Braintrust
May 4, 2026
•[ unauthorized access, API keys, cloud security ]
Braintrust confirmed unauthorized access to an internal AWS account on May 4, 2026 that likely exposed customer org-level AI-provider API keys used to access cloud-based AI models. Braintrust locked down the compromised account, audited and restricted related systems, rotated internal secrets, and instructed customers to rotate affected keys.
Anodot
April 4, 2026
•[ data breach, token theft, unauthorized access ]
ShinyHunters allegedly breached Anodot, causing its data connectors to stop working and enabling downstream customer cloud-data access through stolen tokens.
St. Joseph County
April 1, 2026
•[ data breach, cloud security, fax server ]
St. Joseph County confirmed a breach of an external cloud-based fax server while disputing Handala's broader 2 TB data-theft claim.
P3 Global Intel
March 18, 2026
•[ data breach, data leak, personally identifiable information ]
DataBreaches summarized reporting that hackers calling themselves The Internet YIFF Machine stole data from cloud-based tip and intelligence management company P3 Global Intel and provided it to DDoSecrets. The exposed dataset includes millions of tips and extensive personal data about people accused in tips, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers, and criminal histories. The platform is used by thousands of clients, including Crime Stoppers programs, local and federal law enforcement agencies, public schools, and the U.S. military, so the breach has broad downstream exposure across many organizations.
Pivot Health
March 13, 2026
•[ unauthorized access, cloud security, health insurance information ]
Pivot Health became aware of suspicious activity in its Amazon Web Services environment on or around March 13, 2026. Its investigation determined that an unauthorized actor accessed the AWS environment at various times between February 26, 2026 and March 13, 2026, and that certain information stored in AWS was viewed or copied. The affected data included health insurance and coverage information, identifiers, dates of coverage, and in some cases financial account information. Public reporting did not identify a responsible actor, ransomware, or operational disruption.
Telus Digital
March 12, 2026
•[ data breach, credential theft, cloud security ]
Telus Digital confirmed a security incident after ShinyHunters claimed it stole nearly 1 petabyte of data in a multi-month breach. Reporting stated ShinyHunters said it gained initial access using Google Cloud Platform credentials found in data stolen in the Salesloft/Drift breach, and that Telus was not negotiating. At publication, Telus Digital had not been added to the actor's leak site in the cited report, and specific data categories and affected individuals were not publicly enumerated in the DataBreaches summary.
Elecq
March 7, 2026
•[ ransomware, data breach, cloud security ]
Fleet World reported that EV charging solutions provider Elecq suffered a ransomware attack on its AWS cloud platform discovered on March 7, 2026 after unusual activity. A notice to customers said compromised information included customer names, email addresses, phone numbers, home addresses, and location data. The company stated that no payment/financial information was accessed and that the physical charging devices were not affected and remained secure and operational.
Ameriprise
March 2, 2026
•[ extortion, data leak, ShinyHunters ]
In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have "implemented heightened monitoring of your account(s) to include enhanced identity verification procedures".
MediCopy Services, Inc.
January 13, 2026
•[ unauthorized access, data leak, healthcare ]
An unauthorized actor accessed MediCopy Services' cloud-based file-sharing platform on January 13, 2026, and downloaded files related to release-of-information requests for certain Deaconess patients, including patients of Deaconess Henderson Hospital, Deaconess Union County Hospital, and surrounding clinics. Deaconess stated that its own IT systems and electronic medical record system were not impacted.
Global-e
January 7, 2026
•[ data exposure, third-party compromise, unauthorized access ]
Reporting aggregated by DataBreaches.Net indicates Ledger was impacted by a data exposure incident involving its third-party payment processor, Global-e. The report describes an email notification stating that an unauthorized party accessed Global-e's cloud system and obtained Ledger customers' personal details, including names and contact information associated with orders. The notification did not specify when the access occurred, how many Ledger customers were affected, or whether additional data types (e.g., payment details) were involved. The incident is treated as a third-party compromise affecting Ledger customer data.
Iberia Airlines
January 7, 2026
•[ infostealer, malware, credential theft ]
TechRadar and HackRead summarized Hudson Rock research describing a campaign in which an actor using the alias Zestix (aka Sentap) leveraged credentials harvested by infostealer malware (e.g., RedLine, Lumma, Vidar) to access corporate cloud instances where multi-factor authentication was not enforced. Reporting stated the attacker obtained and attempted to auction or sell large volumes of sensitive corporate files from roughly 50 enterprises worldwide, with at least one victim reportedly losing on the order of 139GB of data. Specific victim impacts vary by organization, and the timing of initial credential theft was not fully specified.
An undisclosed company's cloud environment
November 28, 2025
•[ cloud security, credential exposure, misconfiguration ]
HackRead summarized Sysdig Threat Research Team observations of an attacker taking over an organization's AWS cloud environment on Nov. 28, 2025 in roughly eight minutes. The report described the compromise as being enabled by exposed AWS credentials stemming from a storage/configuration error, and stated the intruder rapidly escalated to full administrative control using automation and AI-assisted workflows.
At least one undisclosed retail/consumer-services organisation
October 23, 2025
•[ financial fraud, account compromise, cloud security ]
Threat cluster Jingle Thief compromises cloud accounts at retailers/consumer services to issue high-value gift cards at scale, maintaining persistence (rogue MFA apps, Entra enrollments) and living-off-the-land in M365; activity spiked April-May 2025 and is financially motivated fraud rather than service disruption. Campaign-level intel, not a single-victim event.
ConnectWise
May 29, 2025
•[ nation-state attack, security incident, cloud security ]
ConnectWise reported a suspected nation-state breach impacting a small number of ScreenConnect cloud customers; investigation with Mandiant ongoing; no counts shared.