'%3e%3cg id='Final-Copy-2_2_' transform='translate(1275.000000, 200.000000)'%3e%3cpath class='st0' d='M7.4,12.8h6.8l3.1-11.6H7.4C4.2,1.2,1.6,3.8,1.6,7S4.2,12.8,7.4,12.8z'/%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg id='final---dec.11-2020'%3e%3cg id='_x30_208-our-toggle' transform='translate(-1275.000000, -200.000000)'%3e%3cg id='Final-Copy-2' transform='translate(1275.000000, 200.000000)'%3e%3cpath class='st1' d='M22.6,0H7.4c-3.9,0-7,3.1-7,7s3.1,7,7,7h15.2c3.9,0,7-3.1,7-7S26.4,0,22.6,0z M1.6,7c0-3.2,2.6-5.8,5.8-5.8 h9.9l-3.1,11.6H7.4C4.2,12.8,1.6,10.2,1.6,7z'/%3e%3cpath id='x' class='st2' d='M24.6,4c0.2,0.2,0.2,0.6,0,0.8l0,0L22.5,7l2.2,2.2c0.2,0.2,0.2,0.6,0,0.8c-0.2,0.2-0.6,0.2-0.8,0 l0,0l-2.2-2.2L19.5,10c-0.2,0.2-0.6,0.2-0.8,0c-0.2-0.2-0.2-0.6,0-0.8l0,0L20.8,7l-2.2-2.2c-0.2-0.2-0.2-0.6,0-0.8 c0.2-0.2,0.6-0.2,0.8,0l0,0l2.2,2.2L23.8,4C24,3.8,24.4,3.8,24.6,4z'/%3e%3cpath id='y' class='st3' d='M12.7,4.1c0.2,0.2,0.3,0.6,0.1,0.8l0,0L8.6,9.8C8.5,9.9,8.4,10,8.3,10c-0.2,0.1-0.5,0.1-0.7-0.1l0,0 L5.4,7.7c-0.2-0.2-0.2-0.6,0-0.8c0.2-0.2,0.6-0.2,0.8,0l0,0L8,8.6l3.8-4.5C12,3.9,12.4,3.9,12.7,4.1z'/%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
We Heart It, XAT and others fall victim of data leaks.
21 February 2021BREACHAWARE HQ
A total of 10 breach events were found and analysed resulting in 24,555,322 exposed accounts containing a total of 6 different data types of personal datum . The breaches found publicly and freely available included We Heart It, XAT, USA Business and Investor Database (Anonymous), Bonobos and Rooter. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Contact Data, Technical Data.
Data Breach Analysis
The entities affected range from social media platforms and online communities to e-commerce brands and business directories. Among the most notable were We Heart It, XAT, an anonymous USA Business and Investor Database, Bonobos, and Rooter.We Heart It, a visual discovery and social bookmarking platform popular among teenagers and young adults, was among the breached services. The platform functions similarly to Pinterest, with users collecting and sharing images around mood, style, and inspiration. The youthful demographic and visually expressive nature of the site means that, even though financial data may not have been involved, there remains a risk of account hijacking and identity abuse, particularly if users linked We Heart It with other social media identities or reused their credentials.
Because platforms like We Heart It often attract young users, the breach also highlights concerns around the digital safety of minors and younger adults. Even hashed passwords, depending on the algorithm used, may be vulnerable to cracking, and young users are more likely to recycle credentials across multiple platforms. As a result, exposure here could lead to indirect access to other services where stronger protections may be in place.
XAT, a chat and messaging platform that gained popularity in the early 2000s for embedding live chat boxes on forums and websites, represents a more legacy platform. The breach here likely affected older user accounts. While its popularity has waned, many accounts created during the heyday of such platforms still exist in dormant forms. As with other legacy services, the most pressing concern is that users may still use the same email-password combinations elsewhere today.
The idea of “forgotten accounts” becomes more relevant in breaches like this. Many users may not even recall that they had a XAT account, yet the credentials tied to them could remain part of their digital fingerprint. This makes these breaches valuable for attackers performing credential stuffing or attempting to trace user behaviour across multiple services over time.
One of the more intriguing inclusions in this breach analysis is the USA Business and Investor Database, listed as anonymous. These types of compilations typically consist of scraped or commercially traded data. The anonymity of the data source suggests it was possibly made available through dark web forums or open paste sites and might not be tied to a single recognisable company.
Data of this nature is particularly valuable to spammers and fraudsters targeting high-net worth individuals or professionals in finance. With names, company affiliations, and contact details, attackers can craft highly specific phishing campaigns, posing as potential partners, financial advisers, or regulators. In the wrong hands, such datasets can be used to target decision-makers at organisations or manipulate investment channels.
Bonobos, the online menswear retailer, was also part of this breach set. The e-commerce context adds a layer of risk, especially as online shopping is often tightly integrated with saved payment details, account recovery flows, and promotional tracking.
Attackers with access to Bonobos data could easily impersonate the brand in spear-phishing emails, offering fake discounts or order confirmations. Moreover, if order history was part of the dataset, individuals could be profiled based on their purchasing behaviour, an often overlooked facet of breach data. Clothing preferences, sizing information, and even geographic buying patterns all become part of a larger digital identity, which can then be monetised or misused.
Rooter, a mobile platform focused on live sports commentary and fan interaction, rounds out the more recognisable names in this group. With a focus on engagement through competitions, rewards, and chat functions. A breach from this platform could expose not just identity details but also how users interact with sports content, what games they follow, and how often they participate in platform events.
While such data may not seem sensitive at first glance, the aggregation of preferences and behavioural signals is increasingly valuable in targeting users. Sports fans may be subject to betting scams, fake contest invitations, or social engineering attempts, especially if the attacker has access to their personal details and engagement history.
The remaining breaches in this set, while unnamed, account for a significant portion of the over 24 million exposed accounts. The pattern across all ten incidents is one of data fragmentation and profile stitching. Though each platform may not hold complete identity records, the overlap between datasets allows for high-confidence linking of user profiles across the web. Email addresses serve as the primary key across most breaches, with usernames and location data providing additional context.
This combined dataset reflects a recurring theme in breach analysis: the mosaic of personal data scattered across the internet, where even minor platforms or legacy services can become weak points in the overall security of a user’s digital identity. The presence of six data types raises concerns about downstream impacts such as account takeover, identity impersonation, and targeted advertising.
Additionally, many of the affected platforms reflect secondary or non-core activities in users’ digital lives: social bookmarking, fashion shopping, freelance outreach, and sports commentary. Yet these peripheral platforms are increasingly part of the everyday web experience and are often overlooked in terms of security hygiene. Their breaches suggest that risk is not always proportional to a platform’s visibility or perceived importance.
In an environment where breached data continues to circulate for years, the most insidious threats may come from aggregated and recompiled records like those in this analysis. Even if each breach on its own seems manageable, together they provide enough context to create enduring digital risks.
