Data Breaches Examples

A threat actor is selling account databases containing an aggregate total of 34 million user records that they claim were stolen from seventeen companies during data breaches.
The seventeen databases being sold are shown below:

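| Company | User Records | Disclosed? |
|---|---|---|
| | 8.1 million | Yes |
| | 4.7 million | No |
| | 4.3 million | Yes via email |
| | 2.9 million | No |
| | 2.9 million | No |
| | 2.8 million | No |
| | 2.2 million | No |
| | 1.3 million | No |
| RedMart | 1.1 million | Yes |
| | 1 million | No |
| | 789 thousand | No |
| | 779 thousand | No |
| | 571 thousand | No |
| | 386 thousand | No |
| | 227 thousand | No |
| | 162 thousand | Yes |
| | 129 thousand | No |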

A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.

Claimed to be used by over 10 thousand business customers and 1.8 million licensed users, Nitro is an application used to create, edit, and sign PDFs and digital documents.

A series of popular apps using an outdated piece of code owned by Twitter are exposing their users' location data. In total, the apps have been downloaded nearly 10 million times.

One of the largest lab testing companies in India left a huge cache of patient data on a public server for months.
The lab testing giant, headquartered in New Delhi, serves some 70,000 patients a day, and quickly became a major player in testing patients for COVID-19 after winning approval from the Indian government.

But the company was storing hundreds of large spreadsheets packed with sensitive patient data in a storage bucket, hosted on Amazon Web Services (AWS), without a password, allowing anyone to access the data inside.

University Hospital New Jersey in Newark, New Jersey, paid a $670,000 ransomware demand this month to prevent the publishing of 240 GB of stolen data, including patient info.

After a Sept. 9 ransomware attack at Düsseldorf University Hospital, a patient had to be directed to another hospital and died as a result of the delay. The female patient had been scheduled for life-saving treatment but was diverted to another hospital 19 miles away.

Razer suffered a data leak that exposed over 100,000 customers' personal information. The leak affected customers who purchased Razer products from its website before September 9, 2020.

The Netwalker ransomware group has hit K-Electric, the sole electricity supplier for the city of Karachi, with a ransomware attack and is demanding a $7.7 million bitcoin ransom.
According to BleepingComputer, K-Electric is Pakistan’s largest power provider and serves 2.5 million customers. It employs 10,000 people, and since yesterday customers have been unable to access the online services for their accounts due to the attack.

NorthShore University HealthSystem said the personal information of about 348,000 people may have been exposed in a breach involving one of the health system’s vendors earlier this year.

NGRAVE, a digital asset security company that claims it has developed the world’s most secure cryptocurrency hardware wallet, reveals that hackers regularly use automated scripts (malicious computer code) that allow them to attack computer systems every 39 seconds (on average 2,244 times per day)

Arizona-based Assured Imaging is notifying 244,813 patients that some of their data was potentially exfiltrated after a ransomware attack in May.

More than 143 million malware targeted consumer smart-devices in the second quarter of 2020, mainly in the form of coronavirus-themed attacks

On July 1, the WebsitePlanet research team and cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak.

Over 200 of the world’s most prominent brands are affected by over 50,000 fake login pages used for executing various phishing attacks.

PayPal was the top target for phishing scams with over 11,000 fake login pages mimicking the brand. Others included Microsoft (9,500), Facebook (7,500), eBay (3,000), and Amazon (1,500). Brands like Adobe, Aetna, Apple, Alibaba, JP Morgan Chase, Tesco, Wells Fargo, and others also had spoofed pages trying to harvest users’ login details.

A few days after the cyber-attack took place, security firm Cyble said it came across a post in which a threat actor "claimed to be in possession of staff profiles of the British Dental Association and was sharing it for free".
In order to investigate the threat actor's claims, the security firm acquired the data and found that it contained a total of 172 data folders which further contained 5517 data files. These files contained Personally Identifiable Information (PII) of multiple employees along with their training materials, payroll documents, appraisals and benefits files, performance reports, etc.

As for what was taken, Freepik said that not all users had passwords associated with their accounts, and the hacker only took user emails for some.
The company puts this number at 4.5 million, representing users who used federated logins (Google, Facebook, or Twitter) to log into their accounts.
"For the remaining 3.77M users the attacker got their email address and a hash of their password," the company added. "For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt."

Standard Bank, the continent’s largest bank by assets, has said some of its clients are among victims of a data breach at one of the world’s top credit bureaus, while FNB and African Bank also warned their customers to be vigilant.
The hack of Experian SA exposed some personal information of as many as 24-million South Africans and almost 800,000 businesses, the SA Banking Risk Centre (Sabric), a non-profit organisation set up by major lenders to combat bank-related organised crime, said in a statement on Wednesday.
It said it is co-operating with individual banks and Experian to secure data and apprehend the perpetrators.
Experian said no consumer credit or financial information was obtained and that the suspect had planned to use the information to offer insurance and credit-related services.

NSW Police have leaked the emails of over 150 complainants who contacted them in order to raise concerns regarding officers’ use of force following the Sydney Black Lives Matter protest on Saturday, 6 June.

A hacker has released the databases of Utah-based gun exchange, hunting, and kratom sites for free on a cybercrime forum.
On August 10th, a threat actor posted databases that they claim contain 195,000 user records for the, 45,000 records for their video site, 15,000 records from the hunting site, and 24,000 user records from the Kratom site

US chipmaker Intel is investigating a security breach after earlier today 20 GB of internal documents, with some marked "confidential" or "restricted secret," were uploaded online on file-sharing site MEGA.

Argentina's health officials have apparently exposed personal medical data relating to some 115,000 COVID-19 quarantine exemption applicants, in what represents a major health sector data breach.

The number of deaths from coronavirus in Iran is nearly triple what Iran's government claims, a BBC Persian service investigation has found.
The government's own records appear to show almost 42,000 people died with Covid-19 symptoms up to 20 July, versus 14,405 reported by its health ministry.
The number of people known to be infected is also almost double official figures: 451,024 as opposed to 278,827.

Students of Gujarat Technological University have complained of massive data leaks during online pre-check trial/mock tests.
GTU is yet to respond to the students' concerns about the data breach.

Scientists and genealogists say the GEDmatch breach — which exposed more than a million additional profiles to law enforcement officials — offers an important window into what can go wrong when those responsible for storing genetic information fail to take necessary precautions.

South East Coast Ambulance Service experienced a massive data breach in May; the personal and medical details of all ambulance staff could have been seen by employees outside of senior management.

Security Expert Jeremiah Fowler to expose a leak of millions of personal medical records by an Artificial Intelligence company
I discovered 2.5 million records that appeared to contain sensitive medical data and PII (Personally Identifiable Information). The records included names, insurance records, medical diagnosis notes, and much more. Upon further research, there were multiple references to an artificial intelligence company called Cense. The records were labeled as staging data and we can only speculate that this was a storage repository intended to hold the data temporarily while it is loaded into the AI Bot or Cense’s management system. As soon as I could validate the data, I sent a responsible disclosure notice. Shortly after my notification was sent to Cense I saw that public access to the database was restricted.

The vpnMentor research team, led by Noam Rotem, uncovered the Elasticsearch server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users. Apps affected: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.

A researcher found an exposed database belonging to the company containing account access tokens for thousands of LogBox users, which if used would grant full access to users’ accounts without requiring their password. The researcher reported the exposed database to the company but did not hear back. After TechCrunch reached out, the database was pulled offline. An unknown number of accounts was affected.

Over a million North American students (many of them minors) exposed on an unsecured Elasticsearch server. Data exposed included students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details

US tech giant Oracle owns BlueKai, a company very few have heard of outside of marketing circles but it possesses one of the largest banks of web tracking data outside of the federal government. The company uses website cookies, and other tracking technology, to follow your activities on the web then sells that data to companies and marketing firms. For an unknown period of time, all of that web tracking data was left exposed on a server without a password. Billions of records were unsecured for anyone to find. The data exposed included names, home addresses, email addresses and other identifiable data including web browsing activity. The details are still fuzzy. Oracle says that they have taken care of the problem but haven’t offered up any information as to how this happened and who was affected.

The Postbank in South Africa has had to replace over 12 million bank cards after an unencrypted master key was stolen by employees. The master key granted anyone complete access to the bank’s systems and the ability to change information on any of the bank’s 12 million cards. The breach specifically affected between 8 and 10 million beneficiaries who receive social grants every month. It’s still unclear if any funds were stolen, and exactly what data was exposed.

Keepnet Labs is a UK security company that initially experienced a breach back in March 2020 when a database was exposed containing data that had previously been exposed in other data breaches. After being notified, Keepnet Labs quickly took the data down but refused to acknowledge the breach. They even went as far as to pursue legal action against at least one tech reporter who had written about the breach. The breach was finally acknowledged this month when Keepnet Labs issued a statement saying that they were not directly responsible, but rather a third-party provider was. Although no new data was exposed, it’s ironic that a security company would experience a data breach.

Chartered Professional Accountants of Canada (CPA) experienced a cyberattack early in the month that allowed unauthorized third parties to gain access to the personal information of over 329,000 members and stakeholders. The stolen information was mostly related to the distribution of the CPA Canada magazine and included personal data such as names, addresses, email addresses, and employer information. Passwords and credit card numbers were also exposed, but CPA Canada says they were all protected by encryption. Anyone affected by the breach has been notified by the company, and CPA Canada notified the relevant authorities.

The personal data of 47.5 million Indians was found for sale on the dark web for $1,000, and is claimed to have originated from the popular caller ID and spam blocking app Truecaller. Personal information such as phone numbers, service providers, names, genders, and more was made available. However, Truecaller denies there was a breach at all. Truecaller suffered a previous data breach in May 2019, and the company suggests that it is the same data set that is for sale. If Truecaller has suffered a breach this month, then it’s a case of gross negligence, or it could just be criminals trying to make a quick buck.

For years rumors have circled that blogging platform LiveJournal suffered from a data breach, and many users have reportedly received extortion letters tied to their LiveJournal accounts. The breach was finally confirmed this month by multiple hackers who are selling the user data on the dark web. It’s unclear what year the breach actually took place, but the details weren’t revealed until this month when Have I Been Pwned? received a copy of the leaked user database. The data that was breached included usernames, emails, and plaintext passwords of over 26 million users. LiveJournal and its parent company, DreamWidth, have yet to acknowledge the breach despite users complaining of having their data stolen for years.

Thailand’s largest cellphone network pulled a database containing billions of Thai internet users offline after discovering records were being leaked for over two weeks. The passwordless database was discovered by security researcher Justin Paine who quickly notified AIS about the massive breach. AIS has come out saying that no personal information was made available, but unfortunately, that’s just not true. The leaked data included DNS queries, which have the potential to let authorities and hackers know who was visiting which websites and from where. This is particularly problematic as Thailand has incredibly strict censorship laws, and if the authorities get ahold of the leaked data, it could lead to arrests.

A popular website for helping students and children learn mathematics suffered from a data breach, resulting in more than 25 million records being exposed. The breach was only discovered when the records were being sold on the dark web earlier in May. So far, it is believed that only emails and hashed passwords were exposed.

While many governments have talked about using an app to track the spread of COVID-19, only a handful of countries have actually created one. In Qatar, the app used by the government to track COVID-19, EHTERAZ, is compulsory. Unfortunately, due to inadequate security measures, the app suffered a data breach exposing the sensitive personal information of over one million residents. Information such as names, birth dates, national ID numbers, location, and health status were all made available. It is unknown how long this data was exposed for, but luckily the Qatari government was quick to act.

The private data of over two million voters in Indonesia was found for sale on the dark web, along with a threat to release a further 200 million records. It’s unclear exactly where the data came from, and how it got stolen, but some of the records date back as far as 2013. Information such as home addresses, names, and national ID numbers were breached. The investigation is still ongoing.

European budget airline EasyJet suffered a major breach that began in January 2020 but didn’t notify customers until April and May 2020. Emails and travel information were amongst the information that was breached, and over 2,000 customers had their credit and debit card details accessed. EasyJet has declined to say how the attack happened, and who committed it. Thanks to the GDPR, EasyJet could face a major fine if they are discovered to have inadequate security measures in place.

Russian delivery company, CDEC Express, suffered a major breach when it was discovered that the . CDEC Express has denied that they were the ones who were breached, stating that personal data is collected by many companies and that they were not the source. Information such as the delivery of goods, buyer information, and tax ID numbers were all breached.

Millions of users of a popular online dating app, MobiFriends, were hacked early in May. The breached data includes dates of birth, gender, website activity, mobile numbers, usernames, email addresses and MD5 hashed passwords. The breach is believed to have originally taken place in January 2019, but the information has recently been available for sale (and now for free) on the dark web.

A security researcher in Ireland discovered an unsecured database and contacted Wellington firm LPM Property Management. More than 31,000 images of people’s passports and driver’s licences had been leaked. The files included expired and active passports from New Zealand and overseas, driver’s licences, evidence of age documents, pictures of applicants and maintenance requests. It was reported that engineers found the breach on June 10 and fixed it on June 11.

One of India’s largest online learning platforms, Unacademy, suffered from a massive breach after a hacker gained access to a database and began selling account information of more than 20 million users. Names, emails, passwords, and account activity were among the data that was stolen. Hackers have claimed to have stolen more data than just user information, but what that may be (and if it’s true) remains to be seen.

Indonesia’s largest e-commerce platform, Tokopedia, began investigations after security researchers discovered a treasure trove of customer data for sale on the dark web. However, the initial breach turned out to be far worse than anticipated. The initial number of 15 million records ballooned up to 91 million after the investigation was launched. While Tokopedia has stated several times that passwords were not included in the data that was leaked, plenty of other personal information was. Names, emails and birthdays were all available for sale, and there were at least two buyers of the information.

Major US pharmaceutical firm ExecuPharm suffered a major data breach in March but didn’t notify the public until a month later. Malicious actors gained access to ExecuPharm’s servers and held them for ransom. Additionally, the hackers also sent out phishing emails to ExecuPharm’s employees. It’s unclear exactly how many people were affected, but a large amount of sensitive data was leaked including social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account details, credit card numbers, and more. The hackers later went on to publish the stolen data on the dark web.

Video game giant Nintendo experienced a breach that affected 160,000 users. The issues began in early April when hackers gained access to login IDs and passwords to Nintendo accounts. Malicious actors gained access to nicknames, emails, birth dates, and country of residence. Even worse, some accounts experienced fraudulent purchases.

GoDaddy is one of the world’s largest domain registrars and a web hosting company that provides services to roughly 19 million customers around the world. While only 28,000 customers were affected, any breach for a company of this size is a big deal. The data breach itself took place in October 2019 but wasn’t discovered until April 2020. An unauthorized individual gained access to login credentials for SSH on hosting accounts, and as a result, the breach only affected hosting accounts. So far, it doesn’t appear like any personal information was leaked. That being said, the investigation is still ongoing.

This isn’t the first time hotel giant Marriott has suffered a data breach. Back in 2018, 383 million records were leaked. This time, hackers obtained login details of two employees and broke into the system in January 2020. Marriott has said that they have no reason to believe that any payment information was breached, just personal data of their customers (such as names, addresses, and contact information).

March was already a bad month for cruise lines, and things got a lot worse for Norwegian Cruise Line when one of its databases was breached. The leaked information was only regarding travel agents; no guests were affected. Despite being notified of the breach earlier in the month, the company was slow to react and has since attempted to downplay the extent of the breach.

Canadian telecommunications giant Rogers experienced a data breach when one of their external providers inadvertently made information available online that provided access to a customer database. It’s unclear how many customers were affected, but the company has over 10 million wireless subscribers. Rogers stated that although personal information like names, addresses, and contact information was leaked, no payment information or passwords were compromised.

It’s been a rather unfortunate month for Princess Cruises. First they had to suspend operations thanks to COVID-19, then they announced that they had experienced a data breach. The breach actually took place from April to July 2019 and was discovered in May 2019. It’s unclear why the cruise line waited so long to notify customers. An unauthorized party managed to gain access to employee email accounts and accessed personal information of employees, crew members, and guests. It’s unclear exactly how many people were affected, and Princess Cruises has been pretty quiet about the whole thing.

In a rather bizarre turn of events, the Dutch government admitted to losing two external hard drives that contained the personal data of more than 6.9 million organ donors. The hard drives contained records from 1998 to 2010 and had been placed in a vault in 2016. When officials went to access them this year, they were mysteriously gone. So far, there is no evidence that anyone has attempted to use the data.

Brazilian biometric solutions company Antheus Tecnologia suffered from a significant data leak and other security flaws, which led to an Elasticsearch server containing biometric data being exposed. An estimated 76,000 fingerprints were on the server. Other records included employee company emails and telephone numbers.

The Comparitech security research team alongside security expert Bob Diachenko discovered an unprotected Google cloud server containing the personal data of 200 million US residents. The server was originally found in January, and the team worked to identify the owner of the server but couldn’t uncover who they were. The server was finally taken offline in March, although the data was exposed for at least one month. Most of the data exposed contained personal, demographic, and property information. The majority of the information was incredibly detailed, including things like net worth, property value, mortgage details, and tax assessment info.

A Virgin Media database containing the personal information of 900,000 people was left unsecured online for ten months. The data breach is not the result of criminal activity, just negligence on the part of Virgin Media. The database was for marketing purposes and contained information such as names, phone numbers, emails, and home addresses. The database was accessed by an unknown person on at least one occasion while it was available. Virgin Media reported the incident to the ICO and has launched a full investigation.

On the 25th of February The Verge reported that Slickwraps, a company that makes vinyl skins for phones, tablets and laptops, suffered a significant data breach affecting the personal information of over 330,000 customers. Worryingly, the hackers sent out an email blast to all affected users, mentioning their name, home address and an indictment of Slickwraps security measures.

The US defence agency that handles secure communications for the White House suffered a data breach between May and July of 2019, but the breach wasn’t discovered until February 2020. The Defence Information Systems Agency (DISA) is responsible for direct telecommunications and IT support for President Donald Trump, Vice President Mike Pence, their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members. The extent of the breach, including how many were affected and what data was compromised, is unclear as DISA has been extremely tight-lipped. The agency employs over 8,000 military and civilian employees according to their website.

Hackers compromised dozens of UN servers in the summer of 2019, yet the world body kept it a secret, even from its own employees. While the size of the breach is unclear, staff records, health insurance, and commercial contract data were compromised. As the UN is under diplomatic immunity, they are not required to divulge what data was taken or notify those affected. The UN was allegedly notified about several security issues years ago.

Clinical laboratory LabCorp suffered an earlier breach in July 2019 when 7.7 million records were stolen. Unfortunately, the security upgrades they must have made were not enough to prevent another breach at the end of January 2020. At least 10,000 patient records were exposed including names, addresses, and in some cases, social security numbers.

Microsoft didn’t have a great start to 2020. 250 million customer service and support records, going all the way back to 2005, were breached. Microsoft has said that only email addresses and IP addresses were exposed, but security researchers believe that it goes beyond that.

Smart home device maker Wyze Labs has disclosed a data leak impacting more than 2.4 million customers. Production databases belonging to Wyze were left exposed for most of the month, containing user names and email addresses, WiFi network names, camera names, and tokens that identified smartphone and personal digital assistant device connections. The databases also included the personal health information for some users doing beta testing for the company. The company asserts that no passwords or financial account details were included in the database records.

Popular East Coast convenience store and gas station operator, Wawa, has reported the discovery of malware on their payment processing servers. This malicious software captured credit and debit card numbers, cardholder names, and card expiration dates from payments made in-store and at gas pumps. The number of customers impacted by the breach has not been disclosed.

Over 267 million Facebook records were discovered, exposing Facebook users’ names, Facebook IDs, and phone numbers. The unsecured webpage was open to cybercriminals for at least two weeks.

A breach first reported in September 2019 has been updated with confirmation by HaveIBeenPwned that more than 170 million players of Zynga’s popular mobile games Draw Something and Words With Friends had their account information accessed. The data stolen includes names, email addresses, login IDs, hashed passwords, phone numbers, Facebook IDs and Zynga account IDs.

Online retailer, LightInTheBox, left an unsecured database exposed, impacting the information of over 1.6 billion customers. The information exposed includes consumers’ email addresses, IP addresses, countries of residence, destination pages and user activity. Although no personally identifiable information was disclosed, users’ email addresses can be used in targeted phishing scams.

A database belonging to American communications company, TrueDialog, exposed tens of millions of SMS text messages as well as the personal information of more than 1 billion subscribers. Impacted information includes names of recipients, account holders and users, email addresses, phone numbers of recipients and users, content of messages, dates and times messages were sent, message status, and account details.

Over 1 million T-Mobile customers had their personal information accessed by a hacker. Their names, billing addresses, phone numbers, account numbers, rates, plans and calling features were exposed, but no financial or password data were compromised.

An unsecured server was discovered, containing over 622 million email addresses, 50 million phone numbers, along with names and profile information from LinkedIn and Facebook, such as email addresses, employers, locations, job titles, names, phone numbers, and social media profiles. The data of over 1.2 billion individuals has been exposed and the owner of the database remains unknown.

Macy’s e-commerce site was hacked by a third-party, embedding malicious code into Macy’s online checkout page. A skimming code was also placed on the Macy’s Wallet page, used by account holders to store payment credentials. The malware gathered names, full addresses, phone numbers, email addresses, payment card numbers, card security codes, and payment expiration dates of shoppers who made purchases through the Macy’s website.

Users of the newly released Disney+ streaming services were locked out of their accounts after being hijacked by fraudsters. Disney+ members’ login credentials, including usernames and passwords, were found up for sale on the Dark Web starting at $3 per record.

Millions of individuals who have used the world’s first internet domain name provider, Network Solutions, had their PII accessed by a third-party. along with and confirmed the hacker accessed names, addresses, phone numbers, email addresses and service information of their customers and recommended a password reset.

The account information of over 7.5 million users of Adobe Creative Cloud was exposed due to an unprotected online database, including email addresses, usernames, location, Adobe products, account creation dates, dates of last login, subscriptions and payment status.

After a phishing attack in the summer of 2019, the information of over 130,000 patients of Kalispell Regional Healthcare was exposed. Hackers were given access to patient names, Social Security numbers, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, medical history and treatment information, dates of service, treating/referring physicians, medical bill account numbers and/or health insurance information.

The cybersecurity team at vpnMentor discovered an open database belonging to Autoclerk, a hotel property management system, impacting the information of hundreds of thousands of individuals, including those belonging to U.S. government and military personnel. The records exposed include names, dates of birth, home addresses, phone numbers, dates and travel costs, check-in times, room numbers, and masked credit card details.

After two employees fell victim to an email phishing scam, the personal information of over 68,000 patients of Indiana-based Methodist Hospitals was accessed by hackers. The information compromised in the hack includes names, addresses, dates of birth, Social Security numbers, driver’s license/state ID/passport numbers, credit card information, and patient health records.

DoorDash, a food delivery service, confirmed a data breach through a third-party vendor, exposing the information of 4.9 million customers, delivery workers, and merchants. The leaked data includes names, delivery addresses, phone numbers, hashed passwords, order history, last four digits of both customers’ credit cards and employee bank account numbers. The driver’s license information of 100,000 delivery drivers was also disclosed.

The personal information of 198 million prospective car buyers was left exposed in an unsecured database belonging to Dealer Leader, a digital marketing company for car dealerships. The information exposed included names, email addresses, phone numbers, home addresses, and IP addresses.

Players of the popular games Draw Something, Words With Friends, and Farmville have been notified by mobile game maker Zynga that their system was breached and user data was accessed illegally. The hacker claiming responsibility says he accessed a database that included data from 218 million Android and iOS players, including names, email addresses, login IDs, hashed passwords, phone numbers, Facebook IDs and Zynga account IDs. The number of users impacted has not been confirmed by Zynga.

Providence Health Plan has notified 122,000 of its members that their personal information was impacted after an unauthorized party accessed their servers. The hackers accessed names, addresses, email addresses, dates of birth, Social Security numbers, member identification numbers, group numbers, and subscriber numbers.

An unprotected server containing over 419 million records of Facebook users was discovered, giving hackers access to Facebook users’ unique IDs and phone numbers. In some cases, users’ names, genders, and locations were also included.

Over 328,000 users of Foxit, a PDF Reader software company, were sent a password reset email after the company discovered a hacker had access to names, email addresses, passwords, phone numbers, company names, and IP addresses.

The web hosting company, Hostinger, sent out password reset emails to 14 million clients whose information was hacked through an API server. The company is urging its clients to update their passwords after first names, usernames, email addresses, IP addresses, and hashed passwords were exposed in the data breach.

Personal and credit card information of 58,000 subscribers to the movie ticket subscription service MoviePass was left unsecured on a server that was not password protected. MoviePass customers are issued cards that function like debit cards. Names, addresses, MoviePass debit card numbers, card expiration dates, card balances, and activation dates were impacted in this breach.

Security researchers and the VPNMentor team uncovered a data breach containing the fingerprint data of 1 million individuals along with the facial recognition information, and unencrypted usernames and passwords of 27.8 million individuals. The exposed database belongs to BioStar 2, a biometric security platform used by organizations worldwide.

A database containing 700,000 guest records of the hotel franchise, Choice Hotels, was found exposed and left with a ransom note. The hackers requested 0.4 Bitcoin, approximately $4,000, to stop further exposure of the stolen information, including names, addresses, and phone numbers.

Hy-Vee has reported a security breach of its point-of-sale (PoS) system, impacting consumers who made purchases at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Express, and Wahlburgers). The company says the hackers did not access the separate PoS systems that run its grocery stores, drugstores, or convenience stores. Updated August 23, 2019: KrebsOnSecurity discovered that 5.3 million stolen credit and debit card accounts linked to the Hy-Vee breach were up for sale on the Dark Web under the name “Solar Energy” breach.

A hacker used usernames and passwords exposed in another company’s data breach to gain access to the accounts of State Farm insurance users, a technique known as a credential stuffing attack. No other personal information was exposed and the number of affected victims has not been disclosed. State Farm has reset the passwords for accounts whose login credentials were impacted.

Over 23.2 million accounts were exposed by CafePress, a custom T-shirt and merchandise company, exposing the names, email addresses, physical addresses, phone numbers and hashed passwords of its customers. CafePress has not disclosed the breach, which dates back to February 2019, but has sent out a password reset claiming it has updated its password policy.

The online marketplace Poshmark announced in a blog post that a hacker gained access to the names, usernames, genders, city data, email addresses, size preferences, and scrambled passwords of its users. Poshmark has over 50 million users but has not confirmed how many were affected by the breach.

StockX, a fashion and sneaker trading platform, exposed the personally identifiable information of over 6.8 million customers. The company sent a password reset to its users after an unknown third party accessed customer names, email addresses, shipping addresses, usernames, hashed passwords, and purchase histories.

A phishing attack on Presbyterian Healthcare Services of New Mexico gave hackers unauthorized access to the personal and medical information of 183,000 patients. The reported data breach exposed the names, dates of birth, Social Security numbers, along with health plan and clinical information.

A security incident was announced by Capital One, impacting credit card applications for 100 million consumers in the United States. Of those applications, approximately 140,000 included the applicant’s Social Security number, and 80,000 included linked bank account information. Included as part of the credit card application were names, addresses, phone numbers, email addresses, dates of birth, and individual or household income. Also compromised were credit scores, credit limits, and credit balances.

A hacker has stolen personal information of about 20,000 Los Angeles Police Department officers, recruits, and applicants from the Los Angeles Personnel Department Candidate Application Program. The compromised data included names, birth dates, partial social security numbers, email addresses, and applicant account passwords.

An unknown number of Sprint customer accounts were hacked via the “add a line” website. The information exposed by the mobile network operator includes names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.

Another clinical lab reported that personal information of its patients was compromised in the previously reported AMCA data breach, shortly after the Quest Diagnostics, LabCorp, and Opko Health data breaches. Clinical Pathology Laboratories (CPL) disclosed that 2.2 million patients had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information exposed, and an additional 34,500 patients had their credit card or banking information affected.

Patients of Essentia Health were notified of a protected health information breach after a third-party vendor, California Reimbursement Enterprises, was targeted by a phishing attack. The specific data impacted was not disclosed, but may have included medical records, billing information, and dates of birth, which are types of information routinely shared with a billing services vendor.

An unsecured database belonging to Fieldwork Software was discovered by vpnMentor researchers, exposing customer names, credit cards, alarm codes, client information, and other sensitive details of the company’s small business customers. Of significant concern was a direct access link to the company’s backend system, and communication logs that detailed such information as alarm codes, building access details, and the location of clients’ hidden keys.

A contractor for the Los Angeles County Department of Health Services fell victim to a phishing attack, exposing the personal information of 14,600 patients, including names, addresses, patient information, and social security numbers.

Multiple systems managed by the Maryland Department of Labor were reported as breached, containing files dating back to 2009. The stolen data is suspected to include names, social security numbers, dates of birth, and other sensitive personally identifiable information of 78,000 users of the state’s unemployment insurance services and Literacy Works Information System.

The database of smart home IoT devices, Orvibo, exposed the personal information of over 2 billion customers. Impacted information includes email addresses, passwords, account reset codes, precise geolocation, IP address, username, user ID, family name, family ID, smart device, devices that accessed the account, and scheduling information.

The information of consumers, plan providers, and healthcare companies involving 95,000 Delaware residents was exposed in a Dominion National data breach. Names, addresses, dates of birth, email addresses, Social Security numbers, tax ID numbers, bank account and routing numbers, and member ID numbers were among the data compromised.

Data on 2.7 million individuals and 173,000 businesses was stolen by a Desjardins employee. Desjardins is Canada’s largest credit union, and it has fired said employee after containing the incident. Names, dates of birth, social insurance numbers, addresses, phone numbers, and email addresses were compromised.

Employees of the Oregon DHS were targeted in a phishing attack that gave a cybercriminal control over their email accounts. As many as 2 million emails containing full names, addresses, dates of birth, Social Security numbers, case numbers, health information, and other record keeping data were exposed.

An unauthorized third-party broke into the systems of popular food delivery service, EatStreet. The hacker was able to steal customer data including names, phone numbers, email addresses, bank accounts and routing numbers, full payment card information, and billing addresses. While it’s unknown exactly how many customers were impacted, the hacker claims to have captured information on 6 million users.

A security vulnerability within Evernote’s Web Clipper Chrome extension gave hackers access to the online data of its 4.6 million users. Authentication, financials, private communications, and more could have been accessed by malicious actors by exploiting a flaw in the Evernote code. The company has since corrected the issue, but it’s unclear how long user data may have been compromised.

A misconfiguration of an Amazon S3 file storage service potentially compromised the information of students who registered for exams like the PSAT and Advanced Placement. Total Registration, a Kentucky-based facilitator of test registrations, admitted that names of students and parents, dates of birth, languages, grade level, gender, student ID, and some Social Security numbers were implicated.

Ten million users of the online event planning service Evite have had their information put up for sale on the dark web. A hacker who goes by the name Gnosticplayers released user names, email addresses, IP addresses, and cleartext passwords. In some cases, dates of birth, phone numbers, and postal addresses were also included.

Images of travelers’ faces and license plates were compromised in a cyberattack on a contractor for U.S. Customs and Border Protection. The agency said that fewer than 100,000 people were impacted while entering and exiting a border entry point.

More than 1.1 million users of the gaming website Emuparadise have had their IP address, username, and password exposed in a data breach. This security incident originated from the site's vBulletin forum.

Another healthcare-related company has been impacted by the hack of American Medical Collection Agency (AMCA), which compromised Quest Diagnostics and LabCorp. Opko Health announced a data breach affecting 422,600 customers. Credit card and bank account information, email addresses, addresses, phone numbers, and balance information were exposed.

One day after Quest Diagnostics reported a data breach, LabCorp disclosed that 7.7 million of its customers were also impacted by the same hack. The records kept on LabCorp customers were less sensitive, however, exposing names, addresses, dates of birth, and balance information.

Nearly 12 million patients have been exposed in a Quest Diagnostics data breach. The breach occurred after hackers took control of the payments page of one of Quest’s billing collections vendors, AMCA, between August 2018 and March 2019. Financial account data, Social Security numbers, and health information were likely stolen.

More than 100 Checkers and Rally’s restaurants had their point-of-sale systems hacked, compromising customers’ full payment card information. The restaurant discovered the attack in April 2019, but found that 15 percent of its locations’ systems had been compromised for years.

Flipboard announced it was hacked after an unauthorized third-party accessed databases containing user information. Names, usernames, email addresses, and encrypted passwords are among the data that could have been stolen. Flipboard has 150 million monthly users.

The massively popular online design tool Canva was hacked, exposing 139 million users. Hackers stole Canva customers’ usernames, real names, and email addresses. The company is urging all users to change their passwords as a precaution.

A massive data leak containing 885 million personal and financial records was found unprotected on the website of First American Financial Corp. The company, a leading title insurer for the U.S. real estate market, exposed consumers’ Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images dating as far back as 2003. It is unclear if malicious actors accessed and stole any of the data, which sat unprotected and accessible to anyone who had the URL, for more than two years.

The website of a healthcare company, Inmediata, was breached after a setting allowed search engines to index internal pages that contained patient data. More than 1.5 million people may have had their names, addresses, dates of birth, gender, medical information, and Social Security numbers exposed. The company has notified those affected.

More than 49 million Instagram influencers, celebrities, and brands have had their private contact information exposed after an India-based social media marketing company left the data unprotected on an Amazon Web Services database. TechCrunch reported that the bio, profile photo, location, verification status, email address and phone number of high-profile accounts were exposed.

Facebook is facing another data privacy scandal after a WhatsApp data breach. The messaging app, which has over 1.5 billion users worldwide, experienced a security flaw that left people vulnerable to spyware designed by the NSO Group, an Israeli government surveillance agency. Those affected could have been spied on through their phone’s microphone and camera, WhatsApp messages and connected apps.

The largest retailer in Asia, Fast Retailing Co., revealed that hackers may have accessed as many as 460,000 Uniqlo shoppers’ names, addresses, and partial credit card information. The company is urging customers to change their login credentials.

The legal entity behind the basketball team Indiana Pacers, Pacers Sports & Entertainment (PSE), recently announced that a phishing email campaign caused a security breach of sensitive information. The number of affected individuals is still unknown, but the information exposed may include names, addresses, dates of birth, Social Security numbers, passport numbers, medical insurance information, driver’s license numbers, account numbers, payment card numbers, digital signatures, and usernames and passwords. PSE has not shared whether the information disclosed belonged to employees or customers.

A data breach of Freedom Mobile has affected an estimated 1.5 million customers after a database of information was found unprotected on an Elasticsearch server. The Canada-based telecommunications company exposed customer names, email addresses, phone numbers, physical addresses, dates of birth, account numbers, and credit card information.

An online tutoring marketplace with more than two million registered users and 80,000 instructors, Wyzant, announced a breach of customer data. A hacker was able to break into one of the company’s databases, compromising names, email addresses, ZIP codes, and Facebook profile pictures of those who use single sign-on to log in to their Wyzant account.

The personal information of 1.6 million subscribers of AMC Network’s premium streaming video platforms, Sundance Now and Shudder, was disclosed after the company’s database was left accessible to the public. The breach included names, email addresses, details about subscription plans and the last four digits of credit cards. The exposed database also encompassed video analytics data gathered by Youbora, adding 441,943 exposed records including user IP addresses, country, city, state, ZIP code, and location coordinates.

In a letter to potential data breach victims, Citrix revealed that hackers gained access to the company’s internal systems between October 2018 and March 2019. The U.S. software company is investigating the cyber intrusion with help from the FBI, but thinks that the data stolen could include the Social Security numbers, financial information, and other data of current and former employees.

Up to 65% of U.S. households have had their information exposed by an unsecured database housed on a Microsoft cloud server. While the owner of the data is unknown, over 80 million households have had their names, addresses, geographic location, age, dates of birth, and other demographic information compromised. VPNMentor, whose research team discovered the breach, is asking for help in identifying who the database belongs to.

Users have been notified of a Docker Hub data breach after hackers exposed the information of 190,000 account holders. The company offers cloud-based services to application developers and programmers. Information stolen in the breach includes usernames, hashed passwords, and GitHub and Bitbucket tokens.

Magecart, a notorious hacking syndicate known for targeting online shopping portals, compromised the eCommerce website of the NBA’s Atlanta Hawks. The hackers installed a credit card skimming code on the site, stealing the names, dates of birth, and payment card details of anyone who shopped on the site after April 20, 2019.

The largest online retailer of fitness supplements, announced a data breach that potentially impacted its 7 million registered users. The company has since forced a password reset and notified its customers. The information that could have been stolen by hackers includes names, email addresses, billing/shipping addresses, phone numbers, order history, birth date, and information included in BodySpace profiles.

As many as 60,000 patients and employees of Florida’s EmCare have been notified of a data breach after a third-party gained access to several employees’ email accounts. Those email accounts contained personal information including names, dates of birth, age, clinical information, and some Social Security and driver’s license numbers.

Patients seeking treatment for drug and alcohol abuse have had their sensitive personal information exposed in a data breach of several addiction rehabilitation centers. The data was discovered unprotected by security researcher, Justin Paine. Approximately 145,000 patients have been impacted.

In a statement to TechCrunch, Microsoft admitted a data breach of its non-corporate email services, including,, and The breach, which lasted from January 1 to March 28, 2019, allowed hackers to access email accounts by misusing Microsoft’s customer support portal.

Nearly $500,000 of the city of Tallahassee employees’ payroll was stolen by hackers who redirected direct deposits into an unauthorized account. City officials responsible for investigating the incident suspect the cyberattack came from a foreign nation.

A phishing attack on Prisma Health of South Carolina gave hackers unauthorized access to several employee email accounts. The investigation into the attack determined that 23,811 patients had their protected health information exposed, including names, health insurance information, Social Security numbers, and financial information.

An estimated 12,000 patients of the Springfield, MA-based hospital Baystate Health had their information exposed after a phishing attack compromised the email accounts of several employees. Patient names, dates of birth, health information, and some Medicare and Social Security numbers were involved in this healthcare data breach.

Two third-party applications which hold Facebook datasets were left exposed to the public online. Over 540 million records, including account names, Facebook ID, and user activity were exposed through Cultura Colectiva. The second application, At the Pool, disclosed passwords along with information regarding photos, events, groups, check-ins and more.

Personal information of current and former faculty, students, staff and student applicants of Georgia Tech was accessed by a hacker through a central database. The database affected by the breach includes names, addresses, Social Security numbers and birth dates of 1.3 million individuals. This is the university’s second breach in less than a year.

A database controlled by email validation company was discovered on an unprotected server that was accessible to anyone who knew where to look. Nearly 1 billion email accounts, along with other personal information, were exposed in one of the largest single-source data breaches ever recorded. The company has seemingly closed its doors after news of the breach broke.

The parent company of Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria, Earl Enterprises, announced a breach of its payment systems after discovering malware that stole customer credit and debit card information. More than 2 million customers were impacted.

A hacker gained access to three Verity Health Systems employee email accounts, compromising the protected health information of 14,894 patients. The sensitive data included names, patient ID numbers, dates of birth, addresses, phone numbers, health insurance information, payment information, driver’s licenses, and Social Security numbers.

The names, addresses, dates of birth, health insurance information, Social Security numbers, and service information of 32,178 patients may have been stolen in a Milestone Family Medicine data breach.

A tracking app that allows family members to track each other’s location in real time, Family Locator, leaked data exposing more than 238,000 users. The locations of users were left accessible on an unprotected server, along with additional information such as names, email addresses, profile photos, and passwords.

Survivors who sought shelter assistance after hurricanes Maria and Irma, as well as California wildfires, have had their PII exposed in a FEMA privacy incident. About 2.5 million disaster victims had information like names and addresses, bank account information and birth dates shared with a contractor, leaving them unprotected.

The Oregon Department of Human Services announced a data breach after nine of its employees clicked on a phishing link, compromising nearly 2 million emails. These emails may have exposed the names, addresses, dates of birth, Social Security numbers, and other information of as many as 1.6 million clients.

Facebook has admitted that since 2012 it has not properly secured the passwords of as many as 600 million users. These passwords were stored in plain text and could be accessed by more than 20,000 of the company’s employees. If you use Facebook, change your password.

Bedding retailers MyPillow & Amerisleep experienced a breach at the hands of Magecart, a hacking syndicate that targets eCommerce websites with credit card skimming software. Hackers also set up a dummy URL to trick shoppers who made a typo in trying to visit the site.

The personal information of 277,319 patients has been exposed by a Zoll Medical data breach. The medical device manufacturer headquartered in Chelmsford, MA announced that data from emails was leaked during a server migration, including names, addresses, dates of birth, and medical information. Some patients also had their SSNs exposed.

More than 72,000 patients have had their personal information exposed in a Rutland Regional Medical Center data breach. Patient names, contact information, medical record numbers, and 3,683 Social Security numbers were compromised after several employees’ email accounts were accessed illegally.

Michigan-based Spectrum Health Lakeland has announced it was also impacted in the hack of Wolverine Solutions Group, a mail vendor that works with multiple healthcare networks. Approximately 60,000 patients had their names, addresses, health services rendered, health insurance and billing information exposed.

An estimated 20,420 people have been affected in a cyberattack on the North Carolina-based EMS company Pasquotank-Camden Emergency Medical Services. The company’s billing information server was infiltrated by an unauthorized third party, leading to the exposure of Social Security numbers, dates of birth, and medical information.

The protected medical information of 120,000 patients has been exposed in a Health Alliance Plan data breach. The names, addresses, dates of birth, member ID numbers, healthcare provider names, patient ID numbers, and claim information were compromised after a ransomware attack infiltrated Wolverine Solutions Group, a third-party vendor who manages the network’s mailing services.

About 45,000 patients of Chicago-based Rush health system were exposed in a data breach. Names, addresses, birthdays, Social Security numbers, and health insurance information were compromised after an employee disclosed billing documents to an unauthorized third-party.

A database containing 2,418,862 identity records on government officials and politicians from every country in the world was leaked online from a Dow Jones watchlist. The watchlist is compiled from publicly available information on prominent individuals who have the ability to embezzle money, accept bribes, or launder funds.

In another major data breach of a university health facility, patients of UConn Health have had their personal information exposed after a third-party accessed employee email accounts. About 326,000 people were affected in the breach, which compromised names, dates of birth, addresses, Social Security numbers, and limited medical information.

Nearly 1 million patients have been notified of a UW Medicine data breach, which was discovered December 26, 2018. A vulnerability on the health network’s website server exposed protected health information including names, medical record numbers, and a description of each individual’s information.

The usernames and hashed passwords of 450,000 users of Coinmama were recently posted on a dark web registry. The cryptocurrency broker has notified its customers and has encouraged all users to change their passwords.

Patients of Florida-based Advent Health Medical Group are being notified of a 16-month long data breach. Approximately 42,000 individuals had their sensitive personal and health information exposed, including medical histories, insurance information, Social Security numbers, names, phone numbers, and addresses.

A data breach affecting North Country Business Products, a vendor of credit card processing services, has impacted at least 50 businesses across the state of Arizona. Customers of any of the following businesses between January 3rd and 24th, 2019, have had their name, credit card number, expiration date, and CVV compromised.

The accounts of 14.8 million users of 500px have been hacked, revealing full names, usernames, email addresses, birth dates, locations, and gender. The photo sharing website has notified its users and is forcing a password reset.

Love was not in the air for users of dating app Coffee Meets Bagel, which announced a data breach on Valentine’s Day. The names and email addresses of all users who registered before May 2018 were exposed, impacting approximately 6 million people.

For the second time in three months, Dunkin’ Donuts announced a data breach affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, and have been selling them on the Dark Web for profit.

Over 24,000 patients of Georgia-based EyeSouth Partners are being notified of a breach. The breach occurred after an unauthorized third-party gained access to an employee email account – a trend we’ve seen all too much of in recent times. Patient names, health insurance information, and some account balance information were compromised.

The point-of-sale systems of the U.S.-based restaurant chain Huddle House were compromised through a third-party vendor’s system, giving hackers the ability to install malware to capture the payment card information of customers between August 2017 and February 2019.

Patients of North Carolina-based Catawba Valley Medical Center have had their names, birth dates, Social Security numbers, and Personal Health Information (PHI) exposed in a cyberattack. Three employee email accounts were hacked in a phishing scam between July and August 2018. An estimated 20,000 patients have been impacted.

Popular home improvement startup Houzz announced a data breach affecting users of the platform. In a statement, the company said that information such as names, city, state, country, profile description, username, and hashed passwords was taken by an unauthorized third party.

Patients of the Colorado-based healthcare facility had their personal health information exposed after CCPSA employees fell for a phishing attack. Approximately 23,000 people have been notified of the breach, which included names, medical information, dates of birth, addresses, Social Security numbers, and driver’s licenses.

IT security and cloud data management provider Rubrik exposed a massive database containing customer information including names, contact information, and other details related to corporate accounts. The data leak was discovered on an unprotected Amazon Elasticsearch server that didn’t require a password.

Home improvement retailer B&Q has suffered a data breach of a database which contained a list of people who had been caught stealing products from B&Q stores. The document included the names of the offenders, the items they had stolen, the value of the goods and the stores they were taken from.

A cyberattack targeting Alaska’s Division of Public Assistance has exposed data on at least 100,000 people. The attacker was able to access the names, Social Security numbers, dates of birth, addresses, health information, and income of people who applied for government programs.

More than 24 million mortgage and banking documents sat unprotected in an online database for at least two weeks. According to the report from TechCrunch, the data leak was traced back to Fort Worth, TX-based Ascension, a data analytics company that serves the financial services industry. The documents included people’s names, addresses, dates of birth, Social Security numbers, and financial information.

Three online betting sites copied data containing 108 million records to Elasticsearch cloud storage without securing it. If you’ve placed bets via,,, or your information was likely exposed, including: names, addresses, phone numbers, email addresses, birth dates, usernames, account balances, IP addresses, browser and OS details, games played, and win and loss information.

Cincinnati-based purveyor of sweets Graeter’s Ice Cream has notified approximately 12,000 customers who purchased items through the company’s online store. Malicious code was found on the website’s checkout page, which could capture customer names, addresses, phone numbers, fax numbers, payment card type, payment card numbers, expiration dates, and verification codes.

As many as 20,000 financial advisers had their information leaked by the world’s largest asset manager, BlackRock. The company posted confidential sales documents related to advisers who work with BlackRock’s iShares unit. Names, emails, and assets managed by advisers were among the information exposed.

Security researcher Troy Hunt discovered a massive database on the cloud storage site MEGA, which contained 773 million email addresses and 22 million unique passwords collected from thousands of different breaches dating back to 2008. The information was shared on a popular hacking forum, where it could be passed around. If you’re concerned that your credentials may have been compromised, visit Have I Been Pwned?

Millions of government files, including records pertinent to FBI investigations, were left unprotected on an open storage server belonging to the Oklahoma Department of Securities (ODS). The oldest records exposed dated back to 1986 and ranged from personal data to login credentials and internal communication records.

A flaw within the online video game Fortnite has exposed players to being hacked. According to the security firm Check Point, which discovered the vulnerabilities, a threat actor could take over the account of any game player, view their personal account information, purchase V-bucks (in-game currency), and eavesdrop on game chatter. Fortnite has 200 million users worldwide, 80 million of whom are active each month.

The personal health information of more than 31,000 patients of Managed Health Services of Indiana has been exposed following a phishing attack. Names, insurance ID numbers, addresses, dates of birth, and medical conditions are among the potentially

New York-based manufacturer OXO was hacked in two separate incidents over the past two years, exposing customer information entered on its website. The company discovered unauthorized code on its site which captured customer names, billing and shipping addresses, and credit card information.

BenefitMall, a U.S. provider of payroll, HR, and employer services, announced a data breach that occurred after an email phishing attack compromised employee login credentials. Though the exact number of records exposed hasn’t been released, the emails may have included customer names, addresses, Social Security numbers, dates of birth, bank account numbers, and information on the payment of insurance premiums.

Online retailer of custom mugs and apparel, was hacked for a four-month period in the latter half of 2018. The company announced that it had discovered malicious card skimming code placed on its payment website. Hackers were able to steal full payment card details (number, security code, and expiration date), names, addresses, phone numbers, email addresses, and postal codes.

The information of 7.6 million gamers was stolen in a hack of Town of Salem. BlankMediaGames (BMG) announced that its server was compromised and usernames, email addresses, IP addresses, game & forum activity, and purchased game premium features were exposed.

Blur announced a breach after an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords. The password management company urged its users to change their Blur login credentials and enable two-factor authentication.