New breach: South American mobility services platform Ualabee had 472k records scraped last month. Data included email address, name, DoB, phone number and profile photo. 52% were already in @haveibeenpwned. Read more: https://news.ualabee.com/Aclaraci-n-sobre-datos-vinculados-a-Ualabee-20f75bdc4ce88041916bfeb5055087e8

New breach: Now defunct social media influencer platform WiredBucks was breached in 2022. Over 900k email and IP addresses, names, usernames and plain text passwords were exposed. 32% were already in @haveibeenpwned. Read more: https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

New breach: Japanese record chain store Disk Union had 690k email addresses breached in June 2022. Data included name, post code, phone and plain text password. 40% were already in @haveibeenpwned. Read more: https://news.kaduu.io/blog/2022/07/04/the-worlds-best-record-shop-leaks-701k-user-records-and-personal-info/

New breach: ColoCrossing had 7k email addresses breached from their ColoCloud cloud/VPS service last month. Data also included name and MD5-Crypt password hash. 38% were already in @haveibeenpwned. Read more: https://lowendbox.com/blog/colocloud-breach-virtualizer-bugs-lead-to-wild-lowendtalk-thread/

New breach: French ISP "Free" was breached in Oct and the data later published publicly. It contains 14M email addresses along with name, physical address, gender, DoB, phone and for many records, IBAN. 59% were already in @haveibeenpwned. Read more: https://www.bleepingcomputer.com/news/security/free-frances-second-largest-isp-confirms-data-breach-after-leak/

New sensitive breach: The 2nd wave of Operation Endgame to disrupt criminal ransomware infrastructure has resulted in 15.4M email addresses and 43.8M passwords being provided to HIBP by law enforcement agencies. 83% were already in @haveibeenpwned. More: https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-strikes-again-ransomware-kill-chain-broken-its-source

New breach: Fédération Francaise de Rugby had 282k email addresses breached in June 2023. Data also included name, DoB and phone number. 69% were already in @haveibeenpwned. Read more: https://www.lemonde.fr/sport/article/2023/06/22/des-pirates-informatiques-tentent-de-faire-chanter-la-federation-francaise-de-rugby-victime-d-une-attaque_6178763_3242.html

New breach: OnRPG had 1M email addresses breached in 2016. Data also included IP address, username and salted MD5 password hash. 86% were already in @haveibeenpwned. Read more: https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

New breach: Hungarian education office website TehetségKapu had almost 55k records breached in March. Data included email address, name and username. 32% were already in @haveibeenpwned. Read more: https://444.hu/2025/03/27/55-ezer-szemelyes-adat-magyar-diakok-tanarok-es-az-oktatasi-hivatal-dolgozoinak-informacioi-szivaroghattak-ki

New breach: Samsung Germany had 216k unique email addresses exposed due to a compromise of their logistics provider, Spectos. Data included name, physical address, purchases and shipping tracking numbers. 49% were already in @haveibeenpwned. Read more: https://www.infostealers.com/article/samsung-tickets-data-leak-infostealers-strike-again-in-massive-free-dump/

The unique email address count on this breach has been revised to 2M. The source data included spaces as padding after the address which our open source email address extractor didn't properly recognise: https://github.com/HaveIBeenPwned/EmailAddressExtractor/commit/cf1bdb0b68e40dcd24e500814ca08e022e47264b

New breach: Indonesian restaurant website Qraved had almost 1M email addresses breached in 2021. Data also included name, phone, DoB and MD5 password hash. 83% were already in @haveibeenpwned. Read more: https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

New breach: French electronics retailer Boulanger had 967k email addresses breached in September. Data also included name, physical address, phone number and lat and long. 65% were already in @haveibeenpwned. Read more: https://therecord.media/france-retailers-hacked-confirm-cyberattack

New breach: German Doner Kebab had 162k unique email addresses publicly posted to a hacking forum last week. Data also included name, phone and physical addrress. 74% were already in @haveibeenpwned. Read more: https://x.com/DarkWebInformer/status/1905275857159008341

New breach: Troy Hunt's Mailchimp account was successfully phished and a subscriber list for his personal blog was exported. Data included 16k email and IP addresses, plus derived lat long and time zone. 75% were already in @haveibeenpwned. Read more: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

New sensitive breach: Spyware maker SpyX had almost 2M email addresses breached in June. The data also included IP address, country and what appears to be plain text iCloud credentials. 40% were already in @haveibeenpwned. Read more: https://techcrunch.com/2025/03/19/data-breach-at-stalkerware-spyx-affects-close-to-2-million-including-thousands-of-apple-users/

New sensitive breach: Lexipol had 672k email addresses breached last month by self-proclaimed "Puppygirl Hacker Polycule". Data included name, phone and MD5 or SHA-256 password hashes. 23% were already in @haveibeenpwned. Read more: https://www.them.us/story/puppygirl-hacker-polycule-leak

New sensitive breach: Color Dating had 220k unique email addresses breached in 2018. Data also included name, bio, photo and bcrypt password hash. 59% were already in @haveibeenpwned. Read more: https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

New breach: The flat earth sun, moon & zodiac app by "Flat Earth Dave" had 33k unique email addresses breached in Oct. Data included plain text passwords and users' lat and long (their position on the globe). 73% were already in @haveibeenpwned. More: https://www.youtube.com/watch?v=71FRE9cZczw

New sensitive breach: Spyware service Spyzie had almost 519k email addresses breached this month. The exploited vulnerability also granted access to captured messages, photos, call logs, and more. 48% were already in @haveibeenpwned. Read more: https://techcrunch.com/2025/02/27/spyzie-stalkerware-spying-on-thousands-of-android-and-iphone-users/