
Elanic, Star Tribune and others fall victim to data leaks.

20 December 2020
BREACHAWARE HQ
Sale

A total of 8 breach events were found and analysed, resulting in 5,460,109 exposed accounts containing a total of 10 different types of personal data. The breaches found publicly and freely available included Elanic, Star Tribune, California BizHwy, Oregon BizHwy and Rhode Island BizHwy.

Categories of Personal Data Discovered

Contact Data, Technical Data, Transactional Data, Social Relationships Data, Socio-Demographic Data.

Data Breach Analysis

The dataset reveals the presence of ten distinct data types, making this breach cluster notable not for its scale but for its diversity of compromised information. The affected entities include Elanic, Star Tribune, and multiple regional business directories under the BizHwy brand, specifically covering California, Oregon, and Rhode Island. Though the number of accounts is relatively moderate, the wide scope of data types and the cross-sector nature of the affected platforms present a layered and potentially long-term risk.

Elanic is a resale platform originating in India that allows users to buy and sell secondhand fashion and lifestyle products. Its user base includes a mix of individual sellers, buyers, and small business operators who often use the platform informally to supplement their income. The combination of data types presents immediate implications for impersonation, phishing, and the targeting of sellers with fraud schemes or social engineering.

Star Tribune, a prominent newspaper based in Minneapolis, represents a different type of platform exposure. It is likely that the breach here involves subscriber data or accounts linked to comment sections, newsletters, or paywall-protected content. Data tied to media outlets can be exploited in multiple ways. First, subscriber email lists are attractive to those conducting misinformation campaigns or targeting regional audiences with context-aware phishing. Second, access to comment systems can be misused for spam injection or for harvesting user behaviour data, particularly in politically sensitive contexts.

The inclusion of three regional BizHwy instances, California, Oregon, and Rhode Island, points to a wider breach of this business listing service. These directories serve as public repositories for small and medium-sized businesses seeking online visibility. While this data is partly intended to be public, its bulk collection and release, especially when combined with platform credentials like usernames and passwords, raises concerns around misuse. Attackers can use this information to spoof businesses, create fraudulent listings, or craft convincing spear-phishing campaigns aimed at business owners or their vendors.

It is important to note that the breach is not confined to just consumer or enterprise data. Given that ten different data types are included in the dataset, the scope may involve less commonly seen but still valuable elements such as IP addresses, account creation dates, password hints, geographic coordinates, or system metadata. These secondary data points can be instrumental when cross-referenced with other breaches, helping attackers construct full identity profiles or verify account ownership across platforms.

Another concern with data from business directories is its relevance to supply chain compromise. Small businesses often operate with lean infrastructure and minimal cybersecurity budgets. They may use the same credentials across multiple services or rely on outdated content management systems. The exposure of their administrative contacts or web access details can open the door to targeted attacks, including invoice fraud or insertion into supplier communications. Furthermore, the presence of multiple state-specific directories suggests that the breach may have stemmed from a central point of failure or database misconfiguration that allowed multiple BizHwy portals to be compromised simultaneously or in sequence.

Even in the case of Star Tribune, if the breach extended to internal tools, newsroom communication systems, or analytics dashboards, the implications could involve attempts to manipulate narratives, access editorial calendars, or impersonate journalists for insider data. While such uses are not always financially motivated, the social impact of media platform compromise is nontrivial, especially during election cycles or in the context of politically charged reporting.

For Elanic, resale platforms are particularly vulnerable due to the relatively informal nature of user interactions. Many sellers communicate via chat functions or off-platform messaging apps. If attackers use leaked emails or phone numbers to contact users while posing as support or interested buyers, they can elicit payment information or redirect transactions. Moreover, female-dominated platforms such as Elanic face the additional risk of targeted harassment or exploitation, especially when profile photos and names are part of the dataset.

The public nature of these leaked records lowers the barrier for exploitation. Unlike breaches sold privately or held in ransom scenarios, data that is freely distributed often ends up in large credential-stuffing repositories. Attackers use automated tools to run stolen usernames and passwords against banking apps, e-commerce platforms, and email providers. Even if only a fraction of users reuse passwords, the resulting unauthorised access can cascade into financial loss or data theft on unrelated services.

Ten data types across eight breaches means this dataset is likely to be used for enrichment purposes. Individual records from different breaches may be linked together using common identifiers like emails or phone numbers. This allows malicious actors to build more detailed profiles of individuals and businesses, supporting a variety of fraud schemes ranging from identity theft to fraudulent loan applications.

While the overall number of affected accounts here is lower than in many high-profile corporate breaches, the breadth of industries and nature of the data mean that the risk is not easily dismissed. Local business owners, regional media subscribers, and informal digital entrepreneurs all intersect in this set of breaches, reflecting the reality that data exposure today is rarely confined to just one kind of user or one kind of threat.

The long-term consequence of such leaks is the normalisation of aggregated public-private user data collections. As data from professional directories, social media, e-commerce, and publishing continues to leak, even minor datasets can be valuable in specific contexts. A marketing list from a business directory, when combined with a leaked password from an unrelated consumer platform, becomes actionable intelligence. The merging of these contexts enables sophisticated fraud techniques without requiring access to traditionally sensitive sectors like banking or government.

In this case, the relatively small scope in volume is balanced by the variety and granularity of the data involved. Whether through resale account impersonation, small business targeting, or local media manipulation, the potential for misuse remains high.
