Apr 2025

Synthient Credential Stuffing Threat Data

During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords. Working to turn breached data into awareness, Synthient partnered with HIBP to help victims of cybercrime understand their exposure.

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Mar 2024

Life360

In July 2024, data scraped from a misconfigured Life360 API was posted online after being obtained several months earlier. The records included 443k unique email addresses and, in most cases, corresponding names and phone numbers (some records were null or obfuscated). Life360 promptly notified impacted users after the incident was discovered.

Compromised data:

  • Email addresses
  • Names
  • Phone numbers

--------------------------------------------------

Aug 2021

Open Subtitles

In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers' personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

Compromised data:

  • Email addresses
  • Geographic locations
  • IP addresses
  • Passwords
  • Usernames

--------------------------------------------------

Apr 2021

LinkedIn Scraped Data (2021)

During the first half of 2021, LinkedIn was targeted by attackers who scraped data from hundreds of millions of public profiles and later sold them online. Whilst the scraping did not constitute a data breach nor did it access any personal data not intended to be publicly accessible, the data was still monetised and later broadly circulated in hacking circles. The scraped data contains approximately 400M records with 125M unique email addresses, as well as names, geographic locations, genders and job titles. LinkedIn specifically addresses the incident in their post "An update on report of scraped data".

Compromised data:

  • Education levels
  • Email addresses
  • Genders
  • Geographic locations
  • Job titles
  • Names
  • Social media profiles

--------------------------------------------------

Jan 2021

Twitter (200M)

In early 2023, over 200M records scraped from Twitter appeared on a popular hacking forum. The data was obtained sometime in 2021 by abusing an API that enabled email addresses to be resolved to Twitter profiles. The subsequent results were then composed into a corpus of data containing email addresses alongside public Twitter profile information including names, usernames and follower counts.

Compromised data:

  • Email addresses
  • Names
  • Social media profiles
  • Usernames

--------------------------------------------------

Nov 2020

Cit0day

In November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day was made available for download on several hacking forums. The data consisted of 226M unique email address and password pairs, with the passwords often represented as both password hashes and the cracked, plain text versions. Independent verification of the data established it contains many legitimate, previously undisclosed breaches. The data was provided to HIBP by dehashed.com.

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Oct 2020

Gravatar

In October 2020, a security researcher published a technique for scraping large volumes of data from Gravatar, the service for providing globally unique avatars. 167 million names, usernames and MD5 hashes of email addresses used to reference users' avatars were subsequently scraped and distributed within the hacking community. 114 million of the MD5 hashes were cracked and distributed alongside the source hash, thus disclosing the original email address and accompanying data. Following the impacted email addresses being searchable in HIBP, Gravatar released an FAQ detailing the incident.

Compromised data:

  • Email addresses
  • Names
  • Usernames

--------------------------------------------------

Jun 2020

Ledger

In June 2020, the hardware crypto wallet manufacturer Ledger suffered a data breach that exposed over 1 million email addresses. The data was initially sold before being dumped publicly in December 2020 and included names, physical addresses and phone numbers. The data was provided to HIBP by Alon Gal, CTO of cybercrime intelligence firm Hudson Rock.

Compromised data:

  • Email addresses
  • Names
  • Phone numbers
  • Physical addresses

--------------------------------------------------

Feb 2020

Covve

In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. Later identified as originating from the Covve contacts app, the exposed data included extensive personal information and interactions between Covve users and their contacts. The data was provided to HIBP by dehashed.com.

Compromised data:

  • Email addresses
  • Job titles
  • Names
  • Phone numbers
  • Physical addresses
  • Social media profiles

--------------------------------------------------

Oct 2019

Data Enrichment Exposure From PDL Customer

In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 billion records of personal data. The exposed data included an index indicating it was sourced from data enrichment company People Data Labs (PDL) and contained 622 million unique email addresses. The server was not owned by PDL and it's believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data.

Compromised data:

  • Email addresses
  • Employers
  • Geographic locations
  • Job titles
  • Names
  • Phone numbers
  • Social media profiles

--------------------------------------------------

Jan 2019

Collection #1

In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Dec 2018

Dubsmash

In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.

Compromised data:

  • Email addresses
  • Geographic locations
  • Names
  • Passwords
  • Phone numbers
  • Spoken languages
  • Usernames

--------------------------------------------------

Jul 2018

Apollo

In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data. The Apollo website has a contact form for those looking to get in touch with the organisation.

Compromised data:

  • Email addresses
  • Employers
  • Geographic locations
  • Job titles
  • Names
  • Phone numbers
  • Salutations
  • Social media profiles

--------------------------------------------------

Jun 2018

Trik Spam Botnet

In June 2018, the command and control server of a malicious botnet known as the "Trik Spam Botnet" was misconfigured such that it exposed the email addresses of more than 43 million people. The researchers who discovered the exposed Russian server believe the list of addresses was used to distribute various malware strains via malspam campaigns (emails designed to deliver malware).

Compromised data:

  • Email addresses

--------------------------------------------------

Aug 2017

Onliner Spambot

In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Dec 2016

Anti Public Combo List

In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is, attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read "Password reuse, credential stuffing and another billion records in Have I Been Pwned".

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Oct 2016

Dailymotion

In October 2016, the video sharing platform Dailymotion suffered a data breach. The attack led to the exposure of more than 85 million user accounts and included email addresses, usernames and bcrypt hashes of passwords.

Compromised data:

  • Email addresses
  • Passwords
  • Usernames

--------------------------------------------------

Oct 2016

Exploit.In

In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is, attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read "Password reuse, credential stuffing and another billion records in Have I Been Pwned".

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Aug 2016

GSM Hosting

In August 2016, breached data from the vBulletin forum for GSM-Hosting appeared for sale alongside dozens of other hacked services. The breach impacted 2.6M users of the service and included email and IP addresses, usernames and salted MD5 password hashes.

Compromised data:

  • Email addresses
  • IP addresses
  • Passwords
  • Usernames

--------------------------------------------------

Feb 2016

Linux Mint

In February 2016, the website for the Linux distro known as Linux Mint was hacked and the ISO infected with a backdoor. The site also ran a phpBB forum which was subsequently put up for sale complete with almost 145k email addresses, passwords and other personal subscriber information.

Compromised data:

  • Avatars
  • Dates of birth
  • Email addresses
  • Geographic locations
  • IP addresses
  • Passwords
  • Time zones
  • Website activity

--------------------------------------------------

Jan 2016

MoDaCo

In approximately January 2016, the UK based Android community known as MoDaCo suffered a data breach which exposed 880k subscriber identities. The data included email and IP addresses, usernames and passwords stored as salted MD5 hashes.

Compromised data:

  • Email addresses
  • IP addresses
  • Passwords
  • Usernames

--------------------------------------------------

Jul 2015

iPmart

During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 368k accounts were added to "Have I Been Pwned" in March 2016 bringing the total to over 2.4M.

Compromised data:

  • Dates of birth
  • Email addresses
  • Passwords
  • Usernames

--------------------------------------------------

Dec 2013

Torrent Invites

In December 2013, the torrent site Torrent Invites was hacked and over 352k accounts were exposed. The vBulletin forum contained usernames, email and IP addresses, birth dates and salted MD5 hashes of passwords.

Compromised data:

  • Dates of birth
  • Email addresses
  • IP addresses
  • Passwords
  • Usernames
  • Website activity

--------------------------------------------------

Oct 2013

Adobe

In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Compromised data:

  • Email addresses
  • Password hints
  • Passwords
  • Usernames

--------------------------------------------------

Jul 2012

Dropbox

In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers. In August 2016, they forced password resets for customers they believed may be at risk. A large volume of data totalling over 68 million records was subsequently traded online and included email addresses and salted hashes of passwords (half of them SHA1, half of them bcrypt).

Compromised data:

  • Email addresses
  • Passwords

--------------------------------------------------

Jul 2012

Disqus

In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced. The breach contained over 17.5 million unique email addresses and usernames. Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.

Compromised data:

  • Email addresses
  • Passwords
  • Usernames

--------------------------------------------------

May 2012

LinkedIn

In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Compromised data:

  • Email addresses
  • Passwords
