Cyber Incident Victim: Hungarian Human Rights Foundation
Date: Nov 2016
Location: Hungary
Summary
The Hungarian Human Rights Foundation's website suffered a SQL injection attack by hackers Kapustkiy and CyberZeist, compromising over 20,000 user accounts containing personal details such as phone numbers, home addresses, and credentials, including accounts linked to a US government domain. The attackers leaked partial data, notified the organization's security team, and subsequently removed exposed documents after the site was taken offline for maintenance to address the vulnerability.
Description
On November 21, 2016, attackers identifying themselves as Kapustkiy and CyberZeist breached the Hungarian Human Rights Foundation (hhrf.org) website using a SQL injection vulnerability. This technique allowed unauthorized access to databases containing over 20,000 user accounts. The compromised data included sensitive personal information such as phone numbers and home addresses, with some accounts linked to U.S. government email addresses (@state.gov). Kapustkiy, a security pentester with a prior history of exposing vulnerabilities, selectively leaked portions of the stolen data while withholding full disclosure to allow time for remediation. The attackers claimed to have notified the organization's security team about the breach shortly after discovery. Despite this notification, the website remained operational immediately following the incident, leaving user data exposed until mitigation efforts began.

The breach occurred against the backdrop of Kapustkiy's recent infiltration of an Italian government website (Dipartimento della Funzione Pubblica) using similar SQL injection methods, in which 45,000 accounts had been compromised the prior week. By November 22, the Hungarian Human Rights Foundation took its website offline for maintenance to investigate the breach and address vulnerabilities. Concurrently, Kapustkiy removed all leaked documents from public access, describing the removal as mission completion once the organization had responded. The incident exposed sensitive personal data of thousands, including individuals with potential government affiliations, though no specific evidence of data misuse was documented in available reports. The foundation did not publicly disclose remediation timelines or additional technical details beyond the maintenance notice.
