DoorDash confirms data breach affected 4.9 million customers, workers and merchants

https://techcrunch.com/2019/09/26/doordash-data-breach/?guccounter=1

Wanelo - 23,165,793 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Wanelo

In approximately December 2018, the digital mall Wanelo suffered a data breach (https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/). The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019. A total of 23 million unique email addresses were included in the breach alongside passwords stored as either MD5 of bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Sephora - 780,073 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Sephora

In approximately January 2017, the beauty store Sephora suffered a data breach (https://www.zdnet.com/article/sephora-data-breach-hits-southeast-asia-and-anz-customers/). Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

StreetEasy - 988,230 breached accounts
https://haveibeenpwned.com/PwnedWebsites#StreetEasy

In approximately June 2016, the real estate website StreetEasy suffered a data breach (https://therealdeal.com/2019/02/19/a-million-streeteasy-accounts-hacked/). In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

In mid-2019, the Indian interactive online tutoring platform Vedantu suffered a data breach which exposed the personal data of 687k users. The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as bcrypt hashes. When contacted about the incident, Vedantu advised that they were aware of the breach and were in the process of informing their customers.

https://haveibeenpwned.com/PwnedWebsites#Vedantu

ToonDoo - 6,002,694 breached accounts
https://haveibeenpwned.com/PwnedWebsites#ToonDoo

In August 2019, the comic strip creation website ToonDoo suffered a data breach (https://www.zataz.com/6-000-000-de-donnees-personnelles-piratees-pour-le-site-toondoo/). The data was subsequently redistributed on a popular hacking forum in November where the personal information of over 6M subscribers was shared. Impacted data included email and IP addresses, usernames, genders, the location of the individual and salted password hashes.

Hacker Publishes 2TB of Data from Cayman National Bank
https://twitter.com/DDoSecrets/status/1195899716653010945

GPS Underground - 669,584 breached accounts
https://haveibeenpwned.com/PwnedWebsites#GPSUnderground

In early 2017, GPS Underground was amongst a collection of compromised vBulletin websites that were found being sold online (https://www.hackread.com/vbulletin-forums-hacked-accounts-sold-on-dark-web/). The breach dated back to mid-2016 and included 670k records with usernames, email and IP addresses, dates of birth and salted MD5 password hashes.

EpicBot - 816,662 breached accounts
https://haveibeenpwned.com/PwnedWebsites#EpicBot

In September 2019, the RuneScape bot provider EpicBot suffered a data breach that impacted 817k subscribers (https://arstechnica.com/information-technology/2019/11/password-data-dumped-online-for-2-2-million-users-of-currency-and-gaming-sites/). Data from the breach was subsequently shared on a popular hacking forum and included usernames, email and IP addresses and passwords stored as either salted MD5 or bcrypt hashes. EpicBot did not respond when contacted about the incident.

GateHub - 1,408,078 breached accounts
https://haveibeenpwned.com/PwnedWebsites#GateHub

In October 2019, 1.4M accounts from the cryptocurrency wallet service GateHub were posted to a popular hacking forum (https://arstechnica.com/information-technology/2019/11/password-data-dumped-online-for-2-2-million-users-of-currency-and-gaming-sites/). GateHub had previously acknowledged a data breach in June (https://gatehub.net/blog/gatehub-update-investigation-continues/), albeit with a smaller number of impacted accounts. Data from the breach included email addresses, mnemonic phrases, wallet hashes and passwords stored as bcrypt hashes.

Data Enrichment Exposure From PDL Customer - 622,161,052 breached accounts
https://haveibeenpwned.com/PwnedWebsites#PDL

In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 billion records of personal data (https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses). The exposed data included an index indicating it was sourced from data enrichment company People Data Labs (PDL) and contained 622 million unique email addresses. The server was not owned by PDL and it's believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data.

Some of OnePlus users' order information was accessed by an unauthorized party. They state that all payment information, passwords and accounts are safe, but certain users' name, contact number, email and shipping address may have been exposed.

https://forums.oneplus.com/threads/security-notification.1144088/

Disclaimer: That is more of a collection, rather than a leak.

Still worth mentioning.

https://www.dataviper.io/blog/2019/pdl-data-exposure-billion-people/