| Risiko / Label | Veröffentlichung | |
|---|---|---|
| Risiko ? / 10 CVE-2024-3085 | vor 419 Stunde(n) | |
| A vulnerability classified as critical has been found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login Page. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-258678 is the identifier assigned to this vulnerability. | ||
| Risiko ? / 10 CVE-2024-3086 | vor 419 Stunde(n) | |
| A vulnerability classified as problematic was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. Affected by this vulnerability is an unknown functionality of the file ambulance-tracking.php of the component Ambulance Tracking Page. The manipulation of the argument searchdata leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258679. | ||
| Risiko ? / 10 CVE-2024-2948 | vor 420 Stunde(n) | |
| The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user_favorites' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes such as 'no_favorites'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-3084 | vor 420 Stunde(n) | |
| A vulnerability was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. It has been rated as problematic. This issue affects some unknown processing of the component Hire an Ambulance Page. The manipulation of the argument Patient Name/Relative Name/Relative Phone Number/City/State/Message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-258677 was assigned to this vulnerability. | ||
| Risiko ? / 10 CVE-2024-2144 | vor 421 Stunde(n) | |
| The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2140 | vor 421 Stunde(n) | |
| The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Icons widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2142 | vor 421 Stunde(n) | |
| The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Info Table widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2141 | vor 421 Stunde(n) | |
| The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2143 | vor 421 Stunde(n) | |
| The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-1051 | vor 423 Stunde(n) | |
| The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.89.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2047 | vor 423 Stunde(n) | |
| The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||
| Risiko ? / 10 CVE-2024-2794 | vor 423 Stunde(n) | |
| The Gutenberg Block Editor Toolkit – EditorsKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'editorskit' shortcode in all versions up to, and including, 1.40.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-0367 | vor 423 Stunde(n) | |
| The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link field of an installed widget (e.g., 'Button Link') in all versions up to, and including, 1.5.96 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-1238 | vor 423 Stunde(n) | |
| The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button ID parameter in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-1692 | vor 423 Stunde(n) | |
| The BoldGrid Easy SEO – Simple and Effective SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the meta description field in all versions up to, and including, 1.6.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2086 | vor 423 Stunde(n) | |
| The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers to modify plugin settings as well as allowing full read/write/delete access to the Google Drive associated with the plugin. | ||
| Risiko ? / 10 CVE-2024-2193 | vor 424 Stunde(n) | |
| A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. | ||
| Risiko ? / 10 CVE-2023-28746 | vor 424 Stunde(n) | |
| Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | ||
| Risiko ? / 10 CVE-2024-28176 | vor 424 Stunde(n) | |
| jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5. | ||
| Risiko ? / 10 CVE-2024-28180 | vor 424 Stunde(n) | |
| Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. | ||
| Risiko ? / 10 CVE-2024-2947 | vor 426 Stunde(n) | |
| A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. | ||
| Risiko ? / 10 CVE-2024-29131 | vor 426 Stunde(n) | |
| Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | ||
| Risiko ? / 10 CVE-2024-29133 | vor 426 Stunde(n) | |
| Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | ||
| Risiko ? / 10 CVE-2024-27318 | vor 426 Stunde(n) | |
| Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882. | ||
| Risiko ? / 10 CVE-2024-27319 | vor 426 Stunde(n) | |
| Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an off by one string copy. | ||
| Risiko ? / 10 CVE-2023-38745 | vor 426 Stunde(n) | |
| Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names). | ||
| Risiko ? / 10 CVE-2023-35936 | vor 426 Stunde(n) | |
| Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system ,depending on the privileges of the process running pandoc. It only affects systems that pass untrusted user input to pandoc and allow pandoc to be used to produce a PDF or with the `--extract-media` option. The fix is to unescape the percent-encoding prior to checking that the resource is not above the working directory, and prior to extracting the extension. Some code for checking that the path is below the working directory was flawed in a similar way and has also been fixed. Note that the `--sandbox` option, which only affects IO done by readers and writers themselves, does not block this vulnerability. The vulnerability is patched in pandoc 3.1.4. As a workaround, audit the pandoc command and disallow PDF output and the `--extract-media` option. | ||
| Risiko ? / 10 CVE-2024-28288 | vor 427 Stunde(n) | |
| Ruijie RG-NBR700GW 10.3(4b12) router lacks cookie verification when resetting the password, resulting in an administrator password reset vulnerability. An attacker can use this vulnerability to log in to the device and disrupt the business of the enterprise. | ||
| Risiko ? / 10 CVE-2024-29278 | vor 427 Stunde(n) | |
| funboot v1.1 is vulnerable to Cross Site Scripting (XSS) via the title field in "create a message ." | ||
| Risiko ? / 10 CVE-2024-3094 | vor 433 Stunde(n) | |
| Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. | ||
| 02.04.2024 - Salvadoran Citizens | 946.989 Datensätze geleaked | |
| Dates of birth, Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses, Profile photos In April 2024, nearly 6 million records of Salvadoran citizens were published to a popular hacking forum. The data included names, dates of birth, phone numbers, physical addresses and nearly 1M unique email addresses. Further, over 5M corresponding profile photos were also included in the breach. |
||
| 31.03.2024 - Pandabuy | 1.348.407 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Phone numbers, Physical addresses In March 2024, 1.3M unique email addresses from the online store for purchasing goods from China, Pandabuy, were posted to a popular hacking forum. The data also included IP and physical addresses, names, phone numbers and order enquiries. The breach was alleged to be attributed to "Sanggiero" and "IntelBroker". |
||
| 25.03.2024 - boAt | 7.528.985 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In March 2024, the Indian audio and wearables brand boAt suffered a data breach that exposed 7.5M customer records. The data included physical and email address, names and phone numbers, all of which were subsequently published to a popular clear web hacking forum. |
||
| 24.03.2024 - Kaspersky Club | 55.971 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In March 2024, the independent fan forum Kaspersky Club suffered a data breach. The incident exposed 56k unique email addresses alongside usernames, IP addresses and passwords stored as either MD5 or bcrypt hashes. |
||
| 23.03.2024 - England Cricket | 43.299 Datensätze geleaked | |
| Email addresses, Passwords In March 2024, English Cricket's icoachcricket website suffered a data breach that exposed over 40k records. The data included email addresses and passwords stored as either bcrypt hashes, salted MD5 hashes or both. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker". |
||
| 04.03.2024 - GiantTiger | 2.842.669 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In March 2024, Canadian discount store Giant Tiger suffered a data breach that exposed 2.8M customer records. Attributed to a vendor of the retailer, the breach included physical and email addresses, names and phone numbers. |
||
| 03.03.2024 - WoTLabs | 21.994 Datensätze geleaked | |
| Dates of birth, Email addresses, IP addresses, Time zones, Usernames In March 2024, WoTLabs (World of Tanks Statistics and Resources) suffered a data breach and website defacement attributed to "chromebook breachers". The breach exposed 22k forum members' personal data including email and IP addresses, usernames, dates of birth and time zones. |
||
| 01.03.2024 - Mr. Green Gaming | 27.123 Datensätze geleaked | |
| Dates of birth, Email addresses, Geographic locations, IP addresses, Usernames In March 2024, the online games community Mr. Green Gaming suffered a data breach that exposed 27k user records. Acknowledged on their Discord server, the incident exposed email and IP addresses, usernames, geographic locations and dates of birth. |
||
| 26.02.2024 - Cutout.Pro | 19.972.829 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Passwords In February 2024, the AI-powered visual design platform Cutout.Pro suffered a data breach that exposed 20M records. The data included email and IP addresses, names and salted MD5 password hashes which were subsequently broadly distributed on a popular hacking forum and Telegram channels. |
||
| 18.02.2024 - Tangerine | 243.462 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations In February 2024, the Australian Telco Tangerine suffered a data breach that exposed over 200k customer records. Attributed to a legacy customer database, the data included physical and email addresses, names, phone numbers and dates of birth. Whilst the Tangerine login process involves sending a one-time password after entering an email address and phone number, it previously used a traditional password which was also exposed as a bcrypt hash. |
||
| 01.02.2024 - SurveyLama | 4.426.879 Datensätze geleaked | |
| Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses In February 2024, the paid survey website SurveyLama suffered a data breach that exposed 4.4M customer email addresses. The incident also exposed names, physical and IP addresses, phone numbers, dates of birth and passwords stored as either salted SHA-1, bcrypt or argon2 hashes. When contacted about the incident, SurveyLama advised that they had already "notified the users by email". |
||
| 31.01.2024 - Spoutible | 207.114 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Usernames In January 2024, Spoutible had 207k records scraped from a misconfigured API that inadvertently returned excessive personal information. The data included names, usernames, email and IP addresses, phone numbers (where provided to the platform), genders and bcrypt password hashes. The incident also exposed 2FA secrets and backup codes along with password reset tokens. |
||
| 16.01.2024 - Trello | 15.111.945 Datensätze geleaked | |
| Email addresses, Names, Usernames In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred. |
||
| 17.12.2023 - Hathway | 4.670.080 Datensätze geleaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations, Support tickets In December 2023, hundreds of gigabytes of data allegedly taken from Indian ISP and digital TV provider Hathway appeared on a popular hacking website. The incident exposed extensive personal information including 4.7M unique email addresses along with names, physical and IP addresses, phone numbers, password hashes and support ticket logs. |
||
| 12.12.2023 - InflateVids | 13.405 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Passwords, Usernames In December 2023, the inflatable and balloon fetish videos website InflateVids suffered a data breach. The incident exposed over 13k unique email addresses alongside usernames, IP addresses, genders and SHA-1 password hashes. |
||
| 14.11.2023 - KitchenPal | 98.726 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Physical attributes, Social media profiles In November 2023, the kitchen management application KitchenPal suffered a data breach that exposed 146k lines of data. When contacted about the incident, KitchenPal advised the corpus of data came from a staging environment, although acknowledged it contained a small number of users for debugging purposes and included passwords that could not be used. Impacted data included almost 100k email addresses, names, geolocations and incomplete data on dates of birth, genders, height and weight, social media profile identifiers and bcrypt password hashes. |
||
| 08.11.2023 - Chess | 827.620 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Usernames In November 2023, over 800k user records were scraped from the Chess website and posted to a popular hacking forum. The data included email address, name, username and the geographic location of the user. |
||
| 04.11.2023 - LinkedIn Scraped and Faked Data (2023) | 19.788.753 Datensätze geleaked | |
| Email addresses, Genders, Geographic locations, Job titles, Names, Professional skills, Social media profiles In November 2023, a post to a popular hacking forum alleged that millions of LinkedIn records had been scraped and leaked. On investigation, the data turned out to be a combination of legitimate data scraped from LinkedIn and email addresses constructed from impacted individuals' names. |
||
| 18.10.2023 - Toumei | 76.682 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In October 2023, the Japanese consultancy firm Toumei suffered a data breach. The breach exposed over 100M lines and 10GB of data including 77k unique email addresses along with names, phone numbers and physical addresses. |
||
| 01.10.2023 - Facebook Marketplace | 77.267 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Passwords, Phone numbers, Social media profiles In February 2024, 200k Facebook Marketplace records allegedly obtained from a Meta contractor in October 2023 were posted to a popular hacking forum. The data contained 77k unique email addresses alongside names, phone numbers, Facebook profile IDs and geographic locations. The data also contained bcrypt password hashes, although there is no indication these belong to the corresponding Facebook accounts. |
||
| 20.09.2023 - Naz.API | 70.840.771 Datensätze geleaked | |
| Email addresses, Passwords In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" was posted to a popular hacking forum. The incident contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs obtained from unnamed sources. In total, the corpus of data included 71M unique email addresses and 100M unique passwords. |
||
| 09.09.2023 - Sphero | 832.255 Datensätze geleaked | |
| Dates of birth, Email addresses, Geographic locations, Names, Usernames In September 2023, over 1M rows of data from the educational robots company Sphero was posted to a popular hacking forum. The data contained 832k unique email addresses alongside names, usernames, dates of birth and geographic locations. |
||
| 29.08.2023 - Qakbot | 6.431.319 Datensätze geleaked | |
| Email addresses, Passwords In August 2023, the US Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, and the United Kingdom to disrupt the botnet and malware known as Qakbot and take down its infrastructure. After the takedown, 6.43M email addresses were provided to HIBP to help notify victims of the malware. |
||
| 09.08.2023 - PlayCyberGames | 3.681.753 Datensätze geleaked | |
| Email addresses, Passwords, Usernames In August 2023, PlayCyberGames which "allows users to play any games with LAN function or games using IP address" suffered a data breach which exposed 3.7M customer records. The data included email addresses, usernames and MD5 password hashes with a constant value in the "salt" field. PlayCyberGames did not respond to multiple attempts to disclose the breach. |
||
| 02.08.2023 - MagicDuel | 138.443 Datensätze geleaked | |
| Email addresses, IP addresses, Nicknames, Passwords In August 2023, the MagicDuel Adventure website suffered a data breach that exposed 138k user records. The data included player names, email and IP addresses and bcrypt password hashes. |
||
| 16.07.2023 - Manipulated Caiman | 39.901.389 Datensätze geleaked | |
| Email addresses In July 2023, Perception Point reported on a phishing operation dubbed "Manipulated Caiman". Targeting primarily the citizens of Mexico, the campaign attempted to gain access to victims' bank accounts via spear phishing attacks using malicious attachments. Researchers obtained almost 40M email addresses targeted in the campaign and provided the data to HIBP to alert potential victims. |
||
| 09.07.2023 - Rightbiz | 65.376 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In June 2023, data belonging to the "UK's No.1 Business Marketplace" Rightbiz appeared on a popular hacking forum. Comprising of more than 18M rows of data, the breach included 65k unique email addresses along with names, phone numbers and physical address. Rightbiz didn't respond to mulitple attempts to disclose the incident. The data was provided to HIBP by a source who requested it be attributed to "https://discord.gg/gN9C9em". |
||
| 20.06.2023 - Dymocks | 836.120 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses In September 2023, the Australian book retailer Dymocks announced a data breach. The data dated back to June 2023 and contained 1.2M records with 836k unique email addresses. The breach also exposed names, dates of birth, genders, phone numbers and physical addresses. |
||
| 17.06.2023 - BreachForums Clone | 4.204 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In June 2023, a clone of the previously shuttered popular hacking forum "BreachForums" suffered a data breach that exposed over 4k records. The breach was due to an exposed backup of the MyBB database which included email and IP addresses, usernames and Argon2 password hashes. |
||
| 31.05.2023 - JD Group | 521.878 Datensätze geleaked | |
| Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses In May 2023, the South African retailer JD Group announced a data breach affecting a number of their online assets including Bradlows, Everyshop, HiFi Corp, Incredible (Connection), Rochester, Russells, and Sleepmasters. The breach exposed over 520k unique customer records including names, email and physical addresses, phone numbers and South African ID numbers. |
||
| 29.05.2023 - Polish Credentials | 1.204.870 Datensätze geleaked | |
| Email addresses, Passwords In May 2023, a credential stuffing list of 6.3M Polish email address and password pairs appeared on a local forum. Likely obtained by malware running on victims' machines, each record included an email address and plain text password alongside the website the credentials were used on. The data included 1.2M unique email addresses. |
||
| 15.04.2023 - Jobzone | 29.708 Datensätze geleaked | |
| Dates of birth, Email addresses, Family members' names, Genders, Government issued IDs, Names, Phone numbers, Physical addresses In April 2023, data from the Israeli jobs website Jobzone was posted online. The data included 30k records of email addresses, names, social security numbers, genders, dates of birth, fathers' names and physical addresses. |
||
| 15.04.2023 - RentoMojo | 2.185.697 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Passwords, Phone numbers, Purchases, Social media profiles In April 2023, the Indian rental service RentoMojo suffered a data breach. The breach exposed over 2M unique email addresses along with names, phone, passport and Aadhaar numbers, genders, dates of birth, purchases and bcrypt password hashes. |
||
| 05.04.2023 - Genesis Market | 8.000.000 Datensätze geleaked | |
| Browser user agent details, Credit card CVV, Credit cards, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames In April 2023, the stolen identity marketplace Genesis Market was shut down by the FBI and a coalition of law enforcement agencies across the globe in "Operation Cookie Monster". The service traded in "browser fingerprints" which enabled criminals to impersonate victims and access their online services. As many of the impacted accounts did not include email addresses, "8M" is merely an approximation intended to indicate scale. Other personal data compromised by the service included names, addresses and credit card information, although not all individuals had each of these fields exposed. |
||
| 31.03.2023 - Tigo | 700.394 Datensätze geleaked | |
| Device information, Email addresses, Genders, Geographic locations, IP addresses, Names, Private messages, Profile photos, Usernames In Mid-2023, 300GB of data containing over 100M records from the Chinese video chat platform "Tigo" dating back to March that year was discovered. The data contained over 700k unique names, usernames, email and IP addresses, genders, profile photos and private messages. Tigo did not respond to multiple attempts to disclose the incident. |
||
| 15.03.2023 - MediaWorks | 162.710 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Phone numbers, Physical addresses In March 2024, millions of rows of data from the New Zealand media company MediaWorks was publicly posted to a popular hacking forum. The incident exposed 163k unique email addresses provided by visitors who filled out online competitions and included names, physical addresses, phone numbers, dates of birth, genders and the responses to questions in the competition. Some victims of the breach subsequently received ransom demands requesting payment to have their data deleted. |
||
| 06.03.2023 - DC Health Link | 48.145 Datensätze geleaked | |
| Citizenship statuses, Dates of birth, Email addresses, Employers, Ethnicities, Genders, Names, Phone numbers, Physical addresses, Purchases, Social security numbers In March 2023, DC Health Link discovered a data breach that was later publicly posted to a popular data breach forum. The impacted data included 48k unique email addresses alongside names, genders, dates of birth, home addresses, phone numbers and social security numbers. The data was provided to HIBP by a source who requested it be attributed to "Aegis" and "IntelBroker". |
||
| 27.02.2023 - CityJerks | 177.554 Datensätze geleaked | |
| Bios, Dates of birth, Email addresses, Geographic locations, IP addresses, Passwords, Private messages, Profile photos, Sexual orientations, Usernames In early 2023, the "mutual masturbation" website CityJerks suffered a data breach that exposed 177k unique email addresses. The breach also included data from the TruckerSucker "dating app for REAL TRUCKERS and REAL MEN" with the combined corpus of data also exposing usernames, IP addresses, dates of birth, sexual orientations, geo locations, private messages between members and passwords stored as salted MD5 hashes. The data was listed on a public hacking site and provided to HIBP by a source who requested it be attributed to "discord.gg/gN9C9em". |
||
| 26.02.2023 - TheGradCafe | 310.975 Datensätze geleaked | |
| Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames In February 2023, the grad school admissions search website TheGradCafe suffered a data breach that disclosed the personal records of 310k users. The data included email addresses, names and usernames, genders, geographic locations and passwords stored as bcrypt hashes. Some records also included physical address, phone number and date of birth. TheGradCafe did not respond to multiple attempts to disclose the breach. |
||
| 25.02.2023 - Phished Data via CERT Poland | 67.943 Datensätze geleaked | |
| Email addresses, Passwords In August 2023, CERT Poland observed a phishing campaign that collected credentials from 68k victims. The campaign collected email addresses and passwords via a phishing email masquerading as a purchase order confirmation. CERT Poland identified a further 202 other phishing campaigns operating on the same C2 server, which has now been dismantled. |
||