Latest Breach Information
Below is a list of the last 25 known data breaches and any information we may have about them.
Divine Skins
| Added Date: |
3/15/2026 |
| Breach Date: |
3/13/2026 |
| Updated Date: |
3/15/2026 |
| Breach Count: |
105,814 |
| Content: |
Email addresses, Purchases, Usernames |
| Domain: |
divineskins.gg |
Description:
In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users.
Verified: 
,
Fabricated: 
,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Baydöner
| Added Date: |
3/14/2026 |
| Breach Date: |
3/8/2026 |
| Updated Date: |
3/14/2026 |
| Breach Count: |
1,266,822 |
| Content: |
Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Names, Passwords, Phone numbers, Purchases |
| Domain: |
baydoner.com |
Description:
In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Provecho
| Added Date: |
3/3/2026 |
| Breach Date: |
1/30/2026 |
| Updated Date: |
3/3/2026 |
| Breach Count: |
712,904 |
| Content: |
Email addresses, Usernames |
| Domain: |
provecho.bio |
Description:
In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho has been notified and is aware of the claims surrounding the incident.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Lovora
| Added Date: |
3/2/2026 |
| Breach Date: |
2/25/2026 |
| Updated Date: |
3/2/2026 |
| Breach Count: |
495,556 |
| Content: |
Display names, Email addresses, Profile photos |
| Domain: |
n/a |
Description:
In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Quitbro
| Added Date: |
3/1/2026 |
| Breach Date: |
2/17/2026 |
| Updated Date: |
3/1/2026 |
| Breach Count: |
22,874 |
| Content: |
Email addresses, Partial dates of birth, Usernames |
| Domain: |
quitbro.app |
Description:
In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
KomikoAI
| Added Date: |
3/1/2026 |
| Breach Date: |
2/25/2026 |
| Updated Date: |
3/1/2026 |
| Breach Count: |
1,060,191 |
| Content: |
AI prompts, Email addresses, Forum posts, Names |
| Domain: |
komiko.app |
Description:
In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Odido
| Added Date: |
2/26/2026 |
| Breach Date: |
2/12/2026 |
| Updated Date: |
2/28/2026 |
| Breach Count: |
6,077,025 |
| Content: |
Bank account numbers, Customer service comments, Dates of birth, Driver's licenses, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Phone numbers, Physical addresses |
| Domain: |
odido.nl |
Description:
In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, driver’s licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Canadian Tire
| Added Date: |
2/25/2026 |
| Breach Date: |
10/2/2025 |
| Updated Date: |
2/25/2026 |
| Breach Count: |
38,306,562 |
| Content: |
Dates of birth, Email addresses, Genders, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses |
| Domain: |
canadiantire.ca |
Description:
In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
CarGurus
| Added Date: |
2/21/2026 |
| Breach Date: |
2/14/2026 |
| Updated Date: |
2/21/2026 |
| Breach Count: |
12,461,887 |
| Content: |
Email addresses, IP addresses, Names, Phone numbers, Physical addresses |
| Domain: |
cargurus.com |
Description:
In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
CarMax
| Added Date: |
2/19/2026 |
| Breach Date: |
1/24/2026 |
| Updated Date: |
2/19/2026 |
| Breach Count: |
431,371 |
| Content: |
Email addresses, Names, Phone numbers, Physical addresses |
| Domain: |
carmax.com |
Description:
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Figure
| Added Date: |
2/17/2026 |
| Breach Date: |
1/28/2026 |
| Updated Date: |
2/17/2026 |
| Breach Count: |
967,178 |
| Content: |
Dates of birth, Email addresses, Names, Phone numbers, Physical addresses |
| Domain: |
figure.com |
Description:
In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Canada Goose
| Added Date: |
2/16/2026 |
| Breach Date: |
7/4/2025 |
| Updated Date: |
2/16/2026 |
| Breach Count: |
581,877 |
| Content: |
Device information, Email addresses, IP addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases |
| Domain: |
canadagoose.com |
Description:
In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card type and last 4 digits. Canada Goose advised that the data "appears to relate to past customer transactions" and stated that it originated from a breach at a third party in August 2025. The most recent transaction date in the data is July 2025.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
University of Pennsylvania
| Added Date: |
2/16/2026 |
| Breach Date: |
10/30/2025 |
| Updated Date: |
2/16/2026 |
| Breach Count: |
623,750 |
| Content: |
Charitable donations, Dates of birth, Email addresses, Genders, Income levels, Job titles, Names, Physical addresses, Religions, Salutations, Spouses names |
| Domain: |
upenn.edu |
Description:
In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k unique email addresses alongside names and physical addresses. For some donor records, additional personal information was exposed, including gender and date of birth. A small subset of records also contained religion, spouse name, estimated income and donation history.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
APOIA.se
| Added Date: |
2/16/2026 |
| Breach Date: |
12/16/2025 |
| Updated Date: |
2/16/2026 |
| Breach Count: |
450,764 |
| Content: |
Email addresses, Names, Physical addresses |
| Domain: |
apoia.se |
Description:
In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Toy Battles
| Added Date: |
2/9/2026 |
| Breach Date: |
2/6/2026 |
| Updated Date: |
2/9/2026 |
| Breach Count: |
1,017 |
| Content: |
Chat logs, Email addresses, IP addresses, Usernames |
| Domain: |
toybattles.net |
Description:
In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Association Nationale des Premiers Secours
| Added Date: |
2/9/2026 |
| Breach Date: |
1/30/2026 |
| Updated Date: |
2/9/2026 |
| Breach Count: |
5,600 |
| Content: |
Dates of birth, Email addresses, Names, Places of birth, Salutations |
| Domain: |
anps.fr |
Description:
In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum. The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the incident was traced back to a legacy system and did not impact health data, financial information or passwords.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Substack
| Added Date: |
2/6/2026 |
| Breach Date: |
10/23/2025 |
| Updated Date: |
2/6/2026 |
| Breach Count: |
663,121 |
| Content: |
Email addresses, Phone numbers |
| Domain: |
substack.com |
Description:
In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publication names and bios. A subset of records also included phone numbers.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Betterment
| Added Date: |
2/4/2026 |
| Breach Date: |
1/9/2026 |
| Updated Date: |
2/4/2026 |
| Breach Count: |
1,435,174 |
| Content: |
Dates of birth, Device information, Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Physical addresses |
| Domain: |
betterment.com |
Description:
In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
Panera Bread
| Added Date: |
1/30/2026 |
| Breach Date: |
1/7/2026 |
| Updated Date: |
1/30/2026 |
| Breach Count: |
5,112,502 |
| Content: |
Email addresses, Names, Phone numbers, Physical addresses |
| Domain: |
panerabread.com |
Description:
In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Panera Bread subsequently confirmed that "the data involved is contact information" and that authorities were notified.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List:
SoundCloud
| Added Date: |
1/26/2026 |
| Breach Date: |
12/15/2025 |
| Updated Date: |
1/26/2026 |
| Breach Count: |
29,815,722 |
| Content: |
Avatars, Email addresses, Geographic locations, Names, Profile statistics, Usernames |
| Domain: |
soundcloud.com |
Description:
In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month.
Verified: ,
Fabricated: ,
Sensitive: ,
Active: ,
Retired: ,
Is Spam List: