Public Data Breaches
Flagstar, the US bank and mortgage lender with locations in New Jersey, disclosed a data breach in which threat actors behind the Clop ransomware group exploited a vulnerability in Accellion FTA servers in January 2021. They gained access to sensitive customer and employee information, such as Social Security numbers, ...
T-Mobile discovered a breach in which threat actors gained access to account information and may have used that information to port lines to a different mobile carrier without the user’s authorization in SIM-swapping attacks . Information may include full name, address, email address, account number, Social Security number, customer ...
Pixlr , a popular photo editing application owned by Inmagine, suffered a data breach affecting upwards of 1.9 million users. The stolen database was advertised for free on a hacking forum by threat actor ShinyHunters , who claims to have stolen the data from the company’s AWS bucket during ...
Ubiquiti, a major vendor of cloud-enabled IoT devices, discovered a breach involving one of its IT systems hosted by a third-party cloud provider. The incident may have exposed user data, including name, email address, one-way encrypted password, address, and phone number. An email was sent to customers to inform ...
The streaming service Spotify inadvertently exposed user data to business partners as a result of a vulnerability in its system. This vulnerability existed as of April 9, 2020, was discovered on November 12, 2020, and fixed immediately. Though the data was not publicly accessible, affected data may include information ...
A hacked database belonging to Fax Express, an office equipment supply store based in Ocean County, NJ was exposed , revealing approximately 560,000 compromised usernames and dehashed passwords. The breached database is connected to the domain shredderstoo[.]com and is assessed to be owned by Fax Express. The leaked data ...
Cybersecurity firm FireEye disclosed this week that they were the victim of a sophisticated cyberattack, which they are investigating with the Federal Bureau of Investigation and partners, including Microsoft. The threat actor targeted and accessed red team tools used by FireEye to test their customers’ security. As a result, ...
Luxottica, the world’s largest eyewear company – which also operates the EyeMed vision benefits company and partners with eye care professionals such as LensCrafters, Target Optical, and other eye care practices – disclosed a data breach affecting 829,454 patients in their appointment scheduling application. The exposed data includes personally ...
Summary Prestige Software’s Cloud Hospitality exposed 24.4 GB worth of data due to a misconfigured Amazon Web Service (AWS) S3 bucket. Cloud Hospitality is a widely-used software solution that integrates reservations systems with online booking websites such as Booking.com, Expedia.com, and Hotels.com. Exposed data includes guests’ full names, email addresses, ...
Barnes and Noble suffered a cyber-attack that may have allowed threat actors to access its customers' personal information. Barnes and Noble took its systems offline during remediation. The company has begun notifying impacted customers.
Shopify, the Canadian multi-national e-commerce company with locations in New York and San Francisco, reported a security breach caused by two rogue employees who accessed and attempted to obtain transaction details from Shopify shop merchants. The transaction data obtained may include basic contact information (name, address, email address) and ...
The network of software technology company Tyler Technologies was accessed by an unauthorized third party. The company, a provider of emergency management programs and whose platforms are used by US state and local election officials to display voting results, sent an email to its clients informing them of the ...
The US Department of Veterans Affairs (VA) disclosed a data breach affecting approximately 46,000 veterans. The breach appears to be the result of a successful social engineering attempt in which an unauthorized third-party exploited authentication protocols and accessed a Financial Services Center (FSC) application. VA payments intended for healthcare ...
The office retail giant, Staples, notified affected customers of a data breach related to their orders. The data accessed by an unauthorized party includes customers’ name, address, email, phone number, last four digits of payment cards used, and information about the cost, delivery, and products ordered. Account credentials and ...
Razer, the gaming hardware manufacturer, exposed data of approximately 100,000 customers who made purchases from their online store. The exposed data includes name, email address, phone number, order numbers, order details, and billing and shipping addresses. No other sensitive data was exposed, such as credit card numbers or passwords. ...
User data from over 70 dating and e-commerce websites totaling 320 million records was leaked via an unsecured Elasticsearch database. The information in the leak includes full name, age and date of birth, gender, email address, location, IP address, profile pictures, and bio description. The data breach impacts users ...
Artech, one of the largest IT staffing firms, disclosed a data breach after suffering a ransomware attack. The breach purportedly occurred in early January 2020, after the company’s network was infected with the ransomware variant Sodinokibi , or REvil, a ransomware-as-a-service (RaaS) operation known to exfiltrate sensitive data prior ...
Digital Point, one of the largest webmaster marketplaces, exposed over 62 million records of roughly 850,000 users due to an unsecure ElasticSearch database. Revealed data includes usernames, internal user identification numbers, internal records, and user posts. The exposure of this data may allow threat actors to conduct future attacks ...
Social Data, a social media marketing and advertising company known for selling scraped data and based in Hong Kong, recently exposed roughly 235 million users via an unsecured database. Breached data includes names, profile names and photos, contact information, and followers’ statistics, and affects 42 million TikTok users, 192 million ...
On August 6, 2020, the SANS Institute – an organization that offers information security training, certification, and research – discovered a suspicious forwarding rule during a review of email configuration and rules. SANS identified a single phishing email impacting a single employee's email account. The forwarded emails, sent to ...
According to ZDNet , 20GB of internal documents from technology company Intel was released online by an anonymous cyber threat actor. While it does not appear that customer or employee data has been revealed, the data does include intellectual property such as designs, technical specs, product guides, and manuals. ...
An extraordinary number of breaches have been disclosed this week. At least eighteen of these breaches were exposed after companies’ databases were leaked and offered for free on a hacker forum by a threat actor known as ShinyHunters. So far, 386 million user records have been exposed in this ...
A large data leak was discovered exposing virtual private network (VPN) logs of approximately 20 million users worldwide. Affected VPN services include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, largely available through Google Play Store and Apple App Store. All seven ...
As the NJCCIC previously reported , MGM Resorts suffered a data breach in 2019 that was publicly disclosed in February 2020. At the time, it was believed that approximately 10.6 million guests had their personal information exposed. However, a hacker is selling the personal details of nearly 142.5 million ...
An unsecured AWS S3 bucket belonging to an online fitness company, V Shred, was discovered by vpnMentor researchers. The publicly accessible bucket contained approximately 1.3 million individual files, including three CSV files that stored various forms of personally identifiable information (PII), as well as sensitive photos from as recently ...
Researchers at vpnMentor discovered an unsecured Elasticsearch database belonging to OneClass exposing 27 GB of user data. OneClass is an online learning platform used by colleges nationwide in which instructors can post study guides, and provide learning materials and tutoring to students as young as age thirteen. Exposed data ...
On June 19, 2020, the Twitter account of a group known as “DDoSecrets” posted a tweet with the hashtag #blueleaks and a link to a website containing 269 GB of compromised data that includes sensitive internal information from approximately 200 fusion centers, law enforcement agencies, and government agencies throughout ...
Oracle’s BlueKai, a cloud-based web tracking data platform used by marketers to target consumers, suffered an extensive data breach exposing billions of user records. The breach occurred due to an unsecured server that was not password-protected. BlueKai uses various tracking technology such as website cookies to track a user’s ...
Researchers discovered an exposed database containing 845 gigabytes of photos, chats, and other sensitive information from users of various dating apps. The sensitive nature of the data could allow a threat actor to utilize personally identifiable information, also included in the database, to extort or otherwise harass users. It ...
An unsecured Amazon S3 data bucket belonging to the student loan relief group, Student Advocates Group, has exposed over 55,000 Social Security numbers and other forms of identifying information. The group was previously identified and charged by the Federal Trade Commission (FTC) as a debt relief scheme , which ...
Personal and account information for some of Amtrak’s Guest Rewards members was accessed by an unauthorized party, including usernames and passwords. Amtrak has reset user passwords and offered a free one-year membership for Experian IdentityWorks identity theft protection. Impacted users are advised to also change passwords for any other ...
Mathway, an educational tool used to assist students in understanding and solving math problems, has reported a breach affecting roughly 25 million users. Breached information includes email addresses and hashed passwords – many of which may belong to school-age children. The hacking group known as ShinyHunters claims that the ...
EasyJet disclosed that the personal information – including email addresses and travel details – of nine million customers and credit card details of 2,208 customers were accessed in a cyber-attack early this year. Customers whose credit card details were revealed have been notified and all other customers will be ...
GoDaddy identified that a security incident occurred on October 19, 2019, affecting approximately 28,000 customers. The breach was discovered on April 23, 2020 after the security team was alerted to suspicious activity in which an altered Secure Socket Shell (SSH) file was discovered in GoDaddy’s hosting environment. The unauthorized ...
Nintendo is restricting logins and resetting passwords for up to 160,000 Nintendo Network ID (NNID) accounts that may have been accessed by unauthorized third parties. Potentially exposed information may have included name, date of birth, gender, country/region, and email address. Users are advised to establish strong passwords and refrain ...
The Small Business Association (SBA) disclosed that approximately 8,000 business owners who applied for an Economic Injury Disaster Loan (EIDL) may have had their information exposed, including various forms of personally identifiable information such as Social Security numbers, addresses, dates of birth, and financial data. An error in the ...
Information from a database of the NJ-based Find a Doctor website was stolen on April 11, 2020 and is being sold on a hacker forum. The website provides an online service to search for healthcare professionals, book appointments, and consult with doctors online. The stolen data does not include ...
Researchers at vpnMentor discovered misconfigured Amazon Web Services (AWS) S3 buckets owned by Key Ring that publicly exposed over 44 million various images to include forms of identification, credit and debit cards, and membership cards. Key Ring , a popular digital wallet, was designed to store scanned images of ...
Summary General Electric (GE), a global Fortune 500 company, has acknowledged a breach affecting present and former employees and their beneficiaries. Between February 3-14, 2020, an unauthorized user gained access to the email account of Canon Business Process Services, which GE contracts with to process employee documents. Exposed sensitive documents ...
Summary US radio giant Entercom, owner of the Radio.com platform, reported a data breach occurring in August 2019 when an unauthorized party accessed database backup files containing Radio.com user credentials and personal information stored in third-party cloud hosting services. Since the breach, Entercom implemented password rotations, multi-factor authentication for cloud ...
Summary RailWorks Corporation, a North American track and transit system, fell victim to a ransomware attack and data breach . The company has 45 offices, including one in Sewell, New Jersey, and approximately 3,500 employees. Exposed information includes various forms of personally identifiable information (PII) – names, addresses, driver’s license ...
Summary A vulnerability that was present in the Walgreens mobile app exposed personal details of some users including names, prescription details, store number, and shipping addresses. In a breach notification letter , the company stated that the bug was present in the app between January 9 – January 15 and ...
Summary T-Mobile disclosed a data breach impacting its employees and customers. Threat actors gained access to certain T-Mobile employee emails accounts, which contained account information for T-Mobile customers and employees. The information exposed may include names and addresses, phone numbers, account numbers, rate plans and features, and billing information. For ...
Summary The Defense Information Systems Agency (DISA), an agency of the Department of Defense (DOD), acknowledged that a network they host suffered a data breach between May and July 2019. DISA oversees communications and information technology (IT) support for US military services, the Secretary of Defense, the Vice President, and ...
Summary A security researcher found an exposed database belonging to New York-based cosmetic company Estée Lauder. The unprotected data included an estimated 440 million records comprised of IP and email addresses, audit logs, ports, pathways, storage info, reports and internal documents, as well as CMS (content management system) and middleware ...
Summary Security researchers from Palo Alto Networks discovered some organizations—including research institutes, retailers, news media organizations, and technology companies—have improperly configured Docker registries. They found 117 unsecured Docker registries accessible over the public web that permitted image downloads, authorized uploads, and image deletions. The misconfiguration and permitted commands can allow ...
Summary Google has acknowledged that a breach occurred between November 21-25, 2019 involving users who have both Google Photos and Google Takeout accounts. When users downloaded their data using Google Takeout, the flaw caused users’ photos and videos to be inadvertently exported to other Google Photos data archives when transferred. ...
Summary Just one week before Super Bowl LIV, multiple social media accounts of the National Football League (NFL) and approximately 15 NFL teams were compromised . Hacked accounts included the New York Giants and the Philadelphia Eagles, as well as Superbowl competitors, the Kansas City Chiefs and San Francisco 49ers. ...
Summary Microsoft disclosed a security breach affecting five Elasticsearch servers that stored an internal customer support database. The servers contained approximately 250 million entries; however, some personally identifiable information (PII) had been redacted. Exposed data included: customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support ...
Summary Front Rush, a technology company providing recruiting software for over 850 US colleges and approximately 9,500 teams, confirmed that they suffered a data breach exposing roughly 700,000 student athletes’ files. Compromised data includes personal addresses, dates of birth, driver’s licenses, physical evaluations, performance reports, financial aid agreements, and SAT ...
Summary A public-facing database containing personal details of approximately 56 million US residents was discovered on a server with a Chinese IP address and linked to the web-hosting company Alibaba, located in Hangzhou, China. The NoSQL database included metadata that associates the archive to CheckPeople[.]com, a people search directory that, ...
Summary A security researcher identified an unsecured Amazon S3 bucket while using Vistaprint’s logomaker service. Approximately 638,000 files containing both default and user-created logos were displayed, exposing some personalized information. While the database was secured within a few hours of notification and is not a great risk to personal data, ...
Point-of-sale (POS) malware was found on Wawa’s payment processing systems on December 10, 2019 and is believed to have first been installed on March 4, 2019...
Security Discovery researcher Bob Diachenko discovered an open and unprotected Elasticsearch cluster on December 11, 2019 containing personally identifiable information (PII) of Honda customers...
A phishing campaign has been observed targeting Netflix customers in an attempt to obtain user credentials and payment information...
Researchers discovered an unsecured Elasticsearch server containing 1.2 billion unique records...
Researchers at Greenbone Networks discovered a data breach of Picture Archiving and Communication Systems (PACS) servers used globally by healthcare providers to store images of medical scans...
Cyber-criminals conducting ransomware attacks frequently threaten victims with releasing stolen data if the ransom is not paid; in most cases, these threats are not credible...
The Disney+ video streaming service, launched on November 12, 2019, has suffered a data breach affecting thousands of accounts...
The largest US independent supplier of insulin pumps and Continuous Glucose Monitors (CGMs), Solara Medical Supplies, disclosed a data breach involving a number of employees’ Office 365 accounts between April 2, 2019 and June 20, 2019, after several phishing attacks...
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.