Wattpad, Dodo New and others fall victim to data leaks.

21 March 2021
BREACHAWARE HQ

A total of 14 breach events were found and analysed, resulting in 52,182,934 exposed accounts containing a total of 5 different types of personal data. The breaches found publicly and freely available included Wattpad, Dodo New, Alpari, Aipai and Deutsche Fussball Liga (German football league).

Categories of Personal Data Discovered

Contact Data, Socio-Demographic Data, Technical Data.

Data Breach Analysis

The breaches, all discovered publicly and made freely available online, span a diverse range of industries and platforms, each presenting its own set of implications. Among the notable organisations and services included were Wattpad, Dodo New, Alpari, Aipai, and the Deutsche Fussball Liga, the governing body of Germany’s professional football leagues.

Starting with Wattpad, this platform is known globally for its large community of writers and readers, allowing users to create, publish, and interact with written content. The breach involving Wattpad is particularly concerning due to the scale of the user base and the nature of its platform. Wattpad users often share personal, creative, and sometimes intimate stories or commentary. While this content may be public-facing, the identity behind it was not necessarily meant to be. Linking usernames with email addresses in a breach could de-anonymise users, exposing them to embarrassment, harassment, or reputational risk depending on the nature of their content.

Moreover, Wattpad’s demographic skews younger, including teenagers and young adults, which adds a layer of ethical concern regarding their data exposure. With weaker cybersecurity habits and greater vulnerability to phishing, this demographic is a prime target for secondary exploitation following a breach.

Dodo New, while lesser-known internationally, may relate to either a content distribution platform or an online media entity. Details are sparse, but media services and publishers tend to collect data tied to subscriber identities, reading preferences, and geographic information. If such attributes were involved in the breach, the risk shifts toward profiling. This type of data could be leveraged for targeted advertising fraud, political manipulation, or even regional disinformation campaigns.

In a similar vein, Alpari is a well-known foreign exchange (forex) broker. Operating in the high-stakes environment of financial trading, Alpari handles sensitive financial details and user credentials. Financial sector breaches are also of particular interest to cybercriminal groups focused on fraud, and the regulatory implications can be significant for platforms like Alpari if exposed data includes customer locations or financial habits. Even if the breach does not directly include transaction records, the reputational and legal impact of customer exposure in the finance sector is always considerable.

Aipai, thought to be associated with media sharing or community-driven video content, might be akin to platforms like Bilibili or early YouTube derivatives. Platforms like this often collect user metadata along with basic login information. While it may not seem critical, users tend to reuse email-password combinations across services, and even a breach with minimal data types can enable credential-based attacks elsewhere. Given Aipai’s likely user base and platform type, there may also be concern over potential de-anonymisation or exposure of user interests, depending on how deeply the breach reached into account metadata.

The inclusion of the Deutsche Fussball Liga (DFL), Germany’s professional football league organiser, introduces an interesting vector. The DFL is responsible for the operation of Bundesliga and Bundesliga 2, and its involvement in a data breach could stem from fan platforms, media distribution systems, or backend corporate services. Football fans are a passionate and often digitally engaged community, and their exposure to email scams, fake ticketing sites, or identity-based fraud could increase following such a breach.

This incident also highlights the increasingly blurred lines between sporting organisations and digital enterprises. As leagues and clubs embrace direct-to-consumer models, offering streaming, e-commerce, and fan interaction tools, they also inherit the data management responsibilities typically associated with tech firms. A breach involving such an entity shows how even traditionally non-digital sectors are now responsible for safeguarding large datasets with far-reaching implications.

Across all 14 breaches, five different types of personal data were exposed. The data, while not all deeply sensitive in isolation, becomes far more powerful when aggregated. Combining even basic personal data points can allow malicious actors to triangulate identities, impersonate users, or use breached information to gain access to more sensitive services.

The sheer number of affected accounts, over 52 million, raises concerns not just about the scale but the persistence of such exposed data. Many of these breaches appear to have been accessible for an extended period before discovery. In cases like Wattpad, previous disclosures show that data may have circulated in private forums long before being made public. This long exposure window increases the likelihood that the data has already been reused in phishing attempts or credential stuffing operations.

One of the more insidious outcomes of such breaches is the slow erosion of trust in digital services. While users often accept some degree of risk when signing up for online platforms, repeated large-scale data leaks from seemingly unrelated and diverse platforms contribute to a growing sense of digital fatigue. The cognitive burden of managing dozens of online accounts, frequently changing passwords, and remaining vigilant against scams is high, and with each major breach, that burden becomes heavier.

A broader societal concern emerging from these breach events is the question of forgotten platforms. Users may not even recall signing up for some of these services, yet their information persists. Whether it’s a writing site visited in high school, a financial account opened during a brief trading experiment, or a football portal joined for match schedules, users leave data trails that can become vulnerabilities years later.

These breaches also point to systemic issues in how digital platforms manage long-term data retention. There’s often little incentive to purge inactive accounts or anonymise dormant datasets. For attackers, however, these older accounts are just as valuable, perhaps even more so due to their weaker security.

Altogether, this cluster of breaches serves as another reminder of the fragile state of data security across industries. The affected organisations represent publishing, entertainment, finance, social media, and sports, a spread that reflects the wide net cast by both opportunistic hackers and state-aligned actors. The resulting dataset is likely already feeding into broader campaigns involving credential exploitation, identity fraud, and social engineering.
