Risk / Label | Published | |
---|---|---|
Risk ? / 10 CVE-2024-49193 | 10 hour(s) ago | |
Zendesk before 2024-07-02 allows remote attackers to read ticket history via e-mail spoofing, because Cc fields are extracted from incoming e-mail messages and used to grant additional authorization for ticket viewing, the mechanism for detecting spoofed e-mail messages is insufficient, and the support e-mail addresses associated with individual tickets are predictable. | ||
Risk ? / 10 CVE-2024-9894 | 11 hour(s) ago | |
A vulnerability, which was classified as critical, was found in code-projects Blood Bank System 1.0. Affected is an unknown function of the file reset.php. The manipulation of the argument useremail leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||
Risk ? / 10 CVE-2024-8757 | 14 hour(s) ago | |
The WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the linked_user_id parameter in all versions up to, and including, 3.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||
Risk ? / 10 CVE-2024-8902 | 14 hour(s) ago | |
The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/widgets/data-table.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||
Risk ? / 10 CVE-2024-8760 | 15 hour(s) ago | |
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users. | ||
Risk ? / 10 CVE-2024-8915 | 15 hour(s) ago | |
The Category Icon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||
Risk ? / 10 CVE-2024-9595 | 15 hour(s) ago | |
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
Risk ? / 10 CVE-2024-9696 | 15 hour(s) ago | |
The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rescue_tab' shortcode in all versions up to, and including, 2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
Risk ? / 10 CVE-2024-9047 | 17 hour(s) ago | |
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier. | ||
Risk ? / 10 CVE-2024-9704 | 17 hour(s) ago | |
The Social Sharing (by Danny) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dvk_social_sharing' shortcode in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
Risk ? / 10 CVE-2024-9756 | 17 hour(s) ago | |
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types. | ||
Risk ? / 10 CVE-2024-7489 | 18 hour(s) ago | |
The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||
Risk ? / 10 CVE-2024-9187 | 18 hour(s) ago | |
The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons. | ||
Risk ? / 10 CVE-2024-9656 | 18 hour(s) ago | |
The Mynx Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||
Risk ? / 10 CVE-2024-9670 | 18 hour(s) ago | |
The 2D Tag Cloud plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 6.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||
Risk ? / 10 CVE-2024-9776 | 18 hour(s) ago | |
The ImagePress – Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||
Risk ? / 10 CVE-2024-9778 | 18 hour(s) ago | |
The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the 'imagepress_admin_page' function. This makes it possible for unauthenticated attackers to update plugin settings, including redirection URLs, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||
Risk ? / 10 CVE-2024-9824 | 18 hour(s) ago | |
The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts and update post titles. | ||
Risk ? / 10 CVE-2024-9592 | 21 hour(s) ago | |
The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||
Risk ? / 10 CVE-2024-9821 | 21 hour(s) ago | |
The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature. | ||
Risk ? / 10 CVE-2024-9860 | 21 hour(s) ago | |
The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins. | ||
Risk ? / 10 CVE-2023-40158 | 26 hour(s) ago | |
Hidden functionality vulnerability in the CBC products allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter its settings. As for the affected products/versions, see the detailed information provided by the vendor. Note that NR4H, NR8H, NR16H series and DR-16F, DR-8F, DR-4F, DR-16H, DR-8H, DR-4H, DR-4M41 series are no longer supported, therefore updates for those products are not provided. | ||
Risk ? / 10 CVE-2024-35517 | 26 hour(s) ago | |
Netgear XR1000 v1.0.0.64 is vulnerable to command injection in usb_remote_smb_conf.cgi via the share_name parameter. | ||
Risk ? / 10 CVE-2024-35522 | 26 hour(s) ago | |
Netgear EX3700 – AC750 WiFi Range Extender Essentials Edition before 1.0.0.98 contains an authenticated command injection in operating_mode.cgi via the ap_mode parameter with ap_24g_manual set to 1 and ap_24g_manual_sec set to NotNone. | ||
Risk ? / 10 CVE-2024-45754 | 26 hour(s) ago | |
An issue was discovered in the centreon-bi-server component in Centreon BI Server 24.04.x before 24.04.3, 23.10.x before 23.10.8, 23.04.x before 23.04.11, and 22.10.x before 22.10.11. SQL injection can occur in the listing of configured reporting jobs. Exploitation is only accessible to authenticated users with high-privileged access. | ||
Risk ? / 10 CVE-2023-4685 | 26 hour(s) ago | |
Delta Electronics' CNCSoft-B version 1.0.0.4 and DOPSoft versions 4.0.0.82 and prior are vulnerable to stack-based buffer overflow, which could allow an attacker to execute arbitrary code. | ||
Risk ? / 10 CVE-2024-45132 | 26 hour(s) ago | |
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect confidentiality. Exploitation of this issue does not require user interaction. | ||
Risk ? / 10 CVE-2024-45133 | 26 hour(s) ago | |
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user interaction. | ||
Risk ? / 10 CVE-2024-45134 | 26 hour(s) ago | |
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user interaction. | ||
Risk ? / 10 CVE-2024-45135 | 26 hour(s) ago | |
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user interaction. |
01.10.2024 - Switch | 5,397 records leaked | |
Email addresses, Job applications, Names, Social media profiles. In October 2024, the Hungarian IT headhunting service Switch inadvertently exposed thousands of customer records via a public GitHub repository. The exposed data contained job applications with names, email addresses and in some cases, commentary on the applicant. |
||
28.09.2024 - Internet Archive | 31,081,179 records leaked | |
Email addresses, Passwords, Usernames. In September 2024, the digital library of internet sites Internet Archive suffered a data breach that exposed 31M records. The breach exposed user records including email addresses, screen names and bcrypt password hashes. |
||
17.09.2024 - Muah.AI | 1,910,261 records leaked | |
Email addresses, Sexual fetishes. In September 2024, the "AI girlfriend" website Muah.AI suffered a data breach. The breach exposed 1.9M email addresses alongside prompts to generate AI-based images. Many of the prompts were highly sexual in nature, with many also describing child exploitation scenarios. |
||
12.09.2024 - Instituto Nacional de Deportes de Chile | 319,613 records leaked | |
Dates of birth, Email addresses, Genders, Names, Passwords, Usernames. In September 2024, the Instituto Nacional de Deportes de Chile (Chile's National Sports Institute) suffered a data breach. The incident exposed 1.7M rows of data with 320k unique email addresses alongside names, dates of birth, genders and bcrypt password hashes. The newest records in the data date back to August 2022, suggesting the breach may be of an older data set. |
||
15.08.2024 - Explore Talent (August 2024) | 8,929,384 records leaked | |
Email addresses. In August 2024, a slew of security vulnerabilities were identified with a conglomerate of online services which included the talent network Explore Talent. A vulnerable API exposed the personal records of 11.4M users of the service of which 8.9M unique email addresses were provided to HIBP. This incident is separate to the Explore Talent breach which occurred in 2022 and was loaded into HIBP in July 2024. |
||
15.08.2024 - Tracki | 372,557 records leaked | |
Email addresses, Names. In August 2024, a slew of security vulnerabilities were identified with a conglomerate of online services which included the GPS tracking service Tracki. Multiple vulnerabilities exposed the personal records of 372k users of the service including names and email addresses. |
||
10.08.2024 - Chris Leong | 27,096 records leaked | |
Dates of birth, Email addresses, Genders, Names, Nationalities, Phone numbers, Physical addresses, Purchases, Social media profiles. In August 2024, the website of Master Chris Leong "a leading Tit Tar practitioner in Malaysia" suffered a data breach. The incident exposed 27k unique email addresses along with names, physical addresses, dates of birth, genders, nationalities and in many cases, links to Facebook profiles. The company did not respond when contacted about the breach. |
||
03.08.2024 - Not SOCRadar | 282,478,425 records leaked | |
Email addresses. In August 2024, over 332M rows of email addresses were posted to a popular hacking forum. The post alleged the addresses were scraped from cybersecurity firm SOCRadar, however an investigation on their behalf concluded that "the actor merely utilised functionalities inherent in the platform's standard offerings, designed to gather information from publicly available sources". There is no suggestion the incident compromised SOCRadar's security or posed any risk to their customers. In total, the data set contained 282M unique addresses of valid email address format. |
||
28.07.2024 - Ubook | 699,908 records leaked | |
Dates of birth, Email addresses, Genders, Names, Profile photos. In July 2024, 700k unique email addresses from the audiobook platform Ubook were posted to a popular hacking forum. Allegedly scraped from the service, the data appears to be sourced from the Ubook Exchange (UBX) and also includes names, genders, dates of birth and links to profile photos. |
||
18.07.2024 - Stealer Logs Posted to Telegram | 26,105,473 records leaked | |
Email addresses, Passwords. In July 2024, info stealer logs with 26M unique email addresses were collated from malicious Telegram channels. The data contained 22GB of logs consisting of email addresses, passwords and the websites they were used on, all obtained by malware running on infected machines. |
||
09.07.2024 - The Heritage Foundation | 72,004 records leaked | |
Email addresses, IP addresses, Names, Passwords, Usernames. In July 2024, hacktivists published almost 2GB of data taken from The Heritage Foundation and their media arm, The Daily Signal. The data contained 72k unique email addresses, primarily used for commenting on articles (along with names, IP addresses and the comments left) and by content contributors (along with usernames and passwords stored as either MD5 or phpass hashes). |
||
06.07.2024 - LuLu | 2,796,835 records leaked | |
Email addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases. In July 2024, the Emirati-based LuLu retail store suffered a data breach. The impacted data included 190k email addresses and associated phone numbers which were subsequently shared on a popular hacking forum. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker". The following month, the threat of leaking the full database was carried out and a backup from October 2022 with a further 2.6M unique email addresses appeared. This data also included names, physical addresses, orders and PBKDF2 password hashes. |
||
04.07.2024 - AnimeLeague | 192,134 records leaked | |
Dates of birth, Email addresses, IP addresses, Passwords, Phone numbers, Private messages, Purchases, Usernames. In July 2024, AnimeLeague disclosed a data breach of their services. The data was posted for sale on a popular hacking forum and included 2 databases covering both event registration records and a dump of the phpBB bulletin board. The impacted data included passwords in various hashed formats including SHA-1, salted md5 and bcrypt, as well as usernames, private messages, dates of birth, purchases and 192k unique email addresses. |
||
04.07.2024 - FNTECH | 10,386 records leaked | |
Email addresses, IP addresses, Names. In July 2024, the events management platform FNTECH suffered a data breach that exposed 10k unique email addresses. The data contained registrants from various events, including participants of the Roblox Developer Conference registration list. The data also included names and IP addresses. |
||
04.07.2024 - Husky Owners | 16,502 records leaked | |
Dates of birth, Email addresses, Time zones, Usernames. In July 2024, the Husky Owners forum website was defaced and linked to a breach of user data containing 16k records. The exposed data included usernames, email addresses, dates of birth and time zones. |
||
01.07.2024 - Central Tickets | 722,860 records leaked | |
Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Purchases. In September 2024, data from the ticketing service Central Tickets was publicly posted to a hacking forum. The data suggests the breach occurred several months earlier and exposed 723k unique email addresses alongside names, phone numbers, IP addresses, purchases and passwords stored as unsalted SHA-1 hashes. |
||
28.06.2024 - Shoe Zone | 46,140 records leaked | |
Email addresses, Names, Partial credit card data, Physical addresses, Purchases. In June 2024, the UK footwear chain Shoe Zone disclosed a data breach that was subsequently posted for sale on a popular hacking forum. The data included over 100k orders containing names, addresses, partial credit card numbers (card type and last 4 digits), and 46k unique email addresses. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker". |
||
27.06.2024 - BudTrader | 2,721,185 records leaked | |
Email addresses, Passwords, Usernames. In July 2024, a data breach of the now defunct cannabis social platform BudTrader was posted for sale on a hacking forum. Dating back to the previous month, the breach of the website exposed 2.7M email addresses, usernames and WordPress password hashes. |
||
09.06.2024 - mSpy (2024) | 2,394,179 records leaked | |
Email addresses, IP addresses, Names, Photos. In June 2024, a huge trove of data from spyware maker mSpy was obtained by hacktivists and published online. Comprising 142GB of user data and support tickets along with 176GB of more than half a million attachments, the data contained 2.4M unique email addresses, IP addresses, names and photos. The data was predominantly support tickets seeking help to install the spyware on target devices, whilst the attachments contained various data including screen grabs of financial transactions, photos of credit cards and nude selfies. |
||
05.06.2024 - Advance Auto Parts | 79,243,727 records leaked | |
Email addresses, Names, Phone numbers, Physical addresses. In June 2024, Advance Auto Parts confirmed they had suffered a data breach which was posted for sale to a popular hacking forum. Linked to unauthorised access to Snowflake cloud services, the breach exposed a large number of records related to both customers and employees. In total, 79M unique email addresses were included in the breach, alongside names, phone numbers, addresses and further data attributes related to company employees. |
||
04.06.2024 - Spytech | 5,645 records leaked | |
Browsing histories, Device information, Email addresses, Names, Passwords, Purchases, Usernames. In July 2024, spyware maker Spytech suffered a data breach that exposed data collected as recently as the previous month. Designed to "invisibly record everything users do", the breach exposed information related to both purchasers and targets of the product. Target data collection (and subsequent exposure) included the infected computer name, browsing history, applications used, usernames of authenticated users, keywords being monitored, file operations (creation and deletion), computer usage times and email addresses, often captured within the spyware's logs. The data also included the names, purchases and md5 password hashes of purchasers. |
||
31.05.2024 - Ticketek | 17,643,173 records leaked | |
Dates of birth, Email addresses, Genders, Names, Passwords, Salutations. In May 2024, the Australian event ticketing company Ticketek reported a data breach linked to a third party cloud-based platform. The following month, the data appeared for sale on a popular hacking forum and was later linked to a series of breaches of the Snowflake cloud storage service. The data contained almost 30M rows with 17.6M unique email addresses alongside names, genders, dates of birth and hashed passwords. |
||
30.05.2024 - Operation Endgame | 16,466,858 records leaked | |
Email addresses, Passwords. In May 2024, a coalition of international law enforcement agencies took down a series of botnets in a campaign they coined "Operation Endgame". Data seized in the operation included impacted email addresses and passwords which were provided to HIBP to help victims learn of their exposure. |
||
28.05.2024 - Combolists Posted to Telegram | 361,468,099 records leaked | |
Email addresses, Passwords, Usernames. In May 2024, 2B rows of data with 361M unique email addresses were collated from malicious Telegram channels. The data contained 122GB across 1.7k files with email addresses, usernames, passwords and in many cases, the website they were entered into. The data appears to have been sourced from a combination of existing combolists and info stealer malware. |
||
25.05.2024 - pcTattletale | 138,751 records leaked | |
Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, SMS messages, Usernames. In May 2024, the spyware service pcTattletale suffered a data breach that defaced the website and posted tens of gigabytes of data to the homepage, allegedly due to pcTattletale not responding to a previous security vulnerability report. The breach exposed data including membership records, infected PC names, captured messages and extensive logs of IP addresses and device information. |
||
02.05.2024 - The Post Millennial | 56,973,345 records leaked | |
Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames. In May 2024, the conservative news website The Post Millennial suffered a data breach. The breach resulted in the defacement of the website and links posted to 3 different corpuses of data including hundreds of writers and editors (IP, physical address and email exposed), tens of thousands of subscribers to the site (name, email, username, phone and plain text password exposed), and tens of millions of email addresses from thousands of mailing lists alleged to have been used by The Post Millennial (this has not been independently verified). The mailing lists appear to be sourced from various campaigns not necessarily run by The Post Millennial and contain a variety of different personal attributes including name, phone and physical address (depending on the campaign). The data was subsequently posted to a popular hacking forum and extensively torrented. |
||
24.04.2024 - Piping Rock | 2,103,100 records leaked | |
Email addresses, Names, Phone numbers, Physical addresses. In April 2024, 2.1M email addresses from the online health products store Piping Rock were publicly posted to a popular hacking forum. The data also included names, phone numbers and physical addresses. The account posting the data had previously posted multiple other data breaches which all appear to have been obtained from the Shopify service used by the respective websites. |
||
23.04.2024 - Tappware | 94,734 records leaked | |
Dates of birth, Email addresses, Genders, Government issued IDs, Job titles, Names, Phone numbers, Physical addresses, Religions. In April 2024, a substantial volume of data was taken from the Bangladeshi IT services provider Tappware and published to a popular hacking forum. Comprising 95k unique email addresses, the data also included extensive labour information on local citizens including names, physical addresses, job titles, dates of birth, genders and scans of government issued national identity (NID) cards. |
||
18.04.2024 - Sport 2000 | 3,189,643 records leaked | |
Dates of birth, Email addresses, Names, Phone numbers, Physical addresses, Purchases, Salutations. In April 2024, the French sporting equipment manufacturer Sport 2000 announced it had suffered a data breach. The data was subsequently put up for sale on a popular hacking forum and included 4.4M rows with 3.2M unique email addresses alongside names, physical addresses, phone numbers, dates of birth and purchases made by store name. The data was provided to HIBP by a source who requested it be attributed to "oathnet.ru". |
||
17.04.2024 - T2 | 94,584 records leaked | |
Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, Salutations. In April 2024, 95k records from the T2 tea store were posted to a popular hacking forum. Data included email and physical addresses, names, phone numbers, dates of birth, purchases and passwords stored as scrypt hashes. |
||
15.04.2024 - MovieBoxPro | 6,009,014 records leaked | |
Email addresses, Usernames. In April 2024, over 6M records from the streaming service MovieBoxPro were scraped from a vulnerable API. Of questionable legality, the service provided no contact information to disclose the incident, although reportedly the vulnerability was rectified after being mass enumerated. |
||
14.04.2024 - Neiman Marcus | 31,152,842 records leaked | |
Dates of birth, Email addresses, IP addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases. In May 2024, the American luxury retailer Neiman Marcus suffered a data breach which was later posted to a popular hacking forum. The data included 31M unique email addresses, names, phone numbers, dates of birth, physical addresses and partial credit card data (note: this is insufficient to make purchases). The breach was traced back to a series of attacks against the Snowflake cloud service which impacted 165 organisations worldwide. |
||
13.04.2024 - Le Slip Français | 1,495,127 records leaked | |
Email addresses, Names, Phone numbers, Physical addresses. In April 2024, the French underwear maker Le Slip Français suffered a data breach. The breach included 1.5M email addresses, physical addresses, names and phone numbers. |
||
09.04.2024 - National Public Data | 133,957,569 records leaked | |
Dates of birth, Email addresses, Genders, Government issued IDs, Names, Phone numbers, Physical addresses. In April 2024, a large trove of data made headlines as having exposed "3 billion people" due to a breach of the National Public Data background check service. The initial corpus of data released in the breach contained billions of rows of personal information, including US social security numbers. Further partial data sets were later released including extensive personal information and 134M unique email addresses, although the origin and accuracy of the data remains in question. This breach has been flagged as "unverified" and a full description of the incident is in the link above. |
||
02.04.2024 - Salvadoran Citizens | 946,989 records leaked | |
Dates of birth, Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses, Profile photos. In April 2024, nearly 6 million records of Salvadoran citizens were published to a popular hacking forum. The data included names, dates of birth, phone numbers, physical addresses and nearly 1M unique email addresses. Further, over 5M corresponding profile photos were also included in the breach. |
||
31.03.2024 - Pandabuy | 1,348,407 records leaked | |
Email addresses, IP addresses, Names, Phone numbers, Physical addresses. In March 2024, 1.3M unique email addresses from the online store for purchasing goods from China, Pandabuy, were posted to a popular hacking forum. The data also included IP and physical addresses, names, phone numbers and order enquiries. The breach was alleged to be attributed to "Sanggiero" and "IntelBroker". |
||
27.03.2024 - Lookiero | 4,981,760 records leaked | |
Email addresses, Names, Phone numbers, Physical addresses. In August 2024, a data breach from the online styling service Lookiero was posted to a popular hacking forum. Dating back to March 2024, the data included 5M unique email addresses, with many of the records also including name, phone number and physical address. When contacted about the incident, Lookiero advised that they would "look into it and get back to you if necessary". The data was provided to HIBP by a source who requested it be attributed to "oathnet.ru". |
||
25.03.2024 - boAt | 7,528,985 records leaked | |
Email addresses, Names, Phone numbers, Physical addresses. In March 2024, the Indian audio and wearables brand boAt suffered a data breach that exposed 7.5M customer records. The data included physical and email address, names and phone numbers, all of which were subsequently published to a popular clear web hacking forum. |
||
24.03.2024 - Kaspersky Club | 55,971 records leaked | |
Email addresses, IP addresses, Passwords, Usernames. In March 2024, the independent fan forum Kaspersky Club suffered a data breach. The incident exposed 56k unique email addresses alongside usernames, IP addresses and passwords stored as either MD5 or bcrypt hashes. |
||
23.03.2024 - England Cricket | 43,299 records leaked | |
Email addresses, Passwords. In March 2024, English Cricket's icoachcricket website suffered a data breach that exposed over 40k records. The data included email addresses and passwords stored as either bcrypt hashes, salted MD5 hashes or both. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker". |