Threat actor has a spat with Intelligence X.

A total of 15 breach events were found and analysed resulting in 5,465,343 exposed accounts containing a total of 15 different data types of personal datum . The breaches found publicly and freely available included Simple Treasure Box, DivX Subtitles, Yandex Practicum, Crakians Leaks and Lending Tree. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Data Breach Analysis

Notable among the breached entities is Yandex Practicum, the educational arm of one of Russia’s largest technology companies. Exposure here is especially troubling due to the potential compromise of student records, course progress, and login credentials, representing a clear risk to both privacy and institutional trust.

Lending Tree, a well-known American financial services marketplace, also featured in the breach set. Breaches involving financial platforms often signal the exposure of high-value personal identifiers or contact information that can lead to phishing, credit fraud, or loan scams, even if direct financial details are not part of the dataset.

Another inclusion was Simple Treasure Box, a less prominent but widely trafficked digital platform, alongside DivX Subtitles, which caters to a global community of media enthusiasts. Data from these sources may seem low-risk, but even usernames and hashed credentials from such sites can be cross-referenced across databases to compromise other accounts through credential stuffing.

Also notable was Crakians Leaks, an underground leak-sharing community. When data from such sources becomes available, it often means the datasets have circulated multiple times across black markets, further amplifying exposure risk and making takedown or remediation efforts nearly impossible.

As digital footprints grow, breaches like these remind us that user data, even from unexpected or seemingly low-stakes platforms, can be used maliciously when aggregated or combined with other exposed records. Even 5.4 million accounts, a modest number compared to mega-breaches, can create wide-reaching risk when they involve personal context, trust, and system access.

The public availability of this data emphasises the urgent need for detection, disclosure, and layered security, especially as attackers increasingly exploit forgotten platforms or overlooked systems.

Spotlight

We’ve seen a few interesting breaches floating around the web this week. First a leak which is making the rounds from a website were users upload films with subtitles in. Over 783k users were exposed, The data breach dates back to 2011 however it has just come into circulation. Dataset sets include username, email address and plain text passwords.

A strange little breach which is doing the rounds is a blog site located in Singapore. It seems to be one guy contributing to his own page with not much activity, however I bring up this breach because of the fairly large user-base.

An Australian furniture company suffered a data breach when a 100k of their credentials, which included email addresses, were dumped on a hacking forum. A range of datasets were compromised in the breach, such as hashed brycpt passwords and physical addresses. Apparently, their AWS services had been targetted resulting in this breach.

And finally, a threat actor has had a spat with Intelligence X when a complaint was sent to the registrar of the hacking forum which the threat actor is the administrator for. Apparently someone hacked his wife's Nike account with information they had gathered off said forum.