
Tunngle, Wanelo and others fall victim to data leaks.

16 May 2021
BREACHAWARE HQ
Game Zone

A total of 21 breach events were found and analysed, resulting in 21,409,783 exposed accounts containing a total of 9 different types of personal data. The breaches found publicly and freely available included Tunngle, Wanelo, Job and Talent, Fitbit and Avvo.

Categories of Personal Data Discovered

Contact Data, Technical Data, Financial Data, Behavioural Data, Locational Data.

Data Breach Analysis

Tunngle, once a popular virtual private network service used primarily for peer-to-peer gaming, presents an interesting case in terms of data exposure. Although the service officially shut down in 2018, the breach data associated with Tunngle continues to circulate. Given that VPN users often seek anonymity or a degree of privacy, the exposure of such information may have had implications beyond routine account access, especially for users operating in jurisdictions with restrictive internet policies or for those using Tunngle to access geo-blocked content.

Wanelo (short for “Want, Need, Love”) is a social shopping platform that blends e-commerce with social media features. Users could create wish lists, follow brands, and shop through curated feeds. While on the surface this may appear to be low-risk data, the aggregation of even basic personal identifiers with retail behaviour can be leveraged for spear-phishing or targeted advertising. Retail breaches often reflect the intersection of consumer identity and commerce, a space that continues to attract attention from both threat actors and data analysts.

Job and Talent, a digital staffing agency operating largely in Europe and Latin America, further illustrates the increasing exposure of employment-related services. The nature of such services also implies a layer of trust between job-seekers and the platform, making breaches particularly impactful. In some jurisdictions, this kind of data may overlap with regulated personal employment records, adding compliance dimensions that are often difficult to trace once the data has escaped into public circulation.

Fitbit, now part of Google's digital health ecosystem, is a well-known manufacturer of fitness tracking devices. Fitbit devices can collect data including step count, heart rate, sleep patterns, and in some cases, geolocation. While it's unclear how much of this biometric data was part of the analysed breach, even just account credentials can represent a gateway into more sensitive areas of users' health profiles. This raises broader issues around the merging of tech and wellness, especially as fitness platforms evolve into lifestyle ecosystems backed by major data aggregators.

Avvo, a legal services marketplace, adds yet another layer of professional sensitivity to the dataset. It connects users with lawyers, provides legal advice forums, and enables reviews and Q&A interactions on legal topics. While it's unlikely that sensitive case information would be included in such a dataset, even metadata linking individuals to legal topics or professionals can be considered sensitive in certain contexts.

The variety of industries affected in these 21 breaches, ranging from online shopping and legal consultation to health tech, job platforms, and gaming networks, highlights a digital environment where data exposure is not limited to traditional tech platforms. Rather, any service that requires user accounts and retains behavioural metadata can become a breach source. Additionally, breaches from now-defunct services like Tunngle remind us that legacy platforms, even those no longer in operation, continue to pose risks through the residual availability of user data.

For threat actors, this kind of varied dataset is particularly valuable. Cross-referencing usernames and email addresses across multiple leaks enables credential stuffing and identity matching. For example, a user who had an account with both Fitbit and Wanelo might reuse the same login credentials across services, or may unknowingly connect behavioural and identity traits across personal and professional domains.

Moreover, the exposure of data in the job recruitment and legal advice sectors adds another layer of vulnerability. In some cases, breached data could be used to impersonate professionals or target individuals with phishing messages tailored to their employment history or legal concerns. Meanwhile, even seemingly mundane retail platform breaches can be exploited for digital profiling or advertising fraud.

While the data types exposed may not all be classified as highly sensitive in isolation, the real concern lies in the aggregation and contextual repurposing of this data. As breaches continue to span a wide range of services, individuals' digital footprints are increasingly constructed not from a single point of failure, but from dozens of loosely connected, fragmented data leaks. This slow accumulation results in comprehensive identity profiles that can be exploited in ways that users rarely anticipate.

The findings from these 21 breaches reinforce the long-term impact of widespread data availability in the public domain. Once personal data is breached and indexed, its reappearance across platforms and its re-use in malicious or analytical contexts can persist indefinitely. For affected users, this often manifests as a continual background presence of low-level digital risk, while for researchers and analysts, it reflects the persistent tension between data utility and privacy erosion.
