LegionProxy data breach: 10,144 customer accounts exposed in April 2026

In April 2026, residential and ISP proxy provider LegionProxy was breached, with 10,144 customer accounts exposed. The dataset surfaced in May 2026 and has been indexed by Have I Been Pwned (HIBP), the breach corpus run by security researcher Troy Hunt that the industry treats as the authoritative public record for incidents like this. This post lays out what happened, what data was exposed, what affected customers should do, and what the incident says about the proxy industry more broadly.
LegionProxy is a commercial residential and ISP proxy network, the kind of provider that sells routed IP access to scraping teams, ad-verification operations, and multi-account managers.
What happened in the LegionProxy data breach
The breach is dated April 6, 2026 in public reporting, with the dataset added to HIBP roughly a month later in early May 2026 and announced by Troy Hunt on the same day it was indexed. 10,144 distinct accounts were affected.
The exposed dataset includes:
• Email addresses
• Names
• bcrypt password hashes
• Purchase records
There is no public information at the time of writing on how the dataset was obtained, whether the breach involved an intrusion into LegionProxy's systems directly or a third-party component, or what remediation steps LegionProxy has taken. LegionProxy has not published a detailed incident writeup in any venue covered by mainstream security press as of this article.
What customer data was exposed and why each field matters
Each of the four exposed field types creates a distinct downstream risk. None of them require a sophisticated attacker to act on.
Email addresses. Once an email is in a known breach corpus, it goes onto attacker wordlists. The two practical consequences are targeted phishing (the attacker now knows you have a LegionProxy account, which is itself useful context for crafting a convincing message) and credential stuffing, where leaked email-and-password pairs from one breach are tried against other sites at scale.
Names. A name attached to an email lets attackers personalize phishing. A generic “your account has been suspended” message converts at much lower rates than one that opens with the recipient's actual first name.
bcrypt password hashes. Password hashes are not plaintext passwords, but they are not nothing either. A weak password, a short password, or one already known to be in common-password wordlists can be cracked offline given enough compute. The practical takeaway for any affected customer is the same regardless of how strong the original password was: if that password was reused on any other account, the assumption has to be that it is now compromised everywhere.
Purchase records. Purchase records at proxy providers typically include product type, order amounts, and dates. Where those fields were included in the exposed dataset, they link a customer's identity to specific proxy purchases, which can reveal product mix (residential, mobile, ISP), volume tier, and operational timing. For customers using proxies for legitimate work like competitive intelligence, ad verification, or price monitoring, that information being attached to their identity in a public breach corpus is a business risk, not just a personal one. The exact fields exposed within the purchase records have not been publicly detailed.
How the hacker is using the breach data
After the breach, every customer in the dataset received a follow-up email from the hacker. The email has two parts that are worth understanding separately.
The first part recommends that recipients try two other proxy providers, framed as the suggestion to use if the recipient “actually wants good and cheap proxies.” Both providers are named directly in the email.
The second part is a broader claim about the proxy market. The hacker asserts that 99% of proxy services in the industry resell from four specific upstream providers, then lists those four.
Two practical takeaways for affected customers and for readers more broadly:
The second is interpretive. The structure of the email, which first recommends two specific providers and then asserts that almost all of the market resells from a small set including those providers, may make some people suspect that the hacker is somehow affiliated with one of these companies.
What affected LegionProxy customers should do
The actions below are in order of urgency. None of them require coordination with LegionProxy.
1. Reset the LegionProxy account password immediately. Use a unique password generated by a password manager.
2. Change that password anywhere else it was reused. Email, billing platforms, scraping tools, anything with the same password as the LegionProxy account. This is the single highest-impact step for most affected users.
3. Enable two-factor authentication on every account that supports it. Email, payment providers, and any business platform tied to the affected workflow.
4. Check exposure on Have I Been Pwned. Search the affected email at haveibeenpwned.com to see whether it appears in this breach and any others.
5. Watch for targeted phishing and follow-up emails from the hacker. Be specifically cautious of emails impersonating LegionProxy, payment processors, password-reset notifications, and any message that appears to come from the breach source itself, including ones recommending alternative proxy providers.
6. Audit any business workflows tied to the LegionProxy account. Make sure billing details, saved credentials in tooling, and shared team access are reviewed and rotated where appropriate.
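To make steps 2 and 5 concrete, the following Python script (an added example, not part of the original article or of any LegionProxy or HIBP tooling) audits a password-manager CSV export for entries that share the breached account's password, use a close variant of it, or are registered under the exposed email address. The column names, hostnames, addresses, and passwords are constructed, legionproxy.example is a placeholder for the real login host, and the variant heuristic is an assumption.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export. Column names are an assumption; real password
# manager exports differ, so adjust the keys used below.
SAMPLE_EXPORT = """name,url,username,password
LegionProxy,https://dashboard.legionproxy.example/login,ops@corp.example,Winter2025!proxy
Mail,https://mail.corp.example/,ops@corp.example,Winter2025!proxy
Billing,https://pay.billing.example/account,ops@corp.example,k9#Vt2!qLm8zRw
Scraper SaaS,https://app.scraper.example/,ops+tools@corp.example,Winter2025!Proxy1
Forum,https://forum.example/,someone@else.example,h7$Gd0!wPz3xYb
"""

def base_form(password):
    # Heuristic (assumption): ignore case and trailing digits/symbols, the
    # kind of small variation people make when "changing" a reused password.
    return password.lower().rstrip("0123456789!@#$%^&*?._-")

def reuse_audit(export_text, breached_host, exposed_email):
    """Classify entries by how they relate to the breached account.
    Passwords are only compared, never returned or printed."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    def is_breached(row):
        host = (urlsplit(row["url"]).hostname or "").lower()
        return host == breached_host or host.endswith("." + breached_host)
    exact = {r["password"] for r in rows if is_breached(r)}
    bases = {base_form(p) for p in exact} - {""}  # an empty base matches nothing
    report = {"exact_reuse": [], "variant": [], "same_email": []}
    for r in rows:
        if is_breached(r):
            continue  # step 1 already covers the breached account itself
        if r["password"] in exact:
            report["exact_reuse"].append(r["name"])      # step 2: change now
        elif base_form(r["password"]) in bases:
            report["variant"].append(r["name"])          # step 2: treat as reused
        elif r["username"].lower() == exposed_email.lower():
            report["same_email"].append(r["name"])       # step 5: expect phishing
    return report

if __name__ == "__main__":
    for bucket, names in reuse_audit(
            SAMPLE_EXPORT, "legionproxy.example", "ops@corp.example").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Because the export holds every password in plaintext, run the audit on a trusted machine and delete the CSV afterwards.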
What this breach means for the proxy industry
Two observations are worth surfacing, both about how proxy-customer breaches differ from typical consumer breaches.
The first is that proxy customer data is operationally sensitive in ways most consumer breaches are not. A breached retail site exposes shopping history. A breached proxy provider exposes the connection between a real identity and a specific kind of automation. For customers running legitimate scraping, monitoring, or verification operations, that linkage being part of a public breach corpus carries business consequences beyond the personal credential risk.
The second is that provider transparency on incidents is the variable customers can actually evaluate. The technical specifics of how a given breach happened are usually opaque to the public for months or never disclosed at all. What customers can see is the response: how quickly an incident is acknowledged, whether affected users are notified directly, and what remediation detail is published. LegionProxy has not published a detailed remediation writeup at the time of this article. That is an observation about public visibility, not a technical claim.
The reasonable posture for any proxy customer reading this is the same one any breach should reinforce: credential hygiene, two-factor authentication, and treating breach monitoring as an ongoing habit rather than a response to specific incidents. Further details about the LegionProxy breach may emerge as third-party researchers publish more, and customers should expect to see updates from HIBP and security press if they do.