Data Breaches#
Reference catalog of consequential data breaches an operator should recognize. The list isn’t exhaustive, public trackers (haveibeenpwned.com, DataBreaches.net, Privacy Rights Clearinghouse) catalog thousands more, but each entry below shaped how the industry talks about breach response, regulation, or attacker tradecraft.
For lookup of a specific breach by company / date, use the
references at the end. For a search of credentials in known
breaches, haveibeenpwned.com is the standard interactive
tool.
Largest by record count#
Breach |
Year |
Records (approx.) |
|---|---|---|
Yahoo |
2013-14 |
3 billion accounts (all users). |
Aadhaar |
2018 |
1.1 billion Indian biometric IDs. |
First American Financial |
2019 |
885 million records (real estate). |
2019/21 |
533 million users (scraped + leaked). |
|
2021 |
700 million scraped profiles. |
|
Marriott / Starwood |
2018 |
500 million guest records. |
Adult FriendFinder |
2016 |
412 million accounts. |
MySpace |
2013/16 |
360 million accounts. |
Exactis |
2018 |
340 million consumer records. |
2022 |
200 million email-to-handle pairs. |
|
Friend Finder Networks |
2016 |
412 million accounts. |
NetEase |
2015 |
234 million accounts. |
LinkedIn (original) |
2012 |
165 million accounts. |
Dubsmash |
2018 |
162 million. |
Adobe |
2013 |
153 million accounts. |
MyHeritage |
2018 |
92 million accounts. |
T-Mobile USA |
2021 |
77 million customer records. |
Equifax |
2017 |
147 million U.S. consumers. |
Most consequential#
Breach |
Year |
Why it mattered |
|---|---|---|
TJX Companies |
2007 |
86M cards via WEP-broken WiFi; first mega-breach in public consciousness. |
Heartland Payment Systems |
2008 |
130M cards via SQLi; PCI DSS overhaul. |
RSA SecurID |
2011 |
APT seeded with stolen seeds; entered Lockheed Martin. |
Sony PSN |
2011 |
77M PSN accounts; PS network down 23 days. |
Target |
2013 |
40M cards via HVAC vendor compromise; vendor risk becomes board-level topic. |
Sony Pictures |
2014 |
Lazarus Group; full corp wipe + leak; The Interview fallout; Wiper malware mainstream. |
JPMorgan Chase |
2014 |
76M households / 7M small businesses. |
OPM |
2015 |
22M U.S. govt clearance records (SF-86 forms); attributed to China. |
Anthem |
2015 |
78.8M health records; HIPAA enforcement spike. |
Ashley Madison |
2015 |
Affair-site breach; suicides; lessons in encryption-at-rest and breach response. |
Mossack Fonseca (Panama) |
2016 |
11.5M docs; Panama Papers; ICIJ. |
Yahoo |
2016 disc. |
3B accounts (all of Yahoo); Verizon $350M discount. |
Equifax |
2017 |
147M US consumers via unpatched Apache Struts; one of the first major CFPB / FTC breach settlements. |
WannaCry |
2017 |
200K systems / 150 countries via EternalBlue; NHS England impacted. |
NotPetya |
2017 |
Sandworm via M.E.Doc supply chain; Maersk, Merck, FedEx; ~$10B damages. |
Uber |
2016 / 2022 |
cover-up + ransom; CISO criminally convicted (US v. Sullivan). |
Equifax (CFPB) |
2017 |
set the regulatory tempo for breaches. |
Marriott / Starwood |
2018 |
500M guests; APT-attributed (China). |
Capital One |
2019 |
100M cards via SSRF + IAM misconfig in AWS; ex-AWS engineer convicted. |
SolarWinds (SUNBURST) |
2020 |
APT29 supply-chain compromise; ~18K customers downloaded backdoored Orion; US gov + Microsoft. |
Microsoft Exchange ProxyL. |
2021 |
HAFNIUM; ~250K servers; mass-exploitation event. |
Colonial Pipeline |
2021 |
DarkSide ransomware; East Coast fuel; $4.4M ransom (much later recovered). |
Kaseya VSA |
2021 |
REvil supply-chain ransomware; ~1,500 downstream MSPs. |
Log4Shell |
2021 |
CVE-2021-44228; “every Java app in the world”; multi-year tail of compromise. |
Microsoft / Storm-0558 |
2023 |
Forged tokens; US gov mailboxes accessed; key exfiltrated from a crash dump. |
MOVEit |
2023 |
Cl0p mass-exploitation of CVE-2023-34362; thousands of orgs (BBC, Shell, BA, U.S. agencies). |
LastPass |
2022 |
Source code + customer vault data; long-tail crypto theft. |
T-Mobile US |
2021-2024 |
multiple incidents; SIM-swap risk surface. |
Optus (Australia) |
2022 |
9.8M Australians; API auth bug; nation-scale fallout. |
Medibank (Australia) |
2022 |
9.7M; ransom refused; full leak. |
Microsoft signing key (CN) |
2023 |
Storm-0558 token forgery scandal. |
Change Healthcare |
2024 |
ALPHV; ~$22M ransom; massive US prescription / claims outage; congressional scrutiny. |
Snowflake customer set |
2024 |
Stolen creds without MFA on 100+ tenants (AT&T, Ticketmaster, Santander, etc.). UNC5537. |
Salt Typhoon (US telecoms) |
2024 |
CN-attributed; Verizon, AT&T, Lumen; CALEA wiretap-system access. |
Categories worth knowing#
Category |
Notes |
|---|---|
Credit-card / payment breaches |
Heartland (2008), Target (2013), Home Depot (2014), TJX (2007). Drove PCI DSS revisions. |
Healthcare / PHI |
Anthem (2015), Premera (2015), Excellus (2015), LabCorp (2019), Change Healthcare (2024). |
Government / clearance |
OPM (2015), Equifax credit reports (2017), DoD contractor leaks (multi). |
Identity / KBA |
Equifax (2017), Aadhaar (2018), Experian, Onfido. |
Source-code leaks |
Microsoft (2022, Lapsus$), Nvidia (2022), Samsung (2022), Okta (2022), Rockstar GTA6 (2022). |
Cred-stuffing source corpora |
“Collection #1” (773M; 2019), “Collection #2-5” (2.2B; 2019), CL0UD9 / RockYou2024. |
SaaS / vault breaches |
LastPass (2022), Okta (2022 / 2023 / 2024), 1Password (2023, contained), CircleCI (2023). |
Cloud control-plane |
Capital One (SSRF -> IMDSv1, 2019), MOVEit (2023), Snowflake customer-credential breaches (2024). |
Telecom / CALEA |
T-Mobile (multi), Optus (2022), Salt Typhoon (2024). |
ICS / OT |
Stuxnet (2010), Ukraine grid (2015 / 2016), TRITON (2017), Colonial Pipeline (IT-side, 2021). |
By Name (A-Z)#
Breach |
Records |
Target |
Attacker |
Ngrams for searching |
|---|---|---|---|---|
1Password |
n/a (no vault data exfil) |
1Password (password manager) |
Scattered Spider (Okta cross-incident) |
“1password okta 2023”, “1password incident report” |
Aadhaar |
1.1B |
UIDAI (Indian biometric ID authority) |
Web-portal misconfiguration; broker resellers |
“aadhaar leak 2018”, “UIDAI breach” |
Adobe |
153M |
Adobe Systems |
Unknown intruder; weak 3DES-ECB password store |
“adobe 2013 breach”, “adobe password hints” |
Adult FriendFinder |
412M |
FriendFinder Networks (adult dating) |
Unknown; SHA-1 and plaintext stores |
“adult friendfinder 2016”, “friendfinder networks breach” |
Anthem |
78.8M |
Anthem Inc. (health insurer) |
Deep Panda / Black Vine (China-attributed) |
“anthem 2015 breach”, “deep panda anthem” |
Ashley Madison |
32M |
Avid Life Media / Ashley Madison |
“The Impact Team” (hacktivist) |
“ashley madison leak 2015”, “impact team avid life” |
Capital One |
100M |
Capital One Financial |
Paige Thompson (ex-AWS engineer) |
“capital one 2019 ssrf”, “paige thompson capital one” |
Change Healthcare |
~190M PHI |
Change Healthcare (UnitedHealth subsidiary) |
ALPHV/BlackCat ransomware |
“change healthcare 2024 ransomware”, “ALPHV change healthcare” |
CircleCI |
secret material |
CircleCI (CI/CD SaaS) |
Infostealer on engineer laptop (actor not named) |
“circleci 2023 incident”, “circleci infostealer” |
Colonial Pipeline |
operational (5,500 mi pipeline halt) |
Colonial Pipeline Co. |
DarkSide ransomware |
“colonial pipeline 2021”, “darkside ransomware colonial” |
Dubsmash |
162M |
Dubsmash (video-clip app) |
Sold on Dream Market by “Gnosticplayers” |
“dubsmash 2018 breach”, “gnosticplayers dubsmash” |
Equifax |
147M |
Equifax (credit bureau) |
Indictment names four PLA officers (China-attributed) |
“equifax 2017 apache struts”, “equifax PLA indictment” |
Exactis |
340M |
Exactis (data broker) |
Exposed Elasticsearch (no actor) |
“exactis 2018 elasticsearch leak”, “vinny troia exactis” |
Excellus |
10M |
Excellus BlueCross BlueShield |
APT (long dwell; not publicly attributed) |
“excellus 2015 breach”, “excellus blueshield 10 million” |
Experian |
multi |
Experian (credit bureau) |
Various: T-Mobile reseller breach 2015; Brazil 2021 leak |
“experian breach 2015 tmobile”, “experian brazil 2021” |
533M |
Meta / Facebook |
Scraped via contact-import enumeration (no actor named) |
“facebook 533 million leak 2021”, “facebook contact import scrape” |
|
First American Financial |
885M |
First American Financial Corp. (title insurer) |
IDOR-discovered by independent researcher |
“first american financial 2019 IDOR”, “EagleProMA leak” |
Heartland Payment Systems |
130M cards |
Heartland Payment Systems |
Albert Gonzalez crew (SQLi) |
“heartland 2008 SQL injection”, “albert gonzalez heartland” |
Home Depot |
56M cards |
The Home Depot |
FIN6-aligned actors (BlackPOS malware) |
“home depot 2014 POS”, “BlackPOS home depot” |
JPMorgan Chase |
76M households / 7M SMB |
JPMorgan Chase & Co. |
Aratov / Shalon / Orenstein crew (later indicted) |
“jpmorgan 2014 breach”, “shalon orenstein jpmorgan” |
Kaseya VSA |
~1,500 downstream MSPs (see campaign table) |
Kaseya (RMM vendor) |
REvil / Sodinokibi |
“kaseya VSA 2021 REvil”, “kaseya CVE-2021-30116” |
LabCorp |
7.7M |
LabCorp (via AMCA collector) |
AMCA web-portal compromise (actor unspecified) |
“labcorp 2019 amca”, “AMCA breach quest labcorp” |
LastPass |
source + vault metadata + encrypted vaults |
LastPass (password manager) |
Single actor; DevOps engineer’s home plex exploit |
“lastpass 2022 breach”, “lastpass plex CVE” |
165M (2012) / 700M (2021) |
2012: Yevgeniy Nikulin; 2021: scraped by “Tom Liner” |
“linkedin 2012 nikulin”, “linkedin 700 million scrape 2021” |
||
Log4Shell |
global (mass exploitation; see campaign table) |
Apache Log4j (CVE-2021-44228) |
Mass: ransomware, cryptominers, nation-state |
“log4shell CVE-2021-44228”, “log4j JNDI exploit” |
Marriott / Starwood |
500M |
Marriott International (Starwood reservation DB) |
APT10/APT41-adjacent (China-attributed) |
“marriott starwood 2018”, “marriott APT China indictment” |
Medibank |
9.7M |
Medibank (Australian insurer) |
REvil-linked Aleksandr Ermakov (sanctioned) |
“medibank 2022 leak”, “ermakov medibank sanctions” |
Microsoft Exchange (ProxyLogon) |
~250K servers (mass exploitation; see campaign table) |
On-prem Microsoft Exchange |
HAFNIUM (China-attributed) + mass copycats |
“proxylogon HAFNIUM 2021”, “exchange CVE-2021-26855” |
Microsoft / Storm-0558 |
government mailboxes |
Microsoft 365 cloud (token signing key) |
Storm-0558 (China-attributed) |
“storm-0558 token forgery”, “microsoft signing key crash dump” |
Mossack Fonseca (Panama Papers) |
11.5M documents (2.6TB) |
Mossack Fonseca (Panamanian law firm) |
“John Doe” leaker; ICIJ publication |
“panama papers 2016”, “mossack fonseca ICIJ leak” |
MOVEit |
thousands of downstream orgs (see campaign table) |
Progress MOVEit Transfer (CVE-2023-34362) |
Cl0p ransomware |
“moveit CVE-2023-34362”, “cl0p moveit mass exploitation” |
MyHeritage |
92M |
MyHeritage (genealogy) |
Unknown; SHA-1 hashes on third-party server |
“myheritage 2018 breach”, “myheritage 92 million emails” |
MySpace |
360M |
MySpace |
Sold by “Tessa88” / “Peace_of_mind” |
“myspace 2016 breach”, “tessa88 myspace dump” |
NetEase |
234M |
NetEase Mail (China) |
Unknown |
“netease 2015 mail breach”, “163.com leak” |
NotPetya |
global ($10B est.) |
M.E.Doc patient zero; downstream multiple (see campaign table) |
Sandworm / GRU Unit 74455 (Russia-attributed) |
“notpetya 2017 sandworm”, “M.E.Doc notpetya supply chain” |
Nvidia |
source + signing certs |
Nvidia |
Lapsus$ |
“nvidia 2022 lapsus”, “nvidia signing certificate leak” |
Okta |
support / session tokens |
Okta (identity provider) |
2022: Lapsus$; 2023: HAR-file token theft |
“okta 2022 lapsus sitel”, “okta 2023 har file” |
Onfido |
multi |
Onfido (identity verification) |
Various deepfake / KYC bypass actors |
“onfido KYC bypass”, “onfido deepfake liveness” |
OPM |
22M |
Office of Personnel Management (clearance records / SF-86) |
APT (China-attributed) |
“OPM 2015 breach”, “SF-86 clearance leak China” |
Optus |
9.8M |
Optus (Australian telecom) |
“OptusData” extortionist |
“optus 2022 breach”, “optusdata extortion api” |
Premera |
11M |
Premera Blue Cross |
APT (China-attributed; tied to Anthem campaign) |
“premera 2015 health records”, “premera blue cross APT” |
Rockstar GTA6 |
source / pre-release video |
Rockstar Games |
Lapsus$ (Arion Kurtaj) |
“rockstar gta6 leak 2022”, “arion kurtaj rockstar” |
RSA SecurID |
SecurID seed material |
RSA Security (then EMC) |
APT1 / Comment Crew (China-attributed) |
“RSA securid 2011”, “comment crew RSA seeds” |
Salt Typhoon |
lawful-intercept access (see campaign table) |
Multiple telecom carriers |
Salt Typhoon (China-attributed) |
“salt typhoon telecom 2024”, “salt typhoon CALEA wiretap” |
Samsung |
source code |
Samsung Electronics |
Lapsus$ |
“samsung 2022 lapsus source code” |
Snowflake customer set |
165 orgs (see campaign table) |
Multiple Snowflake tenants |
UNC5537 (Connor Moucka et al.) |
“snowflake 2024 ticketmaster”, “UNC5537 snowflake breach” |
SolarWinds (SUNBURST) |
18K downloaded; ~100 exploited (see campaign table) |
SolarWinds Orion + downstream tenants |
APT29 / Cozy Bear (Russia-attributed) |
“solarwinds sunburst 2020”, “APT29 orion compromise” |
Sony PSN |
77M |
Sony PlayStation Network |
Anonymous / LulzSec adjacent (claim disputed) |
“sony psn 2011”, “playstation network outage 2011” |
Sony Pictures |
corp-wipe + leak |
Sony Pictures Entertainment |
Lazarus Group (DPRK-attributed) |
“sony pictures 2014”, “lazarus the interview wiper” |
Stuxnet |
1,000+ centrifuges damaged |
Natanz enrichment facility (Iran) |
Equation Group / Unit 8200 (joint attribution) |
“stuxnet 2010 natanz”, “stuxnet siemens S7-300” |
Target |
40M cards / 70M PII |
Target Corp. |
FIN7-aligned (Fazio HVAC vendor pivot) |
“target 2013 fazio HVAC”, “BlackPOS target” |
TJX Companies |
94M cards |
TJX (subsidiaries; see campaign table) |
Albert Gonzalez crew (WEP-broken WiFi) |
“TJX 2007 breach”, “albert gonzalez TJX” |
T-Mobile |
40-100M per incident |
T-Mobile USA |
John Binns (2021); other incidents unattributed |
“tmobile 2021 john binns”, “tmobile breach 100 million” |
TRITON |
safety controllers (Schneider Triconex) |
Petrochemical plant (Saudi Arabia) |
XENOTIME / TEMP.Veles (Russia-attributed) |
“TRITON triconex 2017”, “xenotime TRISIS malware” |
200M / 5.4M |
Twitter (now X) |
Single actor via API enumeration (Devil / Ryushi) |
“twitter 2022 200 million”, “twitter API leak Devil” |
|
Uber |
57M (2016) / internal (2022) |
Uber Technologies |
2016: extortion + cover-up; 2022: Lapsus$ |
“uber 2016 sullivan cover up”, “uber 2022 lapsus teapotuberhacker” |
Ukraine grid |
230k customers / 1.5h outage |
Ukrenergo / Prykarpattyaoblenergo (electric utilities) |
Sandworm / GRU Unit 74455 |
“ukraine power grid 2015”, “sandworm crashoverride 2016” |
WannaCry |
200K systems / 150 countries (see campaign table) |
Global (see campaign table) |
Lazarus Group (DPRK-attributed) |
“wannacry 2017 eternalblue”, “lazarus wannacry NHS” |
Yahoo |
3B (all accounts) |
Yahoo |
FSB-tasked Karim Baratov + Alexsey Belan (Russia-indicted) |
“yahoo 2013 3 billion”, “FSB baratov belan yahoo” |
Multi-Target Campaigns#
Kaseya VSA (2021)#
Target |
Notes |
|---|---|
~50 direct MSP victims |
Initial REvil deployment via VSA on-prem. |
~1,500 downstream organizations |
Encrypted via the compromised MSPs. |
Coop Sweden |
Most-publicized downstream; ~800 stores closed. |
Synnex (USA) |
IT distributor; downstream pivot risk. |
Various MSPs (Huntress / Datto telemetry) |
Distributed across SMBs. |
Log4Shell (2021)#
Target |
Notes |
|---|---|
Apache Log4j (CVE-2021-44228) |
The vulnerability itself; “JNDI lookup” feature. |
Minecraft (mass) |
First in-the-wild proof; chat-string trigger. |
VMware Horizon |
Mass-exploited by Conti, AvosLocker, ransomware crews. |
Cisco Webex |
Vendor-confirmed exposure. |
iCloud, Steam, Tesla, etc. |
Confirmed-exposed surfaces (vendor disclosures). |
Belgian Ministry of Defence |
First public state-attributed compromise via Log4Shell. |
Vietnamese / Iranian / Chinese clusters |
Cited by Microsoft Threat Intelligence as active exploitation. |
Microsoft Exchange — ProxyLogon (2021)#
Target |
Notes |
|---|---|
On-prem Exchange (mass) |
~250K servers worldwide. |
European Banking Authority |
Publicly disclosed. |
Norwegian Parliament |
Publicly disclosed. |
~30K organizations (Krebs estimate) |
Compromised in the first wave. |
HAFNIUM-cluster operations |
Initial; followed by 9+ copycat groups. |
MOVEit (2023)#
Target |
Notes |
|---|---|
Progress MOVEit Transfer |
The vulnerable product (CVE-2023-34362). |
BBC |
25K UK employees (via Zellis payroll). |
British Airways |
Employee PII (via Zellis). |
Aer Lingus |
Employee PII (via Zellis). |
Shell |
Vendor data. |
IHG (Holiday Inn) |
Customer data. |
Ernst & Young |
Client data. |
Maximus |
11M U.S. Medicare/Medicaid records. |
Oregon DMV |
3.5M licenses. |
Louisiana OMV |
6M licenses. |
2,700+ organizations |
Per Emsisoft tracking by Q4 2024. |
NotPetya (2017)#
Target |
Notes |
|---|---|
M.E.Doc (Linkos Group) |
Ukrainian accounting software; supply-chain patient zero. |
Maersk |
Shipping; near-total IT loss; ~$300M. |
Merck |
Pharma; ~$1.4B; long insurance war (war-exclusion ruling). |
FedEx (TNT Express) |
Logistics; ~$300M. |
Reckitt Benckiser |
Consumer goods; ~$100M. |
Mondelez |
Snacks; insurance precedent. |
Saint-Gobain |
Construction; ~$380M. |
WPP |
Advertising; multi-day outage. |
Rosneft / Bashneft |
Russian oil firms (collateral on initial Ukraine vector). |
Chernobyl monitoring |
Lost telemetry briefly; manual readings. |
Salt Typhoon (2024)#
Target |
Notes |
|---|---|
Verizon |
Lawful-intercept-relevant access. |
AT&T |
Lawful-intercept-relevant access. |
Lumen Technologies |
Long-haul carrier; transit-pipe access. |
T-Mobile |
Wireless carrier; mitigation reported successful. |
Charter Communications |
Reportedly affected. |
Consolidated Communications |
Reportedly affected. |
Windstream |
Reportedly affected. |
Snowflake customer set (2024)#
Target |
Notes |
|---|---|
AT&T |
109M customer call/text metadata. |
Ticketmaster (Live Nation) |
560M customer records. |
Santander |
30M customers (Spain, Chile, Uruguay). |
Advance Auto Parts |
380M records. |
Pure Storage |
Telemetry; contained. |
Anheuser-Busch |
Confirmed. |
Lending Tree |
Confirmed. |
Neiman Marcus |
64M customers. |
Los Angeles Unified School District |
Stolen creds via infostealer pipeline. |
165 total tenants (UNC5537 dataset) |
All without MFA on the affected accounts. |
SolarWinds — SUNBURST (2020)#
Target |
Notes |
|---|---|
SolarWinds Orion build pipeline |
The supply-chain pivot itself. |
Microsoft |
Source-code repo access. |
FireEye / Mandiant |
Discovered the campaign via own compromise. |
Treasury Department |
Email tenant access. |
Commerce Department / NTIA |
Email tenant access. |
DHS |
Internal disclosure. |
State Department |
Confirmed access. |
National Nuclear Security Admin (NNSA) |
Reported access. |
Intel, Cisco, Nvidia, VMware, Belkin |
Confirmed downloaded backdoor; varying impact. |
~100 high-value tenants |
Out of 18K who downloaded, per CISA estimate. |
TJX (2007)#
Target (subsidiary) |
Notes |
|---|---|
T.J. Maxx |
Primary brand; original WEP-broken Minnesota store. |
Marshalls |
Same parent infrastructure. |
HomeGoods |
Same parent infrastructure. |
A.J. Wright |
Same parent infrastructure (then-owned). |
Bob’s Stores |
Same parent infrastructure (then-owned). |
Winners (Canada) |
TJX Canada brand. |
HomeSense (Canada / UK) |
TJX international brand. |
T.K. Maxx (UK / Ireland) |
European brand. |
WannaCry (2017)#
Target |
Notes |
|---|---|
NHS (UK) |
80 trusts disrupted; ~19K appointments cancelled. |
Telefónica |
Spain telecom; first major public report. |
Renault |
Auto plants stopped (France, Slovenia). |
Nissan (Sunderland) |
Production halted. |
Deutsche Bahn |
Information-board displays. |
FedEx (TNT) |
International parcel ops. |
Hitachi |
Mail and other internal systems. |
Honda (Sayama) |
Japan plant halted briefly. |
PetroChina |
Gas-station payment terminals offline. |
Boeing |
Limited production-area infection (2018, late spread). |
Cuban Ministry of Information |
Public sector hit. |
Russian Interior Ministry |
1,000 computers hit. |
Search Queries#
OSINT entry points for hunting a specific breach, attribution, and downstream victim datasets.
Hosted lookup#
Service |
Pattern |
|---|---|
Have I Been Pwned |
|
HIBP domain search |
|
DeHashed |
|
IntelX |
|
LeakCheck |
|
MITRE ATT&CK Groups |
|
SecurityScorecard / RiskRecon |
vendor portals; enterprise. |
Google / Bing dorks#
Goal |
Dork |
|---|---|
Primary reporting |
|
SEC 8-K disclosure |
|
Mandiant / FireEye writeup |
|
Vendor PIRs / IRs |
|
State AG / regulator notices |
|
HIBP-confirmed dumps |
|
CISA advisory |
|
Reuters / FT timeline |
|
Court / indictment lookup#
Goal |
Query |
|---|---|
DOJ press release |
|
PACER / CourtListener |
|
Sanctions |
|
Indictment PDFs |
|
Actor / TTP pivot#
Goal |
Query |
|---|---|
Attribution |
|
Indicators of compromise |
|
Sandbox runs |
|
C2 / infrastructure |
|
References#
Have I Been Pwned, searchable catalog of breached accounts; the standard reference.
DataBreaches.net, ongoing reporting and analysis.
Privacy Rights Clearinghouse, US-focused chronology.
ITRC Data Breach Reports, US Identity Theft Resource Center annual reports.
Verizon DBIR, annual “patterns and incidents” report.
Mandiant M-Trends, annual tradecraft trends.
Krebs on Security, breach reporting and analysis.
Hacking, techniques used in breaches.
Hacker Groups, attribution.