Cushman & Wakefield
May 5, 2026
•[ vishing, extortion, data leak ]
In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers.
Reborn Gaming
April 30, 2026
•[ data breach, gaming, vulnerability ]
In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.
Vimeo
April 28, 2026
•[ extortion, data leak, third-party breach ]
In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information".
Individual Filipino pensioner
April 28, 2026
•[ vishing, phishing, malware ]
A 68-year-old Filipino pensioner received a fraudulent call claiming to be from the Social Security System and was sent a Viber link to a fake app. After installation, malware hijacked his Android phone, froze the screen and power button, and allowed thieves to drain three bank accounts and two e-wallets, stealing more than 1 million.
Vimeo
April 28, 2026
•[ unauthorized access, data leak, stolen data ]
Vimeo confirmed that an unauthorized actor accessed certain user and customer data through the Anodot breach; ShinyHunters later leaked 106GB of stolen data affecting 119,200 email addresses.
Gelatissimo
April 27, 2026
•[ data leak, ransomware, financial data ]
DragonForce listed Australian gelato franchiser Gelatissimo on its leak site around April 27, 2026 and claimed to have stolen more than 350 GB of data, with other reporting specifying 352.24 GB. The claimed data included sensitive employee data, financial details, operational information, and executive contact details, and the group threatened publication unless the company responded; reviewed reporting did not confirm encryption or operational disruption.
eBay Inc
April 26, 2026
•[ DDoS attack, service disruption, hacktivism ]
eBay experienced a widespread service disruption beginning April 26, 2026, affecting search, listings, checkout, and API functionality worldwide; the hacktivist group 313 Team claimed responsibility for a DDoS attack, but eBay did not confirm the cause.
Udemy
April 24, 2026
•[ data leak, extortion, cybercrime ]
In April 2026, online training company Udemy was the victim of a pay or leak extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.
Kent District Library
April 24, 2026
•[ ransomware, cyberattack, service disruption ]
Kent District Library closed all branches after a ransomware attack disrupted computer systems and network-dependent services.
Anthropic
April 21, 2026
•[ unauthorized access, third-party vendor breach, data leak ]
A private online group reportedly gained unauthorized access to Anthropic's limited-release Claude Mythos Preview model through a third-party vendor environment.
Banco Rendimento
April 21, 2026
•[ security incident, unauthorized access, banking ]
Banco Rendimento identified and contained a security incident on April 21, 2026 affecting some client-access channels and accounts; the bank isolated the threat, restored operations the following day, and reported the incident to Brazilian authorities.
Mile Bluff Medical Center
April 21, 2026
•[ ransomware, data encryption, system disruption ]
Mile Bluff Medical Center experienced system disruptions after a security event that encrypted data, affecting phone and computer systems; clinical teams operated under downtime procedures while the organization investigated and engaged third-party partners.
ADT
April 20, 2026
•[ data breach, extortion, data leak ]
In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people.
Pitney Bowes
April 20, 2026
•[ extortion, data leak, hacking collective ]
In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.
Aman
April 20, 2026
•[ extortion, data leak, CRM breach ]
In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
Administration of Kursk region
April 20, 2026
•[ DDoS attack, government, service disruption ]
On April 20, 2026, Kursk regional authorities reported a DDoS attack against regional administration servers that made the live broadcast of a government session unavailable. Officials said the session recording would be published later on official governor and regional government resources, and corroborating reporting said the attack was localized the same day.
Mastodon (mastodon.social)
April 20, 2026
•[ DDoS attack, service disruption, 313 Team ]
Mastodon's flagship mastodon.social server was hit by a DDoS attack on April 20, 2026, making the instance unusable at times and causing much of the site to become inaccessible. Mastodon implemented countermeasures by 9:05 a.m. ET and restored access within a couple of hours, while warning that instability could continue as the attack was ongoing; SC Media reported that 313 Team claimed responsibility.
Nordenta
April 20, 2026
•[ ransomware, data leak ]
The Danish dental supplier Nordenta was listed on the Kairos ransomware leak site around April 20, 2026, and Computerworld reported on April 22 that the company had been hit by ransomware. Kairos claimed to have stolen 1.68 TB of data and used the leak-site post to pressure company executives, but the specific data categories and operational impact were not confirmed in the reviewed sources.
ADT Inc.
April 20, 2026
•[ vishing, social engineering, data breach ]
ShinyHunters compromised an ADT employee Okta SSO account through vishing, used the account to access ADT's Salesforce instance, and stole personal information later assessed by Have I Been Pwned as affecting 5.5 million individuals.
BePrime
April 20, 2026
•[ unauthorized access, missing MFA, credential leak ]
BePrime, a managed cybersecurity services provider in Mexico, was breached in April 2026 after attackers accessed administrator accounts lacking MFA, exfiltrating 12.6 GB of data that included plaintext credentials, client penetration testing reports, Cisco Meraki API keys controlling 1,858 network devices, and live surveillance camera feeds from client offices.