| Risiko / Label | Veröffentlichung | |
|---|---|---|
| Risiko ? / 10 CVE-2024-2258 | vor 7 Stunde(n) | |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2838 | vor 7 Stunde(n) | |
| The WPC Composite Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooco_components[0][name]' parameter in all versions up to, and including, 7.2.7 due to insufficient input sanitization and output escaping and missing authorization on the ajax_save_components function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-1394 | vor 10 Stunde(n) | |
| A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs?. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey? and ctx?. That function uses named return parameters to free pkey? and ctx? if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey? and ctx? will be nil inside the deferred function that should free them. | ||
| Risiko ? / 10 CVE-2024-2859 | vor 11 Stunde(n) | |
| By default, SANnav OVA is shipped with root user login enabled. While protected by a password, access to root could expose SANnav to a remote attacker should they gain access to the root account. | ||
| Risiko ? / 10 CVE-2024-29963 | vor 12 Stunde(n) | |
| Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries. | ||
| Risiko ? / 10 CVE-2024-28322 | vor 13 Stunde(n) | |
| SQL Injection vulnerability in /event-management-master/backend/register.php in PuneethReddyHC Event Management 1.0 allows attackers to run arbitrary SQL commands via the event_id parameter in a crafted POST request. | ||
| Risiko ? / 10 CVE-2024-30804 | vor 13 Stunde(n) | |
| An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests. | ||
| Risiko ? / 10 CVE-2024-31551 | vor 13 Stunde(n) | |
| Directory Traversal vulnerability in lib/admin/image.admin.php in cmseasy v7.7.7.9 20240105 allows attackers to delete arbitrary files via crafted GET request. | ||
| Risiko ? / 10 CVE-2024-31741 | vor 13 Stunde(n) | |
| Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login. | ||
| Risiko ? / 10 CVE-2024-31828 | vor 13 Stunde(n) | |
| Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | ||
| Risiko ? / 10 CVE-2024-3051 | vor 13 Stunde(n) | |
| Malformed Device Reset Locally command classes can be sent to temporarily deny service to an end device. Any frames sent by the end device will not be acknowledged by the gateway during this time. | ||
| Risiko ? / 10 CVE-2024-3052 | vor 13 Stunde(n) | |
| Malformed S2 Nonce Get command classes can be sent to crash the gateway. A hard reset is required to recover the gateway. | ||
| Risiko ? / 10 CVE-2024-4243 | vor 13 Stunde(n) | |
| A vulnerability classified as critical has been found in Tenda W9 1.0.0.7(4456). Affected is the function formwrlSSIDset of the file /goform/wifiSSIDset. The manipulation of the argument ssidIndex leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-262134 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| Risiko ? / 10 CVE-2024-4244 | vor 13 Stunde(n) | |
| A vulnerability classified as critical was found in Tenda W9 1.0.0.7(4456). Affected by this vulnerability is the function fromDhcpSetSer of the file /goform/DhcpSetSer. The manipulation of the argument dhcpStartIp/dhcpEndIp/dhcpGw/dhcpMask/dhcpLeaseTime/dhcpDns1/dhcpDns2 leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-262135. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| Risiko ? / 10 CVE-2024-29960 | vor 13 Stunde(n) | |
| In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SAnnav VM based on the official OVA images is vulnerable to MITM over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav. | ||
| Risiko 7.5 / 10 CVE-2022-29622 | vor 13 Stunde(n) | |
| An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability. | ||
| Risiko ? / 10 CVE-2024-31502 | vor 14 Stunde(n) | |
| An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff. | ||
| Risiko ? / 10 CVE-2024-31601 | vor 14 Stunde(n) | |
| An issue in Beijing Panabit Network Software Co., Ltd Panalog big data analysis platform v. 20240323 and before allows attackers to execute arbitrary code via the exportpdf.php component. | ||
| Risiko ? / 10 CVE-2024-32878 | vor 14 Stunde(n) | |
| Llama.cpp is LLM inference in C/C++. There is a use of uninitialized heap variable vulnerability in gguf_init_from_file, the code will free this uninitialized variable later. In a simple POC, it will directly cause a crash. If the file is carefully constructed, it may be possible to control this uninitialized value and cause arbitrary address free problems. This may further lead to be exploited. Causes llama.cpp to crash (DoS) and may even lead to arbitrary code execution (RCE). This vulnerability has been patched in commit b2740. | ||
| Risiko ? / 10 CVE-2024-32881 | vor 14 Stunde(n) | |
| Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal Slack access. This issue was patched in version 3.63. | ||
| Risiko ? / 10 CVE-2024-32883 | vor 14 Stunde(n) | |
| MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image. The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. | ||
| Risiko ? / 10 CVE-2024-32887 | vor 14 Stunde(n) | |
| Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4. | ||
| Risiko ? / 10 CVE-2024-4239 | vor 14 Stunde(n) | |
| A vulnerability was found in Tenda AX1806 1.0.0.1 and classified as critical. Affected by this issue is the function formSetRebootTimer of the file /goform/SetRebootTimer. The manipulation of the argument rebootTime leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-262130 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| Risiko ? / 10 CVE-2024-4240 | vor 14 Stunde(n) | |
| A vulnerability was found in Tenda W9 1.0.0.7(4456). It has been classified as critical. This affects the function formQosManageDouble_user. The manipulation of the argument ssidIndex leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-262131. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| Risiko ? / 10 CVE-2024-4241 | vor 14 Stunde(n) | |
| A vulnerability was found in Tenda W9 1.0.0.7(4456). It has been declared as critical. This vulnerability affects the function formQosManageDouble_auto. The manipulation of the argument ssidIndex leads to stack-based buffer overflow. The attack can be initiated remotely. The identifier of this vulnerability is VDB-262132. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| Risiko ? / 10 CVE-2024-4242 | vor 14 Stunde(n) | |
| A vulnerability was found in Tenda W9 1.0.0.7(4456). It has been rated as critical. This issue affects the function formwrlSSIDget of the file /goform/wifiSSIDget. The manipulation of the argument ssidIndex leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262133 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||
| Risiko ? / 10 CVE-2022-48611 | vor 15 Stunde(n) | |
| A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.4 for Windows. A local attacker may be able to elevate their privileges. | ||
| Risiko ? / 10 CVE-2023-26603 | vor 15 Stunde(n) | |
| JumpCloud Agent before 1.178.0 Creates a Temporary File in a Directory with Insecure Permissions. This allows privilege escalation to SYSTEM via a repair action in the installer. | ||
| Risiko ? / 10 CVE-2024-25343 | vor 15 Stunde(n) | |
| Tenda N300 F3 router vulnerability allows users to bypass intended security policy and create weak passwords. | ||
| Risiko ? / 10 CVE-2024-28326 | vor 15 Stunde(n) | |
| Incorrect Access Control in Asus RT-N12+ B1 routers allows local attackers to obtain root terminal access via the the UART interface. | ||
| 24.04.2024 - Piping Rock | 2.103.100 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In April 2024, 2.1M email addresses from the online health products store Piping Rock were publicly posted to a popular hacking forum. The data also included names, phone numbers and physical addresses. The account posting the data had previously posted multiple other data breaches which all appear to have been obtained from the Shopify service used by the respective websites. |
||
| 17.04.2024 - T2 | 94.584 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, Salutations In April 2024, 95k records from the T2 tea store were posted to a popular hacking forum. Data included email and physical addresses, names, phone numbers, dates of birth, purchases and passwords stored as scrypt hashes. |
||
| 13.04.2024 - Le Slip Français | 1.495.127 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In April 2024, the French underwear maker Le Slip Français suffered a data breach. The breach included 1.5M email addresses, physical addresses, names and phone numbers. |
||
| 02.04.2024 - Salvadoran Citizens | 946.989 Datensätze geleaked | |
| Dates of birth, Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses, Profile photos In April 2024, nearly 6 million records of Salvadoran citizens were published to a popular hacking forum. The data included names, dates of birth, phone numbers, physical addresses and nearly 1M unique email addresses. Further, over 5M corresponding profile photos were also included in the breach. |
||
| 31.03.2024 - Pandabuy | 1.348.407 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Phone numbers, Physical addresses In March 2024, 1.3M unique email addresses from the online store for purchasing goods from China, Pandabuy, were posted to a popular hacking forum. The data also included IP and physical addresses, names, phone numbers and order enquiries. The breach was alleged to be attributed to "Sanggiero" and "IntelBroker". |
||
| 25.03.2024 - boAt | 7.528.985 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In March 2024, the Indian audio and wearables brand boAt suffered a data breach that exposed 7.5M customer records. The data included physical and email address, names and phone numbers, all of which were subsequently published to a popular clear web hacking forum. |
||
| 24.03.2024 - Kaspersky Club | 55.971 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In March 2024, the independent fan forum Kaspersky Club suffered a data breach. The incident exposed 56k unique email addresses alongside usernames, IP addresses and passwords stored as either MD5 or bcrypt hashes. |
||
| 23.03.2024 - England Cricket | 43.299 Datensätze geleaked | |
| Email addresses, Passwords In March 2024, English Cricket's icoachcricket website suffered a data breach that exposed over 40k records. The data included email addresses and passwords stored as either bcrypt hashes, salted MD5 hashes or both. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker". |
||
| 04.03.2024 - Giant Tiger | 2.842.669 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In March 2024, Canadian discount store Giant Tiger suffered a data breach that exposed 2.8M customer records. Attributed to a vendor of the retailer, the breach included physical and email addresses, names and phone numbers. |
||
| 03.03.2024 - WoTLabs | 21.994 Datensätze geleaked | |
| Dates of birth, Email addresses, IP addresses, Time zones, Usernames In March 2024, WoTLabs (World of Tanks Statistics and Resources) suffered a data breach and website defacement attributed to "chromebook breachers". The breach exposed 22k forum members' personal data including email and IP addresses, usernames, dates of birth and time zones. |
||
| 01.03.2024 - Mr. Green Gaming | 27.123 Datensätze geleaked | |
| Dates of birth, Email addresses, Geographic locations, IP addresses, Usernames In March 2024, the online games community Mr. Green Gaming suffered a data breach that exposed 27k user records. Acknowledged on their Discord server, the incident exposed email and IP addresses, usernames, geographic locations and dates of birth. |
||
| 26.02.2024 - Cutout.Pro | 19.972.829 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Passwords In February 2024, the AI-powered visual design platform Cutout.Pro suffered a data breach that exposed 20M records. The data included email and IP addresses, names and salted MD5 password hashes which were subsequently broadly distributed on a popular hacking forum and Telegram channels. |
||
| 18.02.2024 - Tangerine | 243.462 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations In February 2024, the Australian Telco Tangerine suffered a data breach that exposed over 200k customer records. Attributed to a legacy customer database, the data included physical and email addresses, names, phone numbers and dates of birth. Whilst the Tangerine login process involves sending a one-time password after entering an email address and phone number, it previously used a traditional password which was also exposed as a bcrypt hash. |
||
| 01.02.2024 - SurveyLama | 4.426.879 Datensätze geleaked | |
| Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses In February 2024, the paid survey website SurveyLama suffered a data breach that exposed 4.4M customer email addresses. The incident also exposed names, physical and IP addresses, phone numbers, dates of birth and passwords stored as either salted SHA-1, bcrypt or argon2 hashes. When contacted about the incident, SurveyLama advised that they had already "notified the users by email". |
||
| 31.01.2024 - Spoutible | 207.114 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Usernames In January 2024, Spoutible had 207k records scraped from a misconfigured API that inadvertently returned excessive personal information. The data included names, usernames, email and IP addresses, phone numbers (where provided to the platform), genders and bcrypt password hashes. The incident also exposed 2FA secrets and backup codes along with password reset tokens. |
||
| 16.01.2024 - Trello | 15.111.945 Datensätze geleaked | |
| Email addresses, Names, Usernames In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred. |
||
| 17.12.2023 - Hathway | 4.670.080 Datensätze geleaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations, Support tickets In December 2023, hundreds of gigabytes of data allegedly taken from Indian ISP and digital TV provider Hathway appeared on a popular hacking website. The incident exposed extensive personal information including 4.7M unique email addresses along with names, physical and IP addresses, phone numbers, password hashes and support ticket logs. |
||
| 12.12.2023 - InflateVids | 13.405 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Passwords, Usernames In December 2023, the inflatable and balloon fetish videos website InflateVids suffered a data breach. The incident exposed over 13k unique email addresses alongside usernames, IP addresses, genders and SHA-1 password hashes. |
||
| 14.11.2023 - KitchenPal | 98.726 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Physical attributes, Social media profiles In November 2023, the kitchen management application KitchenPal suffered a data breach that exposed 146k lines of data. When contacted about the incident, KitchenPal advised the corpus of data came from a staging environment, although acknowledged it contained a small number of users for debugging purposes and included passwords that could not be used. Impacted data included almost 100k email addresses, names, geolocations and incomplete data on dates of birth, genders, height and weight, social media profile identifiers and bcrypt password hashes. |
||
| 08.11.2023 - Chess | 827.620 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Usernames In November 2023, over 800k user records were scraped from the Chess website and posted to a popular hacking forum. The data included email address, name, username and the geographic location of the user. |
||
| 04.11.2023 - LinkedIn Scraped and Faked Data (2023) | 19.788.753 Datensätze geleaked | |
| Email addresses, Genders, Geographic locations, Job titles, Names, Professional skills, Social media profiles In November 2023, a post to a popular hacking forum alleged that millions of LinkedIn records had been scraped and leaked. On investigation, the data turned out to be a combination of legitimate data scraped from LinkedIn and email addresses constructed from impacted individuals' names. |
||
| 18.10.2023 - Toumei | 76.682 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In October 2023, the Japanese consultancy firm Toumei suffered a data breach. The breach exposed over 100M lines and 10GB of data including 77k unique email addresses along with names, phone numbers and physical addresses. |
||
| 01.10.2023 - Facebook Marketplace | 77.267 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Passwords, Phone numbers, Social media profiles In February 2024, 200k Facebook Marketplace records allegedly obtained from a Meta contractor in October 2023 were posted to a popular hacking forum. The data contained 77k unique email addresses alongside names, phone numbers, Facebook profile IDs and geographic locations. The data also contained bcrypt password hashes, although there is no indication these belong to the corresponding Facebook accounts. |
||
| 20.09.2023 - Naz.API | 70.840.771 Datensätze geleaked | |
| Email addresses, Passwords In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" was posted to a popular hacking forum. The incident contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs obtained from unnamed sources. In total, the corpus of data included 71M unique email addresses and 100M unique passwords. |
||
| 09.09.2023 - Sphero | 832.255 Datensätze geleaked | |
| Dates of birth, Email addresses, Geographic locations, Names, Usernames In September 2023, over 1M rows of data from the educational robots company Sphero was posted to a popular hacking forum. The data contained 832k unique email addresses alongside names, usernames, dates of birth and geographic locations. |
||
| 29.08.2023 - Qakbot | 6.431.319 Datensätze geleaked | |
| Email addresses, Passwords In August 2023, the US Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, and the United Kingdom to disrupt the botnet and malware known as Qakbot and take down its infrastructure. After the takedown, 6.43M email addresses were provided to HIBP to help notify victims of the malware. |
||
| 09.08.2023 - PlayCyberGames | 3.681.753 Datensätze geleaked | |
| Email addresses, Passwords, Usernames In August 2023, PlayCyberGames which "allows users to play any games with LAN function or games using IP address" suffered a data breach which exposed 3.7M customer records. The data included email addresses, usernames and MD5 password hashes with a constant value in the "salt" field. PlayCyberGames did not respond to multiple attempts to disclose the breach. |
||
| 02.08.2023 - MagicDuel | 138.443 Datensätze geleaked | |
| Email addresses, IP addresses, Nicknames, Passwords In August 2023, the MagicDuel Adventure website suffered a data breach that exposed 138k user records. The data included player names, email and IP addresses and bcrypt password hashes. |
||
| 16.07.2023 - Manipulated Caiman | 39.901.389 Datensätze geleaked | |
| Email addresses In July 2023, Perception Point reported on a phishing operation dubbed "Manipulated Caiman". Targeting primarily the citizens of Mexico, the campaign attempted to gain access to victims' bank accounts via spear phishing attacks using malicious attachments. Researchers obtained almost 40M email addresses targeted in the campaign and provided the data to HIBP to alert potential victims. |
||
| 09.07.2023 - Rightbiz | 65.376 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In June 2023, data belonging to the "UK's No.1 Business Marketplace" Rightbiz appeared on a popular hacking forum. Comprising of more than 18M rows of data, the breach included 65k unique email addresses along with names, phone numbers and physical address. Rightbiz didn't respond to mulitple attempts to disclose the incident. The data was provided to HIBP by a source who requested it be attributed to "https://discord.gg/gN9C9em". |
||
| 20.06.2023 - Dymocks | 836.120 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses In September 2023, the Australian book retailer Dymocks announced a data breach. The data dated back to June 2023 and contained 1.2M records with 836k unique email addresses. The breach also exposed names, dates of birth, genders, phone numbers and physical addresses. |
||
| 17.06.2023 - BreachForums Clone | 4.204 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In June 2023, a clone of the previously shuttered popular hacking forum "BreachForums" suffered a data breach that exposed over 4k records. The breach was due to an exposed backup of the MyBB database which included email and IP addresses, usernames and Argon2 password hashes. |
||
| 31.05.2023 - JD Group | 521.878 Datensätze geleaked | |
| Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses In May 2023, the South African retailer JD Group announced a data breach affecting a number of their online assets including Bradlows, Everyshop, HiFi Corp, Incredible (Connection), Rochester, Russells, and Sleepmasters. The breach exposed over 520k unique customer records including names, email and physical addresses, phone numbers and South African ID numbers. |
||
| 29.05.2023 - Polish Credentials | 1.204.870 Datensätze geleaked | |
| Email addresses, Passwords In May 2023, a credential stuffing list of 6.3M Polish email address and password pairs appeared on a local forum. Likely obtained by malware running on victims' machines, each record included an email address and plain text password alongside the website the credentials were used on. The data included 1.2M unique email addresses. |
||
| 15.04.2023 - Jobzone | 29.708 Datensätze geleaked | |
| Dates of birth, Email addresses, Family members' names, Genders, Government issued IDs, Names, Phone numbers, Physical addresses In April 2023, data from the Israeli jobs website Jobzone was posted online. The data included 30k records of email addresses, names, social security numbers, genders, dates of birth, fathers' names and physical addresses. |
||
| 15.04.2023 - RentoMojo | 2.185.697 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Passwords, Phone numbers, Purchases, Social media profiles In April 2023, the Indian rental service RentoMojo suffered a data breach. The breach exposed over 2M unique email addresses along with names, phone, passport and Aadhaar numbers, genders, dates of birth, purchases and bcrypt password hashes. |
||
| 05.04.2023 - Genesis Market | 8.000.000 Datensätze geleaked | |
| Browser user agent details, Credit card CVV, Credit cards, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames In April 2023, the stolen identity marketplace Genesis Market was shut down by the FBI and a coalition of law enforcement agencies across the globe in "Operation Cookie Monster". The service traded in "browser fingerprints" which enabled criminals to impersonate victims and access their online services. As many of the impacted accounts did not include email addresses, "8M" is merely an approximation intended to indicate scale. Other personal data compromised by the service included names, addresses and credit card information, although not all individuals had each of these fields exposed. |
||
| 31.03.2023 - Tigo | 700.394 Datensätze geleaked | |
| Device information, Email addresses, Genders, Geographic locations, IP addresses, Names, Private messages, Profile photos, Usernames In Mid-2023, 300GB of data containing over 100M records from the Chinese video chat platform "Tigo" dating back to March that year was discovered. The data contained over 700k unique names, usernames, email and IP addresses, genders, profile photos and private messages. Tigo did not respond to multiple attempts to disclose the incident. |
||
| 15.03.2023 - MediaWorks | 162.710 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Phone numbers, Physical addresses In March 2024, millions of rows of data from the New Zealand media company MediaWorks was publicly posted to a popular hacking forum. The incident exposed 163k unique email addresses provided by visitors who filled out online competitions and included names, physical addresses, phone numbers, dates of birth, genders and the responses to questions in the competition. Some victims of the breach subsequently received ransom demands requesting payment to have their data deleted. |
||
| 06.03.2023 - DC Health Link | 48.145 Datensätze geleaked | |
| Citizenship statuses, Dates of birth, Email addresses, Employers, Ethnicities, Genders, Names, Phone numbers, Physical addresses, Purchases, Social security numbers In March 2023, DC Health Link discovered a data breach that was later publicly posted to a popular data breach forum. The impacted data included 48k unique email addresses alongside names, genders, dates of birth, home addresses, phone numbers and social security numbers. The data was provided to HIBP by a source who requested it be attributed to "Aegis" and "IntelBroker". |
||