Portend Breaches

Resolv March 22, 2026 • [ DeFi, cryptocurrency theft, exploit ] The Record reported that an attacker exploited Resolv DeFi, walking away with about $24.5 million in ETH after creating unbacked assets and causing potential secondary market impacts. Resolv posted an on-chain message offering the attacker 10% of the stolen ETH if they returned the remaining funds and ceased activity, threatening exchange coordination, law enforcement contact, and legal action otherwise. Reporting referenced a Chainalysis postmortem describing the incident as a failure of security assumptions around off-chain infrastructure. The attacker and access method were not publicly identified in the article excerpt.

IntraCare March 20, 2026 • [ unauthorized access, extortion, data breach investigation ] IntraCare disclosed unauthorized access to its network on March 20, 2026, while outside reporting linked the incident to a The Gentlemen extortion claim; the organization said it was still investigating what information, if any, was impacted.

Neukölln district heating plant March 20, 2026 • [ ransomware, internal IT systems, accounting ] Berlin police confirmed a ransomware attack against the Neuklln district heating plant that had been known since March 20, 2026; reporting said internal IT systems including accounting and internal communications were affected, while technical systems and heat supply remained unaffected.

The Ukrainian State Hydrology Agency March 19, 2026 • [ phishing, vulnerability exploitation, XSS ] BleepingComputer reported that Russia-linked APT28 (GRU) exploited a Zimbra Collaboration Suite vulnerability (CVE-2025-66376) in attacks targeting Ukrainian government entities. Researchers described a phishing operation (Operation GhostMail) where a single HTML email body triggered obfuscated JavaScript exploiting the Zimbra XSS flaw when opened in a vulnerable webmail session. The payload was described as harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents going back 90 days, with exfiltration over DNS and HTTPS. One referenced target was the Ukrainian State Hydrology Agency.

Foster City March 19, 2026 • [ cyberattack, service disruption, network intrusion ] GovTech (via SFGATE/TNS) reported a cyberattack that left Foster City (Bay Area; ~33,000 residents) largely paralyzed for five consecutive days after suspicious activity was discovered on the citys computer network on Thursday morning (Mar. 19, 2026). City officials said most computer systems were taken offline as a precaution while independent cybersecurity specialists investigate and remediate. Most government services were suspended with no restart timeline provided, while police and 911 services continued operating. Public reporting did not confirm the intrusion vector, ransomware group, or whether data was exfiltrated; the confirmed primary effect is prolonged disruption of municipal services.

Dutch Ministry of Finance March 19, 2026 • [ cyberattack, unauthorized access, internal system compromise ] The Record reported that the Dutch Ministry of Finance is investigating a cyberattack that compromised some internal systems. Officials said the breach was flagged on March 19, 2026 after a third party alerted the ministry to suspicious activity, and internal security teams found unauthorized access to several systems used by a department. Authorities said the affected systems were part of the ministrys primary infrastructure and were taken offline quickly once detected. The report did not confirm data theft or identify the attacker; the confirmed impact is internal-system compromise and operational disruption from systems being taken offline during response.

Trivy March 19, 2026 • [ supply chain attack, malicious code, credential-stealing malware ] TeamPCP compromised Trivy-related release components and published malicious code that turned trusted Trivy software artifacts into delivery vehicles for credential-stealing malware.

P3 Global Intel March 18, 2026 • [ data breach, data leak, personally identifiable information ] DataBreaches summarized reporting that hackers calling themselves The Internet YIFF Machine stole data from cloud-based tip and intelligence management company P3 Global Intel and provided it to DDoSecrets. The exposed dataset includes millions of tips and extensive personal data about people accused in tips, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers, and criminal histories. The platform is used by thousands of clients, including Crime Stoppers programs, local and federal law enforcement agencies, public schools, and the U.S. military, so the breach has broad downstream exposure across many organizations.

Aura March 18, 2026 • [ voice phishing, vishing, data leak ] BleepingComputer reported Aura confirmed an incident where an unauthorized party gained access to nearly 900,000 records containing names and email addresses. Aura said the incident was caused by voice phishing targeting an employee and that the exposed data originated from a marketing tool used by a company acquired in 2021. Aura stated the event exposed information for 20,000 current and 15,000 former customers within the larger marketing dataset and that compromised customer information includes full names, email addresses, home addresses, and phone numbers, while emphasizing SSNs, account passwords, and financial information were not compromised. ShinyHunters claimed responsibility and said it stole 12GB of files and leaked them.

Duet Night Abyss March 18, 2026 • [ malware, infostealer, supply chain attack ] Kotaku reported that on March 18, 2026 Duet Night Abyss players PCs were infected after a malicious update was pushed through the games launcher. The malware was identified by users antivirus products as 'Trojan:MSIL/UmbralStealer.DG!MTB' (Umbral Stealer), an infostealer capable of logging keystrokes, taking screenshots, and attempting to harvest sensitive information such as passwords and cryptocurrency-related data. The developers said they addressed the issue and apologized, describing it as an external malicious attack spread via the launcher update.

Infinite Campus March 18, 2026 • [ unauthorized access, data leak, account compromise ] An unauthorized actor accessed an Infinite Campus employee's Salesforce account, exposing names and contact information for school staff; Infinite Campus said no student databases were accessed.

Yeshiva World News March 18, 2026 • [ defacement, hacktivism, website downtime ] Yeshiva World News was defaced with pro-Iran imagery and Farsi text on March 18, 2026, knocking the homepage offline and leaving the site on a maintenance page while restoration work continued.

At least one individual March 18, 2026 • [ phishing, malware, social engineering ] Cyber fraudsters in Navi Mumbai impersonated Mahanagar Gas Limited officials and sent malicious WhatsApp files or links that compromised victims' phones and enabled unauthorized access to their bank accounts.

Nordstrom March 17, 2026 • [ phishing, cryptocurrency scam, SSO compromise ] Cybernews reported Nordstrom customers received fraudulent emails from an official Nordstrom email address promoting a St. Patricks Day double your crypto scam. Reporting cited a source saying the breach occurred via an Okta SSO to Salesforce compromise, and scam emails were sent using Salesforce Marketing Cloud. Analysis of the scam wallet address indicated the attacker received a little over $5,600 in cryptocurrency.

The Gauteng Provincial Governmen March 17, 2026 • [ ransomware, data leak, data exfiltration ] Daily Maverick reported a ransomware-as-a-service syndicate calling itself XP95 claimed it stole 3.8TB of data from the Gauteng Provincial Government. The article describes the breach as a major failure of basic cybersecurity infrastructure and governance, with a massive dataset reportedly lifted/exfiltrated and allegedly offered for sale. The report did not provide a definitive public inventory of affected systems or all data elements, but characterized the exposure as potentially spanning personnel, procurement, and other government records at very large scale.

Sweden's BankID March 17, 2026 • [ data leak, credential leak, source code leak ] Biometric Update reported a hacker group calling itself ByteToBreach claimed a breach at CGIs Swedish division, leaking code and credentials tied to systems used by Swedish public authorities and linked in reporting to BankID authentication flows (including for the Swedish Tax Agency). The article said other databases containing personal data and electronic signature documents were allegedly being sold separately. The report is based on attacker claims and leak assertions and does not provide an official confirmation of full scope from CGI or BankID in the excerpt.

La Mutuelle Familiale March 17, 2026 • [ cyberattack, service disruption, investigation ] La Mutuelle Familiale disclosed a cyberattack detected on March 17, 2026 that temporarily disrupted multiple member and back-office services while investigations continued; no perpetrator or data theft was publicly confirmed.

Outpost24 March 16, 2026 • [ phishing, DKIM, social engineering ] SecurityWeek reported that a C-level executive at Outpost24 was targeted with a sophisticated phishing attempt that used a DKIM-signed email, trusted redirection infrastructure, compromised servers, and Cloudflare-protected phishing pages. Outpost24s subsidiary Specops Software said it detected and blocked the attack early before any systems were compromised or users impacted.

At least one member of the Ukrainian armed forces March 16, 2026 • [ espionage, spyware, phishing ] The Record reported researchers attributed a new espionage campaign targeting Ukrainian organizations to the Russia-linked group Laundry Bear (Void Blizzard), active since at least 2024. The campaign used spyware embedded in documents themed around Starlink satellite terminals and a well-known Ukrainian charity. The article is campaign reporting (multiple targets) and does not provide a single named victim incident with bounded impact metrics.

At least one KakaoTalk user March 16, 2026 • [ malware, account takeover, cyberattack ] Yonhap/The Korea Times reported a North Korea-linked group used stolen KakaoTalk accounts to distribute malware in recent cyberattacks, highlighting a new propagation tactic. Reporting said the threat actors compromise victims, gain access to KakaoTalk desktop accounts, and then use that trusted messaging channel to push malicious payloads to selected contacts.

Recent Breaches