SQL injection vulnerability causes consumer advocacy organisation breach.
08 August 2022 | BREACHAWARE HQ
A total of 7 breach events were found and analysed, resulting in 1,988,189 exposed accounts containing a total of 17 different types of personal data. The breaches found publicly and freely available included 670 Websites (Anonymous), 360 Icons, Kari, Public Citizen and OpeningOdds.
Categories of Personal Data Discovered
Contact Data, Technical Data, Socio-Demographic Data, Financial Data, Locational Data, Communications Data.
Data Breach Analysis
The breach attributed to 670 anonymous websites illustrates the risks of mass scraping or aggregated leaks that span multiple digital properties, many of which may no longer be actively maintained or monitored. The inclusion of Public Citizen, a trusted advocacy organisation, underscores the reputational and operational risks even for nonprofit entities that handle large volumes of supporter or donor information. In the case of Kari, customer trust could be undermined if transactional or account-based data were part of the exposure, especially in markets where digital retail continues to expand. 360 Icons, a creative asset provider, and OpeningOdds, operating in the highly regulated sports betting industry, are also notable given the potential for credential misuse or phishing attacks leveraging these brands.
For individuals, the fallout could include targeted scams, spam, or compromised online identities. For the organisations involved, particularly those in the public and nonprofit spheres, the breach represents a significant risk to user confidence, possible regulatory scrutiny, and a need to reassess data hygiene practices, even in legacy systems or less conspicuous services.
This collection of incidents highlights the need for constant vigilance across the web, whether managing a multinational e-commerce brand or a specialised platform for creative or betting content.
Spotlight
An American consumer advocacy organisation has suffered a data breach after an SQL injection vulnerability was found. The organisation, founded in 1971, has over 500,000 members and now unfortunately has several of its files in circulation on the darker side of the internet. A range of data types were in the breach, for example partial credit card information, as well as names and physical addresses. So far there has been no comment from the organisation in question.

The recent news that the 911 residential proxy service has closed up shop has had threat actors and cyber criminals scrambling to find an alternative. 911 had been a proxy service for the past 7 years. A few days ago, they posted on their site "We regret to inform you that we have permanently shut down 911 and all its services", adding that a hacker had broken into their system and essentially trashed the back end, making a recovery impossible.
Cybercriminals love proxies. Being able to route their traffic close to the location of a target to make purchases on the target's bank cards without triggering anything suspicious has definitely made things easier. In the past year, the other two big proxy services, VIP72 and Luxsocks, have also shut down, and now that 911 is gone, clean, fast proxies are in high demand.
A member of the team noted that a file-sharing platform/application, which markets itself as a free, flexible file-sharing web app and was breached several years ago, is now doing the rounds as a free download on the dark web. Names, SHA-256 hashed passwords and over 2.5 million email addresses are among the datasets in the breach.