
FraudWatch annoy a well-known and well skilled threat actor.

17 April 2022
BREACHAWARE HQ

A total of 12 breach events were found and analysed, resulting in 15,278,874 exposed accounts containing a total of 12 different types of personal data. The breaches found publicly and freely available included Hurb, Fraud Watch International, Bahigo, HighExp and Curtea Veche. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Technical Data, Contact Data, Usage Data, Locational Data, Socio-Demographic Data, National Identifiers.

Data Breach Analysis

Hurb, a popular travel booking platform based in Brazil, is one of the most notable entries in this set. As with many travel and accommodation providers, Hurb likely holds user information tied to personal identity, travel habits, and payment data. Breaches of such services can lead to real-world consequences, including impersonation, fraudulent bookings, or more targeted phishing campaigns exploiting known travel patterns.

Fraud Watch International, an organisation presumably designed to help prevent fraud, ironically appears among the breached entities. This highlights a concerning trend: even security and fraud-focused companies are not immune to the very threats they aim to counteract. When platforms like this are compromised, it can shake user confidence and may expose details on scam reports, contact submissions, or investigative data if not properly siloed.

Bahigo, an online gambling and betting platform, represents a sector that frequently attracts cyberattacks due to the combination of financial transactions and user data. Breaches in this domain not only jeopardise account balances but also risk exposing users to targeted social engineering, especially if players operate under aliases or use the platform in jurisdictions where gambling carries legal or social stigma.

HighExp and Curtea Veche further illustrate the breach scope across industries. HighExp is associated with high-return investment schemes, which, even when legitimate, tend to attract both investor data and attention from cybercriminals. Curtea Veche, a Romanian publishing house, represents the cultural and educational sector, which, while less frequently spotlighted in breach analysis, may store extensive customer lists, purchase histories, and author communications, all of which have value for data mining and fraud.

The diversity of the sectors involved, from travel and gambling to finance, fraud prevention, and publishing, underscores a critical point: no industry is insulated from digital vulnerabilities. Each handles user data differently, but many collect personal identifiers, contact information, or financial credentials. When exposed, these can cascade into larger privacy and security threats, not only for the individuals affected but for the institutions themselves.

The cumulative exposure of over 15 million accounts adds to the mounting evidence that large-scale breaches no longer require a single catastrophic event. Instead, steady, medium-scale exposures across multiple industries represent an ongoing erosion of user privacy and data control.

For businesses, this should reinforce the need for continuous security investment, not only in reactive breach detection but in proactive defence strategies like access management, encrypted storage, and regular penetration testing. For users, it reiterates the importance of good cyber hygiene: avoiding password reuse, enabling multi-factor authentication, and staying vigilant for suspicious communications tied to services they use.

Ultimately, this cluster of breach events demonstrates how deeply integrated digital services have become in modern life, from booking a vacation to placing a bet, buying a book, or seeking help against fraud. When those services falter in protecting user data, the consequences ripple far and wide.

Spotlight

Straight into what 'The Researchers' have quoted as 'the leak of the week': the French health insurance company EMOA Mutuelle du Var. Data associated with the health industry is always rich in data types. Typically, with an insurance company, you would see date of birth, full name, account information, physical address and phone number, but with this set of data we saw device information, usernames and IP addresses. Email addresses and passwords are a given. This breach has not been verified or acknowledged.

A team member asked: when is a breach worth recording? Even though the data recorded for the insurance company only amounted to 2.4mb of plain text data, any publicly available data needs to be assessed for risk management purposes, whether for the individual, the impact on the organisation or, of course, the supply chain.

The most notable breach the researchers identified is FraudWatch, an established threat hunting, intelligence and detection service. It is understood from the forums that FraudWatch took it upon themselves to annoy a well-known and well skilled threat actor. After engaging with said person online, they quickly became the victim of a security breach in which a range of their clients' personal information was leaked, with a promise of more to come. This incident proves that everyone is vulnerable, even those who are well established in the industry.

Moving on, a Turkish gambling site took a battering after suffering a data breach. National identity card numbers were among the credentials included in this leak. We did note that the betting company's HQ is in the Isle of Man, UK, which has seen a 30% increase in gambling licenses issued to companies due to, as quoted by the Isle of Man authorities, "proposed changes to regulation and structure in some jurisdictions."
