Business Email Compromise accounted for roughly $2.4 billion in reported losses.
23 May 2022 BREACHAWARE HQ
A total of 11 breach events were found and analysed, resulting in 5,767,541 exposed accounts containing a total of 14 different types of personal data. The breaches found publicly and freely available included GMX, Pride Room Mates, enparadigm, MysticArt Pictures and Living Nature.
Categories of Personal Data Discovered
Contact Data, Technical Data, Locational Data, Financial Data, Usage Data, Documentary Data, Socio-Demographic Data.
Data Breach Analysis
Notably, GMX, a free webmail service with millions of users primarily in Europe, was among the breached entities. As an email provider, GMX plays a pivotal role in users' digital identities, often serving as a recovery channel for other services and a repository of personal and professional correspondence. A breach here carries significant consequences. Malicious actors could leverage exposed credentials for phishing campaigns, credential stuffing attacks, or identity theft.
MysticArt Pictures, a casting and production company involved in television and film, also appeared in the breach data. While less expected as a target, companies in the entertainment sector often hold a mix of creative, contractual, and personal data on actors, participants, and crew. For individuals seeking casting opportunities, the exposure of contact information, resumes, or audition details can result in reputational harm or exploitation, especially if such data falls into the wrong hands.
The breach of enparadigm, a business consulting and training solutions firm, presents another layer of concern. These types of firms maintain databases of corporate clients, employee performance assessments, and internal strategic documentation. Exposure of such data could potentially be used to profile organisations, conduct competitive intelligence, or target individuals based on their corporate roles.
Also included in this cohort is Living Nature, a brand known for its commitment to organic beauty and wellness products. While seemingly unrelated to high-risk data environments, retail and lifestyle brands, especially those with e-commerce operations, routinely store customer accounts, marketing data, and transaction histories. Breaches involving such platforms may not only reveal purchase behaviours but also provide inroads to broader identity profiling or targeted fraud.
The inclusion of Pride Room Mates, a community-driven housing and roommate-matching platform, raises unique concerns around privacy. Platforms like this often cater to niche audiences, including LGBTQ+ individuals seeking safe and inclusive living arrangements. The exposure of personal data in this context can carry social risks beyond financial loss, such as harassment, outing, or discrimination, making breaches especially damaging to vulnerable groups.
The impacted organisations span a wide range of industries, which emphasises an uncomfortable truth: no sector is immune to data breaches. Whether it’s a legacy email provider, a Hollywood casting firm, or an organic cosmetics company, all organisations that handle user information are potential targets, and many may lack the robust cybersecurity infrastructure necessary to detect, prevent, or respond effectively to breaches.
For affected users, the fallout can include unwanted solicitations, impersonation scams, account takeover attempts, and long-term exposure to fraud risks. For companies, these breaches can erode brand trust, trigger costly regulatory investigations, and lead to long-term reputational damage, especially in sectors where trust and confidentiality are key to customer retention.
These breach events also highlight the persistent issue of data over-collection and under-protection. Too often, organisations gather more information than necessary, store it indefinitely, and fail to invest adequately in protecting it. The result is a growing surface area for attack, one that malicious actors are quick to exploit.
From a regulatory standpoint, these incidents fall under a fragmented global patchwork of privacy and breach notification laws. Entities like GMX, based in Europe, are likely subject to the GDPR, which imposes strict requirements on breach reporting and data minimisation. Others, particularly those operating across international markets, face a more complex compliance landscape, raising questions about user notification, legal accountability, and long-term remediation efforts.
In conclusion, these 11 breaches serve as another reminder that data security must be a foundational priority across every industry. As digital engagement becomes ubiquitous, organisations must move beyond reactive incident management toward proactive risk reduction, through regular security audits, minimal data retention policies, and ongoing user education.
For users, now more than ever, it’s vital to adopt good cyber hygiene practices: use strong, unique passwords, enable two-factor authentication wherever possible, and stay vigilant for any unusual account activity. In today’s interconnected digital world, the fallout from a breach can be both widespread and deeply personal.
Spotlight
This week the Research Team found data from a wide range of industries including cryptocurrency companies, an entertainment channel, a gambling service, a sales software platform, retailers, an accommodation booking service, a product authentication app, a global trade fair events company and numerous more.
The first of this week's highlights is an India-based digital simulation and learning platform. They are recognised globally as a leading sales enablement platform with some impressive global clients. Their credentials were dumped online with a variety of datasets, including mobile phone numbers, names, and email addresses. Even though the breach did not contain passwords, the exposed data was ideal for criminals to impersonate users and take over accounts, then use those accounts for BEC (Business Email Compromise) attacks, with the aim of defrauding the company's supply chain or getting payments signed off internally.
The FBI's Internet Crime Report 2021 reported that "BEC accounted for roughly $2.4 billion USD in reported losses — an increase of 28% from the numbers reported in 2020." (source: Zvelo).
We also found that a banking location service, which maps every bank in the US with geolocation tags, had its user base leaked online. IP addresses and email addresses were only half of the datasets. A crypto-based advertising company's database was dumped online too, and quickly began to circulate on forums. Its datasets included crypto balances as well as MD5-hashed passwords paired with email addresses.
In 2022, $3.1 billion worth of cryptocurrency was bagged by thieves, and the first month of 2022 saw over $1.3 billion stolen (source: Chainalysis).