The Breach List

Title Breached Accounts Breach Date Breach Description
000webhost 13,545,468 March 1, 2015 In approximately March 2015, the free web hosting provider 000webhost suffered a major data breach that exposed over 13 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords.
17 4,009,640 April 19, 2016 In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.
Acne.org 432,943 November 25, 2014 In November 2014, the acne website acne.org suffered a data breach that exposed over 430k forum members' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and passwords.
Adobe 152,445,165 October 4, 2013 In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
Adult Friend Finder 3,867,997 May 21, 2015 In May 2015, the adult hookup site Adult Friend Finder was hacked and nearly 4 million records dumped publicly. The data dump included extremely sensitive personal information about individuals and their relationship statuses and sexual preferences combined with personally identifiable information.
AhaShare.com 180,468 May 30, 2013 In May 2013, the torrent site AhaShare.com suffered a breach which resulted in more than 180k user accounts being published publicly. The breach included a raft of personal information on registered users plus despite assertions of not distributing personally identifiable information, the site also leaked the IP addresses used by the registered identities.
Android Forums 745,355 October 30, 2011 In October 2011, the Android Forums website was hacked and 745k user accounts were subsequently leaked publicly. The compromised data included email addresses, user birth dates and passwords stored as a salted MD5 hash.
Ashley Madison 30,811,934 July 19, 2015 In July 2015, the infidelity website Ashley Madison suffered a serious data breach. The attackers threatened Ashley Madison with the full disclosure of the breach unless the service was shut down. One month later, the database was dumped including more than 30M unique email addresses. This breach has been classed as "sensitive" and is not publicly searchable, although individuals may discover if they've been impacted by registering for notifications. Read about this approach in detail.
Astropid 5,788 December 19, 2013 In December 2013, the vBulletin forum for the social engineering site known as "AstroPID" was breached and leaked publicly. The site provided tips on fraudulently obtaining goods and services, often by providing a legitimate "PID" or Product Information Description. The breach resulted in nearly 6k user accounts and over 220k private messages between forum members being exposed.
Avast 422,959 May 26, 2014 In May 2014, the Avast anti-virus forum was hacked and 423k member records were exposed. The Simple Machines Based forum included usernames, emails and password hashes.
Battlefield Heroes 530,270 June 26, 2011 In June 2011 as part of a final breached data dump, the hacker collective "LulzSec" obtained and released over half a million usernames and passwords from the game Battlefield Heroes. The passwords were stored as MD5 hashes with no salt and many were easily converted back to their plain text versions.
Beautiful People 1,100,089 November 11, 2015 In November 2015, the dating website Beautiful People was hacked and over 1.1M accounts were leaked. The data was being traded in underground circles and included a huge amount of personal information related to dating.
Bell 20,902 February 1, 2014 In February 2014, Bell Canada suffered a data breach via the hacker collective known as NullCrew. The breach included data from multiple locations within Bell and exposed email addresses, usernames, user preferences and a number of unencrypted passwords and credit card data from 40,000 records containing just over 20,000 unique email addresses and usernames.
BigMoneyJobs 36,789 April 3, 2014 In April 2014, the job site bigmoneyjobs.com was hacked by an attacker known as "ProbablyOnion". The attack resulted in the exposure of over 36,000 user accounts including email addresses, usernames and passwords which were stored in plain text. The attack was allegedly mounted by exploiting a SQL injection vulnerability.
Bitcoin Security Forum Gmail Dump 4,789,599 January 9, 2014 In September 2014, a large dump of nearly 5M usernames and passwords was posted to a Russian Bitcoin forum. Whilst commonly reported as 5M "Gmail passwords", the dump also contained 123k yandex.ru addresses. Whilst the origin of the breach remains unclear, the breached credentials were confirmed by multiple source as correct, albeit a number of years old.
BitTorrent 34,235 January 1, 2016 In January 2016, the forum for the popular torrent software BitTorrent was hacked. The IP.Board based forum stored passwords as weak SHA1 salted hashes and the breached data also included usernames, email and IP addresses.
Black Hat World 777,387 June 23, 2014 In June 2014, the search engine optimisation forum Black Hat World had three quarters of a million accounts breached from their system. The breach included various personally identifiable attributes which were publicly released in a MySQL database script.
Boxee 158,093 March 29, 2014 In March 2014, the home theatre PC software maker Boxee had their forums compromised in an attack. The attackers obtained the entire vBulletin MySQL database and promptly posted it for download on the Boxee forum itself. The data included 160k users, password histories, private messages and a variety of other data exposed across nearly 200 publicly exposed tables.
Business Acumen Magazine 26,596 April 25, 2014 In April 2014, the Australian "Business Acumen Magazine" website was hacked by an attacker known as 1337MiR. The breach resulted in over 26,000 accounts being exposed including usernames, email addresses and password stored with a weak cryptographic hashing algorithm (MD5 with no salt).
Cannabis.com 227,746 February 5, 2014 In February 2014, the vBulletin forum for the Marijuana site cannabis.com was breached and leaked publicly. Whilst there has been no public attribution of the breach, the leaked data included over 227k accounts and nearly 10k private messages between users of the forum.
Comcast 616,882 November 8, 2015 In November 2015, the US internet and cable TV provider Comcast suffered a data breach that exposed 590k customer email addresses and plain text passwords. A further 27k accounts appeared with home addresses with the entire data set being sold on underground forums.
COMELEC (Philippines Voters) 228,605 March 27, 2016 In March 2016, the Philippines Commission of Elections website (COMELEC) was attacked and defaced, allegedly by Anonymous Philippines. Shortly after, data on 55 million Filipino voters was leaked publicly and included sensitive information such as genders, marital statuses, height and weight and biometric fingerprint data. The breach only included 228k email addresses.
Crack Community 19,210 September 9, 2013 In late 2013, the Crack Community forum specialising in cracks for games was compromised and over 19k accounts published online. Built on the MyBB forum platform, the compromised data included email addresses, IP addresses and salted MD5 passwords.
Domino's 648,231 June 13, 2014 In June 2014, Domino's Pizza in France and Belgium was hacked by a group going by the name "Rex Mundi" and their customer data held to ransom. Domino's refused to pay the ransom and six months later, the attackers released the data along with troves of other hacked accounts. Amongst the customer data was passwords stored with a weak MD5 hashing algorithm and no salt.
Dungeons & Dragons Online 1,580,933 April 2, 2013 In April 2013, the interactive video game Dungeons & Dragons Online suffered a data breach that exposed almost 1.6M players' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and password hashes.
Final Fantasy Shrine 620,677 September 18, 2015 In September 2015, the Final Fantasy discussion forum known as FFShrine was breached and the data dumped publicly. Approximately 620k records were released containing email addresses, IP addresses and salted hashes of passwords.
Flashback 40,256 February 11, 2015 In February 2015, the Swedish forum known as Flashback had sensitive internal data on 40k members published via the tabloid newspaper Aftonbladet. The data was allegedly sold to them via Researchgruppen (The Research Group) who have a history of exposing otherwise anonymous users, primarily those who they believe participate in "troll like" behaviour. The compromised data includes social security numbers, home and email addresses.
Fling 40,767,652 March 10, 2011 In 2011, the self-proclaimed "World's Best Adult Social Network" website known as Fling was hacked and more than 40 million accounts obtained by the attacker. The breached data included highly sensitive personal attributes such as sexual orientation and sexual interests as well as email addresses and passwords stored in plain text.
Forbes 1,057,819 February 15, 2014 In February 2014, the Forbes website succumbed to an attack that leaked over 1 million user accounts. The attack was attributed to the Syrian Electronic Army, allegedly as retribution for a perceived "Hate of Syria". The attack not only leaked user credentials, but also resulted in the posting of fake news stories to forbes.com.
Foxy Bingo 252,216 April 4, 2008 In April 2007, the online gambling site Foxy Bingo was hacked and 252,000 accounts were obtained by the hackers. The breached records were subsequently sold and traded and included personal information data such as plain text passwords, birth dates and home addresses.
Fridae 35,368 May 2, 2014 In May 2014, over 25,000 user accounts were breached from the Asian lesbian, gay, bisexual and transgender website known as "Fridae". The attack which was announced on Twitter appears to have been orchestrated by Deletesec who claim that "Digital weapons shall annihilate all secrecy within governments and corporations". The exposed data included password stored in plain text.
Fur Affinity 1,270,564 May 17, 2016 In May 2016, the Fur Affinity website for people with an interest in anthropomorphic animal characters (also known as "furries") was hacked. The attack exposed 1.2M email addresses (many accounts had a different "first" and "last" email against them) and hashed passwords.
Gamerzplanet 1,217,166 October 23, 2015 In approximately October 2015, the online gaming forum known as Gamerzplanet was hacked and more than 1.2M accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Gamigo 8,243,604 March 1, 2012 In March 2012, the German online game publisher Gamigo was hacked and more than 8 million accounts publicly leaked. The breach included email addresses and passwords stored as weak MD5 hashes with no salt.
Gawker 1,247,574 December 11, 2010 In December 2010, Gawker was attacked by the hacker collective "Gnosis" in retaliation for what was reported to be a feud between Gawker and 4Chan. Information about Gawkers 1.3M users was published along with the data from Gawker's other web presences including Gizmodo and Lifehacker. Due to the prevalence of password reuse, many victims of the breach then had their Twitter accounts compromised to send Acai berry spam.
hackforums.net 191,540 June 25, 2011 In June 2011, the hacktivist group known as "LulzSec" leaked one final large data breach they titled "50 days of lulz". The compromised data came from sources such as AT&T, Battlefield Heroes and the hackforums.net website. The leaked Hack Forums data included credentials and personal information of nearly 200,000 registered forum users.
Hacking Team 32,310 July 6, 2015 In July 2015, the Italian security firm Hacking Team suffered a major data breach that resulted in over 400GB of their data being posted online via a torrent. The data searchable on "Have I been pwned?" is from 189GB worth of PST mail folders in the dump. The contents of the PST files is searchable on Wikileaks.
Hemmakväll 47,297 July 8, 2015 In July 2015, the Swedish video store chain Hemmakväll was hacked and nearly 50k records dumped publicly. The disclosed data included various attributes of their customers including email and physical addresses, names and phone numbers. Passwords were also leaked, stored with a weak MD5 hashing algorithm.
hemmelig.com 28,641 December 21, 2011 In December 2011, Norway's largest online sex shop hemmelig.com was hacked by a collective calling themselves "Team Appunity". The attack exposed over 28,000 usernames and email addresses along with nicknames, gender, year of birth and unsalted MD5 password hashes.
Heroes of Newerth 8,089,103 December 17, 2012 In December 2012, the multiplayer online battle arena game known as Heroes of Newerth was hacked and over 8 million accounts extracted from the system. The compromised data included usernames, email addresses and passwords.
iMesh 49,467,477 September 22, 2013 In September 2013, the media and file sharing client known as iMesh was hacked and approximately 50M accounts were exposed. The data was later put up for sale on a dark market website in mid-2016 and included email and IP addresses, usernames and salted MD5 hashes.
Insanelyi 104,097 July 22, 2014 In July 2014, the iOS forum Insanelyi was hacked by an attacker known as Kim Jong-Cracks. A popular source of information for users of jailbroken iOS devices running Cydia, the Insanelyi breach disclosed over 104k users' emails addresses, user names and weakly hashed passwords (salted MD5).
iPmart 2,460,787 July 1, 2015 During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 368k accounts were added to "Have I been pwned" in March 2016 bringing the total to over 2.4M.
KM.RU 1,476,783 February 29, 2016 In February 2016, the Russian portal and email service KM.RU was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", KM.RU was one of several Russian sites in the breach and impacted almost 1.5M accounts including sensitive personal information.
Lifeboat 7,089,395 January 1, 2016 In January 2016, the Minecraft community known as Lifeboat was hacked and more than 7 million accounts leaked. Lifeboat knew of the incident for three months before the breach was made public but elected not to advise customers. The leaked data included usernames, email addresses and passwords stored as straight MD5 hashes.
LinkedIn 164,611,595 May 5, 2012 In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
Linux Mint 144,989 February 21, 2016 In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.
Lizard Squad 13,451 January 16, 2015 In January 2015, the hacker collective known as "Lizard Squad" created a DDoS service by the name of "Lizard Stresser" which could be procured to mount attacks against online targets. Shortly thereafter, the service suffered a data breach which resulted in the public disclosure of over 13k user accounts including passwords stored in plain text.
Lord of the Rings Online 1,141,278 August 1, 2013 In August 2013, the interactive video game Lord of the Rings Online suffered a data breach that exposed over 1.1M players' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and password hashes.
Lounge Board 45,018 August 1, 2013 At some point in 2013, 45k accounts were breached from the Lounge Board "General Discussion Forum" and then dumped publicly. Lounge Board was a MyBB forum launched in 2012 and discontinued in mid 2013 (the last activity in the logs was from August 2013).
Mac-Torrents 93,992 October 31, 2015 In October 2015, the torrent site Mac-Torrents was hacked and almost 94k usernames, email addresses and passwords were leaked. The passwords were hashed with MD5 and no salt.
mail.ru Dump 4,821,262 September 10, 2014 In September 2014, several large dumps of user accounts appeared on the Russian Bitcoin Security Forum including one with nearly 5M email addresses and passwords, predominantly on the mail.ru domain. Whilst unlikely to be the result of a direct attack again mail.ru, the credentials were confirmed by many as legitimate for other services they had subscribed to.
MajorGeeks 269,548 November 15, 2015 In November 2015, almost 270k accounts from the MajorGeeks support forum were breached. The accounts were being actively sold and traded online and included email addresses, salted password hashes and IP addresses.
Malwarebytes 111,623 November 15, 2014 In November 2014, the Malwarebytes forum was hacked and 111k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Manga Traders 855,249 October 6, 2014 In June 2014, the Manga trading website Mangatraders.com had the usernames and passwords of over 900k users leaked on the internet (approximately 855k of the emails were unique). The passwords were weakly hashed with a single iteration of MD5 leaving them vulnerable to being easily cracked.
Mate1.com 27,393,015 February 29, 2016 In February 2016, the dating site mate1.com suffered a huge data breach resulting in the disclosure of over 27 million subscribers' information. The data included deeply personal information about their private lives including drug and alcohol habits, incomes levels and sexual fetishes as well as passwords stored in plain text.
Minecraft Pocket Edition Forum 16,034 May 24, 2015 In May 2015, the Minecraft Pocket Edition forum was hacked and over 16k accounts were dumped public. Allegedly hacked by @rmsg0d, the forum data included numerous personal pieces of data for each user. The forum has subsequently been decommissioned.
Minefield 188,343 June 28, 2015 In June 2015, the French Minecraft server known as Minefield was hacked and 188k member records were exposed. The IP.Board forum included email and IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Money Bookers 4,483,605 January 1, 2009 Sometime in 2009, the e-wallet service known as Money Bookers suffered a data breach which exposed almost 4.5M customers. Now called Skrill, the breach was not discovered until October 2015 and included names, email addresses, home addresses and IP addresses.
MPGH 3,122,898 October 22, 2015 In October 2015, the multiplayer game hacking website MPGH was hacked and 3.1 million user accounts disclosed. The vBulletin forum breach contained usernames, email addresses, IP addresses and salted hashes of passwords.
mSpy 699,793 May 14, 2015 In May 2015, the "monitoring" software known as mSpy suffered a major data breach. The software (allegedly often used to spy on unsuspecting victims), stored extensive personal information within their online service which after being breached, was made freely available on the internet.
Muslim Directory 37,784 February 17, 2014 In February 2014, the UK guide to services and business known as the Muslim Directory was attacked by the hacker known as @th3inf1d3l. The data was consequently dumped publicly and included the web accounts of tens of thousands of users which contained data including their names, home address, age group, email, website activity and password in plain text.
Muslim Match 149,830 June 24, 2016 In June 2016, the Muslim Match dating website had 150k email addresses exposed. The data included private chats and messages between relationship seekers and numerous other personal attributes including passwords hashed with MD5.
myRepoSpace 252,751 July 6, 2015 In July 2015, the Cydia repository known as myRepoSpace was hacked and user data leaked publicly. Cydia is designed to facilitate the installation of apps on jailbroken iOS devices. The repository service was allegedly hacked by @its_not_herpes and 0x8badfl00d in retaliation for the service refusing to remove pirated tweaks.
MySpace 359,420,698 July 1, 2008 In approximately 2008, MySpace suffered a data breach that exposed almost 360 million accounts. In May 2016 the data was offered up for sale on the "Real Deal" dark market website and included email addresses, usernames and SHA1 hashes of the first 10 characters of the password converted to lowercase and stored without a salt. The exact breach date is unknown, but analysis of the data suggests it was 8 years before being made public.
MyVidster 19,863 August 15, 2015 In August 2015, the social video sharing and bookmarking site MyVidster was hacked and nearly 20,000 accounts were dumped online. The dump included usernames, email addresses and hashed passwords.
Naughty America 1,398,630 March 14, 2016 In March 2016, the adult website Naughty America was hacked and the data consequently sold online. The breach included data from numerous systems with various personal identity attributes, the largest of which had passwords stored as easily crackable MD5 hashes. There were 1.4 million unique email addresses in the breach.
Neopets 26,892,897 May 5, 2013 In May 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email addresses. Passwords were stored in plain text and IP addresses were also present in the breach.
Neteller 3,619,948 May 17, 2010 In May 2010, the e-wallet service known as Neteller suffered a data breach which exposed over 3.6M customers. The breach was not discovered until October 2015 and included names, email addresses, home addresses and account balances.
NextGenUpdate 1,194,597 April 22, 2014 Early in 2014, the video game website NextGenUpdate reportedly suffered a data breach that disclosed almost 1.2 million accounts. Amongst the data breach was usernames, email addresses, IP addresses and salted and hashed passwords.
Nexus Mods 5,915,013 July 22, 2013 In December 2015, the game modding site Nexus Mods released a statement notifying users that they had been hacked. They subsequently dated the hack as having occurred in July 2013 although there is evidence to suggest the data was being traded months in advance of that. The breach contained usernames, email addresses and passwords stored as a salted hashes.
Nival 1,535,473 February 29, 2016 In February 2016, the Russian gaming company Nival was the target of an attack which was consequently detailed on Reddit. Allegedly protesting "the foreign policy of Russia in regards to Ukraine", Nival was one of several Russian sites in the breach and impacted over 1.5M accounts including sensitive personal information.
Nulled 599,080 May 6, 2016 In May 2016, the cracking community forum known as Nulled was hacked and 599k user accounts were leaked publicly. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members.
OwnedCore 880,331 August 1, 2013 In approximately August 2013, the World of Warcraft exploits forum known as OwnedCore was hacked and more than 880k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Paddy Power 590,954 October 25, 2010 In October 2010, the Irish bookmaker Paddy Power suffered a data breach that exposed 750,000 customer records with nearly 600,000 unique email addresses. The breach was not disclosed until July 2014 and contained extensive personal information including names, addresses, phone numbers and plain text security questions and answers.
Patreon 2,330,382 October 1, 2015 In October 2015, the crowdfunding site Patreon was hacked and over 16GB of data was released publicly. The dump included almost 14GB of database records with more than 2.3M unique email addresses and millions of personal messages.
PHP Freaks 173,891 October 27, 2015 In October 2015, the PHP discussion board PHP Freaks was hacked and 173k user accounts were publicly leaked. The breach included multiple personal data attributes as well as salted and hashed passwords.
Pixel Federation 38,108 December 4, 2013 In December 2013, a breach of the web-based game community based in Slovakia exposed over 38,000 accounts which were promptly posted online. The breach included email addresses and unsalted MD5 hashed passwords, many of which were easily converted back to plain text.
Plex 327,314 July 2, 2015 In July 2015, the discusison forum for Plex media centre was hacked and over 327k accounts exposed. The IP.Board forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Pokemon Creed 116,465 August 8, 2014 In August 2014, the Pokemon RPG website Pokemon Creed was hacked after a dispute with rival site, Pokemon Dusk. In a post on Facebook, "Cruz Dusk" announced the hack then pasted the dumped MySQL database on pkmndusk.in. The breached data included over 116k usernames, email addresses and plain text passwords.
PS3Hax 447,410 July 1, 2015 In approximately July 2015, the Sony Playstation hacks and mods forum known as PS3Hax was hacked and more than 447k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
PSX-Scene 341,118 February 1, 2015 In approximately February 2015, the Sony Playstation forum known as PSX-Scene was hacked and more than 340k accounts were exposed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
Qatar National Bank 88,678 July 1, 2015 In July 2015, the Qatar National Bank suffered a data breach which exposed 15k documents totalling 1.4GB and detailing more than 100k accounts with passwords and PINs. The incident was made public some 9 months later in April 2016 when the documents appeared publicly on a file sharing site. Analysis of the breached data suggests the attack began by exploiting a SQL injection flaw in the bank's website.
Quantum Booter 48,592 March 18, 2014 In March 2014, the booter service Quantum Booter (also referred to as Quantum Stresser) suffered a breach which lead to the disclosure of their internal database. The leaked data included private discussions relating to malicious activity Quantum Booter users were performing against online adversaries, including the IP addresses of those using the service to mount DDoS attacks.
R2Games 22,281,337 November 1, 2015 In late 2015, the gaming website R2Games was hacked and more than 2.1M personal records disclosed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 11M accounts were added to "Have I been pwned" in March 2016 and another 9M in July 2016 bringing the total to over 22M.
Seedpeer 281,924 July 12, 2015 In July 2015, the torrent site Seedpeer was hacked and 282k member records were exposed. The data included usernames, email addresses and passwords stored as weak MD5 hashes.
SkTorrent 117,070 February 19, 2016 In February 2016, the Slovak torrent tracking site SkTorrent was hacked and over 117k records leaked online. The data dump included usernames, email addresses and passwords stored in plain text.
Snapchat 4,609,615 January 1, 2014 In January 2014 just one week after Gibson Security detailed vulnerabilities in the service, Snapchat had 4.6 million usernames and phone number exposed. The attack involved brute force enumeration of a large number of phone numbers against the Snapchat API in what appears to be a response to Snapchat's assertion that such an attack was "theoretical". Consequently, the breach enabled individual usernames (which are often used across other services) to be resolved to phone numbers which users usually wish to keep private.
Sony 37,103 June 2, 2011 In 2011, Sony suffered breach after breach after breach — it was a very bad year for them. The breaches spanned various areas of the business ranging from the PlayStation network all the way through to the motion picture arm, Sony Pictures. A SQL Injection vulnerability in sonypictures.com lead to tens of thousands of accounts across multiple systems being exposed complete with plain text passwords.
Spirol 55,622 February 22, 2014 In February 2014, Connecticut based Spirol Fastening Solutions suffered a data breach that exposed over 70,000 customer records. The attack was allegedly mounted by exploiting a SQL injection vulnerability which yielded data from Spirol’s CRM system ranging from customers’ names, companies, contact information and over 55,000 unique email addresses.
StarNet 139,395 February 26, 2015 In February 2015, the Moldavian ISP "StarNet" had it's database published online. The dump included nearly 140k email addresses, many with personal details including contact information, usage patterns of the ISP and even passport numbers.
Stratfor 859,777 December 24, 2011 In December 2011, "Anonymous" attacked the global intelligence company known as "Stratfor" and consequently disclosed a veritable treasure trove of data including hundreds of gigabytes of email and tens of thousands of credit card details which were promptly used by the attackers to make charitable donations (among other uses). The breach also included 860,000 user accounts complete with email address, time zone, some internal system data and MD5 hashed passwords with no salt.
Sumo Torrent 285,191 June 21, 2014 In June 2014, the torrent site Sumo Torrent was hacked and 285k member records were exposed. The data included IP addresses, email addresses and passwords stored as weak MD5 hashes.
Team SoloMid 442,166 December 22, 2014 In December 2014, the electronic sports organisation known as Team SoloMid was hacked and 442k members accounts were leaked. The accounts included email and IP addresses, usernames and salted hashes of passwords.
Telecom Regulatory Authority of India 107,776 April 27, 2015 In April 2015, the Telecom Regulatory Authority of India (TRAI) published tens of thousand of emails sent by Indian citizens supporting net neutrality as part of the SaveTheInternet campaign. The published data included lists of emails including the sender's name and email address as well as the contents of the email as well, often with signatures including other personal data.
Tesco 2,239 February 12, 2014 In February 2014, over 2,000 Tesco accounts with usernames, passwords and loyalty card balances appeared on Pastebin. Whilst the source of the breach is not clear, many confirmed the credentials were valid for Tesco and indeed they have a history of poor online security.
The Fappening 179,030 December 1, 2015 In December 2015, the forum for discussing naked celebrity photos known as "The Fappening" (named after the iCloud leaks of 2014) was compromised and 179k accounts were leaked. Exposed member data included usernames, email addresses and salted hashes of passwords.
ThisHabbo Forum 27,978 January 1, 2014 In 2014, the ThisHabbo forum (a fan site for Habbo.com, a Finnish social networking site) appeared among a list of compromised sites which has subsequently been removed from the internet. Whilst the actual date of the exploit is not clear, the breached data includes usernames, email addresses, IP addresses and salted hashes of passwords.
Tianya 29,020,808 December 26, 2011 In December 2011, China's largest online forum known as Tianya was hacked and tens of millions of accounts were obtained by the attacker. The leaked data included names, usernames and email addresses.
TruckersMP 83,957 February 25, 2016 In February 2016, the online trucking simulator mod TruckersMP suffered a data breach which exposed 84k user accounts. In a first for "Have I been pwned", the breached data was self-submitted directly by the organisation that was breached itself.
tumblr 65,469,298 February 28, 2013 In early 2013, tumblr suffered a data breach which resulted in the exposure of over 65 million accounts. The data was later put up for sale on a dark market website and included email addresses and passwords stored as salted SHA1 hashes.
Uiggy 2,682,650 June 1, 2016 In June 2016, the Facebook application known as Uiggy was hacked and 4.3M accounts were exposed, 2.7M of which had email addresses against them. The leaked accounts also exposed names, genders and the Facebook ID of the owners.
UN Internet Governance Forum 3,200 February 20, 2014 In February 2014, the Internet Governance Forum (formed by the United Nations for policy dialogue on issues of internet governance) was attacked by hacker collective known as Deletesec. Although tasked with "ensuring the security and stability of the Internet", the IGF’s website was still breached and resulted in the leak of 3,200 email addresses, names, usernames and cryptographically stored passwords.
vBulletin 518,966 November 3, 2015 In November 2015, the forum software maker vBulletin suffered a serious data breach. The attack lead to the release of both forum user and customer accounts totalling almost 519k records. The breach included email addresses, birth dates, security questions and answers for customers and salted hashes of passwords for both sources.
Verified 16,919 January 10, 2014 In January 2014, one of the largest communities of Eastern Europe cybercriminals known as "Verified" was hacked. The breach exposed nearly 17k users of the vBulletin forum including their personal messages and other potentially personally identifiable information.
VK 93,338,602 January 1, 2012 In approximately 2012, the Russian social media site known as VK was hacked and almost 100 million accounts were exposed. The data emerged in June 2016 where it was being sold via a dark market website and included names, phone numbers email addresses and plain text passwords.
Vodafone 56,021 December 12, 2013 In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal sources.
VTech 4,833,678 November 13, 2015 In November 2015, hackers extracted more than 4.8 million parents' and 227k children's accounts from VTech's Learning Lodge website. The Hong Kong company produces learning products for children including software sold via the compromised website. The data breach exposed extensive personal details including home addresses, security questions and answers and passwords stored as weak MD5 hashes. Furthermore, children's details including names, ages, genders and associations to their parents' records were also exposed.
WHMCS 134,047 May 21, 2012 In May 2012, the web hosting, billing and automation company WHMCS suffered a data breach that exposed 134k email addresses. The breach included extensive information about customers and payment histories including partial credit card numbers.
WildStar 738,556 July 11, 2015 In July 2015, the IP.Board forum for the gaming website WildStar suffered a data breach that exposed over 738k forum members' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and passwords.
Win7Vista Forum 202,683 September 3, 2013 In September 2013, the Win7Vista Windows forum (since renamed to the "Beyond Windows 9" forum) was hacked and later had its internal database dumped. The dump included over 200k members’ personal information and other internal data extracted from the forum.
WPT Amateur Poker League 148,366 January 4, 2014 In January 2014, the World Poker Tour (WPT) Amateur Poker League website was hacked by the Twitter user @smitt3nz. The attack resulted in the public disclosure of 175,000 accounts including 148,000 email addresses. The plain text password for each account was also included in the breach.
Xbox-Scene 432,552 February 1, 2015 In approximately February 2015, the Xbox forum known as Xbox-Scene was hacked and more than 432k accounts were exposed. The IP.Board forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.
XSplit 2,983,472 November 7, 2013 In November 2013, the makers of gaming live streaming and recoding software XSplit was compromised in an online attack. The data breach leaked almost 3M names, email addresses, usernames and hashed passwords.
Yahoo 453,427 July 11, 2012 In July 2012, Yahoo! had their online publishing service "Voices" compromised via a SQL injection attack. The breach resulted in the disclosure of nearly half a million usernames and passwords stored in plain text. The breach showed that of the compromised accounts, a staggering 59% of people who also had accounts in the Sony breached reused their passwords across both services.
Yandex Dump 1,186,564 September 7, 2014 In September 2014, news broke of a massive leak of accounts from Yandex, the Russian search engine giants who also provides email services. The purported million "breached" accounts were disclosed at the same time as nearly 5M mail.ru accounts with both companies claiming the credentials were acquired via phishing scams rather than being obtained as a result of direct attacks against their services.
YouPorn 1,327,567 February 21, 2012 In February 2012, the adult website YouPorn had over 1.3M user accounts exposed in a data breach. The publicly released data included both email addresses and plain text passwords. Credit to squeal.net for providing the data breach.
Спрашивай.ру 3,474,763 May 11, 2015 In May 2015, Спрашивай.ру (a the Russian website for anonymous reviews) was reported to have had 6.7 million user details exposed by a hacker known as "w0rm". Intended to be a site for expressing anonymous opinions, the leaked data included email addresses, birth dates and other personally identifiable data about almost 3.5 million unique email addresses found in the leak.

This service is built on top of www.haveibeenpwned.com, created by Troy Hunt. This web application has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information provided by this application without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this application, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this application or for any decision based on it.