Bell Canada's 2017 breach dataset indexed by leaksear.ch has a breach date of May 15, 2017 and contains 3,386,387 records from an internal WEB_USERS table, including searchable email addresses, names, usernames, phone numbers, IP addresses, passwords and hashed passwords (leaksear.ch metadata). Bell publicly announced illegal access to customer information on May 15, 2017, saying the accessed customer data included approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers (www.newswire.ca).
What happened
Bell described the incident as illegal access by an anonymous hacker and said it had taken steps to secure affected systems, was working with the RCMP cyber crime unit and had informed the Office of the Privacy Commissioner (www.newswire.ca). The company also said at the time that it had no indication that financial information, passwords or other sensitive personal information had been accessed and that the incident was not connected to WannaCry (www.newswire.ca).
Have I Been Pwned records the leaked material as over 2 million unique email addresses, 153,000 survey results from 2011 and 2012, and 162 Bell employee records with names, phone numbers and plaintext passcodes (haveibeenpwned.com). The Hacker News reported that a Pastebin post claimed a significant portion of Bell.ca data had been released and threatened more, while noting that the attacker identity and the meaning of the demanded cooperation were unconfirmed (thehackernews.com).
The public sources reviewed do not confirm the intrusion path. The leaksear.ch metadata identifies the indexed source as an internal WEB_USERS table, not the exploit or access method (leaksear.ch metadata).
What data was exposed
Based on the leaksear.ch indexing metadata, the queryable pivots are email, hashedPassword, ipAddress, name, password, phone and username. Stored context fields include agent names, Bell employee numbers, manager employee numbers, job positions and titles, business unit, company, city, language, active status, outsourcer status, LDAP company code, call dates, survey dates, survey IDs, service-resolution answers, ISP-retention answers and free-text survey comments (leaksear.ch metadata).
In plain terms, the dataset can include contact data, account identifiers, technical identifiers, authentication-related fields, workforce context and customer survey responses. HIBP's public breach entry separately lists compromised data categories including email addresses, IP addresses, names, phone numbers, usernames, passwords, job titles, spoken languages, geographic locations and survey results (haveibeenpwned.com).
Why this matters
For individuals, the most immediate risk is targeted Bell-themed phishing or phone impersonation because email, name, phone and survey context can make messages sound legitimate. For current or former employees, agents and outsourcers, the presence of workforce identifiers, job data and passcodes creates additional account-recovery and internal impersonation risk. Security teams should treat any exposed password or passcode as reusable until proven otherwise and rotate it wherever it may have been reused. To check whether data linked to you appears in this leak, use the exposure lookup below with your email address, phone number, name, username or IP address.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, ip address, name, password, phone, and username.