms are not just websites but sanctuaries for creativity and expression, making the breach a deeply personal issue for its users.

Breach #72: R2games

Breach Date November 2015
Domain r2games.com
Exposed Data 👤 Usernames, 📬 Email addresses, 🌐 IP addresses, 🔑 Passwords
Exposed Records 21,830,941
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

R2Games, a well-known publisher of browser and mobile games, experienced a significant security breach in 2016, marking a stark reminder of the cybersecurity risks in the online gaming industry. The breach resulted in the exposure of data from an estimated 22 million user accounts. This data included sensitive information such as email addresses, passwords, IP addresses, and even some instances of user names and gaming progress.

The breach’s impact was substantial due to R2Games’ status as a hub for avid gamers, with a variety of popular titles that fostered a dedicated user community. For these gamers, the breach meant not just a loss of data, but a potential threat to their online gaming identities and the progress they had made in games, which, for many, represented significant investments of time and effort.

Breach #73: Parkmobile

ParkMobile
Breach Date March 2021
Domain parkmobile.io
Exposed Data 📛 Names, 📬 Email addresses, 🔑 Passwords, 📱 Phone numbers, 🚹🚺 Genders, 🏠 Physical addresses, 🚗 Licence plates
Exposed Records 20,971,517
Industry Transport
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The ParkMobile breach, an incident in the domain of mobile parking and transportation services, occurred in March 2021, illustrating the vulnerabilities in modern app-based services. ParkMobile, a popular parking app used in many cities across the United States to pay for street and garage parking, experienced a data breach that affected 21 million users. The breach exposed users’ personal data, including license plate numbers, email addresses, phone numbers, and in some cases, mailing addresses. Notably, no payment information was compromised in the breach.

ParkMobile’s breach was particularly concerning due to the app’s widespread use by individuals relying on it for daily parking needs. The exposed data posed risks like potential phishing attacks and identity theft. For many users, the breach was a significant concern, as license plate numbers and other personal information are considered sensitive data.

Breach #74: Hurb

Hurb
Breach Date March 2019
Domain hurb.com
Exposed Data 📛 Names, 📬 Email addresses, 🔑 Passwords, 🌐 IP addresses
Exposed Records 20,726,194
Industry Hospitality
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In August 2019, Hurb, formerly known as Hotel Urbano, a Brazilian online travel agency, experienced a significant data breach. This breach exposed sensitive information of over 20 million customers, showcasing the challenges and risks associated with cybersecurity in the travel and hospitality industry. The data compromised in this breach included personal details such as names, email addresses, and hashed passwords.

The Hurb breach was particularly impactful due to the nature of the exposed information, which is crucial in travel arrangements where trust and privacy are paramount. Customers of travel agencies like Hurb entrust the platform with not only their personal information but also details about their travel plans, preferences, and sometimes payment information.

Breach #75: Shopback

Breach Date September 2020
Domain shopback.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 📛 Names, 📱 Phone numbers, 🌍 Geographic locations, 🌐 IP addresses
Exposed Records 20,653,700
Industry Retail
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In September 2020, ShopBack, a prominent cashback reward program based in Singapore, experienced a significant data breach. This incident resulted in unauthorized access to a database containing personal information of an undisclosed number of users. The compromised data included names, email addresses, encrypted passwords, bank account details, and other information linked to users’ accounts.

The ShopBack breach was especially concerning because the platform operates at the intersection of e-commerce and financial transactions, where users accumulate cashback rewards for purchases made through the site. The exposure of such sensitive data, particularly bank account details, posed a serious risk of financial fraud and identity theft.

Breach #76: Indiamart

Breach Date May 2021
Domain indiamart.com
Exposed Data 📛 Name, 📬 Email addresses, 🏠 Physical addresses, 📱 Phone numbers
Exposed Records 20,159,951
Industry Retail
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

In 2020, IndiaMART, one of India’s largest online B2B marketplaces, experienced a data breach that compromised the personal information of an estimated 40,000 of its suppliers. The incident involved unauthorized access to a database containing sensitive data, including names, email addresses, and phone numbers of sellers registered on the platform.

The significance of the IndiaMART breach lies in the platform’s role as a critical link between suppliers and buyers in India’s vast B2B market. The exposure of supplier data not only raised concerns about privacy but also posed risks of potential phishing attacks and other forms of digital fraud.

Breach #77: CutoutPro

Cutout.pro
Breach Date February 2024
Domain cutout.pro
Exposed Data 📛 Names, 🔑 Passwords, 📧 Email addresses, 🌐 IP addresses
Exposed Records 20,021,813
Industry Information Technology
Password Risk ⚠️ Easy to crack
Searchable Yes
Sensitive No
Verified Yes

Cutout.Pro, an AI-powered visual design and photo editing platform, suffered a data breach in February 2024. A threat actor using the handle “KryptonZambie” disclosed the breach on BreachForums on February 27, 2024, claiming they still had active access to the compromised system at the time of posting. The hacker shared 5.93GB of stolen data via CSV files and also distributed the records across multiple Telegram channels to maximize reach. The database dump contained 41.4 million records with 20 million unique users affected.

The exposed data included email addresses, IP addresses, names, and passwords stored as salted MD5 hashes. When contacted for comment, Cutout.Pro’s marketing department denied any evidence of a breach and labeled the leak a “scam.”

Breach #78: Aptoide

Aptoide
Breach Date April 2020
Domain aptoide.com
Exposed Data 📬 Email addresses, 📛 Names, 🔑 Passwords, 🌐 IP addresses, 🌐 Browser user agent details
Exposed Records 20,011,680
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In April 2020, Aptoide, a popular alternative marketplace for Android apps, experienced a significant data breach. This incident led to the exposure of personal information of about 20 million users of the platform. The data compromised in the breach included email addresses, hashed passwords, real names, sign-up dates, device details, and IP addresses.

Aptoide’s breach was particularly impactful because of the platform’s large user base, offering an alternative to the standard Google Play Store for Android applications. The breach posed risks such as potential identity theft, phishing attacks, and unauthorized access to user accounts, given the nature of the exposed data.

Breach #79: CDEK

Cdek
Breach Date March 2022
Domain cdek.ru
Exposed Data 📛 Names, 📬 Email addresses, 📱 Phone numbers
Exposed Records 19,216,659
Industry Transport
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified No

In 2020, CDEK, a prominent Russian courier, logistics, and freight service company, experienced a significant data breach. This breach led to the unauthorized access and exposure of personal information belonging to a substantial number of its customers. The compromised data reportedly included customers’ names, phone numbers, email addresses, parcel tracking numbers, and shipping details.

The breach at CDEK was particularly concerning due to the nature of the compromised information. In the logistics and courier industry, where customer trust is paramount, the exposure of shipping details and personal contact information could lead to potential privacy violations and security concerns.

Breach #80: YouNow

Breach Date February 2019
Domain younow.com
Exposed Data 📛 Names, 🌐 IP addresses, 📬 Email addresses, 🌐 Social media profiles, 👤 Usernames
Exposed Records 18,240,691
Industry Retail
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

In 2019, YouNow, a live broadcasting service, experienced a data breach that impacted its user community. This breach led to the exposure of information from approximately 40 million user accounts. The compromised data included users’ names, usernames, email addresses, and social media profile information. Notably, passwords and financial data were not included in the breach, as YouNow does not store these details.

This breach was significant for YouNow’s user base, which primarily consists of content creators and viewers engaging in real-time video streaming and social interaction. The platform’s focus on live broadcasting meant that the breach had the potential to impact the digital identities and social media presences of its users.

Breach #81: 8tracks

8tracks
Breach Date June 2017
Domain 8tracks.com
Exposed Data 👤 Usernames, 🔑 Passwords, 📬 Email addresses
Exposed Records 17,978,503
Industry Finance
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In 2017, 8tracks, an internet music streaming service known for its user-curated playlists, experienced a data breach that significantly impacted its users. The breach resulted in unauthorized access to and exposure of information from approximately 18 million user accounts. The data compromised in the breach included email addresses, usernames, and hashed passwords. It was reported that the breach occurred through an employee’s GitHub account, which did not have two-factor authentication and was linked to a repository containing a backup database of user data.

This breach was particularly impactful for 8tracks’ users, who valued the platform for its personalized music discovery and sharing experience. The exposure of user account details posed risks of unauthorized account access and potential phishing attacks.

Breach #82: EyeEm

Eyeem
Breach Date February 2018
Domain eyeem.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 📛 Names, 👤 Usernames
Exposed Records 17,723,930
Industry Entertainment
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

The EyeEm breach, surfacing in 2018, marked a concerning event in the world of online photography and digital content. EyeEm, a platform blending photography with a social networking community, faced a data breach that compromised the personal information of approximately 22 million users. The breach exposed a variety of user data, including email addresses, names, usernames, and hashed passwords.

For EyeEm’s community of photographers and enthusiasts, the breach was more than just a loss of data; it was a breach of the trust placed in a platform dedicated to creative expression and sharing. The platform’s focus on photography and its social networking aspect meant that the breach had the potential to impact the digital identities and creative content of its users.

Breach #83: Ticketek

Ticketek-Australia
Breach Date May 2024
Domain ticketek.com.au
Exposed Data 📧 Email addresses, 📛 Names, 🔑 Passwords, 📅 Dates of birth, 🚹🚺 Genders
Exposed Records 17,666,971
Industry Entertainment
Password Risk 🛡️ Hard to crack
Searchable Yes
Sensitive No
Verified Yes

Ticketek, Australia’s major event ticketing company, confirmed a data breach in May 2024 linked to a third-party cloud platform. The breach was part of a larger campaign targeting Snowflake cloud storage customers. A threat actor known as Sp1d3r began selling the stolen data on a hacking forum on June 20, 2024, claiming to have information on 30 million customers. Incident response firm Mandiant reported that approximately 165 companies using Snowflake environments may have been compromised through leaked credentials obtained from info-stealer malware, with accounts lacking multi-factor authentication being the primary targets.

The breach exposed nearly 30 million rows of data containing 17.6 million unique email addresses along with names, genders, dates of birth, and hashed passwords. Ticketek stated that its own password encryption systems and payment processing infrastructure were not directly compromised, as these operate separately with secure encryption. On June 28, 2024, the company obtained a court injunction to prevent further dissemination of the stolen data.

Breach #84: Disqus

Breach Date July 2012
Domain disqus.com
Exposed Data 👤 Usernames, 📬 Email addresses, 🔑 Passwords
Exposed Records 17,557,543
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In 2017, Disqus, a widely-used blog comment hosting service for web sites and online communities, experienced a data breach that impacted approximately 17.5 million users. The breach exposed email addresses, usernames, sign-up dates, and last login dates in plain text; hashed passwords were also leaked. This incident dated back to a breach that occurred in 2012, but it was only discovered and disclosed in 2017.

For Disqus, which facilitates discussion on countless websites across the internet, the breach represented a significant intrusion into the digital identities of its users. The platform’s role as a tool for engaging in public discourse meant that the breach had implications not just for individual privacy, but also for the integrity of online discussions.

Breach #85: Ixigo

Ixigo
Breach Date January 2019
Domain ixigo.com
Exposed Data 📛 Names, 📬 Email addresses, 🆔 Government IDs, 🏠 Physical addresses, 📱 Device information, 🚹🚺 Genders, 🌐 Social media profiles, 🔑 Passwords
Exposed Records 17,198,751
Industry Transport
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In early 2018, Ixigo, a prominent travel and hotel booking app, found itself grappling with a significant data breach. The incident compromised the personal information of millions of its users, including names, email addresses, and hashed passwords. This breach was part of a larger cybersecurity incident that affected several popular travel apps, highlighting the broader vulnerabilities within the digital travel industry.

For Ixigo, a platform trusted by travelers for booking flights, trains, and hotels, the breach was a serious blow to user trust. It emphasized the critical need for enhanced security measures in safeguarding personal and travel-related information.

Breach #86: Zomato

Zomato
Breach Date May 2017
Domain zomato.com
Exposed Data 👤 Usernames, 📬 Email addresses, 🔑 Passwords
Exposed Records 16,475,717
Industry Education
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In a separate incident in 2017, Zomato, a popular online food delivery and restaurant discovery service, faced a significant data breach. This breach affected about 17 million user accounts, exposing email addresses and hashed passwords. Zomato was quick to respond, resetting the passwords of the affected users and enhancing their security measures.

The breach at Zomato, which operates in a space where digital transactions are frequent, underscored the vulnerabilities of online food service platforms.

Breach #87: Eye4fraud

Eye4fraud
Breach Date January 2023
Domain eye4fraud.com
Exposed Data 📛 Names, 📞 Phone numbers, 🏠 Physical addresses, 📧 Email addresses, 🔑 Passwords, 💳 Partial credit card data, 🌐 IP addresses
Exposed Records 16,032,780
Industry Electronics
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Eye4Fraud, a fraud prevention service used by e-commerce merchants to protect online transactions, suffered a data breach in January 2023. Cybercriminals gained access to a poorly secured AWS S3 bucket and extracted 65GB of data spread across 147 database tables. The breach was publicly disclosed in February 2023 when the stolen data appeared for sale on a hacking forum. The incident affected approximately 16 million accounts, including both direct users of the Eye4Fraud service and individuals who had placed orders on websites using Eye4Fraud for transaction protection.

The exposed data included email addresses, names, phone numbers, physical addresses, IP addresses, bcrypt password hashes for account holders, and partial credit card information showing card types and last four digits. Eye4Fraud did not respond to multiple attempts to report the incident from security researchers and affected parties. After a month of silence, the company posted a brief statement on its website without providing detailed information.

Breach #88: LuminPDF

LuminPDF
Breach Date April 2019
Domain luminpdf.com
Exposed Data 📛 Names, 📬 Email addresses, 🚹🚺 Genders, 🔑 Passwords, 👤 Usernames, 🌐 Spoken languages
Exposed Records 15,453,070
Industry Information Technology
Password Risk 🔍 Assessment Needed
Searchable Yes
Sensitive No
Verified Yes

In a striking development in the world of online document management, Lumin PDF, known for its cloud-based PDF editing services, reported a significant data breach in September 2019. The breach affected about 24.3 million users, with exposed data including email addresses, names, genders, and both hashed and plaintext passwords. This incident, which gained attention after the data surfaced on a hacking forum, highlighted the vulnerabilities inherent in cloud storage, particularly for services handling potentially sensitive documents.

Breach #89: Epik

Epik
Breach Date September 2021
Domain epik.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 🌐 IP addresses
Exposed Records 15,389,296
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

The Epik data breach in September 2021 marked a significant cybersecurity crisis in the domain registration and web hosting industry. Affecting over 15 million users, the breach exposed a wide range of sensitive information, including email addresses, names, phone numbers, and physical addresses. This breach was particularly notable for the nature of Epik’s clientele, which included controversial and fringe elements of the web.

Breach #90: Trello

Trello
Breach Date January 2024
Domain trello.com
Exposed Data 📧 Email addresses, 📛 Names, 👤 Usernames
Exposed Records 15,115,458
Industry Information Technology
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Trello, the popular project management platform owned by Atlassian, had over 15 million user records scraped and posted for sale on a hacking forum in January 2024. A threat actor using the alias “emo” exploited an unsecured Trello REST API endpoint that allowed unauthenticated queries to return public user information based on email addresses. The attacker fed approximately 500 million email addresses from previous breach datasets into the API and successfully matched them to 15 million Trello accounts. The leaked data appeared on hacking forums in July 2024.

The exposed information included email addresses, full names, and usernames associated with Trello accounts. Atlassian clarified that no unauthorized system access occurred and that the API was functioning as designed to allow users to invite others to public boards via email. However, following the incident, Trello modified the API so that unauthenticated users can no longer request public information by email address.

Breach #91: ClearvoiceSurveys

clearvoice
Breach Date August 2015
Domain clearvoicesurveys.com
Exposed Data 📛 Names, 📬 Email addresses, 🔑 Passwords, 📅 Dates of birth, 🏠 Physical addresses, 🚹🚺 Genders, 📱 Phone numbers
Exposed Records 15,074,190
Industry Retail
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

ClearVoiceSurveys, an online platform for surveys and market research, encountered a significant data breach, bringing into sharp focus the risks associated with data collection services. This breach exposed sensitive participant information, including names, email addresses, and other personal details that users had provided in the course of taking surveys.

Breach #92: 8fit

8fit
Breach Date July 2018
Domain 8fit.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 🚹🚺 Genders, 🌐 IP addresses, 📛 Names, 🌍 Geographic locations
Exposed Records 15,026,800
Industry Health Care
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

8fit, a popular health and fitness app known for personalized workout and meal plans, suffered a data breach. The breach compromised the personal data of its users, including email addresses and hashed passwords. Given the app’s focus on personal health and fitness, the breach raised concerns about the security of personal health-related information stored in mobile apps.

Breach #93: 000webhost

Breach Date March 2015
Domain 000webhost.com
Exposed Data 📬 Email addresses, 🔑 Passwords, 🌐 IP addresses
Exposed Records 14,936,538
Industry Information Technology
Password Risk 🔥 Plain Text
Searchable Yes
Sensitive No
Verified Yes

In 2015, 000Webhost, a free web hosting provider, experienced a major data breach, revealing the challenges in securing web hosting services. This significant breach compromised the personal details of 13.5 million users, including names, email addresses, and plaintext passwords. The breach was notable for the scale of the data loss and the fact that passwords were stored in plain text.

Breach #94: 500px

500px
Breach Date June 2018
Domain 500px.com
Exposed Data 👤 Username, 📬 Email addresses, 🔑 Passwords, 📛 Names, 📅 Dates of birth, 🚹🚺 Genders, 🌍 Geographic locations
Exposed Records 14,875,273
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

In 2019, 500px, a popular platform for photographers to share and sell their work, reported a security breach that impacted approximately 14.8 million users. This breach led to the unauthorized access of personal data such as names, email addresses, hashed passwords, birth dates, and location information. This breach at 500px was particularly impactful due to the platform’s large community of professional and amateur photographers.

Breach #95: Promo

Promofarma
Breach Date June 2020
Domain promo.com
Exposed Data 📛 Names, 📬 Email addresses, 🚹🚺 Genders, 🌐 IP addresses, 👤 Usernames, 🔑 Passwords, 🌍 Geographic locations
Exposed Records 14,610,177
Industry Information Technology
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

Promo, an online video creation and marketing platform, suffered a data breach in 2020 that affected 22 million users. The exposed data included names, email addresses, hashed passwords, and, in some cases, user data like location, gender, and phone numbers. The breach underscored the vulnerabilities present in digital marketing platforms, particularly those handling large volumes of user data.

Breach #96: Evony

Breach Date June 2016
Domain evony.com
Exposed Data 👤 Usernames, 📬 Email addresses, 🔑 Passwords, 🌐 IP addresses
Exposed Records 14,325,896
Industry Entertainment
Password Risk ⚠️ Weak Security
Searchable Yes
Sensitive No
Verified Yes

Evony, a popular multiplayer online strategy game, faced a significant data breach in 2016, highlighting the security challenges in the online gaming industry. This breach compromised the personal information of over 33 million players. The exposed data included email addresses, usernames, and hashed passwords. The breach at Evony was a critical reminder of the potential vulnerabilities in online gaming platforms, where users often spend considerable time and sometimes money.

Breach #97: Free

Free.fr
Breach Date October 2024
Domain free.fr
Exposed Data 📧 Email addresses, 📛 Names, 🚹🚺 Genders, 📞 Phone numbers, 🏠 Physical addresses, 📅 Dates of birth, 🏦 Bank account numbers (IBAN)
Exposed Records 14,247,989
Industry Information Technology
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Free, France’s second-largest internet service provider and a subsidiary of the Iliad Group, confirmed a data breach in October 2024. The attack occurred on October 17, 2024, when threat actors targeted an internal management tool to exfiltrate customer data. A hacker using the alias “drussellx” claimed responsibility and posted the stolen data for sale on BreachForums, stating it contained information on 19.2 million customers including 5.11 million IBAN bank account numbers. Free filed a criminal complaint with the public prosecutor and notified French authorities including CNIL and ANSSI.

The breach exposed 14.2 million unique email addresses along with names, physical addresses, phone numbers, genders, and dates of birth. For many Freebox subscribers, IBAN bank account numbers were also compromised. Free clarified that no passwords, bank card details, or communications were affected, and the attack had no operational impact on services.

Breach #98: Hiapk

ComboList
Breach Date January 2014
Domain hiapk.com
Exposed Data 📧 Email addresses, 👤 Usernames, 🔑 Passwords
Exposed Records 13,843,251
Industry Information Technology
Password Risk ⚠️ Easy to crack
Searchable Yes
Sensitive No
Verified No

HiAPK, a Chinese Android app store and community forum, suffered a data breach in approximately January 2014. The breach exposed 13.8 million user accounts. The stolen data was provided to Have I Been Pwned by white hat security researcher Adam Davies and was added to the database in April 2018, over four years after the incident occurred. HiAPK was a popular destination for Chinese Android users to download apps and discuss mobile technology.

The compromised data included usernames, email addresses, and passwords stored as salted MD5 hashes. MD5 is considered a weak hashing algorithm, making the passwords vulnerable to cracking attempts. While evidence suggests the data is legitimate, the breach has been flagged as “unverified” due to the difficulty of conclusively confirming breach details originating from within China.

Breach #99: Yam

Breach Date June 2013
Domain yam.com
Exposed Data 👤 Usernames, 🔑 Passwords, 📧 Email addresses, 📛 Names, 📞 Phone numbers
Exposed Records 13,259,767
Industry News Media
Password Risk ❓ Unknown
Searchable Yes
Sensitive No
Verified Yes

Yam, a social networking platform, experienced a data breach, compromising the personal details of its users. This breach exposed a range of sensitive information, including names, email addresses, and hashed passwords.

Breach #100: Hjedd

ComboList
Breach Date July 2022
Domain hjedd.com
Exposed Data 👤 Usernames, 📬 Email addresses, 🔑 Passwords, 🌐 IP addresses
Exposed Records 13,188,743
Industry Miscellaneous
Password Risk ⚠️ Weak Security
Searchable No
Sensitive Yes
Verified Yes

Hjedd, an educational platform, reportedly experienced a data breach, although specific details about the incident, including the scale and nature of the data compromised, are not widely known. Educational platforms like Hjedd often hold sensitive information, including student personal data, academic records, and sometimes financial information, making them potential targets for cyberattacks.
