The companies listed below have IT services or data warehouses based in Australia, which have all been compromised or suffered from a data breach in 2018-2019 – you never want to see your business or your business partners on this list.
Contact ICTAA today and ask how we can protect your IT ecosystem, staff and business partners and ensure you never make it onto the naughty list below.

SpecSavers – July 2019
Symantec – June 2019
Australian Catholic University – June 2019
- Staff details stolen in fresh data breach
- ACU discloses data breach
- Phishers hit ACU, compromised systems
- ACU systems compromised and details stolen after cyber breach
- Attackers use phishing to gain access to ACU staff data
Revenue NSW – June 2019
- Privacy fears for Illawarra drivers as NSW govt data breach referred to ICAC Illawarra drivers may have had their private details leaked to the media as part of a “political smear campaign”
- NSW Labor refers alleged data leak to ICAC
Australian National University – June 2019
- China ‘behind’ huge ANU hack amid fears government employees could be compromised
- ANU breach a risk for security officials as China becomes key suspect
- Almost 20 years of personal data was stolen from ANU. It could show up on the dark web
- 19 years’ worth of personal data stolen from ANU – It could be sold on the dark web
Microsoft – May 2019
- Patch now against wormable ‘BlueKeep’ remote desktop flaw: ACSC – Spectre of another WannaCry-style epidemic raised
Princess Polly – May 2019
- Aussie fashion e-tailer Princess Polly suffers data breach – Card info may have been captured as it was entered into site
Canva – May 2019
- Canva under cyber-attack, with reportedly as many as 139 million users affected
- Aussie Canva Hit By Massive Data Breach: User Details Stolen
- Canva criticised after data breach exposed 139m user details
- “Marketing fluff”: What startups can learn from Canva’s data-breach response
Instagram – May 2019
- Instagram hit by two privacy breaches in a week – The Facebook-owned company fails it users.
- Instagram users’ data exposed to hackers
- Instagram has a MAJOR personal data breach 50 million users have had their personal details shared
- Perth socialite Melissa Graham held to ransom after Instagram privacy breach
CCH software – May 2019
- Wolters Kluwer takes down cloud services after malware infection – Impacts Australian users of CCH software
Binance – May 2019
- Binance hackers shift stolen bitcoin, identity still unclear: researchers – Funds now sitting in several digital wallets
Twitter – May 2019
WhatsApp – May 2019
- WhatsApp flaw allowed spyware injection via calls | Pegasus comes calling whether you answer or not
- WhatsApp urges upgrade after ‘serious’ security breach allowed hackers to put spyware on phones
- WhatsApp major security flaw could let hackers access phones
- WhatsApp patches flaw after spyware revelation
- WhatsApp security breach likely a government surveillance attack, company says
WPA3 Dragonfly – April 2019
Wipro – April 2019
- Wipro hacked, internal systems used to attack customers: report Months-long intrusion
- Wipro confirms breach, says customers are ‘anxious’
- Connectwise CEO defends security stance after Wipro breach
Speedrun.com – April 2019
Australia Post – March 2019
- AusPost’s Bill Scanner caught up in Gmail privacy sweep – Works with Google to ensure API permissions aren’t revoked
ASUS – March 2019
- ASUS users targeted in large supply chain attack – Users infected via software update utility
- ASUS releases fix after ShadowHammer malware attack – But some users unable to update to non-backdoored software
Bank of Queensland – March 2019
- Bank warns of reported third-party data breach – The Bank of Queensland has announced that it has been made aware of a personal data breach by a third party provider
Kathmandu – March 2019
- Credit cards cancelled as Kathmandu reveals online store hacked – month-long breach during peak discount period
- Kathmandu hit by hackers
- Credit cards cancelled as Kathmandu reveals online store hacked
- Kathmandu flags suspected data breach
- Data breaches have possibility to ruin customer relationships
Citrix – March 2019
- Citrix investigates major security breach – resecurity says it believes at least 6TB of data was downloaded
- Citrix hackers stole employee, financial data
Melbourne Hospital – February 2019
- A cyber crime syndicate accessed the medical files of 15,000 patients at Melbourne Heart Group at Melbourne’s Cabrini Hospital
- ‘The crooks are ahead’: Cabrini breach a warning for Australia
- Melbourne heart clinic hit by ransomware attack
CoffeeMeetsBagel – February 2019
- Dating site Coffee MeetsBagel warns Aussie users of data breach on Valentines Day
- ‘Coffee Meets Bagel’ Dating Site Hit by Data Breach
9Honey – February 2019
Toyota Australia – February 2019
- Toyota Australia hit by cyber attack – takes down email and other systems
- Cyber Ransom Attacks On The Rise, Toyota Australia has confirmed it has been subject to an attempted cyber attack
- Millions of customers’ data accessed in second Toyota hack – Tokyo sales subsidiaries raided
- Toyota Australia hit by cyber attack
AMP – February 2019
LandMark White – February 2019
- Australian bank customers caught in valuation firm data breach | Caused by undisclosed ‘security vulnerability’
- Home loan details of 100,000 customers hacked in major data breach
- LandMark White blames exposed API for data breach – ANZ confirms it has suspended use of the property valuer
- Valuation firm hit by data breach LandMark White pleads for long share suspension
- Embattled LandMark White shares drop 10.6 pc after data breach
- NAB pulls plug on LandMark White as home loan breach scandal grows
- LandMark White blames ill-informed public commentary on its dark web data breach for further ASX share suspension
- Centrelink keeps LandmarkWhite, says data breach hit ‘very small’ client group
- LandMark White counts cost of data breach – LandMark White still unsure of financial impact
- LandmarkWhite knew of IT weakness in 2017, a year before data breach
- Landmark White’s stolen data re-appears on dark web
- Landmark White data disaster claims CEO scalp
- LandmarkWhite faces regulator scrutiny over IT response, disclosure
- LandMark White CEO exits after data breach – two directors step down from board
- CBA assures itself of LandMark White’s post-breach infosec
- LandMark White’s data breach just the beginning for cyber criminals
Department of Parliamentary Services – February 2019
- Security breach strikes parliament’s IT network – all passwords reset
- Political party networks caught up in parliament’s IT breach – but no evidence of electoral interference
- The cyber attack on Parliament was done by a ‘state actor’
- Citrix | Australian parliament hackers gain remote access
Bunnings – February 2019
- Bunnings exposed staff performance database – individual staffer did unwanted homework
Facebook – January 2019
- Apple Shuts Down Facebook Data Collecting App – Since 2016, Facebook has been asking users to install a “Facebook Research” VPN that lets the company monitor their phone and online activity, according to Tech Crunch
- Apple punishes Facebook over app that paid users to hand over data
- The Apple-Facebook Feud Hits a Breaking Point
- Facebook stored millions of user passwords in plain text – hundreds of millions of users to be notified
- Facebook says up to 111,813 Aussies in last year’s security breach
- Facebook’s lax security has left millions of users with a lot to worry about
- Facebook staff had access to millions of users’ passwords in plain text, violating security practices
Global Hacking Scare – January 2019
- Global hacking scare nets Queensland MP, Surf Life Saving as millions of passwords breached – websites belonging to Queensland’s Deputy Opposition Leader, a real estate business and Surf Life Saving Australia are among thousands of pages caught up in the latest international data breach
SkoolBag – January 2019
Optus – January 2019
Collection #1 – January 2019
- Breach Exposes a Record 773 Million Email Addresses – The massive trove of leaked data, which was posted to a hacking forum, also includes 21,222,975 unique passwords.
- Experts comment on record 772mil-user data breach – Cybersecurity expert and founder of website Have I Been Pwned Troy Hunt broke the news recently that the largest ever database of breached login details have been leaked on the dark web.
- Data leak – Collection #1 is the just the beginning
- Cyber watchdog warns on dark web PS data – The Australian Cyber Security Centre (ACSC) has urged organisations and individuals across the Australian Public Service to check if their email addresses and/or passwords are included on recently released lists of stolen data.
Fisheries Queensland – January 2019
- Fisheries Qld blames bad update for password ‘fault – allowed fisherman to get into any account.
First National Real Estate – January 2019
- Job applicant data exposed online CVs and cover letters published
- Real estate industry provider exposes data
- Data breach exposes personal info of jobseekers
Department of Planning and Environment, NSW Major Projects – January 2019
Victorian Government – January 2019
Marriott Hotel Group / Starwood – January 2019
- Marriott Unsure How Many Hundreds Of Millions Of Guests Got Screwed By Data Breach
- Starwood hack exposed 5.25m unencrypted passport numbers
- Marriott CEO apologises for data breach, vows improvements
Early Warning Network – January 2019
Big W – January 2019
Hawthorn Football Club – January 2019
Nova Entertainment – January 2019
- Nova notifies listeners of data breach – Nova Entertainment has admitted that listeners’ data from the period of May 2009 to October 2011 has been “publicly disclosed”.
- Nova admits to huge data breach
- Nova Admits Listener Info Has Been Leaked
My Health Records – January 2019
- Critics want My Health Record delayed again after recording 42 data breaches this year.
- My Health Record system data reaches rise
- As My Health Record opt-out ends, security concerns continue
Victorian Public Servants – January 2019
- Victorian Public Servants hit by massive data theft – The work details of 30,000 of Victorian public servants were stolen from a government directory in a data breach just days before Christmas.

Commonwealth Bank – December 2018
- Commonwealth Bank customers’ medical data exposed in potential privacy breach – The Commonwealth Bank is urgently investigating a potential data breach that may have given its staff access to customers’ sensitive medical information.
Humble Bundle – December 2018
News Corp – December 2018
Marriott’s Hotels – December 2018
- Massive data breach at Marriott’s hotels exposes private data of 500,000 guests – A massive data breach has exposed the private data, including passport and credit card numbers, of half a million guests of the international hotel chain.
- Credit card info and passport details of 500 million Marriott guests stolen in mammoth data breach
Dell – November 2018
- Dell resets dell.com passwords after finding likely data breach – Computer manufacturer Dell has reset all passwords for accounts on its dell.com site, after it became aware on 9 November that an attempt to exfiltrate data was taking place.
Victoria’s Emergency Services – November 2018
- ‘Appalling’ emergency services data breach to be investigated – The state government will launch an immediate investigation into an “appalling” data breach that saw personal details of emergency services staff posted to the web.
Amazon – November 2018
- Amazon suffers data breach, but says little about it –Amazon delivered a nasty surprise on one of its busiest days of the year today after discovering it had “inadvertently” leaked customers’ personal information.
- Amazon suffers customer data breach hours before Black Friday
- Amazon is getting slammed for a confusing email telling some customers they don’t need to change their password after a data leak
- Amazon Is Offering Gift Cards To Customers Who Complain About Its Data Breach
PageUp People – November 2018 Update
Federal Group Hotel – November 2018
- Contact databases hit by ‘low risk’ data breach – A Tasmanian luxury hotel and casino group has told some guests their personal information may have been accessed by a third party after a “low risk” data breach saw contact databases affected.
- Data breach hits luxury hotels in Tasmania, with guest details at risk of theft by ‘third party’.
Under Armour’s MyFitnessPal App – November 2018
Austal – October 2018
- Extortionists target Aussie defence shipbuilder after cyber security breach
Australia’s biggest defence exporter has been targeted by extortionists who launched a successful cyber attack to breach the company’s data management systems. - Shipbuilder’s information accessed and offered for sale.
Facebook – September 2018
- Security breach affects 50 million users – company logs off 90 million accounts as a precaution.
- Everything we know about Facebook’s data breach
- Forbes coverage of Facebooks massive data breach
- Facebook trims data breach to 29m users
- Facebook says it will message users affected following the theft of data from 29 million accounts to tell them what type of information has been accessed.
Perth Mint – September 2018
- Perth Mint revises data breach impact – thousands of customers now affected.
RCR Tomlinson Engineering – August 2018
Strathmore Secondary College – August 2018
- Probe into Melb high school privacy breach – The education department is investigating a privacy breach resulting in the accidental publication of Melbourne high school students’ personal records.
Airport Security Identity Cards (ASICs) – July 2018
MY Health Record – July 2018
- Could be our worst government data breach yet.
- My Health record data breach.
- Privacy Commissioner poised to release delayed data breach report but My Health Record adopts a different definition
Townsville City Council [Typeform] – July 2018
- Online system used by Townsville City Council hacked exposing public’s personal details. HACKERS may have obtained the personal details who entered an art competition run by Townsville City Council. The council confirmed it had been notified about a security breach on Typeform, a company it uses.
Timehop App – July 2018
- Social media memories app Timehop got hit by a data breach affecting 21 million users.
- Security Brief’s article on the Timehop hack
- PC Authority’s coverage on the Timehop data breach
Cairns council hit by data breach [Typeform] | July 2018
- Cairns Regional Council has confirmed two of its online surveys were impacted by data security breaches
- Cairns Council Apologies After Hackers Breach Forms
PEXA – National e-conveyancing platform – July 2018
- PEXA account compromise sees family lose home sale funds – Security team scanning logs for same pattern.
Australian National University – July 2018
- ANU network ‘significantly compromised’ by hackers – University has spent ‘months’ containing threat
- Chinese Hackers Breach ANU
Airtasker – July 2018
- Airtasker caught up in Typeform data breach – Jobs marketplace Airtasker has revealed a “small amount” of data it collected through web forms may have been compromised in the Typeform breach
Bakers Delight – July 2018
- Bakers Delight warns comp entrants after Typeform breach – latest Australian company to notify customers of potential exposure to the Typeform data breach.
Tasmanian Electoral Commission – July 2018
Ticketmaster – June 2018
- Ticketmaster Australia admits customer details may have been stolen in hack.
- Musicfeeds Article
- Sydney Morning Herald Article
HealthEngine – June 2018
Flightradar24 – June 2018
- Flightradar24 suffers security breach – Attackers hit single server – Popular flight tracking site Flightradar24 has suffered a security breach that “may” have compromised the email addresses and hashed passwords
PageUp People – June 2018
- PageUp People all but confirms personal data ‘accessed’ – Widely-used Australian cloud HR vendor
MyHeritage – June 2018
- MyHeritage breach leaks 92 million users’ details – A security breach at family networking and genealogy website leaked email addresses and hashed passwords of users
Family Planning NSW – May 2018
- Family Planning NSW hit by ransomware attack – may have compromised online databases.
Svitzer Australia – March 2018
- First data breach publicised under Australian notice scheme – Svizter reveals email leak
GoGet – January 2018
- GoGet reveals data breach as police arrest alleged hacker – Car Sharing Service – Customer data accessed
Signup to our mailing list and get the latest data breach notices delivered to your inbox
Worldwide Major Data Breaches
2019
Data Breach Notice: Xiaomi (unverified) – 7,088,010 breached accounts
In August 2012, the Xiaomi user forum website suffered a data breach. In all, 7 million email addresses appeared in the breach although a significant portion of them were numeric aliases on the bbs_ml_as_uid.xiaomi.com domain. Usernames, IP addresses and passwords stored as salted MD5 hashes were also exposed. The data was provided with support from dehashed.com.
Data Breach Notice: Flash Flash Revolution (2019 breach) – 1,858,124 breached accounts
In July 2019, the music-based rhythm game Flash Flash Revolution suffered a data breach. The 2019 breach imapcted almost 1.9 million members and is in addition to the 2016 data breach of the same service. Email and IP addesses, usernames, dates of birth and salted MD5 hashes were all exposed in the breach. The data was provided with support from dehashed.com.
Data Breach Notice: Stronghold Kingdoms – 5,187,305 breached accounts
In July 2018, the massive multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident which exposed emails addresses, usernames and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: GameSalad – 1,506,242 breached accounts
In February 2019, the education and game creation website Game Salad suffered a data breach. The incident impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored as SHA-256 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Armor Games – 10,604,307 breached accounts
In January 2019, the game portal website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Roll20 – 3,994,436 breached accounts
In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: EatStreet – 6,353,564 breached accounts
In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Bulgarian National Revenue Agency – 471,167 breached accounts
In July 2019, a massive data breach of the Bulgarian National Revenue Agency began circulating with data on 5 million people. Allegedly obtained in June, the data was broadly shared online and included taxation information alongside names, phone numbers, physical addresses and 471 thousand unique email addresses. The breach is said to have affected "nearly all adults in Bulgaria".
Data Breach Notice: YouNow – 18,241,518 breached accounts
In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles. As authentication is performed via social providers, no passwords were exposed in the breach. Many records didn't have associated email addresses thus the unique number is lower than the reported total number...
Data Breach Notice: Animoto – 22,437,749 breached accounts
In July 2018, the cloud-based video making service Animoto suffered a data breach. The breach exposed 22 million unique email addresses alongside names, dates of birth, country of origin and salted password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Animoto – 22,437,749 breached accounts
In July 2018, the cloud-based video making service Animoto suffered a data breach. The breach exposed 22 million unique email addresses alongside names, dates of birth, country of origin and salted password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: BlackSpigotMC – 140,029 breached accounts
In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself. The exposed data included 140k unique email addresses, usernames, IP addresses, genders, geographic locations and passwords stored as bcrypt hashes.
Data Breach Notice: SHEIN – 39,086,762 breached accounts
In June 2018, online fashion retailer SHEIN suffered a data breach. The company discovered the breach 2 months later in August then disclosed the incident another month after that. A total of 39 million unique email addresses were found in the breach alongside MD5 password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: piZap – 41,817,893 breached accounts
In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019. A total of 42 million unique email addresses were included in the breach alongside names, genders and links to Facebook profiles when the social media platform was used to authenticate to piZap. When accounts were created directly on piZap without using...
Data Breach Notice: Netlog – 49,038,354 breached accounts
In July 2018, the Belgian social networking site Netlog identified a data breach of their systems dating back to November 2012 (PDF). Although the service was discontinued in 2015, the data breach still impacted 49 million subscribers for whom email addresses and plain text passwords were exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Evite – 100,985,047 breached accounts
In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP...
Data Breach Notice: MindJolt – 28,364,826 breached accounts
In March 2019, the online gaming website MindJolt suffered a data breach that exposed 28M unique email addresses. Also impacted were names and dates of birth, but no passwords. The data was provided to HIBP by a source who requested it be attributed to "[email protected]". Stay safe out there!
Data Breach Notice: Wiener Büchereien – 224,119 breached accounts
In June 2019, the library of Vienna (Wiener Büchereien) suffered a data breach. The compromised data included 224k unique email addresses, names, physical addresses, phone numbers and dates of birth. The breached data was subsequently posted to Twitter by the alleged perpetrator of the breach.
Data Breach Notice: Social Engineered – 89,392 breached accounts
In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the XenForo forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes. Stay safe out there!
Data Breach Notice: OGUsers – 161,143 breached accounts
In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes. Stay safe out there!
Data Breach Notice: Emuparadise – 1,131,229 breached accounts
In April 2018, the self-proclaimed "biggest retro gaming website on earth", Emupardise suffered a date breach. The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com. Stay safe out there!
Data Breach Notice: Illawarra drivers licenses details
Illawarra drivers may have had their private details leaked to the media as part of a "political smear campaign", according to Wollongong MP Paul Scully. At the last election, a file containing names, addresses, ages and driving history - including those of then Labor leader Michael Daley - was leaked to the media by the office of Customer Service Minister Victor Dominello. The leak occurred after Revenue NSW advised Mr Dominello's office the file was a privacy breach and it must...
Data Breach Notice: Ordine Avvocati di Roma – 41,960 breached accounts
In May 2019, the Lawyers Order of Rome suffered a data breach by a group claiming to be Anonymous Italy. Data on tens of thousands of Roman lawyers was taken from the breached system and redistributed online. The data included contact information, email addresses and email messages themselves encompassing tens of thousands of unique email addresses. A total of 42k unique addresses appeared in the breach. Stay safe out there!
Data Breach Notice: Appartoo – 49,681 breached accounts
In March 2017, the French Flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256 hashes. Appartoo advised that all subscribers were notified of the incident in early 2017. Stay safe out there!
Data Breach Notice: Club Penguin Rewritten – 1,688,176 breached accounts
In January 2018, the children's gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach (note: CPRewritten is an independent recreation of Disney's Club Penguin game). The incident exposed almost 1.7 million unique email addresses alongside IP addresses, usernames and passwords stored as bcrypt hashes. When contacted, CPRewritten advised they were aware of the breach and had "contacted affected users". Stay safe out there!
Data Breach Notice: Morele.net – 2,467,304 breached accounts
In October 2018, the Polish e-commerce website Morele.net suffered a data breach. The incident exposed almost 2.5 million unique email addresses alongside phone numbers, names and passwords stored as md5crypt hashes. Prefer to get this by email? Sign-up to Data Breach mailing list Stay safe out there!
Data Breach Notice: Bukalapak – 13,369,666 breached accounts
In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes. Prefer to get this by email? Sign-up to Data Breach mailing list Stay safe out there!
Data Breach Notice: DataCamp – 760,561 breached accounts
In January 2017, the data science website DataCamp suffered a data breach. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]". Prefer to get this by email? Sign-up to...
Data Breach Notice: Knuddels – 808,330 breached accounts
In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined €20k for the breach. Prefer to get this by email? Sign-up to Data Breach mailing list Stay safe out there!
Data Breach Notice: Verifications.io – 763,117,241 breached accounts
In February 2019, the email address validation service verifications.io suffered a data breach. The breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure...
Data Breach Notice: ShareThis.com – 40,960,499 breached accounts
In July 2018, the social bookmarking and sharing service ShareThis suffered a data breach. The incident exposed 41 million unique email addresses alongside names and in some cases, dates of birth and password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.
Data Breach Notice: MyFitnessPal – 143,606,147 breached accounts
In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested...
Data Breach Notice: MyHeritage – 91,991,358 breached accounts
In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a...
Data Breach Notice: Dubsmash – 161,749,950 breached accounts
In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Data Breach Notice: Symantec breach revealed client list, passwords
A February data breach at Symantec gave hackers access to account numbers, passwords, and a purported list of prominent Australian clients, according to a Guardian Australia report. The platform security vendor characterised the breach as a "minor incident" since it involved a self-enclosed demo lab in Australia that wasn't connected to Symantec's corporate network. Symantec told Guardian Australia it didn't report the breach since the demo lab didn't host or have any sensitive personal data extracted from it. The Australian Privacy Act requires...