Even if you’re extra careful online and take all the right precautions to secure your accounts and the data they contain, your personal information could still end up on the dark web. Case in point, one billion personal records from 26 countries around the world were just found left in an unsecured database.

No, this wasn’t a data breach, and hackers weren’t involved in any way whatsoever. Instead, this was a data leak discovered by the team at Cybernews, where a databased was accidentally left unprotected online without a password. The personal data in that database was used by other companies to verify users in the U.S., Canada, Australia, Mexico and loads of other countries.

Although cybercriminals weren’t behind this massive new data leak, just as the Cybernews team did, they too could have accessed and downloaded this exposed data to use in future attacks.

Here’s everything you need to know about this new data leak, including the steps you can take right now to stay safe from any potential attacks or scams.

Exposed personal data

Like many security researchers, such as Jermeiah Fowler, the news outlet’s team, and others (including cybercriminals) will often scour the internet looking for exposed databases. Cybernews found this massive trove of exposed personal records on November 11 2025, and immediately contacted the company, which then secured the database the following day.

In total, the database held one terabyte of data for users across 26 countries. The U.S. was hit the hardest with 204 million records exposed, followed by Mexico at 123 million and the Philippines with 72 million.

Given that the database was left unsecured for some time, the following personal data was exposed online:

• Full names
• Addresses
• Post codes
• Dates of birth
• National IDs
• Phone numbers
• Genders
• Email addresses
• Telco metadata
• Breach status and social profile annotations

With all of this valuable personal data in hand, cybercriminals could launch all manner of attacks and scams, including account takeovers, targeted phishing attacks, credit fraud, SIM swaps and even identity theft. To make matters worse, all of this leaked data was structured, which would make searching through these records much easier than if the data were unstructured.

How to stay safe after a data leak

Just like with a data breach, you could potentially receive a data breach notification letter in the mail if your personal records were exposed in this leak. If so, you should follow the letter’s instructions and take advantage of the free access to one of the best identity theft protection services if that’s offered.

If not, though, there are still plenty of steps you can take to stay safe after a data leak. For starters, you want to be on the lookout for any suspicious phone calls or messages as they could be targeted phishing attacks designed to steal even more of your data. These could arrive via email or text, so be wary of any messages from unknown senders.

Signing up for identity theft protection is a great way to protect yourself after a major leak, as these services can help you recover a stolen identity as well as any funds lost to scams or fraud. As always, though, it’s also a good idea to protect your Windows PC with the best antivirus software or your Apple computer with the best Mac antivirus software. The reason is that those phishing emails could arrive with malicious attachments designed to infect your devices with malware.

Either way, it’s up to you to ensure that you’re taking all of the necessary precautions, such as being careful where you click, to stay safe from any attacks that try to leverage this exposed data.

More from Tom's Guide

• A new spyware called ZeroDayRat can take over your iPhone or Android via text
• How did the FBI get Nancy Guthrie's Google Nest camera footage if it was disabled and what does it mean for your privacy?
• 300,000+ Chrome users installed these malicious extensions posing as AI assistants — delete them right now

Hackers have caused absolute chaos in Ubisoft’s Rainbow Six Siege after breaching the company’s systems.

Instead of leaking stolen data from the game online, they’ve turned the company’s internal systems against it to ban and unban players, manipulate in-game message feeds and most surprisingly, give all players 2 billion in Rainbow Six Siege credits. While a 2 billion credit windfall for a single player is valued at roughly 13.3 million, reports suggest the total value of currency distributed across the entire player base has reached a staggering 339 trillion.

To make matters worse, security researchers are reporting that this breach is directly related to a recently disclosed MongoDB vulnerability. Dubbed MongoBleed, the flaw allows unauthenticated attackers to remotely leak the memory of exposed MongoDB instances. Attackers even used their access to the game’s management services to hijack a ban ticker that Ubisoft says had actually been disabled, using it to mock the company’s leadership directly.

Here’s everything you need to know about the recent Rainbow Six Siege hack along with the MongoBleed flaw and why this tactical, team-based first person shooter likely won’t be the last victim.

The Siege under siege

First launched back in 2015, Rainbow Six Siege is a tactical, first-person shooter and live-service game that pits two teams against each other. It had over 80,000 active monthly players at the beginning of the year thanks to the launch of a new expansion but this number has fallen to around 40,000 in the latter half of this year.

On December 27th, reports that the game was breached by hackers first began circulating online. While normally this would result in player data being stolen and then sold online, something completely different happened as a result of this breach.

The hackers behind the Rainbow Six Siege breach took the following actions after gaining access to Ubisoft’s systems:

• Banned and unbanned thousands of people randomly, including high-profile streamer accounts.
• Took over the ban feed to broadcast custom messages mocking Ubisoft leadership, even though the ban ticker feature had actually been disabled in a past update.
• Gave everyone 2 billion in premium R6 credits and Renown. While the value of these credits for a single player is estimated at over 13 million, some reports suggest the total value of currency distributed reached a staggering 339 trillion.
• Gave everyone every skin in the game, including ultra-rare Glaciers and even developer-only cosmetics.

According to BleepingComputer, Ubisoft confirmed that the incident took place early in the morning on December 27th and said its teams were working to resolve an issue currently affecting the game. From there, the company then shut down the game and its in-game marketplace to prevent further damage to the player-driven economy.

If you’re a Ubisoft player that spent some of those 2 billion credits that magically appeared in your Rainbow Six Siege account, there’s good news and bad news. While you won’t be punished for spending them, Ubisoft is currently rolling back all transactions that occurred after 11:00 AM UTC on December 27th.

So how did the hackers behind this breach manage to pull it off? Well, at least according to some reports, the new MongoBleed flaw is to blame.

Leaking memory without passwords

Although they haven’t been verified by Ubisoft yet, the security research group VX-Underground is claiming with medium to high confidence that hackers used a recently disclosed MongoDB flaw to breach the company’s systems.

The vulnerability (tracked as CVE-2025-14847 and dubbed MongoBleed) allows unauthenticated attackers to remotely leak the memory of exposed MongoDB instances. By sending malformed, compressed network packets to the server's zlib decompression logic, attackers can trick the database into "bleeding" fragments of its internal heap memory. This can expose sensitive data like plain-text database passwords, session tokens, and administrative authentication keys.

As reported by The Hacker News, MongoBleed has a high-severity CVSS score of 8.7 and impacts a broad range of database versions:

• MongoDB 8.2.0 through 8.2.2
• MongoDB 8.0.0 through 8.0.16
• MongoDB 7.0.0 through 7.0.27
• MongoDB 6.0.0 through 6.0.26
• MongoDB 5.0.0 through 5.0.31
• MongoDB 4.4.0 through 4.4.29
• All legacy versions including MongoDB Server v4.2, v4.0, and v3.6

While the flaw has been patched in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30, many organizations have not yet upgraded to a fixed release.

What makes the investigation so complex is that multiple unrelated groups of cybercriminals appear to have targeted Ubisoft simultaneously.

According to VX-Underground, a first group compromised live game services to manipulate inventories and bans, while a second group allegedly used MongoBleed to pivot into Ubisoft’s internal Git repositories. This second group reportedly stole source code for various projects dating from the 1990s to the present day. Meanwhile, a third group is reportedly attempting to extort Ubisoft over stolen user data, while a fourth group claims the source code was already compromised long before the current chaos began.

Rainbow Six Siege won’t be the last victim

While Rainbow Six Siege could potentially be the first public victim of MongoBleed, the sheer scale of MongoDB’s global footprint shows that it likely won’t be the last. As of this year, over 60,000 organizations across nearly every industry rely on this open-source tool for their backend infrastructure.

With 200,000 instances estimated to currently be exposed online, the potential for widespread exploitation of MongoBleed is quite high. Since this exploit isn’t too complicated and requires no authentication, other companies could suffer a similar fate to what happened with Rainbow Six Siege if they don’t patch their systems immediately.

From credential harvesting to undetected data theft, MongoBleed attacks could have wide reaching implications for organizations and their users across a wide variety of industries.

Hopefully companies take immediate steps to remedy this situation because if they don’t you’ll be reading (and I’ll be writing) about a lot more MongoBleed-powered attacks next year.

More from Tom's Guide

• Your Social Security number is vulnerable to identity thieves — here's how to lock it down
• 5 steps to safer social media in 2026: The settings you should enable right now
• That mystery gift might be a scam: What brushing scams are and what to do about them

The problems with the data leak at the Tea app have grown since the initial news broke last week and now include two data exposure incidents that put the personal info of thousands of users at risk online.

So what happened with the app that suddenly sprang into the number one position on the App Store and then suddenly into the spotlight for problems and user issues?

We break down everything you need to know about the infamous Tea app below.

What is the Tea app?

The Tea app is a women-only dating app that acts as a safety platform. Its users share anonymous reviews about men they've dated or are dating and have conversations about them. In order to start a membership, users must submit a selfie and a government issued ID for verification.

The Tea app recently became the top free app in the App Store for iOS users and has 2 million downloads; it's also has top Google Play Store rankings as well. It has gotten enough notoriety that people on 4chan were calling for it to be hacked, according to reporting on The New York Times.

What happened with the initial breach?

Although the event is not technically a 'breach' per se, according to various reports including one from BGR , a leak occurred on Friday, July 25.

The Tea app and website were untouched but an unsecured database of thousands of online records were leaked across various websites after an anonymous 4chan user pointed out that the app uses an unsecured Firebase storage bucket to house the IDs, selfies, photos and images uploaded by users.

That user additionally shared a Python script that could be used to download the data from the storage bucket which has since been secured. Altogether over 59GB of data was exposed which includes: 72,000 images included 13,000 selfies and identification images submitted by users, as well as 59,000 images from posts, comments and direct messages. Location data could be obtained from some of these images too.

Tea confirmed in a public statement that this initial leak affected users who had signed up before February 2024, calling it a “legacy storage system,” and confirming that no email addresses or phone numbers were exposed.

The company behind the app then went onto explain that the selfies could not be deleted as they were stored in order to comply with law enforcement requirements related to cyber-bullying prevention. However, this leaked data – which has now been shared across various hacking forums – not only exposes the app's members to a variety of phishing and social engineering attacks but also stalking and humiliation.

What happened in this latest breach?

This secondary breach contains an additional database of 1.1 million private messages sent between users on the platform and includes more recent data – from 2023 to just last week – as well as messages on sensitive topics.

According to the reporting from 404 media, it would be possible to identify users based on their social media profiles, phone numbers or other personal information that wass revealed in these messages.

What is happening now?

Tea says it is continuing to work with law enforcement in order to assist with the investigation and in a statement to Bleeping Computer, the company stated that that some direct messages (DMs) were also accessed as part of the first incident. Likewise, Tea confirmed that it has now taken the affected messaging systems offline, though they have found no additional evidence of access to any other parts of its systems.

Tea added that they were working to identify users whose personal information was involved and they would be offering free access to the best identity protection theft services to affected individuals. Tea has also encouraged users who have questions to reach out to them via support@teaforwomen.com for more information. Tea users should also consider replacing their IDs, freezing their credit, and carefully monitoring all of their online accounts.

Additionally, users should be aware of the signs of a phishing or social engineering attack and be wary of any unexpected links or attachments in emails or texts, especially those from unknown senders. Be wary of anyone who attempts to contact you through social media, and anyone who asks for personal information.

More from Tom's Guide

• Millions hit in quishing attacks as malicious QR codes surge — how to stay safe
• Has your computer been hacked? 11 ways to tell and what to do now
• Microsoft Authenticator is going to delete your passwords on Friday — what to do right now

A free VPN app with more than 50,000 downloads on the Google Play store left a database containing 18.5GB of connection logs exposed on the internet for anyone to find.

According to Cybernews, which made the discovery, the exposed database belongs to BeanVPN and contained more than 25 million records including user device and Play Service IDs, IP addresses, connection timestamps and other diagnostic information.

While the ElasticSearch instance has since been secured, Cybernews security researcher Aras Nazarovas explained in a blog post what cybercriminals could do with the information it contained.

"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases," Nazarovas wrote. "The Play Service ID could also be used to find out the user's email address that they are signed in to their device with." 

Violating its own privacy policy

BeanVPN is developed by a company called IMSOFT which explains in its privacy policy that it doesn’t store connection logs and timestamps, IP addresses and other diagnostic information.

While IMSOFT appears to have violated its own privacy policy in this regard, the company also emphasized that it protects user data with “best-in-class physical, procedural and technical security” at its offices and information storage facilities. As Cybernews notes though, publicly available information suggests that its only office is located in an apartment building in Bucharest, Romania.

Although privacy policies can often tell you quite a bit about a VPN company, it’s up to the businesses themselves to adhere to them.

Exposed databases continue to put consumers at risk

Exposed databases are a recurring problem for VPN companies and tech giants alike as they can be accessed by anyone who finds one online since such databases aren’t password protected.

Back in March 2021, Cybernews discovered three databases leaked by SuperVPN, GeckoVPN and ChatVPN which contained the data of 21 million people. Email addresses, passwords, full names, country information and payment details from these databases were then sold on the dark web. Additionally, in May of this year, Cybernews found an unsecured database belonging to UK law enforcement agencies that contained information on millions of vehicles. 

Unlike cyberattacks where hackers exploit vulnerabilities or other weaknesses to gain access to sensitive data, with an exposed database the businesses who collected the data in the first place are the ones responsible as they failed to store it securely. We all use passwords on our smartphones and laptops, so why aren’t companies doing the same with their databases? Besides losing customers over data privacy concerns, businesses that fail to secure their databases can also be fined by regulators.

Why opting for a paid VPN is your best bet

Saving a bit of cash by choosing a free VPN over a paid one may seem like a good idea at first until you consider the limitations. Most free VPNs come with some kind of a catch in the form of data limits, speed restrictions, fewer servers or less features. 

If you just want a bit of extra privacy for certain tasks, then a free VPN may be worth your while. However, not all free VPNs are cut from the same cloth. Even if a free VPN app has a lot of downloads on the Google Play Store or Apple App Store, it may be selling your data or putting you at risk in other ways. This is why we’ve put together a list of the best free VPNs from reputable companies that are actually worth using.

Still though, signing up for a paid VPN will always be the better option as you’ll have access to more features with no restrictions alongside regular updates and customer support you can contact if you run into any connection problems. Another possible option worth considering is signing up for one of the picks from our list of the best antivirus software as many antivirus makers throw in access to a VPN as an extra. In fact, both Norton 360 Deluxe and Trend Micro Maximum Security both include unlimited VPN access. This way you can secure devices against malware and other cyber threats while protecting your privacy with a VPN.

If you already have a security suite on your devices and just want a reliable VPN, then ExpressVPN, NordVPN and Surfshark are currently our top picks.

REM’s Michael Stipe sang “it’s the end of the world as we know it and I feel fine” — maybe because he knew that earth's history could be stored in an indestructible black box being developed to record and preserve the moment Planet Earth meets its demise. 

This cheerful pre-holiday thought comes courtesy of the Earth's Black Box project. The project, as our sibling publication Live Science explains, is working on creating an indestructible take on the recorder found in commercial aircraft designed to record all the adjustments a plane makes and thus an account of what may have gone wrong if it crashes. 

Earth's Black Box version is aiming to take that concept and go large with it, supposedly by early 2022. The idea is to record every action humanity takes relating to the health of the planet and thus have “an unbiased account of the events that lead to the demise of the planet.” 

"Unless we dramatically transform our way of life, climate change and other man-made perils will cause our civilization to crash," Earth's Black Box website explains, seemingly with a whiff of doomsday about it.

There is a tinge of hopefulness, with the project hoping the Black Box will “hold accountability for future generations, and inspire urgent action.” Perhaps the idea of all the bad stuff humans do to the planet being recorded and potentially pursued by judgemental extra-terrestrial life might shame humanity into taking more action to prevent climate disasters.

One can imagine a group of sniggering ETs making fun of how people kept filling their cars with an explosive liquid extracted from dead dinosaurs, or doubled over in laughter at the idea of investing in billionaire space travel and not ozone repair.

One tough (and smart) box

Making a box that could survive the collapse of humanity and the end of the world requires some serious engineering. But Earth's Black Box isn't being created to withstand the impact of an asteroid, for example, but rather the ravaging effects of climate change. 

As a joint project between the university of Tasmania, communications organization Clemenger BBDO, and art collective Glue Society, Earth's Black Box is a mix of modernist sculpture meets sensor station. 

Set to be roughly the length of a bus as 10 meters long, the 4-meter high and 3-meter wide black box resembles an asymmetrical trapezoid monolith laying horizontally. It's surface will be layered with solar panels, which will power a warehouse of mass storage devices and communication equipment.

If the solar panels fail, there's a battery backup hardware on hand, and all that tech will be protected by a 7.5 cm-thick steel shell. However, internet connectivity will still be on offer to help with the archiving of data; we just hope they have good antivirus protection planned. 

Speaking of data collection, the black box will suck up a lot of it. It'll gather atmosphere CO2 levels, monitor land and sea temperatures, measure ocean acidification, track the extinction of species, monitor human population numbers and military action, as well as track political movement in global governance. It'll also monitor social media posts and pull in data and news from the Web relating to climate change.

As for where the black box will be based, the west coast of Tasmania has been requested. That's down to the geological and political stability of the region, meaning there won't be a despotic leader around to mess with it. 

Of course, time will tell if this project comes to fruition early next year. But with earth's temperature predicted to rise by more than two degree Celsius if climate change isn't managed, as well as a looming water crisis and ice sheets destabilizing, perhaps a black box tracking humanity's climate foibles and action might be better set up sooner than later. 

A whopping 3.2 billion password-username pairs are up for grabs in an unnamed online hacking forum. But don't panic — the data is nothing new. It's a compilation of stolen credentials from dozens of old data breaches, some going back ten years.

That doesn't mean you shouldn't be aware that your old passwords are floating out there. Yes, your passwords, and ours too. Pretty much anyone who's ever created more than three online accounts has had a password compromised by now.

• What to do after a data breach
• The best password managers to keep your accounts safe
• Just in: Microsoft Viva aims to fix the way we work from home

This new treasure trove of dusty old data was publicized by Lithuanian English-language website Cybernews, which says the compromised credentials are a mishmash of data from breaches at LinkedIn (2012, 117 million compromised accounts), Netflix (we don't actually remember any Netflix data breach) and others. 

We haven't seen the data ourselves, but we imagine that the massive Yahoo breaches of 2013 (3 billion) and 2014 (500 million) are probably in there somewhere. 

Cybernews said the database is being advertised as the "Compilation of Many Breaches (COMB)." It's in a password-protected container, and the data has been cleaned up, categorized and made searchable. The password to the container is available to authorized users of the hacker forum.

"Most of the contents are almost all publicly available," the poster who put up the link in the hacker forum writes in a screen grab captured by Cybernews. "All data is in an alphabetical tree-like structure," and "a query script is included."

The link poster said the total number of credentials amounted to 3.8 billion, but Cybernews got hold of the data and boiled it down to 3.2 billion after removing duplicates.

How you can minimize the damage from data leaks

So what do you need to do about this? You can use Cybernews' own data-leak checker, which claims to hold 2.5 billion compromised email addresses, to see if your email address is in the mix. 

You can also use Australian security researcher Troy Hunt's HaveIBeenPwned website, which checks both your email address and your password, but never at the same time. Odds are that at least one of your old passwords and some of your email addresses are in at least one of these databases. 

But overall, you need to observe a few simple rules.

1) Data breaches happen, and it's not your fault.

2) Don't reuse passwords. If you do, a data breach affecting one of your accounts will affect many others too.

3) Make all your passwords strong and unique.

4) Using one of the best password managers will make Rules 2 and 3 easy to follow.

What happens when a database full of vital personal information is left unprotected on the internet? Potential data thieves find it within hours, says hybrid tech blog/research team/VPN affiliate reseller Comparitech.

On May 12, Comparitech spun up a "honeypot" server containing fake user data and left it without adequate password protection to attract thieves, explained the site's Paul Bischoff in a blog post earlier this week. 

"We wanted to find out how fast data can be compromised if left unsecured," Bischoff wrote.

• What to do after a data breach
• The best identity theft protection to keep your personal data safe
• Latest: Stimulus check 2020: Everything you need to know

Over the next 11 days, the honeypot server was accessed 175 times, with the first try coming eight hours and 35 minutes after the server went online. More than three dozen intrusions were made over the next four days. 

The Shodan search engine indexed and listed the server on May 16, and 22 more accesses were made in the following 24 hours.

This research is admittedly self-serving, because Comparitech specializes in finding unprotected databases on the internet. Yet it's never been clear whether that matters, because security researchers can rarely tell if anyone else found an open server before they did or if any data was stolen.

To use a real-world analogy, if you find the front door to your home unlocked, but nothing seems to be missing, then how can you tell if anyone got in? Comparitech's study is like leaving the house door unlocked while setting up a surveillance camera across the street to monitor it.

Attacks or just queries?

Most of the "attackers" -- Comparitech's words, not ours, because accessing an unprotected database is not a crime -- were using IP addresses in the U.S., Romania and China. That doesn't mean they were physically located in those countries.

In fact, most of the "attacks" simply queried the database's status, which is no big deal. But some aimed to "mine cryptocurrency, steal passwords, and destroy data," Bischoff wrote.

The experiment came to an abrupt end May 22, when a real genuine attacker, probably a bot, "deleted the contents of the database and left a message with contact information and request for payment" in Bitcoin.

This wasn't exactly a scientific study. It's just one server in a one-time test that lasted less than two weeks. We don't know how many other honeypots, if any, Comparitech set up before it got the results it wanted. 

A more thorough study would set up many more servers in many different locations at many different locations over a longer period of time, then analyze how many servers get accessed and how frequently. Then we'd have a real idea of just how likely it is for unprotected sensitive data to get stolen.

UPDATE: These records have been fed into the HaveIBeenPwned database, so you can now search for your email address(es).

A treasure trove of records containing personal details of 1.2 billion people was found unprotected on the open internet last month, security researchers Bob Diachenko and Vinny Troia disclosed today (Nov. 22). But don't panic! 

Most or all of the data is already publicly available, including names, addresses, email addresses, phone numbers and links to social-media profiles. No passwords, Social Security numbers or credit-card numbers were involved, and dates of birth do not seem to have been either. (The database is no longer accessible online.) 

Nonetheless, this kind of public data isn't normally all found in the same place for free. It seems that the data was taken, perhaps legitimately, from People Data Labs and OxyData.io, two different people-search services that (legally) scrape the internet to aggregate details about individuals for marketing purposes, and then charge their customers for access. 

As such, you can think of these services as phone books for everyone who has a presence online, and the open database as a free version of that. The data could arguably all be considered contact information.

What's the danger?

Do you need to worry about this? Perhaps not. All this data stored in one place would make it easier for spammers and scammers to contact you, but they could also just buy (or steal) the same information from either of the two firms from which this data trove was taken. 

Scammers can also use free tools to scrape such data from websites. One such tool is Maltego, freemium software that lets you plug in a name, address or phone number and get a list of all the online data associated with that piece of data. It's possible that the people-search services whose data ended up in the unprotected database used similar tools.

What you can do 

What you CAN do is make sure that your social-media profiles don't contain the truly sensitive data that would let someone steal your identity or hijack your online accounts. 

So make sure your date of birth isn't visible on your Facebook profile. You can live without those canned birthday wishes from people you barely know. Don't even post the day and month, because it's easy enough to figure out your year of birth by looking at your school friends.

Don't put a photo of your credit card on Instagram or Twitter. Don't put your Social Security number anywhere online, unless you're checking your credit reports or doing business with the government. And, for heaven's sake, stop reusing passwords.

• How to opt out of data-broker and people-finder services
• What to do after a data breach
• Best password managers