Woflow Breach: 447K Records - Emails & Addresses Exposed (2026)

Overview

On March 14, 2026, the ShinyHunters data extortion group publicly claimed responsibility for breaching Woflow, an AI-driven merchant data platform. The group published tens of thousands of files totaling over 2TB of data, including a database containing 447,593 unique records. The exposed data includes email addresses, names, phone numbers, and physical addresses. This breach was subsequently verified by Have I Been Pwned, allowing affected individuals to check their exposure.

What Was Exposed

The leaked records include:

• Email Addresses - The primary identifier enabling credential-stuffing attacks and targeted phishing campaigns.
• Names - Combined with emails, makes spear-phishing more convincing (e.g., “Dear [Name], your Woflow account requires verification”).
• Phone Numbers - Opens the door to SMS-based phishing (smishing) and SIM-swap attacks.
• Physical Addresses - Risky for individuals who value location privacy; can enable doxxing or physical harassment.

No financial data, Social Security numbers, or login passwords were reported in the leak, lowering the immediate risk of account takeover or identity theft but heightening the risk of targeted social engineering.

How the Breach Happened

ShinyHunters is a known data extortion group that exploits insecure cloud storage, exposed APIs, or compromised credentials to exfiltrate data before demanding payment. The group did not claim to have deployed ransomware - the attack appears purely focused on data theft. With over 2TB of files published, the breach likely involved access to backend databases, file storage, or both. Woflow has not yet confirmed the exact attack vector, but the scale suggests either a misconfigured S3 bucket, a compromised admin credential, or an unpatched vulnerability in their web application.

The Attacker

ShinyHunters has been active since 2020 and has claimed responsibility for breaches at companies like Tokopedia, Wattpad, and Microsoft’s private GitHub repository. Their modus operandi is to steal data, demand a ransom, and if unpaid, dump the stolen files publicly. In Woflow’s case, the data was published without a ransom demand, suggesting either the ransom wasn’t met or the group is using the leak for reputation building. This is consistent with their pattern of targeting companies with large datasets but less robust security postures.

What to Do Right Now

If you used Woflow’s platform or provided personal information to one of their merchant clients:

1. Check if you’re affected - Visit Have I Been Pwned and search your primary email address. If it appears, your name, phone number, and address may also be exposed.
2. Watch for phishing - With email, name, and phone number available, attackers can craft convincing messages. Do not click links or download attachments from unexpected emails or texts that reference Woflow.
3. Enable multifactor authentication - On any account that uses the same email address you provided to Woflow. This is especially critical for email, banking, and social media accounts.
4. Freeze your phone number - Contact your mobile carrier to request a port-out PIN or SIM lock to prevent SIM-swap attacks.
5. Monitor for physical mail fraud - If your home address was exposed, watch for unsolicited credit card offers or suspicious packages that may indicate identity misuse.

How to Check If You’re Affected

Have I Been Pwned has ingested the Woflow dataset. Visit haveibeenpwned.com and enter your email address. If you receive a “Pwned” result with Woflow listed, treat all your data - email, name, phone, address - as compromised.

Security Insight

Woflow’s breach repeats a pattern seen across data-aggregation platforms: they collect vast amounts of personally identifiable information from merchants but often lack the security maturity of the financial or healthcare sectors. The publication of 2TB of raw data suggests minimal encryption or access controls were applied to stored data. For AI-driven platforms like Woflow, the lesson is clear: data volume and AI capabilities must be matched by proportional investment in data security, not just data processing.

Further Reading

• All High Breaches
• Recent Data Breaches