Last updated 2 weeks ago
In March 2026, the personal development and achievement media brand SUCCESS experienced a data breach exposing 253,510 unique records. The breach compromised email addresses, names, IP addresses, phone numbers, and for a limited number of staff members, bcrypt password hashes. The exposed data also included order information containing physical addresses and payment method details.
The breach involved unauthorized access to SUCCESS systems, which attackers then abused to send offensive newsletters containing quotes falsely attributed to contributors. The attack compromised both customer and staff data, with the staff password hashes representing a higher risk due to potential credential reuse across corporate systems.
SUCCESS issued a disclosure notice confirming the breach and the system abuse for malicious newsletter distribution. The company did not specify containment or remediation milestones beyond the public notification.
The SUCCESS breach demonstrates the risk of insufficient access controls that allowed attackers to both exfiltrate sensitive customer data and abuse system functionality for malicious newsletter distribution. The exposure of bcrypt-hashed staff passwords alongside customer PII indicates inadequate segmentation between customer-facing and internal administrative systems. The incident highlights the need for stricter API and system function monitoring to detect unauthorized use of legitimate features for malicious purposes.
Sign in to join the discussion.
Company
Industry
Disclosed
Records Affected
Attack Vector
Industry
Attack Vector