Slack has suffered a data breach in which thousands of users have been affected. As a result, the company is resetting passwords of thousands of impacted users.

Plaintext passwords too.

https://thehackernews.co/slack-data-breach-company-resets-thousands-of-passwords/

Through the hack at Mastercard whole card numbers have surfaced online. The company announced that it would pay the costs of exchanging users for the card.

https://www.tellerreport.com/tech/2019-08-22---mastercard--mastercard-data-leak-also-affected-complete-card-numbers-.S1xrgik3EH.html

14 million accounts breached at hostinger.

Data potentially exposed:
- names
- Hostinger usernames
- IP addresses
- home addreses
- emails
- phone numbers
- hashed passwords

https://fossbytes.com/web-host-hostinger-data-breach-14-million-users-password-reset/

Coinmama - 478,824 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Coinmama

In August 2017, the crypto coin brokerage service Coinmama suffered a data breach (https://cointelegraph.com/news/major-crypto-brokerage-coinmama-reports-450-000-users-affected-by-data-breach) that impacted 479k subscribers. The breach was discovered in February 2019 with exposed data including email addresses, usernames and passwords stored as MD5 WordPress hashes. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies.

XKCD - 561,991 breached accounts
https://haveibeenpwned.com/PwnedWebsites#XKCD

In July 2019, the forum for webcomic XKCD (https://forums.xkcd.com/) suffered a data breach that impacted 562k subscribers. The breached phpBB forum leaked usernames, email and IP addresses and passwords stored in MD5 phpBB3 format. The data was provided to HIBP by white hat security researcher and data analyst Adam Davies.

Mastercard Priceless Specials - 89,388 breached accounts
https://haveibeenpwned.com/PwnedWebsites#MastercardPricelessSpecials

In August 2019, the German Mastercard bonus program "Priceless Specials" suffered a data breach (https://www.spiegel.de/netzwelt/web/mastercard-datenleck-bei-bonusprogramm-a-1282697.html). Personal data on almost 90k program members was subsequently extensively circulated online and included names, email and IP addresses, phone numbers and partial credit card data. Following the incident, the program was subsequently suspended.

Poshmark - 36,395,491 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Poshmark

In mid-2018, social commerce marketplace Poshmark suffered a data breach (https://techcrunch.com/2019/08/01/poshmark-confirms-data-breach/) that exposed 36M user accounts. The compromised data included email addresses, names, usernames, genders, locations and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Hundreds of millions of phone numbers linked to Facebook accounts have been found online.

The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.

https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/

Void.to - 95,431 breached accounts
https://haveibeenpwned.com/PwnedWebsites#VoidTO

In June 2019, the hacking website Void.to (https://void.to/) suffered a data breach. There were 95k unique email addresses spread across 86k forum users and other tables in the database. A rival hacking website claimed responsibility for breaching the MyBB based forum which disclosed email and IP addresses, usernames, private messages and passwords stored as either salted MD5 or bcrypt hashes.

The Elasticsearch server contained a total of approximately 20.8 million user records, a number larger than the country's total population count.

https://www.zdnet.com/article/database-leaks-data-on-most-of-ecuadors-citizens-including-6-7-million-children/

Minehut - 396,533 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Minehut

In May 2019, the Minecraft server website Minehut (https://minehut.com/) suffered a data breach. The company advised a database backup had been obtained after which they subsequently notified all impacted users. 397k email addresses from the incident were provided to HIBP.

KiwiFarms - 4,606 breached accounts
https://haveibeenpwned.com/PwnedWebsites#KiwiFarms

In September 2019, the forum for discussing "lolcows" (people who can be milked for laughs) Kiwi Farms suffered a data breach (https://kiwifarms.net/threads/dealing-with-the-compromise.60767/). The disclosure notice advised that email and IP addresses, dates of birth and content created by members were all exposed in the incident.

The records cover more than 5 million patients in the U.S. and millions more around the world. In some cases, a snoop could use free software programs — or just a typical web browser — to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.

https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet

Lumin PDF - 15,453,048 breached accounts
https://haveibeenpwned.com/PwnedWebsites#LuminPDF

In April 2019, the PDF management service Lumin PDF suffered a data breach (https://www.zdnet.com/article/data-of-24-3-million-lumin-pdf-users-shared-on-hacking-forum/). The breach wasn't publicly disclosed until September when 15.5M records of user data appeared for download on a popular hacking forum. The data had been left publicly exposed in a MongoDB instance after which Lumin PDF was allegedly been "contacted multiple times, but ignored all the queries". The exposed data included names, email. addresses, genders, spoken language and either a bcrypt password hash or Google auth token. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

DoorDash confirms data breach affected 4.9 million customers, workers and merchants

https://techcrunch.com/2019/09/26/doordash-data-breach/?guccounter=1

Wanelo - 23,165,793 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Wanelo

In approximately December 2018, the digital mall Wanelo suffered a data breach (https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/). The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019. A total of 23 million unique email addresses were included in the breach alongside passwords stored as either MD5 of bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Sephora - 780,073 breached accounts
https://haveibeenpwned.com/PwnedWebsites#Sephora

In approximately January 2017, the beauty store Sephora suffered a data breach (https://www.zdnet.com/article/sephora-data-breach-hits-southeast-asia-and-anz-customers/). Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

StreetEasy - 988,230 breached accounts
https://haveibeenpwned.com/PwnedWebsites#StreetEasy

In approximately June 2016, the real estate website StreetEasy suffered a data breach (https://therealdeal.com/2019/02/19/a-million-streeteasy-accounts-hacked/). In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".