| Risiko / Label | Veröffentlichung | |
|---|---|---|
| Risiko ? / 10 CVE-2024-31879 | vor 6 Stunde(n) | |
| IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbitrary code leading to a denial of service of network ports on the system, caused by the deserialization of untrusted data. IBM X-Force ID: 287539. | ||
| Risiko ? / 10 CVE-2024-3745 | vor 9 Stunde(n) | |
| MSI Afterburner v4.6.6.16381 Beta 3 is vulnerable to an ACL Bypass vulnerability in the RTCore64.sys driver, which leads to triggering vulnerabilities like CVE-2024-1443 and CVE-2024-1460 from a low privileged user. | ||
| Risiko ? / 10 CVE-2024-5088 | vor 10 Stunde(n) | |
| The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-3658 | vor 12 Stunde(n) | |
| The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.21. This is due to missing authentication checking in the 'set_user_cart' function with the 'user_id' header value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. | ||
| Risiko ? / 10 CVE-2024-4432 | vor 12 Stunde(n) | |
| The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.4.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-2771 | vor 14 Stunde(n) | |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's settings and features. This also makes it possible for unauthenticated attackers to delete manager accounts. | ||
| Risiko ? / 10 CVE-2024-2772 | vor 14 Stunde(n) | |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 5.1.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Fluent Forms settings, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This can be chained with CVE-2024-2771 for a low-privileged user to inject malicious web scripts. | ||
| Risiko ? / 10 CVE-2024-2782 | vor 14 Stunde(n) | |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings. | ||
| Risiko ? / 10 CVE-2024-4698 | vor 14 Stunde(n) | |
| The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'show_line_text ' and 'slide_button_hover_animation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-4709 | vor 14 Stunde(n) | |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, and access granted by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-3810 | vor 16 Stunde(n) | |
| The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | ||
| Risiko ? / 10 CVE-2024-3811 | vor 16 Stunde(n) | |
| The Salient Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'icon' shortcode in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-4849 | vor 16 Stunde(n) | |
| The WordPress Automatic Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘autoplay’ parameter in all versions up to, and including, 3.94.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-3812 | vor 16 Stunde(n) | |
| The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | ||
| Risiko ? / 10 CVE-2024-3714 | vor 17 Stunde(n) | |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-4891 | vor 17 Stunde(n) | |
| The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-4374 | vor 17 Stunde(n) | |
| The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-3437 | vor 17 Stunde(n) | |
| A vulnerability was found in SourceCodester Prison Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /Admin/add-admin.php of the component Avatar Handler. The manipulation of the argument avatar leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259631. | ||
| Risiko ? / 10 CVE-2024-4865 | vor 19 Stunde(n) | |
| The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||
| Risiko ? / 10 CVE-2024-4761 | vor 21 Stunde(n) | |
| Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | ||
| Risiko 5 / 10 CVE-2021-40655 | vor 21 Stunde(n) | |
| An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | ||
| Risiko 6.8 / 10 CVE-2014-100005 | vor 21 Stunde(n) | |
| Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php. | ||
| Risiko ? / 10 CVE-2024-23554 | vor 22 Stunde(n) | |
| Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE). | ||
| Risiko ? / 10 CVE-2024-23556 | vor 22 Stunde(n) | |
| SSL/TLS Renegotiation functionality potentially leading to DoS attack vulnerability. | ||
| Risiko ? / 10 CVE-2024-4264 | vor 22 Stunde(n) | |
| A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`. | ||
| Risiko ? / 10 CVE-2024-23583 | vor 23 Stunde(n) | |
| An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems. | ||
| Risiko ? / 10 CVE-2024-25742 | vor 24 Stunde(n) | |
| In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES. | ||
| Risiko ? / 10 CVE-2024-35312 | vor 24 Stunde(n) | |
| In Tor Arti before 1.2.3, STUB circuits incorrectly have a length of 2 (with lite vanguards), aka TROVE-2024-003. | ||
| Risiko ? / 10 CVE-2024-35313 | vor 24 Stunde(n) | |
| In Tor Arti before 1.2.3, circuits sometimes incorrectly have a length of 3 (with full vanguards), aka TROVE-2024-004. | ||
| Risiko ? / 10 CVE-2024-25743 | vor 24 Stunde(n) | |
| In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES. | ||
| 02.05.2024 - The Post Millennial | 56.973.345 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames In May 2024, the conservative news website The Post Millennial suffered a data breach. The breach resulted in the defacement of the website and links posted to 3 different corpuses of data including hundreds of writers and editors (IP, physical address and email exposed), tens of thousands of subscribers to the site (name, email, username, phone and plain text password exposed), and tens of millions of email addresses from thousands of mailing lists alleged to have been used by The Post Millennial (this has not been independently verified). The mailing lists appear to be sourced from various campaigns not necessarily run by The Post Millennial and contain a variety of different personal attributes including name, phone and physical address (depending on the campaign). The data was subsequently posted to a popular hacking forum and extensively torrented. |
||
| 24.04.2024 - Piping Rock | 2.103.100 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In April 2024, 2.1M email addresses from the online health products store Piping Rock were publicly posted to a popular hacking forum. The data also included names, phone numbers and physical addresses. The account posting the data had previously posted multiple other data breaches which all appear to have been obtained from the Shopify service used by the respective websites. |
||
| 23.04.2024 - Tappware | 94.734 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Government issued IDs, Job titles, Names, Phone numbers, Physical addresses, Religions In April 2024, a substantial volume of data was taken from the Bangladeshi IT services provider Tappware and published to a popular hacking forum. Comprising of 95k unique email addresses, the data also included extensive labour information on local citizens including names, physical addresses, job titles, dates of birth, genders and scans of government issued national identity (NID) cards. |
||
| 17.04.2024 - T2 | 94.584 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, Salutations In April 2024, 95k records from the T2 tea store were posted to a popular hacking forum. Data included email and physical addresses, names, phone numbers, dates of birth, purchases and passwords stored as scrypt hashes. |
||
| 15.04.2024 - MovieBoxPro | 6.009.014 Datensätze geleaked | |
| Email addresses, Usernames In April 2024, over 6M records from the streaming service MovieBoxPro were scraped from a vulnerable API. Of questionable legality, the service provided no contact information to disclose the incident, although reportedly the vulnerability was rectified after being mass enumerated. |
||
| 13.04.2024 - Le Slip Français | 1.495.127 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In April 2024, the French underwear maker Le Slip Français suffered a data breach. The breach included 1.5M email addresses, physical addresses, names and phone numbers. |
||
| 02.04.2024 - Salvadoran Citizens | 946.989 Datensätze geleaked | |
| Dates of birth, Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses, Profile photos In April 2024, nearly 6 million records of Salvadoran citizens were published to a popular hacking forum. The data included names, dates of birth, phone numbers, physical addresses and nearly 1M unique email addresses. Further, over 5M corresponding profile photos were also included in the breach. |
||
| 31.03.2024 - Pandabuy | 1.348.407 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Phone numbers, Physical addresses In March 2024, 1.3M unique email addresses from the online store for purchasing goods from China, Pandabuy, were posted to a popular hacking forum. The data also included IP and physical addresses, names, phone numbers and order enquiries. The breach was alleged to be attributed to "Sanggiero" and "IntelBroker". |
||
| 25.03.2024 - boAt | 7.528.985 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In March 2024, the Indian audio and wearables brand boAt suffered a data breach that exposed 7.5M customer records. The data included physical and email address, names and phone numbers, all of which were subsequently published to a popular clear web hacking forum. |
||
| 24.03.2024 - Kaspersky Club | 55.971 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In March 2024, the independent fan forum Kaspersky Club suffered a data breach. The incident exposed 56k unique email addresses alongside usernames, IP addresses and passwords stored as either MD5 or bcrypt hashes. |
||
| 23.03.2024 - England Cricket | 43.299 Datensätze geleaked | |
| Email addresses, Passwords In March 2024, English Cricket's icoachcricket website suffered a data breach that exposed over 40k records. The data included email addresses and passwords stored as either bcrypt hashes, salted MD5 hashes or both. The data was provided to HIBP by a source who requested it be attributed to "IntelBroker". |
||
| 04.03.2024 - Giant Tiger | 2.842.669 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In March 2024, Canadian discount store Giant Tiger suffered a data breach that exposed 2.8M customer records. Attributed to a vendor of the retailer, the breach included physical and email addresses, names and phone numbers. |
||
| 03.03.2024 - WoTLabs | 21.994 Datensätze geleaked | |
| Dates of birth, Email addresses, IP addresses, Time zones, Usernames In March 2024, WoTLabs (World of Tanks Statistics and Resources) suffered a data breach and website defacement attributed to "chromebook breachers". The breach exposed 22k forum members' personal data including email and IP addresses, usernames, dates of birth and time zones. |
||
| 01.03.2024 - Mr. Green Gaming | 27.123 Datensätze geleaked | |
| Dates of birth, Email addresses, Geographic locations, IP addresses, Usernames In March 2024, the online games community Mr. Green Gaming suffered a data breach that exposed 27k user records. Acknowledged on their Discord server, the incident exposed email and IP addresses, usernames, geographic locations and dates of birth. |
||
| 26.02.2024 - Cutout.Pro | 19.972.829 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Passwords In February 2024, the AI-powered visual design platform Cutout.Pro suffered a data breach that exposed 20M records. The data included email and IP addresses, names and salted MD5 password hashes which were subsequently broadly distributed on a popular hacking forum and Telegram channels. |
||
| 18.02.2024 - Tangerine | 243.462 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations In February 2024, the Australian Telco Tangerine suffered a data breach that exposed over 200k customer records. Attributed to a legacy customer database, the data included physical and email addresses, names, phone numbers and dates of birth. Whilst the Tangerine login process involves sending a one-time password after entering an email address and phone number, it previously used a traditional password which was also exposed as a bcrypt hash. |
||
| 01.02.2024 - SurveyLama | 4.426.879 Datensätze geleaked | |
| Dates of birth, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses In February 2024, the paid survey website SurveyLama suffered a data breach that exposed 4.4M customer email addresses. The incident also exposed names, physical and IP addresses, phone numbers, dates of birth and passwords stored as either salted SHA-1, bcrypt or argon2 hashes. When contacted about the incident, SurveyLama advised that they had already "notified the users by email". |
||
| 31.01.2024 - Spoutible | 207.114 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Names, Passwords, Phone numbers, Usernames In January 2024, Spoutible had 207k records scraped from a misconfigured API that inadvertently returned excessive personal information. The data included names, usernames, email and IP addresses, phone numbers (where provided to the platform), genders and bcrypt password hashes. The incident also exposed 2FA secrets and backup codes along with password reset tokens. |
||
| 16.01.2024 - Trello | 15.111.945 Datensätze geleaked | |
| Email addresses, Names, Usernames In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred. |
||
| 17.12.2023 - Hathway | 4.670.080 Datensätze geleaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations, Support tickets In December 2023, hundreds of gigabytes of data allegedly taken from Indian ISP and digital TV provider Hathway appeared on a popular hacking website. The incident exposed extensive personal information including 4.7M unique email addresses along with names, physical and IP addresses, phone numbers, password hashes and support ticket logs. |
||
| 12.12.2023 - InflateVids | 13.405 Datensätze geleaked | |
| Email addresses, Genders, IP addresses, Passwords, Usernames In December 2023, the inflatable and balloon fetish videos website InflateVids suffered a data breach. The incident exposed over 13k unique email addresses alongside usernames, IP addresses, genders and SHA-1 password hashes. |
||
| 14.11.2023 - KitchenPal | 98.726 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Physical attributes, Social media profiles In November 2023, the kitchen management application KitchenPal suffered a data breach that exposed 146k lines of data. When contacted about the incident, KitchenPal advised the corpus of data came from a staging environment, although acknowledged it contained a small number of users for debugging purposes and included passwords that could not be used. Impacted data included almost 100k email addresses, names, geolocations and incomplete data on dates of birth, genders, height and weight, social media profile identifiers and bcrypt password hashes. |
||
| 08.11.2023 - Chess | 827.620 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Usernames In November 2023, over 800k user records were scraped from the Chess website and posted to a popular hacking forum. The data included email address, name, username and the geographic location of the user. |
||
| 04.11.2023 - LinkedIn Scraped and Faked Data (2023) | 19.788.753 Datensätze geleaked | |
| Email addresses, Genders, Geographic locations, Job titles, Names, Professional skills, Social media profiles In November 2023, a post to a popular hacking forum alleged that millions of LinkedIn records had been scraped and leaked. On investigation, the data turned out to be a combination of legitimate data scraped from LinkedIn and email addresses constructed from impacted individuals' names. |
||
| 18.10.2023 - Toumei | 76.682 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In October 2023, the Japanese consultancy firm Toumei suffered a data breach. The breach exposed over 100M lines and 10GB of data including 77k unique email addresses along with names, phone numbers and physical addresses. |
||
| 01.10.2023 - Facebook Marketplace | 77.267 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Passwords, Phone numbers, Social media profiles In February 2024, 200k Facebook Marketplace records allegedly obtained from a Meta contractor in October 2023 were posted to a popular hacking forum. The data contained 77k unique email addresses alongside names, phone numbers, Facebook profile IDs and geographic locations. The data also contained bcrypt password hashes, although there is no indication these belong to the corresponding Facebook accounts. |
||
| 20.09.2023 - Naz.API | 70.840.771 Datensätze geleaked | |
| Email addresses, Passwords In September 2023, over 100GB of stealer logs and credential stuffing lists titled "Naz.API" was posted to a popular hacking forum. The incident contained a combination of email address and plain text password pairs alongside the service they were entered into, and standalone credential pairs obtained from unnamed sources. In total, the corpus of data included 71M unique email addresses and 100M unique passwords. |
||
| 09.09.2023 - Sphero | 832.255 Datensätze geleaked | |
| Dates of birth, Email addresses, Geographic locations, Names, Usernames In September 2023, over 1M rows of data from the educational robots company Sphero was posted to a popular hacking forum. The data contained 832k unique email addresses alongside names, usernames, dates of birth and geographic locations. |
||
| 29.08.2023 - Qakbot | 6.431.319 Datensätze geleaked | |
| Email addresses, Passwords In August 2023, the US Justice Department announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, and the United Kingdom to disrupt the botnet and malware known as Qakbot and take down its infrastructure. After the takedown, 6.43M email addresses were provided to HIBP to help notify victims of the malware. |
||
| 09.08.2023 - PlayCyberGames | 3.681.753 Datensätze geleaked | |
| Email addresses, Passwords, Usernames In August 2023, PlayCyberGames which "allows users to play any games with LAN function or games using IP address" suffered a data breach which exposed 3.7M customer records. The data included email addresses, usernames and MD5 password hashes with a constant value in the "salt" field. PlayCyberGames did not respond to multiple attempts to disclose the breach. |
||
| 02.08.2023 - MagicDuel | 138.443 Datensätze geleaked | |
| Email addresses, IP addresses, Nicknames, Passwords In August 2023, the MagicDuel Adventure website suffered a data breach that exposed 138k user records. The data included player names, email and IP addresses and bcrypt password hashes. |
||
| 16.07.2023 - Manipulated Caiman | 39.901.389 Datensätze geleaked | |
| Email addresses In July 2023, Perception Point reported on a phishing operation dubbed "Manipulated Caiman". Targeting primarily the citizens of Mexico, the campaign attempted to gain access to victims' bank accounts via spear phishing attacks using malicious attachments. Researchers obtained almost 40M email addresses targeted in the campaign and provided the data to HIBP to alert potential victims. |
||
| 09.07.2023 - Rightbiz | 65.376 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In June 2023, data belonging to the "UK's No.1 Business Marketplace" Rightbiz appeared on a popular hacking forum. Comprising of more than 18M rows of data, the breach included 65k unique email addresses along with names, phone numbers and physical address. Rightbiz didn't respond to mulitple attempts to disclose the incident. The data was provided to HIBP by a source who requested it be attributed to "https://discord.gg/gN9C9em". |
||
| 20.06.2023 - Dymocks | 836.120 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Names, Phone numbers, Physical addresses In September 2023, the Australian book retailer Dymocks announced a data breach. The data dated back to June 2023 and contained 1.2M records with 836k unique email addresses. The breach also exposed names, dates of birth, genders, phone numbers and physical addresses. |
||
| 17.06.2023 - BreachForums Clone | 4.204 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In June 2023, a clone of the previously shuttered popular hacking forum "BreachForums" suffered a data breach that exposed over 4k records. The breach was due to an exposed backup of the MyBB database which included email and IP addresses, usernames and Argon2 password hashes. |
||
| 31.05.2023 - JD Group | 521.878 Datensätze geleaked | |
| Email addresses, Government issued IDs, Names, Phone numbers, Physical addresses In May 2023, the South African retailer JD Group announced a data breach affecting a number of their online assets including Bradlows, Everyshop, HiFi Corp, Incredible (Connection), Rochester, Russells, and Sleepmasters. The breach exposed over 520k unique customer records including names, email and physical addresses, phone numbers and South African ID numbers. |
||
| 29.05.2023 - Polish Credentials | 1.204.870 Datensätze geleaked | |
| Email addresses, Passwords In May 2023, a credential stuffing list of 6.3M Polish email address and password pairs appeared on a local forum. Likely obtained by malware running on victims' machines, each record included an email address and plain text password alongside the website the credentials were used on. The data included 1.2M unique email addresses. |
||
| 15.04.2023 - Jobzone | 29.708 Datensätze geleaked | |
| Dates of birth, Email addresses, Family members' names, Genders, Government issued IDs, Names, Phone numbers, Physical addresses In April 2023, data from the Israeli jobs website Jobzone was posted online. The data included 30k records of email addresses, names, social security numbers, genders, dates of birth, fathers' names and physical addresses. |
||
| 15.04.2023 - RentoMojo | 2.185.697 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Passwords, Phone numbers, Purchases, Social media profiles In April 2023, the Indian rental service RentoMojo suffered a data breach. The breach exposed over 2M unique email addresses along with names, phone, passport and Aadhaar numbers, genders, dates of birth, purchases and bcrypt password hashes. |
||
| 05.04.2023 - Genesis Market | 8.000.000 Datensätze geleaked | |
| Browser user agent details, Credit card CVV, Credit cards, Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames In April 2023, the stolen identity marketplace Genesis Market was shut down by the FBI and a coalition of law enforcement agencies across the globe in "Operation Cookie Monster". The service traded in "browser fingerprints" which enabled criminals to impersonate victims and access their online services. As many of the impacted accounts did not include email addresses, "8M" is merely an approximation intended to indicate scale. Other personal data compromised by the service included names, addresses and credit card information, although not all individuals had each of these fields exposed. |
||