Here’s your weekly #databreach news roundup:​​​​

Carousell, EnergyAustralia, Medibank, Advocate Aurora Health, Whitworth University, Microsoft, and Vinomofo.



A database of user accounts believed to have been stolen from online marketplace Carousell is being sold on the Dark Web and hacking forums, checks by The Sunday Times found.

The database, allegedly containing the information of 2.6 million accounts, is being sold for $1,000. Carousell said on Friday that 1.95 million user accounts were affected.

It informed affected users on Friday evening that their data was compromised after a bug was introduced during a system migration and used by a third party to gain unauthorised access. The bug has been fixed, said its spokesman.


EnergyAustralia has become the latest company to be targeted by a cyber-attack, with hundreds of customers’ details exposed.

In a statement released late on Friday, the electricity company said 323 residential and small business customers were affected by unauthorised access to their online platform, My Account.


Details including customer names, addresses, email addresses, electricity and gas bills, phone numbers and the first six and last three digits of their credit cards are all included with those accounts.

The company said there was “no evidence” customer details were transferred outside the company’s platform.


Nearly 4 million Medibank customers have potentially had their personal details accessed after the health insurer was targeted by hackers last week.

A “significant cybersecurity incident” occurred within Medibank, Home Affairs Minister Clare O’Neil confirmed.

Medibank halted trading on Wednesday after receiving ransom demands from the alleged hackers.

Advocate Aurora Health


Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients.

The incident was caused by the improper use of Meta Pixel on AAH’s websites, where patients log in and enter sensitive personal and medical information.

Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.

However, the tracker also sends sensitive data to Meta (Facebook) and is then shared with a massive network of marketers who target patients with advertisements that match their conditions.

Whitworth University


Whitworth University has informed the state attorney general’s office that a data breach this summer was a ransomware attack that may have affected thousands of former and current students and staff.

The notification was made in a letter dated Oct. 4 from the law firm Wilson Elser based in New York City. In the letter, the private university acknowledges for the first time publicly the data breach that occurred July 29 was a ransomware attack, a growing field of cyber crime in which hackers seize control of data and demand payment for its release. Under state law, a data breach affecting more than 500 residents of Washington must be reported to the Washington Attorney General.



Microsoft said today that some of its customers’ sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet.

The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.

“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” the company revealed.

“Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.”



Wine dealer Vinomofo is the latest Australian company to be targeted by a cyber-attack.

At risk of exposure are the names, dates of birth, addresses, email addresses, phone numbers and genders of customers – Vinomofo has about 500,000 people on its books, but it’s not clear if all were exposed.


Vinomofo said the risk to members was “low” because other information, such as passports, credit card details and driver’s licences were not held by Vinomofo.

“Vinomofo experienced a cybersecurity incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website,” the chief executive, Paul Edginton, said in a statement emailed to customers.