Michelin
March 11, 2026
•[ data breach, zero-day exploitation, hacking campaign ]
Michelin confirmed it was impacted by the Oracle E-Business Suite (EBS) hacking campaign, which SecurityWeek reports was claimed by Cl0p and involved exploitation of an Oracle EBS zero-day. Michelin stated that hackers accessed some files, but said only a small, localized volume of data was affected and it contained no sensitive or technical IT information; the company also said there was no ransomware and no impact on its global systems, and that corrective actions were effective. SecurityWeek reported the cybercriminals publicly released more than 315GB of archives allegedly stolen from Michelin, with a file-tree review indicating at least some data originated from an Oracle EBS environment.
Loblaw
March 10, 2026
•[ data breach, unauthorized access, customer information ]
Canadian retailer Loblaw disclosed a data breach after a criminal third party accessed basic customer information. The company said the accessed data included names, email addresses and phone numbers. Loblaw stated its investigation indicated passwords, health information, and credit card data were not compromised, and PC Financial was not impacted. The company did not provide the number of affected customers, the intrusion vector or evidence of ransomware. The confirmed primary effect is unauthorized access to limited customer contact information.
Slavia Insurance
March 10, 2026
•[ data breach, medical records, vendor error ]
Czech insurer Slavia pojiovna reported that attackers obtained about 150 GB of sensitive data, including insurance documents, medical records, and direct communications with clients. The companys spokesperson attributed the incident to an error by a supplier/vendor and said the issue was detected by Slavias security systems and remediation steps were underway to prevent recurrence. Public reporting did not identify the attacker or provide counts of affected clients, but indicated the stolen data types are sensitive and could enable fraud or targeted extortion/phishing.
Baydöner
March 8, 2026
•[ data breach, data leak, plaintext passwords ]
In March 2026, the Turkish restaurant chain Baydner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydner stated that payment and financial data was not affected.
Elecq
March 7, 2026
•[ ransomware, data breach, cloud security ]
Fleet World reported that EV charging solutions provider Elecq suffered a ransomware attack on its AWS cloud platform discovered on March 7, 2026 after unusual activity. A notice to customers said compromised information included customer names, email addresses, phone numbers, home addresses, and location data. The company stated that no payment/financial information was accessed and that the physical charging devices were not affected and remained secure and operational.
Orthopaedic Institute of Western Kentucky
March 6, 2026
•[ data breach, third-party vendor, medical records ]
Orthopaedic Institute of Western Kentucky disclosed a patient data breach tied to two separate security incidents at its third-party vendor Keystone Technologies. Reporting stated one incident occurred in April 2025 and another occurred between July and August 1, 2025, and that in both cases unauthorized parties accessed files containing patient information. The disclosure indicated the potentially exposed data could include medical records, Social Security numbers, and addresses. No threat actor attribution, precise access method, or affected-patient count was provided in the brief report.
FBI surveillance system
March 6, 2026
•[ data breach, surveillance system, law enforcement sensitive information ]
Reporting stated the White House was working with the FBI, NSA, and CISA to respond to an apparent breach of an FBI surveillance system disclosed to Congress. The system is unclassified but contains law-enforcement sensitive information, including returns from legal process such as pen register and trap-and-trace surveillance returns, and personally identifiable information about subjects of FBI investigations. The report did not identify the attacker, intrusion vector, or the full scope/timeline of access.
Woflow
March 4, 2026
•[ data breach, extortion, PII ]
In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data. The trove included hundreds of thousands of email addresses, names, phone numbers and physical addresses, with the data indicating it related to Woflow customers and, in turn, the customers of merchants using their platform.
SUCCESS
March 4, 2026
•[ data breach, personal information, password hashes ]
In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS' disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors.
Lehigh Carbon Community College
March 4, 2026
•[ data breach, IT disruption, campus closure ]
Reporting stated that Lehigh Carbon Community College in Pennsylvania suffered a data breach that forced the college to close all campuses for more than a week in early March 2026. After reopening, IT disruptions reportedly persisted (including lack of Wi-Fi and phone service), indicating ongoing recovery and restoration of core services. A trustee publicly attributed the closures to a data breach, but the college did not disclose a threat actor, entry vector, or specific data types in the public reporting cited.
Blanchard Training and Development, Inc.
March 3, 2026
•[ unauthorized access, PII, financial information ]
Blanchard Training and Development, Inc. identified unusual activity in its network environment on March 4, 2026, and later determined that an unauthorized individual may have copied certain information between March 3 and March 4. DataBreach indexed 494,404 rows tied to Blanchard, including names, contact information, addresses, and bank account information.
At least one Hungarian government ministries
March 1, 2026
•[ credential leak, infostealer, stealer logs ]
Bellingcat identified 795 Hungarian government email/password combinations circulating in breach data across 12 of 13 ministries, including defence, foreign affairs, interior, and finance; stealer logs indicated 97 machines across government departments may have been compromised, with some logs as recent as March 2026.
Bitrefill
March 1, 2026
•[ data breach, cryptocurrency theft, PII leak ]
Bitrefill published a post-mortem stating it was attacked on March 1, 2026 and attributed the activity to North Koreas Lazarus Group. The breach was discovered after suspicious purchasing patterns suggested gift card stock and supplier supply lines were being exploited. Bitrefill said attackers accessed about 18,500 purchase records containing customer email addresses, crypto payment addresses, and metadata including IP addresses. The attackers also drained some Bitrefill cryptocurrency wallets and transferred funds to attacker-controlled wallets; the company did not disclose the amount stolen and said it would absorb the losses.
Bitrefill
March 1, 2026
•[ cyberattack, data breach, cryptocurrency theft ]
Bitrefill disclosed that a March 1, 2026 cyberattack originating from a compromised employee laptop enabled attackers to obtain legacy credentials, access a snapshot containing production secrets, and escalate into parts of Bitrefills infrastructure. The attackers accessed parts of the database and some cryptocurrency wallets, leading to theft of funds and misuse of gift card inventory/supply flows. Bitrefill reported exposure of about 18,500 purchase records containing customer email addresses, IP addresses, and cryptocurrency payment addresses; for about 1,000 purchases, customer names were also potentially exposed (stored encrypted, but the attackers may have obtained decryption keys). Bitrefill said it shut down systems to isolate the incident, worked with security experts/on-chain analysts/law enforcement, and assessed the method as consistent with Lazarus/BlueNoroff activity.
RXNT
March 1, 2026
•[ data breach, healthcare, PII ]
RXNT, the SaaS provider for the Office of the Attending Physician, experienced a breach on March132026 where attackers accessed the platform and copied patient prescription records, including names, addresses, dates of birth, and medication details.
Undisclosed Russian company
March 1, 2026
•[ ransomware, cyber warfare, pro-Ukrainian group ]
A pro-Ukrainian group known as Bearlyfy used GenieLocker ransomware against an undisclosed Russian company as part of a broader campaign targeting Russian firms.
Michoacán State Government
February 26, 2026
•[ data breach, citizen identification data, government registry records ]
Attackers accessed databases belonging to the Michoacn state government and stole sensitive administrative records. The compromised information reportedly includes citizen identification data and government registry records.
Ngong Ping 360
February 26, 2026
•[ ransomware, data breach, internal network compromise ]
Ngong Ping 360 said an attacker stole personal data from its internal network and made a ransom demand. The company said the affected network was separate from cable car operations and electronic payment systems.
KomikoAI
February 25, 2026
•[ data breach, PII, AI prompts ]
In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.
Lovora
February 25, 2026
•[ data breach, personal information, email addresses ]
In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users display names and profile photos, along with other personal information collected through use of the app. The apps maker, Plantake, did not respond to multiple attempts to contact them about the incident.
