Full List

Search

Recent Breaches

• Vimeo April 28, 2026 • [ unauthorized access, data leak, stolen data ] Vimeo confirmed that an unauthorized actor accessed certain user and customer data through the Anodot breach; ShinyHunters later leaked 106GB of stolen data affecting 119,200 email addresses.
• Mediaworks Hungary Zrt. April 28, 2026 • [ data extortion, data leak, financial data ] World Leaks claimed responsibility for a data-extortion attack against Mediaworks Hungary Zrt. and released nearly 8.5 TB of allegedly sensitive internal files on its dark web site. Local media that reviewed the material said it included payroll records, contracts, financial statements, and internal communications; public reporting did not confirm encryption, deletion, or operational disruption.
• Marutake Co., Ltd. April 28, 2026 • [ ransomware, unauthorized access, system outage ] Marutake Co., Ltd., a Japanese pharmaceutical and medical-supplies wholesaler, confirmed that a system outage was caused by ransomware resulting from unauthorized external access. As of its May 8, 2026 third notice, some servers remained impaired, some normal operations were difficult, and full restoration was expected to take considerable time, though the company was using alternative measures to maintain stable supply. Public Japanese security reporting linked the confirmed incident to a The Gentlemen leak-site claim, but Marutake stated that external leakage of personal information had not been confirmed.
• Gelatissimo April 27, 2026 • [ data leak, ransomware, financial data ] DragonForce listed Australian gelato franchiser Gelatissimo on its leak site around April 27, 2026 and claimed to have stolen more than 350 GB of data, with other reporting specifying 352.24 GB. The claimed data included sensitive employee data, financial details, operational information, and executive contact details, and the group threatened publication unless the company responded; reviewed reporting did not confirm encryption or operational disruption.
• Asian Football Confederation April 27, 2026 • [ data leak, Personally Identifiable Information (PII), passport scans ] A threat actor published an alleged Asian Football Confederation and Al Nassr FC player and coach database on a cybercrime forum on April 27, 2026, exposing more than 150,000 records including passport scans, contracts, email addresses, AFC registration files, and personal details. The actor credited ShinyHunters, but public reporting did not confirm ShinyHunters carried out the breach.
• Generation Life Limited April 27, 2026 • [ cyber incident, unauthorized access, third-party service provider ] Generation Life disclosed a contained cyber incident on April 27, 2026 involving an unauthorized party gaining access to part of its system through a third-party service provider. The company said the incident was quickly contained, core investment systems remained secure, services continued operating normally, and there was no evidence of unauthorized transactions. Qilin later claimed responsibility and alleged access to some Generation Life data, but public reporting did not confirm the scope, data types, encryption, or operational disruption.
• eBay Inc April 26, 2026 • [ DDoS attack, service disruption, hacktivism ] eBay experienced a widespread service disruption beginning April 26, 2026, affecting search, listings, checkout, and API functionality worldwide; the hacktivist group 313 Team claimed responsibility for a DDoS attack, but eBay did not confirm the cause.
• CTT April 26, 2026 • [ data leak, personally identifiable information, postal service ] In April 2026, data allegedly obtained from CTT, Portugals national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.
• Udemy April 24, 2026 • [ data leak, extortion, cybercrime ] In April 2026, online training company Udemy was the victim of a pay or leak extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.
• Kent District Library April 24, 2026 • [ ransomware, cyberattack, service disruption ] Kent District Library closed all branches after a ransomware attack disrupted computer systems and network-dependent services.
• Udemy, Inc. April 24, 2026 • [ data leak, extortion, ShinyHunters ] ShinyHunters listed Udemy in a pay-or-leak extortion attempt on April 24, 2026 and subsequently leaked data containing 1.4 million unique email addresses belonging to customers and instructors, along with names, physical addresses, phone numbers, employer information, and instructor payout methods. Public reporting did not confirm encryption, deletion, or operational disruption.
• East Inc. April 24, 2026 • [ unauthorized access, internal network, leak-site ] East Inc. confirmed that it detected unauthorized third-party access to its internal network on April 24, 2026. The company reported the incident to police and relevant authorities and engaged outside security specialists, while stating that external information leakage had not been confirmed. Public Japanese security reporting later linked the confirmed incident to a The Gentlemen leak-site claim, but did not confirm data publication or operational disruption.
• i.e.Smart Systems April 23, 2026 • [ ransomware, data-extortion, data leak ] The Gentlemen ransomware group publicly claimed responsibility for a data-extortion attack against i.e.Smart Systems, a Houston-area technology integrator, on April 23, 2026 and threatened to leak sensitive data if the company did not engage in negotiations. Public reporting did not confirm encryption, deletion, operational disruption, or the specific data volume.
• Anthropic April 21, 2026 • [ unauthorized access, third-party vendor breach, data leak ] A private online group reportedly gained unauthorized access to Anthropics limited-release Claude Mythos Preview model through a third-party vendor environment.
• Banco Rendimento April 21, 2026 • [ security incident, unauthorized access, banking ] Banco Rendimento identified and contained a security incident on April 21, 2026 affecting some client-access channels and accounts; the bank isolated the threat, restored operations the following day, and reported the incident to Brazilian authorities.
• Mile Bluff Medical Center April 21, 2026 • [ ransomware, data encryption, system disruption ] Mile Bluff Medical Center experienced system disruptions after a security event that encrypted data, affecting phone and computer systems; clinical teams operated under downtime procedures while the organization investigated and engaged third-party partners.
• ADT April 20, 2026 • [ data breach, extortion, data leak ] In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people.
• Pitney Bowes April 20, 2026 • [ extortion, data leak, hacking collective ] In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.
• Aman April 20, 2026 • [ extortion, data leak, CRM breach ] In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
• Administration of Kursk region April 20, 2026 • [ DDoS attack, government, service disruption ] On April 20, 2026, Kursk regional authorities reported a DDoS attack against regional administration servers that made the live broadcast of a government session unavailable. Officials said the session recording would be published later on official governor and regional government resources, and corroborating reporting said the attack was localized the same day.