Data Breach Reports

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt . Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later pu...

In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum . The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt...

In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach . The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders contai...

In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed . The incident exposed 340k unique email addresses along with usernames and argon2 password hashes.

In June 2015, custom gaming controller maker Scuf Gaming suffered a data breach . The incident exposed 129k unique email addresses along with usernames, display names, IP addresses and password hashes.

In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP . The incident impacted 293k unique email addresses and names. Sound Radix advised that it is possible that additional data including hashed passwords may have been exp...

In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data . The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted MD5 password hashes.

In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses . The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers,...

In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum . The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also ...

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partia...

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters . Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, ...

In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly . The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card t...

In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum . The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the i...

In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack . As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-control...

In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform . The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, use...

In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom , alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum , including 72M email addresses. M...

In December 2025, data allegedly breached from the Indian streaming music service 'Raaga' was posted for sale to a popular hacking forum . The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5...

In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum . The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated ema...

In October 2025, a reincarnation of the hacking forum BreachForums, which had previously been shut down multiple times, was taken offline by a coalition of law enforcement agencies . In the months leading up to the takedown, the site itself suffered a data breach that exposed a total of 672k unique ...

In December 2025, the dating website 'for a Europid vision' WhiteDate suffered a data breach that was subsequently leaked online , initially exposing 6.1k unique email addresses. The leaked data included extensive personal information such as physical appearance, income, education and IQ. A more com...

In August 2012, the forum for making money with botting 'The Botting Network' suffered a data breach that exposed 96k user records . The now defunct vBulletin forum leaked 96k email addresses, usernames, dates of birth and salted MD5 password hashes.

In July 2016, the Web Hosting Talk forum suffered a data breach that was subsequently listed for sale . The breach of the vBulletin based forum exposed 515k user records including usernames, email addresses, IP addresses and salted MD5 password hashes.

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak . The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M uniqu...

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service,...

In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users . The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the conten...

In February, the AI-powered comic generation platform KomikoAI suffered a data breach . The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt . Following the incident, 1M records containing 317k unique email addresses were published, with the attackers threatening to leak additional data in the following days. That threat was subsequently ...

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online . The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and at...

In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum . In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.

In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand , largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k uniqu...

In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.

In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publicatio...

In January 2026, Panera Bread suffered a data breach that exposed 14M records . After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Pa...

In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum . Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physic...

In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online . The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number,...

In August 2020, news broke of a data breach of Russian airline Utair that dated back to the previous year . The breach contained over 400k unique email addresses along with extensive personal information including names, physical addresses, dates of birth, passport numbers and loyalty program detail...

In April 2022, Russian pharmaceutical company Gemotest suffered a data breach that exposed 31 million patients . The data contained 6.3 million unique email addresses along with names, physical addresses, dates of birth, passport and insurance numbers. Gemotest was later fined for the breach.

In March 2025, the French vehicle inspection company AUTOSUR suffered a data breach exposing over 10M customer records, though only 487k unique email addresses were present. The compromised data included names, phone numbers, physical addresses, and vehicle details such as make and model, VIN, and r...