Search Results for "Data leak"

HubEE February 4, 2026 • [ security vulnerability, data leak, unauthorized access ] It wasn't the Service-public.gouv.fr portal itself that was directly hacked, but a key component of its infrastructure: HubEE, the platform responsible for transmitting supporting documents between users and government agencies. For several days, attackers exploited a security vulnerability, navigating the system undetected.

Choisir le Service Public (French civil service recruitment platform) February 4, 2026 • [ data leak, personal data theft, phishing risk ] Frances official civil-service recruitment platform Choisir le Service Public disclosed a security incident that resulted in the theft of personal data for 377,418 registered candidates. The stolen dataset includes standard identifiers (name, address, phone, date of birth, email) and more detailed professional/education profile fields that can enable highly targeted phishing and fraud. The platform stated passwords were not compromised and CVs/attachments were not taken. In response, some features (candidate space access and direct-application functionality) were temporarily disabled for several days, authorities were notified, and a complaint was planned.

Matsuyama Municipal Housing Management Center February 3, 2026 • [ ransomware, data leak, resident information ] Resident information for Matsuyama municipal housing was leaked after a ransomware attack affected servers used by the housing-management contractor.

Iron Mountain February 3, 2026 • [ unauthorized access, extortion, compromised credentials ] Iron Mountain said a breach claim by the Everest extortion gang was limited to access to a single folder on a file-sharing server that primarily contained marketing materials. The company stated that a single compromised login credential was used, the credential was deactivated, and there was no ransomware or malware involvement beyond the unauthorized access. Iron Mountain also said no other systems were breached and that no customer confidential or sensitive information was involved.

University of Nebraska Medical Center February 3, 2026 • [ vulnerability, unauthorized access, data leak ] University of Nebraska Medical Center learned in February 2026 that its REDCap application contained a vulnerability and took the application offline. UNMC's investigation determined that its REDCap instance was subject to unauthorized access between September 20, 2023 and February 3, 2026, though it could not determine whether personal information housed in REDCap was actually accessed. The incident potentially affected 26,937 individuals whose data varied by research study.

NationStates February 3, 2026 • [ vulnerability, remote code execution, data leak ] NationStates confirmed a data breach after taking its website offline to investigate a security incident. The operator stated that on January 27, 2026 a player reported a critical vulnerability, then exceeded authorized boundaries and obtained remote code execution on the main production server, allowing them to copy application code and user data. NationStates indicated the only way to restore confidence was to rebuild the server and determine what was accessed or copied, leading to site instability and downtime during response. The incident combines confirmed unauthorized access/data copying with operational disruption from the shutdown/rebuild.

Poly February 2, 2026 • [ ransomware, data leak, source code ] HackRead reported that the Everest ransomware group claimed it stole about 90GB of internal data from systems linked to Polycom (a legacy enterprise communications brand now under HP Inc., branded as Poly). Everest said the dataset included an internal database and documentation and threatened publication after a nine-day countdown. Screenshots posted by the group appeared to show engineering build directories, source code trees, debug/log files, and technical documentation for Polycom conferencing platforms (including RMX and RealPresence), with filenames referencing dates from 20172019. The report stated there was no indication that HPs current production systems or customer services were impacted and the screenshots did not show customer personal data.

Family Health Centers of Southern Indiana February 2, 2026 • [ cyberattack, data leak, PII ] Termite claimed responsibility for a cyberattack against Family Health Centers of Southern Indiana, identified by the domain fhcenters.org, on February 2, 2026. DataBreach later indexed 60,425 rows tied to the breach, with exposed fields including dates of birth, phone numbers, names, street addresses, and bank account information. Public sources did not confirm the intrusion vector, encryption, operational disruption, or exact data-theft mechanism.

Hosokawa Micron Corporation February 2, 2026 • [ unauthorized access, cloud storage breach, data leak ] Hosokawa Micron confirmed unauthorized access to one cloud storage account and leakage of personal data stored there.

Onze-Lieve-Vrouwinstituut Pulhof February 2, 2026 • [ ransomware, encryption, extortion ] Belgian media reported that OLV Pulhof in Berchem was hacked and its servers were encrypted, consistent with a ransomware incident. The attackers demanded payment and reportedly threatened to publish personal data of students and staff if the ransom was not paid. In a follow-up, school leadership said they had no information that data had actually been leaked at that time and that they were closely monitoring the situation with responders. The incident primarily produced disruption through system encryption and extortion pressure; confirmed data exposure was not established in the referenced update.

Westport Public Schools email account February 2, 2026 • [ phishing, email hijacking, data leak ] Student-submitted personal info via linked Google Form: name, email address, home address, date of birth, grade level, and bank name","Westport Public Schools reported that a district staff email account (identified as a Spanish teachers account) was hijacked on a Friday afternoon and then used to send a phishing email to students in grades K12 with the subject line Employment Program For Westport Public Schools. The message advertised a work-from-home employment program connected to Feed the Children and included a linked Google Form encouraging students to apply. Because the email originated from an internal staff account, it bypassed normal email restrictions and reached student inboxes across the district, including Staples High School. District officials said the technology department removed all copies of the email from the school system and began identifying students who clicked the link and may have submitted personal information; families of students who filled out the form were contacted directly and advised to monitor accounts for fraud. Officials stated no district systems were breached beyond the single compromised email account and that student school-issued accounts remained secure.

Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and the Council for Justice February 1, 2026 • [ vulnerability, data leak, employee personal information ] Dutch media reporting summarized by DataBreaches stated that a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), used by government agencies, allowed unauthorized third parties to access employee personal information at multiple Dutch agencies, including the Dutch Data Protection Authority and the Council for Justice. The exposed information was described as employee names, email addresses, and phone numbers; the number of affected employees was still under investigation at the time of reporting.

Olympique de Marseille February 1, 2026 • [ cyberattack, data leak, data breach ] Olympique de Marseille confirmed a cyberattack after a threat actor claimed to have breached club systems earlier in February and leaked samples of staff and supporter data online.

Tulsa International Airport January 31, 2026 • [ ransomware, data leak, internal documents ] Qilin ransomware gang claimed responsibility for a ransomware attack on Tulsa International Airport and posted leaked internal documents; airport confirmed incident but not the attribution.

European Commission January 30, 2026 • [ cyberattack, data leak, vulnerability exploitation ] The European Commission disclosed it detected traces of a cyberattack on January 30, 2026 targeting its central infrastructure used to manage staff mobile devices. The Commission said the incident may have resulted in access to staff names and mobile phone numbers for some employees, but it had not found evidence that managed mobile devices themselves were compromised. The Commission stated its response contained and cleaned the system within nine hours. The article notes the Commission did not disclose the initial access method, but the incident appeared linked to attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

Provecho January 30, 2026 • [ data leak, email addresses, usernames ] In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho has been notified and is aware of the claims surrounding the incident.

Ttareungyi (Seoul public bike-sharing service) January 30, 2026 • [ data breach, PII exposure, data leak ] Approximately 4500000 user records including user IDs and mobile phone numbers were exposed in a data breach affecting Seouls public bike-sharing service Ttareungyi; authorities stated the timing of the exposure was under investigation, and no attacker attribution had been confirmed at the time of reporting.

Match Group Inc. (Tinder, Hinge, OkCupid) January 29, 2026 • [ data leak, cybercrime, ShinyHunters ] A cybercrime group calling itself ShinyHunters claimed responsibility for accessing and leaking limited user and internal data from Match Group platforms. Match Group confirmed a security incident but stated that passwords, financial information, and private messages were not compromised.

Figure January 28, 2026 • [ social engineering, fintech, data leak ] In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.

Atlas Air January 27, 2026 • [ ransomware, data leak, aircraft maintenance ] Cybernews reported that the Everest ransomware group claimed it siphoned 1.2TB of data from cargo airline Atlas Air, including aircraft maintenance documents and repair reports and information related to Boeing aircraft. Cybernews said the attackers did not attach direct data samples, only screenshots, and noted that Atlas Air explicitly denied its systems were breached.

Search Results (Data leak)