Cyber Incident Victim: YSense
Date: Sep 2016
Location: United States of America
Summary
A cybersecurity breach compromised a user rewards platform, exposing sensitive data from approximately 6.6 million accounts. Attackers gained unauthorized access to systems, hijacked DNS settings to redirect the site, disabled servers, and exfiltrated a database containing plaintext credentials, email addresses, physical addresses, security answers, Social Security numbers, dates of birth, IP addresses, and financial transaction histories. The intrusion exploited an outdated server with database access. Following the incident, the organization mandated password resets for all users and decommissioned the vulnerable infrastructure. A subset of the stolen records was publicly leaked while attackers offered the complete dataset for sale, including internal communications and proprietary source code.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The ClixSense breach began on September 4, 2016, at approximately 5:00 AM EST when attackers redirected the website to a gay porn site. This initial disruption prompted immediate contact between ClixSense's lead developer and owner Jim Grago. The following day (September 5, Labor Day), attackers escalated their intrusion by compromising the company's hosting provider to disable all servers and hacking into Microsoft Exchange servers to alter email account passwords. On September 6, attackers gained access to a legacy server still connected to the primary database server, enabling them to exfiltrate the complete users table containing records for approximately 6.6 million accounts. The compromised data included plaintext passwords, usernames, email addresses, physical addresses, dates of birth, genders, IP addresses, security answers, Social Security numbers, account balances, and payment histories. Attackers additionally stole over 70,000 business and personal emails along with the site's complete source code.

A Pastebin post published on September 10 advertised the stolen data, listing 6,606,008 accounts with plaintext credentials and offering the full dataset for sale while providing sample files containing 2.2 million records. Though the post was removed within two days, sample data remained publicly accessible. ClixSense initiated mandatory password resets shortly after detecting the breach and terminated the legacy server that facilitated database access. The company's public announcement acknowledged the database compromise through an outdated server but omitted references to the circulating data or specific protective measures for users. Forensic analysis by third-party researcher Troy Hunt confirmed the data's authenticity, noting its recency compared to historical breaches. The exposure of plaintext passwords and sensitive identifiers created significant risks for credential stuffing attacks, identity theft, and targeted phishing against affected users.
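The central failure in this incident is that the exfiltrated users table held passwords in plaintext, so one database read gave the attackers every credential outright. The following is an added example, not code from the page or from ClixSense/YSense, showing the defensive pattern the incident calls for: a constructed table in the same shape as the leaked records (invented values), a one-off migration that replaces each plaintext password with a salted scrypt hash and flags the account for a mandatory reset, and a constant-time verifier. The record layout, function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of a "users" table in the shape the breach exposed:
# plaintext passwords stored beside identifying data. All values are invented.
LEAKED_STYLE_USERS = [
    {"username": "alice", "email": "alice@example.com", "password": "hunter2"},
    {"username": "bob", "email": "bob@example.com", "password": "correct horse"},
]

# scrypt work factors (assumed values): 128 * N * r bytes of memory per hash,
# i.e. 16 MiB here, which is well inside hashlib's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password, salt=None):
    """Return a self-describing 'scrypt$N$r$p$salt$digest' string.

    A fresh 16-byte random salt per user means two accounts with the same
    password still get different stored values, defeating precomputed tables.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the parameters embedded in the stored string."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=DKLEN,
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_users(users):
    """Replace plaintext passwords with hashes and mark every account for reset.

    Even after hashing, a password that ever sat in a table an attacker may
    have read must be treated as compromised, which is why the flag is set.
    """
    migrated = []
    for user in users:
        record = {k: v for k, v in user.items() if k != "password"}
        record["password_hash"] = hash_password(user["password"])
        record["must_reset_password"] = True
        migrated.append(record)
    return migrated


if __name__ == "__main__":
    for rec in migrate_users(LEAKED_STYLE_USERS):
        print(rec["username"], rec["password_hash"][:40] + "...", rec["must_reset_password"])
```

A stolen copy of the migrated table yields only per-user salted hashes, so an attacker must spend scrypt's memory-hard cost per guess per account instead of reading credentials directly; the reset flag covers the window in which the plaintext values were already exposed.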
