databreaches.net/
Posted on January 24, 2026 by Dissent

Telehealth provider Call-On-Doc, Inc., dba Call-On-Doc.com, advertises that it has 2 million active patients and treats 150+ medical conditions. It claims to be the most highly rated telehealth service, and it assures patients of “state-of-the-art” data security for their information. But if a post on a hacking forum is accurate, Call-On-Doc recently had a breach that may have affected more than one million patients.

According to a sales listing on a hacking forum, Call-On-Doc was breached in early December, and 1,144,223 patient records were exfiltrated. The types of information reportedly included:

Patient Code, Transaction Number, Patient Name, Patient Address, Patient City, Patient State, Patient Zip, Patient Country, Patient Phone Number, Patient Email Address, Medical Category, Medical Condition, Service / Prescription, Paid Amount

Three screenshots with rows of dozens of patients’ information were included in the listing. An additional .txt file with information on 1,000 patients was also included.

Inspection of the screenshots immediately raised concerns about the sensitive information they revealed. Although some appointments were visits for conditions such as strep infections or other medical conditions, a number of patient records were for the “STD” category (sexually transmitted disease), with the specific type of STD listed in the “Condition” field.

Is Call-On-Doc HIPAA-Regulated?
Call-On-Doc does not accept insurance. It is a self-pay model, and no health insurance information or Social Security Numbers were included in the data. Because it is self-pay, DataBreaches is unsure whether Call-On-Doc is a HIPAA-regulated entity. If it uses electronic transmission for other covered transactions, it might be. But even if it is not a HIPAA-regulated entity, it would still be regulated by state laws and the Federal Trade Commission (FTC).

When HIPAA does not apply, the FTC can investigate and take enforcement action for violations of the FTC Act if there are deceptive or “unfair practices,” such as promising excellent data security for health data or patient information, but failing to deliver it.

A check of Call-On-Doc’s website reveals the following statement in its FAQ:

Q: Is my payment and medical information safe with Call-On-Doc?

A: Absolutely! Call-On-Doc employs state-of-the-art security measures, including our proprietary Electronic Health Record (EHR) system, and is fully HIPAA compliant.

According to the threat actor, they found no evidence of any encryption, and the entity did not detect the attack while it was in progress. HIPAA does not actually mandate encryption, but what “state-of-the-art” security measures did Call-On-Doc use to provide the kind of protection that protected health information (PHI) requires? And have they implemented any changes or additional protections since being alerted to the alleged breach?

Given that patients from many states may be involved, this might be a situation in which multiple state attorneys general collaborate to investigate a breach and an entity’s risk assessment, security, and incident response, including notification obligations.

Notification Obligations and Regulatory Questions
DataBreaches emailed Call-On-Doc’s privacy@ email address on Thursday to ask if it had confirmed any breach. There was no reply.

DataBreaches emailed its support@ email address on Friday. There was no reply.

If these are real data, there are several questions regulators may investigate.

According to the individual who posted the listing and shared additional details with DataBreaches in private communication, the breach occurred in early December. They contacted Call-On-Doc on December 25 to alert them to the breach and to try to negotiate a payment to avoid leaking or selling it. “They contacted me from an unofficial email address. I provided all the evidence and details, but then they stopped responding—basically ignoring me,” the person told DataBreaches.

Regardless of which federal or state agencies may have jurisdiction, if these are real patient data, Call-On-Doc also has a duty to notify patients and regulators promptly. While some regulations or statutes require “without unreasonable delay,” HIPAA has a “no later than 60 calendar days from discovery” deadline, and 19 states have notification deadlines of 30 days. As of publication, DataBreaches cannot find any substitute notice, media notice, website notice, or notification to any state attorneys general or federal regulators.

DataBreaches reminds readers that Call-On-Doc has not confirmed the claims. Even though the patient data appears likely to be real, AI has advanced to the point where threat actors can create datasets that appear legitimate. DataBreaches does not think that is the case here, but can’t rule out that possibility without contacting patients, which this site tries to avoid to spare patients any embarrassment or anxiety. For a small random sample from the 1,000 records file that DataBreaches checked via Google searches, most patients are still at the addresses listed in the 1,000-patient sample. Others could be verified as having lived at the listed addresses in the recent past.

One other detail suggests the data are real: the seller is accepting escrow for the sale, which is usually an indicator that the listing is not a scam.

This post may be updated when Call-On-Doc responds or more information becomes available.

If you were or are a Call-On-Doc patient and have heard from Call-On-Doc about a breach, we’d like to hear from you.

databreaches.net
Posted on December 25, 2025 by Dissent

Over the years, DataBreaches has been contacted by many people with requests for help notifying entities of data leaks or breaches. Some of the people who contact this site are cybercriminals, hoping to put pressure on their victims. Others are researchers who are frustrated by their attempts at responsible disclosure.

When it’s a “blackhat” contacting this site, DataBreaches often responds by seeking more information from them, and may even contact their target to ask for confirmation or a statement about claims that are being made. Usually, DataBreaches does not report on the attack or claims at that time, so as not to add to the pressure the entity might be under to pay some extortion. Occasionally, though, depending on the circumstances and the length of time since the alleged breach, this site may report on an attack that an entity has not yet disclosed, especially if personal information is already being leaked.

Some people have questioned whether I have been too friendly with cybercriminals or a mouthpiece for them. Occasionally, I have even been accused of aiding criminals. I’ve certainly knowingly aided some criminals who have contacted me over the years if they are trying to do the right thing or turn their lives around. And I’ve also helped some cybercriminals in ways I cannot reveal here because it involves off-the-record situations. One person recently referred to me as the “threat actor whisperer.”

The reality is that I talk to most cybercriminals as people and chatting with them gives me greater insights into their motivations and thinking. And, of course, it occasionally gives me tips and exclusives relevant to my reporting.

Do some threat actors lie to me? Undoubtedly. I resent being “played” and I get mad at myself if I have been duped.

The remainder of this post is about a data leak on a few forums involving data from WIRED and Condé Nast and how DataBreaches was “played.”

A Message on Signal
On November 22, a message request appeared on Signal from someone called “Lovely.” The avatar was a cute kitten, and the only message was “Hello.”

DataBreaches’ first thought was that this was a likely scammer, but curiosity prevailed, so I accepted the request. What they wrote next surprised me:

Can you try to get me a security contact at Condé Nast? I emailed them about a serious vulnerability on one of their websites a few days ago but I haven’t received a response ye

“Lovely,” who assured me they were not seeking a bug bounty or any payment, said they were simply trying to inform Condé Nast of a vulnerability that could expose account profiles and enable an attacker to change accounts’ passwords. On inquiry, they claimed they had only downloaded a few profiles as proof of the vulnerability.

“Lovely” showed me screenshots of attempts to inform WIRED and Condé Nast via direct contact with one of their security reporters and someone who claimed to be from their security team.

They also showed me my own registration data from WIRED.com, which was accurate, and the information from a WIRED reporter who also seemingly confirmed his data was also correct.

WIRED account information for DataBreaches that Lovely showed her on November 27. It shows email address and date registered and last updated among the fields.
WIRED account information for DataBreaches that Lovely showed her on November 27. It shows email address and date registered and last updated among the fields.
It all seemed consistent with what they had claimed.

Despite its vast wealth, Condé Nast lacks a security.txt file that explains how to report a vulnerability to them. Nowhere on its site did it plainly explain how to report a vulnerability to them.

Trying to help Condé Nast avoid compromise of what was described to me as a serious vulnerability risking more than 33 million users’ accounts, I reached out to people I know at WIRED. I also reached out to Condé Nast but received no replies from them.

When the “Researcher” Really Is Dishonorable
Weeks of failed attempts to get a response from Condé Nast followed and Lovely started stating that they were getting angry and thinking about leaking a database just to get the firm’s attention. Leaking a database? They had assured me they had only downloaded a few profiles as proof. But now they stated they had downloaded more than 33 million accounts. They wrote:

We downloaded all 33 million user’s information. The data includes email address, name, phone number, physical address, gender, usernames, and more.

The vulnerabilities allow us to
– view the account information of every Condé Nast account
– change any account’s email address and password

They also provided DataBreaches with a list of the json files showing the number of user accounts for each publication. Not all publications had all of the types of information.

DataBreaches reached out to Condé Nast again with that information, but again received no reply. A contact at WIRED was able to get the firm’s security team to engage and Lovely eventually told DataBreaches that they had made contact and given the security team information on six vulnerabilities they had found.

Six? How many lies had Lovely told me? Lovely asked me to hold off on reporting until the firm had time to remediate all the vulnerabilities. DataBreaches agreed, for the firm’s sake, but by now, had no doubts that Lovely had been dishonest and she had been “played.”

Eventually, Lovely sent a message that everything had now been remediated. DataBreaches asked, “Did they pay you anything?” And that’s when Lovely answered, “Not yet.” DataBreaches subsequently discovered that they have been leaking data from WIRED on at least two forums, with a list of all the json files they intend to leak. Or perhaps they intend to sell some of the data. Either way, they lied to this blogger to get her help in reaching Condé Nast.

“Regrets, I’ve Had a Few”
At one point when I reached out on LinkedIn seeking a contact at Condé Nast, someone suggested that Lovely wasn’t a researcher but was a cybercriminal and that I was aiding them.

With the clarity of hindsight, he was right in one respect, although I certainly had no indication of that at the outset or even weeks later. But as I replied to him at the time, “I hope I wasn’t helping a cybercriminal, but if Condé Nast found out about a vulnerability that allowed access to 33M accounts, did I harm Condé Nast by reaching out to them, or did I help them?”

I don’t know if Condé Nast verified Lovely’s claims or not about the alleged vulnerabilities. That said, based on what I had been told, I don’t regret my repeated attempts to get their security team to contact Lovely to get information about the alleged vulnerability.

As for “Lovely,” they played me. Condé Nast should never pay them a dime, and no one else should ever, as their word clearly cannot be trusted.

Update of December 27, 2025: By now, the data leak has started to be picked up on LinkedIn by Alon Gal and on Have I Been Pwned by Troy Hunt. Condé Nast has yet to issue any public statement or respond to this site’s inquiries. As HIBP reports:

In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online. The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number, date of birth, gender, and geographic location or full physical address. The WIRED data allegedly represents a subset of Condé Nast brands the hacker also claims to have obtained.

databreaches.net Posted on September 15, 2025 by Dissent

On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined.

Kering never responded to emailed inquiries, but ShinyHunters provided DataBreaches with samples from both attacks that appeared legitimate. They also provided chat logs from negotiations they claimed took place with someone presenting themselves as Balenciaga’s safety manager. Those negotiations appeared to go on for more than a month and a half between June 20 and mid-August. According to the logs, it appeared Kering agreed to pay a ransom of 500,000 euros, but then they went silent and never followed through.

Kering Issues a Statement
Although they did not respond to DataBreaches’ questions at the time, Kering issued a statement that they provided to other news sites, including LeMagIT and The Guardian.

Their statement, as reported by LeMagIT, does not answer all of the questions DataBreaches had, but it’s a start. Kering states:

« En juin 2025, nous avons constaté qu’un tiers non autorisé avait temporairement accédé à nos systèmes et consulté des données clients limitées provenant de certaines de nos Maisons », explique le service de presse de Kering dans une déclaration adressée à la rédaction.

Celle-ci ajoute que « nos Maisons ont immédiatement signalé cette intrusion aux autorités compétentes et ont informé les clients conformément aux réglementations locales ».

Et de préciser qu’aucune « information financière, telle que des numéros de compte bancaire ou de carte de crédit, ni aucun numéro d’identification personnelle (numéro de sécurité sociale), n’ont été compromise lors de cet incident ».

Selon le service de presse de Kering « l’intrusion a été rapidement identifiée et des mesures appropriées ont été prises pour sécuriser les systèmes concernés et éviter que de tels incidents ne se reproduisent à l’avenir ».

A machine translation roughly yields:

In June 2025, we found that an unauthorized third party had temporarily accessed our systems and accessed limited customer data from some of our Houses. Our Houses immediately reported this intrusion to the competent authorities and informed the customers in accordance with local regulations….. No financial information, such as bank account or credit card numbers, nor any personal identification number (social security number), was compromised during this incident.

According to Kering’s statement, “the intrusion was quickly identified and appropriate measures were taken to secure the affected systems and prevent such incidents from recurring in the future.”

They do not name the brands affected, they do not disclose the total number of affected individuals, and when asked what countries were affected, Kering reportedly declined to answer Reuter’s question.

An Inconsistent Statement?
It appears that neither Kering nor any of the affected brands detected the breaches on their own, and they only first found out when ShinyHunters contacted them in June. Why they did not discover the breaches by their own means is unknown to DataBreaches.

DataBreaches can confirm that there was no financial information in the samples of records that DataBreaches inspected. However, Kering’s statement to another news outlet contradicts claims made by ShinyHunters to DataBreaches.net in important respects.

As previously reported, ShinyHunters provided this site with chat logs of negotiations between ShinyHunters and someone claiming to be a representative of Balenciaga. But Kering has apparently told the BBC that it did not engage in conversations with the criminal(s), and it didn’t pay any ransom, consistent with long-standing law enforcement advice.

Their denial appears to be factually inaccurate, at least in part.

At the time of our first publication, DataBreaches reported that Balenciaga had made a small test payment in BTC to ShinyHunters. This site did not include specific proof in that article, but ShinyHunters had provided this site with evidence at the time. We are posting that proof now in light of Kering’s denial that they engaged in any conversations or paid any ransom.

The chat log provided to this site showed that Balenciaga was to make a small test payment in BTC to ShinyHunters on or about July 4. The amount mentioned in the chat log was 0,00045 BTC. The chat log also showed the BTC address as bc1qzwpshyadethrqum0yyjh7uxxzhsnjjgapdmr4c. DataBreaches had redacted that address from the published report.

On July 4, Balenciaga’s “user” told ShinyHunters that the test payment had been made:

[en attente] : 2025-07-04
[03:09:08] shinycorp: Bonjour, vous nous aviez promis un paiement hier, mais nous n’avons rien reçu. des nouvelles ?
[04:23:45] Utilisateur: Bonjour
[04:24:05] Utilisateur: nous avons eu du retard pour la création du compte
[04:24:09] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b
[04:24:18] Utilisateur: ci joint la preuve du paiement test
[04:24:24] Utilisateur: je vous invite à vérifier
[04:52:42] shinycorp: Reçu pour la première fois
[06:17:52] shinycorp: Veuillez diffuser la transaction.
[07: 45: 06] Utilisateur: fichier: / / / C: / Utilisateurs / X / Bureau / flux de blocs.htm
[07:46:28] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b

DataBreaches had looked up the wallet address and found confirmation of the payment. The following is a screengrab showing the payment.

Btcpaid

Kering’s reported claims about no conversations and no payment appear to be refuted by the chat log and corresponding BTC transaction. ShinyHunters did not claim that Kering paid their ransom demand, but they do claim that there were extensive negotiations and that a small test payment was made, and there seems to be proof of that.

Kering’s statement to other news sites also leaves a lot of other unanswered questions. They told the BBC that they had emailed all affected customers, but that raises other questions. DataBreaches emailed Kering again today to ask for additional details. Specifically, DataBreaches asked them:

Have you notified data protection regulators in all of the countries where your customers reside?
When did you send emails to customers to notify them?
Have you notified store customers by postal mail if the customers did not provide email addresses? If not, how have you notified those without email addresses?
Your statement claims that you did not have any conversations with the attackers. Has your legal department obtained IP addresses from qtox to find out the IP address of the person representing themself as Balenciaga’s negotiator? Are you claiming that ShinyHunters was lying about negotiations, or are you saying something else?
No reply has been received.

Furthermore, we still do not know how many unique customers, total, were affected by these attacks on their brands. The BBC reported that it might be less than 7.4 million based on the number of unique email addresses. But the 7.4 million unique email addresses were only for the Balenciaga, Brioni, and Alexander McQueen data. There were more than 43 million records for the Gucci data set, so there would be a significant number of unique email addresses and customers there, too, and not all customers provide an email address.

Although Kering does not seem to be embracing public transparency in its incident response, we may eventually find out more if investors demand accountability or if data protection regulators report on any investigations and findings.

databreaches.net Posted on September 8, 2025 by Dissent

Some data breaches make headlines for the number of people affected globally, such as a Facebook scraping incident in 2019 that affected 553 million people worldwide. Then there are breaches that affect a country’s entire population or much of it, such as a misconfigured database that exposed almost the entire population of Ecuador in 2019, an insider breach that compromised the information of almost all Israelis in 2006, a misconfigured voter database that exposed more than 75% of Mexican voters in 2016, and the UnitedHealth Change Healthcare ransomware incident in 2024 that affected more than 190 million Americans.

And now there’s Vietnam. ShinyHunters claims to have successfully attacked and exfiltrated more than 160 million records from the Credit Institute of Vietnam, which manages the country’s state-run National Credit Information Center. Vietnam National Credit Information Center is a public non-business organization directly under the State Bank of Vietnam, performing the function of national credit registration; collecting, processing, storing and analyzing credit information; preventing and limiting credit risks; scoring and rating the credit of legal entities and natural persons within the territory of Vietnam; and providing credit information products and services in accordance with the provisions of the State Bank and the law.

While those affiliated with ShinyHunters bragged on Telegram that Vietnam was “owned within 24 hours,” ShinyHunters listed the data for sale on a hacking forum, and provided a large sample of data from what they described as more than 160 million records with “very sensitive information including general PII, credit payment, risks analysis, Credit cards (require you’re own deciphering of the FDE algorithm), Military ID’s, Government ID’s Tax ID’s, Income Statements, debts owed, and more.”

DataBreaches asked ShinyHunters for additional details about the incident, including how many unique individuals were in the data, because the country’s entire population is slightly under 102 million. ShinyHunters responded that the data set included historical data. They stated that they did not know how many unique individuals were involved, but were pretty sure they got the entire population.
Because this incident did not seem to be consistent with ShinyHunters’ recent campaigns, DataBreaches asked how they picked the target and how they gained access. According to ShinyHunters, they picked the target because it held a massive amount of data. The total amount or records (line) across all tables was like 3 billion or more, they said, and they gained access by an n-day exploit. On follow-up, DataBreaches asked whether this was an exploit that CIC could have been able to patch. There was no actual patch available, Shiny stated, as the software was end-of-life.

In response to a question as to whether the CIC had responded to any extortion or ransom demands, ShinyHunters stated that there had been no ransom attempt at all because ShinyHunters assumed they would not get any response at all.

DataBreaches emailed the CIC to ask them about the claims, but has received no reply by publication. If CIC responds to DataBreaches’ inquiries, this post will be updated, but it is important to note that there is no confirmation of ShinyHunters’ claims at this point, however credible their claims may appear.

It is also important to note that this post has referred to this as an attack by ShinyHunters and has not attributed it to Scattered Spider or Lapsus$. When DataBreaches asked which group(s) to attribute this to, ShinyHunters had replied, “It wasn’t a Scattered Spider type of hack … so ShinyHunters.” ShinyHunters acknowledged that they need to deal with the name situation, but said, “I don’t know how to fix the name problem considering for years everyone thought both are completely different groups.”

databreaches.net - Chatox and Brosix are communications platforms that advertise for personal use and team use. They are owned by Stefan Chekanov.

The only statement Chatox makes about its data security is “Chatox employs encryption across all communications, making it an extremely secure communication and collaboration platform.”

Brosix Enterprise advertises its security:

Brosix provides you with an efficient and secure communication environment, and Text Chat is a central element of this. With this feature you can instantly send, and receive, text messages to your network contacts. Better yet, all messages sent with Brosix are fully encrypted using end-to-end encryption technology, guaranteeing that your communication remains secure.

Brosix uses AES (Advanced Encryption Standard, used by US government) with 256 bit keys. Which means the encryption can’t be broken in a reasonable time.

All communication channels are direct, peer-to-peer, between the users and are not routed through Brosix servers. In some cases, if user firewalls do not allow direct connection, data is routed through Brosix servers. In these rare cases, the channels through the servers are built in a way that Brosix cannot decrypt and see the user data that flows.

So why did a researcher find a lot sensitive chats in plain text with individuals’ first and last names, username, password, IP address, chat message, and attached files — all unencrypted?

What to Know
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files.
There was a total of 980,972 entries in the users’ tables, with entries going back to 2006.
The researcher first logged the backup as exposed in late April. From the logs, the researcher stated that the files in question were exposed from at least May 11th 2024 – July 4th 2025 . Because logging only began in late April, the server could have been exposed before then.
The top email domains for each of the two platforms are listed below:
Brosix Enterprise Database Chatox Database
14826 gmail.com
5472 yahoo.com
2086 hotmail.com
1805 mail.ru
1111 allstate.com
679 rankinteractive.com
633 yandex.ru
582 issta.co.il
376 outlook.com
353 gp-servicedirect.com 63291 mail.ru
48075 gmail.com
20099 yandex.ru
13789 yahoo.com
7868 hotmail.com
6734 bk.ru
4541 allstate.com
3316 rambler.ru
3297 inbox.ru
3204 list.ru

Developing: Someone claiming to be an “affiliate plus” for AlphV claims they were responsible for the Change Healthcare attack but that AlphV stole the payment Change Healthcare had made and suspended the affiliate’s account.

The affiliate’s claims appeared on Ramp Forum and have been circulating since then. The post can be seen below, via @vx-underground:

Over on SuspectFile, Marco A. De Felice reports that the NoEscape ransomware gang is threatening to release 1.5 TB of data from PruittHealth Network. De Felice...