
Kubii, Cerebriti and others fall victim to data leaks.

10 January 2021
BREACHAWARE HQ
Rasberry

A total of 4 breach events were found and analysed, resulting in 302,409 exposed accounts containing a total of 8 different data types of personal datum. The breaches found publicly and freely available included Kubii, Cerebriti, Click.org and Cracking Italy. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Technical Data, Socio-Demographic Data.

Data Breach Analysis

Despite the comparatively small number of affected users, the presence of eight different data types in the breach dataset makes it a relevant incident for observers tracking the evolution of multi-source exposure risks. The breached entities in this set include Kubii, Cerebriti, Click.org, and Cracking Italy, each representing distinct domains, from e-commerce and education to digital marketing and underground forums.

Kubii is a France-based online retailer specialising in Raspberry Pi components, electronic kits, and accessories for makers and DIY tech enthusiasts. The nature of this platform means that many of its customers are technically proficient users, educators, or small-scale developers.

The exposure of this data raises a dual concern. First, the combination of purchase information and contact details creates a high-quality profile for phishing, particularly if attackers frame their messages around past transactions or shipping issues. Second, Kubii users may include academic institutions or educators operating in STEM fields, whose leaked details could be used to impersonate or mislead educational bodies or even to socially engineer access into institutional systems via follow-up correspondence.

Cerebriti is an educational gaming platform based in Spain, offering users, especially students and teachers, the ability to create and play educational games across a variety of subjects. Its user base consists largely of minors and educators, introducing a different sensitivity to the breach. Educational platforms that serve underage users are governed by stricter data protection obligations in many regions, including the EU’s General Data Protection Regulation (GDPR) and, where applicable, child-specific data laws such as COPPA in the United States.

The exposure of data, particularly if connected to school email domains or institutional affiliations, poses a risk not only to individual students but also to educators who might reuse login credentials across platforms. Furthermore, if any analytics or usage metadata was included, such information could be used to infer the academic interests, cognitive patterns, or even performance metrics of individual students, data that should remain confidential under all circumstances.

Click.org represents another dimension in this breach set. It is a marketing and analytics platform focused on link tracking and conversion optimisation. Users of Click.org typically include marketers, small businesses, influencers, and entrepreneurs who manage ad campaigns or affiliate programs.

Given that Click.org manages redirection links and conversion tracking, any compromise of user data could enable attackers to hijack marketing campaigns, alter redirection paths, or exploit known link structures in phishing campaigns. Additionally, email addresses associated with active marketing accounts can be targeted for business email compromise (BEC) attempts, especially if they are tied to revenue-generating strategies or monetised social channels.

Finally, Cracking Italy, a lesser-known online forum, appears to be associated with the trading of pirated software, credential leaks, and other grey or black hat activities. Though such sites typically attract users familiar with digital privacy, the breach of an underground forum reveals an irony: users seeking tools to exploit others are sometimes themselves exposed in turn.

The inclusion of Cracking Italy in this breach set introduces unique considerations. First, the identities of users on such forums may be pseudonymous, but their association with the platform can still carry legal or reputational consequences, particularly in jurisdictions with strong anti-piracy laws or cybersecurity enforcement. Second, leaked forum databases often contain private messages that may disclose trade methods, transaction histories, or more personal information than expected. The breach of a site like this is not just an embarrassment to its user base; it can also serve as a source of intelligence for law enforcement or private sector threat analysts mapping cybercrime networks.

Across all four breaches, the eight data types give attackers room to manoeuvre across different threat vectors. For example, IP addresses and geolocation data may be used to correlate activity across platforms. Hashed passwords, especially if weakly hashed, are often cracked and reused elsewhere in credential stuffing campaigns. And the intersection of marketing platforms with e-commerce and education opens the possibility of cross-domain impersonation or fraud.

The modest number of affected accounts compared to major headline breaches belies the relevance of this incident. In fact, small and medium-sized platforms are increasingly being targeted because they lack enterprise-grade security but hold high-value or unique datasets. Moreover, the public nature of these breaches means that even if the raw data is not immediately weaponised, it will likely be used for enrichment or training purposes by malicious actors looking to improve the accuracy of future campaigns.

This breach set offers a microcosm of contemporary data risk, where education, e-commerce, digital marketing, and underground spaces all feed into the same data ecosystem. Users who appear in more than one of these platforms could face layered attacks. An educator on Cerebriti could also be a customer on Kubii. A digital marketer on Click.org might be unaware that their personal email was also used to register on a less secure site like Cracking Italy. The merging of such identities across contexts allows for greater precision in both fraud and manipulation efforts.

This breach scenario, while numerically limited, reinforces the importance of understanding data breaches not just by the size of the exposure, but by the interconnectedness of the platforms involved and the types of data that have been compromised. The implications here range from privacy violations to fraud risks, all underscored by the public accessibility of the leaked data.
