2026-03-25
In late March / early April 2026, Hasbro Inc. — the US toy and entertainment conglomerate (maker of Monopoly, Transformers, My Little Pony, Magic: The Gathering, Dungeons & Dragons, and numerous other …
2026-03-20
On March 20, 2026, the WorldLeaks extortion gang breached a third-party digital system used by the Los Angeles City Attorney's Office to transfer legal discovery documents. The LA City Attorney's …
2026-03-19
AppsFlyer — one of the world's largest mobile attribution platforms, with its SDK embedded in thousands of iOS and Android applications including crypto wallets and fintech apps — suffered a supply …
2026-03-19
On March 19, 2026, ShinyHunters obtained an AWS API key belonging to the European Commission's cloud environment via a prior compromise of the open-source security tool Trivy. This enabled …
2026-03-19
A Washington State-based employee benefits administrator notified approximately 2.7 million individuals of a data breach. The firm provides employee benefits enrollment, administration, and management …
2026-03-17
On March 17, 2026, identity protection firm Aura disclosed a data breach after ShinyHunters used targeted vishing to compromise a single employee's account. The attacker had access for approximately …
2026-03-16
On March 16, 2026, CareCloud (a Somerset, NJ-based healthcare IT company) detected unauthorized access to one of its six EHR environments. The threat actor had access for approximately 8 hours before …
2026-03-12
infostealer (unspecified)
On March 12, 2026, a threat actor gained access to Crunchyroll's customer support ticketing system after compromising an Okta account belonging to an employee of Telus Digital, Crunchyroll's business …
2026-03-01
On approximately 31 March 2026, a California-based maker of implantable orthopedic devices disclosed it had been the victim of a cybersecurity incident. DataBreachToday reported the company as the …
2026-03-01
In early 2026, the Dutch Ministry of Finance (Ministerie van Financiën, also known as Rijksfinancien) disclosed a cybersecurity breach, details of which were reported in DataBreachToday's weekly …
2026-03-01
In early April 2026, a data leak affecting approximately 450,000 Lloyds Banking Group customers was reported, with details emerging in DataBreachToday's weekly breach roundup. Lloyds Banking Group is …
2026-02-25
UFP Technologies — a Massachusetts-based manufacturer of single-use medical device components, specialty packaging, and protective solutions for healthcare — disclosed a data theft hack to the SEC via …
2026-02-23
PayPal disclosed a data breach and associated fraud incident caused by a coding error in its payment application. The error allowed unauthorized access to a subset of user account data and was used to …
2026-02-17
Kettering Health (an Ohio-based health system operating multiple hospitals and care sites) was notifying current and former patients of data exposure resulting from an Interlock ransomware attack. The …
2026-02-07
On the weekend of February 7–8, 2026, ShinyHunters breached Odido's (Netherlands' largest mobile network operator) customer contact system and downloaded records for approximately 6.2 million …
2026-02-05
In early 2026, the former Nuance Communications IT worker responsible for the Geisinger Health patient data breach (documented separately) faced additional federal charges. The original breach …
2026-02-04
Harvard University and the University of Pennsylvania were named as victims and had data leaked by ShinyHunters, the prolific hack-and-leak group responsible for numerous high-profile breaches …
2026-02-04
Between February 4–7, 2026, threat actors used a compromised Okta SSO account to access Hims & Hers' Zendesk support instance and exfiltrate customer support tickets. The breach was detected February …
2026-02-03
On February 3, 2026, security researcher Jeremiah Fowler discovered three unsecured publicly exposed databases during routine Shodan scans, containing 4.3 terabytes of data linked to Sears Home …
2026-02-01
In February 2026, ShinyHunters breached CarGurus (a major US online automotive marketplace) via social engineering. After CarGurus declined to pay ransom, the data was published publicly. The breach …
2026-02-01
LexisNexis, the major legal research and information services platform used extensively by law firms, government agencies, and courts, confirmed a data breach in early 2026. Hackers claimed access to …
2026-01-29
An ambulance billing and medical collections firm agreed to pay $515,000 to Massachusetts and Indiana attorneys general following a hack that compromised patient data. The firm provided revenue cycle …
2026-01-28
In 2025, a Maryland-based firm providing AI-powered services (identity or background verification) was hacked, with the breach disclosed in early 2026 affecting approximately 3.1 million individuals. …
2026-01-09
On January 9, 2026, Betterment (a major US robo-advisor and investment platform) suffered a data breach after ShinyHunters used vishing to compromise IT support at a third-party vendor believed to be …
2026-01-09
In January 2026, ShinyHunters breached Crunchbase (a major business intelligence and startup data platform) via vishing — attackers impersonated internal employees to social-engineer IT support into …
2026-01-01
On January 29, 2026, ShinyHunters posted data allegedly stolen from Bumble (dating app) and Match Group (parent of Tinder, Hinge, OkCupid) on a dark web leak site. ShinyHunters claimed to have stolen …
2026-01-01
Figure Technology Solutions (fintech lending company) disclosed in February 2026 that ShinyHunters conducted a vishing (voice phishing) attack against an employee in January 2026, obtaining …
2026-01-01
Telus Digital (Canadian BPO providing outsourced customer support, content moderation, and AI services) confirmed a multi-month breach on March 12, 2026. ShinyHunters claimed credit, alleging theft of …
2025-12-26
On December 26, 2025, an unauthorized actor exfiltrated data from Eurail B.V.'s (European rail pass operator covering 33 national railways) AWS S3, Zendesk, and GitLab instances. Eurail identified the …
2025-12-22
Navia Benefit Solutions, an employee benefits administration company, suffered a data breach due to a BOLA (Broken Object Level Authorization) API vulnerability. An unknown threat actor accessed …
2025-12-20
On December 20, 2025, a threat actor called 'Lovely' posted a 2.366 million-record database from WIRED.com on the Breach Stars forum, selling access for approximately $2.30. Exposed data included full …
2025-12-15
In December 2025, ShinyHunters breached SoundCloud via vishing — attackers convinced employees to provide access to an ancillary service dashboard. SoundCloud confirmed the breach on December 15, …
2025-12-01
On January 4, 2026, the Crimson Collective threat group publicly claimed via Telegram to have breached Brightspeed (a major US fiber broadband provider) and stolen records for over 1 million …
2025-12-01
Ledger (hardware crypto wallet manufacturer) disclosed in January 2026 that an unnamed unauthorized party accessed a Global-e cloud system used to process international orders. Global-e detected …
2025-12-01
Cegedim Santé (French healthcare software provider) confirmed on March 3, 2026, that attackers stole 15.8 million administrative patient records from its MonLogicielMedical platform, used by 3,800 …
2025-11-12
SitusAMC (a financial technology provider serving 1,500+ clients including major US banks, real estate firms, and insurers) became aware of a breach on November 12, 2025, and notified all clients on …
2025-11-11
Cybernews researchers discovered on November 11, 2025, that IDMerit (a US identity verification and KYC/AML services provider) had left a MongoDB database publicly exposed without authentication. The …
2025-11-08
A former Coupang employee maintained unauthorized access to the company's systems and exfiltrated customer data, with the breach continuing until November 8, 2025. Coupang (South Korea's largest …
2025-11-01
Freedom Mobile, one of Canada's largest wireless carriers (owned by Shaw/Rogers), disclosed in December 2025 that a third-party vendor had been compromised, resulting in the exposure of customer data. …
2025-11-01
Marquis Software Solutions, a provider of core banking and analytics software to community banks and credit unions across the United States, disclosed in December 2025 that a breach had exposed …
2025-10-25
On October 25, 2025, an unauthorized third party gained access to DoorDash's internal systems after successfully social engineering a company employee. The number of affected individuals was not …
2025-10-15
Iberia, the Spanish national airline and subsidiary of IAG (International Airlines Group), disclosed in November 2025 that a third-party vendor breach had exposed loyalty programme member data. The …
2025-10-01
In October 2025, Discord disclosed that an unnamed third-party customer service provider had been breached, exposing data for approximately 55 million Discord users. The exposed information included …
2025-10-01
In October 2025, DocketWise (a cloud-based immigration case management platform for law firms) discovered that credentials to one of its third-party partner repositories had been accessed by …
2025-10-01
In November 2025, OpenAI disclosed that customer data had been exposed via Mixpanel, its third-party product analytics platform. OpenAI had shared user behavioral data with Mixpanel for product …
2025-10-01
CVE-2025-61882
The Washington Post disclosed in November 2025 that a breach of its Oracle E-Business Suite ERP system had exposed sensitive personal and financial data for approximately 10,000 current and former …
2025-09-15
MANGO, the Spanish global fashion retailer, disclosed in October 2025 that a third-party marketing provider had been compromised, exposing customer data. Exposed information included customer first …
2025-09-01
In September 2025, SwissBorg, a Swiss crypto asset management platform, lost approximately $41 million worth of Solana (SOL) after threat actors compromised Kiln, the third-party staking …
2025-09-01
In September 2025, ShinyHunters exploited a vulnerability in Wynn Resorts' Oracle PeopleSoft platform to access employee records. The breach was discovered in February 2026. ShinyHunters demanded a …
2025-09-01
Renault and Dacia UK disclosed in October 2025 that a third-party vendor had been compromised, exposing data for UK customers. Exposed information included customer names, gender, phone numbers, email …
2025-08-28
From August 28 to September 21, 2025, an individual affiliated with a licensed healthcare provider accessed the Minnesota Department of Human Services' MnCHOICES disability services system without …
2025-08-15
London North Eastern Railway (LNER), the UK train operator serving the East Coast Main Line between London King's Cross, Edinburgh, and Aberdeen, disclosed in September 2025 that a third-party vendor …
2025-08-15
Wealthsimple, a major Canadian online investment and financial services platform, disclosed in September 2025 that a third-party vendor had been compromised, resulting in the exposure of sensitive …
2025-08-04
On August 4, 2025, Bouygues Telecom — France's third-largest mobile phone carrier — detected a cyberattack. The company publicly disclosed the breach on August 6-7, 2025. Approximately 6.4 million …
2025-08-01
CVE-2025-61882
Beginning in August 2025, attackers exploited CVE-2025-61882 (a zero-day in Oracle E-Business Suite) to breach the University of Phoenix's network and steal sensitive data. The university detected the …
2025-08-01
In September 2025, the Canadian government disclosed that 2Keys Corporation, a digital identity and authentication service provider contracted by multiple federal agencies, had been compromised. The …
2025-08-01
Chess.com, the world's largest online chess platform with over 100 million registered users, disclosed in September 2025 that a third-party file transfer provider had been compromised. The breach …
2025-08-01
In September 2025, Harrods, the iconic London luxury department store, disclosed that a third-party vendor had been compromised, exposing contact details for online customers. Exposed information …
2025-07-28
TransUnion disclosed on August 28, 2025, that unauthorized actors accessed a third-party application serving its US consumer support operations between July 28–30, 2025. The attack is attributed to …
2025-07-16
On July 16, 2025, threat actors gained access to a third-party cloud CRM (Salesforce) used by Allianz Life Insurance of North America via social engineering/vishing. Attackers used Salesforce Data …
2025-07-01
700Credit — the largest provider of credit reporting, identity verification, fraud and compliance services for US automotive dealerships — suffered a data breach between approximately May and October …
2025-07-01
In July 2025, McDonald's disclosed a breach affecting approximately 64 million job applicants whose data was stored on systems operated by Paradox, Inc., McDonald's third-party AI-powered hiring …
2025-07-01
A code update error in PayPal's Working Capital loan application exposed approximately 100 customers' personally identifiable information from July 1 to December 13, 2025 — approximately six months. …
2025-07-01
In July 2025, Qantas Airways (Australia's flag carrier) suffered a Salesforce data breach attributed to ShinyHunters/Scattered Lapsus$ Hunters via a vishing campaign. Approximately 5.7 million …
2025-07-01
Air France-KLM, the Franco-Dutch multinational airline group, disclosed in August 2025 that their Salesforce CRM environment had been compromised as part of the ShinyHunters/Scattered Spider …
2025-07-01
Cisco confirmed in August 2025 that it had been affected by the ShinyHunters Salesforce social engineering campaign. Exposed data included names, addresses, user IDs, email addresses, phone numbers, …
2025-07-01
Pandora (Danish jewelry brand) and Chanel (French luxury fashion house) both disclosed in August 2025 that their Salesforce CRM environments had been compromised as part of the ShinyHunters/Scattered …
2025-07-01
In August 2025, TransUnion confirmed it had been affected by the ShinyHunters/Scattered Spider Salesforce social engineering campaign, with limited personal information exposed for an estimated 44 …
2025-07-01
Stellantis, the multinational automotive manufacturer (maker of Jeep, Chrysler, Fiat, Peugeot, and other brands), disclosed in September 2025 that a breach via its Salesforce platform had exposed …
2025-06-12
On June 12, 2025, Aflac insurance company's US network was compromised via social engineering. The attack is attributed to Scattered Spider, a financially motivated English-speaking group known for …
2025-06-01
Between June and August 2025, unauthorized actors accessed Prosper Marketplace's customer databases by exploiting compromised credentials. Prosper (a San Francisco-based peer-to-peer lending platform) …
2025-06-01
In October 2025, Scattered Lapsus$ Hunters published 63.62 GB of data (23+ million records) from Vietnam Airlines' Salesforce CRM system. The initial intrusion occurred around June 2025 as part of the …
2025-05-29
On May 29, 2025, hackers breached a third-party vendor system used by Farmers Insurance Exchange and its subsidiaries. Farmers was alerted to the suspicious activity on May 30, 2025. Although Farmers …
2025-04-22
DragonForce ransomware
Beginning around April 22, 2025, Scattered Spider (also tracked as UNC3944 and Octo Tempest) attacked Marks & Spencer, the UK's largest clothing retailer, by socially engineering employees at TCS …
2025-04-17
Between April 17–22, 2025, an unknown threat actor accessed files at an unnamed third-party service provider used by Ericsson Inc. (US operations). The investigation concluded in February 2026, and …
2025-04-01
In May 2025, Adidas disclosed that a data breach had occurred via an unnamed third-party customer service provider. The breach exposed customer contact information including names, email addresses, …
2025-04-01
In May 2025, the UK Legal Aid Agency (part of the Ministry of Justice) disclosed a significant data breach affecting information on 2,000 legal service providers and their clients. The exposed data …
2025-03-29
In late March 2025, a threat actor claimed to have stolen approximately 144GB of data from Royal Mail by compromising Spectos GmbH, a data analytics vendor used by Royal Mail for postal service …
2025-02-14
Anne Arundel Dermatology (a Maryland-based multi-site dermatology practice) disclosed a data breach affecting approximately 1.9 million individuals. Attackers maintained unauthorized access to the …
2025-01-28
Unauthorised access to Western Sydney University's systems via the SSO service occurred between 28 January and 25 February 2025. Approximately 10,000 current and former students notified 15 April …
2025-01-20
Starting January 20, 2025, operatives associated with the Department of Government Efficiency (DOGE), led by Elon Musk, were granted unprecedented access to sensitive federal government systems. …
2025-01-01
CVE-2021-35587
In March 2025, a threat actor known as 'rose87168' advertised on BreachForums the sale of approximately 6 million records allegedly stolen from Oracle Cloud's federated SSO login servers. The attacker …
2025-01-01
Grubhub detected unusual activity traced to a compromised third-party contractor account in early 2025. The contractor had access to internal systems used for customer care. Stolen data included …
2025-01-01
Starting in approximately early 2025, cybercriminals recruited and bribed several customer support agents employed by TaskUs, Coinbase's outsourced support provider operating from India. These rogue …
2024-12-19
PowerSchool, the dominant K-12 student information system provider serving approximately 16,000 schools and 50 million students in North America, suffered a data breach beginning December 19, 2024 …
2024-12-09
Monroe University, a New York-based for-profit university, suffered a cyberattack between December 9 and December 23, 2024, in which threat actors exfiltrated data on 320,973 individuals — including …
2024-12-01
In early 2025, the HellCat-affiliated threat actor 'Rey' exfiltrated 6.5 GB of data (12,000 files) from Orange Romania's back-office systems, resulting in exposure of over 600,000 records including …
2024-12-01
CVE-2024-50623, CVE-2024-55956
Hertz Corporation disclosed in April 2025 that customer data had been stolen in attacks exploiting Cleo managed file transfer (MFT) software vulnerabilities in approximately December 2024 and January …
2024-11-20
On November 20, 2024, an unauthorized party gained access to a single employee account and computer within the Southeast Series of Lockton Companies' network — one of the largest insurance brokerage …
2024-11-09
Legends International, a major entertainment venue management and premium services company, detected unauthorized activity on November 9, 2024. The company manages venue services for major sports …
2024-10-31
Finastra (London-based fintech serving 45 of the world's top 50 banks and 8,100+ financial institutions in 130 countries) had its SFTP platform accessed between 31 October and 8 November 2024. Threat …
2024-10-01
Infostealer malware (targeting Robling, third-party analytics vendor)
Threat actor 'Satanic' posted on BreachForums on 21 October 2024 claiming 350 million Hot Topic user records (figure likely inflated); confirmed data set is ~730 GB covering Hot Topic and its brands …
2024-10-01
Stiiizy, a major California-based cannabis brand and retailer, disclosed in January 2025 that a breach via its unnamed third-party POS system provider in approximately October 2024 had exposed records …
2024-09-30
US Bitcoin ATM operator Byte Federal (which operates 1,200+ ATMs nationwide) was breached on 30 September 2024 via a GitLab vulnerability but did not detect the incident until 18 November 2024. …
2024-09-28
Beginning September 28, 2024, an attacker accessed Free's network through VPN credentials using insufficiently robust multi-factor authentication. The attacker connected to MOBO, Free Mobile's …
2024-09-28
Threat actor (SN_BlackMeta, linked to pro-Palestinian hacktivist movement) defaced archive.org with a JavaScript alert and simultaneously exfiltrated a 6.4 GB SQL file 'ia_users.sql' containing 31 …
2024-09-20
MoneyGram, a major international money transfer and payment services company, suffered a data breach September 20–22, 2024 via an IT helpdesk social engineering attack (attributed to Scattered …
2024-09-19
Between September 19 and November 5, 2024, Serviceaide (an agentic AI-powered IT and workflow management platform based in Santa Clara, CA) left an Elasticsearch database containing Catholic Health …
2024-08-17
Between 17-19 August 2024, unauthorized third parties exploited two newly created Fidelity customer accounts to access personal data of 77,099 customers including Social Security numbers and driver's …
2024-06-13
Globe Life Inc. (insurance holding company, parent of American Income Life Insurance) detected suspicious activity on June 13, 2024. A threat actor obtained customer PII and attempted to extort Globe …
2024-06-02
CBIZ Benefits & Insurance Services (subsidiary of business services giant CBIZ Inc.) disclosed a breach affecting 35,953 individuals who had retiree health information on file. Exposed data included …
2024-06-01
An attacker gained access to Tile's customer support system using credentials belonging to a former employee, then scraped millions of customer records and attempted to extort Life360 (Tile's parent …
2024-04-28
Threat actor 'Menelik' registered as a Dell partner using fake company information (access granted within 24–48 hours), then used automated tooling to enumerate 49 million customer records by …
2024-04-14
Lumma/Vidar/RedLine infostealers (used to harvest credentials)
Nearly 110 million AT&T wireless customers had call and text metadata stolen — which numbers were contacted, call duration, and for some users cell tower location data. Data covered May 2022 through …
2024-04-01
Background check company National Public Data (Jerico Pictures) breached via plaintext admin credentials found in Members.zip archive on sister site RecordsCheck.net. 2.9 billion records allegedly …
2024-04-01
Ryan Mitchell Kramer (alias 'NullBulge'), a 25-year-old from Santa Clarita, California, distributed a malicious AI art generation tool on GitHub. When a Disney employee downloaded it, Kramer stole …
2024-03-09
HealthEquity, a Utah-based administrator of health savings accounts (HSAs), health reimbursement arrangements (HRAs), and COBRA benefits serving millions of Americans, disclosed a data breach …
2024-03-07
IntelBroker breached federal IT contractor Acuity Inc. on 7 March 2024 and claimed to have stolen data from US State Department, DoD, NSA, ICE, USCIS, and other agencies. The stolen data appeared on …
2024-02-27
VeriSource Services (Texas-based employee benefits and HR administration provider) discovered unusual activity on 28 February 2024. The final breach count was approximately 4 million individuals, …
2024-02-21
Cencora detected a cyberattack on 21 February 2024. Attackers exfiltrated patient data from its patient support program platform used by major pharmaceutical clients including AbbVie, Bayer, …
2024-02-14
Financial Business and Consumer Solutions (FBCS), a Pennsylvania-based debt collection agency, suffered a ransomware attack between February 14-26, 2024. The breach ultimately affected 4.2 million …
2024-02-14
Financial Business and Consumer Solutions (FBCS), a third-party debt collection agency used by Comcast, was hit by ransomware in February 2024. As a result, data on approximately 273,703–275,000 …
2024-02-09
DISA Global Solutions (background check, drug testing, and employment screening provider to 55,000+ companies including 135 Fortune 500 firms) was breached for 100+ days before discovery on 22 April …
2024-02-04
ALPHV/BlackCat ransomware
ALPHV/BlackCat claimed responsibility for the breach, detected 5 February 2024 (breach date 4 February). Initial SEC disclosure in February cited ~36,000 potential victims; updated notification to …
2024-02-01
NTT Communications Corporation, the international subsidiary of Japan's NTT Group, disclosed in March 2025 that a breach had exposed data for 17,891 corporate customers. The attackers gained access to …
2024-01-20
In January 2024, AnyDesk — the widely-used remote desktop software with over 170,000 customers including major enterprises and government agencies — discovered a breach of its production systems. …
2024-01-16
Threat actor 'emo' fed 500 million email addresses from prior breach corpora into Trello's publicly accessible REST API which returned public user profile data for each match, compiling 15 million …
2024-01-01
Kaiser Permanente disclosed that tracking technologies (pixels) embedded in its website and mobile apps transmitted member health information to third-party tech companies (Microsoft Bing, Google, …
2024-01-01
Outabox, an Australian hospitality IT provider offering facial recognition sign-in services for clubs, suffered a data breach exposing biometric and personal data of approximately 1 million …
2024-01-01
Volkswagen Group's software subsidiary CARIAD left data on approximately 800,000 EV owners unencrypted and publicly accessible in AWS cloud storage for months. Affected brands: Volkswagen, Audi, SEAT, …
2023-12-19
On 19 December 2023, St Vincent's Health Australia — the country's largest non-government healthcare and aged care provider, operating hospitals and aged care facilities across New South Wales, …
2023-11-27
Geisinger Health (major Pennsylvania health system) discovered on 29 November 2023 that former Nuance employee Andre Burk (age 46, California) had accessed patient records from 27 November 2023, two …
2023-10-27
Truist Bank (6th-largest US bank) confirmed an October 2023 breach after threat actor 'Sp1d3r' listed the stolen data for sale on a dark web forum on 12 June 2024 for $1 million. Data included …
2023-10-19
On October 19-20, 2023, unauthorized actors accessed the Sands LifeStyle loyalty programme database of Marina Bay Sands, Singapore's iconic integrated resort and casino. The breach exposed personal …
2023-10-16
CVE-2023-4966
Between October 16–19, 2023, attackers exploited the Citrix Bleed vulnerability (CVE-2023-4966) to gain unauthorized access to Comcast's Xfinity systems. Citrix had issued a patch on October 10, 2023, …
2023-10-01
Truist Bank, a major US financial institution formed by the merger of SunTrust Banks and BB&T, confirmed in June 2024 that its systems had been breached in October 2023. The breach came to light when …
2023-08-17
Payment gateway provider Slim CD disclosed that attackers had access to its systems from 17 August 2023, with credit card data specifically accessed 14-15 June 2024 before discovery on 15 June 2024. …
2023-07-05
On 5 July 2023, a threat actor posted for sale on an online forum a database purporting to contain approximately 27.7 million records from HCA Healthcare — the largest US for-profit hospital chain, …
2023-07-01
In September 2023, Dymocks Booksellers — Australia's largest book retailer operating approximately 65 stores — disclosed a data breach affecting approximately 836,000 customers. The breach was first …
2023-05-12
Akira
Akira ransomware group breached Stanford University's Department of Public Safety (SUDPS) network between May 12 and September 27 2023. Stanford disclosed the incident on October 27 2023 after the …
2023-04-29
Beginning April 29, 2023, a threat actor using the alias 'Golem' conducted credential stuffing against 23andMe's login portal over five months, gaining access to ~18,000 customer accounts directly. …
2023-04-18
WebTPA, a Texas-based third-party health insurance plan administrator, suffered a data breach discovered in April 2023 but not publicly disclosed until May 2024 — a 13-month delay. The breach affected …
2023-04-04
NCB Management Services, a debt purchasing and collections company that works with major banks, suffered a data breach on April 4, 2023. The breach exposed data of approximately 1.08 million …
2023-04-01
ALPHV/BlackCat ransomware
HWL Ebsworth, one of Australia's largest law firms with over 2,500 staff and a significant federal and state government client base, was attacked by the ALPHV/BlackCat ransomware group in April 2023. …
2023-03-27
Perry Johnson & Associates (PJ&A), a Nevada-based medical transcription services company, was breached between March 27 and May 2, 2023. The breach went undetected for over a month, and PJ&A did not …
2023-03-20
On March 20, 2023, OpenAI took ChatGPT offline after discovering a bug in its Redis client library (redis-py open-source library) that caused some users to see other users' conversation history titles …
2023-03-16
Attacker stole employee credentials and used them to access Latitude Financial's data held by two service providers including DXC Technology. 14 million records affected across Australia and New …
2023-03-08
In March 2023, data for approximately 56,415 individuals enrolled in DC Health Link — the health insurance marketplace for Washington D.C. residents including US House of Representatives members, …
2023-03-01
In March 2023, Ferrari N.V. disclosed that it had received a ransom demand from a threat actor following unauthorized access to some of its IT systems. Ferrari detected the breach and immediately …
2023-02-28
SilentRansom/Luna Moth
San Francisco-based law firm Orrick, Herrington & Sutcliffe LLP — which ironically specializes in advising companies on cybersecurity incidents and data breaches — suffered a double extortion attack …
2023-02-14
The U.S. Consumer Financial Protection Bureau (CFPB) disclosed in March 2023 that a former CFPB employee had sent 14 emails containing sensitive personal and financial information on approximately …
2023-02-05
Attacker sent convincing phishing email mimicking Reddit IT, tricked employee into entering credentials and TOTP codes in real time on fake login page. Accessed internal documents, dashboards, …
2023-01-17
Western Sydney University (WSU) disclosed a data breach in May 2023 involving unauthorized access to its Microsoft 365 email environment and SharePoint files from approximately January 2023. …
2023-01-05
Fast fashion retailer Forever 21 suffered a data breach where hackers had access to its systems from January 5 to March 21, 2023. The breach affected 539,207 current and former employees and their …
2022-12-25
Toyota confirmed a data breach in August 2024 after threat actor ZeroSevenGroup posted 240 GB of data on a hacking forum. Data included employee and customer PII, contracts, financial records, network …
2022-12-04
On December 4, 2022, an attacker used SMS phishing (smishing) to social-engineer an Activision HR employee into providing their MFA authentication code. With access to Activision's Slack workspace and …
2022-11-25
Attackers exploited an unprotected API endpoint starting Nov 25 2022, exfiltrating data over weeks undetected. 37 million customer records exposed including names, phone numbers, billing addresses, …
2022-11-01
TPG Telecom, Australia's second-largest telco (which acquired iiNet in 2015), disclosed on December 14 2022 that an unauthorised party had accessed its Hosted Exchange email platform. The attacker …
2022-09-19
Australian telco Optus exposed an unauthenticated internet-facing API due to coding error from 2018 not fully remediated. Attacker used simple trial-and-error over 3 days in Sept 2022 to enumerate …
2022-09-17
On 17-18 September 2022 — just two days after the Uber breach — the same 18-year-old Scattered Spider attacker (Arion Kurtaj) breached Rockstar Games' internal systems and leaked approximately 90 …
2022-08-23
On 23 August 2022, Plex — a media management and streaming platform with approximately 30 million registered users — discovered that an attacker had accessed a subset of their database including …
2022-08-08
CVE-2020-5741
Two-stage breach in 2022. Aug 8-11: attacker compromised software developer's laptop, stole 14 source code repositories. Aug 12: senior DevOps engineer's personal computer compromised via unpatched …
2022-08-01
On August 25, 2022, DoorDash disclosed a data breach caused by a phishing attack against an employee of an unnamed third-party vendor with access to DoorDash's internal systems. The attack was …
2022-03-04
Lapsus$ hacking group leaked 190GB of alleged Samsung source code and proprietary data in March 2022. Stolen data included: TrustZone trusted applet source code, biometric unlock algorithms, Galaxy …
2022-02-23
On approximately 23 February 2022, the Lapsus$ extortion group compromised Nvidia's internal network and exfiltrated approximately 1 terabyte of data, including proprietary GPU source code, DLSS (Deep …
2022-02-01
In approximately February 2022, Australian Clinical Labs' Medlab Pathology subsidiary suffered a ransomware attack that exfiltrated approximately 223,000 patients' sensitive medical and personal data. …
2022-01-18
BEACON, GLASSTOKEN (custom malware)
CVE-2021-40539
On 18 January 2022, the International Committee of the Red Cross (ICRC) discovered a cyberattack on servers hosted by a contractor in Switzerland that stored data for its Restoring Family Links …
2022-01-01
In early 2022, SafetyDetectives researchers discovered a publicly accessible Amazon S3 bucket belonging to Pegasus Airlines — a major Turkish airline with approximately 74 million passengers per year …
2022-01-01
A vulnerability in Twitter's account authentication system, introduced in a June 2021 code change, allowed any caller of Twitter's `id.twitter.com` API to submit a phone number or email address and …
2022-01-01
In November 2022, a threat actor using the alias 'Ryushi' posted a dataset of 487 million WhatsApp user phone numbers for sale on the Breached hacking forum, claiming it was scraped in 2022. The …
2021-12-10
In December 2021, a former employee of Cash App Investing — a subsidiary of Block, Inc. (formerly Square) — downloaded CSV reports containing brokerage account data for 8.2 million current and former …
2021-12-01
In December 2021, a threat actor exploited a Twitter API vulnerability that allowed them to query any phone number or email address and receive the corresponding Twitter account information in return. …
2021-10-11
On October 11, 2021, Cox Communications discovered that a hacker had impersonated a Cox support agent to gain access to internal systems, then accessed a small number of customer accounts. Cox …
2021-10-06
On 6 October 2021, an anonymous actor posted a 125 GB torrent on 4chan containing Twitch's entire source code, internal security tools, mobile and desktop clients, proprietary SDKs, internal AWS …
2021-10-04
On October 6, 2021, an anonymous user posted a 125GB torrent to 4chan claiming it was a complete Twitch data dump intended to 'foster more disruption and competition in the online video streaming …
2021-09-07
In September 2021, Ambulance Victoria — the state ambulance service providing emergency medical services across Victoria, Australia — inadvertently uploaded a file containing staff personal data to a …
2021-09-06
On 6 September 2021, an unauthorized actor used a compromised password to access GoDaddy's Managed WordPress hosting provisioning system. GoDaddy is the world's largest domain registrar and web …
2021-08-22
Apria Healthcare, a major US home healthcare equipment provider (durable medical equipment, infusion therapy, oxygen therapy), disclosed in May 2022 that it had experienced two separate unauthorized …
2021-08-01
In August 2021, John Binns — a 21-year-old US citizen living in Turkey — exploited an improperly secured T-Mobile testing environment that had been exposed to the internet, gaining access to …
2021-08-01
T-Mobile agreed to pay a $31.5 million FCC settlement in September 2024 covering four separate data breaches between 2021 and 2023. The 2021 breach (discovered August 2021) affected approximately 76.6 …
2021-06-06
In early June 2021, a group (later attributed to early Lapsus$ affiliates) breached Electronic Arts' internal network using Slack cookies, worth approximately $10, purchased from underground …
2021-06-01
In mid-2021, Latitude Financial Services suffered an earlier, smaller data security incident — separate from the major March 2023 breach (which affected 14 million customers via a compromised MSP …
2021-06-01
A Twitter API change in June 2021 introduced a vulnerability allowing anyone to look up Twitter accounts via email/phone. Threat actors scraped at scale before the patch in Jan 2022. 200-235M email addresses …
2021-05-01
In June 2021, data for approximately 700 million LinkedIn users — representing 93% of LinkedIn's total user base at the time — was posted for sale on RaidForums by a user calling themselves 'GOD User …
2021-05-01
Security researchers at Upguard and Wiz.io discovered in mid-2021 that Microsoft Power Apps portals had a default configuration that left internal data tables publicly accessible on the internet. …
2021-04-01
The Illinois Department of Human Services (IDHS) exposed sensitive personal data of more than 700,000 state residents for approximately four years, from April 2021 to September 2025. On September 22, …
2021-04-01
Blue Shield of California disclosed on April 9, 2025, that a misconfigured Google Analytics integration had been sharing member protected health information (PHI) with Google Ads from approximately …
2021-03-16
In March 2021, an unauthorized actor gained access to a Luxottica partner appointment scheduling application that contained patient data for customers of Luxottica's vision care brands — particularly …
2021-01-11
On 11 January 2021, 20/20 Eye Care Network — a managed vision care benefits company providing administration services to health plans — discovered that an unauthorized actor had accessed and deleted …
2021-01-09
On January 8, 2021, Amazon Web Services notified Parler — a social media platform popular with right-wing users — that it would terminate Parler's hosting services on January 10 due to Parler's role …
2021-01-01
On 20 July 2022, a threat actor posted on BreachForums offering to sell 69 million Neopets user records and — uniquely — live access to Neopets' database (with read and write capabilities) for 4 …
2021-01-01
In January 2021, security researchers at vpnMentor discovered a publicly accessible Elasticsearch database belonging to Socialarks — a Chinese social media management company that offers social media …
2021-01-01
Security researcher Jan Masters (working with Pen Test Partners) discovered in January 2021 that Peloton's API endpoints did not enforce authentication or authorization checks, allowing anyone to …
2020-12-10
In December 2020, Nickolas Sharp, a senior cloud engineer at Ubiquiti Networks (maker of UniFi networking equipment), used his legitimate access to Ubiquiti's AWS infrastructure and GitHub to …
2020-10-21
In October 2020, Nitro Software — the company behind Nitro PDF, a widely used PDF productivity and e-signature service — suffered a data breach that exposed data for approximately 77 million unique …
2020-10-03
In October 2020, security researcher Carlo di Dato published details of a dataset containing 167 million Gravatar user records obtained by systematically scraping Gravatar's public API. Gravatar is a …
2020-08-01
In August 2020, security researcher Volodymyr Diachenko discovered a publicly accessible Elasticsearch cluster belonging to Razer — the US gaming hardware company known for gaming peripherals, …
2020-07-20
On July 20, 2020, Microsoft's AI research team published open-source AI training data to GitHub and inadvertently included an overpermissioned Azure SAS token in the repository. The token granted …
2020-07-01
In August 2020, Freepik — one of the world's largest stock photography and design resources websites (along with its vector icon subsidiary Flaticon) — disclosed a data breach affecting approximately …
2020-07-01
In July 2020, Microsoft's AI research division accidentally published an Azure Shared Access Signature (SAS) token with overly permissive access when sharing an open-source training data contribution …
2020-06-01
In June 2020, Wattpad — the online creative writing platform with over 90 million users — suffered a data breach exposing approximately 268 million user records. The data was initially offered for …
2020-05-01
In August 2020, Experian South Africa disclosed that a suspected fraudster had obtained personal data of approximately 24 million South African individuals and 793,749 businesses by fraudulently …
2020-03-11
In March 2020, First Republic Bank (a US private bank and wealth management company) disclosed that an insider threat incident had occurred. A bank employee with legitimate access to AWS cloud systems …
2020-03-01
In March 2020, Safety Detectives researchers discovered a publicly accessible Elasticsearch database belonging to CAM4 — a popular adult livestreaming platform operated by Irish company Granity …
2020-03-01
Norwegian Cruise Line Holdings (NCLH), parent company of Norwegian Cruise Line, Regent Seven Seas Cruises, and Oceania Cruises, disclosed in July 2020 that it had suffered a data breach resulting from …
2020-02-01
In February 2020, Clearview AI — a controversial facial recognition company that scraped billions of photos from social media to build its facial recognition database, primarily serving law …
2020-01-01
EasyJet disclosed on 19 May 2020 that it had suffered a cyberattack that exposed the personal data of approximately 9 million customers. The attack was first detected in late January 2020 and …
2020-01-01
In February 2020, security researcher Jeremiah Fowler discovered a publicly accessible Elasticsearch database belonging to Estée Lauder — one of the world's largest cosmetics and beauty companies …
2020-01-01
In May 2020, easyJet (the UK-based low-cost airline) disclosed that it had suffered a cyberattack in which approximately 9 million customers had their email addresses and travel details exposed, and …
2020-01-01
National General (later acquired by Allstate) suffered two sequential data breaches via its online auto insurance quoting portals. First breach (2020): exposed driver's licence numbers of ~12,000 …
2019-11-22
On 22 November 2019, T-Mobile detected and stopped a cyberattack that gained access to information for approximately 1 million T-Mobile prepaid customers. T-Mobile disclosed the breach on 26 November …
2019-10-12
Cerebral, a US telehealth startup specializing in mental health treatment (therapy, psychiatry, and medication management), disclosed in March 2023 that it had transmitted sensitive health information …
2019-10-01
Cerebral, a telehealth company specializing in mental health services (particularly ADHD and anxiety/depression treatment), disclosed in March 2023 that it had shared sensitive patient data with Meta, …
2019-08-01
In August 2019, vpnMentor security researchers Noam Rotem and Ran Locar discovered a publicly accessible Elasticsearch database belonging to Suprema — a South Korean security company whose BioStar 2 …
2019-07-02
On approximately July 2, 2019, security researcher Bob Diachenko (working with Comparitech) discovered a publicly accessible, unauthenticated MongoDB database containing approximately 5.6 million …
2019-07-01
In July 2019, an attacker accessed a cloud server at MGM Resorts International and extracted personal data for approximately 10.6 million hotel guests. The breach went undetected until February 2020, …
2019-07-01
On July 1, 2019, the day the 7pay mobile payment app launched in Japan, criminals immediately began exploiting a critical vulnerability in the app's password reset mechanism. The reset flow allowed …
2019-06-01
In July 2019, the Bulgarian National Revenue Agency (Национална агенция за приходите, NAP) suffered the largest data breach in Bulgarian history. A hacker sent a link to the stolen data to Bulgarian …
2019-06-01
In June/July 2019, Sprint discovered that hackers had exploited a vulnerability on Samsung's 'Add a Line' promotional webpage — a co-branded retail portal used to add new Sprint lines to existing …
2019-05-24
On 24 May 2019, the graphic design platform Canva was breached by the GnosticPlayers hacker collective. Approximately 137 million user records were stolen, containing usernames, real names, email …
2019-05-01
In May 2019, an attacker obtained user data from StockX — the Detroit-based sneaker and streetwear authentication and resale marketplace valued at over $1 billion. The breach went undiscovered until …
2019-04-25
On 25 April 2019, Docker discovered unauthorized access to a Docker Hub database containing data for approximately 190,000 accounts (less than 5% of Hub users). Docker Hub is the world's largest …
2019-03-22
On March 22-23, 2019, Paige Thompson (alias 'erratic'), a former AWS software engineer, exploited a misconfigured AWS Web Application Firewall (WAF) running on Capital One's EC2 infrastructure. The …
2019-02-01
In March 2019, security researchers Bob Diachenko and Vinny Troia discovered a massive publicly accessible Elasticsearch database belonging to Verifications.io — an email verification service that …
2019-01-01
In June 2022, Canada's Office of the Privacy Commissioner (OPC), together with privacy commissioners from Alberta, British Columbia, and Quebec, published findings of a joint investigation into the …
2019-01-01
In early 2019, attackers exploited a feature in Facebook's contact import tool that allowed them to upload large lists of phone numbers and identify which were linked to Facebook accounts, retrieving …
2019-01-01
In March 2024, AT&T confirmed that a dataset containing personal information on approximately 73 million people (7.6 million current and 65.4 million former AT&T customers) had been posted on a dark …
2018-12-14
Georgia Institute of Technology disclosed on April 2 2019 that an unknown external actor had exploited a vulnerability in a web application to access a central data warehouse containing records for …
2018-12-03
On 3 December 2018, Quora — the popular question-and-answer platform with approximately 300 million monthly unique visitors — disclosed that an unknown attacker had accessed data for approximately 100 …
2018-08-21
Magecart skimmer
Between 21 August and 5 September 2018, a Magecart Group 6 skimmer silently exfiltrated payment card details from approximately 500,000 British Airways customers who purchased tickets online or via …
2018-08-20
On 20 August 2018, T-Mobile detected and shut down an attack that exploited a vulnerability in T-Mobile's API, exposing account data for approximately 2 million customers. T-Mobile disclosed the …
2018-08-01
Between August 1, 2018 and March 30, 2019, the web payment portal of American Medical Collection Agency (AMCA) — a third-party medical debt collections company — was compromised by attackers who …
2018-06-27
Custom RAT (remote access trojan)
Between 27 June and 4 July 2018, attackers exfiltrated personal data of 1.495 million patients from SingHealth's Sunrise Clinical Manager outpatient database — approximately 25% of Singapore's total …
2018-06-02
Flipboard — the popular social news aggregation app — disclosed on 28 May 2019 that it had suffered two separate periods of unauthorized access to its databases. The first period ran from 2 June 2018 …
2018-06-01
Security researcher Vinny Troia discovered in June 2018 that Exactis, a Florida-based data broker and marketing aggregation company, had left a 2-terabyte Elasticsearch database publicly accessible …
2018-05-23
On June 1, 2018, PageUp — an Australian HR software company whose recruitment platform is used by over 100 Australian and international enterprises — disclosed that it had detected unauthorized access …
2018-04-01
In April 2018, Chegg, an American education technology company, suffered a data breach when a contract worker used Chegg's AWS root account credentials — which had been shared widely within the …
2018-03-14
UnityPoint Health, a major Iowa-based health system operating 32 hospitals and 280+ clinics across Iowa, Illinois, and Wisconsin, suffered two phishing-related breaches in 2018. The first (not widely …
2018-03-01
In March 2018, an attacker accessed Cathay Pacific's IT systems and obtained data for approximately 9.4 million passengers — one of the largest aviation data breaches ever. Cathay Pacific discovered …
2018-02-01
In February 2018, an unauthorized party obtained data from approximately 150 million MyFitnessPal user accounts. Under Armour, which had acquired MyFitnessPal in 2015 for $475 million, discovered the …
2018-01-01
HealthEngine, Australia's largest health appointment booking platform with over 17 million users across approximately 60,000 healthcare practices, was found by Australian regulators to have improperly …
2017-10-01
Imperva, a cybersecurity company providing cloud-based web application firewall (WAF) and DDoS protection services, disclosed in August 2019 that a data breach had exposed customer data for its Cloud …
2017-08-01
In August 2017, security researcher Dylan Houlihan discovered that Panera Bread's website had an unauthenticated API endpoint at panerabread.com that returned customer records in plaintext — …
2017-07-31
In late July/early August 2017, a hacker exfiltrated approximately 1.5 terabytes of data from HBO's internal systems including unreleased episodes of Game of Thrones (the most watched show on …
2017-07-28
In late July 2017, Aetna mailed letters to approximately 11,887 members nationwide regarding a court-ordered change to HIV prescription coverage policy (members were being notified they could obtain …
2017-06-01
In June 2017, UpGuard cybersecurity researcher Chris Vickery discovered an Amazon S3 bucket belonging to Deep Root Analytics — a data analytics firm that had been contracted by the Republican National …
2017-05-17
On 17-18 May 2017, Zomato — India's largest food delivery and restaurant discovery platform, operating in 24 countries with approximately 120 million monthly visitors — disclosed that approximately 17 …
2017-05-01
An unnamed hacker breached Bell Canada in May 2017 and exfiltrated data on approximately 1.9 million active and former customer accounts, including names, email addresses, phone numbers, and …
2017-05-01
Carbanak POS RAM-scraping malware
Between May 2017 and March 2018, the FIN7 cybercriminal group (operating the JokerStash carding shop) compromised point-of-sale systems at all Saks Fifth Avenue and Lord & Taylor luxury department …
2017-04-01
In April 2017, Wonga Finance — the UK's largest payday loan company at its peak, with approximately 1 million UK customers — suffered a data breach affecting approximately 270,000 UK customers and …
2017-03-24
POS RAM scraping malware
Between 24 March and 18 April 2017, attackers installed malware on point-of-sale systems at most Chipotle Mexican Grill restaurant locations in the United States. The malware scraped payment card …
2017-03-10
CVE-2017-5638
Apache disclosed CVE-2017-5638 on March 7, 2017 and patched it the same day. Equifax security scans failed to identify the vulnerable system. Attackers exploited the Apache Struts flaw in Equifax's online dispute …
2017-03-01
First American Financial Corporation, one of the largest title insurance and real estate settlement services providers in the United States, had an IDOR (Insecure Direct Object Reference) …
2017-01-01
India's Aadhaar national biometric identity system — which stores fingerprint and iris scan data for approximately 1.2 billion Indian citizens and links to bank accounts, mobile phones, and government …
2017-01-01
A Desjardins Group employee with legitimate access to member data exfiltrated personal information of members over approximately 26 months (from early 2017 to March 2019) and shared it with …
2017-01-01
Desjardins Group, Canada's largest federation of credit unions with over 7 million members, disclosed in June 2019 that a malicious insider (a now-former employee) had been exfiltrating member data …
2017-01-01
GoodRx, the US prescription drug discount platform with approximately 55 million users, disclosed its use of third-party advertising trackers in 2023 when the FTC took enforcement action. GoodRx had …
2017-01-01
GoodRx, a health technology company offering prescription drug discount coupons and telehealth services, shared sensitive user health data with Facebook/Meta, Google, Criteo, Branch, and other …
2016-11-01
In November 2016, Three Mobile UK — one of the UK's major mobile network operators — disclosed a breach of its customer upgrade system. Fraudsters used compromised employee login credentials to access …
2016-10-26
In October 2016, a contractor responsible for building Australian Red Cross Blood Service's donor portal accidentally included a 1.74 GB SQL database backup file in a publicly accessible web directory …
2016-10-25
On 25 October 2016, a file named 'donorquestionnaire.bak' containing registration data for 550,000 blood donors was inadvertently left in a publicly accessible directory on the Australian Red Cross …
2016-10-20
On December 6, 2016, data breach tracking service LeakedSource reported that a dataset containing 85.2 million Dailymotion user records had been offered for sale and contained data from a breach …
2016-10-01
FriendFinder Networks, the operator of adult dating websites, suffered a breach that exposed approximately 412 million accounts across six properties including AdultFriendFinder.com, Cams.com, …
2016-10-01
An attacker compromised a single Deloitte administrator account that lacked multi-factor authentication, granting access to Deloitte's global email server hosted on Microsoft Azure. The breach gave …
2016-10-01
Attackers found Uber AWS credentials in GitHub and downloaded data affecting 57M users and drivers (names, emails, phone numbers; 600K US driver license numbers). Uber CSO Joe Sullivan paid hackers …
2016-09-27
LifeBridge Health, a Maryland-based health system operating Sinai Hospital, Northwest Hospital, Levindale Hebrew Geriatric Center, and other facilities, disclosed in May 2018 that it had discovered …
2016-07-01
Beginning in mid-2016, a cybercriminal group calling themselves 'The Dark Overlord' (TDO) conducted a sustained campaign of healthcare data theft and extortion against multiple US healthcare …
2016-06-17
POS RAM-scraping malware
Between 23 June and 7 July 2016, attackers first compromised Banner Health's point-of-sale (POS) systems at food and beverage outlets within Banner Health facilities, using RAM-scraping malware to …
2016-06-17
POS malware
Banner Health, a Phoenix, Arizona-based nonprofit hospital system operating 28 hospitals and numerous clinics across seven western states, disclosed on August 3, 2016 that it had suffered the largest …
2016-05-21
Newkirk Products, Inc., a New York-based company that printed and mailed health plan identification cards on behalf of multiple Blue Cross Blue Shield (BCBS) plans, disclosed a data breach in August …
2016-03-27
On 27 March 2016, hacktivist group LulzSec Pilipinas defaced the website of the Philippines Commission on Elections (COMELEC) and dumped its entire voter database — weeks before the 9 May 2016 Philippine general …
2016-02-01
In February 2016, Weebly — a popular drag-and-drop website builder platform serving approximately 40 million users and 625,000 paying customers — suffered a data breach. The breach went undiscovered …
2016-01-07
On January 7, 2016, Centene Corporation — one of the largest Medicaid-focused managed care organizations in the United States, operating health plans in over 25 states — discovered that six …
2016-01-01
In early 2016, Lifeboat — one of the most popular Minecraft Pocket Edition server networks with over 3 million registered accounts — was breached. The breach affected approximately 7 million user …
2016-01-01
In early 2016, Verizon Enterprise Solutions — the business division of Verizon that provides managed network services to Fortune 500 companies and government agencies — suffered a data breach exposing …
2015-11-14
On 14 November 2015, a hacker breached VTech's Learning Lodge — the app store and content platform for the company's range of children's electronic learning tablets and toys. VTech is a major Hong …
2015-10-21
On 21 October 2015, TalkTalk — one of the UK's largest broadband and telecoms providers serving approximately 4 million customers — was attacked by a group of teenagers who exploited a SQL injection …
2015-10-03
In October 2015, an unknown attacker compromised the patient database of 21st Century Oncology Holdings — the largest radiation oncology treatment chain in the United States, operating approximately …
2015-10-03
21st Century Oncology, the largest integrated cancer care provider in the United States at the time (operating 180+ locations in 17 states plus international), suffered a database intrusion on or …
2015-07-12
On July 12, 2015, a hacking group calling themselves 'Impact Team' notified Ashley Madison (a dating website for married people seeking affairs, operated by Avid Life Media) that they had stolen the …
2015-07-05
On 5 July 2015, Hacking Team — an Italian cybersecurity company that sold offensive surveillance software (Remote Control System, branded 'Galileo') to governments and law enforcement agencies …
2015-06-12
On 12 June 2015, LastPass — one of the world's most widely used password managers with tens of millions of users — discovered that its network had been compromised and that user data had been …
2015-03-01
POS RAM-scraping malware
In May 2015, Sally Beauty Holdings disclosed its second payment card breach in approximately one year. The beauty supply retailer discovered unauthorized access to payment card data from its …
2015-01-01
Between January and May 2015, sophisticated cybercriminals exploited the IRS 'Get Transcript' web application to access prior-year tax return transcripts for over 100,000 taxpayers. The attackers did …
2014-12-10
Anthem (now Elevance Health), the second-largest US health insurer, disclosed in February 2015 that attackers had gained access to its enterprise data warehouse and exfiltrated approximately 78.8 …
2014-12-01
In late 2014, Morgan Stanley financial advisor Galen Marsh used his authorized access to the firm's internal systems to download account information for approximately 350,000 wealth management …
2014-10-01
In late 2014, Russian state-sponsored hackers breached the U.S. State Department's unclassified email system (SBU — Sensitive But Unclassified network), gaining persistent access that proved extremely …
2014-09-01
In September 2014, a sophisticated cyberattacker accessed portions of the UCLA Health network containing protected health information. UCLA Health — one of California's largest academic medical …
2014-09-01
UCLA Health, one of the leading academic medical centers in the United States, disclosed in July 2015 that attackers had accessed parts of its network containing personal and medical information for …
2014-08-01
Hacker collective NullCrew claimed responsibility for a breach of Bell Canada, Canada's largest telecom, disclosed August 28 2014. Approximately 1.9 million email addresses and 76,000 names and active …
2014-07-01
K Box Entertainment Group — a Singapore-based karaoke chain with approximately 25 outlets — suffered a breach of its customer membership database in 2014, exposing data for approximately 317,000 …
2014-07-01
The 2015 OPM breach is widely regarded as the most damaging government data breach in U.S. history. Chinese state-sponsored hackers (APT10/Deep Panda) used credentials stolen from KeyPoint Government …
2014-06-13
In June 2014, hacker group Rex Mundi announced they had stolen approximately 592,000 customer records from Domino's Pizza's online ordering systems in Belgium and France. Rex Mundi was a group known …
2014-06-01
In June 2014, a sophisticated cyberattacker — assessed by Mandiant as the same China-linked group responsible for the Anthem (February 2015) and Premera Blue Cross (March 2015) breaches — compromised …
2014-06-01
In June 2014, Rex Mundi — a cybercriminal extortion group known for targeting European companies — compromised Domino's Pizza France and Belgium's online ordering systems and threatened to publish …
2014-06-01
Between June and August 2014, a sophisticated attack attributed to a Russian cybercriminal group compromised JPMorgan Chase's internal network, gaining access to data for 76 million households and 7 …
2014-06-01
In June 2014, a sophisticated hacking group breached JPMorgan Chase's network and maintained access until it was discovered in approximately August 2014. The attackers accessed data on approximately …
2014-06-01
CareFirst BlueCross BlueShield, the dominant health insurer for the Washington D.C./Maryland/Virginia region, disclosed on May 20, 2015 that approximately 1.1 million members had their data accessed …
2014-05-05
On 5 May 2014, attackers believed to be a Chinese APT group (assessed as Winnti/APT41) gained access to Premera Blue Cross's network via a spear-phishing attack. The attackers maintained persistent …
2014-05-05
Premera Blue Cross, one of the largest health insurance carriers in the Pacific Northwest, disclosed in March 2015 that attackers had gained access to its IT systems beginning May 5, 2014 — …
2014-04-01
Custom Mimikatz variant
Between April and June 2014, a China-linked APT group (assessed as APT18/Wekby by Mandiant, who CHS hired to investigate) compromised Community Health Systems (CHS) — at the time the second-largest …
2014-04-01
POS RAM-scraping malware
Between April and September 2014, POS malware infected point-of-sale systems at 115 Staples store locations across the United States. The breach resulted in approximately 1.16 million customer payment …
2014-04-01
CVE-2014-0160
Between approximately April and June 2014, APT18 (also known as Dynamite Panda, Threat Group-0416, or Wekby), a Chinese state-linked advanced persistent threat group attributed by Mandiant, exploited …
2014-04-01
BlackPOS (Kaptoxa) RAM-scraper
Between April and September 2014, attackers used stolen credentials belonging to a third-party Home Depot vendor to gain initial access to the retailer's network. They exploited an unpatched Windows …
2014-04-01
POS RAM-scraping malware
Between approximately April and September 2014, attackers deployed POS malware at Staples retail stores across the eastern United States. Staples first acknowledged an investigation in October 2014 …
2014-03-01
PlugX RAT
The OPM breach disclosed in June 2015 actually comprised two distinct intrusions. This earlier intrusion — dating to approximately March 2014 or possibly as early as late 2013 — targeted OPM's …
2014-02-18
On February 18, 2014, the University of Maryland suffered a data breach in which attackers accessed a database containing records for 309,079 faculty, staff, and students who had been issued a …
2014-02-12
On February 12, 2014, Kickstarter was notified by law enforcement that its database had been accessed by unauthorized attackers via a SQL injection vulnerability. Kickstarter disclosed the breach to …
2014-02-01
In early 2014, the Federal Aviation Administration (FAA) suffered an unauthorized intrusion into an agency computer system that contained personally identifiable information for approximately 45,000 …
2014-02-01
In approximately February-March 2014, attackers compromised the credentials of a small number of eBay corporate employees and used those credentials to access the company's network, ultimately …
2014-01-01
In early 2014, Andrew Skelton — a senior IT auditor at Morrisons, one of the UK's largest supermarket chains — deliberately leaked the personal data of 99,998 Morrisons employees as an act of …
2014-01-01
Indiana University discovered in May 2014 that files containing Social Security numbers and other personal data for approximately 146,000 current and former students had been inadvertently exposed on …
2014-01-01
In November 2014, the U.S. Postal Service disclosed that Chinese government hackers had breached its corporate networks and accessed personnel data for approximately 800,000 employees. The intrusion …
2014-01-01
Remote Access Trojan (name undisclosed)
Chinese state-sponsored hackers (linked to the PLA) compromised the Starwood Hotels reservation system as early as 2014, two years before Marriott acquired Starwood (2016). The breach persisted undetected until …
2013-12-23
In December 2013, a sophisticated cyberattack — widely attributed to a China-linked nation-state APT group believed to be the same threat actor responsible for the Anthem and Premera health insurance …
2013-12-01
Excellus BlueCross BlueShield, a Rochester, New York-based health insurer covering approximately 3.5 million members in upstate New York, disclosed on September 10, 2015 that attackers had gained …
2013-11-06
Toyota disclosed in May 2023 that vehicle data for 2.15 million Toyota and Lexus customers in Japan had been publicly accessible via a misconfigured cloud environment for approximately 10 years …
2013-11-06
Toyota Motor Corporation disclosed on May 12, 2023 that vehicle location data and other connected vehicle information for approximately 2.15 million customers in Japan had been publicly accessible for …
2013-11-01
In November 2013, Cupid Media — an Australian company operating approximately 35 niche online dating websites including ChristianCafe, CatholicMingle, MilfDate, AsianDating, and others — suffered a …
2013-11-01
Between approximately November 2013 and April 2014, employees at AT&T's outsourced call centers in Colombia, Mexico, and the Philippines improperly accessed records of approximately 280,000 U.S. …
2013-10-01
In October 2015, Scottrade announced that it had been notified by federal law enforcement that its systems had been breached between approximately late 2013 and early 2014. The attackers accessed a …
2013-08-01
In October 2013, Adobe disclosed two simultaneous major security incidents: (1) Source code theft: attackers exfiltrated source code for Adobe Acrobat, Adobe Reader, Adobe ColdFusion, and ColdFusion …
2013-07-16
POS RAM-scraping malware
Between approximately July 16, 2013 and October 30, 2013, attackers installed RAM-scraping malware on Neiman Marcus point-of-sale (POS) systems at the luxury retailer's stores. The malware captured …
2013-07-15
On July 15, 2013, four unencrypted desktop computers were stolen from Advocate Medical Group's administrative offices in Park Ridge, Illinois. The computers contained personal and health information …
2013-07-15
On 15 July 2013, four unencrypted laptops were stolen from an administrative office of Advocate Medical Group — the largest physician practice group in Illinois, associated with Advocate Health Care. …
2013-07-01
Yahoo suffered two separate mega-breaches that collectively represent the largest credential theft in internet history. (1) August 2013 breach (disclosed December 2016, revised to 3 billion accounts …
2013-06-01
Between 2013 and 2015, Aleksandr Kogan (a Cambridge University researcher) built a personality quiz app ('This Is Your Digital Life') and used Facebook's Open Graph API to harvest personal data from …
2013-05-08
POS RAM-scraping malware
Between 8 May 2013 and 27 January 2014, POS malware infected approximately 7.2% of Michaels stores' point-of-sale terminals nationwide, capturing payment card data for approximately 2.6 million cards. …
2013-05-01
In May 2016, a dataset containing 65.5 million Tumblr user email addresses and hashed passwords appeared for sale on dark web markets, offered by the same seller ('peace_of_mind') who was …
2013-04-26
On 26 April 2013, LivingSocial — a daily deals website owned by Amazon — disclosed that attackers had accessed its database containing up to 50 million customer records. Exposed data included names, …
2013-04-01
In late April 2013, LivingSocial (an online deals and local offers marketplace, then majority-owned by Amazon) suffered a cyberattack in which hackers accessed a database containing information for up …
2013-02-28
In late February 2013, Evernote — the popular note-taking application with approximately 50 million registered users — detected and blocked suspicious activity on its network. The attackers accessed …
2013-01-01
In November 2017, security researcher Troy Hunt (operator of Have I Been Pwned) notified Imgur that a dataset containing 1.7 million Imgur user email addresses and passwords had been shared with him. …
2012-11-01
Howard University Hospital in Washington, D.C. disclosed in January 2013 that an unencrypted laptop containing information on approximately 34,503 patients had been stolen. The laptop contained …
2012-09-01
In May 2015, Pennsylvania State University disclosed that its College of Engineering computer network had been compromised by two separate sophisticated cyberattacks. One was attributed to …
2012-08-27
A foreign hacker (attributed to Eastern Europe, never charged) penetrated the South Carolina Department of Revenue via a spear-phishing email that compromised an employee's credentials. The attacker …
2012-08-04
On 4 August 2012, Blizzard Entertainment — maker of World of Warcraft, Diablo, and StarCraft — discovered that an unauthorized party had illegally accessed their internal network and obtained …
2012-07-01
Disqus — the widely-used blog comment hosting service embedded across millions of websites — disclosed in October 2017 that a database snapshot from July 2012 containing data for 17.5 million users …
2012-07-01
On October 5, 2017, Disqus disclosed that it had been notified by security researcher Troy Hunt that a dataset containing user data from a 2012 breach had been provided to him by an anonymous source. …
2012-06-14
In August 2012, the South Carolina Department of Health and Human Services disclosed that a former agency employee, Christopher Lykes Jr., had accessed the state's Medicaid eligibility database after …
2012-05-01
In June 2012, LinkedIn disclosed that a subset of member passwords had been compromised after approximately 6.5 million unsalted SHA-1 password hashes appeared on a Russian security forum. LinkedIn …
2012-01-15
On approximately January 15-16, 2012, Zappos (the online shoe and clothing retailer owned by Amazon) suffered a breach in which attackers accessed a customer database server. Approximately 24 million …
2012-01-01
In March 2019, security journalist Brian Krebs reported that Facebook had been storing hundreds of millions of user passwords in plaintext in internal log files since as early as 2012. The logs were …
2012-01-01
Global Payments, a major Atlanta-based credit card processing company, disclosed in March 2012 that it had suffered a data breach affecting approximately 1.5 million credit and debit card accounts. …
2011-10-15
On October 15, 2011, an unencrypted desktop computer was stolen from a Sutter Medical Foundation administrative office in Sacramento, California. The computer contained an unprotected Microsoft Access …
2011-10-14
On October 14, 2011, a desktop computer was stolen from a Sutter Physicians Services administrative office in Sacramento, California. The computer contained an unencrypted Microsoft Access database …
2011-09-14
On September 14, 2011, backup tapes containing personal and protected health information for approximately 4.9 million TRICARE (US military healthcare) beneficiaries were stolen from the personal …
2011-09-14
On September 14, 2011, backup tapes containing TRICARE (the U.S. military health insurance program) data were stolen from a car belonging to an employee of Science Applications International …
2011-04-17
Between April 17 and 19, 2011, attackers exploited a known Apache vulnerability to breach Sony's PlayStation Network (PSN) and Sony Online Entertainment (SOE) — the online gaming and entertainment …
2011-04-01
In May 2011 (discovered internally, disclosed June 2011), hackers breached Citigroup's online banking portal by exploiting a straightforward insecure direct object reference (IDOR) vulnerability — …
2011-03-01
In late March 2011, Epsilon Data Management — the world's largest permission-based email marketing company at the time (subsidiary of Alliance Data Systems) — suffered a data breach that exposed names …
2010-09-01
In September 2010, NewYork-Presbyterian Hospital (NYP) and Columbia University Medical Center (CUMC) disclosed that approximately 6,800 patient records had been exposed on the internet due to a …
2010-09-01
NewYork-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) operated a shared data network that included electronic health records. In September 2010, a Columbia University …
2009-11-01
RockYou was a social media widget company (popular Facebook/MySpace apps) that stored all 32 million user passwords in plaintext — with no hashing whatsoever. A SQL injection exploit allowed a hacker …
2009-10-01
In late 2008 through early 2009 (with disclosure occurring in late 2009 and broader reporting in 2010), RBS WorldPay (a payment processing subsidiary of the Royal Bank of Scotland operating in the US) …
2008-04-01
Between April 2008 and late 2010, Wyndham Hotel & Resorts suffered three separate network intrusions that collectively compromised approximately 619,000 consumer payment card account numbers, …
2008-01-01
MySpace, once the world's largest social network, suffered a breach (believed to have occurred around 2008) that was not publicly revealed until May 2016 when approximately 360 million email address …
2007-12-01
Hannaford Brothers, a supermarket chain operating in the northeastern United States, disclosed in March 2008 that its point-of-sale systems had been compromised by malware that stole approximately 4.2 …
2007-12-01
Heartland Payment Systems, one of the largest payment processors in the United States, disclosed in January 2009 that it had been breached by Albert Gonzalez and two Russian accomplices beginning …
2006-08-04
On August 4, 2006, AOL's research team released a dataset of approximately 20 million search queries from 657,000 users to a public research website for academic purposes. Users were assigned random …
2006-05-03
On May 3, 2006, a laptop computer and external hard drive belonging to a U.S. Department of Veterans Affairs (VA) data analyst were stolen from his home in Aspen Hill, Maryland in a residential …
2005-07-01
The TJX breach was the largest retail breach in history at the time of disclosure. Beginning around July 2005, Albert Gonzalez's crew drove through TJX store parking lots with laptops equipped with …
2005-02-19
In February 2005, the contents of Paris Hilton's T-Mobile Sidekick device were stolen and posted on the internet — including her celebrity contact list, personal photos, and SMS messages. The T-Mobile …
2005-01-01
DSW (Designer Shoe Warehouse) Inc. disclosed in March 2005 that a data breach had compromised payment card information from 108 of its 175 retail stores across the United States. Approximately 1.4 …
2005-01-01
DSW Inc. (Designer Shoe Warehouse), operating approximately 175 shoe retail stores across the United States, disclosed in March 2005 that attackers had accessed its computer network and stolen payment …
2004-01-01
ChoicePoint, one of the largest US data brokers, disclosed in February 2005 that fraudsters had created approximately 50 fake business subscriber accounts using stolen identities to gain legitimate …
2004-01-01
CardSystems Solutions, a payment card processor based in Tucson, Arizona, was breached via SQL injection between approximately January 2004 and May 2005. The attackers accessed approximately 40 …
2003-01-01
BJ's Wholesale Club, a membership warehouse retailer operating in the eastern United States, suffered a payment card breach that was publicly disclosed in March 2004. Attackers compromised BJ's …
2003-01-01
BJ's Wholesale Club, a members-only retail warehouse chain on the US East Coast, suffered payment card data breaches beginning as early as 2003 due to systemic security failures, including using WEP …
2001-03-01
Between March 2001 and March 2002, Gary McKinnon — a 36-year-old IT administrator from London, UK, operating under the alias 'Solo' — conducted what the US government called 'the biggest military …
1999-08-01
Between August and October 1999, Jonathan James — a 15-year-old from Pinecrest, Florida using the handle 'c0mrade' — conducted a series of intrusions against US government systems that made him the …
1998-02-01
In February 1998, during the height of the Iraq crisis (the US was preparing military action against Iraq over UN weapons inspections), unknown actors began systematically attacking US DoD computer …
1996-10-01
Moonlight Maze is one of the first documented nation-state cyber espionage campaigns against the United States. Beginning as early as October 1996 and continuing through at least 1999, Russian …