Data Breaches 2019-2018

The companies listed below have IT services or data warehouses based in Australia, and all have been compromised or suffered a data breach in 2018-2019. You never want to see your business or your business partners on this list.

Contact ICTAA today and ask how we can protect your IT ecosystem, staff and business partners and ensure you never make it onto the naughty list below.

SpecSavers – July 2019

Symantec – June 2019

Australian Catholic University – June 2019

Revenue NSW – June 2019

Australian National University – June 2019

Microsoft – May 2019

Princess Polly – May 2019

Canva – May 2019

Instagram – May 2019

CCH software – May 2019

Binance – May 2019

Twitter – May 2019

WhatsApp – May 2019

WPA3 Dragonfly – April 2019

Wipro – April 2019

Speedrun.com – April 2019

Australia Post – March 2019

ASUS – March 2019

Bank of Queensland – March 2019

Kathmandu – March 2019

Citrix – March 2019

Melbourne Hospital – February 2019

CoffeeMeetsBagel – February 2019

9Honey – February 2019

Toyota Australia – February 2019

AMP – February 2019

LandMark White – February 2019

Department of Parliamentary Services – February 2019

Bunnings – February 2019

Facebook – January 2019

Global Hacking Scare – January 2019

SkoolBag – January 2019

Optus – January 2019

Collection #1 – January 2019

Fisheries Queensland – January 2019

First National Real Estate – January 2019

Department of Planning and Environment, NSW Major Projects – January 2019

Victorian Government – January 2019

Marriott Hotel Group / Starwood – January 2019

Early Warning Network – January 2019

Big W – January 2019

Hawthorn Football Club – January 2019

Nova Entertainment – January 2019

My Health Records – January 2019

Victorian Public Servants – January 2019

Commonwealth Bank – December 2018

Humble Bundle – December 2018

News Corp – December 2018

Marriott’s Hotels – December 2018

Dell – November 2018

Victoria’s Emergency Services – November 2018

Amazon – November 2018

PageUp People – November 2018 Update

Federal Group Hotel – November 2018

Under Armour’s MyFitnessPal App – November 2018

Austal – October 2018

Facebook – September 2018

Perth Mint – September 2018

RCR Tomlinson Engineering – August 2018

Strathmore Secondary College – August 2018

Airport Security Identity Cards (ASICs) – July 2018

My Health Record – July 2018

Townsville City Council [Typeform] – July 2018

Timehop App – July 2018

Cairns Council [Typeform] – July 2018

PEXA – National e-conveyancing platform – July 2018

Australian National University – July 2018

Airtasker – July 2018

Bakers Delight – July 2018

Tasmanian Electoral Commission – July 2018

Ticketmaster – June 2018

HealthEngine – June 2018

Flightradar24 – June 2018

PageUp People – June 2018

MyHeritage – June 2018

Family Planning NSW – May 2018

Svitzer Australia – March 2018

GoGet – January 2018

Worldwide Major Data Breaches 2019

Data Breach Notice: Xiaomi (unverified) – 7,088,010 breached accounts

In August 2012, the Xiaomi user forum website suffered a data breach. In all, 7 million email addresses appeared in the breach although a significant portion of them were numeric aliases on the bbs_ml_as_uid.xiaomi.com domain. Usernames, IP addresses and passwords stored as salted MD5 hashes were also exposed. The data was provided with support from dehashed.com.

Data Breach Notice: Flash Flash Revolution (2019 breach) – 1,858,124 breached accounts

In July 2019, the music-based rhythm game Flash Flash Revolution suffered a data breach. The 2019 breach impacted almost 1.9 million members and is in addition to the 2016 data breach of the same service. Email and IP addresses, usernames, dates of birth and salted MD5 hashes were all exposed in the breach. The data was provided with support from dehashed.com.

Data Breach Notice: Stronghold Kingdoms – 5,187,305 breached accounts

In July 2018, the massive multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident which exposed email addresses, usernames and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: GameSalad – 1,506,242 breached accounts

In February 2019, the education and game creation website Game Salad suffered a data breach. The incident impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored as SHA-256 hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: Armor Games – 10,604,307 breached accounts

In January 2019, the game portal website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: Roll20 – 3,994,436 breached accounts

In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: EatStreet – 6,353,564 breached accounts

In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: Bulgarian National Revenue Agency – 471,167 breached accounts

In July 2019, a massive data breach of the Bulgarian National Revenue Agency began circulating with data on 5 million people. Allegedly obtained in June, the data was broadly shared online and included taxation information alongside names, phone numbers, physical addresses and 471 thousand unique email addresses. The breach is said to have affected "nearly all adults in Bulgaria".

Data Breach Notice: YouNow – 18,241,518 breached accounts

In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles. As authentication is performed via social providers, no passwords were exposed in the breach. Many records didn't have associated email addresses thus the unique number is lower than the reported total number...

Data Breach Notice: Animoto – 22,437,749 breached accounts

In July 2018, the cloud-based video making service Animoto suffered a data breach. The breach exposed 22 million unique email addresses alongside names, dates of birth, country of origin and salted password hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: BlackSpigotMC – 140,029 breached accounts

In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself. The exposed data included 140k unique email addresses, usernames, IP addresses, genders, geographic locations and passwords stored as bcrypt hashes.

Data Breach Notice: SHEIN – 39,086,762 breached accounts

In June 2018, online fashion retailer SHEIN suffered a data breach. The company discovered the breach 2 months later in August then disclosed the incident another month after that. A total of 39 million unique email addresses were found in the breach alongside MD5 password hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: piZap – 41,817,893 breached accounts

In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019. A total of 42 million unique email addresses were included in the breach alongside names, genders and links to Facebook profiles when the social media platform was used to authenticate to piZap. When accounts were created directly on piZap without using...

Data Breach Notice: Netlog – 49,038,354 breached accounts

In July 2018, the Belgian social networking site Netlog identified a data breach of their systems dating back to November 2012 (PDF). Although the service was discontinued in 2015, the data breach still impacted 49 million subscribers for whom email addresses and plain text passwords were exposed. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Data Breach Notice: Evite – 100,985,047 breached accounts

In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP...

Data Breach Notice: Social Engineered – 89,392 breached accounts

In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the XenForo forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.

Data Breach Notice: OGUsers – 161,143 breached accounts

In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.

Data Breach Notice: Illawarra drivers licenses details

Illawarra drivers may have had their private details leaked to the media as part of a "political smear campaign", according to Wollongong MP Paul Scully. At the last election, a file containing names, addresses, ages and driving history - including those of then Labor leader Michael Daley - was leaked to the media by the office of Customer Service Minister Victor Dominello. The leak occurred after Revenue NSW advised Mr Dominello's office the file was a privacy breach and it must...

Data Breach Notice: Ordine Avvocati di Roma – 41,960 breached accounts

In May 2019, the Lawyers Order of Rome suffered a data breach by a group claiming to be Anonymous Italy. Data on tens of thousands of Roman lawyers was taken from the breached system and redistributed online. The data included contact information, email addresses and email messages themselves encompassing tens of thousands of unique email addresses. A total of 42k unique addresses appeared in the breach.

Data Breach Notice: Appartoo – 49,681 breached accounts

In March 2017, the French flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256 hashes. Appartoo advised that all subscribers were notified of the incident in early 2017.

Data Breach Notice: Club Penguin Rewritten – 1,688,176 breached accounts

In January 2018, the children's gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach (note: CPRewritten is an independent recreation of Disney's Club Penguin game). The incident exposed almost 1.7 million unique email addresses alongside IP addresses, usernames and passwords stored as bcrypt hashes. When contacted, CPRewritten advised they were aware of the breach and had "contacted affected users".

Data Breach Notice: Bukalapak – 13,369,666 breached accounts

In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes.

Data Breach Notice: DataCamp – 760,561 breached accounts

In January 2017, the data science website DataCamp suffered a data breach. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "BenjaminBlue@exploit.im".

Data Breach Notice: Knuddels – 808,330 breached accounts

In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined €20k for the breach.

Data Breach Notice: Verifications.io – 763,117,241 breached accounts

In February 2019, the email address validation service verifications.io suffered a data breach. The breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure...

Data Breach Notice: ShareThis.com – 40,960,499 breached accounts

In July 2018, the social bookmarking and sharing service ShareThis suffered a data breach. The incident exposed 41 million unique email addresses alongside names and in some cases, dates of birth and password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.

Data Breach Notice: MyFitnessPal – 143,606,147 breached accounts

In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested...

Data Breach Notice: MyHeritage – 91,991,358 breached accounts

In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a...

Data Breach Notice: Dubsmash – 161,749,950 breached accounts

In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "BenjaminBlue@exploit.im".

Data Breach Notice: Symantec breach revealed client list, passwords

A February data breach at Symantec gave hackers access to account numbers, passwords, and a purported list of prominent Australian clients, according to a Guardian Australia report. The platform security vendor characterised the breach as a "minor incident" since it involved a self-enclosed demo lab in Australia that wasn't connected to Symantec's corporate network. Symantec told Guardian Australia it didn't report the breach since the demo lab didn't host or have any sensitive personal data extracted from it. The Australian Privacy Act requires...

Get your business accredited and prevent becoming the next data breach victim.