Here’s your weekly data breach news roundup: ​

Haven Behavioral Hospital of Albuquerque, Boggi Milano, Vhive, Bookchor, NTUC’s e2i (Employment and Employability Institute), OnlyFans, LinkedIn, Office Depot Europe, Cardpool, PHP source code, Cardinal Care, Facebook, Swarmshop, Q Link Wireless, and Clubhouse.

Haven Behavioral Hospital of Albuquerque


Haven Behavioral Hospital of Albuquerque provided notice last month of a cybersecurity incident that potentially made certain information available, including medical history and health insurance info, according to a news release.

The information affected may have also included names, dates of birth, treatment information and provider information, the release says.

The mental health care organization “observed unusual activity on certain systems” in late September. It then began an investigation with third-party forensic specialists to identify the source of the activity and determine its impact. Haven’s investigation determined that “certain files were potentially accessible on a system that may have been subject to unauthorized access” in September, the release said.

A representative for Haven Behavioral Hospital of Albuquerque, which offers treatments for people experiencing mental health and substance abuse, was unable to be reached for comment. Haven Behavioral Healthcare operates seven behavioral hospitals across the country, with additional locations in Texas, Arizona and Idaho, according to its website.

Boggi Milano


Italian fashion clothing chain ‘Boggi Milano’ has suffered a ransomware attack by the Ragnarok group of actors, who appear to have stolen 40 gigabytes of data in the process. We have visited the brand’s website and tested out regional domains. Everything is up and running, so the security incident doesn’t appear to have had a significant impact on the operations. This was also confirmed by a company representative, who stated that they are simply taking the matter to the law authorities for further investigation.

With the help of KELA, we were able to find the first leaked samples on the dark web in order to determine if customer data is included in the exfiltrated files. From what we were able to discern, judging by the filenames presented on the leak portal, the actors may have stolen payroll files, payment PDFs, vouchers, liability documents, tax-related files, etc.



The authorities are investigating a data breach at local furniture retailer, Vhive, which led to customers’ personal information – such as phone numbers and physical addresses – being leaked online.

Replying to queries from The Sunday Times yesterday, the police confirmed that a report has been lodged on the matter.

In a Facebook post last Monday, Vhive said that its server was hacked on March 23 and that it was working with the police and other relevant authorities as well as an IT forensic investigator to look into the breach.

Information compromised in the hack included customers’ names, physical and e-mail addresses and mobile numbers, but did not include identification numbers or financial information, said the company.

“All financial records in relation to purchases made with Vhive are held on a separate system which was not hacked,” it added.

“We are truly sorry for the incident and stand ready to assist you if you require immediate help,” Vhive told customers.



A hacker has alleged that he has breached the website of famous second-hand book dealer Bookchor.com and downloaded information of 5,33,275 users. As per the post on a hacking forum, the threat actor breached the website in February but made the data available online on March 26.

n the post, the hacker wrote that he took the data dump on February 18, 2021. Though he had counted 5,05,373 unique email IDs, the total number of customers in the CSV file was 5,33,275. In the data, he had included IP Addresses, Hashed Passwords, Full names, Phone Numbers, Physical Addresses, Orders, Email addresses, and what type of phone they use (If they were using a phone).

NTUC’s e2i (Employment and Employability Institute)


NTUC’s e2i (Employment and Employability Institute) has had a data breach incident that has resulted in the exposure of the personal details of about 30,000, according to a media statement shared with Channel News Asia. Reportedly, the incident took place on March 12, 2021, so it’s been three weeks already. The breached entity states that someone managed to gain unauthorized access to a mailbox that contained the personal data of approximately 30,000 individuals, users of the e2i services.

e2i is a platform that connects workers and employers in Singapore, offering technical solutions relevant to job-matching, career guidance, skills upgrading, continuous professional development, manpower need changes, auto-recruitment, training, job redesign solutions, and more. Being on the top-3000 most visited sites in Singapore, the platform is bound to have many more members than the 30,000 that were exposed by this incident, so we would suppose that the attack must have been mitigated.



After a shared Google Drive was posted online containing the private videos and images from hundreds of OnlyFans accounts, a researcher has created a tool allowing content creators to check if they are part of the leak.

It is common for people to share OnlyFans content they subscribe to but what stands out about this leak is the large amount of creators whose private content has been shared at once.

OnlyFans is a website that allows content creators to earn money by sharing images, videos, and live streams with fans who pay to subscribe to their content.

While OnlyFans is promoted as a way for celebrities and social influencers to share their content, it is also heavily used to share adult-themed content with fans who pay to access it.


Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn.

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.

The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more. 

To see if your email address has been exposed in this data leak or other security breaches, use our personal data leak checker with a library of 15+ billion breached records.

While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.

Office Depot Europe


The latest Elasticsearch database tumble comes from Office Depot Europe, who, according to a report shared by researcher Jeremiah Fowler, failed to protect a “live” production server. The researcher and his team found the accessible data on March 3, 2021, and immediately sent a disclosure notice to Office Depot.

The firm secured it within hours, and two days later, they thanked the reporters. Although the response was quick, the data may have stayed online and accessible by anyone for long enough to be exfiltrated by malicious actors.



E-gift cards falling into the hands of malicious individuals who then sell them for a profit isn’t anything new. However, when a huge batch like that one spotted by Gemini Advisory recently is sold, it’s worth looking into it more thoroughly. According to the relevant report, in February 2021, someone sold 895,000 stolen gift cards for a buy-now price of only $20,000.

Following a successful transaction, the same cybercriminal sold 330,000 payment cards with full cardholder name details, CVV codes, expiration date, card number, bank name, etc. That second batch was sold for just $15,000, and it was purchased within a couple of days.

Following an analysis of the data that was offered for purchase, Gemini Advisory concluded that the credit cards came from a breach on the online gift card shop ‘Cardpool.com.’ The evidence suggests that the breach lasted between February 4, 2019, and August 4, 2019, a period during which the actors were actively exfiltrating card details, probably by means of a skimmer planted on the now-defunct platform. About 85% of the visitors of Cardpool.com were residents of the United States, so the recently sold card set mainly affects Americans.

PHP source code


PHP maintainer Nikita Popov has posted an update concerning how the source code was compromised and malicious code inserted – blaming a user database leak rather than a problem with the server itself.

The PHP code repository was compromised late last month with the insertion of code that, if left in place, would have enabled a backdoor into any web server running it. The code was initially committed in the name of Rasmus Lerdorf, creator of PHP, and after it was removed, recommitted under Popov’s name.

The team originally believed that the server hosting the repository had suffered a break-in, but in a new post Popov said: “We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked.”

Cardinal Care

Personal and medical data from students using Stanford’s Cardinal Care health insurance service — including medical conditions and treatment information — was compromised in a data breach in January. 

Health Net, the insurance provider through which Stanford offers Cardinal Care, disclosed the breach to affected users in late March.

Over the past week, students received letters from Health Net informing them that their addresses, dates of birth, insurance IDs and health information was compromised in a cyberattack, just days after personal information from Stanford community members was

posted online in a separate data breach announced by the School of Medicine.

Though Stanford students’ data was compromised in both incidents, the two breaches were separate attacks on Stanford and Health Net. The Health Net breach does not appear to be limited to users associated with Stanford: According to the U.S. Department of Health and Human Services, over 1,200,000 individuals have been affected by the Health Net breach.



An online tool lets customers pay to unmask the phone numbers of Facebook users that liked a specific Page, and the underlying dataset appears to be separate from the 500 million account database that made headlines this week, signifying another data breach or large scale scraping of Facebook users’ data, Motherboard has found.

Motherboard verified the tool, which comes in the form of a bot on the social network and messaging platform Telegram, outputs accurate phone numbers of Facebook users that aren’t included in the dataset of 500 million users. The data also appears to be different to another Telegram bot outputting Facebook phone numbers that Motherboard first reported on in January.


A breach of Swarmshop, an online hub for selling stolen personal and payment records, has led to the exposure of more than 600,000 payment card numbers and nearly 70,000 sets of US Social Security numbers and Canadian Social Insurance numbers, Group-IB researchers report.

Group-IB calls Swarmshop a midsize “neighborhood” store for selling stolen records. The shop has been in operation since at least April 2019; by March 2021, it had more than 12,000 users and more than 600,000 payment card records for sale.

Researchers discovered data belonging to Swarmshop users leaked on March 17, 2021, when they found the information posted on a different underground forum. The leaked database contained the records of four shop admins, 90 sellers, and 12,250 buyers of stolen data, whose nicknames, hashed passwords, account balance, and, for some, contact details, were exposed.

Q Link Wireless


A mobile carrier allowed anyone with one of its customers phone numbers to access their personal information, including name, address, phone number, and text and call history, according to a report by Ars Technica. The carrier, Q Link Wireless, claimed to have over two million customers in 2019.

Ars Technica noted a Reddit post saying that the app used by the carrier and its subsidiary Hello Mobile never asked for a password or any identifying information when the user was logging on with a phone number. Looking through the reviews, there are references to the poor security practices (to put it mildly) going back to December of 2020. While it’s unclear when the credential-less login system appeared, there is an update note from two years ago that mentions an “updated login process.”


The personal data of 1.3 million Clubhouse users has leaked online on a popular hacker forum, according to a Saturday report from Cyber News.

The scraped data of Clubhouse users includes names, social media profile names, and other details.

Clubhouse did not immediately respond to Insider’s request for comment that was made on Saturday. As Cyber News reported, the exposed data could enable bad actors to target users through phishing schemes or identity theft.

Clubhouse on Sunday pushed back on the Cyber News report, posting on Twitter: “Clubhouse has not been breached or hacked,” it said. “The data referred to is all public profile information from our app, which anyone can access via the app or our API (application programming interface).”