# leaksear.ch > Reviewed-access breach research platform for vetted security researchers. ## Site Indexes - [Concise LLM Index](https://leaksear.ch/llms.txt) - [XML Sitemap](https://leaksear.ch/sitemap.xml) - [Blog RSS Feed](https://leaksear.ch/blog/feed.xml) - [Partnerships](https://leaksear.ch/partnerships) --- ## Deep Well Services Leak Exposes 6,223 Salesforce CRM Records Deep Well Services (DWS), a Pennsylvania-rooted oilfield services company whose site describes hydraulic completion and workover services, training, and real-time data analytics, has a newly indexed leak tied to a ShinyHunters-attributed June 16, 2026 breach ([deepwellservices.com](https://deepwellservices.com/), [breachsense.com](https://www.breachsense.com/breaches/deep-well-services-data-breach/)). leaksear.ch indexed 6,223 Salesforce-derived records from the dataset, including contact, account, case, opportunity, and user data (leaksear.ch metadata). ## What happened Public breach listings provide limited but consistent context that Deep Well Services was listed as a breach victim in June 2026. Breachsense lists the victim as deepwellservices.com, names ShinyHunters as the threat actor, and gives June 16, 2026 as the date discovered ([breachsense.com](https://www.breachsense.com/breaches/deep-well-services-data-breach/)). DataBreach lists a Deep Well Services breach page dated June 15, 2026, added June 23, 2026, with 13,297 rows and categories including email, phone number, name, and vehicle plate ([databreach.com](https://databreach.com/breach/deep-well-services-2026)). The public row counts differ by source, while leaksear.ch indexed 6,223 records from the dataset; those figures should be treated as listing or indexing counts, not a confirmed number of unique affected people (leaksear.ch metadata). The public sources cited here do not confirm Deep Well Services' initial access vector or a company-issued breach notice. Because the indexed records are Salesforce-derived, the wider Salesforce threat context is relevant but not proof of the DWS intrusion method. Salesforce warned in March 2026 that malicious actors were exploiting overly permissive Experience Cloud guest user configurations to access data, and FINRA separately warned firms that ShinyHunters had been actively exploiting misconfigured Salesforce Experience Cloud instances ([salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/), [finra.org](https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-salesforce-experience-cloud-security-incident)). ## What data was exposed leaksear.ch indexed searchable fields including names, email addresses, phone numbers, physical addresses, countries, IP addresses, and usernames (leaksear.ch metadata). The dataset also contains CRM and business context that is not directly searchable on leaksear.ch, including account names, company names, job titles and departments, Salesforce contact and user IDs, user profiles, active status, last-login and password-expiration dates, case numbers, case subjects, case statuses, case reasons, case types, case opened dates, owner names, lead sources, opportunity IDs, opportunity names, opportunity stages, opportunity types, opportunity owner titles and departments, source files, source tables, source row numbers, and audit metadata (leaksear.ch metadata). ## Why this matters CRM leaks can make phishing and vishing more credible because attackers can reference real names, phone numbers, accounts, support cases, job roles, and business relationships. Salesforce warned that harvested names and phone numbers from similar activity are often used for targeted social engineering and voice phishing ([salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/)). For affected individuals and organizations, the practical risk is impersonation of employees, vendors, customers, or support staff, especially where oilfield services operations depend on phone and email coordination. Anyone who has interacted with Deep Well Services should verify unusual payment, procurement, support, or credential requests through a trusted channel, and check leaksear.ch to see whether their email, phone number, name, username, address, country, or IP address appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, phone, and username. ## Sources - [Deep Well Services: Home](https://deepwellservices.com/) - [Breachsense: Deep Well Services Data Breach in 2026](https://www.breachsense.com/breaches/deep-well-services-data-breach/) - [DataBreach: Deep Well Services Breach](https://databreach.com/breach/deep-well-services-2026) - [Salesforce: Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/) - [FINRA: Cybersecurity Alert - Salesforce Experience Cloud Security Incident](https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-salesforce-experience-cloud-security-incident) --- ## Huntress Leak Exposes 191K CRM and Salesforce Records leaksear.ch has indexed 191,065 Huntress CRM and Salesforce records, with the leak metadata listing a June 16, 2026 breach date and business contact, pricing, subscription, and sales communications data (leaksear.ch metadata). Public statements from Huntress and Klue tie the exposure to a compromise of Klue integrations in which attackers obtained OAuth tokens and accessed connected customer environments ([www.huntress.com](https://www.huntress.com/blog/klue-breach-investigation), [klue.com](https://klue.com/blog/an-update-on-recent-klue-security-incident)). ## What happened Klue said it identified unauthorized activity on June 12, 2026 affecting part of its integration infrastructure, and that its investigation found an attacker used a compromised legacy credential associated with an integration service to obtain OAuth tokens for third-party platforms, including Salesforce. Klue said the attacker then accessed data in a number of connected customer environments, while its investigation found no evidence that customer content stored inside the Klue platform itself was impacted ([klue.com](https://klue.com/blog/an-update-on-recent-klue-security-incident)). A July 1 Klue summary of CrowdStrike's investigation added that a previously compromised GitHub personal access token was used on June 11 to introduce unauthorized code into Klue's integration service and collect third-party integration credentials, including Salesforce OAuth access and refresh tokens. Klue said CrowdStrike found no evidence of threat actor activity in the Klue environment after June 12 ([klue.com](https://klue.com/blog/crowdstrike-investigation-summary-and-security-improvements)). Huntress reported that its copied data came from Salesforce and included business contacts, price quotes, and other sales-related data and messaging. Huntress also said Icarus listed data for Huntress and several other Klue-impacted companies on June 22, while Dark Reading and Help Net Security reported that Salesforce disabled the Klue Battlecards app connection after detecting unusual activity involving the app, not a Salesforce platform vulnerability ([www.huntress.com](https://www.huntress.com/blog/klue-breach-investigation), [www.darkreading.com](https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise), [www.helpnetsecurity.com](https://www.helpnetsecurity.com/2026/06/19/klue-salesforce-data-breach-huntress/)). ## What data was exposed According to leaksear.ch indexing metadata, the searchable pivots for this leak are address, country, email, name, phone, and username (leaksear.ch metadata). The records also contain CRM context such as company, contact and lead identifiers, Salesforce IDs, lead source, job title, campaign and status fields, opt-out and do-not-call flags, and created or modified dates (leaksear.ch metadata). Huntress described the exposed files as Salesforce data limited to business contact information, business names, products trialed or used, subscription details including units and pricing, sales-related communications, and opportunity notes. Huntress said that, based on current evidence, its products and infrastructure, telemetry, passwords, and payment card data were not impacted ([www.huntress.com](https://www.huntress.com/blog/klue-breach-investigation), [support.huntress.io](https://support.huntress.io/hc/en-us/articles/52699517132435-2026-June-Klue-Security-Incident)). ## Why this matters CRM and Salesforce data can be valuable for targeted phishing because it can reference real companies, products, quotes, subscriptions, job roles, and prior business conversations. Security teams should treat messages that reference Huntress trials, pricing, sales discussions, or support context as higher risk and verify them through known channels. Individuals and organizations that may have interacted with Huntress should check whether their address, country, email, name, phone number, or username appears in this leak before responding to suspicious outreach. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username. ## Sources - [Huntress: Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress](https://www.huntress.com/blog/klue-breach-investigation) - [Huntress Support: 2026 - June Klue Security Incident](https://support.huntress.io/hc/en-us/articles/52699517132435-2026-June-Klue-Security-Incident) - [Klue: An Update on the Recent Klue Security Incident](https://klue.com/blog/an-update-on-recent-klue-security-incident) - [Klue: CrowdStrike Investigation Summary and Security Improvements](https://klue.com/blog/crowdstrike-investigation-summary-and-security-improvements) - [Dark Reading: Salesforce Data Thefts Continue via Klue App Compromise](https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise) - [Help Net Security: Klue breach lead to Salesforce data theft, Huntress affected](https://www.helpnetsecurity.com/2026/06/19/klue-salesforce-data-breach-huntress/) --- ## Council of Europe Leak Exposes 2,093 HR and Payroll Records A Council of Europe breach dataset indexed by leaksear.ch contains 2,093 records tied to ShinyHunters' June 14, 2026 claim of stolen HR, payroll, and personnel files (leaksear.ch metadata). The Council of Europe is the continent's leading human-rights organization, spanning 46 member states, and public reporting said the organization was investigating ShinyHunters' broader breach claim while it had not confirmed the incident ([www.coe.int](https://www.coe.int/en/web/portal/the-council-of-europe-key-facts), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/)). ## What happened On June 15, 2026, SecurityWeek and BleepingComputer reported that ShinyHunters had posted the Council of Europe to a Tor-based leak site and claimed to have stolen more than 297 GB of data and more than 429,000 files from multiple departments ([www.securityweek.com](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/)). The group claimed the material included HR, payroll, personnel, CV, contract, absence, illness, bank-account, tax, Social Security, and medical information, and threatened publication if the Council did not contact it by June 16, 2026 ([www.securityweek.com](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/)). The Council of Europe told both outlets it was investigating and assessing the matter and had no further comment at that stage ([www.securityweek.com](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/)). Based on the public record reviewed here, the confirmed facts are the extortion claim, the Council's investigation statement, and leaksear.ch's indexing of 2,093 records from a dataset connected to that claim, not a full organizational confirmation of ShinyHunters' figures or intrusion method (leaksear.ch metadata). ## What data was exposed The leaksear.ch indexed dataset contains 2,093 records with identity and contact fields, including names, email addresses, phone numbers, physical addresses, countries, dates of birth, and usernames (leaksear.ch metadata). The same indexing metadata also identifies employee IDs, department details, source file/sheet context, and payroll/account context stored with records, but those fields are not all searchable pivots on the platform (leaksear.ch metadata). Public reporting on ShinyHunters' larger allegation described payslips, personnel files, CVs, salary data, bank details, tax and Social Security information, and medical records, but those broader categories should be read as attacker-attributed claims unless separately confirmed ([www.securityweek.com](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/), [cybernews.com](https://cybernews.com/security/council-of-europe-data-breach-claim/)). ## Why this matters Because the indexed records combine personal identifiers, contact details, and workplace/payroll context, affected individuals could face targeted phishing, HR impersonation, account-recovery attempts, doxxing, and payroll or identity-fraud attempts (leaksear.ch metadata). Security teams should watch for messages that reference Council of Europe employment, payroll, benefits, travel, or personnel details, especially requests to update bank details, share documents, or re-authenticate accounts. If you are a current or former Council of Europe staff member, or anyone who may have had HR or personnel records with the organization, check whether your name, email, phone number, address, date of birth, username, or country appears in this leak (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Council of Europe: The Council of Europe: key facts](https://www.coe.int/en/web/portal/the-council-of-europe-key-facts) - [BleepingComputer: Council of Europe investigates ShinyHunters data breach claims](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/) - [SecurityWeek: ShinyHunters Claims Council of Europe Hack](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/) - [Cybernews: Hackers claim massive Council of Europe breach: troves of personal data exposed](https://cybernews.com/security/council-of-europe-data-breach-claim/) --- ## Hitachi Vantara Leak Exposes 2.3M Salesforce CRM Records On July 4, 2026, leaksear.ch indexed a Hitachi Vantara Salesforce CRM export containing 2,325,391 records tied to contact, lead, user, case and account-contact data (leaksear.ch metadata). The dataset is associated in the metadata with Hitachi Data Systems / Hitachi Vantara and the wider 2025 Salesforce customer data-theft and extortion wave, but no breach date is listed for this specific export (leaksear.ch metadata). ## What happened leaksear.ch metadata identifies the material as a Salesforce CRM export, not as a direct confirmation by Hitachi Vantara. Public sources reviewed for this article document a broader 2025 pattern in which Salesforce customer data was taken through social engineering and third-party integration abuse, while Salesforce said there was no indication its platform itself was compromised or that the activity was tied to a known Salesforce vulnerability ([status.salesforce.com](https://status.salesforce.com/generalmessages/20000224), [cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion)). Google Threat Intelligence Group said UNC6040 used vishing to persuade employees to authorize malicious connected apps, enabling access to Salesforce customer environments and subsequent extortion. Google Cloud separately said UNC6395 targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party app between August 8 and August 18, 2025; the FBI also warned on September 12, 2025 that UNC6040 and UNC6395 were compromising Salesforce instances for data theft and extortion ([cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion), [cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift), [www.fbi.gov](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf)). BleepingComputer and TechCrunch reported that Scattered Lapsus$ Hunters launched a data-leak site in October 2025 to pressure Salesforce customers, with claims around roughly 1 billion records; SecurityWeek later reported that only six claimed victims had data leaked in that episode ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/), [techcrunch.com](https://techcrunch.com/2025/10/03/hacking-group-claims-theft-of-1-billion-records-from-salesforce-customer-databases/), [www.securityweek.com](https://www.securityweek.com/extortion-group-leaks-millions-of-records-from-salesforce-hacks/)). Hitachi Vantara also published a separate cybersecurity update saying it experienced a ransomware incident on April 26, 2025, identified suspicious activity that day, and had detected no threat-actor activity since April 27. That public update does not connect the ransomware incident to this Salesforce CRM export, so the exact intrusion path and breach date for the Hitachi Vantara dataset remain unconfirmed (leaksear.ch metadata, [www.hitachivantara.com](https://www.hitachivantara.com/en-us/blog/systems-update)). ## What data was exposed The leaksear.ch index describes 2,325,391 records with contact, lead, user, case and account-contact details (leaksear.ch metadata). Searchable fields in the index include addresses, countries, email addresses, names, phone numbers and usernames; stored context also includes account and contact IDs, case numbers, city/state/postal data, company, country code, department, job function, job title, role, lead source and lead score, Marketo external IDs, website, Salesforce object URLs, source object, record type IDs, status values and CRM timestamps (leaksear.ch metadata). Other stored fields indicate call and email preference or deliverability metadata, including do-not-call, email opt-out, email bounce reason and email bounced status (leaksear.ch metadata). The supplied metadata does not list passwords, payment-card numbers, bank account numbers or government ID numbers, so those data types are not claimed here. ## Why this matters This is business-contact and CRM workflow data, which can make phishing more believable even when no passwords are present (leaksear.ch metadata). A name, employer, title, case number, phone number, address and email address can help attackers impersonate vendors, support teams or sales contacts. Security teams should treat exposed Salesforce metadata and case/account references as potential context for targeted social engineering, and individuals should verify unexpected outreach through known channels. Readers who want to check whether their data appears in this Hitachi Vantara leak should use the leaksear.ch exposure check for this dataset. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username. ## Sources - [Salesforce: Trust Status ID 20000224](https://status.salesforce.com/generalmessages/20000224) - [Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion) - [Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift) - [FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf) - [BleepingComputer: ShinyHunters launches Salesforce data leak site to extort 39 victims](https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/) - [TechCrunch: Hacking group claims theft of 1 billion records from Salesforce customer databases](https://techcrunch.com/2025/10/03/hacking-group-claims-theft-of-1-billion-records-from-salesforce-customer-databases/) - [SecurityWeek: Extortion Group Leaks Millions of Records From Salesforce Hacks](https://www.securityweek.com/extortion-group-leaks-millions-of-records-from-salesforce-hacks/) - [Hitachi Vantara: Cybersecurity Incident Update](https://www.hitachivantara.com/en-us/blog/systems-update) --- ## Cbassociations Leak Exposes 2.36M Salesforce Records leaksear.ch has indexed 2,360,633 Salesforce-derived records tied to Cbassociations, a victim name linked to Icarus ransomware and extortion claims reported on June 22, 2026 (leaksear.ch metadata, [www.dexpose.io](https://www.dexpose.io/icarus-targets-cbassociations-in-ransomware-attack/)). The records include names, addresses, countries, IP addresses and usernames as queryable fields, with additional Salesforce-style record metadata stored alongside them (leaksear.ch metadata). ## What happened Public reporting on Cbassociations is limited. DeXpose reported that Icarus publicly claimed an attack targeting Cbassociations on June 22, 2026, and described the threat actor statement as referring to Salesforce data, while also listing the target domain and country as unavailable ([www.dexpose.io](https://www.dexpose.io/icarus-targets-cbassociations-in-ransomware-attack/)). ZeroFox separately lists Cbassociations among alleged ICARUS targets, but describes the entity as unidentified and its sector as unknown ([www.zerofox.com](https://www.zerofox.com/intelligence/zerofox-intelligence-profile-icarus/)). The Cbassociations dataset should be treated as tied to Icarus claims and Salesforce-derived data, not as a fully confirmed public breach notice from the affected organization. No public source reviewed for this article confirms Cbassociations' country, domain, exact intrusion path, or whether the dataset was obtained through the Klue incident. The broader Icarus context matters because the group has been publicly connected to Salesforce-focused extortion activity. Klue disclosed that an attacker used a compromised legacy integration credential to obtain OAuth tokens for third-party platforms, including Salesforce, and then accessed data in connected customer environments ([klue.com](https://klue.com/blog/an-update-on-recent-klue-security-incident/)). Huntress, one affected Klue customer, said Icarus listed stolen data from Klue-related victims on June 22 and warned that sales-specific data could support phishing campaigns ([www.huntress.com](https://www.huntress.com/blog/klue-breach-investigation)). ## What data was exposed The leaksear.ch index covers 2,360,633 Cbassociations records (leaksear.ch metadata). Searchable fields are address, country, IP address, name and username (leaksear.ch metadata). Additional stored fields include account ID, record ID, related ID, created date, last modified date, event time, role, source object, status, title and a details JSON field (leaksear.ch metadata). These supporting fields provide CRM-style context, but they are not listed as direct search pivots on leaksear.ch (leaksear.ch metadata). The supplied indexing metadata does not list passwords, payment card numbers, government identifiers or password hashes for this dataset (leaksear.ch metadata). Based on the available public reporting, the safest description is exposure of Salesforce-derived identifiers, contact context and record metadata tied to Cbassociations. ## Why this matters Names, addresses, usernames and IP addresses can help attackers correlate people, accounts and organizations across other breach data. CRM-style fields such as role, status, title and source object may also make phishing or impersonation attempts more credible if attackers use them to reference business relationships or account context. For security teams, the practical risk is follow-on social engineering, vendor impersonation and targeted outreach to employees, partners or customers. Organizations connected to Cbassociations should review whether any exposed identifiers match their users or business contacts, and individuals who may have interacted with Cbassociations should check whether their name, address, country, IP address or username appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, ip address, name, and username. ## Sources - [DeXpose: Icarus Targets Cbassociations in Ransomware Attack](https://www.dexpose.io/icarus-targets-cbassociations-in-ransomware-attack/) - [ZeroFox: ZeroFox Intelligence Profile - ICARUS](https://www.zerofox.com/intelligence/zerofox-intelligence-profile-icarus/) - [Klue: An Update on the Recent Klue Security Incident](https://klue.com/blog/an-update-on-recent-klue-security-incident/) - [Huntress: Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress](https://www.huntress.com/blog/klue-breach-investigation) --- ## Gms-net Leak Exposes 31K Salesforce CRM Records leaksear.ch has indexed a Gms-net dataset containing 31,249 Salesforce CRM records, with names, emails, phones, addresses, countries, and usernames exposed from a June 22, 2026 breach (leaksear.ch metadata). GMS is a Baar, Switzerland-based communications solutions partner for enterprises and mobile network operators, and public reporting ties the alleged Salesforce data theft to the ICARUS extortion group ([gms.net](https://gms.net/news/gms-in-the-2026-gartner-magic-quadrant-for-communications-platform-as-a-service), [dexpose.io](https://www.dexpose.io/icarus-ransomware-strikes-swiss-firm-gms-net/), [securityweek.com](https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/)). ## What happened DeXpose reported that ICARUS announced a cyberattack on Gms-net on June 22, 2026 and claimed to have exfiltrated Salesforce data from the Swiss firm ([dexpose.io](https://www.dexpose.io/icarus-ransomware-strikes-swiss-firm-gms-net/)). SecurityWeek later reported that ICARUS listed Gms-net on its Tor-based leak site among organizations whose Salesforce data had allegedly been stolen ([securityweek.com](https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/)). The specific intrusion path for Gms-net is not confirmed in the cited public reporting. The broader June 2026 ICARUS activity included attacks against SaaS and CRM environments, and ZeroFox describes ICARUS as using a multitiered extortion model involving supply chain compromise, data exfiltration, and public disclosure threats ([zerofox.com](https://www.zerofox.com/intelligence/zerofox-intelligence-profile-icarus/)). Public reporting on the same ICARUS campaign described abuse of Klue OAuth tokens to access connected Salesforce environments at multiple organizations, but the available sources do not confirm that Gms-net was compromised through Klue or any specific third-party integration ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/), [securitylabs.datadoghq.com](https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain-attack-in-salesforce/)). ## What data was exposed The leaksear.ch indexing metadata lists the directly searchable fields as address, country, email, name, phone, and username (leaksear.ch metadata). Other stored CRM-related fields include account IDs, company, title, website, industry, lead source, email subscription consent, email opt-out and bounce indicators, owner ID, record type, Salesforce IDs, source email fields, source objects, created and last-modified dates, federation identifier, ZoomInfo company ID, and ZoomInfo ID (leaksear.ch metadata). ## Why this matters CRM data can make phishing and social-engineering attempts more convincing because it links contact information with workplace context such as company, title, industry, lead source, and account identifiers (leaksear.ch metadata). The metadata does not support claims about passwords, payment cards, national IDs, or other financial identifiers, so those should not be assumed here. Security teams should treat the exposure as useful for targeted email, phone, and vendor-impersonation activity, especially where exposed contacts had sales or business relationships with GMS. If you may have interacted with GMS, check leaksear.ch using the searchable pivots for this leak: email, name, phone, username, address, or country (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username. ## Sources - [GMS: GMS Positioned in the 2026 Gartner Magic Quadrant for Communications Platform as a Service](https://gms.net/news/gms-in-the-2026-gartner-magic-quadrant-for-communications-platform-as-a-service) - [DeXpose: Icarus Ransomware Strikes Swiss Firm Gms-net](https://www.dexpose.io/icarus-ransomware-strikes-swiss-firm-gms-net/) - [SecurityWeek: BeyondTrust, LastPass Impacted by Klue-Salesforce Incident](https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/) - [ZeroFox: ZeroFox Intelligence Profile - ICARUS](https://www.zerofox.com/intelligence/zerofox-intelligence-profile-icarus/) - [BleepingComputer: Klue OAuth Breach Victim List Grows as Icarus Hackers Claim Attack](https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/) - [Datadog Security Labs: Detecting the Klue Supply Chain Attack in Salesforce Instances](https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain-attack-in-salesforce/) --- ## American Tower Leak Exposes 212,642 Names and Emails American Tower, which describes itself as a global REIT and a leading owner, operator and developer of multitenant communications real estate, is tied to a June 2026 leak indexed by leaksear.ch at 212,642 records, roughly 213,000 rows ([americantower.gcs-web.com](https://americantower.gcs-web.com/static-files/66b0603a-d360-436a-93ec-1e9b3d369a83), leaksear.ch metadata). The breach date is listed as June 12, 2026, and the indexed data includes names, email addresses, phone numbers, physical addresses, and job titles, while leaksear.ch also indexes usernames and IP addresses as searchable pivots (leaksear.ch metadata, [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/AmericanTower)). ## What happened Have I Been Pwned reports that American Tower was targeted in a June 2026 ShinyHunters pay-or-leak campaign and that the group subsequently published data allegedly taken from the company containing more than 200,000 unique email addresses. HIBP describes the affected addresses as belonging to employees, contractors, customers, and leads, while Mozilla Monitor lists June 12, 2026 as the breach date and June 26, 2026 as the database addition date ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/AmericanTower), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/AmericanTower)). The public sources reviewed here do not confirm the initial access path. Hackmanac separately posted a larger ShinyHunters claim of more than 5.2 million records and additional operational and internal corporate data categories, but marked the status as pending verification, so those broader claims are not treated here as confirmed exposure ([linkedin.com](https://www.linkedin.com/posts/hackmanac_cyber-alert-usa-%F0%9D%97%94%F0%9D%97%BA%F0%9D%97%B2%F0%9D%97%BF%F0%9D%97%B6%F0%9D%97%B0%F0%9D%97%AE%F0%9D%97%BB-activity-7471149439055912960-qEX7)). ## What data was exposed Leaksear.ch indexing metadata lists 212,642 records. Searchable pivots are address, country, email, IP address, name, phone, and username (leaksear.ch metadata). Stored but not directly searchable context fields include job title, company and department data, employee number, manager, account status, login timestamps, MFA-enabled status, device and asset identifiers, vendor numbers, case metadata, and site location fields such as city, state, and ZIP code (leaksear.ch metadata). Public breach listings by HIBP and Mozilla also identify email addresses, names, phone numbers, physical addresses, and job titles as compromised. HIBP states the email addresses belonged to employees, contractors, customers, and leads ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/AmericanTower), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/AmericanTower)). ## Why this matters For affected individuals, the combination of contact details, roles, and organizational context can make phishing, callback scams, and impersonation more convincing. For security teams, fields such as usernames, IP addresses, account status, last-login timestamps, and MFA status are useful for exposure review and for prioritizing monitoring, but they also increase the value of the data to social engineers (leaksear.ch metadata). Public breach pages reviewed here do not list passwords as exposed, but contact and workplace data is still enough to support targeted fraud and account-recovery attempts ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/AmericanTower), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/AmericanTower)). If you may have worked with or contacted American Tower, use the exposure check on this page to see whether your identifiers appear in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, phone, and username. ## Sources - [American Tower: 2025 Annual Report](https://americantower.gcs-web.com/static-files/66b0603a-d360-436a-93ec-1e9b3d369a83) - [Have I Been Pwned: American Tower Data Breach](https://haveibeenpwned.com/Breach/AmericanTower) - [Mozilla Monitor: American Tower Data Breach](https://monitor.mozilla.org/en/breach-details/AmericanTower) - [Hackmanac: ShinyHunters Breaches American Tower Corporation](https://www.linkedin.com/posts/hackmanac_cyber-alert-usa-%F0%9D%97%94%F0%9D%97%BA%F0%9D%97%B2%F0%9D%97%BF%F0%9D%97%B6%F0%9D%97%B0%F0%9D%97%AE%F0%9D%97%BB-activity-7471149439055912960-qEX7) --- ## Ralph Lauren Leak Exposes 140K Emails and Phone Numbers leaksear.ch has indexed 140,178 Ralph Lauren records from a June 11, 2026 ShinyHunters pay-or-leak extortion incident involving alleged Salesforce data (leaksear.ch metadata). Have I Been Pwned lists the incident as a June 2026 Ralph Lauren breach affecting about 140,000 accounts, with names, email addresses, phone numbers, genders, and age groups exposed ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/RalphLauren)). ## What happened Cybernews reported on June 11, 2026 that ShinyHunters claimed to have stolen more than 220GB of Ralph Lauren data, including customer PII, transaction information, and unreleased product material. At the time of that report, Cybernews said Ralph Lauren had not confirmed the incident and that no public data sample was available to verify the claim ([cybernews.com](https://cybernews.com/security/ralph-lauren-data-breach-claims/)). Have I Been Pwned later described the incident as a ShinyHunters pay-or-leak campaign in which the group published hundreds of gigabytes of data it claimed came from Ralph Lauren's Salesforce instance ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/RalphLauren)). DeXpose separately reported the June 11 threat-actor claim and said the group threatened publication if negotiations did not begin by June 14, 2026 ([www.dexpose.io](https://www.dexpose.io/shinyhunters-compromise-ralph-lauren-corporation/)). Salesforce had warned in March 2026 about a known threat actor campaign targeting overly permissive Experience Cloud guest user configurations, while stating that the activity related to customer configuration and not a Salesforce platform flaw. That advisory is useful background for Salesforce-linked leak claims, but public reporting on Ralph Lauren does not establish the exact access path used in this incident ([www.salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/)). ## What data was exposed The leaksear.ch index makes the Ralph Lauren dataset searchable by country, email address, name, and phone number (leaksear.ch metadata). Other stored fields include customer gender, age group, store and business-region context, order or transaction dates, survey programs, net promoter score fields, feedback comments, purchase or non-purchase reasons, checkout and delivery satisfaction fields, store identifiers, and transaction or tracking context (leaksear.ch metadata). Have I Been Pwned lists the compromised data categories as age groups, email addresses, genders, names, and phone numbers ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/RalphLauren)). The leaksear.ch metadata does not list passwords, password hashes, national IDs, or full payment-card numbers among the indexed or stored fields (leaksear.ch metadata). ## Why this matters Names, email addresses, phone numbers, demographic details, and shopping or survey context can make phishing and vishing attempts more believable. Salesforce warned that harvested names and phone numbers in related Experience Cloud scanning activity are often used to build follow-on social engineering and voice-phishing campaigns ([www.salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/)). For affected individuals, the practical risk is targeted brand impersonation, fake customer-support outreach, account-recovery scams, and profiling based on purchase or feedback history. Readers who want to check whether their data appears in this leak should search leaksear.ch using email, phone, name, or country. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, email, name, and phone. ## Sources - [Have I Been Pwned: Ralph Lauren Data Breach](https://haveibeenpwned.com/Breach/RalphLauren) - [Cybernews: Hacker group boasts about Ralph Lauren data breach: 220GB allegedly stolen](https://cybernews.com/security/ralph-lauren-data-breach-claims/) - [DeXpose: ShinyHunters Compromise Ralph Lauren Corporation](https://www.dexpose.io/shinyhunters-compromise-ralph-lauren-corporation/) - [Salesforce: Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/) --- ## Madison Square Garden Sports Leak Exposes 9.8M CRM Records Madison Square Garden Sports, the company behind the New York Knicks and New York Rangers, was breached on June 5, 2026 during a ShinyHunters extortion campaign, with leaksear.ch indexing 9,796,326 records from the dataset (leaksear.ch metadata) ([www.msgsports.com](https://www.msgsports.com/our-company/)). The indexed records include customer and staff CRM or support data such as names, email addresses, phone numbers, physical addresses, dates of birth, usernames, and customer-service details (leaksear.ch metadata). ## What happened Public breach listings and reporting describe this as a ShinyHunters pay-or-leak extortion case. Have I Been Pwned says MSG Sports was targeted in June 2026 and that the group later published alleged data, while 404 Media reported on June 16, 2026 that hackers had published stolen Madison Square Garden data online and that a reviewed sample included customer emails and Knicks-related files ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/MadisonSquareGardenSports), [www.404media.co](https://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/)). The exact intrusion path should be treated as reported, not as an official forensic finding. 404 Media later reported that the hackers said they called a low-level employee and tricked them into allowing access, a voice-phishing scenario that 404 Media connected to its review of the stolen data ([www.404media.co](https://www.404media.co/how-hackers-broke-into-madison-square-garden/)). ## What data was exposed The leaksear.ch indexing metadata lists searchable identity fields including name, email address, phone number, physical address, country, date of birth, and username (leaksear.ch metadata). The same metadata also shows stored CRM and support context such as account and organization names, job titles, age, paid amounts, event names, lead source, owner, created and last-modified dates, record type, customer service case status and subject, and source file or table metadata (leaksear.ch metadata). Have I Been Pwned lists the compromised categories as customer service records, email addresses, names, phone numbers, and physical addresses ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/MadisonSquareGardenSports)). Password, payment card, and government ID fields are not listed in the leaksear.ch indexing metadata, but the exposed contact and service-history data is still sensitive when combined with event and CRM context (leaksear.ch metadata). ## Why this matters This leak gives attackers practical phishing material: names, emails, phone numbers, addresses, dates of birth, and support history can make fake ticketing, billing, refund, account-recovery, or VIP-support messages more convincing (leaksear.ch metadata). Security teams should watch for impersonation of MSG Sports, the Knicks, the Rangers, ticketing support, and customer service workflows. Individuals who interacted with MSG Sports, Knicks, Rangers, ticketing, or support channels should check whether their email, phone, name, username, address, or date of birth appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Have I Been Pwned: Madison Square Garden Sports Data Breach](https://haveibeenpwned.com/Breach/MadisonSquareGardenSports) - [404 Media: Hackers Publish Knicks and Madison Square Garden Data Online](https://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/) - [404 Media: How Hackers Broke into Madison Square Garden](https://www.404media.co/how-hackers-broke-into-madison-square-garden/) - [Madison Square Garden Sports: Our Company](https://www.msgsports.com/our-company/) --- ## Nexstar Media Group Leak Exposes 14.6K Salesforce Records A Nexstar Media Group Salesforce dataset indexed by leaksear.ch contains 14,600 person-level contact, user, and opportunity records, including emails, names, phone numbers, addresses, usernames, IP addresses, and CRM context, with a breach date of June 11, 2026 (leaksear.ch metadata). Nexstar says it and its subsidiaries and partners own or operate 265 stations in 132 markets across 44 states ([www.nexstar.tv](https://www.nexstar.tv/stations/)). ## What happened Public reporting described the incident as a ShinyHunters data-extortion claim involving Nexstar.tv or Nexstar Media Group. DeXpose reported that ShinyHunters claimed on June 11, 2026 to have compromised more than 1 million Salesforce records and other internal corporate data, while ClassAction.org described the matter as a possible Nexstar breach and said the company had not confirmed it at the time of publication ([www.dexpose.io](https://www.dexpose.io/shinyhunters-compromises-nexstar-tv-in-major-ransomware-attack/), [www.classaction.org](https://www.classaction.org/data-breach-lawsuits/nexstar-media-group-june-2026)). Class Action U similarly characterized the incident as reported and potentially involving Salesforce records, employee and corporate information, and sensitive personal data, but noted the breach had not been confirmed by Nexstar ([classactionu.org](https://classactionu.org/current-data-breaches/nexstar-media-group/)). RedPacket Security listed Nexstar.tv under ShinyHunters and included a warning that some listings attributed to ShinyHunters have been unverified or fabricated, so the actor's broader claim should be treated as alleged unless corroborated ([www.redpacketsecurity.com](https://www.redpacketsecurity.com/shinyhunters-ransomware-victim-nexstar-tv/)). The leaksear.ch indexed subset is narrower than the actor's public claim: it contains normalized person-level Salesforce contact, user, and opportunity records, excluding standalone business-account rows and cases without an email deduplication key (leaksear.ch metadata). No loaded public source for this article confirmed the initial access vector, a ransom amount, or whether encryption occurred. ## What data was exposed The indexed records include names, email addresses, phone numbers, physical addresses, countries, usernames, and IP addresses as searchable fields (leaksear.ch metadata). The dataset also contains employee and CRM context, source table information, source file names, source row numbers, and source value audit data for row provenance, but those provenance fields are not direct search pivots (leaksear.ch metadata). ## Why this matters Person-level CRM data can give attackers enough context to make phishing, business-email-compromise lures, and impersonation attempts look credible, especially when names, contact details, usernames, and organizational context appear together. For individuals, exposed addresses and phone numbers increase the risk of targeted scams and account-recovery abuse. Anyone affiliated with Nexstar, including current or former employees, customers, vendors, or other CRM contacts, should check whether their email, phone, username, name, address, country, or IP address appears in this leak (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, phone, and username. ## Sources - [Nexstar Media Group: Stations](https://www.nexstar.tv/stations/) - [DeXpose: ShinyHunters Compromises Nexstar.tv in Major Ransomware Attack](https://www.dexpose.io/shinyhunters-compromises-nexstar-tv-in-major-ransomware-attack/) - [ClassAction.org: Nexstar Media Group Data Breach? Lawyers Examining Hackers' Reports](https://www.classaction.org/data-breach-lawsuits/nexstar-media-group-june-2026) - [Class Action U: Nexstar Media Group Data Breach Lawsuit](https://classactionu.org/current-data-breaches/nexstar-media-group/) - [RedPacket Security: ShinyHunters Ransomware Victim Nexstar.tv](https://www.redpacketsecurity.com/shinyhunters-ransomware-victim-nexstar-tv/) --- ## Pathstone Leak Exposes 70K Client and Document Records A Pathstone data leak indexed by leaksear.ch contains 70,038 records, about 70,000, tied to the family-office and wealth-management firm, with a breach date listed as February 27, 2026 (leaksear.ch metadata). Public reporting at the time said ShinyHunters claimed to have taken 641,000 records from Pathstone and issued a March 2, 2026 deadline, while Pathstone had not confirmed the breach in those reports ([cybernews.com](https://cybernews.com/security/shinyhunters-pathstone-data-breach-ransom/), [www.scworld.com](https://www.scworld.com/brief/pathstone-family-office-allegedly-breached-by-shinyhunters)). ## What happened Cybernews reported on February 27, 2026 that ShinyHunters posted a dark-web ultimatum claiming it had breached Pathstone Family Office and stolen records containing personally identifiable information and internal corporate data ([cybernews.com](https://cybernews.com/security/shinyhunters-pathstone-data-breach-ransom/)). SC Media later summarized the claim and noted that, at the time of its report, no sample data had been released to substantiate the allegation and Pathstone had not confirmed a breach ([www.scworld.com](https://www.scworld.com/brief/pathstone-family-office-allegedly-breached-by-shinyhunters)). The indexed leak metadata describes the material as data allegedly stolen by ShinyHunters in February 2026 and says the normalized dataset includes Salesforce CRM exports and document-inventory metadata (leaksear.ch metadata). Public breach trackers also list Pathstone, pathstone.com, ShinyHunters and a February 27, 2026 discovery date, but do not provide a confirmed technical root cause ([www.breachsense.com](https://www.breachsense.com/breaches/pathstone-data-breach/), [www.dexpose.io](https://www.dexpose.io/shinyhunters-strikes-pathstone-family-office-in-major-ransomware-attack/)). Pathstone describes itself as serving individuals and families, family offices and institutions, and its site lists more than $185 billion in aggregate assets as of December 31, 2025, including affiliate firms ([pathstone.com](https://pathstone.com/)). ## What data was exposed The leaksear.ch index lists searchable fields including names, email addresses, phone numbers, physical addresses, countries, dates of birth and usernames (leaksear.ch metadata). The metadata also describes financial profile fields, account and task context, and source audit fields that include Social Security or tax identifiers (leaksear.ch metadata). The stored document-inventory fields include document category, file name, file extension, file size, file modified date, source file, source path, source record type, source row number, source table and source value audit fields (leaksear.ch metadata). The document categories described in the metadata include tax records, passports, driver licenses, wire instructions, trusts, estate documents and financial statements (leaksear.ch metadata). ## Why this matters A leak that combines identity data, contact details, dates of birth, addresses and financial-document context can support targeted phishing, account impersonation and identity-fraud attempts (leaksear.ch metadata). The risk is higher for wealth-management and family-office data because attackers can tailor lures around taxes, estate planning, wire transfers, trusts or investment administration, topics that Pathstone itself identifies as part of the services and client contexts it supports ([pathstone.com](https://pathstone.com/)). Individuals who believe their information may have been handled by Pathstone should use the lookup below to check whether their identifiers appear in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Cybernews: Hackers give Wall Street billionaires 5 days to panic: here's what they're demanding](https://cybernews.com/security/shinyhunters-pathstone-data-breach-ransom/) - [SC Media: Pathstone Family Office allegedly breached by ShinyHunters](https://www.scworld.com/brief/pathstone-family-office-allegedly-breached-by-shinyhunters) - [Breachsense: Pathstone Data Breach in 2026](https://www.breachsense.com/breaches/pathstone-data-breach/) - [DeXpose: ShinyHunters Strikes Pathstone Family Office in Major Ransomware Attack](https://www.dexpose.io/shinyhunters-strikes-pathstone-family-office-in-major-ransomware-attack/) - [Pathstone: Welcome to Pathstone](https://pathstone.com/) --- ## Inter-Con leak exposes 286K Salesforce and OneDrive records A ShinyHunters-linked leak involving Inter-Con Security Systems exposed 285,983 indexed records from Salesforce and OneDrive, with a breach date listed as June 19, 2026 (leaksear.ch metadata). Inter-Con describes itself as a global security services provider with more than 40,000 employees, and public breach trackers list icsecurity.com as a ShinyHunters victim in mid-June 2026 ([icsecurity.com](https://icsecurity.com/), [www.breachsense.com](https://www.breachsense.com/breaches/inter-con-security-systems-data-breach/), [socradar.io](https://socradar.io/free-tools/ransomware-intelligence/victims/icsecurity-com-shinyhunters-be786a4f)). ## What happened Breachsense lists Inter-Con Security Systems as a June 19, 2026 data breach victim with the domain icsecurity.com and ShinyHunters as the threat actor ([www.breachsense.com](https://www.breachsense.com/breaches/inter-con-security-systems-data-breach/)). SOCRadar separately lists icsecurity.com as a ShinyHunters incident discovered on June 18, 2026, with the status “Data Leaked” and a note that data was published on the group’s leak site ([socradar.io](https://socradar.io/free-tools/ransomware-intelligence/victims/icsecurity-com-shinyhunters-be786a4f)). The indexed leak material is described as Salesforce and OneDrive data leaked by ShinyHunters in June 2026 (leaksear.ch metadata). Public sources reviewed for this article do not confirm the initial access path for the Inter-Con incident, so this article does not attribute it to a specific method such as vishing, token theft, or a misconfiguration. The broader context is that Salesforce customer environments have been a recurring target for financially motivated data theft. Google Threat Intelligence Group reported in 2025 that UNC6040 used voice phishing to compromise Salesforce instances and that later extortion activity sometimes claimed the ShinyHunters brand, while Salesforce has warned customers about social engineering, malicious connected apps, and modified Data Loader-style tooling used to exfiltrate data ([cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion), [www.salesforce.com](https://www.salesforce.com/blog/protect-against-social-engineering/)). That context should not be read as confirmation of how the Inter-Con data was obtained. ## What data was exposed The leaksear.ch index contains 285,983 normalized records from Salesforce contacts, leads, users, opportunity-owner contact records, selected case records, and OneDrive file inventory rows for employee identity, training, and certification documents (leaksear.ch metadata). Searchable fields include names, email addresses, phone numbers, physical addresses, countries, and usernames (leaksear.ch metadata). Other stored fields include Salesforce contact and lead attributes, job titles, departments, account and company names, lead source and status, Salesforce user profile information, case numbers, case status and priority, case subjects and comments, and OneDrive file metadata such as document type, filename, extension, modified timestamp, and file size (leaksear.ch metadata). The structured index excludes low-value billing and account exports and the bulk SharePoint business-document archive, according to the supplied indexing metadata (leaksear.ch metadata). ## Why this matters Inter-Con provides security services to public and private-sector clients, including government, utilities, corporate, and critical infrastructure environments, according to the company’s own description ([icsecurity.com](https://icsecurity.com/company/history/)). Contact records, job context, case metadata, and employee document inventories can help attackers craft convincing phishing, vendor-impersonation, recruiting, or help-desk pretexts. For incident responders, the most practical risk is targeted social engineering against employees, customers, vendors, and people named in Salesforce records. Individuals and organizations that have interacted with Inter-Con should check whether their name, email, phone number, username, address, or country appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username. ## Sources - [Breachsense: Inter-Con Security Systems Data Breach in 2026](https://www.breachsense.com/breaches/inter-con-security-systems-data-breach/) - [SOCRadar: icsecurity.com Ransomware Attack by Shinyhunters](https://socradar.io/free-tools/ransomware-intelligence/victims/icsecurity-com-shinyhunters-be786a4f) - [Inter-Con Security: Homepage](https://icsecurity.com/) - [Inter-Con Security: History](https://icsecurity.com/company/history/) - [Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion) - [Salesforce: Protect Your Salesforce Environment from Social Engineering Threats](https://www.salesforce.com/blog/protect-against-social-engineering/) --- ## JCPenney leak exposes 138K HR records, emails and DOBs JCPenney and associated brands are tied to a June 2026 data leak indexed by leaksear.ch, with 138,226 normalized HR-related records recovered from employee, candidate, payroll, banking, and HR exports and a breach date listed as June 1, 2026 (leaksear.ch metadata). Public reporting and Have I Been Pwned connect the exposure to ShinyHunters' Oracle PeopleSoft extortion campaign, with the published data described as mainly internal HR records affecting current and former employees ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/JCPenney)). ## What happened JCPenney and SPARC Group announced in January 2025 that they had combined to form Catalyst Brands, bringing JCPenney and several retail brands under one organization ([corporate.jcpenney.com](https://corporate.jcpenney.com/2025/01/08/sparc-group-has-merged-with-jcpenney-to-form-catalyst-brands/)). In June 2026, Cybernews and DeXpose reported that ShinyHunters added JCPenney and brands associated with Catalyst Brands and Authentic Brands Group to its leak site, claimed hundreds of thousands of records, and set a mid-June deadline before release; Cybernews noted at the time that no samples had been published and that the scope and authenticity remained unconfirmed pending a company response ([cybernews.com](https://cybernews.com/security/shinyhunters-jcpenney-retail-data-leak-claim/), [www.dexpose.io](https://www.dexpose.io/shinyhunters-breaches-jcpenney-and-catalyst-brands/)). By June 17, BreachNews reported that ShinyHunters had allegedly moved JCPenney and several other victims from extortion listings to release listings. Have I Been Pwned later published a JCPenney breach page stating that data allegedly obtained through exploitation of an Oracle PeopleSoft zero-day was published publicly and primarily related to internal HR systems ([breachnews.com](https://breachnews.com/breaches/shinyhunters-publishes-alleged-data-from-american-tower-jcpenney-ralph-lauren-and-other-victims/), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/JCPenney)). Mandiant and Google Threat Intelligence Group attributed the broader PeopleSoft campaign to UNC6240, ShinyHunters, observed it between May 27 and June 9, 2026, and assessed that CVE-2026-35273 was exploited as a zero-day before Oracle's June 10 advisory. Oracle's alert says CVE-2026-35273 affects PeopleSoft PeopleTools, is remotely exploitable without authentication, and may result in remote code execution ([cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit), [www.oracle.com](https://www.oracle.com/security-alerts/alert-cve-2026-35273.html)). ## What data was exposed leaksear.ch indexed 138,226 normalized records tied to JCPenney and associated brands (leaksear.ch metadata). The searchable fields in this index are address, country, date of birth, email address, name, phone number, and username; stored non-searchable context includes source file references, source row numbers, and source-value audit metadata (leaksear.ch metadata). The source archive is described as employee, candidate, payroll, banking, and HR exports, but the supplied index metadata does not identify a specific bank-account field as a searchable pivot (leaksear.ch metadata). Have I Been Pwned separately lists 368 thousand affected accounts and describes exposed categories including dates of birth, email addresses, government-issued IDs, job titles, names, phone numbers, physical addresses, and usernames; Cybernews reported the threat actor's claim also referenced Social Security numbers, W-2 tax records, payroll information, driver's licenses, and scans of government-issued identity documents ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/JCPenney), [cybernews.com](https://cybernews.com/security/shinyhunters-jcpenney-retail-data-leak-claim/)). ## Why this matters For individuals, a cluster of name, home address, phone number, email address, date of birth, and username can support convincing impersonation, account-recovery attempts, and payroll or benefits-themed phishing. If Social Security numbers, tax records, or government ID material are present in portions of the data as public sources report, impacted people face longer-lived identity and tax-fraud risk because those identifiers cannot be reset like passwords ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/JCPenney), [cybernews.com](https://cybernews.com/security/shinyhunters-jcpenney-retail-data-leak-claim/)). Security teams should treat the exposure as HR-data loss, warn affected populations about targeted phishing, and verify PeopleSoft patch status and incident logs where relevant. If you are a current or former JCPenney or associated-brand employee or job candidate, use the exposure check on this page to see whether your data appears in the leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Have I Been Pwned: JCPenney Data Breach](https://haveibeenpwned.com/Breach/JCPenney) - [Cybernews: ShinyHunters claim JCPenney retail data theft involving SSNs and payroll files](https://cybernews.com/security/shinyhunters-jcpenney-retail-data-leak-claim/) - [DeXpose: ShinyHunters Breaches JCPenney and Catalyst Brands](https://www.dexpose.io/shinyhunters-breaches-jcpenney-and-catalyst-brands/) - [BreachNews: ShinyHunters Publishes Alleged Data From American Tower, JCPenney, Ralph Lauren and Other Victims](https://breachnews.com/breaches/shinyhunters-publishes-alleged-data-from-american-tower-jcpenney-ralph-lauren-and-other-victims/) - [Google Cloud Blog: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit](https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit) - [Oracle: Oracle Security Alert Advisory - CVE-2026-35273](https://www.oracle.com/security-alerts/alert-cve-2026-35273.html) - [JCPenney Newsroom: SPARC Group Has Merged with JCPenney To Form Catalyst Brands](https://corporate.jcpenney.com/2025/01/08/sparc-group-has-merged-with-jcpenney-to-form-catalyst-brands/) --- ## Sysco ShinyHunters Leak Exposes 7.7M Contact Records A published SYSCO ShinyHunters dataset indexed by leaksear.ch contains 7,698,139 records, with the breach date recorded as June 1, 2026 (leaksear.ch metadata). Sysco describes itself as a global foodservice distributor serving restaurants, healthcare and educational facilities, lodging, entertainment venues, and other customers ([investors.sysco.com](https://investors.sysco.com/shareholder-services/shareholder-overview)). ## What happened Cybernews reported on June 16, 2026, and updated the article on July 1, that ShinyHunters claimed to have compromised more than 61 million Salesforce records connected to Sysco across several tables. Cybernews said the claim involved customer data, employee records, and internal corporate data, but also reported that no proof samples accompanied the post at the time and that Sysco had not responded to its inquiry ([cybernews.com](https://cybernews.com/news/sysco-shinyhunters-61-million-salesforce-records/)). Have I Been Pwned later listed the Sysco incident as a June 2026 breach and said published data contained 2.7 million unique email addresses belonging to staff and customers. HIBP characterized the exposed data as largely corporate contact information, including names, phone numbers, physical addresses, internal job titles, usernames, employers, and customer feedback ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Sysco)). leaksear.ch indexes 7.7 million records from the published SYSCO ShinyHunters dataset and records the source as Salesforce-related data from the June 2026 campaign (leaksear.ch metadata). The larger 61 million figure remains a threat-actor claim reported by Cybernews, while the 2.7 million unique email count is the figure published by Have I Been Pwned. ## What data was exposed The indexed records include customer and employee contact data such as email addresses, usernames, names, phone numbers, physical addresses, job and employer details, customer feedback, vehicle identifiers, and internal source context (leaksear.ch metadata). Searchable fields in the leaksear.ch index are address, country, date of birth, email, IP address, name, phone, username, and VIN (leaksear.ch metadata). Additional stored context fields include source file, source payload, source row, and source table metadata. These fields help describe how records appeared in the dataset, but they are not direct search pivots on leaksear.ch (leaksear.ch metadata). ## Why this matters The exposed fields are useful for phishing, business email compromise pretexting, customer impersonation, and targeted scams because they combine contact details with workplace and customer context. For Sysco customers, staff, and business contacts, the presence of names, emails, phone numbers, addresses, usernames, and VINs may help attackers tailor messages that appear operational or vendor-related. Security teams should watch for Sysco-themed lures, credential harvesting attempts, and unusual account activity tied to exposed contact points. If you may have worked for Sysco, done business with Sysco, or used a Sysco-linked account, check whether your email address, phone number, username, name, address, IP address, date of birth, country, or VIN appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, ip address, name, phone, username, and vin. ## Sources - [Have I Been Pwned: Sysco Data Breach](https://haveibeenpwned.com/Breach/Sysco) - [Cybernews: Sysco hit by second extortion claim over 61M records, weeks after Qilin ransomware threat](https://cybernews.com/news/sysco-shinyhunters-61-million-salesforce-records/) - [Sysco: Shareholder Overview](https://investors.sysco.com/shareholder-services/shareholder-overview) --- ## European Commission Leak Exposes 1.8K DIGIT SSO User Records leaksear.ch has indexed 1,798 European Commission DIGIT single sign-on user records linked to a ShinyHunters leak, with names, email addresses, usernames, and internal user IDs, and a breach date of March 22, 2026 (leaksear.ch metadata). DIGIT is the Commission's Directorate-General for Digital Services, the department responsible for digital services supporting Commission departments and EU institutions ([commission.europa.eu](https://commission.europa.eu/about/departments-and-executive-agencies/digital-services_en)). ## What happened The public incident context is the March 2026 breach of the European Commission's Europa.eu cloud-hosted web platform. The Commission said it discovered the cyberattack on March 24, 2026, affecting cloud infrastructure that hosted its Europa.eu web presence, and said early findings suggested data had been taken while Europa websites and internal systems were not disrupted ([ec.europa.eu](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_26_748/IP_26_748_EN.pdf)). CERT-EU later assessed with high confidence that initial access came through the Trivy supply-chain compromise, after a threat actor obtained an AWS secret on March 19, 2026. CERT-EU said about 91.7 GB of compressed data was exfiltrated from the affected AWS account and that ShinyHunters made the stolen data publicly available on March 28, 2026 ([cert.europa.eu](https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain)). BleepingComputer reported that ShinyHunters claimed to have stolen more than 350 GB of European Commission data and added a European Commission entry to its leak site, while the Commission did not publish detailed field-level exposure at the time of its initial statement ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/european-commission-confirms-data-breach-after-europaeu-hack/)). The 1,798-record DIGIT SSO dataset indexed by leaksear.ch should be treated as a specific exposed subset, not as the full size of the broader Europa cloud incident (leaksear.ch metadata). ## What data was exposed The leaksear.ch indexing metadata lists email, name, and username as searchable fields for this leak (leaksear.ch metadata). Additional fields stored in the indexed records include display name, given name, family name, source name variants, and user ID (leaksear.ch metadata). The metadata supplied for this indexed leak does not list passwords, password hashes, phone numbers, payment data, or national ID numbers (leaksear.ch metadata). CERT-EU's analysis of the broader published dataset also confirmed personal data such as names, last names, usernames, and email addresses, and said some outbound email-related files could contain user-submitted content in bounce-back messages ([cert.europa.eu](https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain)). ## Why this matters Names, work email addresses, and SSO usernames can help attackers tailor phishing, impersonation, and account-enumeration attempts against Commission-linked users and organizations. Security teams should review authentication telemetry for password-spray, reset, and suspicious SSO activity involving exposed identifiers, while individuals should treat unexpected Commission-themed messages with caution. Because public sources describe a broader cloud-platform data theft alongside this smaller indexed SSO subset, affected EU entities should approach the leak as both an identity-exposure issue and a web-platform incident triage matter ([cert.europa.eu](https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain), [ec.europa.eu](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_26_748/IP_26_748_EN.pdf)). To check whether your own email, name, or username appears in this leak, use the leaksear.ch exposure search for this dataset. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, name, and username. ## Sources - [European Commission: Digital Services](https://commission.europa.eu/about/departments-and-executive-agencies/digital-services_en) - [European Commission: Commission responds to cyber-attack on its Europa web platform](https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_26_748/IP_26_748_EN.pdf) - [CERT-EU: European Commission cloud breach: a supply-chain compromise](https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain) - [BleepingComputer: European Commission confirms data breach after Europa.eu hack](https://www.bleepingcomputer.com/news/security/european-commission-confirms-data-breach-after-europaeu-hack/) --- ## Vodafone Leak Exposes 1K Emails, Passwords and Usernames Vodafone, one of the largest telcos in Europe and Africa, is named in a 1,000-record breach dataset indexed by leaksear.ch, exposing email addresses, passwords and usernames (leaksear.ch metadata, [www.vodafone.com](https://www.vodafone.com/)). The dataset does not include a confirmed breach date, reporter or reference link in the supplied metadata, so the 1,000-record exposure should not be treated as a confirmed full copy of any previously reported Vodafone incident (leaksear.ch metadata). ## What happened leaksear.ch metadata identifies this as a Vodafone breach dataset and records the indexing date as June 30, 2026. No breach date or source links were supplied with the leak metadata (leaksear.ch metadata). Public reporting provides relevant context. Iceland's Post and Telecom Administration said Vodafone Iceland web pages were destroyed shortly after midnight on November 30, 2013, after a break-in into the company's Internet servers, and stolen sensitive data was leaked online ([rafhladan.is](https://rafhladan.is/bitstream/handle/10802/15311/PTA_Annual_Report_2013.pdf?sequence=6)). Have I Been Pwned lists a Vodafone breach from November 2013 affecting 56k accounts, attributed to Vodafone in Iceland, and says the exposed data included usernames, email addresses, social security numbers, SMS messages, server logs and passwords; The Hacker News contemporaneously reported a Vodafone Iceland hack and a data archive that appeared to include 77,000 user accounts ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Vodafone), [thehackernews.com](https://thehackernews.com/2013/11/vodafone-iceland-hacked-and-exposed.html)). Those public sources establish historical Vodafone-related breach context, but the leaksear.ch metadata does not confirm that the 1,000 indexed records came from the 2013 incident or from any other named incident (leaksear.ch metadata). ## What data was exposed The searchable fields for this leak are email, username and password (leaksear.ch metadata). A source\_user\_id is also stored on records, but it is not directly searchable on leaksear.ch (leaksear.ch metadata). No phone numbers, names, financial identifiers, SMS content or national IDs are listed in the supplied metadata for this 1,000-record index. Those broader categories appear in public reporting on the 2013 Vodafone Iceland incident, not in the leaksear.ch metadata for this dataset ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Vodafone), [thehackernews.com](https://thehackernews.com/2013/11/vodafone-iceland-hacked-and-exposed.html), leaksear.ch metadata). ## Why this matters Email, username and password combinations are high-value for account takeover when users reuse passwords. Vodafone UK described a separate 2015 unauthorized-account-access incident as driven by email addresses and passwords acquired from outside Vodafone, and warned that affected customers could be exposed to fraud and phishing ([www.vodafone.co.uk](https://www.vodafone.co.uk/newscentre/press-release/statement-on-unauthorised-account-access/)). For affected individuals, the priority is to change any reused Vodafone-related password, enable multi-factor authentication where available, and treat unexpected account, billing or SIM-related messages as suspicious. Security teams should compare exposed emails and usernames against corporate identity stores and monitor for password reuse alerts and targeted phishing. If you may have used a Vodafone-related account, check whether your data appears in this leak and rotate any matching or reused password immediately. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, password, and username. ## Sources - [Vodafone Group: Vodafone](https://www.vodafone.com/) - [Post and Telecom Administration in Iceland: Annual Report 2013](https://rafhladan.is/bitstream/handle/10802/15311/PTA_Annual_Report_2013.pdf?sequence=6) - [Have I Been Pwned: Vodafone Data Breach](https://haveibeenpwned.com/Breach/Vodafone) - [The Hacker News: Vodafone Iceland hacked and exposed 70000 Users' Personal Information](https://thehackernews.com/2013/11/vodafone-iceland-hacked-and-exposed.html) - [Vodafone UK News Centre: UPDATE: STATEMENT ON UNAUTHORISED ACCOUNT ACCESS](https://www.vodafone.co.uk/newscentre/press-release/statement-on-unauthorised-account-access/) --- ## DentaQuest Leak: 17.5K Records Expose Names and Usernames leaksear.ch has indexed a DentaQuest breach dataset containing 17,462 records tied to a May 1, 2026 breach date, with names and usernames available as search pivots (leaksear.ch metadata). DentaQuest is a U.S. dental benefits administrator, and public reporting says a broader May 2026 ShinyHunters leak involved 2.6 million accounts and hundreds of gigabytes of allegedly stolen data ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/DentaQuest), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/)). ## What happened Public reporting describes the DentaQuest incident as an extortion-driven leak. Have I Been Pwned says DentaQuest was targeted in May 2026 by a ShinyHunters "pay or leak" campaign that resulted in hundreds of gigabytes of data allegedly obtained from the company being published, while BleepingComputer reported that ShinyHunters claimed more than 234 GB of stolen data and leaked it after a reported failure to reach an agreement ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/DentaQuest), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/)). DentaQuest's own security update confirms unauthorized access to a limited portion of its network. The company said it secured the network, completed a comprehensive assessment with independent cybersecurity experts, continued working with forensic data analysts to determine what information may have been compromised, and was making regulatory filings ([www.dentaquest.com](https://www.dentaquest.com/en/security-update-0526)). Security Affairs also reported that DentaQuest was listed on the ShinyHunters leak site in May and that the group published a 234 GB archive allegedly stolen from the company. DentaQuest has not publicly provided technical details about the initial intrusion vector in the sources reviewed for this article ([securityaffairs.com](https://securityaffairs.com/193274/data-breach/dentaquest-breach-shinyhunters-publish-data-impacting-2-6m-people.html)). ## What data was exposed In the leaksear.ch index, the searchable fields for this DentaQuest source are name and username. The indexed records also include document context fields, including document date, document type, file extension, filename, record ID, and source path, but those fields are stored as record context and are not direct search pivots (leaksear.ch metadata). For the broader public DentaQuest breach listing, Have I Been Pwned identifies exposed data types including dates of birth, email addresses, genders, government-issued IDs, health insurance information, names, phone numbers, and physical addresses. HIBP also says much of the data appeared in healthcare enrollment files, with some records containing Medicaid IDs ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/DentaQuest)). ## Why this matters Names and usernames in the indexed dataset can help attackers personalize phishing, account recovery attempts, or impersonation messages. When combined with the broader DentaQuest exposure reported by HIBP and others, including contact details, government ID data, and health insurance information, the risk extends to targeted scams, insurance fraud attempts, and identity verification abuse ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/DentaQuest), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/)). DentaQuest has specifically warned members to remain vigilant against targeted scams and said it will not demand payment, passwords, or sensitive health information via text message, social media, or email ([www.dentaquest.com](https://www.dentaquest.com/en/security-update-0526)). To check whether your data appears in this leak, search leaksear.ch using your name or username (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include name and username. ## Sources - [Have I Been Pwned: DentaQuest Data Breach](https://haveibeenpwned.com/Breach/DentaQuest) - [DentaQuest: Security Update](https://www.dentaquest.com/en/security-update-0526) - [BleepingComputer: DentaQuest data breach exposed info of 2.6 million accounts](https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/) - [Security Affairs: DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People](https://securityaffairs.com/193274/data-breach/dentaquest-breach-shinyhunters-publish-data-impacting-2-6m-people.html) --- ## Loozap leak exposes 6.9M user records and passwords The Loozap leak indexed by leaksear.ch contains 6,895,067 records tied to the online classifieds platform, with a breach date recorded as March 1, 2026 (leaksear.ch metadata). Public company and profile materials describe Loozap/Listings360 as a classifieds and eCommerce marketplace for buying and selling goods and services across African markets ([ch.linkedin.com](https://ch.linkedin.com/company/listings360-galid-africa), [www.abnewswire.com](https://www.abnewswire.com/pressreleases/loozap-classifieds-touted-as-the-largest-car-dealer-in-africa_607332.html)). ## What happened Public breach-tracking sources show a Loozap leak circulating in 2026, but they do not agree on the scale. DataBreach lists a Loozap breach dated March 1, 2026 with 34,250 rows, while LeakRadar lists a file named `loozap.com.tar.gz.zip` indexed on March 1, 2026 with a much larger count; Brinztech separately described an alleged 10GB Loozap database leak ([databreach.com](https://databreach.com/breach/loozap-2026), [leakradar.io](https://leakradar.io/en/leaks/48770), [www.brinztech.com](https://www.brinztech.com/breach-alerts/brinztech-alert-the-alleged-database-of-loozap-is-leaked/)). Because the public reports conflict, the leaksear.ch article uses the indexed leaksear.ch count for this source and treats the external reports as context rather than confirmation of a single definitive total (leaksear.ch metadata). The supplied metadata and loaded public sources do not confirm the initial intrusion method, and there is no substantiated public evidence in these sources identifying the cause as ransomware, scraping, misconfigured storage or exploitation of a specific vulnerability. Brinztech reported that the alleged data dump was in SQL INSERT statement form, which is consistent with a database dump claim, but that report also framed the incident as an allegation rather than a company-confirmed disclosure ([www.brinztech.com](https://www.brinztech.com/breach-alerts/brinztech-alert-the-alleged-database-of-loozap-is-leaked/)). ## What data was exposed The leaksear.ch index lists the following searchable fields for this source: address, country, date of birth, email address, hashed password, IP address, name, phone number and username (leaksear.ch metadata). Additional stored fields in the indexed records include account and profile metadata, registration and login timestamps, verification-related tokens or codes, language and time zone settings, location coordinates, profile images, social profile fields, biography details, school and work fields, wallet or balance-related application fields, and salts (leaksear.ch metadata). These additional fields are stored on records but are not listed as direct search pivots on leaksear.ch. ## Why this matters The combination of names, emails, phone numbers, addresses and dates of birth can support convincing phishing, social engineering and identity-verification abuse. Hashed passwords and salts raise credential risk if users reused weak passwords on Loozap or elsewhere, while usernames and emails can be used for credential stuffing attempts against other services. IP addresses, country values and profile-related fields also give attackers more context for localized scams or impersonation attempts. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, hashed password, ip address, name, phone, and username. ## Sources - [DataBreach: Loozap Breach](https://databreach.com/breach/loozap-2026) - [LeakRadar: loozap.com.tar.gz.zip](https://leakradar.io/en/leaks/48770) - [Brinztech: Brinztech Alert: The Alleged Database of Loozap is Leaked](https://www.brinztech.com/breach-alerts/brinztech-alert-the-alleged-database-of-loozap-is-leaked/) - [ABNewswire: Loozap Classifieds Touted As The Largest Car Dealer In Africa](https://www.abnewswire.com/pressreleases/loozap-classifieds-touted-as-the-largest-car-dealer-in-africa_607332.html) - [LinkedIn: Loozap](https://ch.linkedin.com/company/listings360-galid-africa) --- ## BCD Travel Leak: 232K Records Expose Emails, Cases A BCD Travel leak indexed by leaksear.ch contains 232,540 records tied to Azure user exports and Salesforce leads, contacts, users, agreements and support cases, with the metadata breach date listed as May 29, 2026 (leaksear.ch metadata). BCD Travel is a business travel management company headquartered in Utrecht, the Netherlands, with clients in 170+ countries ([www.bcdtravel.com](https://www.bcdtravel.com/get-to-know-us/)). ## What happened Public reporting links the incident to ShinyHunters' 2026 pay-or-leak extortion activity. DeXpose reported that on May 29, 2026 ShinyHunters claimed an attack against BCD Travel and alleged theft of more than 700,000 Salesforce records plus corporate SharePoint data, with a June 1 deadline for negotiations ([www.dexpose.io](https://www.dexpose.io/shinyhunters-strike-bcd-travel-in-usa-ransomware-attack/)). Cybernews later reported that ShinyHunters published BCD Travel data after the ransom deadline was not met, and that the leaked material included personal information and support tickets; HIBP listed BCD Travel as a May 2026 breach with 396.3 thousand affected accounts and 396,313 unique email addresses ([cybernews.com](https://cybernews.com/security/shinyhunters-400k-bcd-travel-customers-data-online/), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/BCDTravel)). For this article, the scale is the leaksear.ch indexed dataset count, 232,540 records, while HIBP's public page reports affected accounts by unique email address (leaksear.ch metadata, [haveibeenpwned.com](https://haveibeenpwned.com/Breach/BCDTravel)). That public record does not establish the exact initial access method. ICT Magazine reported BCD Travel confirmed an investigation after suspicious activity through an internal account, while Mozilla Monitor lists May 29, 2026 as the breach date and June 5, 2026 as the date the breach was added to its database ([www.ictmagazine.nl](https://www.ictmagazine.nl/nieuws/shinyhunters-claimt-datadiefstal-bij-groot-internationaal-zakenreisbureau-update/), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/BCDTravel)). ## What data was exposed The indexed data includes emails, names, phone numbers, addresses, countries and usernames as searchable fields (leaksear.ch metadata). The stored record context includes Salesforce leads, contacts, user records, agreements and support cases, plus Azure user-export attributes such as display name, company name, user type, identifiers and account status metadata (leaksear.ch metadata). Other stored fields include job titles, employer or account relationships, mailing and street-address fields, department information, Salesforce record identifiers, agreement names/statuses, support case subjects/descriptions/status metadata, contact phones and marketing/tracking fields such as UTM, Google Analytics and click identifiers (leaksear.ch metadata). HIBP's public breach page independently lists email addresses, employers, job titles, names, phone numbers, physical addresses and support tickets, and Mozilla Monitor states that passwords were not exposed in this breach ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BCDTravel), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/BCDTravel)). ## Why this matters Even without passwords, the combination of contact details, employer relationships, job titles and support-ticket context can help attackers craft believable BCD Travel, corporate travel, invoice, itinerary or help-desk phishing lures. For organizations, exposed account and agreement metadata can provide context for impersonating travel coordinators, sales/account contacts or support teams. Individuals should treat unexpected travel-support messages, payment requests or account-verification calls that reference BCD Travel or an employer travel program as suspicious and verify them through known company channels. To check whether your data appears in this leak, use the search option below. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username. ## Sources - [BCD Travel: Get to know us](https://www.bcdtravel.com/get-to-know-us/) - [DeXpose: ShinyHunters Strike BCD Travel in USA Ransomware Attack](https://www.dexpose.io/shinyhunters-strike-bcd-travel-in-usa-ransomware-attack/) - [Cybernews: ShinyHunters dump 400K BCD Travel customers data online](https://cybernews.com/security/shinyhunters-400k-bcd-travel-customers-data-online/) - [Have I Been Pwned: BCD Travel Data Breach](https://haveibeenpwned.com/Breach/BCDTravel) - [ICT Magazine: ShinyHunters claimt datadiefstal bij groot internationaal zakenreisbureau - update](https://www.ictmagazine.nl/nieuws/shinyhunters-claimt-datadiefstal-bij-groot-internationaal-zakenreisbureau-update/) - [Mozilla Monitor: BCD Travel Data Breach](https://monitor.mozilla.org/en/breach-details/BCDTravel) --- ## Baker Distributing Leak Exposes 254K Contact Records leaksear.ch has indexed 253,986 records from a Baker Distributing Company leak dated May 23, 2026, involving Salesforce and SharePoint data with customer and employee contact records, support tickets, and internal account metadata (leaksear.ch metadata). Baker Distributing says it provides HVAC, refrigeration, and foodservice equipment, parts, and supplies through more than 200 sales centers in 26 states ([www.bakerdist.com](https://www.bakerdist.com/about)). ## What happened Public reporting ties the incident to the ShinyHunters group. Have I Been Pwned says Baker Distributing was added to ShinyHunters' pay-or-leak site in May 2026 and that data claimed from Baker's SharePoint and Salesforce infrastructure was publicly published in early June; HIBP lists 102.9k affected accounts, a unique-email metric that differs from leaksear.ch's row-level index ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BakerDistributing)). Cybernews reported on June 5, 2026, and updated on June 17, 2026, that ShinyHunters posted Baker data after alleged negotiations failed, including Salesforce records and SharePoint documents; Cybernews also said it had contacted Baker for comment ([cybernews.com](https://cybernews.com/security/baker-distributing-ransomware-salesforce-sharepoint-leak/)). DeXpose separately reported a May 23, 2026 ShinyHunters claim involving more than 260,000 Salesforce records and a pay-or-leak deadline of May 27, 2026 ([www.dexpose.io](https://www.dexpose.io/shinyhunters-breach-baker-distributing-company/)). Public sources reviewed for this article describe an extortion-site data publication, but do not confirm the initial intrusion method. The exposure should not be read as a confirmed Salesforce or Microsoft SharePoint platform breach unless Baker, Salesforce, Microsoft, or investigators release additional findings. ## What data was exposed The leaksear.ch index describes customer and employee contact records, support tickets, names, email addresses, physical addresses, phone numbers, company and account metadata, and internal Salesforce identifiers (leaksear.ch metadata). Searchable fields in the indexed leak include address, country, date of birth, email, name, phone, and username, where present (leaksear.ch metadata). Additional stored fields provide context from Salesforce-style cases, contacts, leads, and users. Those include account names, case numbers, case status, case comments, case origins, departments, titles, lead status, lead source, account ownership, timestamps, owner and role fields, bounced-email indicators, phone variants, mailing-address components, and source-file or source-row references (leaksear.ch metadata). Public reporting is broadly consistent with that data profile: HIBP lists email addresses, names, phone numbers, physical addresses, and support tickets, while Cybernews reported employee records, sales leads, customer contact records, SharePoint documents, and support-ticket data ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BakerDistributing), [cybernews.com](https://cybernews.com/security/baker-distributing-ransomware-salesforce-sharepoint-leak/)). ## Why this matters The most immediate risk is targeted phishing against Baker customers, HVAC/R contractors, employees, and suppliers. Names, roles, account context, phone numbers, emails, addresses, and ticket details can make impersonation attempts more credible, especially if attackers reference real service issues or business relationships (leaksear.ch metadata). Cybernews reported researchers warning that employee and client information could be used in targeted social engineering and that support tickets may reveal recurring technical issues ([cybernews.com](https://cybernews.com/security/baker-distributing-ransomware-salesforce-sharepoint-leak/)). Individuals should watch for account-recovery fraud, invoice or payment redirection attempts, and suspicious messages claiming to come from Baker support, sales, or account teams. If you are a Baker Distributing customer, employee, lead, contractor, or supplier, check whether your email, name, phone number, username, address, country, or date of birth appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Baker Distributing: About Baker Distributing HVAC, Refrigeration and Foodservice equipment parts and supplies distributor](https://www.bakerdist.com/about) - [Have I Been Pwned: Baker Distributing Data Breach](https://haveibeenpwned.com/Breach/BakerDistributing) - [Cybernews: Hackers publish hundreds of thousands of Salesforce records from Baker Distributing](https://cybernews.com/security/baker-distributing-ransomware-salesforce-sharepoint-leak/) - [DeXpose: ShinyHunters Breach Baker Distributing Company](https://www.dexpose.io/shinyhunters-breach-baker-distributing-company/) --- ## University of Nottingham Leak Exposes 332,810 Student Records The University of Nottingham data leak indexed by leaksear.ch contains 332,810 records, about 333,000, from a June 10, 2026 breach, including student and applicant names, contact details, dates of birth and academic or application data (leaksear.ch metadata). Have I Been Pwned separately lists 454.6 thousand affected accounts for the broader incident, after data tied to current students and alumni was published online in a ShinyHunters pay-or-leak campaign ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/UniversityOfNottingham)). ## What happened Public reporting places the incident inside the university's student record environment. ITV reported that the University identified unauthorized activity on its Campus Solutions system, took affected systems offline, said a significant amount of student record data had been accessed by a cybercriminal group, and reported the incident to Action Fraud and the Information Commissioner's Office ([itv.com](https://www.itv.com/news/central/2026-06-10/university-of-nottingham-student-and-alumni-data-leaked-after-cyberhack)). The Record and SecurityWeek reported that ShinyHunters claimed responsibility and published or listed files from the university, with the group claiming more than 40GB of material. Confirmed facts are narrower: the university said student and alumni data was accessed and that it was still working with investigators and a platform-maintenance third party to verify the exact scope; the initial access vector has not been confirmed in the public reporting reviewed for this article ([therecord.media](https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters), [securityweek.com](https://www.securityweek.com/university-of-nottingham-confirms-breach-after-hackers-leak-data/)). The Record also noted that ShinyHunters has previously misrepresented access in extortion attempts, so its claims about the volume and composition of stolen material should be treated as allegations unless confirmed by the university or a forensic finding ([therecord.media](https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters)). ## What data was exposed leaksear.ch indexing metadata lists searchable values for address, country, date of birth, email address, name, phone number and username. The same metadata lists stored context that includes academic data, applicant and application data, demographic data and institutional identifiers such as applicant IDs, student IDs and UCAS person IDs (leaksear.ch metadata). Public breach sources describe a wider set of categories in the published files, including names, addresses, phone numbers, passport numbers, ethnicity, disability, citizenship status, genders, usernames, academic enrolment and fee-payment data. Recorded Future News also reported that the university was operating on a precautionary assumption that contact information, course information, student or staff IDs, financial information and protected characteristics may have been accessed ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/UniversityOfNottingham), [therecord.media](https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters)). ## Why this matters The risk is not limited to spam: contact details combined with dates of birth, usernames, institutional IDs and course or application context can make targeted phishing, account-recovery abuse and university payment scams more convincing (leaksear.ch metadata). Because public reports include possible financial information and government or passport identifiers, affected people should monitor bank and credit activity where relevant and be cautious of messages about tuition, refunds, visas, housing or account support ([therecord.media](https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/UniversityOfNottingham)). The U.S. FTC advises people exposed in a data breach to watch for unrecognized accounts or charges, consider fraud alerts or credit freezes when appropriate, and report identity theft through IdentityTheft.gov ([consumer.ftc.gov](https://consumer.ftc.gov/articles/what-know-about-identity-theft)). If you have studied at, applied to or otherwise had records with the University of Nottingham, use the exposure check on this page to see whether your own data is present in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Have I Been Pwned: University of Nottingham Data Breach](https://haveibeenpwned.com/Breach/UniversityOfNottingham) - [SecurityWeek: University of Nottingham Confirms Breach After Hackers Leak Data](https://www.securityweek.com/university-of-nottingham-confirms-breach-after-hackers-leak-data/) - [The Record: University of Nottingham confirms cyber incident as Shiny Hunters group claims data theft](https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters) - [ITV News: University of Nottingham student and alumni data accessed in hack by cybercriminal group](https://www.itv.com/news/central/2026-06-10/university-of-nottingham-student-and-alumni-data-leaked-after-cyberhack) - [Federal Trade Commission: What To Know About Identity Theft](https://consumer.ftc.gov/articles/what-know-about-identity-theft) --- ## Salesfloor leak exposes 7.8M names, emails and phones leaksear.ch has indexed a Salesfloor leak containing 7,754,615 records tied to the Canadian retail SaaS platform and retailer customer data, with January 22, 2026 listed as the breach date (leaksear.ch metadata). Salesfloor provides retail customer-engagement tools including clienteling, virtual shopping, and conversational AI; Tulip and Salesfloor announced on March 24, 2026 that they would combine under the Tulip brand ([www.tulip.com](https://www.tulip.com/press/tulip-salesfloor-merger/)). ## What happened Public reporting to date frames this as an alleged dark-web reported compromise, not a detailed company notice. UpGuard reported on January 26, 2026 that the incident was reported on January 22, attributed in those reports to LAPSUS$, and allegedly involved 4 TB of uncompressed data including source code, system logs, development assets, SQL databases, and customer PII ([www.upguard.com](https://www.upguard.com/news/people-powered-e-commerce-data-breach-2026-01-22)). No public source reviewed for this article confirms the initial access path or whether the customer data was exposed through ransomware, scraping, misconfigured storage, or another mechanism. UpGuard's public summary described approximately 1 million user records, while the dataset indexed by leaksear.ch contains 7,754,615 records as of June 30, 2026 (leaksear.ch metadata). Salesfloor's business context matters because it sits between retailers and customer engagement data. In March 2026, Tulip said the merged Tulip-Salesfloor company would support about 100 enterprise retail clients and described Salesfloor as an engagement platform used by enterprise retailers in more than 70 countries and by over 50,000 associates ([www.tulip.com](https://www.tulip.com/press/tulip-salesfloor-merger/)). ## What data was exposed The indexed records contain contact and retail CRM data. The directly searchable fields are name, email address, phone number, postal address, and country (leaksear.ch metadata). Additional stored fields listed in the metadata include alternate email and phone fields, contact preference, customer and CRM IDs, retailer customer and store IDs, employee and user IDs, timestamps for record creation, updates, and last contact, subscription and SMS marketing flags, locale, tags, favorite-contact data, transaction-related structured fields, and source-system metadata (leaksear.ch metadata). ## Why this matters Even without passwords or payment-card fields in the metadata supplied to leaksear.ch, contact data tied to retailer relationships can be useful for convincing phishing, smishing, and account-recovery social engineering (leaksear.ch metadata). Retailers that used Salesfloor should treat exposed CRM and customer identifiers as correlation points that may help attackers tailor lures to specific brands, stores, or customer histories. Individuals should be cautious of messages that reference retail interactions, store appointments, marketing subscriptions, or customer-service follow-ups. If you interacted with a retailer that used Salesfloor, use the leaksear.ch exposure lookup below to check whether your name, email, phone, address, or country appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, and phone. ## Sources - [UpGuard: Salesfloor Suffers Breach According to Dark Web Reports](https://www.upguard.com/news/people-powered-e-commerce-data-breach-2026-01-22) - [Tulip: Retail’s Next Growth Engine Is Human-Centric: Tulip and Salesfloor Unite to Scale AI-Powered Customer Engagement](https://www.tulip.com/press/tulip-salesfloor-merger/) --- ## Allure Clinics Leak Exposes 80K Patient and Staff Records A dataset indexed by leaksear.ch contains 80,498 staff, doctor, and patient records tied to Allure Clinics, with a listed breach date of September 16, 2025 (leaksear.ch metadata). Allure's public site describes the business as cosmetic clinics in Riyadh specializing in dermatology and cosmetic surgery, and DeXpose reported that KillSec claimed responsibility for a cyberattack on Allure Clinics on the same date ([allureclinics.com](https://allureclinics.com/about), [www.dexpose.io](https://www.dexpose.io/killsec-targets-allure-clinics-in-saudi-arabia-ransomware-attack/)). ## What happened Public reporting identifies KillSec as the threat group behind the Allure Clinics incident. DeXpose reported on September 16, 2025 that KillSec claimed responsibility for a cyberattack against Allure Clinics and threatened to release sensitive patient information, while HookPhish also listed an Allure Clinics ransomware entry tied to KillSec and the domain allureclinics.com ([www.dexpose.io](https://www.dexpose.io/killsec-targets-allure-clinics-in-saudi-arabia-ransomware-attack/), [www.hookphish.com](https://www.hookphish.com/blog/ransomware-group-killsec-hits-allure-clinics/)). The leak-source metadata says the indexed dataset was exfiltrated by the KillSec ransomware group from the Saudi Arabia-based healthcare provider and was indexed by leaksear.ch on May 23, 2026 (leaksear.ch metadata). No public source reviewed for this article confirms the initial access method, whether systems were encrypted, a ransom amount, whether a ransom was paid, or whether Allure Clinics issued a public breach notice. ## What data was exposed The leaksear.ch indexed dataset contains 80,498 records described as staff, doctor, and patient records (leaksear.ch metadata). Searchable fields include country, date of birth, email address, hashed password, name, phone number, and username (leaksear.ch metadata). Other stored fields include age, gender, blood group, BMI, height, weight, marital status, patient code, alternate phone details, family-name and Arabic-name fields, branch and department identifiers, designation, specialization, user role, record type, created date, and join date (leaksear.ch metadata). These fields indicate the dataset combines contact identifiers with healthcare, personnel, and clinic-administration context. ## Why this matters The combination of names, dates of birth, email addresses, phone numbers, usernames, and hashed passwords can support targeted phishing, credential-stuffing attempts, and impersonation of clinic staff or patients. Health and clinic-context fields also raise privacy risks because they can reveal sensitive relationships with a medical or cosmetic healthcare provider. For Saudi organizations, the PDPL implementing regulation requires notification to the competent authority within 72 hours in qualifying personal data breach cases that may harm personal data or data subjects' rights or interests ([istitlaa.ncc.gov.sa](https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/IMPLEMENTINGPDPL/Pages/Article_025.aspx)). If you are a patient, doctor, or staff member connected to Allure Clinics, check whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, hashed password, name, phone, and username. ## Sources - [Allure Clinics: About page](https://allureclinics.com/about) - [DeXpose: KillSec Targets Allure Clinics in Saudi Arabia Ransomware Attack](https://www.dexpose.io/killsec-targets-allure-clinics-in-saudi-arabia-ransomware-attack/) - [HookPhish: Ransomware Group killsec Hits: Allure Clinics](https://www.hookphish.com/blog/ransomware-group-killsec-hits-allure-clinics/) - [Istitlaa: Article 25: Notification of Personal Data Breach](https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/IMPLEMENTINGPDPL/Pages/Article_025.aspx) --- ## Pet Stop Link Leak Exposes 10K Admin Emails and Hashes leaksear.ch has indexed a Pet Stop Link dataset containing 10,052 records from an internal admin/staff table, including account identifiers, contact data, activity timestamps and salted MD5 password hashes, with no breach date listed (leaksear.ch metadata). Pet Stop Link is Pet Stop’s app-connected dog fence platform from Perimeter Technologies, Inc.; public listings describe it as giving users and Pet Stop dealers real-time system information and collar settings ([play.google.com](https://play.google.com/store/apps/details?id=com.petstop.petstop), [petstop.com](https://petstop.com/)). ## What happened leaksear.ch indexed the dataset on May 24, 2026. The leak-source metadata describes the source as an internal admin/staff table, but it does not identify the exposure path, the system where the table was obtained, or any actor attribution (leaksear.ch metadata). Public materials put that table in context: Pet Stop says the LINK system provides real-time monitoring, remote adjustments and smartphone control, while a Rise case study describes Link as a Bluetooth- and Internet-enabled app, web platform and API with customer, dealer and administrator roles ([petstop.com](https://petstop.com/), [rise.co](https://rise.co/works/pet-stop-link)). Because the breach date is unknown, security teams should treat last-login and last-active timestamps as record data, not as a confirmed incident timeline (leaksear.ch metadata). ## What data was exposed The index lists email, username, name, phone, address, country and hashedPassword as searchable fields. The dataset description also includes display names, last-login timestamps and salted MD5 password hashes (leaksear.ch metadata). Additional stored fields include deactivation status, dealer ID, user ID, mobile device manufacturer and model, app version, operating-system information, last-active data, and fields labeled resetcode, token and webtoken. Those additional fields are context in the records, not direct search pivots on leaksear.ch (leaksear.ch metadata). ## Why this matters An internal admin/staff table can help attackers map support, dealer or back-office accounts and craft targeted phishing that references Pet Stop Link usage, account names, devices or recent activity. The salted MD5 hashes are not plaintext passwords, but MD5 is a legacy fast hashing algorithm; OWASP recommends modern, slow password-hashing algorithms such as Argon2id, bcrypt or PBKDF2 and notes older MD5/SHA-1 hashes should be upgraded ([cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)). People who reused a Pet Stop Link password elsewhere should change it there as well, and security teams should monitor for credential-stuffing and phishing attempts tied to Pet Stop Link, dealer support, pet fencing service or app update themes. Use the leaksear.ch check below to see whether your data appears in this Pet Stop Link leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, hashed password, name, phone, and username. ## Sources - [Google Play: Pet Stop Link](https://play.google.com/store/apps/details?id=com.petstop.petstop) - [Pet Stop: Premium Dog Fence Solutions for Safety](https://petstop.com/) - [Rise Marketing: Pet Stop Link](https://rise.co/works/pet-stop-link) - [OWASP Cheat Sheet Series: Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) --- ## Alert 360 leak exposes 1.9M contact records An Alert 360 dataset indexed by leaksear.ch contains 1,905,385 records leaked by ShinyHunters in April 2026, including Alarm.com dealer customer records and Salesforce exports tied to the U.S. home and business security provider (leaksear.ch metadata). Alert 360 later said an April 4, 2026 unauthorized access incident exposed names, email addresses, mailing addresses, and phone numbers, while public reporting on ShinyHunters claimed a larger 2.5 million-record dump ([alert360.com](https://alert360.com/data-security-incident/), [cybernews.com](https://cybernews.com/news/2-5m-records-leaked-after-shiny-hunters-hits-us-home-security-giant-alert360/)). ## What happened Alert 360 published a company statement on May 4, 2026 saying it was the victim of unauthorized access to company systems on April 4, 2026, that it used third-party cybersecurity forensics experts, and that it took steps to contain, investigate, and resolve the issue ([alert360.com](https://alert360.com/data-security-incident/)). The company said no Social Security numbers, bank account information, credit or debit card data, security system access credentials, or alarm codes were compromised, and said customers' security systems remained operational ([alert360.com](https://alert360.com/data-security-incident/)). Cybernews reported that ShinyHunters listed Alert 360 on its leak site and claimed to have dumped 2.5 million records after ransom talks broke down, while also noting at the time that the exact compromise path and exposed data types were not confirmed by the outlet ([cybernews.com](https://cybernews.com/news/2-5m-records-leaked-after-shiny-hunters-hits-us-home-security-giant-alert360/)). The leaksear.ch indexing metadata describes the indexed leak as 1,905,385 records with a breach date of April 19, 2026, attributed to ShinyHunters, and containing Alarm.com dealer customer records plus Salesforce exports for objects including Contacts, Leads, Emergency Contacts, Users, Accounts, Opportunities, and Cases (leaksear.ch metadata). The Salesforce context is important but should not be overstated for this specific leak. Salesforce warned in March 2026 that a known threat actor campaign was targeting overly permissive Experience Cloud guest user configurations, said the issue was not a Salesforce platform vulnerability, and described mass scanning of public-facing Experience Cloud sites using a modified Aura Inspector tool ([salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/)). BleepingComputer reported that ShinyHunters claimed responsibility for ongoing Salesforce Aura and Experience Cloud data theft attacks, while Salesforce continued to characterize the issue as customer configuration risk rather than a platform flaw ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/)). ## What data was exposed The leaksear.ch-indexed Alert 360 records are searchable by address, country, date of birth, email, name, phone, and username (leaksear.ch metadata). The broader field inventory includes customer and account context such as account numbers, account names, customer IDs, contact and lead IDs, case numbers, opportunity records, billing, mailing, shipping and other address fields, phone and mobile fields, job titles, departments, lead status, case status, service package, panel type, device and monitoring-related fields, and emergency contact record context (leaksear.ch metadata). Alert 360's public statement confirms access to names, email addresses, mailing addresses, and telephone numbers, and says Social Security numbers, bank account information, credit or debit card data, security system access credentials, and alarm codes were not compromised ([alert360.com](https://alert360.com/data-security-incident/)). ## Why this matters The main risk is targeted phishing, vishing, and impersonation using contact details combined with security-provider account context. Alert 360 specifically warned individuals to remain vigilant against phishing attempts, unsolicited communications, and suspicious requests for personal information ([alert360.com](https://alert360.com/data-security-incident/)). Salesforce also warned that names and phone numbers harvested in similar Experience Cloud activity are often used for follow-on social engineering and vishing campaigns ([salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/)). Individuals and organizations that may have dealt with Alert 360, Alarm.com dealers, installers, or related monitoring services should check whether their data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Alert 360: Data Security Incident](https://alert360.com/data-security-incident/) - [Cybernews: 2.5M records leaked after ShinyHunters hits US home security giant Alert 360](https://cybernews.com/news/2-5m-records-leaked-after-shiny-hunters-hits-us-home-security-giant-alert360/) - [Salesforce: Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/) - [BleepingComputer: ShinyHunters claims ongoing Salesforce Aura data theft attacks](https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/) --- ## Gap Salesforce leak exposes 271K user records Gap Inc., the apparel company behind Old Navy, Gap, Banana Republic, and Athleta, is named in a Salesforce-related leak indexed by leaksear.ch containing 271,049 internal Salesforce User records (leaksear.ch metadata, [www.gapinc.com](https://www.gapinc.com/en-us/about)). The dataset carries an October 3, 2025 breach date, the same day public reporting said ShinyHunters and Scattered Lapsus$ Hunters launched a Salesforce data leak site listing Gap among 39 organizations ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/)). ## What happened BleepingComputer reported on October 3, 2025 that an extortion group launched a new leak site for companies affected by a wave of Salesforce breaches, with entries containing samples allegedly stolen from Salesforce instances and a deadline for victims to respond. Gap was included in the list of named organizations ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/)). Help Net Security separately reported that the Scattered Lapsus$ Hunters site listed 39 companies and described the exposed Salesforce data as apparently stolen through social engineering. Public reporting reviewed for this article does not confirm which access method applied to Gap specifically, so the Gap-specific intrusion path should be treated as unconfirmed ([www.helpnetsecurity.com](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/)). The broader campaign context is well documented. The FBI warned in September 2025 that UNC6040 used voice phishing and malicious connected apps to access Salesforce instances, while UNC6395 used compromised OAuth tokens tied to the Salesloft Drift application. Those details explain the Salesforce-focused threat activity, but they do not by themselves prove how the Gap dataset was obtained ([www.fbi.gov](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf)). ## What data was exposed The leaksear.ch indexed dataset is described as Gap Inc. internal Salesforce User records. Searchable fields include name, username, email address, phone number, address, country, and date of birth (leaksear.ch metadata). Additional stored fields in the dataset schema include Salesforce account and contact identifiers, aliases, community nicknames, company and department data, division and title fields, manager and role identifiers, employee numbers, brand, market, store and location fields, shipping and mailing address components, registration fields, reward program fields, and activity or login timestamps (leaksear.ch metadata). These fields provide context about the records but are not all direct search pivots on leaksear.ch. ## Why this matters The combination of names, emails, usernames, phone numbers, addresses, dates of birth, and Salesforce context can support targeted phishing, identity verification abuse, and impersonation attempts. Role, department, store, brand, and manager-related fields may also make social engineering against help desks, retail operations, or account support teams more convincing (leaksear.ch metadata, [www.fbi.gov](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf)). Individuals and organizations concerned about this leak should check whether their data appears in the Gap dataset on leaksear.ch. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Gap Inc.: About](https://www.gapinc.com/en-us/about) - [BleepingComputer: ShinyHunters launches Salesforce data leak site to extort 39 victims](https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/) - [Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/) - [FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf) --- ## Engie Resources Leak Exposes 449K Records With PII A dataset attributed to ENGIE Resources contains 449,645 Salesforce-sourced records, about 450,000 entries, with a listed breach date of July 18, 2025 (leaksear.ch metadata). ENGIE Resources describes itself as a licensed U.S. retail energy provider for industrial and commercial customers, and the indexed data includes contact, identity, network, and account-related fields (leaksear.ch metadata) ([www.engieresources.com](https://www.engieresources.com/about-us/)). ## What happened leaksear.ch metadata says the data was exfiltrated from the company’s Salesforce instance and published on October 10, 2025 by the Scattered LAPSUS$ Hunters/ShinyHunters extortion crew after ransom demands were not met (leaksear.ch metadata). Public reporting in October 2025 placed Engie Resources in the broader Salesforce extortion campaign: Help Net Security reported that the leak site listed 39 companies whose data was apparently stolen by compromising corporate Salesforce instances via social engineering, Resecurity listed Engie Resources among the companies on the site, and DataBreaches.net listed Engie Resources with a July 18, 2025 date and a 3 GB claim while warning that the claims were not confirmed ([www.helpnetsecurity.com](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/), [www.resecurity.com](https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims), [databreaches.net](https://databreaches.net/wp-content/uploads/The-following-entities-appear-on-a-leak-site-by-Scattered-LAPSUS.pdf)). SecurityWeek reported on October 13, 2025 that Scattered LAPSUS$ Hunters had leaked data allegedly pertaining to Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines after Salesforce said the extortion attempt related to past or unsubstantiated incidents and refused to pay ([www.securityweek.com](https://www.securityweek.com/extortion-group-leaks-millions-of-records-from-salesforce-hacks/)). The exact initial access vector for the Engie Resources dataset is not established in the public reports reviewed here. The broader Salesforce data-theft activity around the same period involved at least two patterns: UNC6040 vishing and malicious or abused connected apps, and UNC6395 abuse of compromised Salesloft Drift OAuth tokens ([cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion), [cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift), [www.fbi.gov](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf)). ## What data was exposed leaksear.ch indexes the following fields as searchable in this dataset: address, country, date of birth, email address, IP address, name, phone number, and username (leaksear.ch metadata). Other stored fields in the record schema include Salesforce and customer operations fields such as account balances, account IDs, account source, annual revenue, billing, shipping, and service addresses, bank account and payment reference fields, IBAN, SWIFT, and taxpayer identification field names, utility account data, user agent data, opt-out and status indicators, job title, department, role, and corporate contact details (leaksear.ch metadata). The metadata for this dataset does not identify password or password-hash fields (leaksear.ch metadata). ## Why this matters Energy-provider CRM data can be useful for targeted phishing because it ties people and businesses to utility relationships, addresses, account context, and billing or payment-related field names (leaksear.ch metadata). Security teams should watch for impersonation of ENGIE Resources, invoice redirection attempts, utility-account pretexts, and follow-on credential phishing against exposed email addresses and usernames. Individuals and business contacts should verify unexpected energy billing or account-update messages through known ENGIE Resources channels rather than replying to an inbound message. Readers who may have interacted with ENGIE Resources should check their exposure in this leak on leaksear.ch. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, ip address, name, phone, and username. ## Sources - [ENGIE Resources: Commercial energy provider About ENGIE Resources](https://www.engieresources.com/about-us/) - [Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/) - [Resecurity: ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims](https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims) - [databreaches.net: The following entities appear on a leak site by Scattered LAPSUS$ Hunters](https://databreaches.net/wp-content/uploads/The-following-entities-appear-on-a-leak-site-by-Scattered-LAPSUS.pdf) - [SecurityWeek: Extortion Group Leaks Millions of Records From Salesforce Hacks](https://www.securityweek.com/extortion-group-leaks-millions-of-records-from-salesforce-hacks/) - [Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion) - [Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift) - [FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf) --- ## Albertsons leak exposes 623K Salesforce CRM contact records Albertsons Companies, which says it is one of the largest U.S. food and drug retailers and operates stores across 35 states and the District of Columbia ([www.albertsons.com](https://www.albertsons.com/about-us.html)), is tied to a Salesforce CRM leak indexed by leaksear.ch at 623,796 records (leaksear.ch metadata). The dataset is dated October 10, 2025 and includes customer contact and CRM profile data such as names, email addresses, phone numbers and addresses (leaksear.ch metadata). ## What happened Public reporting places Albertsons in the October 2025 Salesforce customer extortion wave associated with Scattered LAPSUS$ Hunters. SecurityWeek and BankInfoSecurity reported that the group leaked data allegedly tied to six organizations, including Albertsons, after Salesforce refused to pay extortion demands, while SC Media also named Albertsons among the victims whose data was said to have been released ([www.securityweek.com](https://www.securityweek.com/extortion-group-leaks-millions-of-records-from-salesforce-hacks/), [www.bankinfosecurity.com](https://www.bankinfosecurity.com/salesforce-extortion-group-leaks-data-after-fbi-disruption-a-29710), [www.scworld.com](https://www.scworld.com/news/scattered-lapsus-hunters-release-stolen-data-from-salesforce-customers)). Albertsons-specific attribution remains narrower than the broader Salesforce campaign reporting. DataBreach.com labeled its Albertsons breach listing unverified and said Albertsons had not confirmed a security incident, while Salesforce said the extortion attempts related to past or unsubstantiated incidents and that there was no indication its platform or a known Salesforce vulnerability had been compromised ([databreach.com](https://databreach.com/breach/albertsons-salesforce-2025), [www.helpnetsecurity.com](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/)). Across the broader campaign, public reporting and an FBI FLASH described attackers targeting Salesforce instances through social engineering and OAuth-based access paths, including malicious connected apps and compromised third-party integration tokens. For this Albertsons dataset, leaksear.ch metadata identifies the source environment as Salesforce CRM but does not establish the initial access vector (leaksear.ch metadata, [www.fbi.gov](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/salesforce-refuses-to-pay-ransom-over-widespread-data-theft-attacks/)). ## What data was exposed leaksear.ch indexes the Albertsons records for address, country, date of birth, email address, name, phone number and username searches (leaksear.ch metadata). Stored fields also include Salesforce object metadata and CRM attributes such as club card enrollment and status, mobile and alternate phone fields, gender, company name, title, employee-number fields, account and supplier group identifiers, created and modified dates, photo URL fields and user profile or role identifiers (leaksear.ch metadata). The metadata does not list passwords, payment card numbers or bank-account details among the exposed fields (leaksear.ch metadata). ## Why this matters Public reporting on the broader Salesforce leak-site campaign highlighted phishing and social engineering risks from customer data ([www.helpnetsecurity.com](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/)). Contact records tied to a grocery and loyalty environment can help attackers craft convincing messages about rewards, delivery issues, account updates or store services. Phone numbers, addresses and date-of-birth fields can also support identity-verification scams and account-recovery attempts. If you think you may be affected, use leaksear.ch to check whether your details appear in this Albertsons leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Albertsons: About Us](https://www.albertsons.com/about-us.html) - [DataBreach.com: Albertsons Breach](https://databreach.com/breach/albertsons-salesforce-2025) - [SecurityWeek: Extortion Group Leaks Millions of Records From Salesforce Hacks](https://www.securityweek.com/extortion-group-leaks-millions-of-records-from-salesforce-hacks/) - [SC Media: Scattered Lapsus$ Hunters release stolen data from Salesforce customers](https://www.scworld.com/news/scattered-lapsus-hunters-release-stolen-data-from-salesforce-customers) - [BankInfoSecurity: Salesforce Extortion Group Leaks Data After FBI Disruption](https://www.bankinfosecurity.com/salesforce-extortion-group-leaks-data-after-fbi-disruption-a-29710) - [Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/) - [FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf) - [BleepingComputer: Salesforce refuses to pay ransom over widespread data theft attacks](https://www.bleepingcomputer.com/news/security/salesforce-refuses-to-pay-ransom-over-widespread-data-theft-attacks/) --- ## Qantas Data Leak: 11M Records Expose Customer Contact Data leaksear.ch has indexed 11,086,214 records tied to Australian airline Qantas and a July 2, 2025 breach of a third-party Salesforce-based customer service platform, with names, contact details and loyalty data present in the dataset (leaksear.ch metadata). Qantas said its investigation found 5.7 million unique customers in the compromised system after duplicates were removed ([www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025)). ## What happened Qantas said a cybercriminal targeted one of its contact centres and gained access to a third-party customer servicing platform. The airline said the affected system was contained, Qantas operations and airline safety were not affected, and roughly 6 million customers had service records in the platform while the investigation was still underway ([www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/qantas-cyber-incident)). The leak-source metadata identifies the incident as the July 2025 ShinyHunters attack on a third-party Salesforce-based customer service platform used by Qantas (leaksear.ch metadata). Public reporting is more cautious on the platform attribution: BleepingComputer reported that Qantas was among Salesforce-related data-theft attacks linked to the ShinyHunters brand, while Google Threat Intelligence Group described related UNC6040 and UNC6240 activity as Salesforce-focused vishing, data theft and extortion in which actors claimed to be ShinyHunters ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/), [cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion)). Salesforce has said these social-engineering attacks targeted customer environments and were not due to a known vulnerability in the Salesforce platform ([www.salesforce.com](https://www.salesforce.com/blog/protect-against-social-engineering/)). On July 17, 2025, Qantas said it had obtained an interim injunction in the NSW Supreme Court intended to prevent the stolen data from being accessed, released or used ([www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-thursday-17-july-2025)). Qantas later said data from the July incident had been released by cybercriminals and that it was investigating what was included in that release ([www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/qantas-responds/update-on-july-cyber-incident)). ## What data was exposed The searchable fields in the leaksear.ch index are country, date of birth, email, name and phone (leaksear.ch metadata). Other record fields indicate the dataset can also contain addresses, frequent flyer numbers, frequent flyer tier details, points balances, status credits, gender, meal and seat preferences, travel interests, business contact details and CRM account attributes (leaksear.ch metadata). Qantas said exposed fields varied by customer and reconfirmed that credit card details, personal financial information, passport details, Frequent Flyer account access, passwords, PINs and login details were not accessed in the compromised system ([www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025)). ## Why this matters The main risk is targeted phishing, phone scams and customer-service impersonation. Names, emails, phone numbers, loyalty identifiers, tiers and travel preferences can make Qantas-themed lures more credible, while dates of birth and addresses raise identity-verification risk for the subset of customers whose records included them. Qantas warned customers to remain alert for emails, texts or calls claiming to be from Qantas and said it would not ask for passwords, booking reference details or sensitive login information ([www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025), [www.qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-thursday-17-july-2025)). If you may have been affected, use the check below to search the indexed Qantas leak by email, name, phone, date of birth or country. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, name, and phone. ## Sources - [Qantas Newsroom: Qantas Cyber Incident](https://www.qantasnewsroom.com.au/media-releases/qantas-cyber-incident) - [Qantas Newsroom: Update on Qantas Cyber Incident, Wednesday 9 July 2025](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025) - [Qantas Newsroom: Update on Qantas Cyber Incident, Thursday 17 July 2025](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-thursday-17-july-2025) - [Qantas Newsroom: Update on July Cyber Incident](https://www.qantasnewsroom.com.au/qantas-responds/update-on-july-cyber-incident) - [BleepingComputer: ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH](https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/) - [Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion) - [Salesforce: Protect Your Salesforce Environment from Social Engineering Threats](https://www.salesforce.com/blog/protect-against-social-engineering/) --- ## Ticketmaster Leak Exposes 928K Orders, Masked Card Data A Ticketmaster leak indexed by leaksear.ch contains 928,546 customer order records tied to the May 20, 2024 Snowflake-related breach, including contact details, masked payment-card data, and event, venue, and ticket metadata (leaksear.ch metadata). Live Nation said it identified unauthorized activity in a third-party cloud database environment primarily containing Ticketmaster data on May 20, 2024, and said a criminal threat actor offered alleged company user data for sale on May 27 ([investors.livenationentertainment.com](https://investors.livenationentertainment.com/sec-filings/all-sec-filings/content/0001335258-24-000081/0001335258-24-000081.pdf)). ## What happened Live Nation, Ticketmaster's parent company, disclosed in a May 31, 2024 SEC filing that it had launched an investigation after finding unauthorized activity in a third-party cloud database environment containing company data, primarily from Ticketmaster. Ticketmaster's incident page describes the impacted system as an isolated cloud database hosted by a third-party data services provider, says Ticketmaster accounts remained secure, and says some customers who bought tickets to events in North America were being notified ([investors.livenationentertainment.com](https://investors.livenationentertainment.com/sec-filings/all-sec-filings/content/0001335258-24-000081/0001335258-24-000081.pdf), [help.ticketmaster.com](https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident)). Public reporting tied Ticketmaster to the broader Snowflake customer data-theft campaign. BleepingComputer reported that ShinyHunters advertised alleged Live Nation/Ticketmaster data for 560 million users and that samples it reviewed included names, email addresses, phone numbers, addresses, hashed credit card details, and payment amounts. Mandiant, reporting on the broader UNC5537 campaign, said the actor used stolen customer credentials to access Snowflake customer instances, found no evidence that access stemmed from a breach of Snowflake's enterprise environment, and said about 165 potentially exposed organizations were notified ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/ticketmaster-sends-notifications-about-recent-massive-data-breach/), [cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion)). The 560 million figure is a claim from the public extortion listing and reporting, not the scale of this leaksear.ch index. This article uses 928,546 records as the leak scale because that is the supplied indexing metadata for the dataset covered here (leaksear.ch metadata). ## What data was exposed The leaksear.ch index lists searchable contact and account pivots: name, email address, phone number, postal address, country, IP address, and username (leaksear.ch metadata). Additional stored fields show customer order and ticket context, including street and postal address components, phone numbers, browser or session identifiers, sales order IDs, platform and delivery codes, event names and start times, venue names and addresses, seat and section details, ticket face value, ticket barcode fields, fraud and AVS indicators, and payment-card metadata such as card type, expiration date, last four digits, and masked card value (leaksear.ch metadata). No full payment-card number or CVV field is listed in the supplied metadata (leaksear.ch metadata). ## Why this matters The risk is not limited to payment-card fraud. Contact data combined with real event, venue, order, and seating details can support convincing phishing, fake support calls, refund scams, and account-recovery attempts (leaksear.ch metadata). Ticketmaster itself warned affected users to monitor bank accounts and be cautious of unsolicited emails or requests for personal information over the phone ([help.ticketmaster.com](https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident)). Individuals who bought tickets through Ticketmaster should use the exposure check on this page to see whether their data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, phone, and username. ## Sources - [Live Nation Entertainment: Form 8-K 05/31/2024](https://investors.livenationentertainment.com/sec-filings/all-sec-filings/content/0001335258-24-000081/0001335258-24-000081.pdf) - [Ticketmaster Help: Ticketmaster Data Security Incident](https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident) - [BleepingComputer: Ticketmaster sends notifications about recent massive data breach](https://www.bleepingcomputer.com/news/security/ticketmaster-sends-notifications-about-recent-massive-data-breach/) - [Google Cloud: UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion](https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion) --- ## SF Express Leak Exposes 125.7M Names, Phones, Addresses A ShunFeng/SF Express dataset indexed by leaksear.ch contains 125,712,669 Chinese courier customer records, exposing recipient names, phone numbers, and full shipping addresses (leaksear.ch metadata). The source metadata describes the data as allegedly stolen in 2020 and offered for sale on BreachForums; U.S. prosecutors have separately described BreachForums as a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data (leaksear.ch metadata, [www.justice.gov](https://www.justice.gov/archives/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption)). ## What happened SF Express, also known as ShunFeng, is a Shenzhen-headquartered logistics provider established in 1993; the company says it operates express, freight, cold chain, pharmaceutical, intra-city, supply chain, and international logistics services ([www.sf-express.com](https://www.sf-express.com/chn/en/about)). leaksear.ch indexed the ShunFeng dataset on May 23, 2026, and its metadata lists January 1, 2020 as the breach date (leaksear.ch metadata). At this stage, the available leak metadata does not identify the intrusion path or confirm whether the records came from a direct SF Express system, a third-party logistics partner, scraping, or aggregation. The BreachForums offering should therefore be read as an allegation unless corroborated by additional public reporting (leaksear.ch metadata). Public reporting confirms that SF Express customer data has been the subject of prior leak allegations: CGTN reported in September 2018 that data for about 300 million SF Express customers was being sold on the dark web and that SF Express said it had reported the matter to authorities, while Yicai reported in February 2023 on broader allegations involving express delivery order data from multiple Chinese platforms ([news.cgtn.com](https://news.cgtn.com/news/3d3d674d7849544f79457a6333566d54/index.html), [www.yicaiglobal.com](https://www.yicaiglobal.com/news/china-courier-shares-dip-after-alleged-massive-data-breach)). Those reports provide context for recurring courier-data exposure claims, but they do not prove the 125.7 million-record dataset is the same as any earlier incident. ## What data was exposed leaksear.ch indexing metadata identifies searchable fields for this dataset as address, country, name, and phone. Other stored fields include city, dist, district, and province (leaksear.ch metadata). In plain English, the records appear to connect a recipient identity to a phone number and a precise delivery location, including province, city, district, and full shipping address data where present (leaksear.ch metadata). Passwords, payment card numbers, parcel contents, tracking numbers, and delivery times are not listed in the leaksear.ch metadata for this dataset (leaksear.ch metadata). ## Why this matters Name-phone-address combinations are enough for believable parcel-delivery phishing, courier impersonation, and social-engineering attempts tied to real addresses. For security teams, the dataset provides pivots for identifying exposed employees, executives, and facilities in China-linked logistics or e-commerce workflows; it should not be treated as evidence of account compromise by itself (leaksear.ch metadata). Organizations should watch for SMS and messaging campaigns that reference missed deliveries, address changes, customs fees, or delivery verification, because the exposed fields are well suited to those lures (leaksear.ch metadata). Readers who may have sent or received SF Express shipments can check leaksear.ch using the searchable phone, name, address, or country fields to see whether their information appears in this leak (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, name, and phone. ## Sources - [U.S. Department of Justice: Justice Department Announces Arrest of the Founder of One of the World’s Largest Hacker Forums and Disruption of Forum’s Operation](https://www.justice.gov/archives/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption) - [SF: About SF](https://www.sf-express.com/chn/en/about) - [CGTN: SF Express responses to leak of 300 mln customer data](https://news.cgtn.com/news/3d3d674d7849544f79457a6333566d54/index.html) - [Yicai Global: China Courier Shares Dip After Alleged Massive Data Breach](https://www.yicaiglobal.com/news/china-courier-shares-dip-after-alleged-massive-data-breach) --- ## Cushman & Wakefield Leak Exposes 490K CRM Records Cushman & Wakefield, a global commercial real estate services firm that reported $10.3 billion in 2025 revenue and about 53,000 employees, is tied to a May 2026 ShinyHunters leak after an alleged Salesforce CRM dataset was published following a vishing incident ([www.cushmanwakefield.com](https://www.cushmanwakefield.com/en/news/2026/02/financial-results-for-fourth-quarter-and-full-year-2025), [cybernews.com](https://cybernews.com/security/shinyhunters-cushman-wakefield-salesforce-dataset-leak/)). leaksear.ch has indexed 490,755 records from the dataset, with May 1, 2026 listed as the breach date and searchable fields including names, email addresses, phone numbers, addresses, usernames, countries, and dates of birth (leaksear.ch metadata). ## What happened Public reporting says Cushman & Wakefield confirmed a limited data security incident due to vishing, activated response protocols, took steps to contain unauthorized activity, brought in third-party experts, and said systems and operations continued normally ([www.theregister.com](https://www.theregister.com/security/2026/05/05/cushman-wakefield-confirms-vishing-cyberattack/5228718), [cybernews.com](https://cybernews.com/news/cushman-wakefield-shinyhunters-salesforce-breach-claim/)). Cushman & Wakefield did not confirm ShinyHunters' Salesforce theft claim in those reports. The Register reported that ShinyHunters claimed it attacked the company on May 1, 2026 and stole more than 500,000 Salesforce records containing PII and internal corporate data ([www.theregister.com](https://www.theregister.com/security/2026/05/05/cushman-wakefield-confirms-vishing-cyberattack/5228718)). Cybernews later reported that ShinyHunters updated its leak site and published a roughly 50 GB archive tied to Cushman & Wakefield after ransom negotiations allegedly failed ([cybernews.com](https://cybernews.com/security/shinyhunters-cushman-wakefield-salesforce-dataset-leak/)). Public reports also noted a separate Qilin listing for Cushman & Wakefield, but those reports said the Qilin post had fewer details and did not establish a connection to the ShinyHunters claim ([www.theregister.com](https://www.theregister.com/security/2026/05/05/cushman-wakefield-confirms-vishing-cyberattack/5228718), [cybernews.com](https://cybernews.com/news/cushman-wakefield-shinyhunters-salesforce-breach-claim/)). ## What data was exposed The leaksear.ch index identifies the searchable fields as address, country, date of birth, email, name, phone, and username (leaksear.ch metadata). Other stored record fields include company names, Salesforce account and user identifiers, departments, divisions, titles, phone and fax variants, mailing and other address components, locale, language and time zone settings, created, modified, last activity and last login timestamps, manager, profile and role IDs, lead source, and email preference flags (leaksear.ch metadata). Have I Been Pwned separately lists the Cushman & Wakefield breach as affecting 310.4 thousand accounts and describes the compromised data as primarily business information, including email addresses, job titles, names, phone numbers, physical addresses, and salutations ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/CushmanWakefield)). That account count is different from the 490,755 records indexed by leaksear.ch because breach services may deduplicate or scope datasets differently (leaksear.ch metadata). ## Why this matters CRM data is useful for targeted phishing because it connects people to companies, job roles, phone numbers, addresses, and business relationships. The presence of usernames, contact details, Salesforce identifiers, and communication metadata can help attackers make outreach appear legitimate, especially by phone or email (leaksear.ch metadata). Security teams should review email and voice-phishing controls for contacts present in the dataset and watch for lures referencing Cushman & Wakefield, property services, leasing, invoices, or vendor relationships. Individuals and business contacts should treat unexpected calls, password-reset requests, invoice changes, and document-sharing links as higher risk. If you may have dealt with Cushman & Wakefield, use the exposure check below to see whether your details appear in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Cushman & Wakefield: Cushman & Wakefield Reports Financial Results for the Fourth Quarter and Full Year 2025](https://www.cushmanwakefield.com/en/news/2026/02/financial-results-for-fourth-quarter-and-full-year-2025) - [The Register: Cushman & Wakefield confirms vishing cyberattack](https://www.theregister.com/security/2026/05/05/cushman-wakefield-confirms-vishing-cyberattack/5228718) - [Cybernews: Cushman & Wakefield confirms breach as Salesforce hackers ShinyHunters, Qilin stake claims](https://cybernews.com/news/cushman-wakefield-shinyhunters-salesforce-breach-claim/) - [Cybernews: ShinyHunters leaks Cushman & Wakefield Salesforce dataset after failed negotiations](https://cybernews.com/security/shinyhunters-cushman-wakefield-salesforce-dataset-leak/) - [Have I Been Pwned: Cushman & Wakefield Data Breach](https://haveibeenpwned.com/Breach/CushmanWakefield) - [GBHackers: Cushman and Wakefield Confirms Data Breach Impacting Over 310,000 Accounts](https://gbhackers.com/cushman-and-wakefield-confirms-data-breach/) --- ## Vimeo Leak: 74K Records and 119K Emails Exposed A Vimeo leak tied to the company’s April 2026 Anodot third-party security incident has been indexed on leaksear.ch with 74,147 records and roughly 119,000 user email addresses (leaksear.ch metadata). The indexed data includes emails, names, account and customer identifiers, Vimeo plan and business metadata, CRM fields, and request IPs from Google Cloud Storage access logs (leaksear.ch metadata). ## What happened Vimeo published a security notice on April 27, 2026, saying it was aware of an incident affecting Anodot, a third-party analytics vendor used by Vimeo and other companies. Vimeo said an unauthorized actor accessed certain Vimeo user and customer data as a result of the Anodot breach, and said the accessed databases primarily contained technical data, video titles, metadata, and in some cases customer email addresses ([vimeo.com](https://vimeo.com/blog/post/anodot-third-party-security-incident)). The company said the accessed data did not include Vimeo video content, valid user login credentials, or payment card information. Vimeo also said it disabled Anodot credentials, removed the Anodot integration from Vimeo systems, engaged outside security experts, notified law enforcement, and later updated the notice on May 15, 2026, to say its investigation was complete and potentially impacted users and customers had been contacted as appropriate ([vimeo.com](https://vimeo.com/blog/post/anodot-third-party-security-incident)). Public breach reporting linked the incident to ShinyHunters, which had listed Vimeo in a pay-or-leak campaign and claimed data from Snowflake and BigQuery instances. Have I Been Pwned listed the Vimeo breach as affecting 119.2 thousand accounts, with email addresses and sometimes names exposed, while BleepingComputer reported that a 106GB archive was later posted after the extortion attempt failed ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Vimeo), [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/), [theregister.com](https://www.theregister.com/2026/05/05/shinyhunters_dump_puts_119k_vimeo/)). ## What data was exposed Leaksear.ch metadata describes the indexed material as a BigQuery export of Google Cloud Storage access logs and a Snowflake export of internal analytics tables covering registrants, lead funnel data, JotForm contracts, DFA registrations, and Salesforce opportunities (leaksear.ch metadata). The searchable fields in the indexed leak are email addresses, names, and IP addresses (leaksear.ch metadata). Other stored fields include account IDs, Vimeo user IDs, company and business fields, company size, plan and plan type, project type, deal type, Salesforce opportunity name and stage, source table, video or object request metadata, URI and referrer fields, user agent information, status codes, occurrence counts, and first-seen timestamps (leaksear.ch metadata). Have I Been Pwned separately lists email addresses and names as the compromised data classes for the public Vimeo breach entry, and Vimeo’s own notice states that the data did not include video content, valid login credentials, or payment card information ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Vimeo), [vimeo.com](https://vimeo.com/blog/post/anodot-third-party-security-incident)). ## Why this matters The main risk is targeted phishing and social engineering, especially because names, emails, company context, plan information, CRM fields, and log metadata can give attackers credible details for Vimeo, vendor, or account-support themed lures. The risk is different from a password dump, since Vimeo and Have I Been Pwned both indicate that valid login credentials were not part of the exposed data ([vimeo.com](https://vimeo.com/blog/post/anodot-third-party-security-incident), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Vimeo)). Security teams should watch for suspicious messages referencing Vimeo accounts, customer plans, projects, contracts, or vendor analytics workflows, and affected individuals should be cautious with unsolicited login or payment prompts. Readers who want to confirm whether they are affected should check this leak using their email address, name, or IP address. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, ip address, and name. ## Sources - [Vimeo: Anodot third-party security incident](https://vimeo.com/blog/post/anodot-third-party-security-incident) - [Have I Been Pwned: Vimeo Data Breach](https://haveibeenpwned.com/Breach/Vimeo) - [BleepingComputer: Vimeo data breach exposes personal information of 119,000 people](https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/) - [The Register: ShinyHunters claims dump puts 119K Vimeo emails in the wild](https://www.theregister.com/2026/05/05/shinyhunters_dump_puts_119k_vimeo/) --- ## Charter Communications 37.5M-record leak exposes CRM data leaksear.ch has indexed 37,501,677 records tied to Charter Communications, the parent company of Spectrum, from an April 1, 2026 ShinyHunters breach of the company Salesforce environment (leaksear.ch metadata) ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/)). The indexed data includes customer and business contacts, CRM and support case data, and internal employee directory fields, while public reporting has separately measured 4.9M unique email addresses and at least 13M exposed individuals after deduplication ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Charter), [cybernews.com](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/)). ## What happened BleepingComputer reported on May 26, 2026 that Charter confirmed a data breach after ShinyHunters listed the company on its leak site and threatened to publish stolen data. Charter said it was working with authorities and stated that no sensitive personal information or customer proprietary network information was exfiltrated, while ShinyHunters claimed it had stolen 40M records ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/)). According to the same reporting, ShinyHunters said the April 1 intrusion began with a voice phishing call that compromised an employee Microsoft Entra account, then was used to export consumer and business customer records from Charter Salesforce. SecurityWeek later reported that the data was published on the group Tor-based leak site and that Charter said only sales tools for current, past, and prospective business customers were impacted ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/), [www.securityweek.com](https://www.securityweek.com/charter-communications-data-breach-could-impact-nearly-5-million/)). Record counts remain contested: the threat actor claimed 40M to 42M records, Have I Been Pwned listed 4.9M unique email addresses, Cybernews estimated at least 13M individuals and noted duplicate records, and leaksear.ch indexing metadata lists 37.5M records ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Charter), [cybernews.com](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/), [www.securityweek.com](https://www.securityweek.com/charter-communications-data-breach-could-impact-nearly-5-million/)) (leaksear.ch metadata). ## What data was exposed leaksear.ch metadata lists searchable fields including names, email addresses, phone numbers, usernames, physical addresses, country, dates of birth, and IP addresses (leaksear.ch metadata). Stored record context also includes sales and CRM cases, support and service tickets, contact and account IDs, account owner and role data, customer and business account numbers, billing, shipping, site and mailing address fields, company names, lead sources, case subjects and timestamps, and internal employee directory attributes such as employee numbers, job titles, departments, managers, work locations, phone extensions, and active status (leaksear.ch metadata). Public reports align on the core contact data. Have I Been Pwned lists email addresses, job titles, names, phone numbers, and physical addresses, while Cybernews reported full names, email addresses, home and company addresses, support ticket records with subjects and timestamps, customer email addresses and phone numbers, and staff work emails, job titles, and a limited number of home addresses ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Charter), [cybernews.com](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/)). Charter disputed ShinyHunters claims that CPNI or sensitive personal information was exfiltrated, so CPNI exposure should be treated as unconfirmed based on current public reporting ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/), [www.securityweek.com](https://www.securityweek.com/charter-communications-data-breach-could-impact-nearly-5-million/)). ## Why this matters CRM leaks are useful for targeted phishing because they tie contact data to company, job, account, support, and service context. For business customers and employees, support-ticket and directory details can make impersonation attempts more credible, especially calls or emails pretending to be Spectrum, a customer contact, an account owner, or internal IT. Security teams should review inbound phishing and vishing reports, warn exposed groups, and monitor for account recovery attempts that use leaked contact details. If you are a current or former Spectrum customer, Charter employee, or business contact, use the exposure check below to see whether your email, phone, name, username, address, date of birth, country, or IP address appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, ip address, name, phone, and username. ## Sources - [BleepingComputer: Charter confirms data breach after ShinyHunters extortion threat](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/) - [Have I Been Pwned: Charter Data Breach](https://haveibeenpwned.com/Breach/Charter) - [Cybernews: Inside the Charter data breach: hackers leak 13M+ customer data](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/) - [SecurityWeek: Charter Communications Data Breach Could Impact Nearly 5 Million](https://www.securityweek.com/charter-communications-data-breach-could-impact-nearly-5-million/) - [Techlicious: Charter confirms Spectrum data breach: 13 million customers exposed](https://www.techlicious.com/blog/spectrum-charter-data-breach-shinyhunters-2026/) --- ## Ashley Madison 35.7M-Record Leak Exposed Emails, Passwords A leaksear.ch indexed dataset tied to Ashley Madison contains 35,737,982 records, about 35.7 million, and leaksear.ch indexes the breach date as July 19, 2015 (leaksear.ch metadata). The records relate to the infidelity-focused dating site operated at the time by Avid Life Media and include profile, contact, credential and transaction-related data (leaksear.ch metadata). ## What happened KrebsOnSecurity reported on July 19, 2015 that a group calling itself Impact Team had posted caches of data from Avid Life Media, the Toronto-based operator of Ashley Madison, and threatened to release customer records unless Ashley Madison and Established Men were taken offline ([krebsonsecurity.com](https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/)). A later Krebs retrospective said the group posted Ashley Madison user data on August 18, 2015, one month after the initial public threat ([krebsonsecurity.com](https://krebsonsecurity.com/2022/07/a-retrospective-on-the-2015-ashley-madison-breach/)). A joint report from Canadian and Australian privacy regulators says ALM detected unusual database activity on July 12, saw an Impact Team notice on employee computers on July 13, and that the attackers published claimed ALM data on August 18 and 20, including approximately 36 million Ashley Madison user-account details ([www.priv.gc.ca](https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/)). The same report said investigators made no conclusion about the cause of the breach, while ALM believed the initial path involved compromised employee credentials and could not fully reconstruct the path because logs had been erased ([www.priv.gc.ca](https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/)). The FTC later alleged that the operators deceived consumers and failed to protect 36 million users' account and profile information. The 2016 settlement required a comprehensive data-security program, third-party assessments and a $1.6 million payment to settle FTC and state actions ([www.ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting-2015-data-breach-exposed-36-million)). ## What data was exposed The leaksear.ch index lists searchable fields for addresses, countries, dates of birth, email addresses, hashed passwords, IP addresses, names, phone numbers and usernames (leaksear.ch metadata). The indexed records also contain non-searchable context such as account and membership status, gender, profile attributes, security-question fields, location fields, phone subtypes and payment or transaction metadata, including amounts, authorization fields, confirmation numbers, transaction IDs, card brands and card endings (leaksear.ch metadata). Have I Been Pwned classifies Ashley Madison as a sensitive breach and lists compromised data including dates of birth, email addresses, names, password data, payment histories, physical addresses, phone numbers, security questions and answers, sexual orientations, usernames and website activity ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/AshleyMadison)). Regulators reported that published data included profile data, account data such as email addresses and hashed passwords, and billing information for a subset of purchasers, including real names, billing addresses and the last four digits of credit card numbers ([www.priv.gc.ca](https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/)). ## Why this matters This leak combines ordinary identifiers with adult-dating context, which increases the risk of targeted phishing, harassment, extortion and reputational harm. Canadian and Australian regulators specifically noted extortion attempts in which recipients were threatened with disclosure to family members or employers unless they paid ([www.priv.gc.ca](https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/)). For security teams, exposed emails, usernames, IP addresses and password data can be used as pivots for phishing and account-takeover investigations; for individuals, the priority is replacing any reused passwords and watching for scams that reference Ashley Madison or old billing details. If you may have used Ashley Madison, or if you are checking exposure for your organization, use the exposure checker below to see whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, hashed password, ip address, name, phone, and username. ## Sources - [Krebs on Security: Online Cheating Site AshleyMadison Hacked](https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/) - [Krebs on Security: A Retrospective on the 2015 Ashley Madison Breach](https://krebsonsecurity.com/2022/07/a-retrospective-on-the-2015-ashley-madison-breach/) - [Office of the Privacy Commissioner of Canada: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner Acting Australian Information Commissioner](https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2016/pipeda-2016-005/) - [Federal Trade Commission: Operators of AshleyMadison.com Settle FTC, State Charges Resulting From 2015 Data Breach that Exposed 36 Million Users' Profile Information](https://www.ftc.gov/news-events/news/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting-2015-data-breach-exposed-36-million) - [Have I Been Pwned: Ashley Madison Data Breach](https://haveibeenpwned.com/Breach/AshleyMadison) --- ## Bureau van Dijk Leak Exposes 88.8M Records, Emails and DOBs An 88.8 million-record Bureau van Dijk-related leak indexed by leaksear.ch contains data sourced from a customer of Moody's Analytics' Orbis business intelligence product, with a listed breach date of August 19, 2021 (leaksear.ch metadata). Public breach listings describe the dataset as business data collected from public sources that was obtained around August 2021 and later posted to a popular hacking forum ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BVD), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/BVD)). ## What happened Moody's announced in 2017 that it had completed its acquisition of Bureau van Dijk, describing BvD as a global provider of business intelligence and company information that aggregates and distributes private-company data ([ir.moodys.com](https://ir.moodys.com/press-releases/news-details/2017/Moodys-Completes-Acquisition-of-Bureau-van-Dijk/default.aspx)). The public breach pages do not describe this as unauthorized access to Bureau van Dijk systems; they say the data came from a customer of BvD's Orbis product ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BVD), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/BVD)). Have I Been Pwned and Mozilla Monitor also state that the released corpus contained hundreds of millions of lines about companies and people, including 28 million unique email addresses. They report that BvD systems were not accessed without authorization and that the incident did not expose BvD or Moody's clients; the leaksear.ch metadata does not identify a reporter or threat actor for this dataset (leaksear.ch metadata) ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BVD), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/BVD)). ## What data was exposed leaksear.ch metadata identifies names, dates of birth, email addresses, phone numbers, physical addresses, countries or nationalities, and job titles in the indexed records (leaksear.ch metadata). The platform search pivots are address, country, date of birth, email, name, and phone; additional record context includes job title, nationality, role, entity type, ID type, BvD ID, source ID, and internal source-file metadata (leaksear.ch metadata). That field profile aligns with HIBP and Mozilla Monitor, which list names, dates of birth, emails, phones, job titles, and physical addresses, while Mozilla says passwords were not exposed in this breach ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BVD), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/BVD)). ## Why this matters The risk is less about password reuse and more about identity and contact enrichment. Names tied to DOBs, addresses, phones, email addresses, and job titles can help attackers craft believable phishing, impersonation, account-recovery, and business-contact scams. For organizations, the data may be useful to criminals mapping staff, executives, suppliers, or customers before targeted outreach. If you think you may be affected, check whether your email, phone, name, address, country, or date of birth appears in this Bureau van Dijk leak on leaksear.ch. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone. ## Sources - [Have I Been Pwned: Public Business Data Breach](https://haveibeenpwned.com/Breach/BVD) - [Mozilla Monitor: Public Business Data Data Breach](https://monitor.mozilla.org/en/breach-details/BVD) - [Moody's: Moody’s Completes Acquisition of Bureau van Dijk](https://ir.moodys.com/press-releases/news-details/2017/Moodys-Completes-Acquisition-of-Bureau-van-Dijk/default.aspx) --- ## Bell Canada 2017 Leak Exposed 3.4M Records, Passcodes Bell Canada's 2017 breach dataset indexed by leaksear.ch has a breach date of May 15, 2017 and contains 3,386,387 records from an internal WEB\_USERS table, including searchable email addresses, names, usernames, phone numbers, IP addresses, passwords and hashed passwords (leaksear.ch metadata). Bell publicly announced illegal access to customer information on May 15, 2017, saying the accessed customer data included approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers ([www.newswire.ca](https://www.newswire.ca/news-releases/bell-canada-statement-about-illegal-access-of-customer-information-622388793.html)). ## What happened Bell described the incident as illegal access by an anonymous hacker and said it had taken steps to secure affected systems, was working with the RCMP cyber crime unit and had informed the Office of the Privacy Commissioner ([www.newswire.ca](https://www.newswire.ca/news-releases/bell-canada-statement-about-illegal-access-of-customer-information-622388793.html)). The company also said at the time that it had no indication that financial information, passwords or other sensitive personal information had been accessed and that the incident was not connected to WannaCry ([www.newswire.ca](https://www.newswire.ca/news-releases/bell-canada-statement-about-illegal-access-of-customer-information-622388793.html)). Have I Been Pwned records the leaked material as over 2 million unique email addresses, 153,000 survey results from 2011 and 2012, and 162 Bell employee records with names, phone numbers and plaintext passcodes ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Bell2017)). The Hacker News reported that a Pastebin post claimed a significant portion of Bell.ca data had been released and threatened more, while noting that the attacker identity and the meaning of the demanded cooperation were unconfirmed ([thehackernews.com](https://thehackernews.com/2017/05/bell-telecom-hacked.html)). The public sources reviewed do not confirm the intrusion path. The leaksear.ch metadata identifies the indexed source as an internal WEB\_USERS table, not the exploit or access method (leaksear.ch metadata). ## What data was exposed Based on the leaksear.ch indexing metadata, the queryable pivots are email, hashedPassword, ipAddress, name, password, phone and username. Stored context fields include agent names, Bell employee numbers, manager employee numbers, job positions and titles, business unit, company, city, language, active status, outsourcer status, LDAP company code, call dates, survey dates, survey IDs, service-resolution answers, ISP-retention answers and free-text survey comments (leaksear.ch metadata). In plain terms, the dataset can include contact data, account identifiers, technical identifiers, authentication-related fields, workforce context and customer survey responses. HIBP's public breach entry separately lists compromised data categories including email addresses, IP addresses, names, phone numbers, usernames, passwords, job titles, spoken languages, geographic locations and survey results ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Bell2017)). ## Why this matters For individuals, the most immediate risk is targeted Bell-themed phishing or phone impersonation because email, name, phone and survey context can make messages sound legitimate. For current or former employees, agents and outsourcers, the presence of workforce identifiers, job data and passcodes creates additional account-recovery and internal impersonation risk. Security teams should treat any exposed password or passcode as reusable until proven otherwise and rotate it wherever it may have been reused. To check whether data linked to you appears in this leak, use the exposure lookup below with your email address, phone number, name, username or IP address. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, ip address, name, password, phone, and username. ## Sources - [CNW: Bell Canada statement about illegal access of customer information](https://www.newswire.ca/news-releases/bell-canada-statement-about-illegal-access-of-customer-information-622388793.html) - [Have I Been Pwned: Bell (2017 breach) Data Breach](https://haveibeenpwned.com/Breach/Bell2017) - [The Hacker News: Bell Canada Hacked: Data of 1.9 Million Customers Stolen](https://thehackernews.com/2017/05/bell-telecom-hacked.html) --- ## AstraZeneca Leak Exposes 133K Employee Access Records The AstraZeneca leak is dated March 20, 2026 in leaksear.ch metadata, the same day HackRead reported that LAPSUS$ claimed to have stolen about 3GB of internal data from the pharmaceutical company ([hackread.com](https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/)) (leaksear.ch metadata). leaksear.ch has indexed 133,196 employee and access records from the leaked archive, centered on emails, names, usernames, country values, and GitHub Enterprise access context (leaksear.ch metadata). ## What happened The incident entered public view through posts on a hacker forum and a LAPSUS$ associated leak site. HackRead reported the group advertised employee-related datasets, source code, secrets and access credentials, and cloud configuration material; SecurityWeek separately reported claims involving internal code repositories, credentials and tokens, cloud infrastructure information, and employee data ([hackread.com](https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/), [www.securityweek.com](https://www.securityweek.com/extortion-group-claims-it-hacked-astrazeneca/)). The initial access path has not been established in the verified sources reviewed. Public reporting framed the case as an alleged extortion leak, and both SecurityWeek and Bitdefender noted at publication time that AstraZeneca had not publicly confirmed the incident, leaving attribution, scope, and data validity unresolved ([www.securityweek.com](https://www.securityweek.com/extortion-group-claims-it-hacked-astrazeneca/), [www.bitdefender.com](https://www.bitdefender.com/en-au/blog/hotforsecurity/lapsus-astrazeneca-breach)). SOCRadar later updated its March 23 report to say LAPSUS$ claimed it released a roughly 2.66GB zipped dump for free after initially attempting to sell the archive ([socradar.io](https://socradar.io/blog/astrazeneca-data-breach-what-to-know/)). ## What data was exposed Public reports described the broader claimed archive as including source code, cloud infrastructure references, GitHub Enterprise user information, internal API keys, and credential or secret material ([cybernews.com](https://cybernews.com/security/astrazeneca-hackers-claim-source-code-breach/), [socradar.io](https://socradar.io/blog/astrazeneca-data-breach-what-to-know/)). leaksear.ch metadata for this index is narrower: it covers employee and access records, not every file category publicly attributed to the wider archive (leaksear.ch metadata). The searchable fields are country, email, name, and username (leaksear.ch metadata). Stored contextual fields include assignment country, company identifiers and company names, contingent-worker type, cost center ID, employee type, first, last and preferred names, GitHub.com logins, GitHub Enterprise login and roles, GitHub member roles and profiles, organization levels, position title, worker active status, and worker type (leaksear.ch metadata). The leaksear.ch metadata for this indexed employee/access record set does not list fields for patient data, payment card numbers, passwords, or password hashes. The broader archive's reported secrets and source-code material should be treated as separate from the searchable identity pivots available here (leaksear.ch metadata) ([www.bitdefender.com](https://www.bitdefender.com/en-au/blog/hotforsecurity/lapsus-astrazeneca-breach)). ## Why this matters The risk comes from joining corporate identity data with role, contractor, company, and GitHub access context. That combination can support targeted phishing, impersonation of IT or vendor workflows, and account reconnaissance against employees and contractors; public reporting also noted follow-on risk if any reported credentials, tokens, private keys, or cloud configuration data remained valid ([www.securityweek.com](https://www.securityweek.com/extortion-group-claims-it-hacked-astrazeneca/), [cybernews.com](https://cybernews.com/security/astrazeneca-hackers-claim-source-code-breach/)). For security teams, the priority is to validate affected work accounts, review GitHub Enterprise roles and contractor access, rotate any potentially exposed secrets, and watch for phishing that reuses internal role or project context. Individuals who worked for or with AstraZeneca should use the exposure check below to see whether their email, name, username, or country appears in this leak (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, email, name, and username. ## Sources - [HackRead: Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach](https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/) - [SecurityWeek: Extortion Group Claims It Hacked AstraZeneca](https://www.securityweek.com/extortion-group-claims-it-hacked-astrazeneca/) - [Cybernews: Pharma giant AstraZeneca claimed by hackers, with source code on the table](https://cybernews.com/security/astrazeneca-hackers-claim-source-code-breach/) - [SOCRadar: AstraZeneca Data Breach: What You Need to Know](https://socradar.io/blog/astrazeneca-data-breach-what-to-know/) - [Bitdefender: Lapsus$ claims AstraZeneca breach exposes code and credentials](https://www.bitdefender.com/en-au/blog/hotforsecurity/lapsus-astrazeneca-breach) --- ## Epik leak exposes 20.9M WHOIS and credential records Epik, a U.S. domain registrar and web host, suffered the September 13, 2021 Operation Epik Fail breach now indexed by leaksear.ch at 20,940,708 records, or about 20.9 million records (leaksear.ch metadata, [www.wired.com](https://www.wired.com/story/anonymous-leaked-data-from-right-wing-web-host-epik/)). The indexed dataset spans WHOIS contacts, account credentials, billing and invoice records, payment-card data, login logs, marketing and renewal lists, and fraud records (leaksear.ch metadata). ## What happened Hacktivist collective Anonymous claimed it obtained and released more than 180 GB of Epik data as a torrent, describing the cache as a decade of company data tied to domain ownership and management records ([www.wired.com](https://www.wired.com/story/anonymous-leaked-data-from-right-wing-web-host-epik/)). Epik's later 50-state notification said unauthorized third parties accessed a backup copy of its domain-side service accounts through one or more non-public servers on or before September 13, 2021 ([oag.ca.gov](https://oag.ca.gov/system/files/Epik%2050-State%20Notification%20%28final%29_1.pdf)). The exact initial access path remains unconfirmed in public reporting. TechCrunch reported that a security researcher had warned Epik in January 2021 about a critical vulnerability in a library used on Epik's WHOIS page, but also reported that it was not known whether the Anonymous actors used that issue ([techcrunch.com](https://techcrunch.com/2021/09/17/epik-website-bug-hacked/)). Public reporting also noted that the exposure was broader than Epik customer accounts alone. Avast reported that scraped WHOIS data was included in the breach, meaning some exposed people had no direct connection to Epik ([blog.avast.com](https://blog.avast.com/epik-data-breach-impacts-15-million-users-avast)). ## What data was exposed The leaksear.ch index lists searchable pivots for address, country, domain, email, hashedPassword, ipAddress, name, password, phone, and username. The stored record context includes registrant, administrative, technical, and billing WHOIS contacts; organizations; postal addresses; country fields; account identifiers; billing and invoice records; transaction history; payment-card-related fields; renewal and marketing records; login logs; IP addresses; and fraud records (leaksear.ch metadata). Epik's own notification said potentially obtained information included name, address, email address, username, password, phone number, VAT number if provided, transaction history, domain ownership, and credit card information for a small subset of users ([oag.ca.gov](https://oag.ca.gov/system/files/Epik%2050-State%20Notification%20%28final%29_1.pdf)). The Washington Post separately reported that the leaked files included years of website purchase records, internal company emails, customer account credentials, names, home addresses, email addresses, phone numbers, passwords, and records from an Epik privacy service ([www.washingtonpost.com](https://www.washingtonpost.com/technology/2021/09/21/epik-far-right-hack-anonymous/)). ## Why this matters WHOIS and registrar data can give attackers precise phishing and social-engineering hooks, especially for domain renewals, account recovery, transfer requests, and impersonation of registrars or hosting providers. Exposed credentials and hashed passwords increase credential-stuffing risk when users reused passwords across services, while payment-card and billing data can support fraud and identity-theft attempts. Because public reporting said scraped WHOIS records included non-customers, appearing in this leak should not be treated as proof that a person or organization was an Epik customer ([blog.avast.com](https://blog.avast.com/epik-data-breach-impacts-15-million-users-avast)). If you registered or managed domains through Epik or Intrust Domains, or had WHOIS contact data online before September 2021, check whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, domain, email, hashed password, ip address, name, password, phone, and username. ## Sources - [WIRED: Anonymous Leaked a Bunch of Data From a Right-Wing Web Host](https://www.wired.com/story/anonymous-leaked-data-from-right-wing-web-host-epik/) - [California Office of the Attorney General: Epik 50-State Notification](https://oag.ca.gov/system/files/Epik%2050-State%20Notification%20%28final%29_1.pdf) - [TechCrunch: Web host Epik was warned of a critical security flaw weeks before it was hacked](https://techcrunch.com/2021/09/17/epik-website-bug-hacked/) - [Avast: Epik data breach impacts 15 million users](https://blog.avast.com/epik-data-breach-impacts-15-million-users-avast) - [The Washington Post: Huge hack reveals embarrassing details of who’s behind Proud Boys and other far-right websites](https://www.washingtonpost.com/technology/2021/09/21/epik-far-right-hack-anonymous/) --- ## Facebook Leak: 171.5M Records Expose Phones and Names leaksear.ch has indexed a Facebook data leak containing 171,540,498 records from a scrape dated August 1, 2019, with phone numbers, names, Facebook IDs, location and country fields, dates of birth, profile URLs, locales, hometowns, genders, and some email addresses (leaksear.ch metadata). Public reporting tied the wider 500M-plus Facebook dataset to abuse of a contact-importer function that Facebook said it changed in 2019, and to a leak that circulated freely in April 2021 ([about.fb.com](https://about.fb.com/news/2021/04/facts-on-news-reports-about-facebook-data/), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/)). ## What happened Meta said on April 6, 2021 that malicious actors did not hack Facebook's systems for this dataset, but scraped data from the platform before September 2019 using the contact importer, a feature that matched uploaded contact lists to Facebook users. Meta said it changed the feature in 2019 to prevent software from uploading large sets of phone numbers to discover matching profiles, and said the exposed information did not include financial information, health information, or passwords ([about.fb.com](https://about.fb.com/news/2021/04/facts-on-news-reports-about-facebook-data/)). Public reporting gives the wider leak a larger footprint than the leaksear.ch-indexed corpus. BleepingComputer reported about 533,313,128 Facebook users in a forum leak that was released for free on April 3, 2021, Business Insider reported more than 533 million users across 106 countries, and Have I Been Pwned lists 509.5 million affected accounts with an August 2019 breach date ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/), [www.businessinsider.com](https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Facebook)). WIRED later noted that Facebook's explanations left confusion about exactly which earlier scraping events and datasets overlapped, which is why this article treats the 171.5M leaksear.ch record count as the scoped indexed corpus rather than the full public universe of Facebook-scrape data ([www.wired.com](https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/)). The incident also had regulatory consequences. Ireland's DPC announced on November 28, 2022 that it fined Meta Platforms Ireland €265 million after an inquiry into Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer processing between May 25, 2018 and September 2019, finding infringements of GDPR Article 25(1) and 25(2) ([www.dataprotection.ie](https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry)). ## What data was exposed The leaksear.ch metadata lists queryable fields for this leak as country, date of birth, email, name, phone, and username (leaksear.ch metadata). The same metadata describes exposed Facebook IDs, phone numbers, names, gender, location and country fields, dates of birth, profile URLs, locales, hometowns, and some email addresses (leaksear.ch metadata). Stored context that may appear on records includes gender, hometown, locale, location, and profile URL; those are not the same as direct search pivots on the platform (leaksear.ch metadata). Public sources similarly emphasized that the wider Facebook leak's primary value was linking phone numbers to real identities, while only a smaller portion of the wider corpus contained email addresses ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Facebook)). ## Why this matters Even without passwords, the combination of a phone number, name, Facebook identifier, location, and date of birth can help attackers make phishing and smishing messages more convincing. BleepingComputer warned that mobile numbers and leaked profile details could be used for smishing and SIM-swap attempts, and WIRED noted that the bug helped connect phone numbers with public profile information ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/), [www.wired.com](https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/)). For individuals and security teams, the practical response is to treat unexpected texts, calls, and account-recovery prompts with extra scrutiny, especially where SMS is used for authentication. To check whether your data is in this leak, use leaksear.ch to search the available pivots for this dataset: phone, email, name, username, date of birth, or country (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, name, phone, and username. ## Sources - [Have I Been Pwned: Facebook Data Breach](https://haveibeenpwned.com/Breach/Facebook) - [Meta: The Facts on News Reports About Facebook Data](https://about.fb.com/news/2021/04/facts-on-news-reports-about-facebook-data/) - [BleepingComputer: 533 million Facebook users’ phone numbers leaked on hacker forum](https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/) - [Business Insider: 533 million Facebook users' phone numbers and personal data have been leaked online](https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4) - [WIRED: What Really Caused Facebook's 500M-User Data Leak?](https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/) - [Data Protection Commission: Data Protection Commission announces decision in Facebook Data Scraping Inquiry](https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry) --- ## Axcera Leak Exposes 677 Records With Passwords and KYC Data On June 30, 2026, leaksear.ch indexed an Axcera dataset containing 677 records, with searchable fields including email addresses, names, phone numbers, usernames, IP addresses, dates of birth, addresses, countries, passwords and hashed passwords (leaksear.ch metadata). Axcera describes itself as a financial technology company providing infrastructure for trading firms, and the indexing metadata does not include a confirmed breach date ([axcera.io](https://axcera.io/about); leaksear.ch metadata). ## What happened Public reporting on April 5, 2026, from HookPhish said AXCERA.IO was listed as a ransomware victim by lapsus$, with a claimed breach date of March 22, 2026, and the claimed stolen material summarized as source code and infrastructure configs ([www.hookphish.com](https://www.hookphish.com/blog/ransomware-group-lapsus-hits-axcera-io/)). Axcera posted an incident update on April 7, 2026, saying it was aware of online claims and that its review found a limited number of internal repositories exposed in connection with a third-party security tooling issue involving Trivy on GitHub ([axcera.io](https://axcera.io/blog/incident-update-third-party-tooling-issue-and-our-response)). Axcera said that exposure did not result in unauthorized access to production systems or live environments, and said no customer data, trading accounts or production systems were affected ([axcera.io](https://axcera.io/blog/incident-update-third-party-tooling-issue-and-our-response)). The leaksear.ch metadata does not identify an exposure method or breach date for the 677-record dataset, and no public source reviewed here confirms whether it is connected to the earlier repository incident (leaksear.ch metadata). ## What data was exposed Searchable fields in the indexed leak include names, email addresses, usernames, a password field, hashed password fields, phone numbers, addresses, countries, dates of birth and IP addresses (leaksear.ch metadata). Other stored fields reference KYC and verification context, including document numbers and document types, KYC status, Veriff identifiers and verification session URL fields, customer IDs, checkout and order IDs, payment providers, payment methods, finance amounts and statuses, platform account IDs, platform usernames, password reset tokens, signup tokens, one-time token fields, salts, TOTP secret fields, timestamps such as account creation and last login, and spending or withdrawal totals (leaksear.ch metadata). Axcera public materials describe automated KYC with SumSub and Veriff integrations, plus payment, trading platform and CRM integrations for prop-trading operations ([axcera.io](https://axcera.io/blog/introducing-axceras-hybrid-model-the-future-of-prop-firms)). ## Why this matters The record count is small, but the field mix is sensitive because credential, reset token, one-time token and TOTP-related fields can create account takeover risk if any values were live when exposed. Contact details, dates of birth, account identifiers and KYC document metadata can also support targeted phishing, identity verification abuse and fraudulent account recovery. For organizations, the dataset raises vendor-review, token-rotation, log-review and notification questions because the fields span account, payment and verification workflows. If you interacted with Axcera or an Axcera-powered trading or onboarding flow, check whether your email, username, phone number, name, address, date of birth, country or IP address appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, hashed password, ip address, name, password, phone, and username. ## Sources - [HookPhish: Ransomware Group lapsus$ Hits: AXCERA.IO](https://www.hookphish.com/blog/ransomware-group-lapsus-hits-axcera-io/) - [Axcera: Incident Update: Third-Party Tooling Issue and Our Response](https://axcera.io/blog/incident-update-third-party-tooling-issue-and-our-response) - [Axcera: About Axcera](https://axcera.io/about) - [Axcera: Introducing Axcera's Hybrid Model: The Future of Prop Firms!](https://axcera.io/blog/introducing-axceras-hybrid-model-the-future-of-prop-firms) --- ## ENI Leak Exposes 58K Records With Emails and Phones leaksear.ch has indexed an ENI customer dataset containing 58,047 records, with a breach date of December 27, 2025, exposing names, email addresses and phone numbers alongside account metadata (leaksear.ch metadata). ENI is an Italian energy company with French retail and business energy operations; Clubic reported that ENI told French customers it had been the victim of an unauthorized disclosure after hackers published client data online ([www.eni.com](https://www.eni.com/en-IT/company.html), [www.eni.com](https://www.eni.com/fr-FR/home.html), [www.clubic.com](https://www.clubic.com/actualite-593956-l-energeticien-eni-confirme-avoir-subi-une-cyberattaque-en-france-des-milliers-de-clients-exposes.html)). ## What happened Public reporting places the exposure at the end of December 2025. Clubic reported that an actor using the Lapsus-Group name posted an ENI file on a cybercrime forum on December 27, 2025, claiming 89,463 lines tied to French customer data. The same report said ENI confirmed in a message to customers that there had been an unauthorized disclosure of professional information ([www.clubic.com](https://www.clubic.com/actualite-593956-l-energeticien-eni-confirme-avoir-subi-une-cyberattaque-en-france-des-milliers-de-clients-exposes.html)). Bonjour la fuite, a public French breach tracker, separately listed ENI on December 27, 2025 with 89,463 clients and data fields including name, email address, profile type, company name and function ([bonjourlafuite.eu.org](https://bonjourlafuite.eu.org/)). leaksear.ch indexed 58,047 records from the ENI dataset; the collection's breach date in the index is December 27, 2025 (leaksear.ch metadata). Neither the supplied metadata nor the public reporting reviewed for this article establishes the initial intrusion vector. The actor name should be treated as a claim from the forum post, not an attribution by leaksear.ch (leaksear.ch metadata). ## What data was exposed According to leaksear.ch metadata, the directly searchable pivots are email, name and phone (leaksear.ch metadata). Other stored fields include client reference, company or organization name, account creation date, last login date, job or function text, profile and account status (leaksear.ch metadata). Public reporting also described business contact data such as company name, customer reference, professional email and professional phone number, and said ENI's customer notice stated that passwords, consumption histories and bank details were not compromised ([www.clubic.com](https://www.clubic.com/actualite-593956-l-energeticien-eni-confirme-avoir-subi-une-cyberattaque-en-france-des-milliers-de-clients-exposes.html)). ## Why this matters Names, professional emails, phone numbers, company names and customer references can be used to make supplier impersonation, payment-change, invoice or account-update messages look credible (leaksear.ch metadata, [www.clubic.com](https://www.clubic.com/actualite-593956-l-energeticien-eni-confirme-avoir-subi-une-cyberattaque-en-france-des-milliers-de-clients-exposes.html)). Account profile/status data and last-login dates can also help attackers prioritize or personalize phishing attempts (leaksear.ch metadata). Security teams should flag affected addresses and phone numbers for phishing monitoring, and individuals should verify ENI-related requests through official channels rather than replying to unsolicited messages. If you want to check whether your email, name or phone appears in this ENI leak, search leaksear.ch for your own exposure. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, name, and phone. ## Sources - [Clubic: L'énergéticien ENI confirme avoir subi une cyberattaque en France : des milliers de clients exposés](https://www.clubic.com/actualite-593956-l-energeticien-eni-confirme-avoir-subi-une-cyberattaque-en-france-des-milliers-de-clients-exposes.html) - [Bonjour la fuite: C’est qui qui a fuité aujourd’hui ?](https://bonjourlafuite.eu.org/) - [Eni: Eni Group: Global energy tech company for a decarbonised future](https://www.eni.com/en-IT/company.html) - [Eni: Eni en France](https://www.eni.com/fr-FR/home.html) --- ## n-d-f.com Leak Exposes 52K Records With Passwords leaksear.ch has indexed an n-d-f.com leak containing 52,322 records with contact, identity, and account fields, including passwords, with a listed breach date of May 28, 2020 (leaksear.ch metadata). Public sources tie n-d-f.com to Japanese pet and animal-health content connected to Merial Japan, Boehringer Ingelheim Animal Health Japan, and Nippon Zenyaku Kogyo, but the dataset is identified in the index only by the n-d-f.com source name ([prtimes.jp](https://prtimes.jp/main/html/rd/p/000000002.000022654.html), [www.zenoaq.com](https://www.zenoaq.com/products/pd-785.html)). ## What happened Public reporting reviewed for this article did not confirm how the n-d-f.com data was exposed. The available incident facts are limited to the dataset name, breach date, record count, indexed fields, and date indexed by leaksear.ch, June 29, 2026 (leaksear.ch metadata). The domain appears in public sources as a destination for pet and veterinary product content. Merial Japan's 2017 PR Times release listed n-d-f.com pages for the Save Pet Project campaign, ZENOAQ product pages link to n-d-f.com animal-health product paths, and a 2019 Benesse dog-owner ranking listed n-d-f.com/nexgard for NexGard by Boehringer Ingelheim Animal Health Japan ([prtimes.jp](https://prtimes.jp/main/html/rd/p/000000002.000022654.html), [www.zenoaq.com](https://www.zenoaq.com/products/pd-785.html), [www.zenoaq.com](https://www.zenoaq.com/products/pd-595.html), [dog.benesse.ne.jp](https://dog.benesse.ne.jp/withdog/content/?id=43828)). Because the verified public sources do not identify a threat actor, ransomware group, storage error, scraping event, or third-party compromise, this report should not be read as attribution of the leak to any specific cause. ## What data was exposed The leaksear.ch index lists the following searchable fields in the dataset: address, country, date of birth, email address, name, password, phone number, and username (leaksear.ch metadata). The records also include an additional structured JSON field, but the metadata does not define the contents of that field (leaksear.ch metadata). No raw records, passwords, or sample values are included here. ## Why this matters The combination of emails, usernames, and passwords creates credential-stuffing risk where people reused passwords on other services (leaksear.ch metadata). Names, phone numbers, addresses, countries, and dates of birth can also support targeted phishing, account recovery abuse, and identity-verification fraud. Security teams should prioritize password reset guidance, monitoring for reused credentials, and phishing lures referencing pet-health or veterinary content. If you may have used n-d-f.com or related pet-health pages, use the leaksear.ch lookup for this leak to check whether your data is present. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, password, phone, and username. ## Sources - [PR Times: 世界初!自身のFacebookを保護犬・保護猫に貸し出す Wall for One あなたのウォールを、貸してください。キャンペーン開始](https://prtimes.jp/main/html/rd/p/000000002.000022654.html) - [ZENOAQ: メタカム2%注射液](https://www.zenoaq.com/products/pd-785.html) - [ZENOAQ: ビュール706](https://www.zenoaq.com/products/pd-595.html) - [いぬのきもちWEB MAGAZINE: 寄生虫駆除剤部門ランキング いぬのきもちユーザー人気ランキング2019](https://dog.benesse.ne.jp/withdog/content/?id=43828) --- ## Ordine Avvocati di Roma Leak Exposes 39K Lawyer Records The Ordine Avvocati di Roma leak indexed by leaksear.ch contains 39,134 records from the Lawyers Order of Rome, tied to a May 7, 2019 breach and including names, email addresses, phones, addresses, dates of birth, countries, usernames, and passwords (leaksear.ch metadata). Public reporting linked the incident to Anonymous Italia's claimed release of data connected to roughly 30,000 Roman lawyers, while Have I Been Pwned lists 42,000 unique addresses in the breach ([roma.repubblica.it](https://roma.repubblica.it/cronaca/2019/05/07/news/roma_anonymus_viola_la_mail_di_30mila_avvocati_c_e_anche_quella_di_raggi-225675248/), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/OrdineAvvocatiDiRoma)). ## What happened La Repubblica reported on May 7, 2019 that Anonymous Italia said it had violated the certified email, PEC, mailboxes of 30,000 lawyers registered with the Rome Order, and that the group posted links to dumps online. The report said Italy's postal police Cnaipic unit was acquiring data and evidence, and that at that time no formal case file had been opened by prosecutors ([roma.repubblica.it](https://roma.repubblica.it/cronaca/2019/05/07/news/roma_anonymus_viola_la_mail_di_30mila_avvocati_c_e_anche_quella_di_raggi-225675248/)). Have I Been Pwned states that data was taken from the breached system and redistributed online, and identifies compromised categories including contact information, email addresses, email messages, geographic locations, passwords, and phone numbers ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/OrdineAvvocatiDiRoma)). Codacons, in a May 9, 2019 notice for affected lawyers, said the attack concerned the database of the certified-email provider for the Rome Order, Lextel S.p.A. with the Infocert service, and said involved PEC boxes were blocked. leaksear.ch metadata does not identify the initial access vector, so that provider-specific account should be treated as a public Codacons claim rather than an independently indexed breach fact ([codacons.it](https://codacons.it/avvocato-mail-anonymous/)). ## What data was exposed According to leaksear.ch indexing metadata, searchable exposure fields include address, country, date of birth, email, name, password, phone, and username (leaksear.ch metadata). Other stored context, not direct search pivots, includes bar order, bar registration number, birth place and province, enrollment date, fax, office and residence address details, tax code, website, request fields, and fields related to custodian, bankruptcy curator, and real estate execution assignments (leaksear.ch metadata). Have I Been Pwned additionally lists email messages among the compromised data categories ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/OrdineAvvocatiDiRoma)). ## Why this matters Because the dataset combines professional identity, contact details, legal-registration details, addresses, dates of birth, tax-code fields, and passwords, affected lawyers face risks beyond ordinary spam. Password exposure can enable account takeover where credentials were reused, and email or phone data can support convincing phishing that references the Order, PEC services, bar registration, or office details. Journalists and incident responders should also treat exposed email-message data as potentially sensitive client and professional correspondence, because HIBP and Italian reporting describe email messages or PEC mailboxes as part of the incident ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/OrdineAvvocatiDiRoma), [roma.repubblica.it](https://roma.repubblica.it/cronaca/2019/05/07/news/roma_anonymus_viola_la_mail_di_30mila_avvocati_c_e_anche_quella_di_raggi-225675248/)). Anyone who was registered with the Rome Order around May 2019, or who communicated with an affected PEC mailbox, should check whether their identifiers appear in this leak and reset any reused passwords. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, password, phone, and username. ## Sources - [Have I Been Pwned: Ordine Avvocati di Roma Data Breach](https://haveibeenpwned.com/Breach/OrdineAvvocatiDiRoma) - [la Repubblica: Roma, Anonymus viola la mail di 30mila avvocati](https://roma.repubblica.it/cronaca/2019/05/07/news/roma_anonymus_viola_la_mail_di_30mila_avvocati_c_e_anche_quella_di_raggi-225675248/) - [Codacons: Sei un avvocato e hai una mail hackerata da Anonymous?](https://codacons.it/avvocato-mail-anonymous/) --- ## Nival Leak Exposed 2.6M Records With Emails and DOBs Nival, an independent game developer focused on strategy games, is associated with a 2016 leak indexed by leaksear.ch at 2,575,282 records, with the breach date listed as February 29, 2016 (leaksear.ch metadata, [nival.com](https://nival.com/about/nival)). Have I Been Pwned describes the incident as a February 2016 attack against Nival that impacted more than 1.5 million accounts ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Nival)). ## What happened Have I Been Pwned says Nival was targeted in an attack in February 2016 and was one of several Russian sites affected. HIBP also states the attack was allegedly tied to protest activity around Russian foreign policy regarding Ukraine, but leaksear.ch metadata does not independently confirm motive or attribution ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Nival)). The technical exposure method is not confirmed in the supplied metadata or in the public HIBP entry. Publicly supported facts are limited to the reported attack, the affected organization, the exposed data categories, and the account or record counts reported by HIBP and leaksear.ch metadata. ## What data was exposed The leaksear.ch index identifies email, username, name, and date of birth as searchable fields for this leak (leaksear.ch metadata). Other stored record context includes gender, locale or spoken language, avatar or photo references, social network identifiers, token fields, forum identifiers, registration data, login and logout timestamps, billing status, and website activity fields (leaksear.ch metadata). HIBP's public breach page lists avatars, dates of birth, email addresses, genders, names, spoken languages, usernames, and website activity as compromised data categories ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Nival)). The reviewed metadata and public HIBP page do not list plaintext passwords or payment card numbers for this breach. ## Why this matters Email addresses, usernames, real names, and dates of birth give attackers stronger material for phishing, account recovery abuse, and identity correlation across gaming, forum, and social platforms. Social identifiers and token fields raise additional concern because they may help connect a game account to external profiles or historical sign-in flows. Activity and locale data can also make phishing lures more credible for affected users. Anyone who used Nival services around 2016 should check whether their email, username, name, or date of birth appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include date of birth, email, name, and username. ## Sources - [Have I Been Pwned: Nival Data Breach](https://haveibeenpwned.com/Breach/Nival) - [Nival: About](https://nival.com/about/nival) --- ## pcTattletale Leak Exposes 119K Records With Emails, IPs pcTattletale, a U.S. consumer spyware service, is tied to a May 25, 2024 data leak indexed by leaksear.ch with 118,951 records containing member, device, IP address, renewal, and location-history data (leaksear.ch metadata). Public reporting at the time said the company's website was defaced and data from its servers was posted online ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/hacker-defaces-spyware-apps-site-dumps-database-and-source-code/), [techcrunch.com](https://techcrunch.com/2024/05/25/spyware-app-pctattletale-was-hacked-and-its-website-defaced/)). ## What happened BleepingComputer reported on May 24, 2024 that a hacker defaced pcTattletale's website and leaked archives containing database and source-code data. Have I Been Pwned later listed pcTattletale as a sensitive breach, with the breach occurring in May 2024 and added to HIBP on May 25, 2024 ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/hacker-defaces-spyware-apps-site-dumps-database-and-source-code/), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/pcTattletale)). TechCrunch reported that the person claiming responsibility said the compromise did not use the previously reported screenshot-access vulnerability, but instead involved pcTattletale's servers exposing access to its cloud operations. TechCrunch also reported that the site briefly displayed links to files from pcTattletale servers, which appeared to include some victims' stolen data ([techcrunch.com](https://techcrunch.com/2024/05/25/spyware-app-pctattletale-was-hacked-and-its-website-defaced/)). Days later, TechCrunch reported that pcTattletale's founder said the company was out of business after the breach. The same report said pcTattletale's website remained offline and that the founder said the company's cloud account and servers had been deleted ([techcrunch.com](https://techcrunch.com/2024/05/28/pctattletale-spyware-shutters-data-breach/)). ## What data was exposed The leaksear.ch index lists the searchable fields as email addresses, hashed passwords, IP addresses, names, and usernames (leaksear.ch metadata). The indexed records also contain stored context that is not directly searchable, including authentication-key references, member IDs, device and computer identifiers, computer names and nicknames, computer descriptions, version values, first and last location latitude and longitude with timestamps, last-login data, location counts, payment gateway, renewal dates and renewal history, signup timestamps, transaction IDs, and related account or device counts (leaksear.ch metadata). The supplied metadata describes the exposed data as member, device, IP address, renewal, and location-history information (leaksear.ch metadata). Public reporting separately described pcTattletale as software that captured screenshots from monitored Android and Windows devices, and TechCrunch reported that pcTattletale was found on several U.S. hotel check-in systems where screenshots exposed guest and reservation details ([techcrunch.com](https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/)). ## Why this matters Emails, usernames, names, IP addresses, device identifiers, renewal data, and location-history fields can give attackers useful context for phishing, doxxing, account-recovery attacks, and targeted social engineering. Hashed passwords should be treated as compromised, especially if the same password was reused on other services. Organizations that may have used pcTattletale or found it on managed devices should review endpoints, logs, and affected user notifications, since public reporting also linked the spyware to exposed hotel check-in data. If you used pcTattletale, managed devices where it may have been installed, or received a breach notice, check whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, ip address, name, and username. ## Sources - [BleepingComputer: Hacker defaces spyware app's site, dumps database and source code](https://www.bleepingcomputer.com/news/security/hacker-defaces-spyware-apps-site-dumps-database-and-source-code/) - [TechCrunch: Spyware app pcTattletale was hacked and its website defaced](https://techcrunch.com/2024/05/25/spyware-app-pctattletale-was-hacked-and-its-website-defaced/) - [TechCrunch: Spyware maker pcTattletale says it's out of business and shuts down after data breach](https://techcrunch.com/2024/05/28/pctattletale-spyware-shutters-data-breach/) - [TechCrunch: Spyware found on US hotel check-in computers](https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/) - [Have I Been Pwned: pcTattletale Data Breach](https://haveibeenpwned.com/Breach/pcTattletale) --- ## PlexusMD Leak Exposes 232K Doctor Records and Hashes In November 2020, PlexusMD, an Indian app for doctors and medical students, suffered a data breach exposing 232,346 indexed healthcare professional account and profile records (leaksear.ch metadata). The leaksear.ch index includes contact details, profile information, IP addresses, dates of birth, usernames, password hashes, and salts (leaksear.ch metadata). ## What happened PlexusMD is described in public app listings as a medical app developed by Plexus Professionals Network Private Limited and aimed at doctors and medical students ([www.appbrain.com](https://www.appbrain.com/app/plexusmd-indias-leading-app/com.plexusmd.app)). A company profile lists PlexusMD in Ahmedabad, Gujarat, India, with the legal name Plexus Professionals Network Private Limited ([www.thecompanycheck.com](https://www.thecompanycheck.com/company/b/plexusmd/i683sybce93w0gtyx)). SynScan's public breach page also lists a PlexusMD 2020 breach in India's healthcare category and reports exposure including usernames, email addresses, IP addresses, dates of birth, names, phone numbers, and password data stored in an unknown hash type ([synscan.net](https://synscan.net/breaches/plexusmd)). The leaksear.ch metadata for the indexed dataset records a November 1, 2020 breach date and 232,346 indexed records (leaksear.ch metadata). Public sources reviewed for this article do not identify a root cause, such as ransomware, scraping, misconfigured storage, or third-party compromise. The exposure mechanism and whether any password hashes were cracked should therefore be treated as unconfirmed. ## What data was exposed The leaksear.ch indexing metadata lists the following searchable fields: address, date of birth, email address, hashed password, IP address, name, phone number, and username (leaksear.ch metadata). Additional stored record context includes account creation and modification timestamps, profile status, city and country identifiers, gender, degree and title metadata, profile verification fields, mobile verification fields, last-login data, profile photo references, salts, and other account and profile identifiers. These are stored record fields, not direct search pivots on leaksear.ch (leaksear.ch metadata). ## Why this matters This is more than a contact-list leak because the records combine identity data, contact details, professional profile metadata, IP addresses, and password hashes in the same account records (leaksear.ch metadata). That combination can support targeted phishing, credential-reuse checks against other services, and impersonation attempts aimed at medical professionals or students. The FTC warns that phishing messages often ask for passwords or sensitive information and that shared passwords can give scammers access to other accounts ([www.ftc.gov](https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/phishing)). Its data breach response guidance also notes that exposed personal information can create identity-theft risk and that organizations should clearly identify what information was taken and how affected people should respond ([www.ftc.gov](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business)). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, hashed password, ip address, name, phone, and username. ## Sources - [SynScan: PlexusMD Data Breach (2020)](https://synscan.net/breaches/plexusmd) - [AppBrain: PlexusMD - India's leading app](https://www.appbrain.com/app/plexusmd-indias-leading-app/com.plexusmd.app) - [The Company Check: PlexusMD Company Profile](https://www.thecompanycheck.com/company/b/plexusmd/i683sybce93w0gtyx) - [Federal Trade Commission: Phishing](https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/phishing) - [Federal Trade Commission: Data Breach Response, A Guide for Business](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business) --- ## vBulletin Leak Exposes 508K Emails, IPs and Hashes vBulletin, the forum software maker, is associated with 508,095 records indexed by leaksear.ch from a November 3, 2015 breach, including email addresses, usernames, IP addresses and MD5 password hashes with salts (leaksear.ch metadata). Public reporting at the time described a defacement of vBulletin.com, a forced password reset, and a hacker's claim that hundreds of thousands of records had been taken ([www.theregister.com](https://www.theregister.com/security/2015/11/03/password-reset-invoked-after-vbulletincom-forum-software-site-defaced/753845)). ## What happened Have I Been Pwned's public breach page describes vBulletin as a forum software maker that suffered a serious data breach in November 2015, affecting forum user and customer accounts ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/VBulletin)). The Register reported on November 3, 2015 that the official vBulletin.com site had been defaced and that vBulletin initiated a password reset after its statement said an attacker may have accessed customer IDs and encrypted passwords ([www.theregister.com](https://www.theregister.com/security/2015/11/03/password-reset-invoked-after-vbulletincom-forum-software-site-defaced/753845)). SecurityWeek later summarized the November 2015 event as involving the official forum and website being shut down after a hacker using the Coldzer0 handle claimed access to user details via a zero-day vulnerability, with password resets following the incident ([www.securityweek.com](https://www.securityweek.com/vbulletin-resets-passwords-after-server-hack/)). The exact exploitation path should be treated as unconfirmed in public reporting: The Register described zero-day and SQL injection claims as reported or unclear, not established fact ([www.theregister.com](https://www.theregister.com/security/2015/11/03/password-reset-invoked-after-vbulletincom-forum-software-site-defaced/753845)). ## What data was exposed The leaksear.ch index for this leak includes email addresses, usernames, IP addresses and MD5 password hashes as searchable fields (leaksear.ch metadata). It also stores salts, homepage or website URLs, source identifiers and other record context, but those additional fields are not direct search pivots (leaksear.ch metadata). ## Why this matters Because the leak combines contact details, account identifiers, IP addresses and password hashes, it can help attackers validate old forum identities and build targeted phishing. The password data is historical but still relevant where users reused credentials; SecurityWeek's contemporaneous coverage advised changing the vBulletin password and any reused password on other sites ([www.securityweek.com](https://www.securityweek.com/vbulletin-resets-passwords-after-server-hack/)). Security teams should treat matches as historical credential exposure and prioritize password rotation, MFA and monitoring for phishing that references vBulletin or forum account details. To check whether your data is in this leak, search leaksear.ch using email, username, IP address or hashed password (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, ip address, and username. ## Sources - [Have I Been Pwned: vBulletin Data Breach](https://haveibeenpwned.com/Breach/VBulletin) - [The Register: Password reset invoked after vBulletin.com forum software site defaced](https://www.theregister.com/security/2015/11/03/password-reset-invoked-after-vbulletincom-forum-software-site-defaced/753845) - [SecurityWeek: vBulletin Resets Passwords After Server Hack](https://www.securityweek.com/vbulletin-resets-passwords-after-server-hack/) --- ## Match Group Leak Exposes 8.35M User Records With Emails, IPs Match Group's portfolio includes Tinder, Hinge, Match, OkCupid and Plenty of Fish ([mtch.com](https://mtch.com/ourcompany/)); leaksear.ch has indexed a 2026 Match Group leak containing 8,350,087 records, with the breach date listed as January 17, 2026 (leaksear.ch metadata). The indexed data spans user identifiers, contact details, location data, IP addresses, mobile attribution logs and a subset of Plenty of Fish password fields (leaksear.ch metadata), while public reporting said Match Group confirmed a security incident after ShinyHunters claimed a dating-app data theft ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/)). ## What happened Public reporting in late January 2026 said ShinyHunters claimed more than 10 million records tied to Hinge, Match.com and OkCupid usage data from AppsFlyer, along with internal documents. Match Group confirmed it was investigating a recently identified security incident, said it terminated unauthorized access, and said at the time that it had no indication user login credentials, financial information or private communications were accessed ([www.theregister.com](https://www.theregister.com/security/2026/01/29/shinyhunters-claims-it-stole10m-records-from-dating-apps/4922965), [www.malwarebytes.com](https://www.malwarebytes.com/blog/news/2026/01/match-hinge-okcupid-and-panera-bread-breached-by-ransomware-group), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/)). BleepingComputer reported that the attacker was said to have compromised an Okta SSO account that provided access to Match Group's AppsFlyer marketing analytics instance, and also reported that Match Group disputed claims that Google Drive and Dropbox files were accessed. UpGuard separately summarized the alleged method as vishing against Okta SSO credentials and the AppsFlyer analytics platform ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/), [www.upguard.com](https://www.upguard.com/news/match-data-breach-2026-01-29)). Google Cloud's Mandiant and Google Threat Intelligence Group reported a broader January 2026 expansion of ShinyHunters-branded SaaS data theft that used vishing and victim-branded credential harvesting to obtain SSO credentials and MFA codes, then target cloud SaaS applications for data exfiltration. That context aligns with public reporting that this incident was centered on social engineering and SaaS access rather than a confirmed dating-app software exploit ([cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft)). ## What data was exposed The searchable fields in leaksear.ch for this corpus are country, date of birth, email address, IP address, name, password, phone number and username (leaksear.ch metadata). Other indexed fields indicate a mix of AppsFlyer mobile-attribution events, Plenty of Fish user database exports, support-ticket data and internal corporate documents, including advertising IDs, AppsFlyer IDs, Android IDs, IDFA and IDFV identifiers, device model, OS and app version, carrier, user agent, city, postal code, gender, event timestamps, campaign and media-source fields, subscription-related timestamps, account status flags, support ticket IDs and request metadata (leaksear.ch metadata). The metadata includes password and plain\_password fields for a subset of POF user records (leaksear.ch metadata). That is broader than Match Group's January public statement, as reported at the time, that it had no indication user login credentials were accessed ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/), [www.upguard.com](https://www.upguard.com/news/match-data-breach-2026-01-29)). ## Why this matters For individuals, this combination can support targeted phishing or account-recovery attacks that reference dating-platform context, approximate location, device traits or subscription activity. The presence of passwords in part of the indexed POF data raises password-reuse risk, even if the affected password set is not described in public company statements (leaksear.ch metadata). For security teams, emails, phones, usernames, IPs and device identifiers provide pivots for exposure checks, alert triage and user notification decisions (leaksear.ch metadata). If you used Match Group services, use the exposure check on this page to see whether your data appears in the Match Group 2026 leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, ip address, name, password, phone, and username. ## Sources - [Match Group: Our Company](https://mtch.com/ourcompany/) - [BleepingComputer: Match Group breach exposes data from Hinge, Tinder, OkCupid, and Match](https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/) - [The Register: ShinyHunters swipes right on 10M records in alleged dating app data grab](https://www.theregister.com/security/2026/01/29/shinyhunters-claims-it-stole10m-records-from-dating-apps/4922965) - [Malwarebytes: Match, Hinge, OkCupid, and Panera Bread breached by ransomware group](https://www.malwarebytes.com/blog/news/2026/01/match-hinge-okcupid-and-panera-bread-breached-by-ransomware-group) - [UpGuard: Match Group Suffers Alleged Breach According to Dark Web Reports](https://www.upguard.com/news/match-data-breach-2026-01-29) - [404 Media: Hackers Say They've Hacked Match Group, Maker of Hinge, OkCupid](https://www.404media.co/match-group-hacked-tinder-okcupid-hinge/) - [Google Cloud: Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft](https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft) --- ## Brand New Tube Breach Exposes 347K Accounts and SHA-1 Hashes Brand New Tube, an alternative video-sharing platform, has 347,388 records indexed by leaksear.ch from a breach dated August 14, 2022, exposing account identifiers, IP addresses, personal profile data and unsalted SHA-1 password hashes (leaksear.ch metadata). Have I Been Pwned lists the same incident as an August 2022 breach affecting almost 350,000 subscribers ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BrandNewTube)). ## What happened Have I Been Pwned reports that Brand New Tube suffered a data breach in August 2022 and that exposed data included email and IP addresses, usernames, genders, passwords stored as unsalted SHA-1 hashes and private messages ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BrandNewTube)). leaksear.ch metadata places the breached date on August 14, 2022 and the index date on June 16, 2026 (leaksear.ch metadata). The HIBP breach entry reports the incident and compromised data classes, but it does not identify an intrusion method such as ransomware, scraping, a third-party compromise, or a misconfigured database. The leaksear.ch metadata also does not identify a compromise vector, so the method of compromise should be treated as unconfirmed (leaksear.ch metadata). ## What data was exposed According to leaksear.ch indexing metadata, searchable pivots in this source include address, email address, hashed password, IP address, name, phone and username (leaksear.ch metadata). The records also carry non-searchable account context such as profile data, account status flags, age and gender fields, avatar and cover fields, country and language fields, device and push-notification token fields, donation PayPal email, social profile fields, registration and last-active timestamps, two-factor and verification flags, wallet and monetization-related fields, and upload/account limits (leaksear.ch metadata). Have I Been Pwned additionally lists private messages as a compromised data class for the breach ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/BrandNewTube)). ## Why this matters The combination of email addresses, usernames, names, phone and address fields, IP addresses and profile metadata gives attackers enough context for targeted phishing or account-recovery scams against people who used the service. The password hashes are also material: OWASP advises that SHA-1 is a legacy, less secure algorithm for password storage, and that fast hashes make large-scale guessing cheaper when password hashing best practices are not followed ([cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)). Users who reused their Brand New Tube password should change it everywhere it was reused and enable two-factor authentication where possible. If you used Brand New Tube, use the check below to see whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, email, hashed password, ip address, name, phone, and username. ## Sources - [Have I Been Pwned: Brand New Tube Data Breach](https://haveibeenpwned.com/Breach/BrandNewTube) - [OWASP Cheat Sheet Series: Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) --- ## Deezer leak exposes 244.6M records with emails, birth dates A Deezer leak indexed by leaksear.ch contains 244,648,718 records tied to the music-streaming service, with email, name, username, country, and date of birth available as search pivots (leaksear.ch metadata). The indexed breach date is April 22, 2019 (leaksear.ch metadata), a date also shown by Mozilla Monitor, while Have I Been Pwned lists 229 million affected Deezer accounts for an April 2019 breach ([monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/Deezer), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Deezer)). ## What happened Public sources point to a third-party service provider, not a newly reported compromise of Deezer's own systems. Have I Been Pwned describes the data as a mid-2019 backup exposed by a third-party partner, then sold and redistributed on a hacking forum; Deezer's support article says it was made aware in November 2022 of a leak in systems of a former provider it used until 2020 ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Deezer), [support.deezer.com](https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach)). Deezer says the provider retained data after the contract ended and after confirming destruction in 2020, and says Deezer's systems and databases were not affected ([support.deezer.com](https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach)). CyberInsider's December 2022 report said a forum user published a sample on November 6, 2022 and claimed data for more than 240 million users, but that claim should be treated as a threat-actor claim unless independently corroborated ([cyberinsider.com](https://cyberinsider.com/music-service-deezer-data-breach/)). ## What data was exposed The leaksear.ch index exposes searchable fields for country, date of birth, email, name, and username (leaksear.ch metadata). The stored record schema also contains non-searchable context including city, gender, language, user ID, registration date, platform, product, offer and partner IDs, newsletter and in-app, push, mail, and SMS opt-in fields, and usage counters related to playlists, lyrics clicks, streams, artist and genre mixes, and Sonos streams (leaksear.ch metadata). Public breach notices also identify overlapping and additional data types. Have I Been Pwned lists dates of birth, email addresses, genders, geographic locations, IP addresses, names, spoken languages, and usernames; Deezer's support page says exposed information included first and last names, date of birth, and email address, with no passwords or payment details discovered; Mozilla Monitor lists IP addresses, emails, dates of birth, genders, geographic locations, names, spoken languages, and usernames ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Deezer), [support.deezer.com](https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/Deezer)). ## Why this matters Names, emails, usernames, dates of birth, location fields, language, and subscription or communication-preference context can help attackers craft believable lures, especially subscription-renewal or payment-update phishing. Deezer's own guidance warns that compromised data can be used for phishing and urges users to be vigilant ([support.deezer.com](https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach)). Because passwords and payment details are not reported as exposed by Deezer, the immediate risk is less about direct payment-card compromise and more about phishing, account recovery abuse, and enrichment of other breach data. If you had a Deezer account, check whether your email, name, username, country, or date of birth appears in this leak (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, name, and username. ## Sources - [Have I Been Pwned: Deezer Data Breach](https://haveibeenpwned.com/Breach/Deezer) - [Deezer Support: Third Party Data Breach](https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach) - [CyberInsider: Music Service Deezer Admits Data Breach via Third Party Affecting 200M+ Users](https://cyberinsider.com/music-service-deezer-data-breach/) - [Mozilla Monitor: Deezer Data Breach](https://monitor.mozilla.org/en/breach-details/Deezer) --- ## mod.gov.il Leak Exposes 8.6K Aharai Participant Records A dataset indexed by leaksear.ch and attributed to mod.gov.il contains 8,603 Aharai participant records, with a listed breach date of November 9, 2021 (leaksear.ch metadata). The official site identifies mod.gov.il as the Israel Ministry of Defense domain, and the Excel files include names, Israeli identity numbers, email addresses, phone numbers, birth dates, addresses, program and group details, family details, status fields, and notes ([mod.gov.il](https://mod.gov.il/en)) (leaksear.ch metadata). ## What happened Breachsense lists a mod.gov.il data breach discovered on November 9, 2021, with Moses Staff as the threat actor ([www.breachsense.com](https://www.breachsense.com/breaches/mod-gov-il/)). Public reporting from October 27, 2021, said Moses Staff claimed it had conducted a cyberattack against the Israeli Defense Ministry and released files and photos it said came from ministry servers ([www.jpost.com](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278)). The exact exposure path for the indexed Aharai Excel files is not confirmed in the leaksear.ch metadata. In the same public reporting, Israel's National Cyber Directorate was quoted warning that hackers were exploiting a known email-server vulnerability and urging organizations to apply critical updates, but that warning should not be treated as confirmation of how this specific indexed spreadsheet was exposed ([www.jpost.com](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278)). Security coverage of the wider Moses Staff campaign described a politically motivated leak-and-encrypt operation against Israeli organizations, with no ransom demand. BleepingComputer and The Hacker News, citing Check Point Research, reported that the group leaked stolen data and used public channels such as Telegram or leak sites to amplify its claims ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/moses-staff-hackers-wreak-havoc-on-israeli-orgs-with-ransomless-encryptions/), [thehackernews.com](https://thehackernews.com/2021/11/new-moses-staff-hacker-group-targets.html)). Aharai's public site describes pre-army and leadership frameworks for Israeli youth, including military preparation, technological education, pre-military academies, and a year of service ([aharai.org.il](https://aharai.org.il/enfields-of-action/)). The Ministry of Defense's Defense and Society Department says it coordinates activities with youth movements and NGOs and works on youth military-preparation programs, which provides public context for the type of data described in the leak metadata but does not confirm the source of this leak ([mod.gov.il](https://mod.gov.il/en/departments/defense-and-society-department)). ## What data was exposed The indexed records contain direct identifiers and contact fields: names, email addresses, phone numbers, home phone numbers, usernames, addresses, country values, dates of birth, Hebrew birth dates, ages, gender, and Israeli identity or national ID values (leaksear.ch metadata). The records also include program and administrative context: district, framework, project, group, role, guidance level, recruitment and recruitment source, school class and school type, graduate and status fields, source file and source sheet, and row numbers (leaksear.ch metadata). The metadata also lists sensitive contextual fields such as father and mother names, family background indicators, health fund, injuries, medical approval, criminal history, participant background, scholarship or studies, training potential, additional characteristics, and general notes (leaksear.ch metadata). ## Why this matters This leak combines government-adjacent youth program data with national identifiers, contact details, birth dates, family information, medical and background indicators, and free-form notes, which creates long-lived risk for targeted phishing, doxxing, impersonation, and identity-fraud attempts (leaksear.ch metadata). Because public reporting tied Moses Staff to politically motivated leaking rather than conventional extortion, affected people should assume the exposure risk is not limited to financial fraud and may include harassment or social engineering that references Aharai, pre-military programs, or Ministry of Defense context ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/moses-staff-hackers-wreak-havoc-on-israeli-orgs-with-ransomless-encryptions/), [thehackernews.com](https://thehackernews.com/2021/11/new-moses-staff-hacker-group-targets.html)). Security teams and journalists should avoid circulating samples and should treat national ID, health, background, and family fields as especially sensitive. If you think you were connected to Aharai, a pre-military framework, or a related Ministry of Defense program, check this leak using your name, email address, phone number, username, date of birth, country, or address. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username. ## Sources - [Breachsense: mod.gov.il Data Breach in 2021](https://www.breachsense.com/breaches/mod-gov-il/) - [Israel Ministry of Defense: Homepage](https://mod.gov.il/en) - [Israel Ministry of Defense: Defense and Society Department](https://mod.gov.il/en/departments/defense-and-society-department) - [Aharai!: fields of action](https://aharai.org.il/enfields-of-action/) - [The Jerusalem Post: Hacker group leaks data, photos from Defense Ministry, Benny Gantz](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278) - [BleepingComputer: Moses Staff hackers wreak havoc on Israeli orgs with ransomless encryptions](https://www.bleepingcomputer.com/news/security/moses-staff-hackers-wreak-havoc-on-israeli-orgs-with-ransomless-encryptions/) - [The Hacker News: New 'Moses Staff' Hacker Group Targets Israeli Companies With Destructive Attacks](https://thehackernews.com/2021/11/new-moses-staff-hacker-group-targets.html) --- ## BestCombo List Exposes 1.6M Emails and Passwords A credential stuffing list labeled BestCombo/GGBestC exposed 1,557,021 records, roughly 1.56 million plaintext email and password entries tied by the listing to gaming and streaming services including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify (leaksear.ch metadata). The dataset is indexed with a breach date of October 28, 2023, and leaksear.ch metadata characterizes it as an aggregated combolist rather than a direct breach of those services (leaksear.ch metadata). ## What happened Leaksear.ch indexed the source on June 29, 2026. The metadata describes the file as a BestCombo/GGBestC combo list advertised as 1.6M Mail:Pass hits for Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify (leaksear.ch metadata). Public forum pages reviewed for context show similarly titled Bestcombo posts, including a Patched.to combolist thread submitted on September 26, 2023, and a HARD-TM database-giveaway thread started on October 28, 2023. In both cases, the visible post content is limited because the body is hidden behind registration or access controls ([patched.to](https://patched.to/Thread-1-6m-hits-netflix-minecraft-uplay-steam-hulu-spotify), [hard-tm.su](https://hard-tm.su/threads/28640/)). The available evidence supports treating this as a credential stuffing combolist, not as confirmation that any of the named gaming or streaming services were directly breached. OWASP describes credential stuffing as the use of stolen username and password pairs against other websites, usually relying on password reuse across services ([owasp.org](https://owasp.org/www-community/attacks/Credential_stuffing)). ## What data was exposed Leaksear.ch indexing metadata lists email, password, and username as exposed searchable fields. The source file contains plaintext email and password pairs, and the metadata does not list additional stored fields (leaksear.ch metadata). Because the passwords are plaintext, affected users should assume any reused password in the dataset is compromised. Security teams should treat matching corporate emails or usernames as an account-takeover signal and prioritize password rotation, login review, and MFA enforcement. ## Why this matters Credential stuffing lists create risk beyond the services named in the listing because attackers can test the same email, username, and password combinations anywhere the affected person reused credentials. The main risks are account takeover, phishing that references gaming or streaming accounts, and secondary compromise of email, payments, game libraries, subscription accounts, or workplace systems. For organizations, matches involving employee accounts should trigger password resets for reused credentials, investigation of suspicious authentication activity, and MFA coverage checks. CISA recommends multifactor authentication because it adds protection when a password is compromised, while OWASP notes that credential stuffing succeeds when exposed credentials are reused across sites ([www.cisa.gov](https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/require-multifactor-authentication), [owasp.org](https://owasp.org/www-community/attacks/Credential_stuffing)). If you may be affected, check your exposure in this leak and rotate any reused passwords immediately. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, password, and username. ## Sources - [Patched.to: 1.6M Hits \[Netflix,Minecraft,Uplay,Steam,Hulu,spotify\]](https://patched.to/Thread-1-6m-hits-netflix-minecraft-uplay-steam-hulu-spotify) - [HARD-TM: 1.6M Hits \[Netflix,Minecraft,Uplay,Steam,Hulu,spotify\]](https://hard-tm.su/threads/28640/) - [OWASP Foundation: Credential Stuffing](https://owasp.org/www-community/attacks/Credential_stuffing) - [CISA: Require Multifactor Authentication](https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/require-multifactor-authentication) --- ## Tout Data Leak Exposes 798K Records and Password Hashes leaksear.ch has indexed 797,968 Tout records from a breach dated to approximately September 2014, involving the now-defunct short-video social networking service (leaksear.ch metadata). Have I Been Pwned lists the Tout incident as a breach that exposed email addresses, names, IP addresses, user locations, bios, usernames, and bcrypt password hashes ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tout)). ## What happened Tout was a social video service where users could post video messages of up to 15 seconds and reply with their own short videos, according to TechCrunch coverage from 2012 ([techcrunch.com](https://techcrunch.com/2012/03/14/tout-touts-plans/)). Have I Been Pwned says Tout suffered a breach in approximately September 2014 and that the data appeared years later ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tout)). The leaksear.ch metadata records September 1, 2014 as the breach date and June 29, 2026 as the indexing date (leaksear.ch metadata). The available public sources reviewed for this article do not identify the intrusion vector, such as ransomware, scraping, third-party compromise, or misconfigured storage, so the cause should be treated as unconfirmed. ## What data was exposed The leaksear.ch indexing metadata lists searchable fields for email addresses, bcrypt password hashes, IP addresses, names, and usernames (leaksear.ch metadata). Other record fields include profile and account context such as bios, locations, avatar metadata, sign-in timestamps, last sign-in IP data, follower and following counts, privacy and notification settings, social account identifiers, admin and verified flags, and reset-password-related fields (leaksear.ch metadata). Have I Been Pwned lists the compromised data categories as bios, email addresses, geographic locations, IP addresses, names, passwords, and usernames, and states that the passwords were stored as bcrypt hashes ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tout)). ## Why this matters Even though the breach is old and the passwords were bcrypt-hashed, the combination of email addresses, usernames, names, IP addresses, profile locations, and bios can still help attackers personalize phishing or account-recovery social engineering. Users who reused a Tout password elsewhere should change it on any other service where it was reused and enable two-factor authentication where available, which aligns with Have I Been Pwned’s recommended actions for this breach ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tout)). If you used Tout, check whether your email, username, name, IP address, or password hash appears in this leak before responding to suspicious messages tied to that old account. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, ip address, name, and username. ## Sources - [Have I Been Pwned: Tout Data Breach](https://haveibeenpwned.com/Breach/Tout) - [TechCrunch: Tout’s Plans For Turning Video Status Updates Into A Business](https://techcrunch.com/2012/03/14/tout-touts-plans/) --- ## Tigo Leak Exposed 10.3M User Records and Profile Data A dataset attributed to Tigo, a video chat and dating platform, has been indexed by leaksear.ch with 10,312,198 records and a listed breach date of March 31, 2023 (leaksear.ch metadata). Tigo is publicly described as a real-time chat app with 10M+ downloads on Google Play and as a 1-on-1 video chat platform on its website ([play.google.com](https://play.google.com/store/apps/details?id=com.tigo.flower), [tigo.chat](https://tigo.chat/)). ## What happened Have I Been Pwned's public Tigo entry says that in mid-2023, 300GB of data containing more than 100 million records from the Chinese video chat platform was discovered, dating back to March 2023 ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tigo)). HIBP reported 700.4 thousand affected accounts, added the incident on July 24, 2023, and said Tigo did not respond to multiple disclosure attempts ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tigo)). The leaksear.ch dataset covered here is the 10,312,198-record index described in the supplied metadata, which lists March 31, 2023 as the breach date (leaksear.ch metadata). The public sources reviewed do not confirm a root cause such as ransomware, scraping, a third-party compromise, or misconfigured storage, so the exposure mechanism should be treated as unconfirmed. ## What data was exposed The leaksear.ch indexing metadata lists searchable pivots for country, email address, IP address, name, phone number, and username (leaksear.ch metadata). Stored fields also include account IDs, profile photos or avatars, gender, language, timezone, client IP data, device IDs, phone model, operating-system and platform details, app version, channel information, registration and activity timestamps, login type, and VIP or recharge-related metadata (leaksear.ch metadata). HIBP's public Tigo entry separately lists compromised data categories including device information, email addresses, genders, geographic locations, IP addresses, names, profile photos, usernames, and private messages ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Tigo)). Private messages are not listed in the supplied leaksear.ch searchable or stored field metadata for this indexed dataset. ## Why this matters The combination of contact details, usernames, profile photos, device information, IP addresses, and activity metadata can help attackers build credible phishing lures or link a Tigo profile to accounts on other services. Because Tigo is a video chat and dating context, exposure of names, photos, gender, phone numbers, and usage metadata may also increase harassment, doxxing, and social-engineering risks. Security teams should watch for Tigo-themed phishing, account-recovery abuse, and employee exposure where corporate emails or reused usernames appear. If you used Tigo, search leaksear.ch for your email, username, name, phone number, IP address, or country to check whether your data appears in this leak (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, email, ip address, name, phone, and username. ## Sources - [Have I Been Pwned: Tigo Data Breach](https://haveibeenpwned.com/Breach/Tigo) - [Google Play: Tigo-Live Video Chat&More](https://play.google.com/store/apps/details?id=com.tigo.flower) - [Tigo: Home](https://tigo.chat/) --- ## Dave Breach Exposed 7.4M Records With PII, Password Hashes Dave, a U.S.-based personal finance and mobile banking app, has a leaksear.ch-indexed breach dataset containing 7,387,232 records tied to a breach dated June 28, 2020 (leaksear.ch metadata). The indexed fields include personal identifiers and account security data, while public reporting tied the incident to Dave's former service provider Waydev and a roughly 7.5 million-row dump ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Dave), [www.bankinfosecurity.com](https://www.bankinfosecurity.com/dave-mobile-banking-app-breach-exposes-3-million-accounts-a-14708)). ## What happened Dave disclosed in July 2020 that a malicious party accessed certain user data after a breach at Waydev, a former third-party service provider. Banking Dive reported that Dave said the incident exposed names, emails, birth dates, physical addresses and phone numbers, and that bank account numbers, credit card numbers, financial transaction records and unencrypted Social Security numbers were not affected ([www.bankingdive.com](https://www.bankingdive.com/news/dave-security-breach/582426/)). Have I Been Pwned describes the breach as a June 2020 incident that exposed 7.5 million rows and later appeared for public download on a hacking forum, with 3 million affected accounts listed in HIBP. BankInfoSecurity reported the same distinction: almost 3 million unique email addresses in a dataset with 7.5 million rows, while leaksear.ch metadata lists 7,387,232 indexed records for this dataset (leaksear.ch metadata, [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Dave), [www.bankinfosecurity.com](https://www.bankinfosecurity.com/dave-mobile-banking-app-breach-exposes-3-million-accounts-a-14708)). SecurityWeek reported that the Waydev incident involved compromised GitHub OAuth tokens and that Dave was working with CrowdStrike while notifying customers and resetting passwords. Public reporting supports the third-party compromise narrative, but the exact mapping between rows, users and unique accounts varies by source ([www.securityweek.com](https://www.securityweek.com/digital-banking-service-dave-says-data-stolen-third-party-breach/)). ## What data was exposed The leaksear.ch indexing metadata lists these searchable fields for the Dave dataset: address, date of birth, email, hashed password, name and phone number (leaksear.ch metadata). The metadata description also lists encrypted Social Security numbers and bcrypt-hashed passwords, and HIBP separately lists dates of birth, email addresses, names, passwords, phone numbers, physical addresses and Social Security numbers as compromised categories (leaksear.ch metadata, [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Dave)). Other non-searchable record fields in the metadata include secondary email, account identifiers, verification and subscription status flags, and profile-related fields. Those fields provide context for incident responders, but they are not direct search pivots on leaksear.ch (leaksear.ch metadata). ## Why this matters For affected Dave users, the combination of name, date of birth, address, email and phone number is durable identity data that can support phishing, social engineering and account recovery fraud (leaksear.ch metadata). The reported absence of bank account numbers, card numbers, transaction records and unencrypted Social Security numbers narrows the direct financial-data exposure, but it does not remove credential or identity risk ([www.bankingdive.com](https://www.bankingdive.com/news/dave-security-breach/582426/)). Password hashes reduce immediate plaintext exposure, but reused or weak passwords remain important to rotate anywhere the same credentials were used ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Dave)). If you used Dave, check your exposure with the leaksear.ch lookup for this dataset's supported searchable fields. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, hashed password, name, and phone. ## Sources - [Have I Been Pwned: Dave Data Breach](https://haveibeenpwned.com/Breach/Dave) - [BankInfoSecurity: Dave: Mobile Banking App Breach Exposes 3 Million Accounts](https://www.bankinfosecurity.com/dave-mobile-banking-app-breach-exposes-3-million-accounts-a-14708) - [Banking Dive: Dave security breach exposes 7.5M users' data](https://www.bankingdive.com/news/dave-security-breach/582426/) - [SecurityWeek: Digital Banking Service Dave Says Data Stolen in Third-Party Breach](https://www.securityweek.com/digital-banking-service-dave-says-data-stolen-third-party-breach/) --- ## Bonobos Leak Exposes 1.85M Customer Records and Password Hashes leaksear.ch has indexed 1,852,880 Bonobos customer account records tied to an August 2020 breach of the US men’s apparel retailer (leaksear.ch metadata). The indexed data includes emails, names, phone numbers, postal addresses, IP addresses, usernames, and salted SHA-512 password hashes (leaksear.ch metadata). ## What happened Public reporting from January 2021 said a Bonobos database backup was downloaded by a threat actor from an external cloud environment, and that Bonobos stated it had not found evidence of unauthorized access to its internal corporate systems ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/)). BleepingComputer reported that ShinyHunters later posted the full Bonobos database to a hacker forum, describing it as a roughly 70 GB SQL file containing internal website tables and customer-related data ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/)). Have I Been Pwned lists the Bonobos breach as occurring in August 2020 and says the broader breach corpus contained 2.8 million unique email addresses, along with names, physical and IP addresses, phone numbers, order histories, salted SHA-512 password hashes, historical passwords, and partial credit-card data ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Bonobos)). The leaksear.ch index described here is scoped to 1,852,880 customer account records (leaksear.ch metadata). ## What data was exposed The leaksear.ch indexed Bonobos records include account and contact fields: email addresses, usernames, names, phone numbers, postal addresses, country values, IP addresses, and hashed passwords (leaksear.ch metadata). The password material in this indexed dataset is described as salted SHA-512 password hashes, not plaintext passwords (leaksear.ch metadata). Additional stored fields in the indexed records include account activity and system metadata such as city, state, ZIP code, sign-in counts, sign-in timestamps, current and last sign-in IPs, password reset timestamps and tokens, remember tokens, salts, address IDs, store IDs, and related internal identifiers (leaksear.ch metadata). These fields provide context inside the stored records but are not all direct search pivots on leaksear.ch (leaksear.ch metadata). ## Why this matters The combination of contact details, IP addresses, account history, and password hashes can support targeted phishing, account-recovery scams, and credential-stuffing risk if affected users reused passwords elsewhere. Bonobos customers should be especially cautious with messages referencing past orders, address details, password resets, or payment issues, because public reporting said the broader database included order and partial card-related information ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Bonobos), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/)). Anyone who created a Bonobos account should check whether their email address, username, phone number, name, or address appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, hashed password, ip address, name, phone, and username. ## Sources - [Have I Been Pwned: Bonobos Data Breach](https://haveibeenpwned.com/Breach/Bonobos) - [BleepingComputer: Bonobos clothing store suffers a data breach, hacker leaks 70GB database](https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/) --- ## Click.org Leak Exposes 89,889 Accounts and Passwords A dataset indexed by leaksear.ch exposes 89,889 Click.org user account records, including contact details, IP addresses, plaintext passwords, and MD5-hashed passwords (leaksear.ch metadata). Click.org describes itself as a click tracking, URL shortening, redirection, and marketing optimization service for online marketers ([click.org](https://click.org/), [click.org](https://click.org/frequently-asked-questions)). ## What happened leaksear.ch metadata lists the breach date as April 16, 2021 and identifies the exposed dataset as Click.org user account records (leaksear.ch metadata). Public Click.org pages reviewed for this article describe the service and its hosted account model, but do not establish how the dataset became exposed ([click.org](https://click.org/frequently-asked-questions)). No public source reviewed for this article confirms whether the exposure resulted from ransomware, scraping, a misconfigured system, a third-party compromise, or another incident type. The exposure mechanism should therefore be treated as unconfirmed. ## What data was exposed The indexed records include email addresses, usernames, names, IP addresses, postal addresses, phone numbers, countries, plaintext passwords, and MD5-hashed passwords (leaksear.ch metadata). The dataset also contains account, subscription, profile, payment, and integration-related fields, including company and role details, plan and subscription attributes, PayPal email/payment method labels, Stripe subscription identifiers, transaction/payment attributes, account-status flags, verification-related fields, API key fields, token fields, and profile metadata (leaksear.ch metadata). Click.org publicly describes features that involve tracking links, clicks, conversions, email opens, campaign data, IP addresses, country of origin, browser type, operating system, and real-time reporting for marketing campaigns ([click.org](https://click.org/features.htm), [click.org](https://click.org/frequently-asked-questions)). That context matters because exposed account and subscription data may identify marketers, affiliates, businesses, and campaign operators tied to the service. ## Why this matters The presence of plaintext passwords means affected users should treat the listed credentials as fully exposed, especially if the same password was reused on email, advertising, affiliate, payment, or SaaS accounts. MD5-hashed passwords should also be treated as high risk, because password hashes in a leak can become a credential-reuse and account-takeover problem when paired with emails and usernames. Contact details, IP addresses, subscription records, and payment-related identifiers can support targeted phishing, support-desk impersonation, and fraud attempts against Click.org users or their businesses. If you used Click.org, check whether your email, username, phone number, address, IP address, or password appears in this leak and rotate any reused credentials immediately. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, hashed password, ip address, name, password, phone, and username. ## Sources - [Click.org: The #1 Click Tracking Software For Online Marketers](https://click.org/) - [Click.org: Frequently Asked Questions](https://click.org/frequently-asked-questions) - [Click.org: Click.org Has Over 50 Click Tracking Features](https://click.org/features.htm) --- ## Clf09.com Leak Exposes 2.5M Emails, Usernames and Hashes leaksear.ch has indexed a Clf09.com (草榴社區) forum leak containing 2,459,744 records, roughly 2.5 million entries, with usernames, email addresses, and hashed passwords exposed on August 3, 2022 (leaksear.ch metadata). Clf09.com is associated with 草榴社區, a Chinese-language adult forum that Chinese media have described as a well-known adult site with invitation-based registration ([thepaper.cn](https://www.thepaper.cn/newsDetail_forward_3938351)). ## What happened Public reporting about the underlying intrusion is limited. RansomLook has a public Clf09.com leak entry indexed on August 3, 2022 and showing columns for username, email\_address, and password ([ransomlook.io](https://www.ransomlook.io/leak/3565)). That public entry lists 3,282,689 records, which differs from the 2,459,744 records indexed by leaksear.ch. This article uses the leaksear.ch count for the searchable dataset and cites RansomLook only as external public context (leaksear.ch metadata, [ransomlook.io](https://www.ransomlook.io/leak/3565)). The available public sources reviewed for this article do not establish whether the data came from a direct forum compromise, scraping, a misconfigured backup, or another exposure path. No official Clf09.com disclosure was found in the public sources reviewed, so the breach mechanism should be treated as unconfirmed. ## What data was exposed The leaksear.ch index lists three searchable pivots: email addresses, usernames, and hashed passwords (leaksear.ch metadata). The metadata does not list names, phone numbers, government IDs, payment cards, or plaintext passwords as exposed fields (leaksear.ch metadata). ## Why this matters An email address paired with a forum username can support targeted phishing or extortion-themed scams, especially where membership in an adult forum may be sensitive ([thepaper.cn](https://www.thepaper.cn/newsDetail_forward_3938351)). The hashed password field is not the same as a plaintext password, but OWASP notes that password hashes can sometimes be cracked depending on password strength and hashing practices, and reused credentials can then become a credential-stuffing risk across other services ([cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), [owasp.org](https://owasp.org/www-community/attacks/Credential_stuffing)). Individuals should change any reused Clf09.com password, enable MFA where possible, and consider a password manager, steps NIST recommends for password-protected accounts ([nist.gov](https://www.nist.gov/cybersecurity-and-privacy/how-do-i-create-good-password)). If you want to check whether your email, username, or hashed password appears in this leak, use the exposure-checking option provided with this article. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, and username. ## Sources - [RansomLook: Clf09.Com](https://www.ransomlook.io/leak/3565) - [The Paper: 草榴社区4名核心成员被抓!](https://www.thepaper.cn/newsDetail_forward_3938351) - [OWASP Cheat Sheet Series: Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) - [OWASP Foundation: Credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing) - [NIST: How Do I Create a Good Password?](https://www.nist.gov/cybersecurity-and-privacy/how-do-i-create-good-password) --- ## Business Gazeta 155K-record leak exposes account data leaksear.ch has indexed a Business Gazeta dataset containing 155,663 records, with email addresses, usernames, hashed passwords, names, phone numbers, dates of birth, and IP addresses (leaksear.ch metadata). The metadata lists December 17, 2020 as the breach date (leaksear.ch metadata), and the affected name matches business-gazeta.ru, the site used by the Kazan-based БИЗНЕС Online media outlet ([business-gazeta.ru](https://www.business-gazeta.ru/amp/9650)). ## What happened Business-gazeta.ru is the publishing site for БИЗНЕС Online, which its own about page describes as a business media outlet in Tatarstan launched in 2007. Медиалогия ranked Business-gazeta.ru second among Tatarstan media resources for 2025 ([business-gazeta.ru](https://www.business-gazeta.ru/amp/9650), [mlg.ru](https://www.mlg.ru/ratings/media/regional/14490/)). The leak-source metadata dates the breach to December 17, 2020 and the leaksear.ch indexing date to May 31, 2026. The metadata does not identify an intrusion method, attacker, third-party service, or public disclosure by the organization, so the exposure vector should be treated as unconfirmed rather than attributed to ransomware, scraping, misconfigured storage, or a vendor compromise (leaksear.ch metadata). ## What data was exposed Based on the leaksear.ch indexing metadata, the searchable fields in this dataset are dates of birth, email addresses, hashed passwords, IP addresses, names, phone numbers, and usernames (leaksear.ch metadata). Other fields listed in the records, but not directly searchable on the platform, include profile or biography text, account creation and last-login dates, a second password-hash field, API-token and random-key fields, sex, source, state, user ID, profile image, and work information. The supplied metadata does not list payment card numbers or national identity document numbers (leaksear.ch metadata). ## Why this matters Names, dates of birth, email addresses, phone numbers, and usernames can be used to build convincing phishing and account-recovery scams. Hashed passwords are not plaintext, but they still represent credential material, especially if users reused passwords or if weak hashes are later cracked. IP addresses and login-context fields can also help attackers make social-engineering attempts look more specific. Readers who used Business Gazeta or БИЗНЕС Online should check whether their email, username, phone number, name, date of birth, IP address, or hashed password appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include date of birth, email, hashed password, ip address, name, phone, and username. ## Sources - [БИЗНЕС Online: О газете](https://www.business-gazeta.ru/amp/9650) - [Медиалогия: Республика Татарстан: рейтинг СМИ за 2025 год](https://www.mlg.ru/ratings/media/regional/14490/) --- ## CDEK Leak Exposes 7,445 Customer Emails and Names leaksear.ch has indexed 7,445 records tied to CDEK from a breach dated March 9, 2022, with email addresses and names available as search pivots (leaksear.ch metadata). Public breach listings identify CDEK as a Russian courier service and describe the broader March 2022 incident as an unverified leak of customer names, email addresses, and phone numbers ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/CDEK), [www.twingate.com](https://www.twingate.com/blog/tips/cdek-data-breach)). ## What happened Have I Been Pwned lists CDEK as an unverified breach and says that in early 2022 a collective known as IT Army published more than 30GB of data allegedly sourced from CDEK, containing over 19 million unique email addresses with names and phone numbers ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/CDEK)). Twingate's later summary likewise describes the incident as March 2022, attributed to IT Army, and notes that authenticity could not be independently verified ([www.twingate.com](https://www.twingate.com/blog/tips/cdek-data-breach)). Public reporting on the same period provides context for the attribution: BleepingComputer reported on February 26, 2022 that Ukraine was recruiting a volunteer IT Army to conduct cyberattacks on Russian entities ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/ukraine-recruits-it-army-to-hack-russian-entities-lists-31-targets/)). The public sources reviewed describe publication of the data, but do not confirm the initial access vector. ## What data was exposed The leaksear.ch index exposes email and name as searchable fields (leaksear.ch metadata). The records also include stored context fields listed as customer\_id, id, name\_upper, pickup\_point, and uuid; these are not listed as direct search pivots in the metadata (leaksear.ch metadata). The source metadata and public breach listings identify phone numbers as part of the CDEK exposure, but the leaksear.ch searchable pivots for this index are email and name (leaksear.ch metadata, [haveibeenpwned.com](https://haveibeenpwned.com/Breach/CDEK), [www.twingate.com](https://www.twingate.com/blog/tips/cdek-data-breach)). ## Why this matters Names paired with email addresses and, in the broader leak reporting, phone numbers can support credible parcel-themed phishing, impersonation of courier support, and account-recovery attempts against other services. Customer identifiers and pickup-point references may also help social-engineering messages look more specific. The leaksear.ch metadata does not list passwords or payment-card fields for this indexed dataset, but the contact data alone is still useful for targeted scams (leaksear.ch metadata). People who used CDEK or received deliveries through the service should check whether their email address or name appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email and name. ## Sources - [Have I Been Pwned: CDEK Data Breach](https://haveibeenpwned.com/Breach/CDEK) - [Twingate: What happened in the Cdek data breach?](https://www.twingate.com/blog/tips/cdek-data-breach) - [BleepingComputer: Ukraine recruits "IT Army" to hack Russian entities, lists 31 targets](https://www.bleepingcomputer.com/news/security/ukraine-recruits-it-army-to-hack-russian-entities-lists-31-targets/) --- ## Atmeltomo Leak Exposes 579,885 Records With MD5 Hashes Atmeltomo, a Japanese email-friend and pen-pal service at atmeltomo.com, has a 2021 data leak indexed by leaksear.ch with 579,885 records containing emails, usernames, IP addresses, profile details, optional birthdates, and unsalted MD5 password hashes (leaksear.ch metadata). The breach date in the index is April 16, 2021 (leaksear.ch metadata), the same date listed by Mozilla Monitor, which says the breach was added to its database on August 22, 2023 ([monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/Atmeltomo)). ## What happened Public reporting describes Atmeltomo as a Japanese e-mail friend search service. Have I Been Pwned says the data was later sold on a popular hacking forum and described the public breach set as 1.3 million records with about 580,000 unique email addresses, plus usernames, IP addresses, and unsalted MD5 password hashes ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Atmeltomo)). SOCRadar reported that on August 25, 2022, an announcement in a hacker forum it monitors advertised a leaked Atmeltomo database containing 1.3 million users' information, and RedPacket Security republished HIBP's August 2023 Atmeltomo breach notice ([socradar.io](https://socradar.io/the-week-in-dark-web-29-august-2022-access-sales-and-data-leaks/), [redpacketsecurity.com](https://www.redpacketsecurity.com/atmeltomo-580-177-breached-accounts/)). None of the cited public sources or the supplied metadata identify the initial access path, so leaksear.ch is not attributing this to ransomware, scraping, a third-party compromise, or a misconfigured system (leaksear.ch metadata) ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Atmeltomo), [socradar.io](https://socradar.io/the-week-in-dark-web-29-august-2022-access-sales-and-data-leaks/)). ## What data was exposed leaksear.ch indexed the Atmeltomo leak with searchable fields for date of birth, email, hashed password, IP address, name, and username (leaksear.ch metadata). The records also include non-searchable context fields for bio text, registration date, stated location or from field, interests, and occupation (leaksear.ch metadata). Have I Been Pwned and Mozilla Monitor publicly list email addresses, IP addresses, passwords, and usernames as compromised, while HIBP's description specifies unsalted MD5 password hashes ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Atmeltomo), [monitor.mozilla.org](https://monitor.mozilla.org/en/breach-details/Atmeltomo)). No raw leaked records or sample values are included here. ## Why this matters The exposed fields create practical risks rather than only account-reset risk: email and username pairs can help attackers target credential-reuse attempts, while IP addresses, locations, birthdates, and profile text can make phishing more credible. Unsalted MD5 hashes are especially sensitive because OWASP recommends unique salts and slow password hashing algorithms, and describes MD5 as a less secure legacy hash that should be upgraded ([cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)). Individuals who reused an Atmeltomo password elsewhere should change those passwords and enable MFA, and security teams should watch for targeted lures using Atmeltomo profile details. To check whether your data is in this leak, search your own identifiers, such as email or username, through the leaksear.ch exposure check. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include date of birth, email, hashed password, ip address, name, and username. ## Sources - [Have I Been Pwned: Atmeltomo Data Breach](https://haveibeenpwned.com/Breach/Atmeltomo) - [Mozilla Monitor: Atmeltomo Data Breach](https://monitor.mozilla.org/en/breach-details/Atmeltomo) - [SOCRadar: The Week in Dark Web - 29 August 2022 - Access Sales and Data Leaks](https://socradar.io/the-week-in-dark-web-29-august-2022-access-sales-and-data-leaks/) - [RedPacket Security: Atmeltomo - 580,177 breached accounts](https://www.redpacketsecurity.com/atmeltomo-580-177-breached-accounts/) - [OWASP: Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) --- ## ArmA 3 Life Leak Exposes 125K Emails and Password Hashes leaksear.ch has indexed an ArmA 3 Life user database leak containing 125,358 records, with a listed breach date of May 29, 2018 (leaksear.ch metadata). ArmA 3 Life was a roleplay community built around an Arma 3 modification, while Bohemia Interactive describes Arma 3 as a tactical shooter with single-player, multiplayer, and content-creation features ([arma-3-life.fandom.com](https://arma-3-life.fandom.com/wiki/Arma_3_Life_Wiki), [www.bohemia.net](https://www.bohemia.net/games/arma3)). ## What happened Public community pages reviewed for this article identify ArmA 3 Life as a roleplay modification and community, and its Steam group lists the group as founded on September 7, 2013, with a notice that the community is no longer active ([steamcommunity.com](https://steamcommunity.com/groups/a3l), [arma-3-life.fandom.com](https://arma-3-life.fandom.com/wiki/Arma_3_Life_Wiki)). The supplied leak metadata identifies a breached user database, but does not specify an exposure vector, threat actor, ransomware claim, third-party compromise, or misconfigured storage source (leaksear.ch metadata). ## What data was exposed The indexed dataset contains user database records with email addresses, usernames, names, hashed passwords, IP addresses, and dates of birth as searchable fields (leaksear.ch metadata). The records also include join dates, member IDs, password salts, and Steam IDs as stored fields (leaksear.ch metadata). No raw records, password hashes, salts, IP addresses, or Steam IDs are included here. ## Why this matters The combination of email addresses, usernames, dates of birth, IP addresses, and Steam IDs can support targeted phishing, account-recovery abuse, impersonation, and harassment against former community members. Salted password hashes are not plaintext passwords, but affected users should treat them as sensitive, especially if they reused the same password on gaming, email, Steam, or forum accounts. Anyone who used ArmA 3 Life should reset reused passwords, enable two-factor authentication where available, and check whether their own data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include date of birth, email, hashed password, ip address, name, and username. ## Sources - [Bohemia Interactive: Arma 3](https://www.bohemia.net/games/arma3) - [Fandom: Arma 3 Life Wiki](https://arma-3-life.fandom.com/wiki/Arma_3_Life_Wiki) - [Steam Community: Arma 3 life Official](https://steamcommunity.com/groups/a3l) --- ## Air Miles España Leak Exposes 5.1M Names, Emails A leak tied to Air Miles España, operator of the Travel Club loyalty program, exposes 5,120,597 records, including names, emails, usernames, and dates of birth (leaksear.ch metadata). The leak-source metadata attributes the dataset to Everest ransomware and lists November 25, 2025 as the breach date, consistent with public reporting that Everest claimed an intrusion against Air Miles España in late November 2025 ([cybernews.com](https://cybernews.com/security/travel-club-spain-everest-ransomware/), [www.scworld.com](https://www.scworld.com/brief/cybersecurity-threat-everest-ransomware-group-targets-iberia-and-air-miles-espana)). ## What happened Air Miles España describes itself as the company that manages Travel Club and Inloyalty, with Repsol, Iberia, and Eroski as shareholders. The company says Travel Club has more than 6.8 million members and more than 10,000 associated establishments ([www.travelclub.es](https://www.travelclub.es/trabaja_con_nosotros.cfm)). Cybernews reported on November 25, 2025 that the Everest ransomware group listed Air Miles España on its leak portal and claimed to have exfiltrated 131GB of data, including millions of customer records. Cybernews also reported at the time that Everest’s claim had not been publicly confirmed by the company, so the incident should be treated as attacker-attributed public reporting unless Air Miles España issues confirmation ([cybernews.com](https://cybernews.com/security/travel-club-spain-everest-ransomware/)). SC Media separately summarized the incident as an Everest claim against Air Miles España, the operator of Spain’s Travel Club rewards program, with potentially exposed personal details and loyalty account information. Breachsense also lists travelclub.es as the victim, Everest as the threat actor, November 25, 2025 as the discovery date, and 131GB as the leak size ([www.scworld.com](https://www.scworld.com/brief/cybersecurity-threat-everest-ransomware-group-targets-iberia-and-air-miles-espana), [www.breachsense.com](https://www.breachsense.com/breaches/travel-club-data-breach/)). ## What data was exposed The leaksear.ch index for this leak contains directly searchable names, email addresses, usernames, and dates of birth (leaksear.ch metadata). Additional stored fields in the indexed records include membership and program metadata, such as affiliation channel, signup dates, email signup dates, physical cancellation dates, email blocking dates, account or member status indicators, gender or sex, program flags, an email-block flag, and an internal loyalty household or member identifier (leaksear.ch metadata). These additional fields are stored with records but are not listed as searchable pivots on leaksear.ch. ## Why this matters Names, emails, usernames, and dates of birth give attackers enough context to craft convincing Travel Club, retail, airline, or fuel-program phishing lures. Dates of birth can also increase identity-verification and account-recovery risk when organizations use them as weak knowledge checks. For security teams, the loyalty-program context matters because exposed account lifecycle and program metadata can help attackers distinguish active members from inactive or blocked accounts. Individuals who used Travel Club should check whether their data appears in this leak and treat unexpected loyalty-point, password-reset, or partner-promotion messages with caution. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include date of birth, email, name, and username. ## Sources - [Cybernews: Everest Claims Travel Club, Spain’s Largest Coalition Loyalty Program](https://cybernews.com/security/travel-club-spain-everest-ransomware/) - [SC Media: Everest Ransomware Group Targets Iberia and Air Miles España](https://www.scworld.com/brief/cybersecurity-threat-everest-ransomware-group-targets-iberia-and-air-miles-espana) - [Breachsense: Travel Club Data Breach in 2025](https://www.breachsense.com/breaches/travel-club-data-breach/) - [Travel Club: Conócenos, Programa](https://www.travelclub.es/trabaja_con_nosotros.cfm) --- ## Zara Leak: 151.4M Records Include Emails and Purchase Data leaksear.ch has indexed 151,368,047 records from a Zara data leak dated April 22, 2026, involving emails, country data and purchase related fields (leaksear.ch metadata). Public reporting and Have I Been Pwned describe a narrower confirmed people count, about 197,400 unique email addresses, and say Inditex told media that passwords and payment information were not affected ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Zara), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/)). ## What happened Inditex, Zara's parent company, said on April 16, 2026 that it had identified unauthorized access to third-party-hosted databases containing information on customer transactions. The company said the breach stemmed from a security incident at a former technology provider, that it had started notifying authorities, and that the databases did not contain addresses, passwords or bank card details ([www.marketscreener.com](https://www.marketscreener.com/news/zara-owner-inditex-reports-unauthorised-access-to-transaction-databases-ce7e50ddda89f320)). ShinyHunters later claimed the Zara leak and Hackread reported that the group published Zara and 7-Eleven listings on April 22, 2026 as part of a pay-or-leak campaign. Hackread said the Zara listing referenced BigQuery instances and Anodot as an entry point, while Have I Been Pwned also described Zara as one of several organizations targeted in a ShinyHunters pay-or-leak campaign tied to an alleged Anodot analytics platform compromise ([hackread.com](https://hackread.com/shinyhunters-leak-udemy-zara-7-eleven-data-breach/), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Zara)). The leaksear.ch metadata attributes the indexed set to ShinyHunters' April 22 publication and describes compromised Anodot analytics-platform authentication tokens used to exfiltrate about 140 GB of customer support tickets, ecommerce orders, newsletter subscriptions and product-catalog data from Zara BigQuery instances (leaksear.ch metadata). BleepingComputer separately reported that ShinyHunters claimed a 140 GB archive was taken from BigQuery instances using compromised Anodot authentication tokens, while noting that Inditex had not publicly attributed the incident to a specific threat actor or named the provider ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/)). ## What data was exposed In the leaksear.ch index, the searchable pivots are country and email (leaksear.ch metadata). Other stored fields are purchase or merchandising fields, including first purchase date and month, fiscal year of first purchase, date and country IDs, euro amount, ranking and units (leaksear.ch metadata). Public breach descriptions add unique email addresses, geographic locations, purchases and support ticket data, including product SKUs, order IDs and the market where the support ticket originated ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Zara), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/)). The public sources reviewed here do not support claims that names, phone numbers, postal addresses, passwords or payment card data were included in this leak ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/), [www.marketscreener.com](https://www.marketscreener.com/news/zara-owner-inditex-reports-unauthorised-access-to-transaction-databases-ce7e50ddda89f320)). ## Why this matters Email addresses paired with order, product and support-ticket context can make fake refund, delivery, account-support and loyalty-program messages more convincing. Cybernews similarly noted that the breach could give attackers a sharper phishing playbook by tying customer identities to real orders and complaints ([cybernews.com](https://cybernews.com/security/zara-confirms-200000-customers-data-exposed-in-alleged-ransomware-attack/)). For security teams, the practical work is customer-facing: monitor brand impersonation, validate support and notification domains, and prepare guidance for people who may receive messages referencing Zara orders. If you have used Zara online, use the check below to see whether your email or country appears in this indexed leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country and email. ## Sources - [Have I Been Pwned: Zara Data Breach](https://haveibeenpwned.com/Breach/Zara) - [BleepingComputer: Zara data breach exposed personal information of 197,000 people](https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/) - [Hackread: ShinyHunters Leaks Data of Udemy, Zara, 7-Eleven in Salesforce Linked Breach](https://hackread.com/shinyhunters-leak-udemy-zara-7-eleven-data-breach/) - [MarketScreener: Zara owner Inditex reports unauthorised access to transaction databases](https://www.marketscreener.com/news/zara-owner-inditex-reports-unauthorised-access-to-transaction-databases-ce7e50ddda89f320) - [Cybernews: Zara data breach exposes 200K customers after alleged ransomware attack](https://cybernews.com/security/zara-confirms-200000-customers-data-exposed-in-alleged-ransomware-attack/) --- ## Charter Communications Leak Exposes 84.8K CRM Records This leaksear.ch source covers 84,818 indexed Charter Communications records tied to an April 1, 2026 Salesforce data exfiltration attributed to ShinyHunters, including customer contact details, sales and CRM cases, support tickets, and internal Spectrum employee directory entries (leaksear.ch metadata). The dataset sits within a broader publicly reported Charter incident in which Have I Been Pwned lists 4.9 million affected email addresses, while Charter has disputed claims that sensitive personal information or CPNI was taken ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Charter), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/)). ## What happened ShinyHunters claimed it compromised an employee Microsoft Entra account through voice phishing on April 1, 2026, then used that access to export data from Charter's Salesforce instance ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/)). Charter did not attribute the attack in public reporting reviewed here; the company said it was following security protocols, working with authorities, and that sensitive PI or CPNI was not exfiltrated ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/), [cybernews.com](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/)). Public scale reporting has varied. ShinyHunters claimed tens of millions of records, Cybernews reported at least 13 million exposed individuals and nearly 10 million support ticket records, and Have I Been Pwned lists 4.9 million unique email addresses plus an approximately 85,000-record internal employee directory subset with job titles ([cybernews.com](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/), [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Charter)). Those public figures are distinct from the 84,818 records indexed in this leaksear.ch source (leaksear.ch metadata). ## What data was exposed The leaksear.ch metadata lists name, email, phone, country, and address as searchable fields in the indexed Charter dataset (leaksear.ch metadata). The same metadata describes exposed customer contact details, sales and CRM cases, support tickets, and internal Spectrum employee directory entries (leaksear.ch metadata). Stored non-searchable context fields include business unit, department, desk phone, location code, management area, preferred name fields, job title, UUID, and image path fields (leaksear.ch metadata). Public sources separately report names, email addresses, phone numbers, physical addresses, and job titles in the broader Charter breach, with Cybernews also reporting support ticket subjects, timestamps, customer emails, and phone numbers in the posted data ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Charter), [cybernews.com](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/)). ## Why this matters Contact details combined with workplace context can support targeted phishing, vishing, support impersonation, and business email compromise pretexts. For enterprise customers and employees, department names, job titles, desk phones, and support ticket context can help attackers make fraudulent outreach look more credible. Charter has disputed claims that CPNI or sensitive PI was exfiltrated, so affected parties should separate confirmed contact and directory exposure from threat-actor claims about additional telecom data ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/)). If you are a Charter or Spectrum customer, employee, or enterprise contact, check whether your name, email, phone, country, or address appears in this leak before responding to unsolicited account or support messages. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, and phone. ## Sources - [BleepingComputer: Charter confirms data breach after ShinyHunters extortion threat](https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/) - [BleepingComputer: Charter Communications data breach affects 4.9 million accounts](https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/) - [Have I Been Pwned: Charter Data Breach](https://haveibeenpwned.com/Breach/Charter) - [Cybernews: Inside the Charter data breach: hackers leak 13M+ customer data](https://cybernews.com/security/charter-spectrum-data-breach-millions-exposed/) - [Techlicious: Charter confirms Spectrum data breach: 13 million customers exposed](https://www.techlicious.com/blog/spectrum-charter-data-breach-shinyhunters-2026/) --- ## NBS Trading Leak Exposes 10 User Records and Password Hashes A leaksear.ch-indexed dataset tied to NBS Trading contains 10 user records from the company's e-commerce site, with the breach date listed as December 29, 2024 (leaksear.ch metadata). NBS Trading describes itself as a local FMCG distributor in Doha, Qatar, and its website functions as an online shop for personal-care product categories and brand pages ([nbs-doha.qa](https://nbs-doha.qa/)). ## What happened leaksear.ch metadata says the dataset was sourced from the e-commerce site of NBS Trading and indexed on May 24, 2026 (leaksear.ch metadata). The metadata does not identify the exposure mechanism, and this article does not attribute the incident to ransomware, scraping, misconfigured storage, or a specific application flaw. Publicly available NBS Trading pages confirm the business context: the site lists shop categories, product pages, cart functions, contact information, and a Doha address ([nbs-doha.qa](https://nbs-doha.qa/)). No source link or breach notice was included with the leak metadata (leaksear.ch metadata). ## What data was exposed leaksear.ch indexing metadata lists the exposed searchable fields as address, country, email, bcrypt hashed password, name, phone, and username (leaksear.ch metadata). Other stored record context includes joining date, location, source identifiers, source table, and subject, but those fields are not direct search pivots on leaksear.ch (leaksear.ch metadata). ## Why this matters At 10 records, this is a small leak, but the combination of email, username, phone, name, and address data is enough for targeted phishing or account-recovery impersonation against affected people (leaksear.ch metadata). The listed passwords are bcrypt hashes rather than plaintext, but OWASP warns that password hashes can be attacked by guessing candidate passwords and comparing hashes, especially when users chose weak or reused passwords ([cheatsheetseries.owasp.org](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)). Organizations handling personal data in Qatar should also consider local privacy obligations; NCSA says it regulates and enforces the Personal Data Privacy Protection Law ([academy.ncsa.gov.qa](https://academy.ncsa.gov.qa/en/privacy-notice)). If you used NBS Trading, check whether your details appear in this leak through leaksear.ch. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, hashed password, name, phone, and username. ## Sources - [NBS Trading: Home Page](https://nbs-doha.qa/) - [OWASP Cheat Sheet Series: Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) - [NCSA: Privacy Notice](https://academy.ncsa.gov.qa/en/privacy-notice) --- ## Flywell Bowling Leak Exposes 14 Records With Emails, Hashes Flywell Bowling, a Pakistan-based manufacturer and exporter whose public site lists bowling accessories, bowling bags, bowling gloves, golf products, and mechanic gloves, is tied to a small leak indexed by leaksear.ch ([www.flywellbowling.com.pk](https://www.flywellbowling.com.pk/)). The dataset contains 14 records and includes names, usernames, email addresses, phone data, addresses, countries, and hashed passwords, with a listed breach date of December 31, 2024 (leaksear.ch metadata). ## What happened leaksear.ch metadata identifies a Flywell Bowling breach dataset indexed on May 24, 2026, with 14 records and a breach date of December 31, 2024 (leaksear.ch metadata). The metadata does not identify an intrusion method, threat actor, vulnerable system, or whether the records originated from an account system, contact form, inquiry workflow, or another source. Public pages reviewed for this article confirm Flywell Bowling's web presence, product categories, and contact page, including a Sialkot, Pakistan address and company contact information ([www.flywellbowling.com.pk](https://www.flywellbowling.com.pk/), [www.flywellbowling.com.pk](https://www.flywellbowling.com.pk/contact-us.php)). No public incident report or breach notice was found during verification, so the exposure mechanism should be treated as unconfirmed. ## What data was exposed The indexed records contain account and contact data: names, usernames, email addresses, phone numbers, mobile numbers, physical addresses, countries, and hashed passwords (leaksear.ch metadata). The metadata also includes a `source_table` field as record context, but it is not listed as a searchable pivot (leaksear.ch metadata). The searchable fields for this leak are address, country, email, hashedPassword, name, phone, and username (leaksear.ch metadata). The presence of hashed passwords does not mean raw passwords were exposed in the index, but password hashes can still create risk if they are weakly protected or reused across accounts. ## Why this matters Even at 14 records, the combination of names, emails, usernames, phone numbers, and addresses can support targeted phishing, impersonation, and account-recovery abuse. Affected individuals should change any reused passwords associated with the exposed email or username and enable multi-factor authentication where available. Security teams should treat the hashed password field as a credential-risk signal and review related accounts for reuse, suspicious login activity, or contact-data misuse. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, hashed password, name, phone, and username. ## Sources - [Flywell Bowling: Home Pages](https://www.flywellbowling.com.pk/) - [Flywell Bowling: Contact us](https://www.flywellbowling.com.pk/contact-us.php) --- ## Cairo University FGSE Leak Exposes 7 Credential Records leaksear.ch has indexed a small credential leak tied to the Faculty of Graduate Studies for Education at Cairo University, with 7 records dated January 26, 2025 and attributed in the metadata to the GDLockerSec ransomware group (leaksear.ch metadata). The faculty's own site describes it as a graduate education faculty offering diploma, master's, and PhD programs, which makes the exposed account data relevant to people who used FGSE systems ([www.fgse.cu.edu.eg](https://www.fgse.cu.edu.eg/)). ## What happened Ransomware.live lists [www.fgse.cu.edu.eg](http://www.fgse.cu.edu.eg) as a GDLockerSec victim, with discovery and estimated attack dates of January 26, 2025, and a leak description of 7MB ([www.ransomware.live](https://www.ransomware.live/id/d3d3LmZnc2UuY3UuZWR1LmVnQEdETG9ja2VyU2Vj)). UNDERCODE NEWS reported the same day that GDLockerSec added Cairo University's Faculty of Graduate Studies for Education to its victim list and that the FGSE website had been compromised, while noting that the extent of damage and any demands were unclear ([undercodenews.com](https://undercodenews.com/gdlockersec-ransomware-strikes-again-egyptian-university-targeted-in-latest-cyber-attack/)). The public reporting reviewed here does not establish whether Cairo University confirmed the incident, whether a ransom was demanded or paid, or whether the leak extends beyond the small credential dataset indexed here. ## What data was exposed The leaksear.ch indexing metadata identifies 7 records containing names, usernames, and passwords. The indexed record context also includes account status, internal IDs, roles, and source table information, but those context fields are not listed as searchable fields in this index (leaksear.ch metadata). ## Why this matters Credential records can be high impact even at small scale because one reused password can become an entry point into related university, email, or personal accounts. Names and usernames also give attackers believable context for phishing and password-reset scams. Anyone who had an FGSE account or reused an FGSE password should check whether their data appears in this leak and rotate reused passwords promptly. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include name, password, and username. ## Sources - [Ransomware.live: Victim www.fgse.cu.edu.eg](https://www.ransomware.live/id/d3d3LmZnc2UuY3UuZWR1LmVnQEdETG9ja2VyU2Vj) - [UNDERCODE NEWS: GDLockerSec Ransomware Strikes Again: Egyptian University Targeted in Latest Cyber Attack](https://undercodenews.com/gdlockersec-ransomware-strikes-again-egyptian-university-targeted-in-latest-cyber-attack/) - [Faculty of Graduate Studies for Education: كلية الدراسات العليا للتربية](https://www.fgse.cu.edu.eg/) --- ## Vercel Leak Exposes 230 Customer Account Metadata Records A leaksear.ch-indexed Vercel leak contains 230 customer account metadata records, with the breach date listed as April 19, 2026 (leaksear.ch metadata). Vercel said the April 2026 incident involved unauthorized access to internal systems after a compromise at Context.ai was used to take over a Vercel employee's Google Workspace account ([vercel.com](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident)). ## What happened Vercel's security bulletin says the incident originated with Context.ai, a third-party AI tool used by a Vercel employee. According to Vercel, the attacker used that access to take over the employee's Vercel Google Workspace account, then pivoted into Vercel environments and enumerated and decrypted non-sensitive environment variables ([vercel.com](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident)). Context.ai's incident statement says OAuth tokens belonging to some AI Office Suite users were compromised, and that one token was used to access Vercel's Google Workspace. Context.ai also said the AI Office Suite OAuth application had been taken down ([context.ai](https://context.ai/security-update)). Public reporting described customer data as stolen, but Vercel did not publish a total affected-customer count and TechCrunch reported that Vercel had not received a ransom demand. Vercel also said its review with GitHub, Microsoft, npm, and Socket found no evidence that npm packages published by Vercel were compromised ([techcrunch.com](https://techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/), [vercel.com](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident)). The Hacker News separately reported that Vercel described the exposed credentials as affecting a limited subset of customers and said Vercel was notifying those customers directly ([thehackernews.com](https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html)). ## What data was exposed The indexed records contain customer account metadata: email addresses, names, usernames, account activity and status fields, flags including active, admin, and guest, internal IDs, created, updated, and last-seen timestamps, and timezone values (leaksear.ch metadata). The fields searchable on leaksear.ch are email, name, and username; the remaining account metadata is stored for context but is not a direct search pivot (leaksear.ch metadata). Those indexed fields should not be read as a complete list of everything Vercel investigated in the April incident. Vercel's own bulletin separately focused on non-sensitive environment variables and credentials that affected customers were told to rotate ([vercel.com](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident)). ## Why this matters For individuals and organizations in the 230-record dataset, the immediate risk is targeted phishing and account enumeration using developer identities rather than broad consumer identity theft (leaksear.ch metadata). Names, usernames, email addresses, admin or guest status, and last-seen details can make impersonation or help-desk lures more believable, especially against engineering and platform teams (leaksear.ch metadata). Teams that used Vercel should follow Vercel's guidance for potentially affected accounts: enable MFA, review account and environment activity, rotate secrets that were stored as non-sensitive environment variables, and investigate suspicious deployments ([vercel.com](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident)). To check whether this leak includes your details, search for your email, name, or username (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, name, and username. ## Sources - [Vercel: Vercel April 2026 security incident](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident) - [Context: Security Incident Response Statement](https://context.ai/security-update) - [TechCrunch: App host Vercel says it was hacked and customer data stolen](https://techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/) - [The Hacker News: Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials](https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html) --- ## Sun Moon University leak exposes 617 email, username records A leaksear.ch-indexed dataset tied to Sun Moon University contains 617 records from a May 28, 2025 Nova ransomware leak, including email addresses and usernames (leaksear.ch metadata). Public ransomware tracking lists SunMoon university under Nova with a discovered date of May 29, 2025 and an estimated attack date of May 28, 2025 ([www.ransomware.live](https://www.ransomware.live/group/nova)). ## What happened Ransomware.live lists SunMoon university under Nova and describes Nova, formerly RALord, as an active Ransomware-as-a-Service group that uses file encryption and double-extortion pressure around stolen-data disclosure ([www.ransomware.live](https://www.ransomware.live/group/nova)). RedPacket Security also published a May 29, 2025 automated, redacted item identifying the victim as SunMoon university and saying the information was scraped from the Nova Tor leak blog ([www.redpacketsecurity.com](https://www.redpacketsecurity.com/nova-ransomware-victim-sunmoon-university/)). The cited public reporting does not confirm the initial access vector, ransom demand, or whether Sun Moon University systems were encrypted in this specific incident. The specific exposed fields below come from leaksear.ch indexing metadata, not from public sample records (leaksear.ch metadata). ## What data was exposed The indexed dataset contains 617 records (leaksear.ch metadata). The searchable fields are email address and username, which means those values can be used to check for a match on leaksear.ch (leaksear.ch metadata). Other stored fields in the indexed records include department, email-verification status, organization, student ID, and user type (leaksear.ch metadata). No raw leaked values are included in this article. ## Why this matters Even at 617 records, an education-sector identity dataset can support targeted phishing, account-enumeration attempts, and impersonation of students, faculty, or staff. The combination of emails, usernames, departments, user types, and student IDs gives attackers context for believable messages, especially if victims reused usernames or exposed addresses across other services. The metadata does not list passwords, password hashes, or financial data, so those categories should not be assumed present (leaksear.ch metadata). If you used a Sun Moon University account or communicated through the university portal, check your email address and username against this leak on leaksear.ch. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email and username. ## Sources - [Ransomware.live: Nova](https://www.ransomware.live/group/nova) - [RedPacket Security: NOVA - Ransomware Victim: SunMoon university](https://www.redpacketsecurity.com/nova-ransomware-victim-sunmoon-university/) --- ## Lloyd Motor Group Mercedes-Benz Leak Exposes 69K Customer Records A leaksear.ch-indexed Lloyd Motor Group Mercedes-Benz dataset contains 69,281 records tied to UK dealership customers, vehicle records, and service history, with a listed breach date of 14 April 2016 (leaksear.ch metadata). Lloyd Motor Group describes itself as one of the UK's largest independently owned, family-run car retailer groups, with locations across Cumbria, the North East, Lancashire, North Yorkshire, and the Scottish Borders ([www.lloydmotorgroup.com](https://www.lloydmotorgroup.com/About-Us)). ## What happened Confirmed from the indexing metadata: the dataset is named Lloyd Motor Group Mercedes-Benz, was indexed on 24 May 2026, and carries a 14 April 2016 breach date (leaksear.ch metadata). The metadata does not identify how the data was exposed, and no supplied reference link attributes it to ransomware, scraping, a misconfigured system, or a third-party provider (leaksear.ch metadata). Lloyd Motor Group's public site says the group provides vehicle sales, aftersales support, servicing, repairs, and MOTs, which is relevant context for a dataset that includes both customer contact fields and vehicle service fields ([www.lloydmotorgroup.com](https://www.lloydmotorgroup.com/About-Us)). ## What data was exposed The leaksear.ch metadata lists searchable customer pivots for address, email, name, and phone (leaksear.ch metadata). Additional stored fields include salutations and titles, customer and vehicle identifiers, vehicle registration-related fields including REGNO and Date reg, delivery and date fields, MOT-related fields including Last MOT and MOT due, last and next service fields, status and location codes, quote/order-related fields, and other dealership system fields (leaksear.ch metadata). ## Why this matters Contact data combined with vehicle and service-history fields can support convincing phishing, smishing, or phone scams, especially where a message references a real dealership relationship, vehicle, MOT, or service event. The NCSC warns that criminals can use breach data to make scam messages appear legitimate, and that exposed phone numbers can also lead to suspicious calls ([www.ncsc.gov.uk](https://www.ncsc.gov.uk/guidance/data-breaches)). The ICO advises affected people to ask the organisation what happened, what information was affected, and what steps are planned, while also watching for suspicious messages and unusual financial transactions ([ico.org.uk](https://ico.org.uk/for-the-public/i-m-worried-about-how-an-organisation-has-handled-my-information/what-steps-should-i-take-if-i-have-experienced-a-data-breach/)). Anyone who previously dealt with Lloyd Motor Group Mercedes-Benz should check whether their name, email, phone number, or address appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, email, name, and phone. ## Sources - [Lloyd Motor Group: About Us](https://www.lloydmotorgroup.com/About-Us) - [National Cyber Security Centre: Data breaches: guidance for individuals and families](https://www.ncsc.gov.uk/guidance/data-breaches) - [Information Commissioner's Office: What steps should I take if I have experienced a data breach?](https://ico.org.uk/for-the-public/i-m-worried-about-how-an-organisation-has-handled-my-information/what-steps-should-i-take-if-i-have-experienced-a-data-breach/) --- ## DarkForums 45K-Record Leak Exposes IPs and Usernames leaksear.ch has indexed a DarkForums leak containing 45,122 records tied to an alleged July 2025 SSRF exploit by a user calling themselves “test55” (leaksear.ch metadata). The indexed data includes IP addresses, usernames, hostnames, and post IDs associated with users loading posts on darkforums.st (leaksear.ch metadata). ## What happened Cybernews reported on July 3, 2025 that it had received an email from “test55,” who claimed to have exploited DarkForums.st using server-side request forgery, or SSRF ([cybernews.com](https://cybernews.com/cybercrime/darkforums-ssrf-exploit-leak/)). OWASP describes SSRF as a flaw where an attacker abuses server-side functionality to make the server read or submit data to unintended locations ([owasp.org](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)). According to Cybernews, its researchers checked the claims and said they “might be legitimate,” while noting that DarkForums had launched a Tor service after the incident to protect users from leaking IP addresses. Cybernews also reported that DarkForums administrators had not commented on the alleged vulnerability, and that it was unclear whether the attacker caused additional damage beyond collecting IP addresses from people who viewed posts ([cybernews.com](https://cybernews.com/cybercrime/darkforums-ssrf-exploit-leak/)). DarkForums is not a conventional consumer service. Security firms describe it as a cybercrime forum used for data leaks, credentials, stealer logs, malware, and account-checking tools, with Flare reporting that former BreachForums members migrated there after BreachForums was taken down and SOCRadar describing it as a major English-language successor forum in 2026 ([flare.io](https://flare.io/learn/resources/blog/dark-web-forums), [socradar.io](https://socradar.io/blog/top-5-surface-web-hacker-forums/)). ## What data was exposed The leaksear.ch metadata for this source lists 45,122 records. The searchable fields are IP address and username (leaksear.ch metadata). Other stored fields include hostname and post\_id. In practical terms, the dataset can associate a DarkForums handle and network identifier with a host value and a specific post context, but the supplied metadata does not identify passwords, email addresses, payment card data, or private messages among the indexed fields (leaksear.ch metadata). ## Why this matters For people who used DarkForums expecting anonymity, the exposure of IP addresses linked to usernames creates a correlation risk. Cybernews noted that IP leaks can undermine anonymity and may be useful to rival hackers, scammers, or investigators seeking to connect forum activity to a person or network ([cybernews.com](https://cybernews.com/cybercrime/darkforums-ssrf-exploit-leak/)). Security teams should treat any match as an investigative lead, not standalone proof of identity. Readers who used DarkForums or are investigating forum activity should check whether an IP address or username appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include ip address and username. ## Sources - [Cybernews: DarkForums rushes to hide after hacker exposes user IPs](https://cybernews.com/cybercrime/darkforums-ssrf-exploit-leak/) - [OWASP Foundation: Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) - [Flare: Key Dark Web Forums to Monitor](https://flare.io/learn/resources/blog/dark-web-forums) - [SOCRadar: Top 5 Surface Web Hacker Forums in 2026](https://socradar.io/blog/top-5-surface-web-hacker-forums/) --- ## Stripchat Leak: 10M User Records Exposed With Emails and IPs leaksear.ch has indexed a Stripchat leak containing 10,002,085 user records from the adult live-streaming platform, with email addresses, usernames, IP addresses, country data, ISP data, and browser fingerprints present in the dataset (leaksear.ch metadata). Public reporting tied the 2021 exposure to an unsecured Elasticsearch cluster discovered on November 5, 2021, and Stripchat later described the incident as a temporary server breach during server reconfiguration ([comparitech.com](https://www.comparitech.com/blog/information-security/stripchat-data-leak/), [stripchat.com](https://stripchat.com/blog/temporary-server-breach-identified/)). ## What happened Comparitech reported that its cybersecurity research team, led by Bob Diachenko, found a database that appeared to belong to Stripchat on November 5, 2021, alerted Stripchat that day, and found the database was no longer available on November 7. The report said the database was accessible on the internet without a password or other authentication and that it was unclear how long it had been exposed before being indexed by search engines ([comparitech.com](https://www.comparitech.com/blog/information-security/stripchat-data-leak/)). Stripchat acknowledged the issue in a November 12, 2021 blog post, saying a temporary data breach was detected during routine server reconfiguration and that the company had secured the servers. Stripchat said its assessment at the time found that passwords, payment details, account verification documents, and private live sex chat messages were not accessed ([stripchat.com](https://stripchat.com/blog/temporary-server-breach-identified/)). Have I Been Pwned lists Stripchat as a sensitive breach, says several databases were left exposed and unsecured in November 2021, and says more than 10 million Stripchat records appeared on a popular hacking forum in June 2022. Threatpost reported at the time that it was unclear whether anyone with malicious intent accessed the exposed data before it was secured ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Stripchat), [threatpost.com](https://threatpost.com/adult-cam-model-user-records-exposed-stripchat-breach/176372/)). ## What data was exposed According to the leaksear.ch indexing metadata, the searchable pivots in this Stripchat dataset are country, email address, IP address, and username (leaksear.ch metadata). Other fields stored with records include a browser fingerprint, an internal ID, and the ISP associated with the IP address, but those fields are not direct search pivots on leaksear.ch (leaksear.ch metadata). Public reports on the broader 2021 exposure described additional categories in the unsecured cluster, including user account data, model records, transaction information about tokens and tips, and moderation data. Stripchat's own statement said passwords, payment details, account verification documents, and private live sex chat messages were not accessed, so those should not be assumed to be present in this indexed dataset unless confirmed by the metadata ([comparitech.com](https://www.comparitech.com/blog/information-security/stripchat-data-leak/), [stripchat.com](https://stripchat.com/blog/temporary-server-breach-identified/)). ## Why this matters Stripchat is an adult platform, so linkage between an email address, username, IP address, country, ISP, and browser fingerprint can create privacy risk even without passwords or payment cards. HIBP flags the breach as sensitive, meaning the fact that an account appears in the breach can itself be harmful if exposed to the wrong person ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Stripchat)). The practical risks are targeted phishing that references Stripchat, attempts to connect pseudonymous usernames to real identities, and harassment or extortion threats using location clues derived from IP and country data. Comparitech warned that exposed data from the incident could put viewers and models at risk of phishing, stalking, harassment, humiliation, and extortion ([comparitech.com](https://www.comparitech.com/blog/information-security/stripchat-data-leak/)). Anyone who may have used Stripchat should check whether their email address, username, IP address, or country appears in this leak using the exposure check on this page. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include country, email, ip address, and username. ## Sources - [Have I Been Pwned: Stripchat Data Breach](https://haveibeenpwned.com/Breach/Stripchat) - [Comparitech: Sex cam site Stripchat exposes user, model info on the web: report](https://www.comparitech.com/blog/information-security/stripchat-data-leak/) - [Stripchat: Temporary Server Breach Identified](https://stripchat.com/blog/temporary-server-breach-identified/) - [Threatpost: 200M Adult Cam Model, User Records Exposed in Stripchat Breach](https://threatpost.com/adult-cam-model-user-records-exposed-stripchat-breach/176372/) - [HackRead: Stripchat database mess up exposes 200M adult cam models, users' data](https://hackread.com/stripchat-database-adult-cam-models-users/) - [DeHashed: StripChat Data Breach November 2021: 10 Million User Records Leaked](https://dehashed.com/insights/stripchat-data-breach-2021-november) --- ## Sport 2000 Leak Exposes 4.3M Loyalty Records Sport 2000, the French sporting goods retailer, is tied to a 2024 customer loyalty database leak now indexed by leaksear.ch with 4,276,740 records (leaksear.ch metadata). Have I Been Pwned lists the incident as an April 2024 breach with 3.2 million affected accounts and says the exposed data included names, physical addresses, phone numbers, dates of birth, and purchases by store name ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Sport2000)). ## What happened Clubic reported that Sport 2000 announced on its website that it had suffered a cyberattack on April 19, 2024, and that personal data for more than 4 million customers was suspected to be for sale on the dark web. The same report cited Zataz reporting that the data was obtained through an infostealer campaign, while describing attribution to the francophone Epsilon group as suspected rather than officially confirmed ([www.clubic.com](https://www.clubic.com/actualite-525045-sport-2000-victime-d-une-cyberattaque-un-gang-de-pirates-francais-soupconne-de-vendre-les-donnees-de-4-millions-de-clients.html)). Have I Been Pwned says the Sport 2000 data was subsequently put up for sale on a hacking forum and included 4.4 million rows with 3.2 million unique email addresses ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Sport2000)). CyberInsider reported that the database was advertised for sale in April 2024 and later reposted in June 2024, making the data more broadly accessible to malicious actors ([cyberinsider.com](https://cyberinsider.com/sport-2000-data-breach-exposes-info-of-3-2-million-customers/)). ## What data was exposed The leaksear.ch index contains searchable identity and contact pivots: names, email addresses, phone numbers, postal addresses, and dates of birth (leaksear.ch metadata). Additional non-search fields stored with records include loyalty card numbers, store names or IDs, first and last purchase dates, recent purchase totals and ticket counts, opt-in flags for email, SMS and postal mail, behavioral and RFM segmentation, points balances, credit amounts, wallet status, and contact-validity indicators (leaksear.ch metadata). Public breach listings align with the core exposure categories. Have I Been Pwned lists dates of birth, email addresses, names, phone numbers, physical addresses, purchases, and salutations as compromised data, while CyberInsider also reported purchase details linked to specific Sport 2000 stores ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Sport2000), [cyberinsider.com](https://cyberinsider.com/sport-2000-data-breach-exposes-info-of-3-2-million-customers/)). ## Why this matters This is not just an email list. A record combining a person's name, date of birth, address, phone number, loyalty account context, store history, and purchase behavior can support convincing phishing, account-recovery scams, SIM-swap pretexts, and retail-themed fraud (leaksear.ch metadata). Security teams should watch for Sport 2000-themed lures, especially messages that reference store locations, loyalty points, refunds, or recent purchases. If you used Sport 2000's loyalty program or shopped in its stores, use the exposure check below to search the supported pivots before responding to unsolicited messages or calls. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, name, and phone. ## Sources - [Have I Been Pwned: Sport 2000 Data Breach](https://haveibeenpwned.com/Breach/Sport2000) - [CyberInsider: Sport 2000 Data Breach Exposes Info of 3.2 Million Customers](https://cyberinsider.com/sport-2000-data-breach-exposes-info-of-3-2-million-customers/) - [Clubic: Sport 2000 victime d'une cyberattaque, un gang de pirates français soupçonné de vendre les données de 4 millions de clients](https://www.clubic.com/actualite-525045-sport-2000-victime-d-une-cyberattaque-un-gang-de-pirates-francais-soupconne-de-vendre-les-donnees-de-4-millions-de-clients.html) --- ## Kik.name Leak Exposes 144,565 Profiles With Emails and IPs Kik.name, described in leaksear.ch metadata as a public Kik Messenger username-sharing site, was indexed from a leaked MySQL database dump containing 144,565 user profiles and carrying a breach date of February 14, 2018 (leaksear.ch metadata). The exposed records include usernames, email addresses, registration IP addresses, ages, genders, and location-related profile data (leaksear.ch metadata). ## What happened Leaksear.ch metadata identifies the incident as a leaked MySQL database dump from Kik.name, with no reporter or public reference links attached to the source record (leaksear.ch metadata). The metadata does not identify the exposure path beyond the dump itself, so ransomware, scraping, misconfigured storage, and threat-actor attribution should be treated as unconfirmed. Public Kik documentation provides context for why usernames are sensitive in this dataset: Kik describes itself as an iOS and Android app for messaging, chatting, groups, and live streaming ([help.kik.com](https://help.kik.com/hc/en-us/articles/16716480138907-What-is-Kik)). Kik also says usernames are unique, cannot be changed, and must be exact for another user to find an account in search ([help.kik.com](https://help.kik.com/hc/en-us/articles/4402344189339-Kik-usernames-vs-display-names)). Kik warns that sharing a username or Kik Code publicly can make it visible to people the user does not know, who may then be able to message them ([help.kik.com](https://help.kik.com/hc/en-us/articles/4402351911835-Keep-your-Kik-account-private)). ## What data was exposed According to leaksear.ch indexing metadata, the searchable fields for this leak are address, country, email, IP address, and username (leaksear.ch metadata). The records also include age, avatar, country name, dislikes, gender, internal ID, likes, post time, validated status, and view count as additional fields stored on records (leaksear.ch metadata). That mix is notable because Kik says people a user has talked to in the app can see display name, username, and profile picture, but not email address, phone number, or birthday ([help.kik.com](https://help.kik.com/hc/en-us/articles/4402358257819-Can-people-see-my-email-address-and-phone-number)). In this leak, email addresses and registration IP addresses appear alongside Kik-related profile data in the Kik.name records (leaksear.ch metadata). ## Why this matters Phishing risk is strongest where an attacker can pair a recognizable Kik username with an email address, age, gender, or location field and make a lure look personal. Registration IP addresses and location fields can also help correlate the profile with other leaked datasets or identify likely geography for social engineering. Individuals who used Kik.name or reused the same Kik username elsewhere should check this leak using the supported search fields, especially email, username, IP address, address, and country. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, and username. ## Sources - [Kik: What is Kik?](https://help.kik.com/hc/en-us/articles/16716480138907-What-is-Kik) - [Kik: Kik usernames vs. display names](https://help.kik.com/hc/en-us/articles/4402344189339-Kik-usernames-vs-display-names) - [Kik: Keep your Kik account private](https://help.kik.com/hc/en-us/articles/4402351911835-Keep-your-Kik-account-private) - [Kik: Can people see my email address and phone number?](https://help.kik.com/hc/en-us/articles/4402358257819-Can-people-see-my-email-address-and-phone-number) --- ## Addka72424 3.3B Email Leak Exposes 61.3M Indexed Records The Addka72424 3.3 Billion Emails Compilation is an email-only corpus posted to BreachForums on September 21, 2024, with 61,296,276 records indexed by leaksear.ch (leaksear.ch metadata). Public reporting described the wider collection as a 3.3 billion-address compilation gathered from earlier breaches and forums, rather than a newly disclosed compromise of one organization ([hackerdose.com](https://hackerdose.com/privacy/massive-3-3-billion-emails-leaked/), [www.cloaked.com](https://www.cloaked.com/post/3-3-billion-emails-exposed---is-your-email-exposed-what-should-you-do)). ## What happened The leak is best understood as a compilation incident. leaksear.ch metadata attributes the BreachForums post to the user Addka72424 and describes the source as an aggregation of email addresses from prior public data breaches and combolists (leaksear.ch metadata). HackerDose reported that the poster said the data came from public breaches and forums, while Cloaked described the set as a cleaned compilation of previous leaks ([hackerdose.com](https://hackerdose.com/privacy/massive-3-3-billion-emails-leaked/), [www.cloaked.com](https://www.cloaked.com/post/3-3-billion-emails-exposed---is-your-email-exposed-what-should-you-do)). The BreachForums venue is relevant context for defenders. BleepingComputer reported in May 2024 that the FBI seized BreachForums, describing it as a forum used to leak and sell stolen corporate data, and The Register later reported that BreachForums returned online weeks after that takedown ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/), [www.theregister.com](https://www.theregister.com/security/2024/05/28/breachforums-returns-just-weeks-after-fbi-led-takedown/828339)). What is confirmed for this leaksear.ch source is narrower than the public 3.3 billion label: 61,296,276 records from the corpus are indexed here, with email as the searchable field (leaksear.ch metadata). ## What data was exposed The leaksear.ch indexing metadata lists one searchable field: email (leaksear.ch metadata). No names, phone numbers, passwords, password hashes, national IDs, financial identifiers, or other stored fields are listed for this source (leaksear.ch metadata). Public coverage of the wider compilation also characterized the dataset as primarily email addresses, with Cloaked stating that passwords were not directly included in the reported compilation ([www.cloaked.com](https://www.cloaked.com/post/3-3-billion-emails-exposed---is-your-email-exposed-what-should-you-do)). ## Why this matters Email-only exposure can still be operationally useful to attackers because addresses are durable identifiers for phishing, spam targeting, password-reset probes, and credential-stuffing workflows when combined with older credential leaks. The risk is higher for corporate domains, reused personal addresses, and accounts that lack multifactor authentication. Security teams should treat matches as a prompt to review phishing telemetry, watch for password-spray attempts against exposed domains, and make sure affected users are not reusing passwords tied to older breaches. Individuals who want to assess their own exposure should check the email addresses they control against this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email. ## Sources - [HackerDose: Hacker Leaks 3.3 Billion Emails and Yes Every Single One Is Unique](https://hackerdose.com/privacy/massive-3-3-billion-emails-leaked/) - [Cloaked: 3.3 Billion Emails Exposed - Is Your Email Exposed? What Should You Do?](https://www.cloaked.com/post/3-3-billion-emails-exposed---is-your-email-exposed-what-should-you-do) - [BleepingComputer: FBI seize BreachForums hacking forum used to leak stolen data](https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/) - [The Register: BreachForums returns just weeks after FBI-led takedown](https://www.theregister.com/security/2024/05/28/breachforums-returns-just-weeks-after-fbi-led-takedown/828339) --- ## Telegram 1 Billion Leak Exposes 1.6M User Records A Telegram-related compilation named “Telegram 1 Billion” has been indexed with 1,572,230 records tied to emails, names, phone numbers, usernames and Telegram identifiers, with a listed breach date of July 1, 2024 (leaksear.ch metadata). The dataset is described as an aggregated multi-source package scraped from public channels, contact-list dumps and CRM-style exports, not as a confirmed compromise of Telegram’s core systems (leaksear.ch metadata). ## What happened The leaksear.ch metadata describes this leak as a mid-2024 aggregated compilation of Telegram user IDs, usernames, display names and phone numbers drawn from multiple source types, including public channel scraping, contact-list dumps and CRM-style exports (leaksear.ch metadata). The available metadata does not identify a single intruder, ransomware group, exposed database, or Telegram server compromise. Public reporting on other Telegram-labeled datasets shows why that distinction matters. Cybernews reported a separate leak-forum post claiming more than 200 million Telegram user records, while noting uncertainty over whether the data represented a new breach or a collection of previously scraped or stolen details; Telegram told Cybernews the records appeared to result from contact importing and did not expose private user data ([cybernews.com](https://cybernews.com/security/200m-telegram-user-records-shared-on-a-data-leak-forum/)). A separate 2024 incident indexed by Have I Been Pwned involved combolists posted to Telegram channels, not a Telegram account database: HIBP listed 361.5 million affected accounts, and Troy Hunt wrote that the 122GB set contained 1.7k files with 2 billion lines and 361 million unique email addresses sourced from existing combolists and infostealer malware ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/TelegramCombolists), [www.troyhunt.com](https://www.troyhunt.com/telegram-combolists-and-361m-email-addresses/)). ## What data was exposed The indexed leak includes searchable pivots for email, name, phone and username (leaksear.ch metadata). Records also contain contact\_owner\_id, last\_seen, source\_format and telegram\_id fields that are stored as context but are not listed as direct search pivots (leaksear.ch metadata). In plain terms, this means the dataset can connect Telegram-style identifiers and usernames with names, phone numbers, emails and account-related metadata (leaksear.ch metadata). Telegram’s own FAQ notes that users can be found through public usernames and that phone-number visibility depends on privacy settings and whether another user already has the number saved ([telegram.org](https://telegram.org/faq)). ## Why this matters A dataset that links Telegram IDs, usernames, names, phone numbers and emails can help attackers pivot between Telegram, SMS and email when crafting phishing or impersonation attempts. The risk is higher where a phone number or username can be tied to a real identity, workplace, public channel activity, or other breach data. For individuals, the practical concern is targeted contact rather than account takeover by itself. Review Telegram username and phone-number privacy settings, be cautious of unsolicited Telegram or SMS messages that reference personal details, and check whether your email, name, phone number, or username appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, name, phone, and username. ## Sources - [Cybernews: 200M+ Telegram user records shared on a data leak forum](https://cybernews.com/security/200m-telegram-user-records-shared-on-a-data-leak-forum/) - [Have I Been Pwned: Combolists Posted to Telegram Data Breach](https://haveibeenpwned.com/Breach/TelegramCombolists) - [Troy Hunt: Telegram Combolists and 361M Email Addresses](https://www.troyhunt.com/telegram-combolists-and-361m-email-addresses/) - [Telegram: Telegram FAQ](https://telegram.org/faq) --- ## Russian National Tourist Office Leak Exposed 728 Visa Records Leaksear.ch has indexed 728 booking and visa application records tied to Russian National Tourist Office Ltd, also referred to as RNTO UK, with the breach date recorded as January 25, 2022 (leaksear.ch metadata). The dataset description says the records were scraped from an exposed directory on an RNTO UK server and include applicant names, passport numbers, postal addresses, visa dates, booking references, and pricing (leaksear.ch metadata). ## What happened Leaksear.ch metadata attributes the exposure to an exposed server directory. The metadata does not identify ransomware, a third-party processor compromise, or credential theft as the cause (leaksear.ch metadata). Companies House records show IBS VP Limited was named Russian National Tourist Office Limited from March 30, 2004 to March 17, 2022, so the January 25, 2022 breach date falls during the RNTO company-name period ([find-and-update.company-information.service.gov.uk](https://find-and-update.company-information.service.gov.uk/company/03376738)). The public Visit Russia site describes the Russian National Tourist Office as a travel business founded in 1997 with London operations, and its visa page says the London-based Russian visa processing centre handles tourist, private, business, work, and student visa applications ([visitrussia.org.uk](https://visitrussia.org.uk/about-us/), [visitrussia.org.uk](https://visitrussia.org.uk/visas/)). The exposure method, scale, breach date, and field list in this article come from leaksear.ch indexing metadata. Public sources cited here provide organizational and risk context. ## What data was exposed According to the leaksear.ch index, the searchable fields are address, name, and username (leaksear.ch metadata). Other stored fields include booking reference, cardholder name, delivery method, entries and processing time, first name, request date, service requested, source file, surname, total price, and visa start and end dates (leaksear.ch metadata). The dataset description also lists passport numbers and postal addresses among the exposed applicant data (leaksear.ch metadata). The indexed field list includes cardholder names and total prices, but it does not list passwords, password hashes, payment card numbers, or CVVs (leaksear.ch metadata). ## Why this matters For affected individuals, full names plus addresses, passport numbers, visa windows, and booking references can make phishing or phone scams look specific and credible. The UK NCSC warns that criminals use breached personal information to craft phishing messages that appear legitimate, and the ICO says stolen names and addresses can be used in identity theft and fraud ([www.ncsc.gov.uk](https://www.ncsc.gov.uk/guidance/data-breaches), [ico.org.uk](https://ico.org.uk/for-the-public/identity-theft/)). Security teams should treat this as exposure of travel-document and visa-process data, especially where applicants are employees, executives, journalists, or people whose travel history is sensitive. If you may have applied through RNTO UK or Visit Russia, check whether your name, address, or username appears in this leak before responding to unexpected visa, travel, or payment messages. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, name, and username. ## Sources - [Companies House: IBS VP LIMITED overview](https://find-and-update.company-information.service.gov.uk/company/03376738) - [Visit Russia: About us](https://visitrussia.org.uk/about-us/) - [Visit Russia: Russian visa from UK | Apply for tourist & business visas](https://visitrussia.org.uk/visas/) - [National Cyber Security Centre: Data breaches: guidance for individuals and families](https://www.ncsc.gov.uk/guidance/data-breaches) - [ICO: Identity theft](https://ico.org.uk/for-the-public/identity-theft/) --- ## AT&T 2023 Leak: 5M Records Expose Phones, Emails, CPNI leaksear.ch has indexed an AT&T 2023 leak containing 4,999,826 records, about 5 million, from a threat-actor sample dated January 6, 2023, tied in the metadata to a third-party marketing vendor breach that ultimately affected approximately 9 million wireless accounts (leaksear.ch metadata). Public reporting at the time said AT&T notified customers after a January vendor incident exposed years-old Customer Proprietary Network Information, or CPNI, linked largely to device upgrade eligibility ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/)). ## What happened AT&T said a marketing vendor experienced a security incident in January 2023 and that an unauthorized person accessed CPNI from some wireless accounts. The company told reporters that its own systems were not compromised and that approximately 9 million wireless accounts had CPNI accessed ([therecord.media](https://therecord.media/att-says-nine-million-exposed-in-data-breach), [www.securityweek.com](https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/)). AT&T did not publicly identify the vendor in the reporting reviewed for this article ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/), [www.theregister.com](https://www.theregister.com/security/2023/03/09/att-confirms-9m-accounts-exposed-via-third-party/976350)). CSO Online reported that on January 6, 2023, a threat actor claimed to have found a third-party vendor's unsecured cloud storage containing 37 million AT&T client records and shared a sample of 5 million records ([www.csoonline.com](https://www.csoonline.com/article/574759/att-informs-9m-customers-about-data-breach.html)). leaksear.ch metadata identifies the indexed data as 4,999,826 records from a January 6 threat-actor sample, but the platform's indexing should not be read as independent verification of the vendor, storage environment, or the broader threat-actor claim (leaksear.ch metadata). Publicly confirmed information is narrower: AT&T said the exposed information did not include credit card numbers, Social Security numbers, account passwords, or other sensitive personal information. Some reporting also said customer notifications stated the issue was resolved and that federal law enforcement was notified ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/), [www.securityweek.com](https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/)). ## What data was exposed The leaksear.ch index is searchable by email, name, and phone number (leaksear.ch metadata). The indexed records also contain first names, wireless phone numbers, email addresses, billing account numbers, ZIP codes, device manufacturer and model details, current and recommended device information, device color details, upgrade-eligibility indicators, installment status and dates, amounts such as MSRP, paid, installment, monthly or past-due figures, account or family account labels, contract schedule dates, and past-due flags (leaksear.ch metadata). That field list aligns with public reporting that the exposed CPNI included first names, account numbers, wireless phone numbers, email addresses, and in some cases rate-plan, payment, monthly charge, minutes-used, or installment-related data ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/), [www.securityweek.com](https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/)). The metadata and public reporting state that SSNs, payment cards, and passwords were not included (leaksear.ch metadata, [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/)). ## Why this matters CPNI is regulated telecom data, and the FCC describes it as sensitive information carriers and providers hold because of their customer relationships, including call-related and usage details ([consumercomplaints.fcc.gov](https://consumercomplaints.fcc.gov/hc/en-us/articles/8824334151572-Privacy-Complaints)). In this leak, the practical risk is not password reuse from exposed passwords, since passwords are not listed, but targeted phishing, billing or device-upgrade impersonation, and account-support social engineering using real AT&T customer context. Security teams can use the data as a customer or employee exposure signal for suspicious carrier-themed email lures, phone-number risk reviews, and help-desk awareness. Individuals who may be affected should treat AT&T-themed upgrade or billing messages with caution, review AT&T account security settings such as passcodes and contact information, and use the lookup below to check whether their email, name, or phone appears in this leak ([www.att.com](https://www.att.com/support/article/my-account/KM1159574/)). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, name, and phone. ## Sources - [BleepingComputer: AT&T alerts 9 million customers of data breach after vendor hack](https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/) - [The Record: AT&T says 9 million customers exposed in January vendor breach](https://therecord.media/att-says-nine-million-exposed-in-data-breach) - [SecurityWeek: Millions of AT&T Customers Notified of Data Breach at Third-Party Vendor](https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/) - [The Register: AT&T blames marketing bods for exposing 9M accounts](https://www.theregister.com/security/2023/03/09/att-confirms-9m-accounts-exposed-via-third-party/976350) - [CSO Online: AT&T informs 9M customers about data breach](https://www.csoonline.com/article/574759/att-informs-9m-customers-about-data-breach.html) - [Dark Reading: AT&T Vendor Breach Exposes Data on 9M Wireless Accounts](https://www.darkreading.com/application-security/att-vendor-breach-exposes-data-9m-wireless-accounts) - [FCC Complaints: Privacy Complaints](https://consumercomplaints.fcc.gov/hc/en-us/articles/8824334151572-Privacy-Complaints) - [AT&T Support: Protect Your AT&T Account](https://www.att.com/support/article/my-account/KM1159574/) --- ## Facebook Combo List Exposes 1.3M Emails and Passwords A credential-stuffing combo list labeled '1 Billion UserPass Facebook' has been indexed by leaksear.ch with 1,326,644 email or username and plaintext password pairs tied to Facebook login targeting (leaksear.ch metadata). The dataset is described as an aggregation of prior public breaches and infostealer logs, not a discrete breach of Facebook itself, and no breach date is known (leaksear.ch metadata). ## What happened The list's name is misleading: leaksear.ch metadata records about 1.3 million rows, not one billion, and says the corpus circulated on hacking forums and Telegram as a credential-stuffing combo list (leaksear.ch metadata). Combo lists are bulk sets of stolen logins compiled from sources such as stealer logs, URL-login-password files, and older leaks, and Group-IB notes they are commonly used for credential stuffing and account takeover ([www.group-ib.com](https://www.group-ib.com/resources/knowledge-hub/password-combolists/)). The public context matches that pattern. Have I Been Pwned describes stealer log breaches as large, aggregated datasets whose parsable entries often combine a website, an email address, and a password, while Microsoft reports that infostealers harvest credentials and tokens at scale for resale and downstream compromise ([support.haveibeenpwned.com](https://support.haveibeenpwned.com/hc/en-au/articles/13514459783311-I-had-an-alert-that-emails-on-my-domain-were-in-a-stealer-log-breach-but-I-don-t-see-any-stealer-log-entries), [www.microsoft.com](https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025)). OWASP defines credential stuffing as automated use of stolen username and password pairs against login forms, especially when people reuse the same credentials across services ([owasp.org](https://owasp.org/www-community/attacks/Credential_stuffing)). Confirmed by the indexing metadata: the dataset is Facebook-targeted, contains plaintext credential pairs, and aggregates earlier exposure sources. Not confirmed: a new Facebook or Meta breach, a breach date, the original source of each pair, or whether any listed password still works (leaksear.ch metadata). ## What data was exposed The indexed fields are email addresses, usernames, and plaintext passwords (leaksear.ch metadata). The metadata lists no additional stored fields, so this should be treated as a credential exposure rather than a broader profile-data leak containing phone numbers, IDs, payment cards, messages, or Facebook profile attributes (leaksear.ch metadata). ## Why this matters For affected individuals, the main risk is account takeover where the same password was reused on Facebook or elsewhere. Credential stuffing can also give attackers a foothold for phishing, spam, impersonation, and attempts to reset accounts by abusing recovery information, risks OWASP calls out for reused credentials and leaked account data ([owasp.org](https://owasp.org/www-community/attacks/Credential_stuffing)). For security teams, the practical response is to look for exposed employee domains, require password changes where reuse is suspected, review recent login activity, and prioritize MFA or passkeys. Meta says password, two-factor authentication, and account email settings are managed centrally in Meta Account, and Meta compromised-account guidance recommends unique passwords and two-factor authentication for Facebook users ([about.fb.com](https://about.fb.com/news/2026/04/meta-account/), [ag.nv.gov](https://ag.nv.gov/uploadedFiles/agnvgov/Content/Complaints/Meta%20Facebook%20Compromised%20Account%20Resources.pdf)). Readers who want to assess their own exposure should check whether their email, username, or password appears in this leak on leaksear.ch, then change any reused password immediately. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, password, and username. ## Sources - [Group-IB: How Attackers Use Password Combolists In Brute-Force Campaigns](https://www.group-ib.com/resources/knowledge-hub/password-combolists/) - [Have I Been Pwned: I had an alert that emails on my domain were in a stealer log breach, but I don't see any stealer log entries](https://support.haveibeenpwned.com/hc/en-au/articles/13514459783311-I-had-an-alert-that-emails-on-my-domain-were-in-a-stealer-log-breach-but-I-don-t-see-any-stealer-log-entries) - [Microsoft Security Insider: Microsoft Digital Defense Report 2025](https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025) - [OWASP Foundation: Credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing) - [Meta Newsroom: Meta Account: The Simpler Way to Access Your Apps and Devices](https://about.fb.com/news/2026/04/meta-account/) - [Nevada Attorney General: Compromised Account Resources](https://ag.nv.gov/uploadedFiles/agnvgov/Content/Complaints/Meta%20Facebook%20Compromised%20Account%20Resources.pdf) --- ## Israeli Defense Ministry Leak Exposes 8,865 Trainee Records An Israeli Ministry of Defense dataset indexed by leaksear.ch contains 8,865 records tied to pre-military trainees and enlistment candidates, with names, contact details, Israeli national IDs, dates of birth, addresses, and program metadata (leaksear.ch metadata). The dataset is marked as breached on October 27, 2021, and its description is consistent with public reporting that Moses Staff leaked Defense Ministry files and Excel data involving soldiers and mechina pre-military students ([www.jpost.com](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278)). ## What happened The Jerusalem Post reported on October 27, 2021, that a hacker group called Moses Staff claimed it had carried out a cyberattack on Israel's Defense Ministry and released files and photos it said were taken from ministry servers ([www.jpost.com](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278)). JNS, citing Israeli reporting, said the leaked material was posted on the dark web and in Telegram groups and included information about IDF reserve officers, military units, and thousands of Israeli teens set to enlist ([www.jns.org](https://www.jns.org/iranian-hacker-group-leaks-israeli-ministry-of-defense-files/)). The exact access path for this specific dataset has not been confirmed in the open sources reviewed. Check Point Research later analyzed MosesStaff campaigns against Israeli organizations and found a pattern of stealing and leaking sensitive data, then encrypting victim networks without a ransom demand, but the firm also said attribution of politically motivated cyberattacks is complicated and it could not draw definitive conclusions from the evidence available ([research.checkpoint.com](https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/)). ## What data was exposed leaksear.ch indexing metadata lists searchable data including names, email addresses, phone numbers, addresses, countries, and dates of birth (leaksear.ch metadata). The records also contain Israeli national IDs and contextual fields such as age, gender, father and mother names, health fund, medical approval, school grade and school type, framework, recruitment source, enlistment status, supervision level, trainee background, training potential, and related program metadata (leaksear.ch metadata). That field profile aligns with The Jerusalem Post's contemporaneous report that leaked Excel files allegedly included names, ID numbers, emails, addresses, phone numbers, and socioeconomic status for soldiers, mechina pre-military students, and people connected to the Defense Ministry ([www.jpost.com](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278)). ## Why this matters The exposed data combines stable identifiers with contact information and military or pre-military context, which can make phishing, impersonation, harassment, and identity-fraud attempts more credible (leaksear.ch metadata). Family, education, health, and enlistment-related fields increase the sensitivity because they give attackers personal context for social engineering. Security teams should watch for spear-phishing that references enlistment, military service, government benefits, medical approvals, or training programs. If you may have been enrolled in an Israeli pre-military framework or enlistment process around this period, use the exposure check below to see whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone. ## Sources - [The Jerusalem Post: Hacker group leaks data, photos from Defense Ministry, Benny Gantz](https://www.jpost.com/israel-news/hacker-group-leaks-data-photos-from-defense-ministry-benny-gantz-683278) - [JNS: Iranian hackers leak ‘Israeli Defense Ministry files’ online](https://www.jns.org/iranian-hacker-group-leaks-israeli-ministry-of-defense-files/) - [Check Point Research: Uncovering MosesStaff techniques: Ideology over Money](https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/) --- ## Chinese Banks Leak Exposes 64.9K Customer Records leaksear.ch indexed 64,885 records from a Chinese Banks Customer Data Leak dataset tied to clients of major Chinese banks, with a breach date listed as December 1, 2023 (leaksear.ch metadata). Public reporting said a threat actor offered files for sale on a cybercriminal forum and alleged they contained personal and financial data for Chinese bank customers ([cybernews.com](https://cybernews.com/news/major-chinese-banks-data-leak/)). ## What happened Cybernews reported on May 6, 2024, that a threat actor had posted files for sale on a cybercriminal forum, claiming the data belonged to customers of multiple banks in China. The report named ICBC, Bank of China, Agricultural Bank of China, China CITIC Bank, Shanghai Pudong Development Bank, China Merchants Bank, and China Construction Bank among the banks referenced in the listing ([cybernews.com](https://cybernews.com/news/major-chinese-banks-data-leak/)). The public forum listing cited by Cybernews claimed a broader dataset of 2,314,340 records and dated the database to December 2023. Cybernews said phone numbers in the sample were valid, but it could not independently verify the full claims about the leak ([cybernews.com](https://cybernews.com/news/major-chinese-banks-data-leak/)). leaksear.ch is indexing 64,885 records from the dataset described in the supplied metadata (leaksear.ch metadata). ## What data was exposed The indexed records include searchable address, country, date of birth, name, and phone fields (leaksear.ch metadata). Additional record fields include age bucket, bank account number, bank name, gender, and national ID card number (leaksear.ch metadata). Cybernews reported that the forum listing also described mobile numbers, full names, ID numbers, account numbers, bank details, and demographic information such as province, city, mobile carrier, sex, and dates of birth ([cybernews.com](https://cybernews.com/news/major-chinese-banks-data-leak/)). ## Why this matters The combination of name, phone, address, date of birth, bank name, national ID, and account-number fields can make phishing, bank-impersonation calls, and account-takeover attempts more convincing. Security teams monitoring Chinese banking exposure should treat matches as high-context identity and financial-risk leads, while affected individuals should be alert to bank-themed messages that reference personal details. To check whether your data appears in this leak, use the leaksear.ch lookup for the searchable fields associated with this dataset (leaksear.ch metadata). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, name, and phone. ## Sources - [Cybernews: Customer data from major Chinese banks allegedly up for sale](https://cybernews.com/news/major-chinese-banks-data-leak/) --- ## Telecom Egypt Leak Exposes 32 Broadband Session Records leaksear.ch has indexed a Telecom Egypt, TE Data, dataset containing 32 FreeRADIUS accounting records tied to broadband subscriber sessions, with the breach date listed as April 4, 2025 (leaksear.ch metadata). The exposed records include usernames, framed IP addresses, MAC address fields, session timestamps, network access identifiers, and traffic counters (leaksear.ch metadata). ## What happened Telecom Egypt describes itself as Egypt's first total telecom operator, providing fixed and mobile voice and data services ([ir.te.eg](https://ir.te.eg/en/)). Its WE site lists home internet and fixed broadband services for consumers ([beta.te.eg](https://beta.te.eg/personal/home/we-internet)). The available leak metadata describes the material as a TE Data FreeRADIUS accounting database extract, not a password dump or a public customer profile scrape (leaksear.ch metadata). No public report reviewed for this article confirmed the intrusion path, attacker, ransom demand, or company notice, so those points remain unconfirmed. ## What data was exposed The indexed records are searchable on leaksear.ch by `ipAddress` and `username` (leaksear.ch metadata). Other stored fields include session IDs, start, stop, and update timestamps, framed protocol, NAS IP and port data, called and calling station identifiers, accounting authentication and termination fields, session duration, and inbound and outbound traffic counters (leaksear.ch metadata). FreeRADIUS documentation describes the `radacct` table as per-session accounting data keyed by `acctuniqueid`, with rows containing session start and stop times plus input and output octet counters ([www.freeradius.org](https://www.freeradius.org/documentation/freeradius-server/4.0~alpha1/howto/modules/sql/data-usage-reporting.html)). In this leak, that means the sensitive value is not a reusable password, but the linkage of a broadband username to network-session metadata such as assigned IP address, device or station identifiers, and usage timing (leaksear.ch metadata). ## Why this matters Even at 32 records, RADIUS accounting data can link subscriber usernames to assigned IP addresses, device or network identifiers, timestamps, and usage volumes. That can support targeted phishing, account or billing impersonation, and correlation of a subscriber's activity windows. Egypt's telecom regulator says telecom users have a right to have personal data safeguarded and privacy protected, and publishes complaint channels for users who need to escalate issues with an operator ([www.tra.gov.eg](https://www.tra.gov.eg/en/regulations/charter-of-consumers-rights-and-duties/), [www.tra.gov.eg](https://www.tra.gov.eg/en/consumers/telecom-services-complaints/contact-methods/)). Readers who used TE Data broadband should check whether their broadband username or IP address appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include ip address and username. ## Sources - [ir.te.eg: Telecom Egypt Investor Relations](https://ir.te.eg/en/) - [beta.te.eg: We Internet](https://beta.te.eg/personal/home/we-internet) - [www.freeradius.org: Periodic Data Usage Reporting](https://www.freeradius.org/documentation/freeradius-server/4.0~alpha1/howto/modules/sql/data-usage-reporting.html) - [www.tra.gov.eg: Charter of Consumers Rights and Duties](https://www.tra.gov.eg/en/regulations/charter-of-consumers-rights-and-duties/) - [www.tra.gov.eg: Contact Methods](https://www.tra.gov.eg/en/consumers/telecom-services-complaints/contact-methods/) --- ## Universidad del Quindío Leak Exposes 30,991 Login Records leaksear.ch indexed a Universidad del Quindío leak on May 23, 2026, containing 30,991 records tied to the Colombian public university’s intranet, with a breach date listed as May 19, 2026 (leaksear.ch metadata). The exposed material includes user accounts, staff directory and portal records, COVID-19 entry logs, file-server credential data, CVs, complaint records, and campus\_virtual login material (leaksear.ch metadata). ## What happened Universidad del Quindío operates public web properties at uniquindio.edu.co and publishes institutional news and services through that domain ([www.uniquindio.edu.co](https://www.uniquindio.edu.co/)). The university reported in 2022 that Colombia’s Ministry of Education renewed its institutional high-quality accreditation for six years ([www.uniquindio.edu.co](https://www.uniquindio.edu.co/noticias/publicaciones/1794/es-un-hecho-universidad-del-quindio-renueva-la-acreditacion-institucional/)). The leak-source metadata describes the exposed material as originating from the university’s intranet, not from a named third-party processor. The metadata identifies several source categories, including Joomla user accounts, staff directory entries, citizen portal registrations, COVID-19 entry logs, Pydio file-server credentials, CVs, complaint records, and a stealer-log credentials file for campus\_virtual logins (leaksear.ch metadata). The available metadata does not include a public notification, attacker name, ransom claim, malware family, or confirmed initial-access path. Because no reference links were supplied, this article does not attribute the leak to ransomware, scraping, misconfigured storage, or any specific intrusion method (leaksear.ch metadata). ## What data was exposed leaksear.ch indexed 30,991 records for this leak. Searchable fields include names, email addresses, usernames, phone numbers, addresses, countries, dates of birth, IP addresses, passwords, and hashed passwords (leaksear.ch metadata). Other stored, non-searchable fields include capture timestamp, job or role, department or dependency, document number and type, registration date, campus or site, sex, source table, and URL (leaksear.ch metadata). The dataset description also lists CVs, complaint records, COVID-19 entry logs, Pydio credential material, and campus\_virtual login material as part of the exposure (leaksear.ch metadata). ## Why this matters The combination of contact details, dates of birth, document identifiers, roles, IP addresses, and credential material can support targeted phishing, account-takeover attempts, identity-verification fraud, and pressure against students, staff, applicants, or complainants (leaksear.ch metadata). Colombia’s Law 1581 sets general rules for personal data and gives data subjects rights including knowing, updating, correcting, and accessing their personal data, while SIC guidance describes security incidents as events involving unauthorized or fraudulent access, use, loss, or alteration of personal data and sets reporting timelines in covered cases ([www.funcionpublica.gov.co](https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981), [sedeelectronica.sic.gov.co](https://sedeelectronica.sic.gov.co/publicaciones/boletin-juridico/concepto/cumplimiento-de-la-obligacion-del-reporte-de-incidentes-de-seguridad)). If you are a student, employee, applicant, portal user, or otherwise connected to Universidad del Quindío, check whether your data appears in this leak on leaksear.ch. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, hashed password, ip address, name, password, phone, and username. ## Sources - [Universidad del Quindío: Universidad del Quindío](https://www.uniquindio.edu.co/) - [Universidad del Quindío: ¡Es un hecho! Universidad del Quindío renueva la Acreditación Institucional](https://www.uniquindio.edu.co/noticias/publicaciones/1794/es-un-hecho-universidad-del-quindio-renueva-la-acreditacion-institucional/) - [Función Pública: Ley 1581 de 2012 - Gestor Normativo](https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981) - [Superintendencia de Industria y Comercio: Cumplimiento de la obligación del reporte de incidentes de seguridad](https://sedeelectronica.sic.gov.co/publicaciones/boletin-juridico/concepto/cumplimiento-de-la-obligacion-del-reporte-de-incidentes-de-seguridad) --- ## Bank of Brazil Leak: 202 Contact and Bank Records Exposed leaksear.ch indexed a dataset labelled Bank of Brazil on May 23, 2026 containing 202 records with exposed emails, names, addresses, countries, phone numbers, and bank information (leaksear.ch metadata). Public sources identify Banco do Brasil S.A. as a Brasília-headquartered Brazilian bank, founded in 1808 and operating primarily in Brazil, but the leak metadata does not state a breach date, source system, or exposure method ([www.britannica.com](https://www.britannica.com/money/Banco-do-Brasil), [stockanalysis.com](https://stockanalysis.com/quote/bvmf/BBAS3/company/)). ## What happened The available leak metadata is limited to an indexed dataset: 202 records, indexed on May 23, 2026, with no reporter, no reference links, and no listed breach date (leaksear.ch metadata). Because the metadata does not identify ransomware, scraping, third-party compromise, misconfigured storage, or a direct bank-system compromise, those vectors should be treated as unconfirmed. For incident responders, the important distinction is that this is an exposure notice for a small dataset carrying bank-related context, not a public attribution of how the data was obtained. Brazil's ANPD says security incidents involving personal data that may cause relevant risk or damage must be communicated to the authority and affected data subjects, and that communication to affected people is a key mitigation step ([www.gov.br](https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/comunicado-de-incidente-de-seguranca-cis)). ## What data was exposed leaksear.ch indexing metadata lists the exposed fields as address, country, email, name, and phone (leaksear.ch metadata). The records also include a bank field stored with the records, but the metadata does not identify account numbers, card data, passwords, transaction histories, CPF numbers, or document images (leaksear.ch metadata). ## Why this matters A record set of 202 entries is small, but names combined with emails, phones, addresses, and bank context can be enough for targeted phishing, voice scams, and identity verification abuse. Individuals should be cautious with unsolicited Bank of Brazil or Banco do Brasil-themed messages, and ANPD advises people not to use suspicious leak-check sites, to monitor potentially related accounts, and to report fraudulent use to providers and police ([www.gov.br](https://www.gov.br/anpd/pt-br/canais_atendimento/assuntos/noticias/meus-dados-vazaram-e-agora)). Security teams should treat the combination of contact details and bank context as a phishing pivot and monitor for support tickets, fraud reports, or look-alike domains using this branding. If you are concerned your information appears in this leak, use leaksear.ch to check your exposure. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, and phone. ## Sources - [Britannica: Banco do Brasil](https://www.britannica.com/money/Banco-do-Brasil) - [StockAnalysis: Banco do Brasil Company Description](https://stockanalysis.com/quote/bvmf/BBAS3/company/) - [ANPD: Comunicação de Incidente de Segurança](https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/comunicado-de-incidente-de-seguranca-cis) - [ANPD: Meus dados vazaram, e agora?](https://www.gov.br/anpd/pt-br/canais_atendimento/assuntos/noticias/meus-dados-vazaram-e-agora) --- ## Cryptofalka leak exposes 2,317 emails and password hashes leaksear.ch has indexed a Cryptofalka breach dataset containing 2,317 records, with the breach date listed as June 5, 2023 (leaksear.ch metadata). Cryptofalka describes itself as a Hungarian Bitcoin and cryptocurrency education, news, and trading community, and its privacy notice identifies Elysium 22 Invest Kft. as the data controller for CRYPTOFALKA.HU and SHOP.CRYPTOFALKA.HU ([cryptofalka.hu](https://cryptofalka.hu/cryptofalka-magyar-kriptovaluta-kereskedes-oktatas-2018-ota), [cryptofalka.hu](https://cryptofalka.hu/privacy)). ## What happened The dataset was indexed on May 23, 2026, but the leak metadata does not identify the exposure mechanism. There is no listed ransomware group, misconfigured storage service, scraping source, third-party provider, or exploited system in the supplied metadata (leaksear.ch metadata). Public Cryptofalka pages establish the service context, including crypto news, education, memberships, consultations, and shop properties ([cryptofalka.hu](https://cryptofalka.hu/cryptofalka-magyar-kriptovaluta-kereskedes-oktatas-2018-ota), [cryptofalka.hu](https://cryptofalka.hu/privacy)). The confirmed leak facts are therefore limited to the dataset name, record count, indexed fields, breach date, and indexing date, while the initial access path remains unconfirmed (leaksear.ch metadata). ## What data was exposed leaksear.ch lists email, hashedPassword, name, and username as searchable fields in the Cryptofalka dataset (leaksear.ch metadata). The records also store display\_name, user\_id, user\_nicename, and user\_registered, but those fields are not listed as direct search pivots (leaksear.ch metadata). The password field is described as hashed, so the metadata does not support a claim that cleartext passwords were exposed. Hashed password databases can still trigger credential-response actions: NIST says password changes should be forced when there is evidence of compromise, including a breach of a verifier's hashed password database ([pages.nist.gov](https://pages.nist.gov/800-63-FAQ/)). ## Why this matters An exposed combination of email address, name, username, and account-registration metadata gives attackers enough context for credible phishing and account-recovery lures. The dataset metadata does not list wallet addresses, payment card data, bank details, or government IDs (leaksear.ch metadata). For a crypto-focused audience, phishing messages can be more convincing when they reference wallet security, exchange activity, paid education, or account support. The FBI's 2023 cryptocurrency fraud guidance warns that criminals use urgency, impersonation, and lookalike domains in crypto schemes, which makes a niche audience dataset more useful for targeted phishing ([fbi.gov](https://www.fbi.gov/contact-us/field-offices/philadelphia/news/fbi-releases-2023-cryptocurrency-fraud-report)). Security teams should watch for credential-stuffing attempts using exposed emails or usernames, and affected individuals should reset reused passwords and be cautious with unsolicited crypto-support messages. If you used Cryptofalka or a related Cryptofalka service, check whether your data appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include email, hashed password, name, and username. ## Sources - [Cryptofalka: Cryptofalka: Magyar kriptovaluta kereskedés és oktatás 2018-óta](https://cryptofalka.hu/cryptofalka-magyar-kriptovaluta-kereskedes-oktatas-2018-ota) - [Cryptofalka: Cryptofalka Adatvédelmi Tájékoztató: Személyes Adatok Kezelése](https://cryptofalka.hu/privacy) - [NIST: NIST SP 800-63 Digital Identity Guidelines FAQ](https://pages.nist.gov/800-63-FAQ/) - [FBI: FBI Releases 2023 Cryptocurrency Fraud Report](https://www.fbi.gov/contact-us/field-offices/philadelphia/news/fbi-releases-2023-cryptocurrency-fraud-report) --- ## The Crypto Merchant Leak: 1,326 Records Expose Emails, Addresses The Crypto Merchant leak indexed by leaksear.ch contains 1,326 records from an alleged database leak involving the hardware wallet reseller, which describes itself as a New York City based company founded in 2017 ([www.thecryptomerchant.com](https://www.thecryptomerchant.com/pages/about-us-guarantee)) (leaksear.ch metadata). The metadata lists February 26, 2026 as the breach date and says the dataset includes customer emails, usernames, phone numbers, shipping addresses, hashed passwords, IP addresses, and order details (leaksear.ch metadata). ## What happened Public reporting remains limited. Brinztech published a February 26, 2026 alert saying a threat actor claimed to have exfiltrated a comprehensive e-commerce database from The Crypto Merchant, with alleged contents including personal information, shipping addresses, product purchase details, prices, order dates, and order status ([www.brinztech.com](https://www.brinztech.com/breach-alerts/brinztech-alert-alleged-database-of-the-crypto-merchant-for-sale)). The Brinztech page frames the item as an alleged listing and states that it does not warrant the validity of external claims, so the public details should be treated as claims rather than a confirmed incident report from The Crypto Merchant ([www.brinztech.com](https://www.brinztech.com/breach-alerts/brinztech-alert-alleged-database-of-the-crypto-merchant-for-sale)). The leaksear.ch metadata does not identify an intrusion vector, so whether the exposure came from direct compromise, a third-party platform, scraping, misconfigured storage, or another cause remains unconfirmed (leaksear.ch metadata). ## What data was exposed Leaksear.ch indexed searchable pivots for address, country, email, hashed password, IP address, phone number, and username (leaksear.ch metadata). Other stored but non-searchable record context includes business\_name, created\_at, id, last\_user\_agent, message, source\_table, and subject, and the dataset description references order details (leaksear.ch metadata). No raw records are included here. ## Why this matters Contact and shipping data tied to hardware-wallet purchases can support highly targeted phishing, fake support outreach, delivery lures, and account-recovery scams. The combination of addresses, phone numbers, usernames, IP addresses, hashed passwords, and order context also gives defenders concrete pivots for credential-risk review and fraud monitoring (leaksear.ch metadata). Ledger warns that recovery-phrase theft attempts can arrive through email, phone, text, fake apps, websites, or postal letters, and Trezor tells users not to share or digitally store their wallet backup ([www.ledger.com](https://www.ledger.com/phishing-campaigns-status), [trezor.io](https://trezor.io/guides/backups-recovery/general-standards/how-to-use-a-wallet-backup)). Readers who believe they may have ordered from The Crypto Merchant should check leaksear.ch for their searchable details before responding to any unsolicited wallet-related contact. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, hashed password, ip address, phone, and username. ## Sources - [Brinztech: Brinztech Alert: Alleged Database of The Crypto Merchant for Sale](https://www.brinztech.com/breach-alerts/brinztech-alert-alleged-database-of-the-crypto-merchant-for-sale) - [The Crypto Merchant: About Us & Our Guarantee](https://www.thecryptomerchant.com/pages/about-us-guarantee) - [Ledger: Ongoing phishing campaigns](https://www.ledger.com/phishing-campaigns-status) - [Trezor: How to use a wallet backup](https://trezor.io/guides/backups-recovery/general-standards/how-to-use-a-wallet-backup) --- ## Vietnam Airlines Leak Exposes 9.8M CRM Customer Records Vietnam Airlines customer CRM data has been indexed by leaksear.ch as a 9,792,201-record leak tied to a June 2025 breach and an October 2025 public release (leaksear.ch metadata). Have I Been Pwned separately lists Vietnam Airlines as affected in a June 2025 Salesforce-environment breach involving 7.3 million unique email addresses, with names, phone numbers, dates of birth, and loyalty program membership numbers also exposed ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/VietnamAirlines)). ## What happened Vietnam Airlines confirmed on October 14, 2025, that it had identified a data breach involving a third-party customer service platform operated by a global technology partner, and said unauthorized access may have occurred to certain customer data processed through that platform ([www.vietnamairlines.com](https://www.vietnamairlines.com/bh/en/vietnam-airlines/press-room/press-release/2025/1014-EN-Information-Regarding-Customer-Data-Breach)). The airline said its internal IT systems were not affected, and that payment information, passwords, travel itineraries, Lotusmiles balances, and passport details remained secure ([www.vietnamairlines.com](https://www.vietnamairlines.com/bh/en/vietnam-airlines/press-room/press-release/2025/1014-EN-Information-Regarding-Customer-Data-Breach)). Public reporting tied the incident to a broader Salesforce extortion campaign. Help Net Security reported that Scattered LAPSUS$ Hunters launched a data leak site listing 39 companies, including Vietnam Airlines, and BleepingComputer reported that Salesforce said it would not pay an extortion demand after threat actors claimed nearly 1 billion records from Salesforce customers ([www.helpnetsecurity.com](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/), [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/salesforce-refuses-to-pay-ransom-over-widespread-data-theft-attacks/)). Hackread reported that data for six companies, including Vietnam Airlines, was made public on October 10, 2025, and described the Vietnam Airlines archive as JSON data from the Salesforce campaign. Outpost24 reported that Vietnam Airlines data was among six victim datasets publicly released in the October 11 to October 13 window ([hackread.com](https://hackread.com/shinyhunters-leak-data-qantas-vietnam-airlines-others/), [outpost24.com](https://outpost24.com/blog/salesforce-breach-qantas-vietnam-airlines/)). ## What data was exposed The leaksear.ch indexing metadata lists the directly searchable fields as address, country, date of birth, email address, name, and phone number (leaksear.ch metadata). The same metadata also includes record fields for Lotusmiles or frequent flyer identifiers, account and contact IDs, CRM status fields, age or year of birth, gender, preferred language, last travel date, business account details, cargo-related contact fields, tax-related fields, and Salesforce timestamps or system metadata (leaksear.ch metadata). HIBP's entry for the breach lists dates of birth, email addresses, loyalty program details, names, and phone numbers as compromised data ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/VietnamAirlines)). Vietnam Airlines has publicly stated that payment information, passwords, travel itineraries, Lotusmiles balances, and passport details remained secure ([www.vietnamairlines.com](https://www.vietnamairlines.com/bh/en/vietnam-airlines/press-room/press-release/2025/1014-EN-Information-Regarding-Customer-Data-Breach)). ## Why this matters For affected customers, the main risk is targeted social engineering, especially phishing emails, fake airline support calls, loyalty-program scams, and attempts to use known personal details to bypass account checks. Vietnam Airlines specifically warned customers to watch for suspicious emails or phone calls impersonating the airline and not to share OTPs or login credentials with unverified sources ([www.vietnamairlines.com](https://www.vietnamairlines.com/bh/en/vietnam-airlines/press-room/press-release/2025/1014-EN-Information-Regarding-Customer-Data-Breach)). Security teams should treat this as CRM-derived customer PII exposure rather than a confirmed password or payment-card dump unless their own investigation shows otherwise. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone. ## Sources - [Have I Been Pwned: Vietnam Airlines Data Breach](https://haveibeenpwned.com/Breach/VietnamAirlines) - [Vietnam Airlines: Information Regarding Customer Data Breach](https://www.vietnamairlines.com/bh/en/vietnam-airlines/press-room/press-release/2025/1014-EN-Information-Regarding-Customer-Data-Breach) - [Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/) - [BleepingComputer: Salesforce refuses to pay ransom over widespread data theft attacks](https://www.bleepingcomputer.com/news/security/salesforce-refuses-to-pay-ransom-over-widespread-data-theft-attacks/) - [Hackread: ShinyHunters Leak Data from Qantas, Vietnam Airlines and Other Major Firms](https://hackread.com/shinyhunters-leak-data-qantas-vietnam-airlines-others/) - [Outpost24: Salesforce breach escalates: Qantas & Vietnam Airlines data leaked on dark web](https://outpost24.com/blog/salesforce-breach-qantas-vietnam-airlines/) --- ## Fujifilm Leak Exposes 222K Salesforce Account Records A Fujifilm leak indexed by leaksear.ch contains 222,058 Salesforce account records, including names, emails, phone numbers, billing and shipping addresses, and Salesforce account metadata, with a breach date recorded as October 10, 2025 (leaksear.ch metadata). Fujifilm Holdings is headquartered in Tokyo and operates across healthcare, electronics, business innovation, and imaging ([holdings.fujifilm.com](https://holdings.fujifilm.com/en/about/companyprofile)). ## What happened leaksear.ch metadata attributes the dataset to ShinyHunters and says it was published on the ShinyHunters/Scattered Lapsus$ Hunters Trinity of Chaos extortion leak site after a voice-phishing campaign that abused a malicious OAuth app connected to corporate Salesforce instances (leaksear.ch metadata). Public reporting in October 2025 described Scattered Lapsus$ Hunters launching a data leak site to pressure 39 organizations whose Salesforce databases had reportedly been stolen, with Fujifilm named among the listed companies ([www.helpnetsecurity.com](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/), [www.resecurity.com](https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims)). Google Threat Intelligence Group and the FBI documented the broader UNC6040 Salesforce campaign: callers impersonated IT support, persuaded employees to authorize malicious connected apps or modified Data Loader apps, and then used Salesforce access to query and exfiltrate data. GTIG said observed cases relied on manipulating end users, not exploiting a vulnerability inherent to Salesforce, while the FBI warned that OAuth-based connected app authorization can make malicious access look like trusted integration activity ([cloud.google.com](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion), [www.fbi.gov](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf)). Public reporting later said only six of the original 39 named organizations had data released, including Fujifilm. DataBreaches.net reported Fujifilm was among the first six releases, and Hackread reported the Fujifilm file was a 155 MB CSV with around 224,000 records made public on October 10, 2025 ([databreaches.net](https://databreaches.net/2025/10/12/from-sizzle-to-drizzle-to-fizzle-the-massive-data-leak-that-wasnt/), [hackread.com](https://hackread.com/shinyhunters-leak-data-qantas-vietnam-airlines-others/)). No public source reviewed here shows a Fujifilm notice confirming the intrusion or the exact forensic path, so the Fujifilm-specific record count and fields below are anchored to leaksear.ch metadata. ## What data was exposed leaksear.ch indexes the Fujifilm dataset as Salesforce account records. Searchable exposure pivots are address, country, email, name, and phone (leaksear.ch metadata). Stored record context includes account IDs and customer codes, billing and shipping address objects, fax numbers, websites, industries, employee counts, account types, owner and parent IDs, record type IDs, created and modified dates, last viewed dates, system timestamps, customer satisfaction fields, outstanding balance fields, and other Salesforce metadata (leaksear.ch metadata). The metadata does not identify passwords, payment-card numbers, or government ID numbers in this dataset (leaksear.ch metadata). ## Why this matters CRM contact data is valuable because it links people, organizations, phone numbers, emails, addresses, and account context. That can support phishing, vendor impersonation, business email compromise preparation, and follow-on social engineering against Fujifilm customers, partners, or staff whose records were in Salesforce. Security teams should correlate suspicious email and phone activity with the October 2025 Salesforce extortion wave and review whether exposed CRM metadata creates customer, supplier, or regulatory notification obligations. If you may have dealt with Fujifilm, use leaksear.ch to check whether your email, name, phone, address, or country appears in this leak. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, and phone. ## Sources - [FUJIFILM Holdings Corporation: Company Profile](https://holdings.fujifilm.com/en/about/companyprofile) - [Help Net Security: Hackers launch data leak site to extort 39 victims, or Salesforce](https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/) - [Resecurity: ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims](https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims) - [Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion](https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion) - [FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion](https://www.fbi.gov/file-repository/cyber-alerts/cybercriminal-groups-unc6040-and-unc6395-compromising-salesforce-instances-for-data-theft-and-extortion-091225.pdf) - [DataBreaches.net: From sizzle to drizzle to fizzle: The massive data leak that wasnt](https://databreaches.net/2025/10/12/from-sizzle-to-drizzle-to-fizzle-the-massive-data-leak-that-wasnt/) - [Hackread: ShinyHunters Leak Data from Qantas, Vietnam Airlines and Other Major Firms](https://hackread.com/shinyhunters-leak-data-qantas-vietnam-airlines-others/) --- ## ADT Leak Exposes 8.66M Customer PII Records ADT disclosed unauthorized access to cloud-based environments after detecting activity on April 20, 2026, and leaksear.ch has indexed 8.66 million related customer, prospective-customer, and support-case records (leaksear.ch metadata, [www.sec.gov](https://www.sec.gov/Archives/edgar/data/1703056/000170305626000038/0001703056-26-000038.txt)). Have I Been Pwned lists the ADT breach as affecting 5.5 million unique email addresses, with names, phone numbers, physical addresses, dates of birth, and partial government IDs among the exposed data ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/ADT)). ## What happened ADT's April 24, 2026 Form 8-K says the company became aware of unauthorized access to certain cloud-based environments on April 20, terminated the access, activated its incident-response plan, engaged third-party cybersecurity experts, and notified law enforcement. ADT said limited customer and prospective-customer data was accessed, and that it did not believe the incident was reasonably likely to materially affect its financial condition, results, or ongoing operations ([www.sec.gov](https://www.sec.gov/Archives/edgar/data/1703056/000170305626000038/0001703056-26-000038.txt)). Public reporting tied the incident to ShinyHunters. BleepingComputer reported that the group listed ADT on its leak site, claimed to have stolen more than 10 million records, set an April 27, 2026 deadline, and said it accessed ADT through a vishing attack that compromised an employee Okta SSO account before pivoting into Salesforce ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/)). BankInfoSecurity later reported that ShinyHunters posted a zip file it said contained more than 10 million records, while also noting Have I Been Pwned's count of 5.5 million unique email addresses ([www.bankinfosecurity.com](https://www.bankinfosecurity.com/home-security-firm-adt-breach-55m-customers-data-exposed-a-31511)). leaksear.ch metadata identifies the indexed dump as an 11 GB archive named `shouldve_paid_the_ransom`, combining Salesforce Account, Contact, Case, and AI-outreach Lead objects (leaksear.ch metadata). ADT did not publicly confirm the attackers' claimed record volume in the reporting reviewed here ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/)). ## What data was exposed The leaksear.ch index includes searchable names, email addresses, phone numbers, physical addresses, countries, and dates of birth (leaksear.ch metadata). The indexed records also contain account, contact, lead, and support-case context, including account names and status fields, billing, shipping, mailing, and other address components, case numbers, case notes and comments, chat history, lead outreach replies, product-interest fields, customer and system identifiers, credit-check consent and scoring references, balance and invoice fields, and tax or SSN-related field names (leaksear.ch metadata). Public reporting says ADT described the exposed information as names, phone numbers, and addresses, with dates of birth and the last four digits of Social Security numbers or Tax IDs present in a small percentage of cases. ADT also told BleepingComputer that payment information, including bank accounts and credit cards, was not accessed, and that customer security systems were not affected or compromised ([www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/)). ## Why this matters The exposed combination of contact details, home addresses, account context, and support-case history can support targeted phishing, customer-support impersonation, and social-engineering attempts that reference ADT service history. Dates of birth and partial government identifiers can also increase identity-verification and fraud risk for affected people. For security teams, the Salesforce and support-case context makes this useful for pretexting against customers, dealers, support desks, and account-recovery workflows. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, password, and phone. ## Sources - [SEC: ADT Inc. Form 8-K, April 24, 2026](https://www.sec.gov/Archives/edgar/data/1703056/000170305626000038/0001703056-26-000038.txt) - [BleepingComputer: ADT confirms data breach after ShinyHunters leak threat](https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/) - [Have I Been Pwned: ADT Data Breach](https://haveibeenpwned.com/Breach/ADT) - [BankInfoSecurity: Home Security Firm ADT Breach: 5.5M Customers' Data Exposed](https://www.bankinfosecurity.com/home-security-firm-adt-breach-55m-customers-data-exposed-a-31511) --- ## Aman Resorts Leak Exposes 283K CRM Records and PII Aman Resorts CRM data is indexed by leaksear.ch as 283,251 records tied to an April 2026 breach, exposing guest and contact profile data including emails, names, addresses, phone numbers, dates of birth, nationalities, and VIP status (leaksear.ch metadata). Public reporting and breach-notification records link Aman to a ShinyHunters pay-or-leak extortion campaign involving Salesforce CRM data, with Have I Been Pwned listing 215.6 thousand affected accounts and more than 200,000 unique email addresses ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Aman), [cybernews.com](https://cybernews.com/security/zara-carnival-7eleven-ransomware-shinyhunters-leak-warning/)). ## What happened Aman Group describes itself as a hospitality, residential development, and lifestyle company with 36 hotels and resorts in 20 destinations, which helps explain why exposed CRM records could contain both contact and guest-profile data ([www.aman.com](https://www.aman.com/aman-group)). In April 2026, Cybernews reported that ShinyHunters listed multiple brands in a pay-or-leak warning with an April 21 deadline, including Aman Resorts as an ultra-luxury hospitality brand tied to a claimed 500k Salesforce records containing PII ([cybernews.com](https://cybernews.com/security/zara-carnival-7eleven-ransomware-shinyhunters-leak-warning/)). The record counts differ by source and stage of reporting: the attacker claim cited in public reporting was 500k Salesforce records, Have I Been Pwned lists 215.6 thousand affected accounts, and leaksear.ch indexed 283,251 records (leaksear.ch metadata, [haveibeenpwned.com](https://haveibeenpwned.com/Breach/Aman)). No public source reviewed here provides an Aman-issued breach notice or confirms the exact Salesforce configuration involved. Salesforce separately published March 7 guidance about a campaign abusing overly permissive Experience Cloud guest user configurations, stating that the issue was not an inherent Salesforce platform vulnerability but a customer-configured guest user setting. That Salesforce-wide guidance provides context for the broader 2026 campaign, but it should not be read as confirming the precise path used against Aman ([www.salesforce.com](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/), [www.finra.org](https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-salesforce-experience-cloud-security-incident)). ## What data was exposed leaksear.ch indexed searchable fields for address, country, date of birth, email, name, and phone. The stored record metadata also lists account identifiers and account numbers, account region, source, status and type, billing, mailing, shipping, and residence country or address components, secondary emails, gender, home and other phone fields, language preference, salutation, title, department, source fields, and VIP status (leaksear.ch metadata). Have I Been Pwned independently lists compromised data categories including dates of birth, email addresses, genders, language preferences, names, nationalities, phone numbers, physical addresses, spouse names, and VIP statuses ([haveibeenpwned.com](https://haveibeenpwned.com/Breach/Aman)). The available leaksear.ch metadata and HIBP categories do not list passwords or payment card numbers. ## Why this matters This is customer and prospect CRM exposure, not just a list of email addresses. Names, email addresses, phone numbers, postal addresses, dates of birth, nationality context, and VIP status can support credible hotel reservation, concierge, loyalty, invoice, or travel-security phishing. FINRA warned in its alert on the broader Salesforce Experience Cloud incident that stolen data from the campaign was being used for targeted phishing, vishing, and extortion, which makes follow-on fraud and impersonation the practical risk to watch ([www.finra.org](https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-salesforce-experience-cloud-security-incident)). ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone. ## Sources - [Have I Been Pwned: Aman Data Breach](https://haveibeenpwned.com/Breach/Aman) - [Cybernews: Zara, Carnival, 7-Eleven hit by ShinyHunters, 9M+ records at risk in pay or leak warning](https://cybernews.com/security/zara-carnival-7eleven-ransomware-shinyhunters-leak-warning/) - [Aman: Worldwide Retreats, Residences, & Lifestyle - Aman Group](https://www.aman.com/aman-group) - [Salesforce: Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access](https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/) - [FINRA: Cybersecurity Alert - Salesforce Experience Cloud Security Incident](https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-salesforce-experience-cloud-security-incident) - [leaksear.ch: Request access](https://leaksear.ch/request-access) - [leaksear.ch: Sign in](https://leaksear.ch/login) --- ## B1ack's Stash Dumps 4.6M Stolen Credit Cards on Dark Web B1ack's Stash, a dark-web carding marketplace active since at least 2023, released approximately 4.6 million stolen credit card records for free on May 18, 2026 ([securityweek.com](https://www.securityweek.com/b1acks-stash-marketplace-gives-away-4-6-million-stolen-credit-cards/)). leaksear.ch has indexed 4,162,208 entries from the dump, each containing full payment card details alongside cardholder contact information and source IP addresses (leaksear.ch metadata). ## What happened According to public reporting, the operators of B1ack's Stash published the trove as a punitive measure after suspending sellers who were caught reselling marketplace inventory on competing carding forums ([securityweek.com](https://www.securityweek.com/b1acks-stash-marketplace-gives-away-4-6-million-stolen-credit-cards/), [socradar.io](https://socradar.io/blog/b1acks-stash-releases-4-million-credit-cards-for-free/)). The release marks the third large free dump from the shop, following a roughly 1 million card giveaway in April 2024 and a roughly 4 million card release in February 2025 ([cyberint.com](https://cyberint.com/blog/other/b1acks-stash-a-comprehensive-analysis-of-the-free-1-million-card-leak/), [cybersecuritynews.com](https://web.archive.org/web/20250723121504/https://cybersecuritynews.com/4-million-stolen-credit-cards-to-be-released/)). SOCRadar analysts who validated samples from the May 2026 dump estimated that around 4.3 million of the records remain usable, with the remainder either expired or duplicate entries ([socradar.io](https://socradar.io/blog/b1acks-stash-releases-4-million-credit-cards-for-free/)). Approximately 70 percent of the affected cards were issued in the United States, with Canada, the United Kingdom, France and Malaysia rounding out the top five issuing countries ([socradar.io](https://socradar.io/blog/b1acks-stash-releases-4-million-credit-cards-for-free/)). SOCRadar attributed the underlying data collection to "multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets," rather than to any single corporate breach. ## What data was exposed Each record in the leaksear.ch index combines payment-card data with cardholder contact information: - Full primary account number (PAN), expiration month and year, and CVV2 verification code - Cardholder name, billing street address, and issuing country - Email address, phone number and source IP address captured at the time of the original compromise The indexed schema lists 4,162,208 records after deduplication against the source file's 4,668,889 rows. ## Why this matters Unlike credential dumps that only enable account takeover, this dataset is directly usable for card-not-present fraud and synthetic-identity setup because each record bundles a payable card with the cardholder's matching billing identity. Affected cardholders should expect targeted phishing and SMS smishing pivots that reference real billing addresses or recent transaction patterns, since attackers can cross-reference the leaked email and phone number with the card data to make outreach more convincing. Issuers face elevated chargeback exposure on cards that have not yet been reissued, and merchants serving the affected geographies (especially the US, Canada and UK) should expect higher fraud attempts against any account whose billing email or phone appears in the dump. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, and phone. ## Sources - [SecurityWeek: B1ack's Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards](https://www.securityweek.com/b1acks-stash-marketplace-gives-away-4-6-million-stolen-credit-cards/) - [SOCRadar: B1ack's Stash Releases 4 Million Credit Cards for Free](https://socradar.io/blog/b1acks-stash-releases-4-million-credit-cards-for-free/) - [Cyberint: B1ack's Stash Free 1 Million Card Leak Analysis](https://cyberint.com/blog/other/b1acks-stash-a-comprehensive-analysis-of-the-free-1-million-card-leak/) - [Cybersecurity News: 4 Million Stolen Credit Cards to Be Released](https://web.archive.org/web/20250723121504/https://cybersecuritynews.com/4-million-stolen-credit-cards-to-be-released/) --- ## Zurich Insurance Spain Leak Exposes 4.3M Policy Records leaksear.ch has indexed a Zurich Insurance Spain dataset containing 4,321,100 insurance policy records from a leaked MySQL dump, roughly 4.3 million records tied to Spanish policyholder data (leaksear.ch metadata). The dataset metadata lists June 29, 2021 as the breach date; in public reporting, Zurich said it informed affected customers on August 15, 2021 after a Spain incident ([handelszeitung.ch](https://web.archive.org/web/20251116120907/https://www.handelszeitung.ch/unternehmen/zurich-bestatigt-datenleck-in-spanien)). ## What happened Public reporting in October 2021 said Zurich confirmed a data leak in Spain after a hacker reported a security vulnerability and customer data was later published on the dark web. Handelszeitung reported criticism that Zurich had not communicated the issue, but Zurich told the publication it notified customers on August 15, 2021, met legal and regulatory requirements, and reported the incident to police and the Spanish data protection authority ([handelszeitung.ch](https://web.archive.org/web/20251116120907/https://www.handelszeitung.ch/unternehmen/zurich-bestatigt-datenleck-in-spanien)). Zurich also told Handelszeitung that the incident did not originate in its own systems. Atlas Magazine separately reported that Zurich said an attacker accessed some customer data, that passwords and banking data were not accessed, and that the perpetrator announced a darknet disclosure on September 4, 2021 ([atlas-mag.net](https://www.atlas-mag.net/en/articles/zurich-insurance-victim-cyberattack-0)). The leaksear.ch metadata for the indexed dataset describes a leaked MySQL dump, specifically the ZURICH\_POLIZAS table, with 4,321,100 insurance policy records and a breach date of June 29, 2021 (leaksear.ch metadata). Public reports do not establish whether this table is the complete set of affected records, and leaksear.ch does not attribute the intrusion beyond indexing the dataset. ## What data was exposed The searchable fields indexed for this leak are names, email addresses, phone numbers, physical addresses, and dates of birth (leaksear.ch metadata). The stored record schema also includes insurance policy details such as policy codes, status, start and end dates, cancellation dates, receipt fields, product and business codes, intermediary names and phone numbers, and policyholder indicators. Additional stored fields include Spanish DNI/NIF document-code fields, first-driver identity and address fields, vehicle registration numbers, vehicle make, model, type, weight, seats, power, and first-registration dates (leaksear.ch metadata). The metadata also lists an Account number IBAN field; because a field list does not prove every record contains every value, responders should treat those fields as possible exposure indicators rather than assume uniform coverage across all 4.3 million records. ## Why this matters Insurance data can support credible phishing and social-engineering lures when names, dates of birth, phone numbers, addresses, policy details, intermediaries, and vehicle information align. DNI/NIF-related fields, vehicle registration fields, and any populated IBAN/account-number values raise identity-verification, fraud, and claims-pretexting risks. Security teams should monitor for Zurich-themed phishing, customer-support impersonation, and attempts to misuse Spanish identity or vehicle details. ## Check your exposure Vetted researchers and incident-response teams can [request access](https://leaksear.ch/request-access) or [sign in](https://leaksear.ch/signin) if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, name, and phone. ## Sources - [Cybernews: Zurich Insurance Group secures data leak](https://web.archive.org/web/20250624161147/https://cybernews.com/zurich-insurance-data-leak/) - [Marc Ruef post on X (Oct 2021)](https://x.com/mruef/status/1444540856564867077) - [Handelszeitung: Zurich bestätigt Datenleck in Spanien](https://web.archive.org/web/20251116120907/https://www.handelszeitung.ch/unternehmen/zurich-bestatigt-datenleck-in-spanien) - [Atlas Magazine: Zurich Insurance, victim of a cyber attack](https://www.atlas-mag.net/en/articles/zurich-insurance-victim-cyberattack-0)