Baydöner
March 8, 2026
•[ data breach, data leak, plaintext passwords ]
In March 2026, the Turkish restaurant chain Baydner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydner stated that payment and financial data was not affected.
Monterrey Water Utility
February 26, 2026
•[ unauthorized access, data leak, billing information ]
Attackers gained unauthorized access to Monterreys municipal water utility databases and stole internal and customer records. The exposed data reportedly includes billing and account information linked to utility customers.
Substack
October 1, 2025
•[ phishing, data leak, unauthorized access ]
Substack notified users of a data breach after it identified evidence on February 3, 2026 that an unauthorized third party accessed limited user data in October 2025. Substack stated that credit card numbers, passwords, and financial information were not accessed. The company did not disclose how access was obtained, but said it fixed the system issue that enabled it and warned users to be cautious of phishing. Reporting cited a database allegedly containing 697,313 records posted to a hacking forum, consistent with exposure of emails, phone numbers, and internal account metadata.
Panera Bread
August 1, 2025
•[ data breach, unauthorized access, data leak ]
Panera Bread reportedly suffered a data breach that exposed approximately 14 million customer records after unauthorized access to an application database, with no evidence of operational disruption disclosed at the time of reporting.
Canada Goose
August 1, 2025
•[ data leak, third-party breach, customer records ]
BleepingComputer reported that Canada Goose was investigating after ShinyHunters leaked more than 600,000 customer records. Canada Goose said it had not found evidence its own systems were breached and believed the data related to past customer transactions. ShinyHunters told BleepingComputer the dataset was unrelated to recent SSO attacks and claimed it originated from a third-party payment processor breach and dates back to August 2025. The exposed data was described as including purchase history plus device/browser information and order values; it did not appear to include full payment card numbers.
Canada Goose
July 4, 2025
•[ data leak, third-party breach, customer records ]
In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card type and last 4 digits. Canada Goose advised that the data "appears to relate to past customer transactions" and stated that it originated from a breach at a third party in August 2025. The most recent transaction date in the data is July 2025.
