In July 2016, a hacker known as Phineas Fisher hacked Turkey's ruling party (Justice and Development Party or \"AKP\") and gained access to 300k emails. The full contents of the emails were subsequently published by WikiLeaks and made searchable. HIBP identified over 917k unique email address patterns in the data set, including message IDs and a number of other non-user addresses.
In December 2016, a huge list of email address and password pairs appeared in a \"combo list\" referred to as \"Anti Public\". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for \"credential stuffing\", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.
In November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day were made available for download on several hacking forums. The data consisted of 226M unique email address alongside password pairs, often represented as both password hashes and the cracked, plain text versions. Independent verification of the data established it contains many legitimate, previously undisclosed breaches. The data was provided to HIBP by dehashed.com.
In January, the maker of teddy bears that record children's voices and sends them to family and friends via the internet CloudPets left their database publicly exposed and it was subsequently downloaded by external parties (the data was also subject to 3 different ransom demands). 583k records were provided to HIBP via a data trader and included email addresses and bcrypt hashes, but the full extent of user data exposed by the system was over 821k records and also included children's names and references to portrait photos and voice recordings.
In June 2020, the digital banking app Dave suffered a data breach which exposed 7.5 million rows of data and subsequently appeared for public download on a hacking forum. The breach exposed extensive personal information including almost 3 million unique email addresses alongside names, dates of birth, encrypted social security numbers and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
In December 2020, the car dealership service provider DriveSure suffered a data breach. The incident resulted in 26GB of data being downloaded and later shared on a hacking forum. Impacted personal information included 3.6 million unique email addresses, names, phone numbers and physical addresses. Vehicle data was also exposed and included makes, models, VIN numbers and odometer readings. A small number of passwords stored as bcrypt hashes were also included in the data set.
In June 2018, the Cybercrime Bureau of the Estonian Central Criminal Police contacted HIBP and asked for assistance in making a data set of 655k email addresses searchable. The Estonian police suspected the email addresses and passwords they obtained were being used to access mailboxes, cryptocurrency exchanges, cloud service accounts and other similar online assets. They've requested that individuals who find themselves in the data set and also identify that cryptocurrency has been stolen contact them at email@example.com.
In September 2016, the new eThekwini eServices website in South Africa was launched with a number of security holes that lead to the leak of over 98k residents' personal information and utility bills across 82k unique email addresses. Emails were sent prior to launch containing passwords in plain text and the site allowed anyone to download utility bills without sufficient authentication. Various methods of customer data enumeration was possible and phishing attacks began appearing the day after launch.
In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP by a source who requested it be attributed to \"JimScott.Sec@protonmail.com\".
In late 2016, a huge list of email address and password pairs appeared in a \"combo list\" referred to as \"Exploit.In\". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for \"credential stuffing\", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.
In April 2021, a large data set of over 500 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address. Most records contained names and genders with many also including dates of birth, location, relationship status and employer.
In October 2019, the Dutch prostitution forum Hookers.nl suffered a data breach which exposed the personal information of sex workers and their customers. The IP and email addresses, usernames and either bcrypt or salted MD5 password hashes of 291k members were accessed via an unpatched vulnerability in the vBulletin forum software.
In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes. The data was provided to HIBP by dehashed.com.
In March 2019, a spam operation known as \"Intelimost\" sent millions of emails appearing to come from people the recipients knew. Security researcher Bob Diachenko found over 3 million unique email addresses in an exposed Elasticsearch database, alongside plain text passwords used to access the victim's mailbox and customise the spam.
In October 2017, the Malaysian website lowyat.net ran a story on a massive set of breached data affecting millions of Malaysians after someone posted it for sale on their forums. The data spanned multiple separate breaches including the JobStreet jobs website which contained almost 4 million unique email addresses. The dates in the breach indicate the incident occurred in March 2012. The data later appeared freely downloadable on a Tor hidden service and contained extensive information on job seekers including names, genders, birth dates, phone numbers, physical addresses and passwords.
During the first half of 2021, LinkedIn was targeted by attackers who scraped data from hundreds of millions of public profiles and later sold them online. Whilst the scraping did not constitute a data breach nor did it access any personal data not intended to be publicly accessible, the data was still monetised and later broadly circulated in hacking circles. The scraped data contains approximately 400M records with 125M unique email addresses, as well as names, geographic locations, genders and job titles. LinkedIn specifically addresses the incident in their post on An update on report of scraped data.
In April 2019, the PDF management service Lumin PDF suffered a data breach. The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance after which Lumin PDF was allegedly been \"contacted multiple times, but ignored all the queries\". The exposed data included names, email addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to \"JimScott.Sec@protonmail.com\".
In March 2017, a 27GB database backup file named \"Master Deeds\" was sent to HIBP by a supporter of the project. Upon detailed analysis later that year, the file was found to contain the personal data of tens of millions of living and deceased South African residents. The data included extensive personal attributes such as names, addresses, ethnicities, genders, birth dates, government issued personal identification numbers and 2.2 million email addresses. At the time of publishing, it's alleged the data was sourced from Dracore Data Sciences (Dracore is yet to publicly confirm or deny the data was sourced from their systems). On 18 October 2017, the file was found to have been published to a publicly accessible web server where it was located at the root of an IP address with directory listing enabled. The file was dated 8 April 2015.
In August 2016, the Swiss scholarly open access publisher known as MDPI had 17.5GB of data obtained from an unprotected Mongo DB instance. The data contained email exchanges between MDPI and their authors and reviewers which included 845k unique email addresses. MDPI have confirmed that the system has since been protected and that no data of a sensitive nature was impacted. As such, they concluded that notification to their subscribers was not necessary due to the fact that all their authors and reviewers are available online on their website.
In October 2013, the (now defunct) downloads website \"Mecho Download\" suffered a data breach that exposed 438k records. Data from the vBulletin based website included email and IP addresses, usernames and passwords stored as salted MD5 hashes. 59ce067264