Tessco Technologies
April 30, 2026
•[ ransomware, data exfiltration, data leak ]
On April 30, 2026, the ransomware group PayoutsKing claimed to have exfiltrated and encrypted 615GB of data from Tessco Technologies, a U.S. wireless communications products distributor, including contact information for over 100,000 individuals and Salesforce records for more than 500,000 customers.
Adaptavist Group
March 31, 2026
•[ unauthorized access, stolen credentials, data theft ]
Adaptavist Group detected unauthorized access to some systems in late March 2026 after an intruder used stolen credentials. Adaptavist said the accessed systems contained typical business data such as contact information, contracts, and NDAs; The Gentlemen claimed responsibility and claimed 24 GB of data theft, allegedly including source code, customer records, internal documents, credentials, and production-system references, but Adaptavist did not confirm the full claim.
Remita Payment Services Ltd
March 31, 2026
•[ data exfiltration, KYC documents, database leak ]
Remita Payment Services Ltd was named in Nigerian data-protection investigations after ByteToBreach claimed to have exfiltrated approximately 3 TB of data from Remita-linked systems, including KYC documents, databases, logs, backups, source code, password hashes, and customer and employee records. The Nigeria Data Protection Commission served notices of investigation on April 1, 2026, and the claimed data theft remains under investigation.
Russell Cellular
March 23, 2026
•[ data leak, customer records, employee credentials ]
Russell Cellular was reported to be the source of a dataset offered for sale containing alleged customer records and employee credentials.
Sterling Bank Plc
March 18, 2026
•[ CVE-2025-55182, remote code execution, data leak ]
ByteToBreach exploited CVE-2025-55182 in Sterling Banks internet-facing pilot infrastructure on March 18, 2026, gaining unauthenticated remote code execution, conducting internal reconnaissance, and publishing artefacts that Web Security Lab assessed as technically substantiating compromise of customer and employee records.
Baydöner
March 8, 2026
•[ data breach, data leak, plaintext passwords ]
In March 2026, the Turkish restaurant chain Baydner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydner stated that payment and financial data was not affected.
Monterrey Water Utility
February 26, 2026
•[ unauthorized access, data leak, billing information ]
Attackers gained unauthorized access to Monterreys municipal water utility databases and stole internal and customer records. The exposed data reportedly includes billing and account information linked to utility customers.
Substack
October 1, 2025
•[ phishing, data leak, unauthorized access ]
Substack notified users of a data breach after it identified evidence on February 3, 2026 that an unauthorized third party accessed limited user data in October 2025. Substack stated that credit card numbers, passwords, and financial information were not accessed. The company did not disclose how access was obtained, but said it fixed the system issue that enabled it and warned users to be cautious of phishing. Reporting cited a database allegedly containing 697,313 records posted to a hacking forum, consistent with exposure of emails, phone numbers, and internal account metadata.
Panera Bread
August 1, 2025
•[ data breach, unauthorized access, data leak ]
Panera Bread reportedly suffered a data breach that exposed approximately 14 million customer records after unauthorized access to an application database, with no evidence of operational disruption disclosed at the time of reporting.
Canada Goose
August 1, 2025
•[ data leak, third-party breach, customer records ]
BleepingComputer reported that Canada Goose was investigating after ShinyHunters leaked more than 600,000 customer records. Canada Goose said it had not found evidence its own systems were breached and believed the data related to past customer transactions. ShinyHunters told BleepingComputer the dataset was unrelated to recent SSO attacks and claimed it originated from a third-party payment processor breach and dates back to August 2025. The exposed data was described as including purchase history plus device/browser information and order values; it did not appear to include full payment card numbers.
Canada Goose
July 4, 2025
•[ data leak, third-party breach, customer records ]
In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card type and last 4 digits. Canada Goose advised that the data "appears to relate to past customer transactions" and stated that it originated from a breach at a third party in August 2025. The most recent transaction date in the data is July 2025.
iMenu360
August 11, 2022
•[ data leak, customer records, PII ]
In approximately late 2022, 3.4M customer records from iMenu360 ("The world's #1 most trusted online ordering platform") were exposed. The data appeared to be from ordering systems using the platform and contained email and physical addresses, latitudes and longitudes, names and phone numbers. Numerous attempts were made to contact iMenu360 about the incident between April and August 2023, but no response was received.
