PwnedWebsites - Data Security

Pwned websites

Breached websites that have been loaded into Have I Been Pwned

The various breaches

Here's an overview of the various breaches that have been consolidated into this Have I Been Pwned. These are accessible programmatically via the HIBP API and also via the RSS feed.

17173

In late 2011, a series of data breaches in China affected up to 100 million users, including 7.5 million from the gaming site known as 17173. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains usernames, email addresses and salted MD5 password hashes and was provided with support from dehashed.com. Read more about Chinese data breaches in Have I Been Pwned.
Breach date: 28 December 2011
Date added to HIBP: 28 April 2018
Compromised accounts: 7,485,802
Compromised data: Email addresses, Passwords, Usernames

Abandonia (2015)

In November 2015, the gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in the exposure of 776k unique user records. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.
Breach date: 1 November 2015
Date added to HIBP: 5 June 2017
Compromised accounts: 776,125
Compromised data: Email addresses, IP addresses, Passwords, Usernames

17

In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.
Breach date: 19 April 2016
Date added to HIBP: 8 July 2016
Compromised accounts: 4,009,640
Compromised data: Device information, Email addresses, IP addresses, Passwords, Usernames

8fit

n July 2018, the health and fitness service 8fit suffered a data breach. The data subsequently appeared for sale on a dark web marketplace in February 2019 and included over 15M unique email addresses alongside names, genders, IP addresses and passwords stored as bcrypt hashes. The data was provided to HIBP by dehashed.com.
Breach date: 1 July 2018
Date added to HIBP: 21 March 2019
Compromised accounts: 15,025,407
Compromised data: Email addresses, Genders, Geographic locations, IP addresses, Names, Passwords

The various breaches

Here's an overview of the various breaches that have been consolidated into this Have I Been Pwned. These are accessible programmatically via the HIBP API and also via the RSS feed.

000webhost

In approximately March 2015, the free web hosting provider 000webhost suffered a major data breach that exposed almost 15 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords. Breach date: 1 March 2015 Date added to HIBP: 26 October 2015 Compromised accounts: 14,936,670 Compromised data: Email addresses, IP addresses, Names, Passwords

123RF

In March 2020, the stock photo site 123RF suffered a data breach which impacted over 8 million subscribers and was subsequently sold online. The breach included email, IP and physical addresses, names, phone numbers and passwords stored as MD5 hashes. The data was provided to HIBP by dehashed.com. Breach date: 22 March 2020 Date added to HIBP: 15 November 2020 Compromised accounts: 8,661,578 Compromised data: Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Usernames

126

In approximately 2012, it's alleged that the Chinese email service known as 126 suffered a data breach that impacted 6.4 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned. Breach date: 1 January 2012 Date added to HIBP: 8 October 2016 Compromised accounts: 6,414,191 Compromised data: Email addresses, Passwords

2,844 Separate Data Breaches

In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen. Each file contained both an email address and plain text password and were consequently loaded as a single "unverified" data breach. Breach date: 19 February 2018 Date added to HIBP: 26 February 2018 Compromised accounts: 80,115,532 Compromised data: Email addresses, Passwords

500px

In mid-2018, the online photography community 500px suffered a data breach. The incident exposed almost 15 million unique email addresses alongside names, usernames, genders, dates of birth and either an MD5 or bcrypt password hash. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]". Breach date: 5 July 2018 Date added to HIBP: 25 March 2019 Compromised accounts: 14,867,999 Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords, Usernames

7k7k

n approximately 2011, it's alleged that the Chinese gaming site known as 7k7k suffered a data breach that impacted 9.1 million subscribers. Whilst there is evidence that the data is legitimate, due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified". The data in the breach contains usernames, email addresses and plain text passwords. Read more about Chinese data breaches in Have I Been Pwned. Breach date: 1 January 2011 Date added to HIBP: 26 September 2017 Compromised accounts: 9,121,434 Compromised data: Email addresses, Passwords, Usernames