Data breach originating from a Swiss eco Christmas tree site leaked.
18 July 2022
BREACHAWARE HQ
A total of 11 breach events were found and analysed, resulting in 3,255,511 exposed accounts containing 8 different types of personal data. The breaches found publicly and freely available included TNA Flix, Minube, Football Guys, Allo Internet and Capital Games Forum.
Categories of Personal Data Discovered
Contact Data, Technical Data, Usage Data.
Data Breach Analysis
Among the affected sources was TNA Flix, an adult video streaming platform. Breaches of such sites carry a high reputational risk for users because of the sensitive nature of the content and the account associations they reveal; when this kind of data leaks, it is frequently used for blackmail or harassment.
Minube, a Spanish travel planning platform, was also affected. Travel platforms often collect location histories, itineraries and booking details, context that attackers can exploit for social engineering or identity theft.
In the sports and gaming space, platforms such as Football Guys, known for fantasy football analytics, and Capital Games Forum, which appears to be a discussion hub for gaming enthusiasts, were breached. These communities typically store email addresses, usernames, hashed passwords and forum activity logs. Once the password hashes are cracked, the email and password pairs can be reused in credential stuffing attacks against other services, and the remaining data can be used to profile user interests.
Allo Internet, a smaller online entity, was also listed among the breached. While details are sparse, its inclusion reflects the continued vulnerability of niche platforms with under-resourced security practices.
With over 3.2 million accounts exposed, the event highlights the ongoing need for robust password practices and privacy awareness, even on sites perceived as non-critical.
Spotlight
Within the past couple of weeks we've noticed a big surge in the number of identity cards in circulation online, from driving licences to passports. We know we should all be fans of KYC (know your customer) and AML (anti-money laundering) for the obvious reason that they help cut down on crime. However, it is very concerning that, in the attempt to flush out criminals, KYC may actually be assisting them. KYC is used for a variety of purposes, for example by cryptocurrency exchanges, but when these sites are hacked the identity documents they collected are dumped onto the internet, ready for another threat actor to commit identity fraud and potentially use them to pass online KYC checks in another person's name. Is there a need for an equivalent of PCI DSS (which safeguards cardholder data online) for KYC data?
An Indonesian online college and career preparation platform was found by the team. There's no comment from the company in question regarding a data breach, but a member of the team picked up a file containing 400k email addresses and dehashed passwords. It's always worrying when we don't see a comment from a company acknowledging that there's been a data leak/breach, because there's a very high chance that these 400k users won't know that this information is floating around the internet.
If you're feeling festive, there's a small data breach originating from a Swiss eco Christmas tree site, with plenty of datasets to get into, ranging from mobile numbers to physical addresses, employees' names and email addresses, and bcrypt-hashed passwords. The Swiss tend to be meticulous about rules and security, but maybe not so much this time.