Catalog
The dataset catalog.
Every public corpus we've gotten our hands on. Breaches, stealer logs, paste dumps, combolists. Click any one to see the fields it exposed and search it directly.
telcel.com
A breach of Mexican wireless telecommunications company Telcel in approximately 2010, exposing sensitive information on over 36 million customers. Compromised data includes full names, phone numbers, and physical addresses (street, neighborhood, city, state). The dataset contains 36,653,022 records in semicolon-delimited CSV format.
forum.thanhhoafc.vn
In November 2019, the fan forum for Vietnamese football club Thanh Hóa FC (forum.thanhhoafc.vn) was breached via CVE-2019-16759 (a critical vBulletin remote code execution vulnerability). The breach exposed approximately 339,364 records including usernames, email addresses, vBulletin-hashed passwords, password salts, and IP addresses. The data was originally obtained by threat actor @donjuji and later circulated on BreachForums.
thctalk.com
Database dump from THCtalk (thctalk.com), a cannabis-themed discussion forum running vBulletin software. The breach contains user account data including usernames, MD5-hashed passwords, salts, email addresses, IP addresses, birthdates, join dates, and extensive forum activity metadata. The data appears to cover users from approximately 2007 onward.
dshs.texas.gov
A dataset containing Texas vital records compiled up to 2014, including birth records (1950–1995), death records (1965–1999), marriage records (1966–2014), and divorce records (1968–2014). Data includes full names, dates, counties, sexes, and marital statuses. Likely sourced from the Texas Department of State Health Services vital statistics unit. Circulated on BreachForums.
svenskamagic.com
Breach of SvenskaMagic.com, a Swedish Magic: The Gathering community website. The dataset contains email addresses paired with what appear to be bcrypt/DES-crypt password hashes, indicating user account credentials were compromised. The data was shared on BreachForums.
stayful.com
A database dump from Stayful.com, a hotel booking/bidding platform, dated January 2016. The data is in JSON/CSV format exported from a MongoDB database and contains user account records including usernames, names, email addresses, salted SHA-256 hashed passwords, roles, organization affiliations, and hotel listing data including addresses, descriptions, and third-party booking links.
stripcreator.com
In November 2019, the webcomic platform StripCreator (stripcreator.com) suffered a data breach exposing 456,183 user records. The breach was carried out by exploiting CVE-2019-16759 and was attributed to threat actors 'Winter' or '@donjuji'. Compromised data includes email addresses and MD5-hashed passwords. The dataset was later verified and shared on RaidForums.
sportsfreaksonline.com
In November 2019, the now-defunct Canadian sports forum SportsFreaksOnline (sportsfreaksonline.com) was breached via CVE-2019-16759 (vBulletin RCE vulnerability). The breach exposed approximately 110,534 user records including usernames, email addresses, vBulletin-hashed (MD5) passwords, salt values, and IP addresses. The data was originally obtained by threat actor @donjuji and later shared on BreachForums.
cnzz.com
Breach of CNZZ (China's major web analytics platform, cnzz.com), containing owner account credentials (usernames, MD5-hashed passwords, email addresses) and a large website registry table with over 1.4 million tracked domains. Data was shared on BreachForums.
comicbookresources.com
Breach of the Comic Book Resources (CBR) community forum database, exposing usernames, email addresses, IP addresses, MD5 password hashes, and plaintext passwords. The data includes both staff accounts (e.g., @comicbookresources.com addresses) and general forum member accounts.
catho.com.br
Breach of Catho (catho.com.br), a major Brazilian online job board. The dataset contains user account records including full names, usernames/email logins, plaintext passwords, employer IDs, job titles, and template paths. Passwords appear to be stored in plaintext, representing a significant credential exposure for Brazilian job seekers and recruiters.
calcioshop.it
Breach of CalcioShop, an Italian sports/football equipment e-commerce site. Contains order data exported from an Elasticsearch index, including customer names, email addresses, billing and shipping addresses, phone numbers, tax/fiscal codes (Italian codice fiscale), VAT numbers, payment methods, order totals, product details, and IP addresses. Data spans at least October 2019 through April 2021.
chain.link
A dataset containing Chainlink (LINK) cryptocurrency holders' data, including Ethereum wallet addresses, email addresses, and LINK token balances/USD values. The data appears to be sourced from Chainlink's token distribution or user database, with records sorted by holdings value ranging from $0 to over $57 million. Posted to BreachForums.
bookcrossing.com
A breach of BookCrossing, the online book-sharing community, containing member data including usernames, plaintext passwords, names, email addresses, dates of birth, zip codes, geographic IDs, IP addresses, profile information, newsletter preferences, and other account metadata.
osu.ppy.sh
This archive contains the leaked source code of osu!, the popular free-to-play rhythm game developed by ppy. The archive includes C# source files, localisation tools, submission services, resources, and test files from what appears to be an internal or private repository named 'osu-master'. This is a source code exposure rather than a user data breach.
abusewith.us
Database dump from AbuseWithUs (abusewith.us), a credential lookup/combo-list tool site that aggregated data from multiple gaming/RSPS (RuneScape Private Server) community databases. The archive contains search results from several underlying databases including WP_RuneLocus (a RuneScape fansite), ipb_Rskingdom, ipb_WAD, ipb_Zybez, ipb_parabot, and ipb_rs2006. Data includes email addresses, plaintext passwords, MD5/bcrypt hashed passwords, IP addresses, and usernames. The files are split alphabetically (aaa, aab, etc.) representing a full database lookup export.
yahoo.com
A credential dump containing Yahoo email addresses paired with plaintext passwords. All records use @yahoo.com addresses. The file appears to be a compiled or aggregated credential list targeting Yahoo users, though the exact breach event or year cannot be determined from the file alone. It may be a subset or compilation derived from one of the known Yahoo breaches (2013/2014) or a credential stuffing list.
twitch.tv
A collection of Twitch account credentials in the format username:password:oauth:token. Each record contains a Twitch username, a plaintext password, and an OAuth access token, suggesting either a credential-stuffing campaign against Twitch or a dump of harvested session tokens. The file is small (~130 records) and may be a subset or sample from a larger dataset.
tiny4k.com
A small credential dump containing usernames and passwords for multiple adult content websites including tiny4k.com, povd.com, passion-hd.com, puremature.com, and castingcouch-x.com. The file contains approximately 20 plaintext username/password pairs in two different formats. This appears to be a credential stuffing list or a small combo list rather than a formal breach dump from a single source.
behmusic.com
In November 2019, the now-defunct Iranian music forum BehMusic (behforum.com & behmusic.com) was breached via CVE-2019-16759 (vBulletin RCE vulnerability), compromising 257,628 records. The leaked data includes usernames, email addresses, MD5-hashed passwords with salt, and IP addresses. The site is no longer active.
redbox.com
A credential dump associated with Redbox, containing plaintext email and password pairs. The data appears to be a compilation of user credentials primarily from Gmail, Yahoo, Comcast, and other common email providers. The file contains thousands of email:password pairs in plaintext format.
snapchat.com
A text file named 'snaplist.txt' containing a list of Snapchat video file references (MP4 files with numeric IDs followed by 'r'). The file appears to be a manifest or index of Snapchat video content, likely scraped or leaked from Snapchat's platform. No personally identifiable information is directly visible in the sample — only video asset IDs.
topsy.com
A database dump from what appears to be Topsy, a social media analytics platform acquired by Apple in 2013. The data contains user account records including names, email addresses, usernames, OAuth tokens for Google and Facebook, profile photo URLs, and account metadata. Records are dated around March 2014. The data includes OAuth access tokens for Google and Facebook that were live at the time of the breach.
picsart.com
A breach of PicsArt, the photo editing and social platform, containing user account records from March 2014. The data includes usernames, email addresses, profile photo URLs (hosted on cdn.picsart.com and cdn28.picsart.com), OAuth tokens (Google), provider information, account creation timestamps, and internal user metadata. This appears to be a MongoDB dump of the user collection. OAuth tokens present in some records represent a significant security risk.
paypal.com
A compiled credential stuffing list of approximately 700,000 email:password pairs labeled as targeting PayPal. The data appears to be a cross-source compilation rather than a direct PayPal breach — credentials are repeated across gmail, hotmail, and yahoo variants of the same username, and many entries contain plaintext passwords sourced from multiple prior breaches. This is characteristic of a combo list assembled for credential stuffing attacks against PayPal accounts.
picsart.com
A breach of PicsArt, the photo editing and social platform, containing user account data from around March 2014. Records include internal MongoDB IDs, usernames, names, profile photo URLs (hosted on cdn.picsart.com and cdn23.picsart.com), email addresses (many null), OAuth tokens for Twitter and Facebook (including access tokens and secrets), provider type (twitter/facebook/site), account creation and update timestamps, and various account flags. The presence of OAuth tokens makes this particularly sensitive.
avito.ma
Database dump from AvitoMa (avito.ma), a Moroccan classifieds/marketplace website. Contains user records including names, email addresses, phone numbers, Moroccan regions, account status, and login timestamps. Data appears to originate from 2014 onward with last login dates as recent as 2022. Shared on BreachForums.
osu.ppy.sh
This archive contains the leaked source code of osu!web (version 10), the web backend for the osu! rhythm game platform. The leak includes server configuration files (nginx, PHP, MySQL), database schema and backup scripts, forum email templates, and infrastructure configuration. This appears to be a source code leak rather than a user data breach, though it exposes sensitive server configuration and database structure details for the osu! platform.
osu.ppy.sh
Leaked source code for osu!Bancho, the backend server software powering the osu! rhythm game's multiplayer and chat infrastructure. The archive contains C# source files implementing the Bancho server protocol, IRC client handling, BanchoBot logic, MySQL database interactions, user authentication (including MD5 and BCrypt password verification), multiplayer lobby management, and GeoIP lookups. This is proprietary server-side code for the osu! game by ppy, not user data.
nulled.io
A credential combo list of approximately 2.6 million email:password pairs sourced from or associated with Nulled.IO, a hacking and cracking forum. The data contains plaintext passwords alongside email addresses from a variety of providers (Gmail, Yahoo, Hotmail, etc.).
atlas.ps
Database breach of AtlasRSPS, a RuneScape Private Server (RSPS) community. Contains approximately 12,000 user records including usernames, email addresses, bcrypt-hashed passwords with salts, and IP addresses. Data was leaked and circulated on BreachForums.
nulled.cr
A data breach from Nulled.cr, a hacking/cracking forum. The dataset contains user records including user IDs, usernames, email addresses, IP addresses, MD5-hashed passwords, and password salts. The presence of the staff email '[email protected]' confirms the target domain.
osu.ppy.sh
This archive contains the full source code repository of osu!stream, the iOS rhythm game by peppy (Dean Herbert) and the osu! team. The repository includes game source code (C#/Mono), artwork, localization files in multiple languages, App Store submission screenshots, and third-party libraries like OpenTK. This appears to be the GitHub repository for osu!stream which was made open-source. It does not appear to be a malicious breach but rather a public or leaked source code release.
thegreattipoff.com
MongoDB database dump from thegreattipoff.com, an Australian horse racing tipping/selections platform. The leaked data consists of email logs including welcome emails, password reset emails, tip alert notifications, and purchased tips receipts. Records expose user email addresses, usernames/login IDs, user IDs, email subjects and bodies, and BCC recipient lists revealing other registered users' email addresses. Data spans approximately January 2015 through October 2015.
artificialaiming.net
Database breach of ArtificialAiming, a gaming cheat/hack community forum running vBulletin. Contains user records including usernames, MD5-hashed passwords with salts, email addresses, IP addresses, join dates, and forum activity data. The dump includes vBulletin user tables, session data, and settings. Last activity timestamps suggest data was captured around late January 2012.
Lord of the Rings Fan Site Credential Dump
A credential dump file containing email address and plaintext password pairs. The filename 'LOTrEmail' suggests a connection to a Lord of the Rings themed website or fan community. Contains several hundred credentials from various free email providers (Yahoo, Hotmail, Gmail, AOL, etc.) with plaintext passwords. One entry contains '[email protected]' suggesting the source is LOTR-related. Exact breach origin is unknown.
instagram.com
A small plaintext credential list of approximately 100 username:password pairs labeled as an 'Instagram database'. The file is only 2.4 KB and contains cleartext passwords, suggesting this is likely a credential stuffing list, phishing harvest, or community-compiled combo list rather than a direct breach of Instagram's systems. No hashes are present — all passwords are plaintext.
facebook.com
A compiled list of approximately 1,000,000 email addresses purportedly associated with Facebook accounts, with a notable concentration of users linked to the Facebook game 'Mafia Wars'. The file was sold commercially (references a purchase) and contains only email addresses with no passwords or other credentials. This appears to be a scraped or aggregated email list rather than a traditional breach dump.
adecco.com
A breach of Adecco's candidate database, containing Cassandra (CQL) database dumps from their 'aecandidatos' system. The exposed data includes candidate records with names, email addresses, hashed passwords, country information, job application history (avisos_postulados), and saved job listings (avisos_guardados). The keyspace 'aecandidatos' suggests this is Adecco's Latin American candidate portal. Data was shared on BreachForums.
demonforums.net
A full server-side archive of Demon Forums, a MyBB-based hacking/underground forum. The breach includes the entire web root: PHP source files, configuration files with plaintext database credentials (username 'demonfor_DemonX', password 'sherlocklucy1996xx'), error logs, uploaded avatars, post attachments, and MyBB forum software files. Error log timestamps indicate activity through late October/early November 2016. The database name is 'demonfor_DemonForums'.
bleachanime.org
A credential dump from what appears to be a Bleach anime fan forum (bleachanime.org). The file contains plaintext email:password pairs. The presence of '[email protected]' and numerous usernames referencing Bleach anime characters strongly suggests this originated from bleachanime.org. Passwords appear to be stored or recovered in plaintext.
247hire.com
Breach of 247Hire, a headhunting/recruitment platform. The leaked data includes candidate resume records stored in an Elasticsearch index, containing full names, email addresses, visa status, geographic region, job designations, candidate IDs, and full resume documents in XML/DOCX format. Data appears to originate from a 'headhunting' index with candidate_resumes type, suggesting a database or Elasticsearch export.
178.com
In December 2011, 178.com, a Chinese gaming website, was hacked and approximately 9 million user records were exposed. The breached data was stored in plaintext and contained only usernames and passwords (no email addresses or other PII). The data format appears to be ID:username:password.
NanoCore RAT 1.2.2.0 Leaked Build
This archive contains a cracked/leaked build of NanoCore RAT (Remote Access Trojan) version 1.2.2.0, cracked by 'Alcatraz3222'. It includes the NanoCore server executable, plugin files (surveillance, management, network, security, tools), SQLite databases for victim tracking (connections, geolocation, ports), and a server log showing usage on June 18, 2016. This is not a traditional data breach of a company but rather a leaked malware tool with its associated infrastructure databases. The main database schema includes columns for tracking infected victims: IP address, country, OS, CPU, RAM, active window, antivirus status, etc.
crackingforum.com
A credential dump from CrackingForum, a cracking/hacking community forum. The file contains plaintext email:password pairs from what appears to be the forum's user database or a compilation posted on the forum. Several entries reference 'crackingforum' as a password, and the forum's own email address ([email protected]) appears in the data, suggesting this is the forum's own user database leak.
boardgamelevelup.com
Breach of boardgamelevelup.com, a board game community/leveling website. Contains user records with user IDs, email addresses, bcrypt-hashed passwords, and BoardGameGeek (BGG) usernames.
cvv2.su
Database dump from CVV2.su, a Russian-language carding/fraud forum. Contains user account records including usernames, MD5-hashed passwords, email addresses, registration timestamps, and Drupal CMS session/block data. The earliest account creation timestamps date to around mid-2010.
buzzmachines.com
Database dump from BuzzMachines.com, a music production community forum. Contains user records including usernames, email addresses, hashed passwords (SHA-1), real names, country, city, music gear, software, and various profile fields. Data appears to originate from early 2000s registrations. Dumped by threat actor 'SonnySpooks'.
awesomeforums.net
Database dump of Awesome Forums (awesomeforums.net), a MyBB-based online forum. The breach contains user records including usernames, hashed passwords (MD5 with salt), email addresses, IP addresses, registration dates, and various profile/preference fields. Registration timestamps cluster around late November 2012, consistent with the site's launch or breach date.
pccongress.org.uk
Database dump from pccongress.org.uk containing 586 user records including email addresses and MD5-hashed passwords. The membership base appears to consist largely of UK healthcare professionals (NHS, hospice, palliative care, medical schools) suggesting this is a UK-based palliative care or medical congress/conference organisation.
hotmail.com
A compilation file containing Hotmail email addresses paired with full names and US physical mailing addresses. The filename suggests this is a 'biz op' (business opportunity) marketing list targeting Hotmail users, likely compiled or scraped from multiple sources rather than a single breach. The 'jan' suffix may indicate January of an unknown year. Data fields include email, full name, and street address.
differencegames.com
Breach of DifferenceGames.com, an online puzzle/games website. The exposed data includes account IDs, salted passwords stored in plaintext, email addresses, usernames, timezones, account creation timestamps, login timestamps, privilege levels, and newsletter preferences. The latest record timestamps suggest the breach occurred around early March 2016.
Rage Booter
Database dump from Rage Booter, a DDoS-for-hire (booter/stresser) service. Contains user account data including usernames, SHA1-hashed passwords, email addresses, membership/rank levels, expiration timestamps, and activation keys. The timestamps suggest activity around 2012-2014.
minecraft.net
A small collection of 10 purported working Minecraft account credentials (email:password pairs) sourced from various email providers. This appears to be a credential stuffing list or combolist fragment targeting Minecraft accounts, not a direct breach of Mojang/Microsoft infrastructure.
RuneScape Community Compilation
A compilation of approximately 10,000 random credential records in the format username:email:md5hash. The usernames and handles strongly suggest a RuneScape gaming community origin (references to 'rs-enzo', 'rsipodskateboard', 'warrior_ll', 'PvP', 'Kc:Mo:Range' and other RS-style names). The data contains plaintext usernames, email addresses across multiple providers (hotmail, yahoo, aim, aol, gmail), and MD5-hashed passwords. The filename '10Krandom' suggests this is a random sample of 10,000 records from a larger dump, possibly a gaming forum or fan site database.
verizon.com
A small credential dump (email:password pairs) claiming to be Verizon account credentials, published by a threat actor referencing 'SecTeamSix'. The file contains approximately 100 unique email/password pairs in plaintext. The data is heavily duplicated and only 1.4 KB in size, suggesting it is a very small, possibly fabricated or aggregated sample rather than a direct Verizon systems breach. Emails span many providers (Gmail, Yahoo, AOL, Hotmail, etc.) rather than exclusively Verizon addresses, raising authenticity concerns.
viphackforums.com
A credential dump associated with VIPHackForums, containing username:email:plaintext password combinations. The data appears to be a compilation of forum user credentials, possibly leaked from or shared on the VIPHackForums hacking community platform. Contains approximately 200+ records in username:email:password format with plaintext passwords.
minecraft.net
A compilation of Minecraft account credentials in mixed formats, containing email addresses, usernames, and plaintext passwords. The data appears to be a credential stuffing list or aggregated dump of Minecraft account logins, with entries in various formats (email:password:username, username:password:email, etc.).
milq.com
Breach of milq.com containing usernames, email addresses, and SHA-1 hashed passwords. Milq was a music discovery and social platform. The dataset is small (~100 records) and includes both internal milq.com addresses and external user emails from various providers.
migalki.pw
A credential dump associated with the domain migalki.pw, containing email:password pairs from a wide variety of global email providers (Gmail, Yahoo, Hotmail, AOL, Mail.ru, etc.). The file appears to be a combolist or credential stuffing list rather than a targeted breach of a single company. Some entries use semicolons as separators instead of colons, suggesting data aggregated from multiple sources. Some passwords appear to be plaintext IP addresses, possibly indicating proxy or bot-related accounts.
israhelp.com
Breach of israhelp.com, a French-language Israeli community/help website. Contains user registration data including full names, addresses, gender, email addresses, MD5-hashed passwords, usernames, phone numbers, postal codes, cities, countries, dates of birth, security questions, referral info, and registration dates. Users appear to be primarily French-speaking Jewish diaspora and Israeli residents. Registration dates span roughly 2005–2014.
rsnl.nl
A credential dump from what appears to be a Dutch RuneScape community forum (RSN.nl - RuneScape Nederland), using phpBB3 software. Contains usernames, password hashes (mix of MD5 and phpBB3 $H$ format), and email addresses. The Dutch email domains (.nl, hotmail.com, etc.) and RuneScape-themed usernames are consistent with a Dutch RS fan community forum.
RSHun Forum
A dump of user records from what appears to be a Hungarian-language online forum or gaming/RPG community (RSHun). The file contains user IDs, usernames, and MD5-hashed passwords. Usernames are predominantly Hungarian (e.g., hunpapa, retkes_otto, Feher_Lovag, Csillagzafir), suggesting a Hungarian-language platform. Several well-known weak passwords are visible via recognizable MD5 hashes (e.g., e10adc3949ba59abbe56e057f20f883e = '123456').
runecrypt.com
Database dump from RuneCrypt, a RuneScape-related fan site or private server community. The file is named with 'ipb' indicating it used Invision Power Board forum software. Contains usernames, email addresses, IP addresses, MD5 password hashes, and plaintext passwords. User handles and email domains suggest a gaming/RuneScape community audience circa mid-2000s.
cdek.ru
Database dump from CDEK (СДЭК), a major Russian logistics and courier delivery company. The data contains customer and shipment records including full names in Russian/Cyrillic, internal IDs, order/shipment numbers (ИМ-prefixed), email addresses, branch/pickup point codes, and UUIDs. The dataset is approximately 18 GB and contains hundreds of millions of records spanning senders, recipients, and corporate clients.
substack.com
In October 2025, the publishing platform Substack suffered a data breach attributed to threat actor @w1kkid. The breach exposed approximately 689,756 records (663,145 unique email addresses) containing user account data including names, email addresses, bios, profile photos, usernames/handles, phone numbers, Stripe customer IDs, account creation timestamps, and various account settings. The data was subsequently circulated more widely in February 2026 and added to Have I Been Pwned.
brightpark.ru
In December 2025, Brightpark (brightpark.ru), an official LADA car dealership in Russia operated by AvtoVAZ, suffered a data breach attributed to the '4B1D' hacking group. The breach exposed approximately 999,491 customer and user records including ~7,833 unique email addresses, names, dates of birth, genders, job titles, phone numbers, physical addresses, usernames, hashed passwords, and website activity data. The data was extracted from a Bitrix CMS database and included CRM contact and lead records.
beckett.com
In November 2025, Beckett Collectibles (beckett.com), a collectibles grading and marketplace platform, suffered a data breach accompanied by website defacement. Over 1 million user records were exfiltrated and later published on hacking forums. The compromised data includes email addresses, usernames, first and last names, phone numbers, physical addresses, invoice/grading records, and collectibles ownership data. The breach was attributed to threat actor @FutureSeeker and has been listed on HaveIBeenPwned.
tiszavilag.hu
In October 2025, the TISZA Világ platform (tiszavilag.hu), operated by the Hungarian opposition political party TISZA, suffered a data breach exposing approximately 200,000 records. The compromised data includes email addresses, full names, phone numbers, physical addresses (including postal codes, cities, and street addresses), usernames, mothers' names, birth places, geolocation data, and political role/affiliation information within the party platform. The breach was verified by Have I Been Pwned.
bouyguestelecom.fr
In August 2025, French telecommunications company Bouygues Telecom suffered a cyber attack resulting in the exposure of approximately 6.32 million customer records, including 5.69 million unique email addresses. The breach exposed highly sensitive personal and financial data including full names, physical addresses, phone numbers, dates of birth, email addresses, and IBAN bank account numbers.
thesqua.re
In June 2025, data from TheSqua.re, a serviced apartment booking platform, was allegedly obtained by threat actor @888 and posted on BreachForums. The breach exposed approximately 128,058 user records containing 107,111 unique email addresses, full names, phone numbers, cities, account creation dates, user types (leisure/corporate), and rewards points. The breach was subsequently added to HaveIBeenPwned and confirmed legitimate by multiple impacted subscribers.
behrmanhouse.com
In June 2025, Behrman House — a leading publisher specializing in Jewish educational materials — suffered a data breach affecting approximately 298,722 users and exposing over 302,218 unique email addresses. The leaked data includes usernames, email addresses, and hashed passwords (scrypt / Drupal $S$ and $P$ variants). The breach was carried out by threat actor @donjuji and subsequently leaked on BreachForums by @Sphere.
autosur.fr
In April 2025, AUTOSUR, a French technical vehicle inspection (contrôle technique) service, suffered a data breach exposing approximately 10.7 million records. The compromised data includes names, email addresses, phone numbers, physical addresses, vehicle details, license plate numbers, and vehicle identification numbers (VINs). The breach was attributed to threat actors @placenta and @Angel_Batista and was published on BreachForums.
auto-ici.fr
In 2025, French multi-brand automobile distributor and broker Auto-ici was breached and its data leaked on BreachForums. The breach exposed approximately 190,783 customer records including ~185,946 unique email addresses, full names, genders, phone numbers, and physical addresses (city and postcode). Data was stored in JSON format with structured account objects.
tibber.com
In November 2024, the Norwegian electricity provider Tibber was breached by threat actor @888. Over 50,000 German customers were exposed, with data including full names, email addresses, geographic locations (city, postal code), order history, and spend amounts. The data was sourced from Tibber's online store and contained approximately 126,160 lines of records with 50,003 unique email addresses. The breach was reported by German media outlets including Heise and PV Magazine.
bazookaegy.com
In September 2024, over 1 million customer records from Bazooka (bazookaegy.com), a prominent restaurant chain in Egypt, were breached and publicly leaked on BreachForums. The dataset contains 1,065,042 user records including 752,032 unique email addresses, names, phone numbers, and registration source (iOS, Android, web). The data was posted by threat actor @MrMeeseeks.
boulanger.com
In September 2024, French electronics retailer Boulanger suffered a data breach exposing over 27 million rows of customer data (approximately 13.8 million after deduplication), affecting nearly 5.4 million customers. The leaked data included full names, email addresses, phone numbers, physical addresses, zip codes, city, country, and geographic coordinates (latitude/longitude). Approximately 2.3 million unique email addresses were exposed. The data was published on BreachForums and has been indexed by Have I Been Pwned.
sport2000.fr
In approximately June 2024, French sports retailer Sport2000 suffered a data breach posted on BreachForums by threat actor @anonyme1456. The breach exposed approximately 4.37 million records containing over 3.2 million unique email addresses, along with names, dates of birth, phone numbers, physical addresses, account balances, loyalty card numbers, store information, purchase history, and marketing opt-in preferences.
t2tea.com
In April 2024, T2 Tea (t2tea.com), an Australian specialty tea retailer, suffered a data breach affecting approximately 94,739 customer records including over 85,891 unique email addresses. The compromised data includes names, email addresses, dates of birth, genders, phone numbers, physical addresses, scrypt-hashed passwords, partial credit card data (masked card numbers and card types), payment methods, order history, and website activity. The data files reference April 2021 exports from a Salesforce Commerce Cloud (Demandware) platform. The breach was attributed to threat actor 'doubl' and leaked by '@emo' on BreachForums.
bloomstoday.com
In April 2024, approximately 15 million records from Blooms Today, an online florist, were listed for sale and leaked on BreachForums by threat actor @KryptonZambie. The breach contained data as recent as November 2023 and exposed approximately 3.2 million unique email addresses, along with names, phone numbers, physical addresses, and partial credit card data (card type, last 4 digits, and expiry date). Blooms Today did not respond to disclosure inquiries. The breach is indexed on Have I Been Pwned.
sunarp.gob.pe
In March 2024, the @Oorca group leaked the Peruvian national vehicle registry database obtained from SUNARP (Superintendencia Nacional de los Registros Públicos). The dataset contains approximately 3.9 million records of all vehicles registered in Peru up to 2019, including owner names, vehicle technical details (make, model, engine/chassis numbers), license plates, vehicle status, color, and location (city/region).
boat-lifestyle.com
In March 2024, Indian consumer electronics brand boAt Lifestyle suffered a data breach affecting approximately 7.5 million customers. The data was exfiltrated from their Shopify Plus store and includes customer email addresses, full names, phone numbers, physical addresses, order history, and purchase amounts. The breach was carried out by a threat actor known as @ShopifyGUY and published on BreachForums.
bankbsi.co.id
In March 2023, Bank Syariah Indonesia (BSI), an Indonesian state-owned Islamic bank, was breached by the LockBit 3.0 ransomware group. After the bank refused to pay the ransom, attackers publicly released over 7.4 million customer records containing names, phone numbers (MSISDN), activation codes, registration metadata, and approximately 3.1 million unique email addresses.
spacetimestudios.com
In April 2021, US-based game development studio Spacetime Studios suffered a data breach affecting approximately 7.8 million user accounts. The breach was carried out by threat actor @donjuji using a multi-stage attack chain involving Local File Inclusion, Log Poisoning for Remote Code Execution, AWS credential theft via SSRF, and multiple pivots through the internal network exploiting a vulnerable Atlassian instance. Exposed data includes email addresses, first and last names, bcrypt-hashed passwords (cost factor 6), account IDs, registration timestamps, and deletion status.
123rf.com
Breach of 123RF, a stock photo and image website. The dataset contains member records including usernames, MD5-hashed passwords, names, addresses, phone numbers, email addresses, IP addresses, registration dates, payment methods, and linked social account IDs (Google, Facebook). The data was circulated on BreachForums.
bhinneka.com
Data breach of Bhinneka.com, a major Indonesian e-commerce platform. The dataset contains user profile and account data including names, email addresses, birthdates, mobile/phone numbers, gender, addresses, hashed passwords with salts, and account metadata. The breach was reportedly disclosed on BreachForums and contains both profile and member/user tables.
contest.co.nz
In November 2019, the New Zealand-based contest and competitions website contest.co.nz was breached via CVE-2019-16759 (vBulletin exploit). The breach exposed approximately 320,871 records including usernames, email addresses, MD5-hashed passwords with salt, and IP addresses. The data was originally obtained by @Winter on RaidForums.
acikogretim.gen.tr
In November 2019, the Turkish educational forum website Acikogretim (acikogretim.gen.tr) was breached via CVE-2019-16759 (vBulletin RCE vulnerability). The breach exposed 213,192 records including email addresses, usernames, vBulletin-hashed (MD5) passwords, and IP addresses. The data was initially obtained by threat actor @donjuji and later circulated on BreachForums.
storenvy.com
In April 2019, the e-commerce platform Storenvy was hacked, exposing personal data of approximately 1.88 million users. The breach included usernames, email addresses, plaintext passwords, IP addresses, dates of birth, names, genders, and geographic locations. The data was subsequently leaked on hacker forums for free download.
appen.com
Database dump from Appen (formerly CrowdFlower), a data annotation and AI training data company. The breach contains user account records including names, email addresses, bcrypt-hashed passwords, authentication tokens, phone numbers, company affiliations, sign-in metadata, and account creation timestamps. The data file is named after CrowdFlower, the company that Appen acquired in 2016. Data records span from approximately 2014 to early 2019.
streeteasy.com
In June 2016, the New York real estate website StreetEasy suffered a data breach affecting approximately 990,000 user records. The compromised data includes email addresses, names, usernames, and SHA-1 hashed passwords. The data appeared for sale on a dark web marketplace in February 2019 and has been indexed by Have I Been Pwned.
thegioididong.com
Database breach of Thegioididong.com (Mobile World JSC), Vietnam's largest mobile phone retailer. The dataset contains approximately 5.4 million records including 172,401 email addresses, partial credit card numbers (masked), transaction history from 2016, and internal employee email data. Also includes data from sister brand Dienmayxanh.com. Originally posted on RaidForums and later redistributed on BreachForums.
instapago.com
A customer database export from what appears to be an e-commerce platform serving Venezuelan customers, dated October 17, 2016. The data contains email addresses, hashed passwords (MD5), full names, physical addresses, phone numbers, and national ID numbers. Multiple addresses are in Venezuela (country code VE), with references to Instapago (a Venezuelan payment processor) domain emails. The file structure matches a Magento-style customer export (_website, _store, _address_* columns).
nsa.gov
Leaked NSA Tailored Access Operations (TAO) cyberweapons and exploitation tools published by the Shadow Brokers threat actor group. Contains offensive hacking tools including BANANAGLEE (a persistent implant for Cisco PIX/ASA firewalls), BANANAUSURPER, and numerous other exploit frameworks with configuration data files targeting specific firmware versions of network devices. The .dat files contain memory address tables and implant configuration data for Cisco PIX firewall versions.
facebook.com
A 1.5 million record extract of Facebook user data containing email addresses, first names, last names, and profile URLs. This file was distributed as part of a larger multi-part compilation of over 100GB of leaked databases traded on dark web markets (Hansa Market onion link referenced). The compilation index lists dozens of major breaches across social media, gaming, dating, and other sectors. The Facebook-specific CSV contains plaintext email-to-profile mappings with no passwords.
wwe.com
A collection of 92 WWE Network subscriber account credentials captured via credential stuffing or session hijacking against secure.net.wwe.com. Each entry contains an email:password pair used to authenticate to the WWE Network streaming service, along with captured session cookies, user GUIDs, first/last names, internal user UUIDs, and in some cases subscription details including next billing dates.
j-ax.it
Breach of the official fan forum for Italian rapper J-AX (j-ax.it), exposing 31,251 user email addresses from the phpBB forum database. The dump was performed via SQL injection against a MySQL database and contains the phpbb_users table. The majority of emails are Italian domains (libero.it, hotmail.it, virgilio.it, etc.).
yahoo.com
Yahoo Voices (formerly Associated Content) database breach executed via UNION-based SQL injection by the D33Ds Company. Approximately 450,000 plaintext email and password credentials were exposed. The dump includes MySQL server variables, database schema details, and the full email:password dump.
stickam.com
Breach of Stickam, a live streaming and social networking platform. Contains usernames, MD5 password hashes, and email addresses. The data format (username:::md5hash:::email) is consistent with the well-known Stickam database breach that circulated on hacking forums.
runehead.com
Data from RuneHead, a RuneScape clan management website. The file contains username-to-MD5-hash-to-email mappings for hundreds of clan members. Each record follows the format: username: md5_hash: email_address. The usernames correspond to RuneScape clan names and player handles, suggesting this is a dump of RuneHead's user/clan registration database. Data includes MD5-hashed passwords and email addresses from international users.