Email Address Breach Detection and Analysis
Use this free service to check if an email address is in any hacked data from known breaches. Get a summary of what specific information may be at risk, critical personal identity alerts, a relative exposure rating and more. Results are shown immediately - no verification, upgrades or extra steps are required.
breach data from: Have I Been pwned?
Recent Global Data Breaches
ParkMobile - 20,949,825 breached accountsIn March 2021, the mobile parking app service ParkMobile suffered a data breach which exposed 21 million customers' personal data. The impacted data included email addresses, names, phone numbers, vehicle licence plates and passwords stored as bcrypt hashes. The following month, the data appeared on a public hacking forum where it was extensively redistributed.
Descomplica - 4,845,378 breached accountsIn March 2021, the Brazilian EdTech company Descomplica suffered a data breach which was subsequently posted to a popular hacking forum. The data included almost 5 million email addresses, names, the first 6 and last 4 digits and the expiry date of credit cards, purchase histories and password hashes.
Jefit - 9,052,457 breached accountsIn August 2020, the workout tracking app Jefit suffered a data breach. The data was subsequently sold within the hacking community and included over 9 million email and IP addresses, usernames and passwords stored as either vBulletin or argon2 hashes. Several million cracked passwords later appeared in broad circulation.
bigbasket - 24,500,011 breached accountsIn October 2020, the Indian grocery platform bigbasket suffered a data breach that exposed over 20 million customer records. The data was originally sold before being leaked publicly in April the following year and included email, IP and physical addresses, names, phones numbers, dates of birth passwords stored as Django(SHA-1) hashes.
MangaDex - 2,987,329 breached accountsIn March 2021, the manga fan site MangaDex suffered a data breach that resulted in the exposure of almost 3 million subscribers. The data included email and IP addresses, usernames and passwords stored as bcrypt hashes. The data was subsequently circulated within hacking groups.
ShopBack - 20,529,819 breached accountsIn September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by dehashed.com.
ClearVoice Surveys - 15,074,786 breached accountsIn April 2021, the market research surveys company ClearVoice Surveys had a publicly facing database backup from 2015 taken and redistributed on a popular hacking forum. The data included 15M unique email addresses across more than 17M rows of data that also included names, physical and IP addresses, genders, dates of birth and plain text passwords. ClearVoice Surveys advised they were aware of the breach and confirmed its authenticity.
Phone House España - 5,223,350 breached accountsIn April 2021, the Spanish retailer Phone House allegedly suffered a ransomware attack that also exposed significant volumes of customer data. Attributed to the Babuk ransomware, a collection of data alleged to be a subset of a larger corpus was posted to a dark web site and contained 5.2M email addresses along with names, nationalities, genders, dates of birth, phone numbers and physical addresses. Phone House has been threatened with further releases if a ransom is not paid.
Facebook - 509,458,528 breached accountsIn April 2021, a large data set of over 500 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook's subscribers, the data was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included phone, only 2.5 million contained an email address. Most records contained names and genders with many also including dates of birth, location, relationship status and employer.
Unverified Data Source (unverified) - 11,498,146 breached accountsIn January 2021, over 11M unique email addresses were discovered by Night Lion Security alongside an extensive amount of personal information including names, physical and IP addresses, phone numbers and dates of birth. Some records also contained social security numbers, driver's license details, personal financial information and health-related data, depending on where the information was sourced from. Initially attributed to Astoria Company, they subsequently investigated the incident and confirmed the data did not originate from their services.
Liker - 465,141 breached accountsIn March 2021, the self-proclaimed "kinder, smarter social network" Liker suffered a data breach, allegedly in retaliation for the Gab data breach and scraping of data from Parler. The site remained offline after the breach which exposed 465k email addresses in addition to names, dates of birth, education levels, private messages, security questions and answers in plain text, passwords stored as bcrypt hashes and other personal data attributes. Liker did not respond when contacted about the breach.
Travel Oklahoma - 637,279 breached accountsIn December 2020, the Oklahoma state Tourism and Recreation Department suffered a data breach. The incident exposed 637k email addresses across a variety of tables including age ranges against brochure orders and dates of birth against contest entries. Genders, names and physical addresses were also exposed. The data was provided to HIBP by a source who requested it be attributed to "badhou3a".
Oxfam - 1,834,006 breached accountsIn January 2021, Oxfam Australia was the victim of a data breach which exposed 1.8M unique email addresses of supporters of the charity. The data was put up for sale on a popular hacking forum and also included names, phone numbers, addresses, genders and dates of birth. A small number of people also had partial credit card data exposed (the first 6 and last 3 digits of the card, plus card type and expiry) and in some cases the bank name, account number and BSB were also exposed. The data was subsequently made freely available on the hacking forum later the following month.
Ticketcounter - 1,921,722 breached accountsIn August 2020, the Dutch ticketing service Ticketcounter inadvertently published a database backup to a publicly accessible location where it was then found and downloaded in February 2021. The data contained 1.9M unique email addresses which were offered for sale on a hacking forum alongside names, physical and IP addresses, genders, dates of birth, payment histories and in some cases, bank account numbers. Ticketcounter was later held to ransom with the threat of the breached being released publicly. The data was provided to HIBP by a source who requested it be attributed to firstname.lastname@example.org.
SuperVPN & GeckoVPN - 20,339,937 breached accountsIn February 2021, a series of "free" VPN services were breached including SuperVPN and GeckoVPN, exposing over 20M records. The data appeared together in a single file with a small number of records also included from FlashVPN, suggesting that all three brands may share the same platform. Impacted data also included email addresses, the country logged in from and the date and time each login occurred alongside device information including the make and model, IMSI number and serial number. The data was provided to HIBP by a source who requested it be attributed to email@example.com.
Filmai.in - 645,786 breached accountsIn approximately 2019 or 2020, the Lithuanian movie streaming service Filmai.in suffered a data breach exposing 645k email addresses, usernames and plain text passwords.
NurseryCam - 10,585 breached accountsIn February 2021, a series of egregiously bad security flaws were identified in the NurseryCam system designed for parents to remotely monitor their children whilst attending nursery. The flaws led to the exposure of over 10k parent records before the service was shut down. The email addresses alone were provided to Have I Been Pwned to ensure parents were properly notified of the incident.
breach data from: Have I Been pwned? (HIBP)
Identity Theft and Security Resources
Official US Government Sites
- FTC Complaint Assistant
- FBI Internet Crime Complaint Center
- US Postal Inspection Service ID Theft Complaint
- IRS Taxpayer Victim Assistance
- HHS Health Information Breach Portal
- National Do Not Call Registry
Identity Security Tips and Guidelines
- FDIC Cybersecurity Awareness Basics
- FTC Identity Theft Consumer Information
- Identity Theft: What To Do If It Happens To You
- Protect Yourself from Identity Theft
- Protecting Your Social Security
- Spam "Unsubscribe" Services are a Scam
Fraud Information and Assistance Organizations
- ID Theft Resource Center
- Better Business Bureau
- Privacy Rights Clearinghouse
- Charity Watch
Credit Bureaus and Reporting
- Free credit report from annualcreditreport.com