'%3e%3cg id='Final-Copy-2_2_' transform='translate(1275.000000, 200.000000)'%3e%3cpath class='st0' d='M7.4,12.8h6.8l3.1-11.6H7.4C4.2,1.2,1.6,3.8,1.6,7S4.2,12.8,7.4,12.8z'/%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg id='final---dec.11-2020'%3e%3cg id='_x30_208-our-toggle' transform='translate(-1275.000000, -200.000000)'%3e%3cg id='Final-Copy-2' transform='translate(1275.000000, 200.000000)'%3e%3cpath class='st1' d='M22.6,0H7.4c-3.9,0-7,3.1-7,7s3.1,7,7,7h15.2c3.9,0,7-3.1,7-7S26.4,0,22.6,0z M1.6,7c0-3.2,2.6-5.8,5.8-5.8 h9.9l-3.1,11.6H7.4C4.2,12.8,1.6,10.2,1.6,7z'/%3e%3cpath id='x' class='st2' d='M24.6,4c0.2,0.2,0.2,0.6,0,0.8l0,0L22.5,7l2.2,2.2c0.2,0.2,0.2,0.6,0,0.8c-0.2,0.2-0.6,0.2-0.8,0 l0,0l-2.2-2.2L19.5,10c-0.2,0.2-0.6,0.2-0.8,0c-0.2-0.2-0.2-0.6,0-0.8l0,0L20.8,7l-2.2-2.2c-0.2-0.2-0.2-0.6,0-0.8 c0.2-0.2,0.6-0.2,0.8,0l0,0l2.2,2.2L23.8,4C24,3.8,24.4,3.8,24.6,4z'/%3e%3cpath id='y' class='st3' d='M12.7,4.1c0.2,0.2,0.3,0.6,0.1,0.8l0,0L8.6,9.8C8.5,9.9,8.4,10,8.3,10c-0.2,0.1-0.5,0.1-0.7-0.1l0,0 L5.4,7.7c-0.2-0.2-0.2-0.6,0-0.8c0.2-0.2,0.6-0.2,0.8,0l0,0L8,8.6l3.8-4.5C12,3.9,12.4,3.9,12.7,4.1z'/%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
MangaDex, Youth Movements and others fall victim of data leaks.
18 April 2021BREACHAWARE HQ
A total of 13 breach events were found and analysed resulting in 6,188,673 exposed accounts containing a total of 6 different data types of personal datum . The breaches found publicly and freely available included MangaDex, Youth Movements, Short Quotes, Mega Date and Fone Me. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Contact Data, Locational Data, Technical Data.
Data Breach Analysis
The services affected were diverse in both function and audience, including MangaDex, Youth Movements, Short Quotes, Mega Date, and Fone Me. The nature of the platforms involved highlights the broad terrain of digital interaction, ranging from fan communities to dating services, each carrying their own implications when it comes to data compromise.MangaDex, a community-driven manga repository and reading platform, has a global base of users passionate about Japanese comics and graphic storytelling. As a hub for fan-translated manga, it occupies a niche space that depends heavily on registered community contributions, discussion forums, and upload histories. For many users, participation on such platforms may be under a pseudonym, but tied to a real email or re-used password. For individuals who translate or comment on sensitive or copyrighted content, a breach could pose reputational or even legal risk depending on regional laws.
Youth Movements, while not a well-known name in global digital infrastructure, suggests a platform associated with activism, youth engagement, or political organising. Activist networks and politically engaged communities are often prime targets not only for financially motivated attackers but also for surveillance and profiling by state or ideological actors. Even if the data leaked was limited to contact details, it could be exploited for intimidation, doxxing, or tailored misinformation campaigns.
Short Quotes, presumably a site or app dedicated to sharing quotations, may appear trivial at first glance. However, like many lifestyle platforms, such services often collect more data than their core function requires. Users might register to save favourites, leave comments, or receive notifications, meaning the site could hold names, emails, user bios, or device details. The significance of this type of breach lies less in what was shared on the platform and more in how the account data can be repurposed elsewhere. A threat actor could, for example, use quote preferences or liked content to inform social engineering attacks that leverage tone, themes, or worldview alignment.
Mega Date appears to be a dating platform, though the name is generic enough that it could encompass several types of relationship services, ranging from traditional dating to casual encounters. Dating services are among the most sensitive platforms to suffer breaches. The personal nature of the data makes it highly valuable for blackmail, impersonation, and psychological manipulation. Even if passwords are hashed and personal messages excluded, exposure of account registration data alone can lead to profound embarrassment or reputational harm, especially in regions with conservative cultural norms.
Fone Me seems to suggest a mobile-based communication or VoIP application, where users connect via phone numbers, messaging, or video calls. Breaches in such environments may compromise both contact details and metadata: call history, location data, device identifiers, and user-agent strings. This type of information, particularly when linked to phone numbers, facilitates identity spoofing, SIM-swapping attacks, or tracking across multiple apps and services. Users who signed up with real phone numbers and used weak authentication methods may now find themselves targets of phishing campaigns tailored with unusually precise data.
With six types of data compromised across these 13 incidents, the cumulative risk expands considerably. Even though the number of affected accounts (6.1 million) is relatively moderate compared to high-profile mega-breaches, the diversity of platforms ensures that the exposed data touches different areas of users’ online lives.
This assortment of breaches also illustrates the ease with which a person’s online footprint can be cross-referenced. A user with an account on MangaDex, another on Short Quotes, and a profile on Mega Date may not think of these as related entities, but when their credentials or identifying markers show up in more than one breach, threat actors can begin to build a unified profile. This is especially true if reused usernames, passwords, or email addresses link multiple accounts. The risk here isn’t just that an individual service is compromised, but that the mosaic of a user’s online identity becomes more visible and more exploitable.
Moreover, smaller platforms like those mentioned in this cluster often lack the infrastructure to detect, respond to, and communicate about breaches effectively. Many operate on tight budgets, rely on community contributions, and lack dedicated security personnel. As a result, breaches may go unnoticed for long periods or, worse, be detected but not publicly disclosed. This undermines user trust and increases the window of opportunity for malicious exploitation.
It is also important to consider the motivations behind the release of this data. If these datasets were found publicly and freely available, it suggests that the intent may not have been direct financial profit via dark web sale but rather disruption, notoriety, or ideological expression. Openly leaked datasets are sometimes used by hacktivists to draw attention to vulnerabilities or mismanagement, but more commonly they serve as bait for credential-stuffing campaigns or serve as source material for more targeted phishing operations.
In total, this batch of breaches represents a cross-section of the modern internet: fandoms, lifestyle publishing, activist circles, dating culture, and communication platforms. Each domain holds its own cultural weight and emotional significance for its users. When data from these spaces is spilled, the consequences aren’t only digital, they can be psychological, social, and in some cases, even physical. The low visibility of these services in public discourse does not mean the data they held was insignificant. On the contrary, it is often these less visible breaches that escape scrutiny and endure in circulation the longest.
