Have I Been Pwned latest breaches

Crunchyroll - 1,195,684 breached accounts

Sat, 04 Apr 2026 04:47:29 Z

In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP.

SongTrivia2 - 291,739 breached accounts

Sat, 04 Apr 2026 01:59:01 Z

In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars.

SUCCESS - 253,510 breached accounts

Wed, 01 Apr 2026 06:51:14 Z

In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS' disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors.

Cuties AI - 144,250 breached accounts

Tue, 31 Mar 2026 06:52:52 Z

In March 2026, the NSFW AI companion platform Cuties AI suffered a data breach that was subsequently published to a public hacking forum. The incident exposed 144k unique email addresses along with display names, avatars, prompts and descriptions used to generate AI adult images, as well as URLs to the generated content. The data also included the account that created the content and a stated "preference" of either female or trans.

BreachForums Version 5 - 339,778 breached accounts

Fri, 27 Mar 2026 02:19:23 Z

In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes.

Scuf Gaming - 128,683 breached accounts

Thu, 26 Mar 2026 05:31:26 Z

In June 2015, custom gaming controller maker Scuf Gaming suffered a data breach. The incident exposed 129k unique email addresses along with usernames, display names, IP addresses and password hashes.

Sound Radix - 292,993 breached accounts

Thu, 26 Mar 2026 00:06:29 Z

In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names. Sound Radix advised that it is possible that additional data including hashed passwords may have been exposed, and that no financial or credit card information was impacted.

RuneScape Boards - 222,762 breached accounts

Mon, 23 Mar 2026 21:40:06 Z

In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data. The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted MD5 password hashes.

Aura - 903,080 breached accounts

Wed, 18 Mar 2026 05:29:58 Z

In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised.

Divine Skins - 105,814 breached accounts

Sun, 15 Mar 2026 05:18:40 Z

In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users.

Baydöner - 1,266,822 breached accounts

Sun, 15 Mar 2026 03:36:43 Z

In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected.

Provecho - 712,904 breached accounts

Tue, 03 Mar 2026 06:40:50 Z

In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho has been notified and is aware of the claims surrounding the incident.

Lovora - 495,556 breached accounts

Mon, 02 Mar 2026 07:23:06 Z

In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident.

Quitbro - 22,874 breached accounts

Mon, 02 Mar 2026 05:27:11 Z

In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident.

KomikoAI - 1,060,191 breached accounts

Mon, 02 Mar 2026 01:31:29 Z

In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

Odido - 6,077,025 breached accounts

Thu, 26 Feb 2026 23:25:29 Z

In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, driver’s licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers.

Canadian Tire - 38,306,562 breached accounts

Wed, 25 Feb 2026 06:53:25 Z

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data.

CarGurus - 12,461,887 breached accounts

Sun, 22 Feb 2026 04:43:54 Z

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.

CarMax - 431,371 breached accounts

Fri, 20 Feb 2026 03:48:30 Z

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Figure - 967,178 breached accounts

Wed, 18 Feb 2026 01:11:11 Z

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.