Data Leak at Corbett Report (and Many Other Sites)!

Jul 31, 2025 | Videos | 55 comments



There has been a data leak at The Corbett Report. One of the latest updates of the GiveWP WordPress plugin “accidentally” started publishing the email addresses and usernames of some (but not all) Corbett Report users to the source code of the site. The plugin has been deactivated and the email addresses are no longer exposed, but the email addresses were already caught by the spambots. Tens of thousands of websites use this plugin and I was able to personally verify a number of websites where this was happening.

UPDATE: GiveWP has finally patched this massive security flaw with their latest update but are still trying to downplay the problem and limit discussion of it in their own forum. Will literally any data security researcher actually publish anything about this massive data leak of email addresses?

The email addresses exposed were only those who signed up on the site’s membership form since 2024. No other members (people who signed up before, or people who signed up by alternate methods like Substack or PO Box) were affected. I am in the process of emailing every email address that was exposed by this, but if you are a Corbett Report member who has any questions or concerns about this event, please contact me directly.

SHOW NOTES:

Github discussion about this issue and its “resolution”

55 Comments

  1. The level of hypocrisy and lack of integrity in IT is what made me quit in disgust. These people are absolutely obnoxious and should be ashamed of themselves. But they have no shame, no shame at all. I guess when you put the pedal to the metal and just commit shameless acts like there is no tomorrow, you run out.

    • I may be projecting a bit, I don’t know the Impress people and don’t want to be an asshole about it. To err is human, but so is taking timely responsibility.

    • It’s hard to articulate how bad it actually is at this point.
      We’ve got major credit card, banking, retail & utility websites with bugs & design flaws that only an amateur website would normally have.

      And there’s this signature ethics-devoid communist dictatorial air wafting from an enormous percentage of it.

      It’s like the same politically motivated vibe-coding organization is getting its fingers into virtually everything.

      And just like this GiveWP incident, there’s a maddeningly bizarre lack of talk about it.

        • I’m inclined to believe that these things come from malice more than incompetence these days. Although with AI generating everything for everyone, it’s only going to get harder to tell.

          Even if it started as incompetence, the fact that they are trying to downplay the impacts makes this look more malicious to me.

      • Animals
        “….that only an amateur website would normally have…..”

        The code was probably glued together snippets by the pajeets they could hire cheapest. There is an actual competency crisis going on in a lot of areas which is why a lot of things are falling apart.

        • Indeed, Sir. We sorely miss the Old White Guys in every sector. Appliances, farming, hospitals, woodworking, and all points in between.

          Mr. Mike reminds me of my time at IRS. No bad report could go forward. No matter what. A single decision could cost the US Taxpayers $50k or nearly get a guy killed. Nope! Ignore!

          In this particular case, I think along w/ incompetence comes a Built-in Back Door.

  2. Unaffected but look forward to the solutions watch mentioned.

  3. Ah. That explains why I’ve been getting a prodigious amount of email spam in the last week or so. I’m glad I know why that has been happening. Thanks for being forthright, James.

  4. Got 8 scam mails (first one on July 27th). They went straight to the spam folder.
    related meme

  5. Evidently this plugin has had other issues. You can Google it.

  6. Amazing nobody reported on it and sorry that happened to you. No worries on my end, though. Spam bots have had my email address since their inception.

  7. Just as a test, people in the USA should put their name and state into Google and see how much comes up….most of us are leaking information like a sieve

    Every time you give your phone number out it’s associated with your name….and don’t get me started on credit card companies asking folks for their income.

    The vast majority of people have their name, often a phone number, previous addresses and often their relatives pop up……if you put the address in you can (if you’re feeling creepy) take a virtual tour of their house or at least get the layout if it’s been sold and the listing was online (most are).

    I recall a guy in a store getting quite irritated when I wouldn’t give him my phone number (I never do) for a cash purchase I made. lol, he asked “don’t you want to be in the system?” And glared when I said no.

    Privacy is starting to be either a luxury item or costs you in access or convenience…..btw you should never put fees on your debit card because it’s a lot easier to close a credit card account or get a prepaid card, or get someone else to buy stuff online for you.

    I also change my phone number every time I get a new phone, which also lets me prune people out of my loop if I don’t want to hear from them.

    Sadly people are very complacent- I know one guy whose porn-addled PC got several grand taken from his bank account…..he got the money back and I told him to just get a cheap laptop for banking and nothing else…..last I heard he uses THE NEW Laptop for porn as well as his PC.

    Shakes head…and ugh.

    • Duck,

      This sounds familiar…my former little colonial Denmark is very similar…

      In DK it’s linked to the pure stupidity of their CPR number (social security number in the US)

      In a place where everything is put into one number, it’s basically like asking for problems…and, I have noticed some similarities in our two “systems” which makes me happy I don’t live in any of the 2 countries..

      The Irish system is not perfect but definitely more secure/private. This said, the Danes have attempted to steal from my card more than once but, having a good bank, we’ve been able to stop the madness so far..

      I’ve mentioned it to DK many times but “we just do as we’ve always done” and, I just make sure to secure myself, happy I managed to get out of there…

  8. When using a custom alias for a site, it is a good idea to make something that doesn’t include the URL or site name (e.g., isupportjames@example.com for a corbettreport account). Some scammers are smart enough to filter addresses out based on a number of factors (often also subaddresses).

    I am not affiliated with Frantech (I pay for other services from Frantech.), but they now offer an exceptionally inexpensive mail hosting service with their NameCrane site service called CraneMail that includes unlimited aliases (and mail accounts).

    It also looks like Pi-hole was hit by this:

    https://pi-hole.net/blog/2025/07/30/compromised-donor-emails-a-post-mortem/

  9. I would be vague in my update as well. If they tell people exactly what happened in their update, that lets people who want your data know where to look for that information on sites that haven’t updated to the latest version.

    • You are misunderstanding on several levels.

      This is not about providing technical details that would allow any would be attackers easier access. Pro tip: there’s no need for attackers with this type of issue.

      This is about covering up, downplaying and resorting to censorship in regards to an issue where personal information has been exposed to everyone on the web.

      When people expect a post mortem, they don’t need technical details but an explanation of how the process managed to fail so miserably and what is going to be done to prevent the same from happening in the future. Or, as PC demands, going forward. These people are always going forward. Ignorance is both a bliss and extremely annoying.

      The reality of the matter is, rewrites are demanding and tests are commonly performed as smoke tests. I.e. only the most obvious issues may be uncovered. Everything else is left to the end users to figure out on their own. Data breaches schmeacers be damned.

    • It is no longer “missing.” The right side is there now.

  10. I just changed my password since I signed up for membership on November 2024.

    I did receive Spam more than usual since Monday 28/7/2025…

    A solutions watch education crash course on proxy emails would be awesome!

    All things aside, unless the networks are P2P working in isolation, the internet is a DARPA project, so… all you put in here is easily visible by “The Architect”.

    I learned recently that Boeing uses CDs to update their pilot control software systems as the onboard computers themselves are not connected to the internet and thus unhackable, which gets you thinking, MAYBE 1990s technology (and our childhood, frankly) was PEAK Humanity experience and it all went downhill from there.

    Yes you could say that being born in the 80s I’m somewhat a child of the internet also, which is why I’ve never trusted these devices. I got my first smartphone in 2018, a late adopter… a Covid Vaccine by the guy (trans-woman) who invented WINDOWS??

    HA! Expect a system crash soon…

    You know that’s what they say: She called her “invention” just like her soldier: “micro” and “soft”!

  11. Is what it is, no fault of the Corbett Report.

    I’m a proud subscriber, I’m sure I can cope with a bit of spam.

  12. Yeah, I received a lot of spam (get very little usually ) a few days ago for a couple of days, this makes sense.

  13. No spam emails in my inbox.

    But I’ve been busy. A Nigerian Princess had emailed me. She doesn’t mind how ugly I am, and we will get married soon. I gave her my checking account information so she can fly to the U.S. and we can finally meet in person.
    Funds have just been withdrawn from my account. I am waiting to hear from her about the flight schedule. It’s been a few days. I hope she is okay.

    • Many blessings to you and yours. Does this mean you are soon going to join our betters in the royal family?

      • Bad news.
        My checking account is now empty and the bride-to-be found someone else in Uganda at a wedding event. See below.

        New York Post [PHOTOS]
        https://archive.ph/TXjb4
        Socialist New York City Mayoral frontrunner Zohran Mamdani celebrated his recent nuptials with a lavish, three-day affair at his family’s ritzy, secluded Ugandan compound — complete with masked security guards and a cellphone jamming system.

        The gates of the bustling, private compound, which sits in the wealthy Buziga Hill area outside the capital city of Kampala, were heavily guarded by military-style, masked men this week, with guests streaming in and partying until midnight, according to sources in the town who wished to remain anonymous for security reasons…

        …“Outside the Mamdani house were more than 20 special forces command unit guards, some in masks, and there was a phone-jamming system set up — and all for the strictly invite-only Mamdani event,” one witness confirmed to The Post.
        “One gate had around nine guards stationed at it,” they added.

  14. Could it be that the Jimmy Dore appearance put too much light 💡 on you and The Corbett Report?

  15. Spam free since 2009. Member of CorbettReport since 2020.
    Last week I got spam for the first time, and it’s growing every day. Such a shame.
    I don’t believe in incompetence at this level. It’s obvious that this important site is taking flak
    from Unit 8200 and their affiliates, when they are over the target.

  16. Thanks James for updates. I have received more spam but it’s been obvious so no worries. All the best.

  17. ITSec these days is all security theater. All we really have is OPSec, so salting your data is paramount. Take my life as an example. It was only when pride got the better of me and I got lax that the curse of Morgoth was able to catch up to me. Still managed to take out Glaurung single handed, but don’t remind me of that mistake with my sis.

  18. James and members, if reading this, please consider switching your platforms to Nostr protocol. It is decentralized, runs off relays (gossip protocol is optional), keeps your user info anonymous thru npubs, secures your info thru nsec (no email or personal info is required), it’s cross functional across all Nostr platforms, and has been successfully running for a couple of years now. Nostr can be used for website logins with bitcoin/lightning billing, social media apps (Damus), and just recently messaging apps (WhiteNoise: still needs a lot of work) and you only need one account. Let me know if you would like more info.

  19. Summary of related links:
    https://github.com/impress-org/givewp/issues/8042 | GitHub issue
    https://haveibeenpwned.com/Breach/ThePi-Hole | HaveIBeenPwned – rel to Pi-hole
    https://pi-hole.net/blog/2025/07/30/compromised-donor-emails-a-post-mortem/ | Pi-hole blog post
    https://x.com/GiveWP/status/1950554546746388958 | Twitter – GiveWP patch
    https://x.com/haveibeenpwned/status/1951053679144083704 | Twitter – Have I Been Pwned
    https://x.com/klevstul/status/1951202752991723772 | Twitter – Reaching out to Steve Gibson – Security Expert

  20. Thanks for letting us know so clearly James.

    Usually I use a different e-mail address for all registrations, I have 50+ e-mail aliases by now. I use Proton Mail subscription and it includes this option. I can even reply from those addresses, without changing “sender address” in Thunderbird (it’s automatically replaced in transit). And the address is automatically created upon receiving the first mail (using my own domain – that is).

    I use a medieval fantasy game character name generator for names, not “jamescorbett@” or similar addresses. I switched to this, when I first needed to mail a webshop and my sender looked very stupid – you can imagine – it was THEIR NAME. 🙂

    Unfortunately, I used a normal address on this site, because it was a card payment and I don’t like card provider seeing 10-20-30 different addresses for me. I was worried what would they “think”, or would they record all of those, or what…?? Would they find it a suspicious transaction and block it? Any recommendations on this?

    But it’s OK, no worries, I can cope with some more spam. My addresses are out in the wild anyway. Some addresses exist since 1996. And I do have some of them on my websites in plain sight. 🙂 Maybe not this one, but well… just +1 then.

  21. Data Leak
    I signed up for a Privacy Academy.com class last December. I think that they are really good. Father and son duo. They take you through classes to protect your privacy. Their suggestion for an app to create fake email names and addresses was called, addio.com. I have not tried it yet. Good luck to you. You looked bummed out on NWNW. Thank you for the info.

  22. “I will be checking – proactively after every update”

    Not sure if you are aware but there exists a tool you can self-host (if you want my help I hereby offer to host it for you for free as a thank you for all you have taught me over the years) that can keep track of changes to a website and you can even add things like “conditional actions”: https://changedetection.io/tutorial/conditional-actions-web-page-changes

    I am no expert in how to run, configure or even use this software but I am fairly tech-savvy and I don’t doubt for a minute that I can get it working. Any techie you trust can most likely set it up for you.

    This article explains what I think you are after better than I can:
    https://changedetection.io/tutorial/source-code-monitor-how-get-alerts-changes-html-source-code

    One of many articles on self-hosting it:
    https://jussiroine.com/2023/12/self-hosting-changedetection-io-for-monitoring-websites/

    Best regards

    • This is likely a lot easier (and more reliable) to setup locally with wget or curl and grep.
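As an added example (not from the post or from any commenter), here is the local curl-and-grep approach the reply above suggests, applied to the problem the post describes: a site owner checking whether the HTML source of their own page contains e-mail addresses, and whether new ones have appeared since an earlier snapshot. The two HTML snippets, the `donorData` script variable, the file names and the allow-list are constructed for the demonstration and are not real GiveWP output.

```shell
#!/bin/sh
# Added example: scan a page's HTML source for exposed e-mail addresses and
# report any that are new relative to an earlier snapshot. Uses only standard
# utilities (curl, grep, sort, comm, wc).
export LC_ALL=C   # stable collation so sort and comm agree

# Download a page's raw source for a later check. Meant to be run against your
# own site; it is defined here but not executed in the demo below.
fetch_page_source() {
    # $1 = URL, $2 = output file
    curl -sS -L -o "$2" "$1"
}

# Print every distinct e-mail-looking token in a file, one per line, sorted.
# The pattern is a heuristic: it catches typical addresses, not every RFC form.
find_exposed_emails() {
    grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" | sort -u
}

# Print addresses present in the current snapshot but absent from the baseline.
new_emails_since_baseline() {
    # $1 = baseline HTML file, $2 = current HTML file
    base_list=$(mktemp); cur_list=$(mktemp)
    find_exposed_emails "$1" > "$base_list"
    find_exposed_emails "$2" > "$cur_list"
    comm -13 "$base_list" "$cur_list"
    rm -f "$base_list" "$cur_list"
}

# Count addresses that are not on an allow-list of intentionally public ones
# (e.g. a contact address). Prints the number.
count_unexpected_emails() {
    # $1 = HTML file, $2 = allow-list file (one address per line)
    find_exposed_emails "$1" | grep -vFxf "$2" | wc -l | tr -d ' '
}

# --- Constructed demo data (hypothetical page layout, not real GiveWP output) ---
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/baseline.html" <<'EOF'
<html><body>Questions? Write to webmaster@example.com</body></html>
EOF
cat > "$WORKDIR/current.html" <<'EOF'
<html><head><script>
var donorData = [{"name":"alice","email":"alice@example.net"},
                 {"name":"bob","email":"bob.smith@example.org"}];
</script></head><body>Questions? Write to webmaster@example.com</body></html>
EOF
printf '%s\n' 'webmaster@example.com' > "$WORKDIR/allowlist.txt"

echo "addresses new since baseline:"
new_emails_since_baseline "$WORKDIR/baseline.html" "$WORKDIR/current.html"
echo "unexpected addresses in current page: $(count_unexpected_emails "$WORKDIR/current.html" "$WORKDIR/allowlist.txt")"
# In real use: fetch_page_source "https://your-site.example/" "$WORKDIR/current.html"
# after each plugin update, keep the previous download as the baseline, and
# alert when new_emails_since_baseline prints anything. Files under $WORKDIR
# are left in place so the outputs can be inspected.
```

A cron job that runs the fetch and the comparison after every plugin update gives the same "alert on a change in the HTML source" behaviour that the changedetection.io links above describe, without running a separate service; the allow-list keeps a deliberately published contact address from triggering the alert every time.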

  23. Hey, when I started to get all these spam emails, I went into them and clicked “unsubscribe.”
    Then I got the Corbett email telling the subscribers not to click on any links.

    Do you guys think anything bad will happen from that?
    **the spam emails stopped arriving, btw.

    • I’m assuming you’re talking about a laptop or pc?

      I’d suspect that either that email was from a legit list that was buying emails in bulk OR that it confirmed that the address is “live” and it’s worth spamming.

      Is your device acting different?
      Slower or having pop ups or something? If so you might want to do a reinstall, but TBH (and I’m NOT an expert) windows would have probably said it was downloading something and asked for a click to confirm- an actual windows thing not an email thing- before it allowed it to install malware.

      So I’d say you’re “probably” ok but keep an eye on your device for weirdness….also if you do banking and such on it and can’t buy a 2nd device you should have an extra browser that you JUST use for bank login…certain sites can apparently grab saved passwords and such from a browser

      • I don’t use Microsoft products (because of Bill Gates)
        But, no, no pop ups. Seems normal, so far.

        • If you’re on Linux I’d just do a reinstall- I kinda do that every six months “just because” and I like to play at distro hopping

          If you’re on Apple a reinstall is pretty easy too.

  24. I’m still confused about how many people were affected by the data leak.        

    You mentioned:         
    “The email addresses exposed were only those who signed up on the site’s membership form since 2024. No other members (people who signed up before, or people who signed up by alternate methods like Substack or PO Box) were affected.”         

    Well I signed up to become a member of your site many times BEFORE 2024, yearly in fact. I renew my membership each year.         

    I recently received an e-mail from you informing me that I fell victim to the data breach. Since I’ve been a member here for more than a decade I concluded that the people who were exposed weren’t just new members, but renewing members as well.         
    So the notice you gave that “If you signed up before 2024 <as I did> … your e-mail address was not exposed” is not correct is it?         

    Perhaps you could tell us what percentage of your members were exposed?         

    Here’s a possible solution to prevent any future data leaks.         

    Perhaps you could use a three-computer system?         
    The first computer would be the one you currently use for your main website work (episodes, podcasts, videos, newsletter, NWNW etc.)         
    Those operations would continue as before.         

    A second computer (it could be a notebook) would handle your Corbett Report members list. It would contain all the members’ information that you currently keep: Names, user names, home addresses, e-mail addresses, payment details etc.         
    This computer would never connect to the internet. You could import this information from your first computer to make the transition go smoothly.         
    Regular backups would be made of this computer’s data, but it would be made to a set of USB sticks.         
    These USB sticks would never be used with any other computer, so there would be no risk of infection.         

    A third computer (again it could be a notebook) would handle your e-mail communications. The best way to go with this would be an e-mail client that resides and stores all your e-mail on your computer.          
    This would be the only piece of software on this computer besides the operating system.         

    I’ve been using The Bat to perform my e-mail duties for around 25 years.         

    You would only connect a cable to the internet for this e-mail computer when you want to check/send your Corbett Report (CR) e-mail. You could use a switch to turn on/off the internet connection.         
    Infections could occur with e-mail attachments etc. but this has always been the case. Safe computer practice would prevent this.         
    Regular scans of the computer to check for any infections would be recommended.         

    The main thing with this three-computer system is that your CR e-mail list wouldn’t reside and be exposed on your website.

    • FT

      I think the issue was the code running on the website- as I understand it Mr Corbett didn’t get hacked and data jacked on his own machine…the website “plugin” he used was bad.

      He can’t really do a lot about that unless he runs a static page or something like that

      • Right Duck I realize that his computer wasn’t hacked, that the problem was with the plugin.
        But with the setup I am suggesting, a rogue plugin wouldn’t cause the problem that happened.

        The disconnecting/reconnecting of the e-mail computer wouldn’t really be necessary. Probably overkill. Just another layer of precaution.

        The separation of the member’s data onto another computer that never touched the internet though is the key to ensuring the data would always be safe.

        • The plugin is installed on the server. WordPress uses a database table to store the plugin data (user names and emails) then the plugin just dumps out all of its data for the world to see.

          Likely some developer was trying to figure out a problem, forgot to remove the blurb out part from the code, nobody performed code review and finally some bozo had the new version deployed.

          James discontinued the use of said plugin.

          • Wherever the plugin actually lies, his members’ data is still currently vulnerable to the outside world.

            My suggestion would keep the members’ data safe no matter what plugin is used in the future.

  25. Ah, the joy of using disposable email addresses for virtually everything. Including the corbett report login. I have just received one spoofed email, I deleted the email, recreated a new one, and spam is gone 🙂
