CyberServe 2021 Data Breach

CyberServe 2021 Data Breach: Israeli Hosting Provider Breached by Black Shadow

Hosting & Infrastructure / Web Hosting / Enterprise / Consumer

CyberServe 2021 Data Breach: Israeli Hosting Provider Breached by Black Shadow

Israeli web-hosting provider (host of the Atraf LGBTQ platform).

Confirmed · ObscureIQ Intelligence
Limited DisclosureThis breach is handled differently. Because being connected to it can itself be sensitive, we do not confirm anyone’s presence publicly. Use the private exposure check at the bottom of this page.
Breach Risk Index i
45/100
Lower riskHigher risk
Moderate: notable exposure with meaningful misuse potential.
Data Sensitivity i
Restricted
Being associated with this breach can itself be harmful. Disclosure is limited and presence is not confirmed to unverified parties.
1.1MRecords
2021Year

The Breach Risk Index (BRI) is a proprietary 0–100 score rating how dangerous a breach is right now, based on how recently the data has been circulating on the dark web and how valuable it is to attackers.

Crucial data exposed
PHI / MedicalHealth Information; Hiv Status
IntimateSexual Orientation
Classification Tags
Black ShadowHosting & InfrastructureHostingDirect Customers2021

Breach Summary

In October 2021 the Black Shadow group breached CyberServe, ransomed it, and publicly leaked a broad dataset spanning multiple hosted sites, including the Atraf LGBTQ platform and the Machon Mor medical institute. Exposed data (roughly 1.1M records) ranged from relationship and HIV/health information to email addresses and plaintext passwords.

Full threat analysis, exploitation vectors, and principal guidance below.

11 additional sections · verified field analysis · defensive doctrine

Querying breach corpus…
Cross-referencing exposed field types…
Resolving threat-actor attribution…
Compiling principal risk advisory…

1.1M records analyzed

About CyberServe

CyberServe was an Israeli web-hosting provider whose customers included the Atraf LGBTQ dating/nightlife platform and the Machon Mor medical institute.

Why They Hold Your Data

A hosting provider holds its clients' user data, which here spanned LGBTQ dating profiles, medical-institute records, and account credentials stored in plain text.

Recent Developments

In October 2021 the Iran-affiliated group Black Shadow breached and ransomed CyberServe, then leaked customer data publicly.

Data Points Exposed

18 verified field types
Date of Birth High
Email Address
Family Structure
Full Name
Gender
Geographic location
Health Information High
Hiv Status Critical
IP Address
Lifestyle Habits
Messages And Chat
Password High
Phone Number
Physical And Lifestyle Profile
Profile Photo
Religion
Sexual Orientation High
Username

Breach Impact

The leak was among Israel's most damaging, exposing LGBTQ individuals and patients to outing and extortion and prompting national cyber-authority involvement.

Exploitation & Downstream Threats

• Credential stuffing against reused passwords across other platforms | • Identity verification bypass using name + date of birth combination | • SIM swap attacks where phone numbers are present | • Targeted phishing campaigns using exposed email addresses | • Doxxing risk from physical address exposure

Principal Risk Advisory

What this means for a principal

A consumer-service breach: contact and account data supports phishing, account takeover and profile enrichment. For a high-profile principal this is targeting-grade, not merely identity-theft-grade: the combination lets an adversary locate, impersonate, or pressure the principal with little additional work.

What You Should Do

  1. Reset any reused passwords and enable MFA on email first, then financial accounts.
  2. Watch for medical-benefit fraud and health-themed phishing that references real provider relationships.
  3. Be alert to sextortion or blackmail attempts referencing this data and do not engage; preserve and report messages.
  4. Guard against SIM-swap and vishing: add a carrier port-out PIN and verify any 'support' calls independently.
  5. Do not use unofficial 'am I affected' lookups; several are themselves harvesting operations.

How ObscureIQ Can Help

  1. Corpus confirmation: determine whether and where the principal (plus household and staff) appear in this dataset and which specific fields are exposed for them.
  2. Exposure mapping and footprint neutralization: cross-reference against broker-available data and suppress still-removable elements, prioritizing address and phone, since this record re-seeds broker networks.
  3. ThreatWatch tuned to this incident's identifiers and misuse pattern (impersonation and targeting patterns, not generic credential monitoring).
BS
Threat Actor: Black ShadowConfidence: Medium
Nation-state-linked hacktivist / extortion group

Motivation: Hacktivism (anti-Israel), extortion
An Iran-affiliated hacking group active around 2020-2021 that breached Israeli organizations and leaked or ransomed their data for political effect, notably the Shirbit insurer (2020) and the CyberServe hosting provider hosting the Atraf LGBTQ platform (2021).

Read the full threat-actor profile →

Protect Yourself

Protect Yourself: Limited Disclosure

Check If You’re Affected: Verification Required

Because being associated with this breach can itself be harmful, we do not confirm whether anyone appears in it to unverified parties. Verify your identity to privately check whether your own data appears in this breach or related indexes.

We will only reveal whether a specific person appears in this breach to that person.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation