Woflow
March 4, 2026
•[ data breach, extortion, PII ]
In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data. The trove included hundreds of thousands of email addresses, names, phone numbers and physical addresses, with the data indicating it related to Woflow customers and, in turn, the customers of merchants using their platform.
Tehran traffic cameras
March 3, 2026
•[ hacking, surveillance, espionage ]
DataBreaches summarized reporting alleging Israeli intelligence hacked or accessed a very large portion of Tehran's traffic camera network over multiple years to track senior Iranian officials, including Ayatollah Ali Khamenei. The reporting claimed real-time camera data (including cameras around Khamenei's compound) was encrypted and transmitted to servers in Israel and used to build "pattern of life" intelligence, such as where security teams parked vehicles.
AkzoNobel
March 3, 2026
•[ ransomware, data leak, internal correspondence ]
AkzoNobel confirmed a security incident at one of its U.S. sites after the Anubis ransomware group published a partial leak. AkzoNobel stated the incident was contained and limited to the affected site. The leak samples described in reporting included confidential client agreements, internal email correspondence, technical specification sheets, material testing documents, and contact data such as email addresses and phone numbers, as well as passport scans.
Ten official Syrian government accounts on the social media platform X
March 3, 2026
•[ social media compromise, account takeover, coordinated intrusion ]
Weekly Blitz reported Syria's Ministry of Communications and Information Technology confirmed that at least ten official Syrian government accounts on X were briefly compromised in a coordinated intrusion. The article lists affected accounts including the General Secretariat of the Presidency, the Syrian Central Bank, and multiple ministries (Transport, Higher Education, Education, Youth and Sports), as well as the elections committee account. The primary impact described is unauthorized takeover of social media accounts (posting capability), not a broader breach of internal government IT systems or confirmed data theft.
Blanchard Training and Development, Inc.
March 3, 2026
•[ unauthorized access, PII, financial information ]
Blanchard Training and Development, Inc. identified unusual activity in its network environment on March 4, 2026, and later determined that an unauthorized individual may have copied certain information between March 3 and March 4. DataBreach indexed 494,404 rows tied to Blanchard, including names, contact information, addresses, and bank account information.
Iranian energy and aviation infrastructure
March 2, 2026
•[ DDoS, wipers, intrusions ]
This SecurityWeek link is an overview/analysis of cyber activity during escalating US-Israel-Iran conflict, describing multiple incidents (e.g., DDoS, wipers, claims of intrusions) by different actors across different targets. It does not describe one discrete cyberattack against a single clearly identified victim with a bounded timeline and measurable primary effects suitable for a single incident record.
Geo News
March 2, 2026
•[ cyberattack, broadcast hijacking, satellite hacking ]
Pakistan Observer reported Geo News said it suffered a sustained and sophisticated cyberattack over the prior 24 hours in which its transmission via Pakistan's PakSat satellite was hacked. The channel said attackers breached the broadcast feed, caused repeated interruptions, and hijacked the screen to air unauthorized messages. Geo News stated it had no connection to the malicious content and was working to restore secure operations. The report focuses on disruption of broadcast integrity/availability rather than data theft.
Fusion Superplex
March 2, 2026
•[ ransomware, server infrastructure, internal operations ]
Fusion Superplex said a ransomware attack temporarily affected server infrastructure, internal operations, its IMAX system, and online ticketing.
Ameriprise
March 2, 2026
•[ extortion, data leak, ShinyHunters ]
In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have "implemented heightened monitoring of your account(s) to include enhanced identity verification procedures".
Denmark School District
March 1, 2026
•[ ransomware, cyber incident, connectivity outage ]
Reporting stated the Denmark School District in Denmark, Wisconsin, lost internet access for five school days due to a cyber incident, forcing paper-based workarounds. DataBreaches noted a ransomware tracking site listed the district domain as a claimed victim by INC Ransom with a discovery date of March 1, 2026, but emphasized that listing alone is not confirmation of ransomware or data theft. The confirmed primary effect described is a weeklong connectivity outage impacting school operations.
Department of Homeland Security (DHS)
March 1, 2026
•[ hacktivism, data leak, government contracts ]
DataBreaches summarized reporting that hacktivists calling themselves "Department of Peace" claimed to have hacked DHS and leaked allegedly stolen documents. The transparency collective DDoSecrets published data described as relating to contracts between DHS, ICE, and more than 6,000 companies (including major defense contractors and large technology firms). The report attributes the source to DHS's Office of Industry Partnership procurement unit; DHS confirmation and the exact intrusion method were not provided in the DataBreaches excerpt.
Undisclosed Qatari organization
March 1, 2026
•[ DLL hijacking, PlugX, backdoor malware ]
HackRead summarized Check Point Research describing a China-linked campaign beginning March 1, 2026 that used conflict-themed lures and DLL hijacking to install PlugX backdoor malware against targets in Qatar. The report described lures disguised as war news and a separate energy-sector lure delivering a Rust loader and ultimately Cobalt Strike, with the goal of espionage against Qatar's military and oil/gas interests.
Bitrefill
March 1, 2026
•[ cyberattack, data breach, cryptocurrency theft ]
Bitrefill disclosed that a March 1, 2026 cyberattack originating from a compromised employee laptop enabled attackers to obtain legacy credentials, access a snapshot containing production secrets, and escalate into parts of Bitrefill's infrastructure. The attackers accessed parts of the database and some cryptocurrency wallets, leading to theft of funds and misuse of gift card inventory/supply flows. Bitrefill reported exposure of about 18,500 purchase records containing customer email addresses, IP addresses, and cryptocurrency payment addresses; for about 1,000 purchases, customer names were also potentially exposed (stored encrypted, but the attackers may have obtained decryption keys). Bitrefill said it shut down systems to isolate the incident, worked with security experts/on-chain analysts/law enforcement, and assessed the method as consistent with Lazarus/BlueNoroff activity.
Bitrefill
March 1, 2026
•[ data breach, cryptocurrency theft, PII leak ]
Bitrefill published a post-mortem stating it was attacked on March 1, 2026 and attributed the activity to North Korea's Lazarus Group. The breach was discovered after suspicious purchasing patterns suggested gift card stock and supplier supply lines were being exploited. Bitrefill said attackers accessed about 18,500 purchase records containing customer email addresses, crypto payment addresses, and metadata including IP addresses. The attackers also drained some Bitrefill cryptocurrency wallets and transferred funds to attacker-controlled wallets; the company did not disclose the amount stolen and said it would absorb the losses.
Undisclosed Russian company
March 1, 2026
•[ ransomware, cyber warfare, pro-Ukrainian group ]
A pro-Ukrainian group known as Bearlyfy used GenieLocker ransomware against an undisclosed Russian company as part of a broader campaign targeting Russian firms.
Undisclosed Israeli individual smartphone
March 1, 2026
•[ malware, phishing, spyware ]
A trojanized fake Red Alert app delivered through spoofed SMS messages targeted Israeli users and, when installed, enabled theft of messages, contacts, location data, and other device information from affected smartphones.
At least one Hungarian government ministry
March 1, 2026
•[ credential leak, infostealer, stealer logs ]
Bellingcat identified 795 Hungarian government email/password combinations circulating in breach data across 12 of 13 ministries, including defence, foreign affairs, interior, and finance; stealer logs indicated 97 machines across government departments may have been compromised, with some logs as recent as March 2026.
170 Ukrainian prosecutors and investigators
March 1, 2026
•[ espionage, email compromise, state-sponsored ]
Russia-linked hackers compromised Ukrainian prosecutors' and investigators' email accounts as part of a broader email-espionage campaign involving at least 284 inboxes.
At least one critical infrastructure provider
March 1, 2026
•[ advanced persistent threat, critical infrastructure, programmable logic controllers ]
Iran-affiliated advanced persistent threat actors accessed internet-exposed Rockwell Automation/Allen-Bradley programmable logic controllers at one or more U.S. critical infrastructure providers and manipulated project files and HMI/SCADA displays, resulting in operational disruption and financial loss.
RXNT
March 1, 2026
•[ data breach, healthcare, PII ]
RXNT, the SaaS provider for the Office of the Attending Physician, experienced a breach on March132026 where attackers accessed the platform and copied patient prescription records, including names, addresses, dates of birth, and medication details.