Booking.com
April 15, 2026
•[ unauthorized access, data breach, PII leak ]
Booking.com detected suspicious activity affecting a number of reservations and notified customers that unauthorized third parties may have accessed booking details, names, email addresses, addresses, phone numbers, and information shared with properties; financial information was not accessed, and Booking.com reset reservation PINs for affected users.
Nigeria's Corporate Affairs Commission (CAC)
April 15, 2026
•[ unauthorized access, data exfiltration, data breach ]
Nigeria's Corporate Affairs Commission confirmed unauthorized access to limited aspects of its information systems; ByteToBreach claimed it exfiltrated about 25 million documents, roughly 750 GB, from CAC infrastructure, but CAC did not confirm the volume or identify the perpetrator.
Inditex (Zara owner)
April 15, 2026
•[ unauthorized access, third-party breach, customer transaction information ]
Inditex reported unauthorized access to third-party-hosted databases containing customer transaction information; the company said the affected databases did not contain addresses, passwords, or bank card details and that it applied security protocols and notified authorities.
Bluesky
April 15, 2026
•[ DDoS attack, service disruption, 313 Team ]
Bluesky experienced a roughly 24-hour DDoS attack that intermittently disrupted core platform features; 313 Team claimed responsibility.
Guesty
April 15, 2026
•[ ransomware, extortion, data theft ]
Vect claimed it stole 700GB of Guesty data and was negotiating with the company after a ransomware-related extortion listing.
Council of Engineers Thailand
April 15, 2026
•[ data breach, personal information, database security ]
A hacker breached the Council of Engineers Thailand member database while data was being transferred between servers, stealing personal information of approximately 350,000 engineers.
Grinex
April 15, 2026
•[ cyberattack, cryptocurrency, asset theft ]
Grinex, a Kyrgyzstan-based cryptocurrency exchange linked to Russia, suspended operations after a cyberattack in which assets worth 1 billion roubles, about $13.10 million, were stolen.
Kemper
April 15, 2026
•[ ransomware, social engineering, extortion ]
In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Among the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement.
Undisclosed major user-generated content platform
April 15, 2026
•[ DDoS, HTTP DDoS campaign, Cybercrime ]
In mid-April 2026, cybercriminals launched a fragmented HTTP DDoS campaign against an undisclosed major user-generated content platform, generating approximately 2.45 billion malicious requests over five hours and peaking at 205,344 requests per second. The traffic originated from more than 1.2 million unique IP addresses across 16,402 autonomous systems.
Empower Group
April 15, 2026
•[ data leak, personally identifiable information, finance ]
DragonForce reportedly claimed responsibility for a breach of Empower Group, a New York-based alternative financing provider, and claimed to have exfiltrated approximately 316GB of data. DataBreach later indexed 6,691,415 rows allegedly tied to the breach, including Social Security numbers, dates of birth, email addresses, phone numbers, names, and street addresses. Public sources did not confirm file encryption or operational disruption.
Le Desk (media outlet)
April 14, 2026
•[ DDoS attack, cyberattack, media outlet ]
Le Desk was targeted by a large DDoS attack that generated 26.69 billion HTTP requests over 42 hours.
At least one Chrome user
April 14, 2026
•[ malicious extensions, credential theft, session hijacking ]
A coordinated campaign used 108 malicious Chrome extensions published under five developer identities to route stolen credentials, user identities, browsing data, Google account information, and Telegram Web session data to shared command-and-control infrastructure. The extensions collectively had about 20,000 Chrome Web Store installs and could inject ads or arbitrary JavaScript into visited pages and open arbitrary URLs through browser-level abuse.
McGraw Hill
April 14, 2026
•[ misconfiguration, data leak, extortion ]
McGraw Hill confirmed that a Salesforce-hosted webpage misconfiguration exposed limited contact data, while ShinyHunters claimed millions of Salesforce records and attempted extortion.
Maryland Department of Assessments and Taxation
April 14, 2026
•[ suspicious activity, web application security, incident response ]
The Maryland Department of Information Technology detected suspicious activity on servers running the State Department of Assessments and Taxation's Real Property Search website application on April 14, 2026, and took the site offline; no private data was reported compromised.
Abrigo
April 14, 2026
•[ extortion, data leak, fintech ]
In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from Abrigo's Salesforce compromise via the Drift application connector the previous year, the data fields described in that incident are consistent with the ShinyHunters data, namely that it was "business contact information" including "institution name, employee name, email addresses, and phone numbers".
Unimed
April 14, 2026
•[ unauthorized access, data theft, ransomware ]
Unknown attackers gained unauthorized access to parts of Unimed's IT infrastructure on April 14, 2026 and stole patient billing data processed for German hospitals and clinics. Affected institutions included university hospitals in Cologne, Freiburg, Heidelberg, Tübingen, Ulm, Düsseldorf, Mainz, Saarland, Oldenburg, Hannover, Göttingen, and others. Reporting indicated the attackers intended broader system encryption, but this was stopped; hospitals said their clinical systems and patient care were not affected.
Gastroenterology & Hepatology of CNY
April 14, 2026
•[ ransomware, data-extortion, healthcare ]
Exitium claimed responsibility for a ransomware and data-extortion attack against Gastroenterology & Hepatology of CNY on April 14, 2026, claiming it had encrypted systems and threatened to sell patient records if its demands were not met. DataBreach.com later indexed 196,959 rows associated with the leak, while other public reporting described Exitium's claim as involving approximately 167,303 patient records.
At least one compromised Iranian device
April 13, 2026
•[ spyware, cyber espionage, pegasus ]
The article reports that the US Central Intelligence Agency used Israeli-made Pegasus spyware as part of a deception campaign inside Iran during an operation to rescue a downed American airman. According to the report, Pegasus was used to send fake messages to Iranian leadership and Islamic Revolutionary Guard Corps (IRGC) operatives, making it appear the missing airman had already been located. The piece says Pegasus enabled messages to be sent through apps like WhatsApp and Signal that looked like they came from compromised devices, helping mislead Iranian forces during the rescue effort. The report also says the CIA used a separate classified system called Ghost Murmur to locate the airman by detecting a heartbeat from a distance, though experts cited in the article expressed skepticism about that capability.
Basic-Fit
April 13, 2026
•[ unauthorized access, data breach, data leak ]
Basic-Fit detected unauthorized access to the system that records member visits and stopped the intrusion within minutes, but external security experts determined that data for active members in several countries had been downloaded, affecting about 1 million members overall, including around 200,000 in the Netherlands.
Itron, Inc.
April 13, 2026
•[ unauthorized access, corporate systems, energy management ]
Itron, a provider of energy and water management solutions, detected unauthorized access to some corporate systems on April 13, 2026; operations continued and no further unauthorized activity or customer impact was observed.