Ubiquiti Inc.
January 11, 2021: One of the biggest Internet of Things (IoT) technology vendors, Ubiquiti, Inc., alerted its customers of a data breach caused by unauthorized access to their database through a third-party cloud provider. The email communication advised customers to change passwords and enable multi-factor authentication. The data exposed may include an undisclosed number of customer names, email addresses, hashed and salted passwords, addresses and phone numbers.
SOURCE | TechCrunch
Parler
January 11, 2021: News of the conservative social media app, Parler, having its data scraped by a hacker came to light after Amazon Web Services removed the platform from its servers. The 70TB of leaked information includes 99.9% of posts, messages, and video data containing EXIF data — metadata of date, time and location. Parler’s Verified Citizens, or users who had verified their identity by uploading their driver’s license or other government-issued photo ID, were also exposed.
SOURCE | CyberNews
Facebook, Instagram and LinkedIn
January 11, 2021: A Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and Personally Identifiable Information (PII) of at least 214 million social media users from Facebook and Instagram and LinkedIn. The exposed information for each platform varies but includes users’ names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name.
SOURCE | Security Magazine
Mimecast
January 12, 2021: A cybercriminal compromised a certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365. Mimecast is a cloud-based email management service that provides email security services for Microsoft 365 accounts. According to the company, approximately 10 percent of its customers used the compromised connection, but have since been asked to reinstall a newly issued certificate.
SOURCE | CRN.com
Pixlr
January 20, 2021: A database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker. The database was stolen at the same time as the attack on 123RF, which exposed over 83 million user records. The leaked records include email addresses, usernames, hashed passwords, user’s country, whether they signed up for the newsletter and other sensitive information.
SOURCE: BleepingComputer
MeetMindful
January 24, 2021: The dating platform, MeetMindful.com, was hacked by a well-known hacker and had its user’s account details and personal information posted for free in a hacker forum. The leaked details of more than 2.28 million users registered included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.
SOURCE | ZDNet
Bonobos
January 22, 2021: Customer data was stolen from the men’s clothing retailer, Bonobos, was found for free in a hacker forum after a cybercriminal downloaded the company’s backup cloud data. The exposed database contains order information for over 7 million customers, including addresses, phone numbers and account information for 1.8 million registered customers, and 3.5 million partial credit card records.
SOURCE | BleepingComputer
VIPGames
January 26, 2021: VIPGames.com, a free gaming platform, exposed over 23 million records for more than 66,000 desktop and mobile users due to a cloud misconfiguration. The leaked user records include usernames, emails, IP addresses, hashed passwords, Facebook, Twitter and Google IDs, bets and data on players who were banned from the platform.
SOURCE | Threatpost
U.S. Cellular
January 28, 2021: Through a targeted attack on retail employees of U.S. Cellular, the fourth-largest wireless carrier in the U.S., hackers were able to scam employees into downloading malicious software onto company computers. Once downloaded, the software granted remote access to the company devices and to the customer relationship management (CRM) software containing account records for 4.9 million customers. The company states that 276 customers were impacted and notified of the security incident. While viewing a customers’ account in the CRM, the hacker had access to names, addresses, PINs, cell phone numbers, service plans and billing/usage statements.
SOURCE | BleepingComputer
“Compilation of Many Breaches” (COMB)
February 2, 2021: A database containing more than 3.2 billion unique pairs of cleartext emails and passwords belonging to past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin, Yahoo, and more were discovered online. This is the largest compilation of data from multiple breaches, which is where the name “Compilation of Many Breaches” or COMB comes from. The searchable and well-organized database was leaked to a popular hacking forum, giving hackers access to account credentials, including approximately 200 million Gmail addresses and 450 million Yahoo email addresses.
SOURCE | CyberNews
Nebraska Medicine
February 10, 2021: A malware attack allowed a hacker to access and copy files containing the personal and medical information of 219,000 patients of Nebraska Medicine. The health network notified affected individuals that the accessed information includes names, addresses, dates of birth, medical record numbers, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information and a limited number of Social Security numbers and driver’s license numbers.
SOURCE | HIPAA Journal
California DMV
February 18, 2021: The California Department of Motor Vehicles (DMV) alerted drivers they suffered a data breach after billing contractor, Automatic Funds Transfer Services, was hit by a ransomware attack. The attack exposed drivers’ personal information from the last 20 months of California vehicle registration records, including names, addresses, license plate numbers and vehicle identification numbers (VINs).
SOURCE | TechCrunch
Kroger
February 20, 2021: A third-party data breach at cloud solutions company, Accellion, allowed hackers to steal human resources data and pharmacy records belonging to the supermarket giant, Kroger. The records disclosed could include names, email addresses, phone numbers, home addresses, dates of birth, Social Security numbers as well as information on health insurance, prescriptions and medical history.
SOURCE | BleepingComputer
T-Mobile
February 26, 2021: An undisclosed number of T-Mobile customers were affected by SIM swap attacks, or SIM hijacking, where scammers take control of and switch phone numbers over to a SIM card they own using social engineering. With access to customer phone numbers, scammers receive messages and calls which allows them to log into the victims’ bank accounts to steal money, change account passwords, and even locking the victims out of their own accounts that use two-factor authentication. The attack also exposed customer information including names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information and the number of lines subscribed to their accounts.
SOURCE | BleepingComputer
Microsoft Exchange
March 3, 2021: Cybercriminals have targeted four security flaws in Microsoft Exchange Server email software. The attackers used the bugs on the Exchange servers to access email accounts of at least 30,000 organizations across the United States, including small businesses, towns, cities and local governments. The cyberattack gives the hackers total remote control over affected systems, allowing for potential data theft and further compromise.
SOURCE | ZDNet
SITA
March 4, 2021: The global IT company, SITA, which supports 90% of the world’s airlines confirmed it fell victim to a cyberattack, exposing the personally identifiable information (PII) belonging to an undisclosed number of airline passengers. The stolen information includes names, traveler’s service card numbers and status level.
SOURCE | TechRadar
MultiCare
March 9, 2021: A third-party ransomware attack exposed the personal information of over 200,000 patients, providers and staff of MultiCare Health System, a non-profit health care organization. The attack allowed access to personal information including names, insurance policy numbers, Social Security numbers, dates of birth and bank account numbers.
SOURCE | KOMONews
California State Controller’s Office (SCO)
March 23, 2021: A phishing attack targeting the California State Controller’s Office (SCO) Unclaimed Property Division led to an employee clicking on a malicious link, logging into a fake website and granting a hacker access to their email account. The criminal had access to the account for 24 hours, allowing permission to view Personally Identifying Information (PII) contained in Unclaimed Property Holder Reports and to send more phishing emails to the hacked SCO employee’s contacts. The number of employees affected and the types of personal information impacted have not been disclosed.
SOURCE | Krebs on Security
Hobby Lobby
March 23, 2021: A database containing records of over 300,000 customers of the arts and crafts chain store, Hobby Lobby, was exposed after the company suffered a cloud-bucket misconfiguration. The disclosed information included customer names, phone numbers, physical and email addresses, and the last four digits of their payment card, as well as the source code for the company’s app.
SOURCE | Threatpost
Cancer Treatment Centers of America
March 26, 2021: The Cancer Treatment Centers of America sent out notifications to 104,808 patients, alerting them a compromised email account led to medical information being accessed by an unknown third-party. The compromised account contained patient names, health insurance information, medical record numbers, CTCA account numbers and limited medical information.
SOURCE | HIPAA Journal
April 3, 2021: The personal data of 533 million Facebook users from 106 countries has been posted online for free in a low-level hacking forum. The data was scraped in a vulnerability that the company patched in 2019, and includes users’ phone numbers, full names, location, email address and biographical information.
SOURCE | Washington Post
April 6, 2021: Over 500 million LinkedIn user profiles were discovered on the Dark Web. The hackers shared two million of these LinkedIn records for only $2 total to prove the legitimacy of the information in the stolen data. The LinkedIn account users’ data was scrapped or imported from the website into a database, and includes names, LinkedIn account IDs, email addresses, phone numbers, gender, LinkedIn profile links, connected social media profile links, professional titles and other work-related personal data.
SOURCE | Cybernews
ClubHouse
April 10, 2021: A database containing 1.3 million scraped Clubhouse user records were leaked for free on a popular hacker forum. The leaked database from the audio chat social network includes user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, and account creation date – all of which the company claims is public information.
SOURCE | Cybernews
ParkMobile
April 12, 2021: A third-party software vulnerability is responsible for exposing 21 million customer records belonging to ParkMobile, a contactless payment parking app. The stolen data includes email addresses, phone numbers, license plate numbers, hashed passwords and mailing addresses.
SOURCE | Krebs on Security
GEICO
April 19, 2021: The auto insurance company Government Employees Insurance Company, known as GEICO, filed a data breach notice announcing information gathered from other sources was used to “obtain unauthorized access to your driver’s license number through the online sales system on our website.” The total normal of insured drivers affected has not been disclosed but the hackers had access between January 21 and March 1.
SOURCE | TechCrunch
Reverb
April 24, 2021: A database containing the personal details of over 5.6 million users of the popular music instruments online marketplace Reverb was discovered after it was leaked into the Dark Web. The database contained full names, email addresses, postal addresses, phone numbers, listing/order count, PayPal account email, IP address and more.
SOURCE | BleepingComputer
CaptureRX
May 7, 2021: CaptureRx, a healthcare system IT company, exposed almost 2 million patient records belonging to over 100 hospitals and healthcare organizations after it was targeted by a ransomware attack. The sensitive medical information involved in the cyberattack includes names, birthdates and prescription details.
SOURCE | HIPAA Journal
Bailey & Galyen
May 14, 2021: A cyberattack targeting the law offices of Bailey & Galyen exposed the personal information of an undisclosed number of clients and employees. The PII included clients’ names, dates of birth, driver’s license or personal identification card numbers, Social Security Numbers, payment account numbers, payment card information, biometric data including but not limited to medical information and history, medical diagnosis and treatment information, health insurance information and other personal information.
SOURCE | CA Office of Attorney General
Health Plan of San Joaquin
May 17, 2021: Unauthorized access to the business email accounts at Health Plan of San Joaquin allowed the perpetrator to gain access to patients’ sensitive personal and medical information contained in messages and attachments that passed through the affected email accounts. Exposed data types include Social Security numbers, driver’s license numbers, login information, medical records such as lab results and treatment information, and more.
SOURCE | Health Plan of San Joaquin
Bose
May 25, 2021: Audio maker, Bose Corporation, disclosed a data breach following a ransomware attack. During the investigation of the ransomware’s attack impact on its network, they discovered some of its current and former employees’ personal information was accessed by the attackers. The personal information exposed in the attack includes names, Social Security Numbers, compensation information and other HR-related information.
SOURCE | BleepingComputer
Carter’s
June 11, 2021: The personal and shipping information of over 410,000 customers of the baby clothing retailer, Carter’s, were exposed due to a third-party data breach with the company’s online purchases software. The information disclosed in the data leak includes names, email addresses, billing addresses, phone numbers, purchasing details, and shipping tracking IDs and links.
SOURCE | Threatpost
Volkswagen & Audi
June 15, 2021: A third-party marketing services supplier disclosed the personal information of 3.3 million customers of Volkswagen and its Audi subsidiary. The exposed data includes their name, mailing address, email address and phone numbers. The data may also include information about a vehicle that has been purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages.
SOURCE | Bank Info Security
CVS Health
June 21, 2021: A third-party vendor accidentally posted an unsecured database containing more than a billion search records of CVS Health customers. The 204 GB leaked database was not password protected and included visitor and session IDs, device information, configuration data, as well as multiple records for medications, including COVID-19 vaccines and CVS products.
SOURCE | Health IT Security
Wegmans
June 21, 2021: The U.S. supermarket chain, Wegmans Food Markets, notified an undisclosed number of customers that their data was exposed after two of its cloud-based databases were misconfigured and made publicly accessible online. The personal information in the databases included customer names, addresses, phone numbers, birth dates, Shoppers Club numbers, email addresses and hashed passwords to Wegmans.com accounts.
SOURCE | Threatpost
Forefront Dermatology
July 9, 2021: U.S. healthcare provider, Forefront Dermatology, announced unauthorized access to its IT systems exposed the personal data and medical records of up to 2.4 million patients. The data exposed included patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, healthcare provider names and/or medical and clinical treatment information among other sensitive data.
SOURCE | Health IT Security
Guess
July 12, 2021: The fashion retailer, Guess, notified an undisclosed number of customers of a data breach following a ransomware attack that resulted in a data breach. Sensitive information including Social Security numbers, driver’s license numbers, passport numbers and/or financial account numbers may have been accessed or acquired.
SOURCE | BleepingComputer
OneMoreLead
August 4, 2021: A marketing company, OneMoreLead, has exposed the personal records of 126 million individuals through an unsecured database posted online. The database contained names, job titles, email addresses, work email addresses, home device IP address, home address, work address, personal phone number, work phone number and employer.
SOURCE | vpnMentor
SeniorAdvisor
August 13, 2021: Cybersecurity researchers found an unsecured database containing over 3 million personal records of members belonging to a senior living review site, SeniorAdvisor. The database was not password protected and allowed access to information including names, emails, phone numbers and dates contacted.
SOURCE | Infosecurity Group
UNM Health
August 17, 2021: An unauthorized third party gained access to the personal and medical data of over 637,000 patients of UNM Health. The information gathered by the third party includes patient names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information and some clinical information related to the healthcare services provided by UNM Health.
SOURCE | HIPAA Journal
Microsoft Power Apps
August 24, 2021: A misconfiguration within Microsoft Power Apps, a Microsoft product, exposed at least 38 million records. The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City. The disclosed data includes COVID-19 vaccination statuses, social security numbers and email addresses.
SOURCE | Infosecurity Group
GetHealth, FitBit and Apple
September 14, 2021: An unsecured database belonging to GetHealth, a health and wellness data app, exposed over 61 million records of Apple and Fitbit users’ data related to fitness trackers and wearables. The database included names, display names, dates of birth, weight, height, genders and geolocations, the majority of which were from Fitbit devices and Apple Healthkit.
SOURCE | WebsitePlanet
Neiman Marcus
September 30, 2021: An unauthorized third-party actor accessed and obtained personal information associated with 4.6 million Neiman Marcus customers’ online accounts. The chain department store alerted customers that the information affected includes names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords and security questions and answers associated with Neiman Marcus online accounts.
SOURCE | Cision
Whole Foods Market, Skaggs and Others
October 13, 2021: Cybersecurity researchers discovered an unsecured database that contained over 82 million records belonging to the supermarket Whole Foods Market and Skaggs public safety and uniform company that sells uniforms for Police, Fire and Medical customers all over the United States, and others. The exposed records included customer order records, names, physical addresses, email and partial credit card numbers, and more.
SOURCE | CoolTechZone
California Pizza Kitchen
November 22, 2021: The restaurant chain, California Pizza Kitchen (CPK), revealed a data breach that exposed the personal details of over 100,000 current and former employees. The company determined cybercriminals infiltrated its systems and gained access to certain files, including employee names and Social Security numbers.
SOURCE | TechCrunch
