Hacking Forum Posts Expose Customer Data from digiDirect and MediaWorks
Customer and marketing data from Australian retailer digiDirect and New Zealand media company MediaWorks was exposed after separate datasets were posted to a popular hacking forum. The digiDirect breach, published in September 2024, contained more than 300,000 rows of personal information, including names, email addresses, physical addresses, phone numbers, and dates of birth. About half of the email addresses were tied to external marketplace domains such as Amazon, eBay, and Westfield, suggesting some affected records may have come from third-party marketplace activity.
MediaWorks suffered a larger exposure after a dataset was publicly posted in March 2024 containing millions of rows and 163,000 unique email addresses linked to people who entered online competitions. The leaked records included names, physical addresses, phone numbers, dates of birth, genders, and competition responses. Following the leak, some victims reportedly received ransom demands seeking payment in exchange for deletion of their stolen data, underscoring the downstream extortion risk created by publicly traded personal data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
digiDirect customer data published on hacking forum
In September 2024, a dataset attributed to Australian retailer digiDirect was published on a popular hacking forum. The exposed breach contained more than 300,000 rows of personal information, including names, email addresses, physical addresses, phone numbers, and dates of birth.
MediaWorks victims reportedly receive ransom demands
After the MediaWorks data exposure, some affected individuals reportedly received ransom demands seeking payment in exchange for deletion of their stolen data. This marked an escalation from data exposure to direct extortion of victims.
MediaWorks competition entrant data posted on hacking forum
In March 2024, a large dataset belonging to New Zealand media company MediaWorks was publicly posted on a popular hacking forum. The exposed data contained millions of rows, including 163,000 unique email addresses and personal details from people who entered online competitions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026
Customer Data Exposed in LDLC and LuLu Retail Breaches
French retailer **LDLC** disclosed a breach affecting customers of its physical stores after stolen data was advertised for sale on a hacking forum. The exposed dataset reportedly included **1.26 million unique email addresses** along with customers' names, phone numbers, and physical addresses, indicating broad exposure of personally identifiable information tied to retail transactions. Emirati retailer **LuLu** also suffered a customer data breach in which an initial set of about **190,000 email addresses** and linked phone numbers was shared on a hacking forum. The incident escalated when the threat actor later leaked a larger backup from **October 2022**, exposing an additional **2.6 million unique email addresses** as well as names, physical addresses, order data, and **`PBKDF2` password hashes**, significantly increasing the risk of account compromise and follow-on phishing or fraud.
Mar 27, 2026