Data Breach Roundup (Jan 23 – Jan 29, 2026)



149 Million Usernames and Passwords Exposed by Unsecured Database

The credentials were for Gmail, iCloud, TikTok, Facebook, OnlyFans, Binance, multiple countries' government systems, banks, and more. It was unclear who the database belonged to, so researcher Jeremiah Fowler notified the hosting provider, which took it down as a Terms of Service violation. He said he believes the data came from an infostealer and that the database kept growing during his attempts to get it taken down, suggesting that infostealers may be becoming a bigger problem.

This “dream wish list for criminals” includes millions of Gmail, Facebook, banking logins, and more. The researcher who discovered it suspects they were collected using infostealing malware.

App for Quitting Porn Leaked Users' Masturbation Habits

An unnamed app designed to help users abstain from watching porn is leaking the data of over 600,000 users, 100,000 of whom claim to be minors. The data includes age, how often they masturbate, and how viewing porn makes them feel. The developer initially said he would fix the issue quickly, but has since denied that there is any vulnerability. The author notes that the vulnerability exists in Google Firebase, which frequently has these sorts of vulnerabilities. They compare it to how Amazon's S3 used to suffer from poor defaults that frequently resulted in data breaches.

Hundreds of thousands of users told the app intimate details about their sexual urges, which are now exposed.

Hackers Say They've Hacked Match Group, Maker of Hinge, OkCupid

The attackers were able to get access by using voice phishing on Okta. From there they were able to collect data from other third parties like Doordash, AppsFlyer, and translation services. The stolen data appears to include mostly internal documents but also some users' unique advertising IDs.

Match Group says it is investigating claims that a mass of internal data was hacked from its popular dating apps.

Massive AI Chat App Leaked Millions of Users Private Conversations

We're living in the golden age of Firebase misconfiguration breaches. "Chat & Ask AI", an app that claims 50 million users, has had private messages with chatbots exposed. The leaked messages include troubling prompts like how to cook meth, how to write a suicide note, or how to hack various apps. The attacker claims he was able to access over 300 million messages from over 25 million users. The data included complete chat history, timestamps of messages, the names users gave to their chatbots, and which model each used (ChatGPT, Claude, Gemini, etc.). On the plus side, the company fixed the issue within hours of disclosure.

Chat & Ask AI, which claims 50 million users, exposed private chats about suicide and making meth.

An AI Toy Exposed 50,000 Logs of Its Chats With Kids to Anyone With a Gmail Account

A researcher found they were able to log into Bondu's public-facing web console using a Google username and could access children's names, birth dates, family member names, "objectives" for the child chosen by a parent, and detailed summaries and transcripts of every previous chat between the child and their Bondu. The company took the portal down "in a matter of minutes" and relaunched it the next day with proper authentication.

AI chat toy company Bondu left its web console almost entirely unprotected. Researchers who accessed it found nearly all the conversations children had with the company’s stuffed animals.

Have I Been Pwned: SoundCloud data breach impacts 29.8 million accounts

Back in December, we shared that SoundCloud had suffered a data breach but little information was known at the time. Thanks to Have I Been Pwned, we now know that nearly 30 million users had their email addresses, geographic locations, names, usernames, avatars, and profile statistics scraped from the site.

Hackers have stolen the personal and contact information belonging to over 29.8 million SoundCloud user accounts after breaching the audio streaming platform’s systems.

France fines unemployment agency €5 million over data breach

Back in March 2024, France's unemployment agency (France Travail, formerly Pôle Emploi) suffered a data breach that exposed the personal information of job seekers from the past 20 years, including names, dates of birth, national insurance numbers, email and home addresses, and phone numbers. Now CNIL (France's data protection office, among other things) has issued a nearly €6 million fine.

The French data protection authority fined the national employment agency €5 million (nearly €6 million) for failing to secure job seekers’ data, which allowed hackers to steal the personal information of 43 million people.
