On November 7, a ransomware group threatened to publish stolen data pertaining to 9.7 million Medibank customers if their demands were not met. The Australian health insurer refused to pay the hackers’ ransom, prompting the hackers to post reams of confidential patient data to the darkweb.
Below, you’ll find an overview of the latest data breaches, starting with the most recent. You can also see here for the biggest breaches of 2022 so far.
November 2022: Ransomware Hacker Steals Medibank Data on 9.7m Customers
On November 7th, an unidentified hacking group publicly threatened Medibank, the largest health insurance provider in Australia. Claiming to possess data on 9.7 million current and former customers, the hacker said they would publish the data within 24 hours if their demands were not met. Medibank confirmed that nearly 500,000 health claims had also been unlawfully accessed in the breach.
Medibank ultimately refused to pay the ransom, causing the attackers to leak patient information on the darkweb. Although the attackers have not been officially identified, cybersecurity experts believe they were affiliated with the Russian ransomware group REvil.
October 2022: 2.4 Terabytes of Data Exposed on Microsoft Server
On October 19th, security firm SOCRadar identified over 2.4 terabytes of exposed data on a misconfigured Microsoft endpoint. By SOCRadar’s account, this data pertained to over 65,000 companies and 548,000 users, and included customer emails, project information, and signed documents.
Microsoft acknowledged the data leak in a blog post. They also said they had secured the endpoint and notified the accounts that had been compromised, and elaborated that they found no evidence customer accounts had actually been compromised — only exposed. Microsoft also disputed some key details of SOCRadar’s findings:
After reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.
Read more in our complete timeline of Microsoft data breaches.
September 2022: Kiwi Farms Breached
On September 19, the owner of harassment forum Kiwi Farms acknowledged that the site had been hacked. Per his description, user’s passwords, emails, and IP addresses were exposed in the incident. In this case, it appears the hacker used session hijacking to steal the administrator credentials to the website.
September 2022: American Airlines Discloses Data Breach
On September 16, American Airlines notified customers and legal officials that they had discovered a breach in July of 2022. American Airlines has described the number of people affected as “very small”; per one legal filing, it would appear 1,708 customers and employees’ data exposed in the incident. The breach appears to have been the result of a phishing attack.
September 2022: Hacker Breaches Rockstar Games, Leaks GTA6 Footage
On September 18, a hacker under the alias ‘teapotuberhacker’ leaked roughly 50 minutes of footage of Grand Theft Auto 6, an upcoming game produced by Rockstar Games. They apparently obtained the footage by gaining access to the company’s Slack, where they proceeded to download the video clips. Rockstar acknowledged the leak in a statement released on Twitter.
The same hacker, who appears to be affiliated with the Lapsus$ group, managed to breach Uber in the same week — read on.
September 2022: Lapsus$-Affiliated Hacker Compromises Uber
On September 15, a hacker announced in Uber’s private Slack channel that he had breached the company. One security engineer described it to the New York Times as “a total compromise”, and stated that “They pretty much have full access to Uber.” Uber’s source code, internal databases, communication channels, and more were all compromised in the breach.
This appears to have been a social engineering attack. The hacker, who uses the alias ‘teapotuberhacker,’ was able to successfully get past multi-factor authentication by repeatedly spamming an Uber employee with requests to grant access, claiming to be an IT worker. This same hacker has also claimed credit for the Rockstar Games breach.
In a statement released September 17th, Uber said they had found “no evidence that the incident involved access to sensitive user data (like trip history).” Uber has linked this breach to the Lapsus$ group, which has compromised companies such as Nvidia, Samsung, and Microsoft.
September 2022: U-Haul Discloses Data Breach Including Driver’s License Numbers
On September 12, U-Haul notified customers that they had detected a breach that included customers’ names and driver’s license numbers — but not any credit card information. Apparently, the attackers had access to U-Haul’s rental contracts portal from November 2021 to April 2022. U-Haul discovered the breach in July, and, after investigating the incident, disclosed it in September.
September 2022: Alleged TikTok Breach Appears to Be False Alarm
On September 3rd, a hacker going by the alias “AgainstTheWest” claimed to have breached TikTok on Breach Forums. However, TikTok has disputed the breach, stating that “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases.”
They aren’t the only ones to dispute this hacker’s claims. Troy Hunt, creator of Have I Been Pwned, investigated the data and deemed it “inconclusive”. And the owner of Breach Forums, the hacker “pompurin”, banned AgainstTheWest for lying about multiple data breaches:
Please note that the breach is not from TikTok, and that he most likely was lying or didn’t even investigate it before making such outrageous claims. AgainstTheWest has had a long history of lying about breaches or other things (Saying he’s a State sponsored hacking group… lol) and this was just the tipping point.
As far as we can tell, the hacker scraped publicly available information from TikTok. But TikTok itself does not appear to have been hacked, and private data does not seem to have been leaked.
August 2022: 130+ Companies Compromised in 0ktapus Phishing Breach
On August 25, the cybersecurity company Group-IB published a report detailing a months-long phishing campaign that has compromised at least 130 companies, including Cloudflare, Doordash, Mailchimp, and Twilio.
The attackers, whom researchers have given the moniker ‘0ktapus’, executed their attack primarily by imitating the authentication service Okta. Via text message, they would direct their targets to a fake authentication page, where the victims would then enter their login credentials, giving the attackers access to their account.
These attackers have often used one compromised service to breach another. They leveraged their access to Twilio’s phone number verification services, for instance, to attempt to compromise 1,900 Signal users.
Money would appear to be the motive behind these attacks; Group-IB noted that many of the companies targeted were financial, providing crypto and investment services.
August 2022: Plex Notifies Users of Data Breach
On August 23, streaming platform Plex notified its users of a data breach and urged them to change passwords. By Plex’s account, the hacker gained access to data including “emails, usernames, and encrypted passwords”, but no payment information. In response the incident, Plex strengthened the algorithm that encrypts account passwords.
August 2022: Apple Identifies and Patches Two Security Vulnerabilities
On August 17, Apple released an update to shore up iOS, iPadOS, and macOS against two security vulnerabilities: one in WebKit, which underpins Safari and other apps, and another in the kernel of the operating system itself.
Per Apple, the Webkit vulnerability could allow malicious web pages to execute code on the device. The operating system vulnerability could allow a malicious app “to execute arbitrary code with kernel privileges”, giving it broad power over the infected device. Apple acknowledged they were “aware of a report this issue may have been actively exploited” by malicious actors, but did not go into greater detail.
Fortunately, it appears the fix is already available. To ensure your devices are secure, go into your settings, check for updates, and update your device if necessary.
For more on Apple security breaches, see our complete timeline.
August 2022: Cisco Shares Report on VPN Breach
On August 10th, Cisco shared its report on a breach that occurred to their network on in May 2022. The attackers gained access to the Cisco VPN via a combination of compromised employee credentials, vishing, and MFA fatigue attacks.
Once they had access, the attackers began preparing for a ransomware attack — but Cisco’s engineers were able to stop them before they could go any further, limiting the scope of this breach. In September, Cisco noted in an update that the attacker may have ties to the Lapsus$, Yanluowang, and UNC2447 attacker groups.
August 2022: QuestionPro Extortion Attempt Goes Public
In May 2022, a hacker under the alias “pompompurin” contacted QuestionPro in an extortion attempt, claiming he had stolen 22 million email addresses and other data from the company. This hacker asked for payment in the form of Bitcoin – but QuestionPro refused his demands.
After QuestionPro declined to pay him, “pompompurin” informed Have I Been Pwned of the breach in August 2022 . So far, QuestionPro has not confirmed whether the breach happened. This hacker has previously pulled off attacks on the FBI and Robinhood, so it is possible he was able to breach QuestionPro.
July 2022: Hacker Posts Data on 5.4 Million Twitter Users For Sale
On July 21st, 2022, a hacker under the alias ‘devil’ posted on BreachForums that they had obtained personal data on 5.4 million Twitter users, including email addresses and phone numbers. The hacker had apparently exploited a vulnerability to scrape this data from Twitter, and posted it for sale with an asking price north of $30,000.
The vulnerability was first identified in January 2022 by the white hat hacker Zhirinovskiy. Twitter apparently patched up the vulnerability – but on August 5th, they acknowledged that it played a part in the July data breach:
In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
Twitter has notified most of the accounts affected – though they also acknowledged that they could not confirm all of the accounts that were compromised in this data breach.
July 2022: Neopets Data Breach Exposes Data on 69 Million Accounts
On July 19, 2022, a hacker posted data on 69 million Neopets users for sale on an online forum. The leak included personal data such as name, email address, date of birth, zip code, and more, as well as 460 MB of compressed source code for the Neopets website. The Neopets team confirmed the data breach via Twitter.
Neopets has been breached numerous times over the years. Several hackers and Neopets users have accessed the source code as well as user databases. If you ever used Neopets, it may be wise to delete your account to protect your data from future data breaches.
July 2022: Marriott Confirms 20 GB Data Breach
In July 2022, Marriott International confirmed that hackers had stolen 20 gigabytes of sensitive data in June 2022. The breach apparently resulted form a social engineering attack, in which an anonymous hacking group tricked an employee into granting them access.
Marriott stated that the hacking group in question only obtained access to a single employee’s computer, and asserted that the scope of the breach was limited. The stolen data included internal business documents, flight information, and corporate credit card numbers.
Following the incident, Marriott said they would notify the 300-400 individuals whose data was implicated in the breach.
June 2022: Up to 2 Million Affected By Shields Health Care Group Breach
In June 2022, the Massachusetts-based Shields Health Care Group disclosed that they detected a breach in March 2022. The records included names, social security numbers, medical records, and other sensitive personal information.
Though Shields Health Care Group asserted they found no evidence the stolen information had been used to commit identity theft or fraud, there is a very real possible this information will be misused in the near future – if the hackers haven’t done so already.
June 2022: Flagstar Bank Notifies Customers of Breach Affecting 1.5m
In June 2022, Michigan-based Flagstar Bank notified customers of a data breach in which hackers stole the social security numbers of 1.5 million customers. The attack itself occurred in early December 2021, and Flagstar discovered the breach in early June 2022. In response, Flagstar notified law enforcement officials of the breach and hired a cybersecurity firm to help handle the incident.
June 2022: Former Amazon Employee Convicted for Capital One Breach
In June 2022, former Amazon employee Paige Thompson was convicted for her role in the 2019 Capital One breach. While working for Amazon Web Services, Thompson exploited her knowledge of cloud server vulnerabilities at Capital One and more than 30 other companies. All told, Thompson stole the personal information of over 100 million people, including names, dates-of-birth, and social security numbers.
The defense portrayed Thompson as an ethical hacker seeking to notify companies of vulnerabilities before bad actors could exploit them. The U.S. Department of Justice argued otherwise, noting that Thompson failed to notify the companies she breached, bragged about the incident on hacker forums under the alias “erratic”, and profited from the breach by installing cryptomining software on many of the servers she hacked. As assistant U.S. attorney Andrew Friedman put it in his closing arguments, “She wanted data, she wanted money, and she wanted to brag.”
After ten hours of deliberation, a Seattle jury found Thompson guilty of wire fraud, as well as five counts of unauthorized access to a protected computer and damaging a protected computer. They found her not guilty of access device fraud and aggravated identity theft. Thompson could face up to 45 years in prison.
Not that Capital One got off easy. Finding their security practices lacking, the Office of the Comptroller of Currency fined Capital One for $80 million, and the company paid out an additional $190 million settlement in a class action lawsuit.
May 2022: Texas Department of Insurance Data Leak Comes to Light
In May 2022, a state audit revealed a data leak at the Texas Department of Insurance, compromising 1.8 million Texans. The data in question, including social security numbers and other sensitive personal information, was widely accessible on the department website from March 2019 to January 2022.
This issue was fixed shortly after it was identified in January. The state audit was completed in March, and only in May did it become known to the public. As far as the auditors could tell, this data was not accessed by unauthorized individuals.
April 2022: Block Confirms Cash App Data Breach
In an SEC filing made on April 4, Block (the company formerly known as Square) acknowledged that Cash App had been breached by a former employee in December of 2021. The leak included customers’ names, brokerage account numbers, and other data, such as portfolio value and stock trading activity.
Block has not been forthcoming about how many customers were affected in total, but the company is contacting over 8 million customers to inform them about the incident. Based on what they’ve said so far, no other personally identifiable information or account credentials were leaked in the incident.
March 2022: Microsoft Breached by Lapsus$ Hacker Group
On March 20, 2022, the hacker group Lapsus$ posted a screenshot to their Telegram channel indicating that they had breached Microsoft. The screenshot was taken within Azure DevOps, a collaboration software created by Microsoft, and indicated that Bing, Cortana, and other projects had been compromised in the breach.
On March 22, Microsoft issued a statement confirming that the attacks had occurred. In it, they asserted that no customer data had been compromised; per Microsoft’s description, only a single account was hijacked, and the company’s security team was able to stop the attack before Lapsus$ could infiltrate any deeper into their organization.
In their statement, Microsoft’s security team described Lapsus$ as “a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.” They go on to describe the group’s tactics in great detail, indicating that Microsoft had been studying Lapsus$ carefully before the incident occurred.
For their part, Lapsus$ has repeatedly stated that their motivations are purely financial: “Remember: The only goal is money, our reasons are not political.” They appear to exploit insider threats, and recently posted a notice asking tech workers to compromise their employers.
March 2022: Lapsus$ Group Breaches Authentication Company Okta
On March 21, Lapsus$ posted on Telegram that they had breached Okta, an authentication company. The following day, Okta acknowledged the breach and stated that approximately 2.5% of their customers had been exposed in the incident. Per Okta’s description, Lapsus$ infiltrated their company via a third-party customer support provider.
On Telegram, Lapsus$ disputed many points Okta made in their blog post, and fiercely criticized Okta’s security practices, in a number of points such as the following:
For a company that supports Zero-Trust. Support Engineers seem to have excessive access to Slack? 8.6k channels? (You may want to search AKIA* on your Slack, rather a bad security practice to store AWS keys in Slack channels 😉)
March 2022: Ronin Network Breached in $540 million Crypto Heist
On March 23, a group of hackers exploited a security vulnerablity to loot $540 million in cryptocurrency from the Ronin Network. Most of that money was stolen from Axie Infinity, a popular game that uses cryptocurrency and NFTs. The hackers in question appear to have ties to North Korea.
February 2022: Ottawa Freedom Convoy Donors Leaked via Christian Fundraising Platform
In February 2022, hackers hijacked GiveSendGo, a Christian fundraising website. They redirected the site to a page condemning the Canadian Freedom Convoy protestors, and posted personal details on the 90,000 people who had donated to the Freedom Convoy via the website.
January 2022: Over $30 Million Looted in Crypto.com Breach
On January 17, 2022, hackers broke into 483 users’ wallets on Crypto.com, and proceeded to make off with roughly $18 million in bitcoin and $15 million in ethereum, as well as other cryptocurrencies. It appears these hackers were able to bypass two-factor authentication, and then access these users’ wallets.
Immediately following the breach, Crypto.com described the event as an “incident”, not a hack, and reported that no users’ currencies had been stolen. A few days later, they clarified that money had been stolen in the hack, and stated that they had reimbursed the affected users. They also said they had audited their systems and were working to improve their security.
December 2021: FlexBooker Breached, Compromising 3 Million Users
In December 2021, a hacker group identified as “Uawrongteam” broke into FlexBooker, an online booking platform, and made off with data on roughly three million users. After looting the data, they posted it for sale on various hacker forums.
The stolen data included drivers’ licenses and other personally identifying information, as well as password data. The data was apparently accessed by exploiting FlexBooker’s Amazon Web Services configuration.
November 2021: Panasonic Hacked, Exposing Data on Job Candidates & More
In November 2021, Panasonic announced that it was attacked by a hacker. Initially, the company believed that only business partner and specific proprietary data was accessed. However, after investigating further, the company stated in January 2022 that job candidate data, as well as information about interns, was also accessed.
Panasonic did not confirm how many individuals were impacted, though it said it reached out to notify those involved.
November 2021: Email Addresses for 5 Million Robinhood Users Exposed
In November 2021, Robinhood announced that an unauthorized person used a social engineering attack to obtain access to internal systems. The hacker accessed a list that contained the email addresses of 5 million users, the full names of 2 million users, and additional personal information on approximately 310. Around ten customers may have had an extensive amount of information compromised.
After collecting the data, the hacker demanded a payment to prevent the release of the information. Robinhood reach out to local authorities and began working with a security firm. Additionally, the company contacted all impacted account holders, as well as made a public announcement.
October 2021: Twitch Source Code & Other Data Hacked
In October 2021, source code for Twitch – which is owned by Amazon – and an unreleased Amazon Game Studios Steam competitor, along with Twitch creator payout data, began appearing online. A 125 GB torrent was posted on 4chan, with the user claiming it contained the entirety of Twitch. The poster stated they wanted to foster competition in the streaming space and cause disruption with the leak.
In the data cache, there was three years of data relating to Twitch creator payouts. Additionally, the full scope of twitch.tv, along with source code for Twitch clients, proprietary code, details on an unreleased Steam competitor, and more.
Twitch later confirmed that user data like passwords were not involved in the breach, asserting that internal data and creator payouts were the bulk of what’s present. The company also stated that only a small fraction of users were impacted at all and that the effect with minimal.
Later, Twitch stated that a server configuration error was potentially responsible, though it didn’t go into specifics. The company said it reset all stream keys and was continuing to examine the impact of the incident.
September 2021: Neiman Marcus Discovers 2020 Data Breach
In September 2021, Neiman Marcus discovered a data breach that had occurred in May 2020. The hack involved approximately 4.6 million online customer accounts and included data on their payment cards – including expiration dates – as well as other personal information.
Different customer accounts may have been impacted in ways. For example, some may have had their names and contact details compromised, while security questions and answers may have been collected from others.
August 2021: T-Mobile Data Breach Exposes Personal Information of Nearly 48 Million People
In August 2021, information about a data breach involving current and prospective T-Mobile customers began making headlines. The company confirmed that 40 million people who had previously applied for credit with the company were involved in the breach, as well as 7.8 million postpaid customers.
Hackers stole files relating to credit applications, impacting current and prospective users. The dataset contained sensitive information, including first and last names, Social Security numbers, dates of birth, and driver’s license and ID numbers. Phone numbers, account numbers, passwords, and PINs were not compromised.
For active prepaid customers, files containing names, phone numbers, and account PINs were compromised. Data from former prepaid customers was also accessed in the breach, though it isn’t clear how inactive accounts were impacted.
August 2021: 30 Million Records Across 47+ Organizations Exposed Due to Microsoft Power Apps Misconfiguration
In August 2021, news of a large-scale data leak involving misconfigured Microsoft Power Apps portals emerged. In total, the incident involved a minimum of 47 organizations, including companies like Ford Motor Co., the New York Metropolitan Transportation Authority, and American Airlines.
Overall, 38 million records were exposed, though the nature of the data varied depending on the organization. For example, in some cases, it was details from employee files. In others, data sets included COVID-19 testing and vaccine data, including personal information involving associated individuals. For other organizations, the data differed.
The misconfigurations weren’t the fault of Microsoft directly, as certain system changes initiated by users could cause data to become publicly accessible. However, the tech giant failed to include warning notifications in the systems to alert users that could occur, instead only addressing the possibility in technical documentation, leaving some feeling that the tech giant was at least partially to blame.
You can read more in our full timeline of Microsoft Data Breaches.
August 2021: Personal Data on 3+ Million Senior Citizens Exposed by SeniorAdvisor
In August 2021, a group of ethical hackers at WizCase found that SeniorAdvisor – a website – left the personal records of 3+ million senior citizens exposed in an improperly configured Amazon S3 bucket. The dataset included names, phone numbers, and email addresses, and had been collected for sales purposes. As a result, the data contained a mix of customer details and prospects, including individuals who had never had direct contact with the company.
August 2021: Databases and Account Details on Thousands of Microsoft Azure Customers Exposed
In August 2021, Wiz security professionals stated that they gained access to Microsoft Azure account details and customer databases due to a Cosmos DB vulnerability. The flaws created a form of loophole, giving users the ability to access other databases that weren’t theirs. A range of organizations was impacted by the issue, including several Fortune 500 companies.
It isn’t clear if anyone other than the security professionals accessed any information. However, anyone who did access the systems would have been able to download, delete, and alter records unobstructed.
July 2021: 1.6 Million Files Involving 80+ Municipalities by PeopleGIS Service
In July 2021, in another incident involving a misconfigured Amazon S3 bucket, WizCase found a vulnerability relating to MapsOnline, a PeopleGIS software service. Around 1.6 million files across 80+ municipalities were exposed, including personal data on area residents, building plans, and more information on properties in their respective areas.
June 2021: Data on 3.3 Million Audi Customers Exposed in Unsecured Database
In June 2021, Volkswagen revealed that customer data on 3.3 million Audi customers – including current and prospective buyers – was left publicly accessible online. The data cache involved sales and marketing details gathered between 2014 and 2019, including names, email addresses, and phone numbers, as well as specific vehicle-related data.
Around 90,000 of those affected also had more sensitive data stolen. That could include Social Security numbers and birth dates.
The company said that the data was exposed online at some time during the August 2019 to May 2021 timeframe. The company continued to investigate the incident to determine an exact timeline.
April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold
In April 2021, personal data on over 500 million LinkedIn users was posted for sale on a hacker forum. A representative for LinkedIn reported to Business Insider that this data was scraped from publicly available data on the platform. The data included information such as email addresses and phone numbers – all the more reason to keep sensitive details from public profiles.
April 2021: 530 Million Facebook Users’ Data Leaked on Online Hacker Forum
In April 2021, data on more than 530 million Facebook users was posted publicly in an online hacking forum. While the data appears to have been scraped in 2019 – a process involving the use of software to collect details relating to accounts – it contained information gathered when a contact importer vulnerability left certain personal data unprotected. Along with phone numbers, email addresses were obtained on a limited number of users.
You can read more in our full timeline of Facebook breaches.
March 2021: Utah-Based COVID Testing Company Leaks Personal Data on Over 50,000 Customers
In March 2021, misconfigured Amazon S3 buckets left the personal data of over 50,000 customers of Premier Diagnostics, a Utah-based COVID testing company, exposed. The data cache included driver’s license, passport, and insurance card images, along with other data.
February 2021: LogicGate System Breached by Unauthorized Person
In February 2021, an unauthorized person breached LogicGate systems. It isn’t clear how many people were impacted or precisely what information was compromised.
February 2021: COMB Data Leak Exposes Details on 3.2 Billion Accounts
In February 2021, a massive data cache dubbed the Compilation of Many Breaches (COMB) was leaked on an online hacker forum. It contained login details for 3.2 billion accounts, including streaming services, email providers, and more.
The dataset wasn’t based on a single data breach and didn’t contain unique information. Instead, it was a large trove featuring information collected from multiple breaches conducted by various individuals and groups.
January 2021: Scraped Data on 214 Million Social Media Accounts Leaked
In January 2021, a large-scale data leak at SocialArks exposed data from 214 million social media accounts. A misconfigured database operated by the company made the information accessible without a password, and none of the data within was encrypted.
Along with easily viewable information like follower counts and bios, phone numbers and email addresses were in the store of data. The data was collected through a process called scraping, where a company uses software to retrieve publicly accessible information and combine datasets from several sources to learn more about individuals. While that’s not illegal, it is barred on most social media platforms.
January 2021: Microsoft Exchange Server Flaw Leads to 60,000+ Hacks
In January 2021, four zero-day vulnerabilities involving Microsoft Exchange Servers were discovered. Hackers had the ability to access systems, download emails, deploy malware, hijack servers, and take other actions within the systems.
While estimated suggest that 30,000 U.S. businesses and 60,000 companies worldwide were affected, the exact scope and impact aren’t clear. Mainly, this is because the flaw allowed multiple hacker groups to gain access to systems, so there wasn’t a singular event at the center, making it harder to track.
January 2021: 2.28 Million MeetMindful User Records Exposed by Hacker
In January 2021, data on MeetMindful users was released online in a hacker forum. There were approximately 2.28 million records in total, and the data cache contained highly sensitive information. Along with names, emails, and some address information, the dataset contained body details, birth dates, location data, IP addresses, Facebook user IDs, dating preferences, Facebook tokens, and more.