Search Results for "PII"

Aman April 20, 2026 • [ extortion, data leak, CRM breach ] In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.

Ajax FC March 25, 2026 • [ data leak, unauthorized access, PII ] Ajax said a hacker unlawfully gained access to parts of its systems and viewed the email addresses of a few hundred people, as well as names, email addresses, and dates of birth for fewer than 20 people with stadium bans.

Infinite Campus March 18, 2026 • [ unauthorized access, data leak, account compromise ] An unauthorized actor accessed an Infinite Campus employee's Salesforce account, exposing names and contact information for school staff; Infinite Campus said no student databases were accessed.

Crunchyroll March 12, 2026 • [ data breach, data leak, PII ] In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP.

Westfield Mall of the Netherlands March 9, 2026 • [ phishing, data leak, PII ] Westfield Mall of the Netherlands informed customers that unauthorized persons accessed a database containing information for newsletter subscribers and Westfield Club loyalty program members. Reported exposed fields include first and last name, email address, telephone number, postal code, and date of birth. The mall said no financial data was compromised because bank account numbers, credit card details, and passwords were not stored in the affected database. The mall warned of phishing risk, reported the incident to data protection authorities, and URW filed a complaint with competent authorities.

Baydöner March 8, 2026 • [ data breach, data leak, plaintext passwords ] In March 2026, the Turkish restaurant chain Baydner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydner stated that payment and financial data was not affected.

Orthopaedic Institute of Western Kentucky March 6, 2026 • [ data breach, third-party vendor, medical records ] Orthopaedic Institute of Western Kentucky disclosed a patient data breach tied to two separate security incidents at its third-party vendor Keystone Technologies. Reporting stated one incident occurred in April 2025 and another occurred between July and August 1, 2025, and that in both cases unauthorized parties accessed files containing patient information. The disclosure indicated the potentially exposed data could include medical records, Social Security numbers, and addresses. No threat actor attribution, precise access method, or affected-patient count was provided in the brief report.

AkzoNobel March 3, 2026 • [ ransomware, data leak, internal correspondence ] AkzoNobel confirmed a security incident at one of its U.S. sites after the Anubis ransomware group published a partial leak. AkzoNobel stated the incident was contained and limited to the affected site. The leak samples described in reporting included confidential client agreements, internal email correspondence, technical specification sheets, material testing documents, and contact data such as email addresses and phone numbers, as well as passport scans.

KomikoAI February 25, 2026 • [ data breach, PII, AI prompts ] In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

Local 100 chapter of the Transport Workers Union of America February 24, 2026 • [ ransomware, data leak, identity theft ] SC Media reported that Qilin claimed to have breached TWU Local 100 (NYC transit union) and published stolen data on its leak site, putting over 41,000 active transit workers and 26,000 retirees at risk of identity theft. The report notes Qilin did not specify how much data was taken, but highlighted that the union retains sensitive employee information such as contact details, salary information, job titles, medical and insurance benefits, and retirement/pension planning information. The report frames the incident as a ransomware groups breach claim with a presumed data-theft/extortion outcome.

Quitbro February 17, 2026 • [ data breach, data leak, PII ] In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users years of birth, responses to questions within the app and their last recorded relapse time. The apps maker, Plantake, did not respond to multiple attempts to contact them about the incident.

CarGurus February 14, 2026 • [ data breach, extortion, data leak ] In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.

Odido February 12, 2026 • [ data breach, extortion, PII ] In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, drivers licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers.

Figure February 12, 2026 • [ social engineering, data leak, extortion ] Figure Technology Solutions confirmed it suffered a data breach after an employee fell victim to a social engineering attack, with attackers obtaining a limited number of files. SecurityWeek reported that the ShinyHunters group took credit and posted archive files on its leak site; Have I Been Pwned analysis identified roughly 967,000 user records in the leaked data. The exposed information includes names, dates of birth, email addresses, postal addresses, and phone numbers. The reporting frames the incident as data theft/extortion without describing service disruption to Figures lending operations.

Odido February 7, 2026 • [ data leak, unauthorized access, customer data theft ] Odido confirmed that hackers gained unauthorized access to its customer contact system and covertly downloaded large volumes of customer information. Odido said more than 6.2 million customers were affected. The compromised data includes names, phone numbers, postal and email addresses, dates of birth, IBAN bank account numbers, and government-issued ID details such as passport or drivers license numbers and validity dates. The report did not attribute the incident to a specific threat group and did not describe operational disruption beyond the data compromise.

Toy Battles February 6, 2026 • [ data leak, gaming, PII ] In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.

La Comisiï¿½n Nacional de Seguros y Fianzas (CNSF) February 6, 2026 • [ data leak, security incident, PII ] In the case of the National Insurance and Bonding Commission (CNSF) , the regulator reported that on January 30th it registered an information security incident that exposed intermediary identification documents containing data such as name, CURP (Unique Population Registry Code), RFC (Federal Taxpayer Registry), and photograph.

Flickr (via an undisclosed third-party provider) February 5, 2026 • [ data leak, third-party risk, phishing ] Flickr notified users of a potential data breach after a vulnerability in a system operated by one of its third-party email service providers may have allowed unauthorized access to member information. Flickr said it was alerted on February 5, 2026 and shut down access to the affected system within hours. The company stated that passwords and payment card numbers were not compromised. Exposed data may include real names, email addresses, usernames, account type, IP address, general location, and platform activity; Flickr urged vigilance for phishing and recommended changing passwords on other services if reused.

Association Nationale des Premiers Secours January 30, 2026 • [ data breach, PII, legacy system ] In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum. The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the incident was traced back to a legacy system and did not impact health data, financial information or passwords.

Figure January 28, 2026 • [ social engineering, fintech, data leak ] In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.

Search Results (PII)