NEW BREACH PREVIEW -- BLAVITY INC 1.12 MILLION USERS -- NEGOTIATIONS ACTIVE
by FulcrumSec - 11-11-25, 09:00 AM
#1
Victim: Blavity Inc. - A media technology and entrepreneurship holding company operating multiple brands targeting Black professionals and entrepreneurs, including AfroTech, Shadow and Act, Travel Noire, 21Ninety, and more.

Total Records Compromised: Close to 1.2 million users

Data types: Phone numbers, IP addresses, physical addresses, email addresses, user agents, and more. 

Many profiles also include detailed salary information, how much disposable income they have, their race, their interests, how often they exercise, their marital status, how often they go on vacation, and so on.

Today's Release: High-value user lists from Blavity's marketing database, specifically their:
 
  • DirectorVPSenior_Audience list
  • Entrepreneur_Audience list
  • InvestorVenture_Capitalist_Audience
  • CEOFounderSmall_Business_Owners
  • Founder_SubscribersCEOFounderSmall_Business_Owners


Note: This initial release does not include the complete "events" table from the database, which contains granular tracking data logging every new IP address and user agent each time users opened emails from Blavity's campaigns.



Breach Timeline - Initial Compromise, Notification Campaign, Data Removal - August to 30 October, 2025

We compromised Blavity's CRM/marketing infrastructure back in August, extracting the complete user database containing PII for nearly 1.2 million individuals across their entire media ecosystem. At the end of last month, surprised to find the system still wide open, we refreshed our data with the new entries from their user database.

Then, using their own Iterable API creds, we launched an awareness campaign, successfully delivering breach notification emails to around 75,000 of their users before Blavity finally revoked the key.

In it, we informed users of the compromise and let them know that those with serious safety concerns could request to have their data removed from the leak package prior to its release in the case of nonpayment by Blavity.

We target corporations, not individuals. We do not like leaking PII of individuals whose only mistake was trusting companies like Blavity. We have already removed the data of more than 120 users who submitted requests, and we will continue to do so for those users who contact us via email or submit a request on https://data-removal.com

Email from our first mass mailing:

[Image: first-email-screenshot.png]

The Second Breach - 4 November, 2025

Five days later, on 4 November, while testing a security scanner on a random list of domains that included blavity.com, we stumbled upon ANOTHER, NEW Iterable API key they were exposing to the entire internet that had not been there before.

Naturally, we used this second key to launch another email campaign. Over the course of 8 hours, we successfully delivered breach notifications to over 200,000 users before this second API key was finally revoked.

Beyond the mass mailing access we (re)gained, had we not already exfiltrated their user data, this second live key would have allowed us to steal the entire database all over again. The fact that we found this key five days after they learned of the initial breach, which we'd conducted via the EXACT SAME attack vector, is truly mind-blowing, next-level negligence.

Blavity's (Lack Of) Response

Instead of accepting responsibility and paying the modest $120,000 price we set -- a tiny 10 cents per user -- Blavity has thus far responded only with legal threats. They sent us a cease and desist letter.

[Image: cease-desist.png]

This was a silly thing to do, as we told them in our response:


[Image: cease-desist-response.png]

The deadline is approaching. Blavity has until midnight of 14 November to make the right decision and pay the $120,000 to protect their users' data. They can extend the deadline by making a deposit.

Given their (lack of) response thus far, we are preparing for the likelihood that they will not pay, so up until the deadline, we will release data from Blavity's own curated "high-value" marketing lists, demonstrating exactly how they categorize and commodify their community members.

This release schedule will proceed unless Blavity does the right thing and decides their users' data privacy is worth the tiny price of 10 cents each. From their actions thus far, it appears they do not give a damn about these individuals who have been duped into believing they are part of a "community," when all they are to Blavity is data and dollar signs.

We don't like to leak PII of individuals whose only mistake was trusting companies like Blavity, and we would genuinely prefer not to do so. Unfortunately, our business model dictates the necessity of leaking data to impose cost and make an example of noncompliant victim corporations.

If this leaks, it's on you, Blavity.

Find out more here:
 
Contact:
  • threatspians@fulcrumsec.net
  • fulcrumsec@tuta.io
  • Tox: 6A5E9ED3D7D26CAD5E6CA4E229CC80DA3C13AD002F73D4450078284E6C762F6DBDCF1FE9BF44
  • @FulcrumSec on Telegram is frozen, do not contact us there.

Make a Difference -- Blavity Executives Contact Information:

Help us impose cost on Blavity. Email their leadership to ask them why they treat their users' data with such complete negligence, and tell them to PAY UP.

#2
I check this
Ban reason: leeching (Permanent)
#3
lmfao the response to the cease and desist is fuckin great.
#4
thanks for info bro
#5
well done bro, this is your breach? will check this out
#6
An org will do absolutely everything except pay out and close the deal. Dumb org. Keep it safe in first place
This is an absolute banger breach
#7
Looks interesting mate
#8
Damn we need more proper write ups like this. In a better world, every hacker group would have in-depth blogs detailing their exploits just like the security companies do.

Awesome job guys, I heard about you first time with that huge Avnet breach last month, but seems like you be comin up quick! I hope they pay up!
#9
Sounds good thank you!
#10
Thanks