Someone just lost 324k payment records, complete with CVVs

Edit: A day and a half after publishing this post, the source of the data was eventually identified and a statement issued. Do see the updates at the end of this post.

I see a lot of data breaches. I see a lot of legit ones and I see a lot of fake ones and because of that, I always verify them before making any claims that an organisation has been hacked. Usually I'll verify and then in conjunction with journalists I know and trust, there'll be a private disclosure to the company involved. Good journos are very adept at getting answers to these things and when it's going to be a story that hits the news anyway, it ensures there's a way of getting responses from the impacted organisation before it hits the interwebs. Every so often though, we all get left totally stumped as to what actually went on.

Such has been the case recently for a data breach that I'm highly confident is legitimate but nobody wants to "own". I've worked with a couple of different trusted journos who are very good at getting answers but have ultimately been unable to draw the saga to a conclusion, largely because neither of the parties I believe are involved believes the breach originated from them. So I'm just going to write about the whole thing here, lay the facts out as they stand then see if anyone wants to own it once the details are public.

It all began with this tweet a couple of months ago on 10 July:

This isn't an embedded tweet because it has since been deleted. However, that happened more than a month later which was plenty of time for people to access the alleged BlueSnap database on the Mega hosting service before that link was also disabled. I grabbed a copy of it for later review then headed off on travels, not returning to look at it properly until late August.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities. BlueSnap was founded in Israel back in 2001 where it was originally known as Plimus (both of these facts have later relevance I'll come back to). It was later acquired in 2011 for $115M and rebranded as BlueSnap which is both the present day trading name and the alleged source of the breach in 0x2Taylor's tweet.

Obviously the first thing anyone is going to do when verifying a data breach is look at the contents so here's what I found: The data is in a single file named "Bluesnap_324K_Payments.txt" and as the name suggests, it has 324,380 rows in it with a total of 105k unique email addresses. The first transaction is on 10 March 2014, the last on 20 May 2016. Each row appears to be a payment record which looks like this:

The grey obfuscation is personal information relating to an Have I been pwned (HIBP) subscriber who assisted me with the verification process. The red obfuscation is card data and the arrow points to the "security-code" field which is the CVV. This is the CVV too but again, I'll come back to that.

This is actually only a small porting of the row, in fact it's a mere 14% of the entire record. Every row begins with "0x2Taylor" and contains pipe delimited values along with XML you see above. I've actually decoded a portion of this; the original file included encoding as follows:

\u003ccard-type\u003eVISA\u003c/card-type\u003e

Which decodes as follows:

<card-type>VISA</card-type>

This gives us a bit of a sense of where the data may have been used as the encoding could be used in the JavaScript context.

The other clue in the file here is the word "Plimus" which as you'll recall, was the name BlueSnap went by before 2011. That's two positive indicators of the source but they're also easily fabricated indicators and I wanted some hard facts. So I asked for them.

I've just passed 700k verified subscribers to HIBP, that is people who've come to the site, added their email address to the free notification service then received a confirmation email and clicked on the link to opt in. These are people who are interested in their exposure online, exactly the sort of exposure that this breach here has led to. What I do these days when I need to verify a data breach that's a bit harder than usual or is particularly sensitive is email some of the most recent HIBP subscribers who are in the alleged data breach and ask them if they're willing to assist in verifying the incident. When they respond (and it's always a positive response because they're naturally curious), I send them an email with questions along these lines:

1. Do you live on [redacted]?
2. Did you have a Visa card that expired in [redacted]?
3. There is a purchase against your record from 2014-06-15 for the value of $160 USD; do you recognise the name beginning with "JCC-Maccabi-Games"? This is possibly the service you paid.
4. This may be a harder one given the card has expired, but if you recall, did the CVV end with the number [redacted]?

Let's talk about that CVV for a moment. The Card Verification Value is an extremely important piece of data because it's used to verify the card in scenarios where it's not present, such as when making an online purchase. When the retailer requests the CVV, it means that even if someone has your card number and expiry, without that 3 or 4 digit code the data should be useless as far as making online purchases go. For example, if a database of transactions is leaked then so long as there's no CVV then the cards should be useless on any site that requests it (most do, Amazon is a notable exception to this). When the CVV is in the hands of a malicious party, the very mechanism that was put in place to protect consumers in "card not present" scenarios falls apart. PCI DSS is very clear about how the CVV (or CVV2 as it is these days) should be stored:

It shouldn't be stored and that's what makes this breach such a big issue. Violation of PCI DSS guidelines can lead to pretty serious fines and even loss of merchant facilities; the card providers take this very seriously. I take it seriously as well which is why I also asked HIBP subscribers to verify their CVV by providing me with an additional digit to avoid any confirmation bias (I didn't want them just answering "yes" to each of my questions). It checked out - this is the CVV.

I still wanted to be certain the transactions themselves were clear though but it was tricky to identify the actual source from the raw data alone. The one indicator of the source that was present in the file was an attribute named "soft-descriptor" which in the example above was "JCC-Maccabi-Games". I wondered initially whether this might just be a case of one particular site losing a bunch of data, that was until I aggregated the attribute and looked at the spread of records. In total, there were 899 unique values with the top 20 by prevalence appearing as follows:

1. EntourageManageme : 6299

• regpackclients : 6084
• Kidventure : 3728
• METNY2015201 : 2660
• Group-RX-New-Camp : 2535
• Wild-Whatcom : 2453
• CampKeeTov2016 : 2232
• garinusa : 2178
• JCC-Maccabi-Games : 2163
• USY-Summer-Program : 2088
• AvaAndersonNonT : 2005
• National-College-T : 1986
• High-Sierra-Pools : 1919
• Dedicated-To-Learn : 1846
• METNY-2014-2015 : 1761
• Dedicated-to-Learn : 1717
• EastBaySPCA : 1700
• SanDomenicoSummerC : 1684
• SAEP : 1642
• USY-International : 1548

The record I was looking at was merely the 9th most common result, clearly there were many others involved too. But it still wasn't clear precisely what these websites were nor what was purchased from them. The answer to that lie further down in the data within a Plimus URL formatted as follows:

https://www.plimus.com/jsp/show_invoice.jsp?ref=[redacted]

As the URL suggests, this then takes you through to an online invoice like this:

There are many interesting things about the invoice, the first of which is that it obviously identifies BlueSnap quite clearly both by virtue of their brand and the Plimus URL. It also matches the individual's identity and address from the data breach file which goes a long way to establishing authenticity. Then we can see the website itself where the payment was made which is at jcca.org. The site has a donation page complete with a payment form:

As you can see, the logo clearly indicates that this is "Secure Credit Card Processing"...

There's nothing on the site or the structure of the payment form that indicates BlueSnap though and it looks as though the integration with the payment provider is done entirely on the server side without exposing that information publicly. But there was another piece of information on the invoice which didn't initially stand out at me and only later piqued my interest after another HIBP subscriber made this comment:

I still have the conformation email (a Summer Camp). It referenced http://www.regpacks.com so that might be a possible source too.

Now this is interesting because the invoice in the earlier image refers to a support email address on the regpacks.com domain. Regpack offers a registration service and part of the feature set is this:

Receive payments during registration rather than post-registration

Dealing with payment info is serious business so they also offer some assurances as to their security position:

Another piece of relevant information on the Regpack website is a list of just a few of their customers, including JCC Maccabi Games:

Every single HIBP subscriber I contacted had an invoice referencing a Regpack email address for support. It was looking more and more like they were taking the registrations then passing them downstream to BlueSnap for payment processing. In fact, that's precisely what was happening and it was easily verified via a press release a few years ago:

Waltham, Mass.---April 2, 2013---BlueSnap™, the most flexible and advanced buying platform for online companies selling goods and services over the web and mobile, today announced that Regpack, a global online enrollment platform serving the private education industry, has selected BlueSnap to process the financial transactions for its online enrollments. Regpack integrates with BlueSnap’s flexible and advanced payments platform to provide a complete enrollment and payments solution for organizations such as private schools, camps, educational tourism, faith community organizations, seminars and professional conferences.

In that press release, the Regpack CEO goes on to say:

Moreover, BlueSnap’s strict security measures for online transactions mean that we can use BlueSnap to process payments and conduct business without going through the expense of becoming PCI-compliant level one on our own.

Now by this stage you'd think the whole thing was wrapped up; either Regpack or BlueSnap have had a data breach and leaked a few hundred thousand transactions replete with partial card data and CVVs. The problem is though, neither party believes the breach came from them. I worked with two separate journalists on this and they both had feedback from BlueSnap and Regpack suggesting another party was responsible. I also reached out to them both yesterday for comment and got this from BlueSnap:

Based on an investigation we initiated as soon as we heard about the data set, we hired a top PCI-certified Incident Response firm. Based on that investigation we confirmed that BlueSnap did not experience a system breach or any data loss.

And got this from Regpack:

As a preventive measure, we ran a full forensic investigation and it has concluded that there was no data breach on Regpack servers. In spite of that, we have run the full security protocol implemented in these cases and conclusively determined that our servers were not involved.

Personally, I see indicators implicating both of them. On those that point to BlueSnap losing the data, there's the name of the file itself and 0x2Taylor's original assertion that it came from them in the first place. The file wasn't named "Regpack_324K_Payments.txt", it was BlueSnap's name in there and whilst a file name alone is not proof of an incident, it's an indicator. Then there's the nature of the sites that were involved; when I checked with HIBP subscribers, we identified sources such as the Jewish Community Centers Association of North America mentioned above, Liberal Judaism and Passages America Israel. There were other non-Jewish organisations involved as well (such as the East Bay SPCA), but it's hard to ignore the coincidence of the organisation being implicated as having lost the card data to have its origins in Israel then see such a prevalence of Jewish websites using their services. But then again, they all had Regpack support email addresses on them, so onto them...

Regpack's name is associated with every one of the HIBP subscribers I contacted. I'd expect that if BlueSnap was the source of the breach then we'd be seeing a mix of downstream consumers in the file, unless they store the data in such a way that Regpack's records are isolated from other customers and they alone got breached. Another indicator pointing to Regpack as the source of the incident is that per the statement above, they don't need to be PCI complaint and thus haven't gone through the rigour of audits. (Edit: I've put a strike through this because the CEO's comment was around level one PCI compliance. Regpack may be compliant with a lower level requiring less rigour.) Now by no means does merely being PCI compliant guarantee a breach won't happen, but when the transgressions are as egregious as storing the CVV, something is majorly amiss. And finally, "regpackclients" features as the second most common "soft-descriptor" in the earlier bulleted list with over 6k entries. That's slightly odd because there are many other descriptors which then have invoices referring Regpack's email address for support, but it's yet another indicator of how heavily they feature in the data.

Now it's possible that the data has come from another unnamed party, but it's highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn't have been there. We've got 899 totally separate consumers of the Regpack service (so it's not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I'm missing a fundamental piece of the workflow (and I'm certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.

Lastly, just to absolutely, positively avoid any remaining doubt that this is a legitimate data breach, let me share a collection of responses from HIBP subscribers (note also the responses regarding the CVV):

Address is correct and yes I did have a card that expired in 2014

That all seems right

Yes, that information is correct

I had a Visa card ending in 10 and I am pretty sure it expired in 2013

Yes, we do have a visa that expires in 2020, and yes the CVV ends in 8

This is genuine information that you have provided

I don’t know how they got the CVV either

So that's where it stands at the moment - it's highly likely that either BlueSnap or Regpack lost the data - but frankly, I'm more concerned about those who have their info floating around the web which includes:

1. Names

• Physical addresses
• Email addresses
• IP Addresses
• Phone numbers
• Last 4 digits of their credit cards (remember, this is identity verification data and it's enormously useful for hijacking accounts)
• CVV
• Online invoices which then include details of their purchases

These people need to know that their data was posted publicly to Twitter and none of us have any idea how many people now have it. They need to cancel impacted cards (full card data wasn't leaked, but refer to the link above re partial data being used to hijack accounts) and be aware that their personal info has been exposed. The sites using these facilities also need to be notified because they're the ones that have the relationship with the customers. This requires the cooperation of BlueSnap and Regpack, the former of which is still hosting those invoices publicly on the plimus.com domain where anyone who has the invoice numbers from the breach can simply enumerate them and pull down even more personal data. It may not be a pleasant experience for them, but they need to step up and take responsibility.

I've now loaded all 105k email addresses into HIBP so if you think you may have been impacted, you can search for your address on the site. I've indicated that it's a BlueSnap breach and linked through to this post simply because that's the name it was represented as but will change that if it's determined otherwise. Right now the priority should be in supporting those whose personal data has been disclosed and attribution can follow later.

Update 1 (12 hours later): I've had further feedback from BlueSnap who remain adamant the data hasn't come from them and have issued the statement below to their merchants. I've asked point-blank if they believe Regpack is the source of the breach and will post an update here if there's any feedback I can share. As yet, I don't believe the individuals in the breach whose data is been publicly circulated have been notified by either party.

Update 2 (24 hours after initial post): There's been a lot of discussion on this incident both in the comments below and via email. A number of people have said they've reached out to Regpack and received responses indicating that they weren't the source of the breach and offering little support beyond there. I want to reiterate a few immutable facts:

1. The data in the breach is legitimate and contains personal information

• There are hundreds of thousands of transactions out in the wild including details on over 100k customers
• The data contains the last four digits of the card which are frequently used for identity verification purposes
• The data contains the CVV which should never have been stored by anyone
• BlueSnap has known about the incident since at least the 21st of August
• Regpack has known about the incident since at least the 26th of August
• Websites who had customer data exposed were using the services of Regpack
• Regpack may not have lost the data, but they're accountable to their customers which means the sites using their service
• As yet, to the best of my knowledge those impacted in the data breach have not been notified and that includes both websites using Regpack and customers who made purchases

Given there's still no resolution to this and neither BlueSnap nor Regpack believe they're responsible, I'm listing all 899 "soft-descriptor" values below complete with the number of transactions each has in descending order (these are the websites using the Regpack service). If your site is amongst that list and you're concerned for your customers, contact the organisation you sent the transaction to as they're the party you have the relationship with and entrusted with the data.

1. EntourageManageme : 6299
2. regpackclients : 6084
3. Kidventure : 3728
4. METNY2015201 : 2660
5. Group-RX-New-Camp : 2535
6. Wild-Whatcom : 2453
7. CampKeeTov2016 : 2232
8. garinusa : 2178
9. JCC-Maccabi-Games : 2163
10. USY-Summer-Program : 2088
11. AvaAndersonNonT : 2005
12. National-College-T : 1986
13. High-Sierra-Pools : 1919
14. Dedicated-To-Learn : 1846
15. METNY-2014-2015 : 1761
16. Dedicated-to-Learn : 1717
17. EastBaySPCA : 1700
18. SanDomenicoSummerC : 1684
19. SAEP : 1642
20. USY-International : 1548
21. ssoregistration : 1479
22. WildWhatcom : 1475
23. yjevents : 1403
24. CampKeeTov2015 : 1397
25. Pantano-Christian : 1377
26. TAPROOTNATUREEXPER : 1232
27. aardvarkisrael : 1224
28. Jackson-Sports-Aca : 1203
29. DBatMustangs : 1151
30. Mda-Israel-Program : 1148
31. JacksonSportsAcade : 1121
32. MissionBaySport : 1064
33. PantanoChristian : 1058
34. ElDoradoMusical : 1032
35. CWRU : 1023
36. USYSummerProgram : 1004
37. DanceTheatre : 967
38. ServeCamp : 965
39. Saint-Helens-scho : 927
40. BrightMindsYouth : 924
41. Northwest-Hydroele : 922
42. CreativeAction : 910
43. shevettapuach : 872
44. Young-Judaea-Year : 866
45. ArtTime : 864
46. USYInternational : 860
47. SAEP2016 : 856
48. Matthew13Catholi : 852
49. North-Texas-Confer : 817
50. real-life-summer-c : 799
51. Hanegev2015-2016 : 799
52. Camp-Kee-Tov-2014 : 786
53. Shasta-Community-C : 777
54. METNY : 773
55. ReggaeRunnerz : 767
56. Seaboard2015 : 742
57. DANCE411 : 740
58. OPEF2016SummerB : 736
59. Gilbert-High-Schoo : 725
60. L3X : 721
61. D2L2016-Walnut : 721
62. ShastaCommunityC : 704
63. ArizonaScienceCe : 701
64. MagnificatHighSc : 689
65. OPEF-BASE-Camp-201 : 674
66. grinnellcollege : 659
67. D2L2016-Diamond : 655
68. Hagalil20152 : 654
69. HS-uniform-fees : 648
70. El-Dorado-Musical : 648
71. Saint-Helens-Schoo : 643
72. artomatic : 639
73. garin : 636
74. WildfishRegistrat : 635
75. ParksPlusCreatio : 625
76. NorthTexasConfer : 625
77. SAN-JOAQUIN : 617
78. EMTZA-Staff-2014-2 : 614
79. Hanegev-2014-2015 : 606
80. teamworksdogtraini : 602
81. CampCardiac : 602
82. BergenCommunityC : 602
83. American-Pavilion : 600
84. tzofimcvk : 571
85. Group-RX : 571
86. BBYO-UK : 564
87. YoungJudaeaYear : 562
88. MdaIsraelProgram : 558
89. Juneau-Dance-Theat : 557
90. BASE-Camp-2014 : 548
91. VISnet-2014 : 539
92. Stonewall-Columbus : 536
93. camp-liberty : 536
94. LaurensKids : 532
95. WesternSocietyfo : 528
96. iedesign : 525
97. wujs : 503
98. camp-liberty2016 : 494
99. LimmudNY2016 : 482
100. visnet : 480
101. PENINSULACOLLEGE : 479
102. CRUSY-2014-2015 : 479
103. CourtsForKids : 479
104. Saint Helen's scho : 479
105. Field-Institute-of : 478
106. Seaboard-2014-2015 : 475
107. CampKeeTov2014 : 473
108. EMTZA2015-2016 : 472
109. Master-Russian-pro : 469
110. HighSierraPools : 463
111. MuseumoftheBibl : 462
112. 1870Farm : 460
113. SummerCollegeTra : 460
114. LIMMUDNY : 459
115. DistrictVIICDA : 456
116. USY-EMTZA : 442
117. UniversityCitySwim : 439
118. KidsCreativeAdve : 431
119. Young-Judaea-Amiri : 430
120. BACC-Camp : 427
121. CHUSY2015-2016 : 427
122. Young-Judaea-Summe : 420
123. VISnet2014 : 410
124. DoctorDevelopment : 399
125. JCCMaccabiGames : 397
126. METNY-2015-201 : 393
127. SWUSY2015-2016 : 393
128. nativ : 392
129. CRUSY2015-2016 : 390
130. BuildingMinds : 386
131. Parks-Plus-Creatio : 383
132. Kids-and-Culture-C : 379
133. CHUSY-2014-2015 : 377
134. Wild What : 374
135. RockyMountainBir : 373
136. SanDomenicoAfter : 372
137. One-Love-Training : 371
138. SaintHelensSchoo : 370
139. Needham-Millis-Dan : 369
140. Songleader-Boot-Ca : 368
141. 3CrossesCamp2016 : 359
142. Southwest-District : 358
143. FZYTour2016 : 356
144. JCCMaccabi2016- : 355
145. JTerm : 351
146. Nevada-City-CA : 350
147. ibc : 349
148. NERUSY201520 : 344
149. XavierHighSchool : 343
150. JewishBookCounci : 338
151. Jivamukti-Yoga-Wil : 337
152. FOOTSTEPSFORFERTIL : 334
153. Dance411Rental : 332
154. NewFrontier2015- : 332
155. SaintHelensBaske : 328
156. CampGideon : 327
157. NORTHERNMOVEME : 326
158. Camp-Eagle : 326
159. RythersAspiringY : 322
160. DBatsHSuniform : 320
161. Hagesher2015 : 318
162. XavieriPadSale : 316
163. IASSIST : 312
164. CH-USY : 310
165. SummerShowoffs : 310
166. Hope-Girls-Basketb : 308
167. Jewish-Book-Counci : 306
168. USYKadimamember : 305
169. USY International : 305
170. Newton-Inspires-20 : 300
171. regpack_clients : 299
172. CampTaylorHearts : 298
173. Hagesher-2014-2015 : 297
174. Soccerstlmo : 297
175. Jivamukti-Yoga-New : 295
176. DramaLearningof : 285
177. Southeast-Student : 282
178. homeschoolcampus : 281
179. SWUSY-2014-2015 : 275
180. Northwest-Technica : 274
181. FZYTour : 272
182. OurLadyofGoodC : 272
183. Hagalil-2014-2015 : 270
184. BACCCamp : 264
185. 3Crosses-Camp : 262
186. Israel Reform Move : 262
187. NorthwestTechnica : 260
188. WashingtonIrving : 257
189. ColoradoEducation : 257
190. COMMUNITYOFCHRIST : 256
191. Grace-North-Church : 254
192. SCRA Group Lessons : 254
193. EmersonWaldorfSc : 253
194. mmea : 251
195. Bali-Institute : 245
196. Menlo-Park-Legends : 244
197. ACSportsAcademy : 244
198. Art-Time : 243
199. WildernessExperie : 243
200. Ramah-2015-Summer : 236
201. Sway-Youth-Enrichm : 235
202. Hi-Tech-Learning : 232
203. CAConsultingLLC : 232
204. Camp-Taylor-Hearts : 230
205. Israel-Reform-Move : 229
206. SW-USY : 227
207. OurLadyMotherofthe : 226
208. WMtrainingandevent : 225
209. Liberal-Judaism-Ev : 224
210. YJyearroundreg : 224
211. NewHeights : 224
212. greenedventures : 223
213. JuneauDanceTheat : 223
214. nyoda : 221
215. TurtleHillEvents : 220
216. IslamicWeekendSc : 219
217. WildfishTheatreS : 216
218. FZY-Tour-2015 : 215
219. SouthwestDistrict : 215
220. CuyahogaValleyCh : 213
221. PortCityCommunit : 208
222. Southern-Connectic : 206
223. PooleofFineArts : 206
224. Cuyahoga-Valley-Ch : 205
225. Hi-TechLearning : 205
226. Group RX : 205
227. SCRA Private lesso : 204
228. Northern-Movement : 203
229. GroupRXNewCamp : 203
230. FreestyleLanguage : 203
231. HitchcockCenterF : 199
232. New-Frontier-2014- : 198
233. FieldInstituteof : 194
234. GilbertHighSchoo : 192
235. D2L2016-Suzanne : 191
236. CarolyneBarryAct : 190
237. Mapleton City - Ra : 189
238. Rye-PTA : 189
239. FarWest2015-2016 : 189
240. BBYOUK : 188
241. IndianapolisBarA : 188
242. Cycon : 186
243. New-Heights : 186
244. Soccerstlmo2016 : 186
245. Klein-United-Metho : 185
246. Walk-Your-Path-Wel : 184
247. WingraBoatsSumme : 181
248. Wildheart-Nature-S : 180
249. Hope-Basketball-Ca : 179
250. Camp-del-Corazon : 177
251. Hitchcock-Center-F : 177
252. Mt-Tabor-Summer-Ba : 177
253. Tzafon201520 : 177
254. USY-Pinwheel : 176
255. Notre-Dame-of-Mt : 175
256. TechSmart Kids : 175
257. catesol-2016-san-d : 174
258. OPEF-Build-Day-201 : 173
259. LincolnSchoolPTO : 171
260. USY-Leadership-Pro : 170
261. CommunityEnvironm : 170
262. Cambridge-EllisSc : 169
263. WoodsHumaneSocie : 169
264. BoysGirlsClubs : 168
265. JesseHelmsCenter : 165
266. YoungJudaeaSumme : 164
267. CampEagle2016 : 164
268. D2L2016-Chaparr : 164
269. PIP : 163
270. SCRA-Group-Lessons : 162
271. MasaTlalim : 162
272. Saint Helens Year : 162
273. LighthouseForthe : 162
274. catesol-2016-la-co : 162
275. YoungJudaeaYearCou : 161
276. Broadway-Bootcamp : 159
277. YoungJudaeaAmiri : 159
278. OCA2016Conventio : 158
279. ConservativeYeshiv : 156
280. OPEFBuild4Good : 156
281. 2015-Camp-del-Cora : 155
282. OPEF-Gadget-Day-20 : 155
283. Galilean-Bible-Cam : 154
284. l3x : 154
285. EMS-and-Healthcare : 154
286. SCRAGroupLessons : 153
287. Camp-Gideon : 153
288. marva : 151
289. AnimalFriends : 151
290. The-Circle-School : 149
291. NERUSY-2014-2015 : 149
292. Animal-Friends : 149
293. BionRegionalSymp : 149
294. Saint-Helens-Year : 147
295. JYTT-India-2015 : 145
296. Rosarian-Academy : 145
297. Jivamukti-Yoga : 143
298. WESLEYANCHURCH : 142
299. yj_events : 141
300. ccofSummer2016 : 141
301. MarquardtSchoolD : 138
302. TheHomeOwnership : 136
303. 2016CampdelCora : 136
304. RamahIsrael : 135
305. Hudson-Valley-Rib : 135
306. StonewallColumbus : 134
307. Liberal-Judaism-Ca : 132
308. SCRAPrivateLessons : 131
309. AMHCA : 131
310. NorthernMovement : 131
311. NoamMasortiSummerc : 130
312. SLBC2016 : 130
313. Dance-411-Summer-2 : 128
314. Pinwheel-2014-2015 : 128
315. ZebrafishHusbandr : 128
316. Master Russian pro : 126
317. Camp-Moonlight : 125
318. SCU : 125
319. AWS-Detroit : 123
320. OakHillMontessor : 121
321. Tichon-Ramah-Yerus : 119
322. HopeGirlsBasketb : 119
323. EMS and Healthcare : 119
324. Courts-For-Kids : 118
325. DoulaTrainingsIn : 117
326. ChoreographyFesti : 117
327. Rocky-Mountain-Bir : 116
328. LiberalJudaismCa : 116
329. knowledgecrossingb : 116
330. RosarianAcademyS : 116
331. McCallum-Theatres : 115
332. Camp-Sunrise : 115
333. HVRF2016 : 115
334. BethEl5776 : 114
335. TK20 : 113
336. Camp-Gan-Israel- : 112
337. KeystoneDiabetic : 112
338. JYTT-Costa-Rica-20 : 111
339. Canterbury-School : 110
340. OmiInternational : 110
341. TheIndependentSc : 110
342. catesol-2016-north : 110
343. BroadwayBootcamp : 107
344. Dance411Staff : 107
345. USPostalService : 107
346. BLax : 107
347. CEF-of-Fargo-and-M : 105
348. EPA20152016 : 105
349. BYP100 : 104
350. Tzafon-2014-2015 : 103
351. FICEAustria : 102
352. YoungJudaeaWUJS : 101
353. HooglandCenterFo : 101
354. Hanefesh2015 : 100
355. SlowFoodNewOrle : 100
356. camp_gan_israel : 96
357. Dance-411-Staff : 95
358. ISL Futbol : 95
359. PlaycreationsKids : 95
360. BeachesEpiscopal : 95
361. EPA-2014-2015 : 94
362. MasterRussianpro : 94
363. Mda Israel Program : 93
364. ZestfulGardens : 93
365. SCRA-Private-lesso : 92
366. CanterburySchool : 92
367. Village-Academy : 90
368. HPCS2016 : 90
369. YoungCodersAcade : 89
370. VistaSchoolingan : 89
371. NewNebConference : 88
372. 3CrossesCamp : 88
373. PacificIntegral : 88
374. Pinwheel2015-2016 : 88
375. Beth-El-School-Reg : 86
376. Doula-Trainings-In : 85
377. USYLeadershipPro : 85
378. Ramah-2014-Summer : 84
379. TheRingBoxingCl : 83
380. EvolveVolleyball : 83
381. Dance 411 Camp : 83
382. Ramah2016Summer : 81
383. Hope Girls Basketb : 81
384. Bios : 81
385. SpartanburgDaySc : 81
386. Hanefesh-2014-2015 : 80
387. CASFM : 79
388. Winterblast : 78
389. MtTaborSummerM : 78
390. Snider-Mountain-Ra : 76
391. NotreDameofMt : 76
392. Db-Skim-Camp : 75
393. BethElSchoolReg : 75
394. JYTTINDIA2016 : 75
395. GraceNorthFamily : 75
396. TheChurchofthe : 75
397. Mars-Global-Summit : 74
398. PensionPro-Confere : 74
399. Seaboard-2015- : 74
400. itf_ie : 74
401. NeedhamMillisDan : 72
402. goodwillevents : 71
403. Sway Youth Enrichm : 71
404. AUJS : 70
405. PacificIntegralR : 70
406. CollegePrepCamp : 70
407. GloucesterCommuni : 70
408. BaliInstitute : 69
409. JYTTCOSTARICA20 : 69
410. Race-Corps : 68
411. Maase-Olam-ITF : 68
412. CampMoonlight201 : 68
413. Dance-Versity : 67
414. WAM : 67
415. NationalAssociati : 67
416. BBYO UK : 66
417. YoungJudaeaCLIP : 66
418. GCBC-Guelph-Comm : 65
419. Overflow-Prophetic : 65
420. BASECampArboretu : 65
421. UtahSuzukiHarpI : 65
422. RamahIsraelInsti : 64
423. San-Domenico-After : 62
424. Mobile-Bay-Sailing : 62
425. WildheartNatureS : 62
426. mda : 62
427. OaklandInterfaith : 62
428. NorthwestHydroele : 61
429. AC-Sports-Academy : 59
430. CampEagle : 59
431. VillageAcademy : 59
432. SleepTreatmentCo : 59
433. Great-Lakes-Econom : 57
434. The Circle School : 57
435. SCAMedicalMissio : 57
436. luselandbiblecamp : 56
437. TheCircleSchool : 56
438. MaaseOlamITF : 56
439. Aspire Soccer Camp : 56
440. USY-ECRUSY : 56
441. USY Leadership Pro : 55
442. Ramah-Jerusalem-Da : 54
443. CollegiateWomens : 54
444. TichonRamahYerus : 54
445. Mabee-GerrerMuseu : 54
446. PACEApplication2 : 54
447. YoungJudaeaShalem2 : 53
448. Northeast Epi Conf : 53
449. american_sokol : 52
450. CampCardiacNeuro : 52
451. Temple Bnai Jeshur : 51
452. SacredHeart-Shi : 51
453. Lipkin-Tours : 50
454. Hagalil-2015-2 : 50
455. GalileanBibleCam : 50
456. Camp-Gailor-Maxon : 49
457. GarinTzabar : 49
458. 2020-Technologies : 48
459. HopeBoysBasketba : 48
460. TzabarPolin : 47
461. SpokaneINWAPSI : 47
462. St-Andrews-Bay-Ya : 46
463. OPAConvention2016 : 46
464. CorpusChristiChu : 45
465. DanceVersity : 45
466. USYAlumni : 45
467. IxlAcademy : 44
468. TheFoodBusiness : 44
469. WISEFORESTPRE : 43
470. Camp-Experience : 43
471. Liberal Judaism Ca : 43
472. SantaMonicaLittleL : 41
473. Willow-Springs-Cam : 41
474. ScruplesSymposium : 41
475. WestSideStudio : 41
476. CEF of Fargo and M : 41
477. Brian Jordan Camps : 41
478. LagniappeAssociat : 41
479. CrestmontCamp : 41
480. RAMAHISRAEL : 40
481. Ramah-Israel-Insti : 40
482. Ixl-Academy : 40
483. Friendship-Caravan : 39
484. PACE-Application-2 : 38
485. ierimon : 38
486. The-Food-Business : 38
487. Game-On-Sports : 38
488. Vermont Infectious : 38
489. CH USY : 38
490. ktantanim : 37
491. Crosslink-Meadows : 37
492. MBP EA Conference : 37
493. Young-Judaea-Shale : 36
494. LFFPPeaceLeadersPr : 36
495. KidsandCultureC : 36
496. ForestHillsField : 36
497. Pioneers Camp : 36
498. Maase Olam ITF : 36
499. WalkYourPathWel : 35
500. CampKeeTov2013 : 35
501. USY Summer Program : 35
502. Northeast-Epi-Conf : 34
503. Christ-Church : 34
504. WomenWorkinginC : 34
505. Clubcorp : 34
506. Hagesher-2015- : 33
507. garin_usa : 33
508. CadillacLaSalleClu : 33
509. CHUSYAnnualBenef : 33
510. FZY-Camp-2015 : 32
511. Collegiate-Womens : 32
512. goodwillslp : 32
513. YoungJudaeaOnwar : 32
514. CSAKarateCamp : 32
515. camp-yavneh : 31
516. CEF2015 : 31
517. IdeaCampRio : 31
518. KarenPickettLMFT : 30
519. ProyectoFeIntern : 30
520. OPEF Base Camp 201 : 30
521. ie_design : 30
522. Kappa-Sigma-5k-Tro : 30
523. SupportabilitiesF : 30
524. Santa-Monica-Littl : 29
525. Hope Basketball Ca : 29
526. ClearconnectSolut : 29
527. ALACCABibleCamp : 29
528. NSTEP-Study-Buddy : 28
529. Qverity : 28
530. CampSunrise : 28
531. HanegevStaff : 28
532. campganisrael : 28
533. CampWildcraft : 28
534. HEICFellowsCours : 27
535. TTS-Certification : 26
536. Young-Judaea-Onwar : 26
537. Onward-Israel-Gree : 26
538. RosarianAcademy : 26
539. StAndrewsBayYa : 26
540. USY - EMTZA : 26
541. Northfield-Confere : 26
542. 1870Farm-Presch : 26
543. SWUSY-Staff : 25
544. MaaseOlam : 25
545. ArtisticallyMe : 25
546. Habitat for Humani : 24
547. FZYKesher2016 : 24
548. GoTechCamp : 24
549. FreedomSchool : 24
550. HarvesterChristia : 24
551. shnatsherut : 23
552. Santa Monica Littl : 23
553. shevet_tapuach : 23
554. Aspire-Soccer-Camp : 23
555. OnwardIsraelGree : 23
556. StrongwaterSwim : 23
557. Camp-KidsTown : 22
558. SWAMIVIVEKANANDA : 22
559. ACNM : 22
560. Kenosee-Lake-Bible : 22
561. DbSkimCamp : 22
562. TheWordChurch : 22
563. EnvironmentalVolu : 22
564. ACNM2016 : 22
565. AnimatheForumF : 22
566. JYTT-Germany-2015 : 21
567. Prepare-Yourself-C : 21
568. GraceNorthChurch : 21
569. MtTaborSummerBa : 21
570. RamahJerusalemDa : 21
571. LimmudFest2016 : 21
572. SW USY : 20
573. Tichon Ramah Yerus : 20
574. Vermont-Infectious : 20
575. GOTS2016 : 20
576. AWSDetroitLadies : 20
577. AllenAcademy : 20
578. TTSCertification : 19
579. NewtonInspires20 : 19
580. Dance Versity : 19
581. Splash Bartow 2013 : 19
582. USY Pinwheel : 19
583. TechSmart-Kids : 19
584. goodwilledp : 19
585. ComposedEssays : 19
586. Sewickley-Academy : 18
587. HudsonValleyRib : 18
588. American Pavilion : 18
589. YoungJudaeaSummerP : 18
590. ATSuccessLondonS : 18
591. fzycamp : 17
592. WholisticLearning : 17
593. Shalomlearning : 17
594. Artstream : 17
595. METNY2016201 : 17
596. USY-EMTZA-Staff : 16
597. GCBCBOATING : 16
598. Veida : 16
599. Tzafon-2015-20 : 16
600. 2015CampdelCora : 16
601. CampMoonlight : 16
602. JYTTGermany2015 : 16
603. SWUSYStaff : 16
604. YoungJudaeaAmirim2 : 16
605. Dance411Camp : 16
606. Baden-PowellNorth : 16
607. GrowAGeneration : 16
608. Hanegev-Staff : 15
609. NERUSY-2015-20 : 15
610. USY - ECRUSY : 15
611. FZY-Year-Course-20 : 14
612. Pacific-Integral : 14
613. CrosslinkMeadows : 14
614. MobileBaySailing : 14
615. FZYYearCourse20 : 14
616. Ramah 2014 Summer : 14
617. FZYVeida2016 : 14
618. International-Law : 13
619. FZY-Events : 13
620. PBC-Church-Registr : 13
621. PensionProConfere : 13
622. EMTZAStaff : 13
623. Songleader Boot Ca : 13
624. JH Ranch - Decembe : 13
625. OneLoveTraining : 12
626. GameOnSports : 12
627. tzofim_cvk : 12
628. YoungJudaeaFood : 12
629. WorldLanguagePro : 12
630. itfie : 11
631. Customer-Love : 11
632. COLLEGECERT : 11
633. PBC-Camp-Registrat : 11
634. CEFofFargoandM : 11
635. FriendshipCaravan : 11
636. JH-Ranch-Decembe : 11
637. SacredHeart-Cam : 11
638. CampGideon-Volu : 10
639. betar-wingate : 10
640. CampLookout : 10
641. CoachTBasketball : 10
642. Pinwheel-2013-2014 : 9
643. GTO : 9
644. InSync Volleyball : 9
645. ChelseaYachtClub : 9
646. fzyyearcourse : 8
647. KolAmi : 8
648. Hanegev-Staff-2014 : 8
649. Hanefesh-2015- : 8
650. IXLAcademy2016 : 8
651. TheSchoolofBasketb : 7
652. SWUSY-Staff-2014-2 : 7
653. BIGR-AU : 7
654. Muscolo-Meat-Acade : 7
655. Zebrafish-Husbandr : 7
656. SouthernConnectic : 7
657. AFSIntercultural : 7
658. MDP : 7
659. IsraelTeenFellow : 7
660. catesol-2016-annua : 7
661. FZY-H-2013 : 6
662. Summer-College-Tra : 6
663. EMTZA-2015-2016 : 6
664. NationalCollegeT : 6
665. SummerAdultTrips : 6
666. green_edventures : 6
667. CrystalaireAdvent : 6
668. HolidayShow-Offs : 6
669. Sportstyme-Jupit : 6
670. GO-ART-BOX : 5
671. EPA-2015-2016 : 5
672. SWUSY-2015-2016 : 5
673. AutomicUniversity : 5
674. IslamicAssociatio : 5
675. fzy_camp : 5
676. FZY H+ 2013 : 5
677. Wild-What : 5
678. ICCA-Membership-Du : 5
679. Dbat-Mustangs-HS : 5
680. FamilySystemSpo : 5
681. GloucesterCounty : 5
682. cwa : 5
683. Camp-Gideon-Volu : 4
684. PBCCampRegistrat : 4
685. Dbat Mustangs - HS : 4
686. fzy_yearcourse : 4
687. ramah_high_school : 4
688. SummerDelegation : 4
689. FZYHadrachaPlus : 4
690. KingdomWorkersSp : 4
691. RaMessut : 4
692. Click-Connect : 3
693. Summer-Delegation : 3
694. EMTZA-Staff : 3
695. MassaFrance : 3
696. PBCChurchRegistr : 3
697. WiseYoungBuilder : 3
698. IdaTeam : 3
699. StaffordTechnical : 3
700. shnat_sherut : 3
701. Christ Church : 3
702. Hagalil20162 : 3
703. ATRRM : 3
704. MissionSquash : 3
705. Innovative-Academi : 2
706. Bumble-ABC : 2
707. A-Little-Culture : 2
708. Noam-Masorti-Summe : 2
709. YWCO : 2
710. Keytana : 2
711. CHUSY-2013-2014 : 2
712. Wise-Young-Builder : 2
713. Real-Life : 2
714. 33rd-FICE-CONGRESS : 2
715. Ramah2015Summer : 2
716. OPEFBASECamp201 : 2
717. FZYTour2015 : 2
718. SportScienceFunS : 2
719. Artomatic : 2
720. yj_yearcourse : 2
721. ramah_summer_semin : 2
722. SplashBartow : 2
723. l3x2012 : 2
724. Rye PTA : 2
725. israelchallenge : 2
726. ienachshon : 2
727. ramahhighschool : 2
728. FortClarkston : 2
729. UnitedSecurityTr : 2
730. FZYKeytana2016 : 2
731. SanFranciscoRecr : 2
732. GrinnellCollege : 2
733. HighroadConsultin : 2
734. CertifiedSiteSaf : 2
735. ChristsChurchof : 2
736. AWSGolfOuting : 2
737. JYCostaRicaAlumni : 1
738. OURLADYMOTHER : 1
739. ALASKA-NEW-MEDIA : 1
740. ALASKATECHNICAL : 1
741. COURTIER-INSPECT : 1
742. N-DEPTH-RESP : 1
743. Camp-Nyoda : 1
744. L3X-2014 : 1
745. COURT-SENTINEL : 1
746. Central-Union-AS : 1
747. Young-Judaea-Famil : 1
748. Legacy-Soccer-Acad : 1
749. Camp-Kee-Tov-2015 : 1
750. SportScience-Fun-S : 1
751. Stone-Mountain-Adv : 1
752. newtoninspires20 : 1
753. Stratford-Camp : 1
754. AC-Flight-Lacros : 1
755. ramahyouth : 1
756. PBC-Individual-Reg : 1
757. Camp-Liberty : 1
758. The-Center-For-Wil : 1
759. StemTree : 1
760. Thinking-Outside-T : 1
761. McCallum-Theatre : 1
762. Ramah-2016-Summer : 1
763. FPX-Conference : 1
764. Einsteins-Workshop : 1
765. Noahs-Ark-Zoo-and : 1
766. Mr-D-Math : 1
767. Western-Society-fo : 1
768. Refreshing-Lives : 1
769. River-City-FC : 1
770. FZY-Hadracha-Plus : 1
771. Palmetto-Engineeri : 1
772. North-Georgia-Home : 1
773. McCallum-Theatre-T : 1
774. SLBC-2016 : 1
775. Strongwater-Swim : 1
776. Young-Coders-Acade : 1
777. Hanegev-2015-2016 : 1
778. CHUSY-2015-2016 : 1
779. You-Give-It-We-Gr : 1
780. Acts-World-Relief : 1
781. Mindful-Leadership : 1
782. Automic-University : 1
783. Mabee-Gerrer-Museu : 1
784. Child-Care-Council : 1
785. FZYCamp2015 : 1
786. CampGanIsrael- : 1
787. USYMembership : 1
788. WildfishTheatre : 1
789. USYUploads : 1
790. InternationalUSY : 1
791. AmericanDanceIns : 1
792. SewickleyAcademy : 1
793. MuscoloMeatAcade : 1
794. CRUSY2014-2015 : 1
795. ECRUSY2015-2016 : 1
796. OPEFBASECampFie : 1
797. FortClarkton : 1
798. CyliaHarrietFoun : 1
799. JacobusConsulting : 1
800. McCallumTheatreD : 1
801. KidzNPlay : 1
802. WestMetroFireRe : 1
803. LifeSafetyDivisi : 1
804. Ktantanim2015-201 : 1
805. JDECRegistration : 1
806. WMtrainingcenter : 1
807. McCallumTheatres : 1
808. TeamworksDogTrai : 1
809. SouthwestVermont : 1
810. MemphisTheologica : 1
811. E-Rive : 1
812. yj_summer : 1
813. ie_rimon : 1
814. israel_challenge : 1
815. JH History Makers : 1
816. LCFOilers : 1
817. ICCA Conferences : 1
818. Innovative Academi : 1
819. yj_shalem : 1
820. SWUSY Staff : 1
821. L3X 2013 : 1
822. shevettapuach2012 : 1
823. College-Hockey-Exp : 1
824. Student-Education : 1
825. OPEF-Day-Camp-2013 : 1
826. tigermma : 1
827. Camp-Jano-India : 1
828. Maccabi-games : 1
829. Florida-Flyers : 1
830. shevettapuach2014 : 1
831. Artisul : 1
832. DanceMissionYout : 1
833. AWSDetroitChrist : 1
834. WaynefleteInc : 1
835. InternationalGlov : 1
836. JacksonSportsAca : 1
837. CATESOL2016Annua : 1
838. AFA : 1
839. Curtissandbox : 1
840. CampRamahIsrael : 1
841. CumberlandCounty : 1
842. FZYWUJSSpring20 : 1
843. FZYAmirim2016 : 1
844. CampLiberty2016 : 1
845. PilgrimCamp : 1
846. Armed2Defend : 1
847. HopeBasketballCa : 1
848. WBRTR-Runners : 1
849. WorldWarBrick : 1
850. DistrictSummitRe : 1
851. FreedomSchoolPar : 1
852. LutheranChurchof : 1
853. PanforkBaptistEn : 1
854. CATESOL2016North : 1
855. SantaClaraUniver : 1
856. GalileanRetreat : 1
857. Spokane-AVIDIns : 1
858. TitanRobotics : 1
859. KingdomWorkers : 1
860. ArmedServicesYMC : 1
861. CIS-HPCS : 1
862. CaliforniaWorkfor : 1
863. SkySummerCamp : 1
864. CIS-CTS : 1
865. TheBlackEconomic : 1
866. Sportstyme-Welli : 1
867. Sportstyme-Winte : 1
868. CHUSY2016201 : 1
869. CRUSY2016201 : 1
870. Emtza2016201 : 1
871. WUSY20162017 : 1
872. VSSDance : 1
873. EPAHagesher2016 : 1
874. HanefeshNERUSY2 : 1
875. HaNegev2016-201 : 1
876. NewFrontier2016 : 1
877. Pinwheel2016 : 1
878. Seaboard2016 : 1
879. Tzafon2016-2017 : 1
880. WildfishTheatreJ : 1
881. ProLevelTraining : 1
882. MinnesotaMusicEd : 1
883. FarWest2016 : 1
884. GlobalWritersIns : 1
885. KidsIntheGame : 1
886. JumpStart : 1
887. YoungJudaeaAlumn : 1
888. KidVenture-Aftersc : 1
889. SEFOF : 1
890. McCallumTheatreT : 1
891. MtCarmelMusicF : 1
892. AWSDetroit : 1
893. StoneMountainAdv : 1
894. CampArrahWanna : 1
895. CampSonburst : 1
896. FrestaValley : 1
897. KieslingAssociate : 1
898. 2016-2017WinterB : 1
899. Medinformatix : 1

Update 3 (a day and a half after initial post):

I've had further communication with both BlueSnap and Regpack since writing this post and the source of the data has now been identified as originating from Regpack. Let me share a statement from them here:

Further to the article Troy Hunt published both Regpack and BlueSnap have looked into the presented data loss. Reviewing the post by Troy Hunt assisted our engineers in reaching this conclusion: 

Regpack has confirmed that all payments information passed to the payment processor is encrypted on its databases. Nonetheless, periodically, this information is decrypted and kept internally for analysis purposes. We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss. This was identified by our teams going back and reviewing some of the log files as indicated in the blog discussion post.  We have changed our approach to handling this data and are confident that this one-time mistake will not occur again.

To reiterate our security stance:

1. The source of the data loss was a procedural human error.
2. Neither Regpack nor BlueSnap had our systems breached. This has been confirmed by independent forensic experts retained by each company after the initial data loss. As a further security measure, RegPack has rebuilt all servers and run full security scans on the new servers. 
3. Both Regpack and BlueSnap have conducted thorough reviews of the environments and found that all systems are secure.
4. Regpack and Bluesnap have updated all internal security procedures and processes to ensure that no data can leave internal environments.  This will prevent the loss we saw in this case.

Regpack is notifying vendors whose customers were potentially affected so they can make the appropriate communications.

Obviously they now have various processes to go through including reaching out to impacted customers who will in turn need to contact their customers (the ones who made the purchases) and notify them of the data exposure. I've just updated HIBP to reflect the source of the data as being Regpack and adjusted the description accordingly.

If you run a website that uses Regpack services then you should hear from them directly. If you believe that your personal information was exposed then you should hear from the site you provided it to (yes, I know they didn't lose the data but that's the chain of relationships here).

Thank you to everyone who commented and provided input on this post, I'm glad the source has now been identified and steps can be taken to protect those who were exposed.