Taringa, 8 Tracks and others fall victim of data leaks.

A total of 17 breach events were found and analysed resulting in 143,619,128 exposed accounts containing a total of 18 different data types of personal datum . The breaches found publicly and freely available included American Citizen Database (Pompompurin), Taringa, 8 Tracks, Aptoide and Psyonix. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Data Breach Analysis

Perhaps the most immediately striking among the breaches was the so-called “American Citizen Database,” attributed in online communities to the actor known as Pompompurin. This dataset is alleged to contain comprehensive personal records of millions of U.S. citizens, and while the exact origin remains ambiguous, its depth has sparked considerable concern. While not officially confirmed, the presence of such data online highlights how large compilations of public and semi-public records can be aggregated into centralised, breach-like datasets.

Taringa, a once-popular Latin American social network known for sharing content and discussions on technology, memes, and tutorials, represents another significant breach in this collection. Due to its large user base in Spanish-speaking countries, the dataset may hold cultural relevance for threat actors seeking to craft regionally tailored attacks or social engineering campaigns. The breach may also offer insights into early social network user behaviours that persist across newer platforms today.

8tracks, a music playlist sharing site that operated heavily during the early to mid 2010s, also experienced a breach that impacted millions. While the site is no longer as active, the 8tracks incident illustrates a key trend seen across older platform breaches: even after services decline in popularity or shut down, their user data continues to circulate and be reused. Many users may have signed up with email addresses and passwords they still use elsewhere, making these records valuable for credential stuffing attacks.

Aptoide, an independent Android app store, adds another layer of technical relevance. This service, operating outside of Google Play’s ecosystem, appealed to users looking for alternative applications or region-restricted apps. With millions of users and developers relying on Aptoide, any breach affecting both consumers and contributors raises concerns about trust within open-source and third-party app markets.

Psyonix, the game developer behind Rocket League, rounds out the better-known entities on the breach list. Game developers are frequently targeted due to the large, active communities they maintain and the value of in-game assets or accounts on grey markets.

When taken together, the data points allow for extensive profiling. Even seemingly innocuous information like music preferences (from 8tracks) or app usage patterns (from Aptoide) can be pieced together with more sensitive data to develop an individual’s digital fingerprint. The blending of cultural, technical, commercial, and even civic data makes these breach datasets particularly rich in context, enabling a range of potential misuses.

Importantly, the presence of a dataset like the American Citizen Database further complicates the classification of what constitutes a “breach.” If this information was aggregated from publicly available records or scraped from multiple sources, it may not be a breach in the traditional sense of unauthorised access to a secure system. However, its availability in breach forums or leak archives, alongside other confirmed incidents, effectively gives it the same consequence: uncontrolled public dissemination of personal information.

The inclusion of platforms across multiple sectors, social networking, music streaming, gaming, alternative app distribution, and open citizen data, highlights the ongoing risk that digital identities face in the interconnected online ecosystem. While many affected platforms have either ceased operations or transitioned to new ownership models, the data they collected during their peak remains vulnerable and persistent.

This dataset also reveals how threat actors value historical data. Even when a platform like 8tracks or Taringa is no longer a major player, its legacy user base may overlap with other current services. A single email address from a 2013 registration could still be in active use today, and if accompanied by a known password hash, it presents a useful vector for intrusion.

In a broader sense, this analysis emphasises how the cumulative exposure of diverse data types contributes to the erosion of personal privacy. With 143 million accounts affected and 18 different attributes exposed, this breach group contributes meaningfully to the large, distributed risk environment of the modern internet. For individuals, the risk is often passive and long-term, surfacing as identity correlation in online advertising, phishing campaigns, or credential misuse. For organisations, it complicates everything from customer trust to compliance with regional privacy laws.

Even with increased awareness of cybersecurity and stronger authentication practices, the legacy of past breaches continues to shape the digital identity landscape. As with all freely available breach data, its potential utility for research, adversarial action, or even academic study is enormous. The challenge remains in how to interpret and respond to such visibility once the data has left the confines of its original context.