Anodot
April 4, 2026
•[ data breach, token theft, unauthorized access ]
ShinyHunters allegedly breached Anodot, causing its data connectors to stop working and enabling downstream customer cloud-data access through stolen tokens.
SongTrivia2
April 2, 2026
•[ data breach, data leak, password hashes ]
In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars.
PSK WIND Technologies
April 2, 2026
•[ data breach, hacktivism, server compromise ]
Handala claimed it breached PSK WIND Technologies servers and deleted sensitive information tied to Israeli air-defense command-and-control systems.
The Northern Ireland Education Authority
April 2, 2026
•[ cyberattack, personal information, data breach ]
The Northern Ireland Education Authority reported a cyberattack on the C2k school IT network that disrupted access and involved targeted access to confidential personal information.
Rituals
April 1, 2026
•[ data breach, unauthorized access, PII ]
Rituals confirmed that an unauthorized download of My Rituals membership data occurred in April 2026, affecting customers in Europe, the United Kingdom, and the United States. The downloaded data included names, dates of birth, gender, postal and email addresses, phone numbers, preferred store locations, and account types; Rituals did not disclose the exact number of affected members, and reporting stated that passwords and payment data were not accessed.
St. Joseph County
April 1, 2026
•[ data breach, cloud security, fax server ]
St. Joseph County confirmed a breach of an external cloud-based fax server while disputing Handalas broader 2 TB data-theft claim.
Hasbro Systems
March 28, 2026
•[ unauthorized access, cyberattack, operational disruption ]
Hasbro identified unauthorized access to its network on March 28, 2026 and took select systems offline as a containment measure while continuing operations through business-continuity procedures; the company warned that interim measures could cause order-processing, shipping, and invoicing delays while it reviewed potentially impacted files.
ZenBusiness
March 27, 2026
•[ data breach, extortion, ransomware ]
In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.
City of Martinsville
March 25, 2026
•[ data breach, personal information, municipal computer systems ]
The City of Martinsville disclosed that, on or about March 25, 2026, its technology team became aware of disruptions to municipal computer systems and took steps to stop the incident. Early reporting said some services in the city municipal building could be delayed or limited for the rest of the week. The city later said personal information may have been accessed by the perpetrators, but public reporting did not identify the threat actor, confirm ransomware or encryption, specify the disruption mechanism, or quantify the affected data.
Addi
March 25, 2026
•[ fintech, data breach, extortion ]
In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cdula de Ciudadana), estimated income, socioeconomic levels, purchases and other credit-related data points.
Hong Kong Correctional Services Department
March 24, 2026
•[ unauthorized access, data breach, personal data leak ]
Hong Kong's Correctional Services Department said a hacker illegally accessed its internal Knowledge Management System on March 24, 2026 and then accessed another system containing personal data of about 6,800 current and former staff.
Centrum Medyczne Eskulap
March 24, 2026
•[ ransomware, medical records, encryption ]
Centrum Medyczne Eskulap reported that a ransomware attack on March 24, 2026 encrypted servers dedicated to patient services and blocked access to medical data and medical histories; reporting also said there was a high probability patient data may have been obtained before encryption, but no theft was confirmed.
Pick n Pay Stores Limited
March 23, 2026
•[ data breach, dark web, customer information ]
Pick n Pay confirmed a data breach involving customer information from an older version of its on-demand delivery platform, first known as Bottles and later Pick n Pay asap!. Reporting said the historical customer dataset had been offered for sale on a dark-web forum since March 23, 2026 and included names, contact details, residential addresses, dates of birth, partial payment-card information, encrypted passwords, and certain banking details. Public reporting did not identify the threat actor, encryption, data destruction, or operational disruption.
P3 Global Intel
March 18, 2026
•[ data breach, data leak, personally identifiable information ]
DataBreaches summarized reporting that hackers calling themselves The Internet YIFF Machine stole data from cloud-based tip and intelligence management company P3 Global Intel and provided it to DDoSecrets. The exposed dataset includes millions of tips and extensive personal data about people accused in tips, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers, and criminal histories. The platform is used by thousands of clients, including Crime Stoppers programs, local and federal law enforcement agencies, public schools, and the U.S. military, so the breach has broad downstream exposure across many organizations.
Police Nationale (France) training platform users
March 17, 2026
•[ data breach, hacking, government ]
01net reported that data relating to French police personnel was stolen after the e-campus training platform was hacked.
Roan and Eurocamp
March 16, 2026
•[ data breach, phishing, supply chain attack ]
Roan and Eurocamp disclosed that an unauthorized third party exploited a vulnerability in a third-party technology provider on March 16, 2026 and stole guest booking data later used in WhatsApp scam attempts; no encryption was reported.
Divine Skins
March 13, 2026
•[ data breach, unauthorised access, data leak ]
In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users.
Crunchyroll
March 12, 2026
•[ data breach, data leak, PII ]
In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP.
Telus Digital
March 12, 2026
•[ Data breach, Credential theft, Cloud security ]
Telus Digital confirmed a security incident after ShinyHunters claimed it stole nearly 1 petabyte of data in a multi-month breach. Reporting stated ShinyHunters said it gained initial access using Google Cloud Platform credentials found in data stolen in the Salesloft/Drift breach, and that Telus was not negotiating. At publication, Telus Digital had not been added to the actors leak site in the cited report, and specific data categories and affected individuals were not publicly enumerated in the DataBreaches summary.
Michelin
March 11, 2026
•[ data breach, zero-day exploitation, hacking campaign ]
Michelin confirmed it was impacted by the Oracle E-Business Suite (EBS) hacking campaign, which SecurityWeek reports was claimed by Cl0p and involved exploitation of an Oracle EBS zero-day. Michelin stated that hackers accessed some files, but said only a small, localized volume of data was affected and it contained no sensitive or technical IT information; the company also said there was no ransomware and no impact on its global systems, and that corrective actions were effective. SecurityWeek reported the cybercriminals publicly released more than 315GB of archives allegedly stolen from Michelin, with a file-tree review indicating at least some data originated from an Oracle EBS environment.
