Undisclosed Middle East entity
February 24, 2026
•[ ransomware, cyberattack, data breach ]
Symantec and Carbon Black linked Lazarus to a Medusa ransomware attack against an undisclosed Middle East entity; the same reporting noted an unsuccessful attempt against a U.S. healthcare organization, which is not coded here as a successful event.
Quitbro
February 17, 2026
•[ data breach, data leak, PII ]
In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users years of birth, responses to questions within the app and their last recorded relapse time. The apps maker, Plantake, did not respond to multiple attempts to contact them about the incident.
CarGurus
February 14, 2026
•[ data breach, extortion, data leak ]
In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.
Washington Hotel chain (Fujita Kanko)
February 13, 2026
•[ ransomware, unauthorized access, point-of-sale system issues ]
A ransomware incident impacted the Washington Hotel chain in Japan, with Fujita Kanko reporting that unauthorized access to some servers was detected on February 13, 2026. The company said it took protective measures to cut off attacker access, formed an internal task force, and engaged police and outside cybersecurity experts. The company confirmed unauthorized access to business data on servers, while stating customer information tied to the external Washington Net system was believed unaffected at the time. Some hotels experienced point-of-sale system issues, but the company reported no major business disruption overall.
EBR Systems
February 13, 2026
•[ network disruption, unauthorized access, patient health data ]
EBR Systems experienced a network disruption around February 13, 2026 and later determined that certain information stored on its network, including a limited amount of patient health data, was subject to unauthorized access; the incident was contained and did not cause material business disruption.
CarGurus
February 13, 2026
•[ data breach, social engineering, vishing ]
TechRadar reported that ShinyHunters claimed to have breached CarGurus and stolen about 1.7 million corporate records, threatening to release the data by a stated deadline. The report linked the claim to a broader wave of social-engineering vishing attacks used to obtain employee credentials/MFA codes and then access SSO dashboards (Okta/Entra/Google) and downstream applications. At the time of reporting in the article, CarGurus had not publicly confirmed the breach details, the precise intrusion window, or exactly what categories of data were taken beyond the actors claim, so this record reflects an alleged data-theft event pending independent confirmation.
Odido
February 12, 2026
•[ data breach, extortion, PII ]
In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, drivers licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers.
Odido
February 12, 2026
•[ data breach, extortion, data leak ]
In February 2026, the Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Following the incident, 1M records containing 317k unique email addresses was published publicly, with a threat by the attackers to continue leaking more data in the following days. The data also included names, physical addresses, phone numbers, bank account numbers and notes about customers left by service operators. Odido has published a disclosure notice detailing the extent of the incident, providing an FAQ and advising the incident also impacted dates of birth, passport and drivers licence numbers.
Odido
February 12, 2026
•[ data breach, extortion, data leak ]
In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, 1M records containing 317k unique email addresses were published, followed by further releases exposing an additional 371k and then 833k unique email addresses, with the latter also including passport, drivers licence and European national ID numbers. The exposed data includes names, physical addresses, phone numbers, bank account numbers and customer service notes. Odido has published a disclosure notice advising that impacted data may also include dates of birth and government-issued identity document numbers.
Nippon Medical School Musashi Kosugi Hospital (日本医科大å¦æ¦è”µå°æ‰ç—…院)
February 6, 2026
•[ ransomware, data breach, healthcare ]
Japans Nippon Medical School Musashi Kosugi Hospital disclosed it suffered a ransomware attack after nurse-call terminals malfunctioned and investigation found its nurse-call system servers were attacked. The hospital stated patient personal information stored on the nurse-call system servers was stolen and that the intrusion path was tied to a maintenance VPN device. Public reporting in Japan said attackers demanded a large ransom (reported internationally as about $100 million). The hospital stated it would not comply with the ransom demand and reported that clinical services continued while investigation and recovery actions proceeded.
National Supercomputing Center (NSCC) Tianjin
February 6, 2026
•[ data breach, military, aerospace ]
FlamingChina claimed to have breached the National Supercomputing Center in Tianjin and offered for sale more than 10 petabytes of allegedly stolen data, including claimed military, aerospace, research, and client datasets; the breach was not confirmed by NSCC Tianjin, but experts who reviewed samples said they appeared consistent with data expected from the facility.
Beacon Mutual Insurance Co.
February 6, 2026
•[ ransomware, data breach, workers' compensation ]
Insurance Journal reported that Rhode Island-based workers compensation insurer Beacon Mutual experienced a ransomware attack and was working to determine what information and which individuals may have been affected. The report indicates an active investigation and response effort, but does not provide a confirmed data-type list, count of affected individuals, or a detailed timeline of intrusion and restoration in the excerpt available.
Conpet
February 4, 2026
•[ cyberattack, ransomware, data breach ]
Romanias national oil pipeline operator Conpet said a cyberattack disrupted parts of its technology infrastructure and knocked its website offline earlier in the week, while operational technology systems (including SCADA and telecoms) remained functional and oil transport operations were not affected. Conpet did not confirm a data breach or name the attacker, but the Qilin ransomware group listed Conpet on its leak site and claimed to have stolen nearly one terabyte of data, publishing images of alleged internal documents, financial records, and passport scans. Conpet said it took immediate mitigation steps, worked with national cybersecurity authorities, and filed a criminal complaint.
Olympique de Marseille
February 1, 2026
•[ cyberattack, data leak, data breach ]
Olympique de Marseille confirmed a cyberattack after a threat actor claimed to have breached club systems earlier in February and leaked samples of staff and supporter data online.
Association Nationale des Premiers Secours
January 30, 2026
•[ data breach, PII, legacy system ]
In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum. The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the incident was traced back to a legacy system and did not impact health data, financial information or passwords.
Ttareungyi (Seoul public bike-sharing service)
January 30, 2026
•[ data breach, PII exposure, data leak ]
Approximately 4500000 user records including user IDs and mobile phone numbers were exposed in a data breach affecting Seouls public bike-sharing service Ttareungyi; authorities stated the timing of the exposure was under investigation, and no attacker attribution had been confirmed at the time of reporting.
Valtori (Finnish Government ICT Centre) mobile device management service
January 30, 2026
•[ data breach, mobile device management, zero-day vulnerability ]
Valtori reported a data breach identified on January 30, 2026 in the mobile device management service it provides to Finlands government shared ICT services. Valtori said the attacker accessed information used to operate the service, including names, work email addresses, phone numbers, and device details, and that investigation later found the scope could involve a substantially larger number of users (about 50,000). Valtori stated no data stored directly on mobile devices was compromised. The root cause was described as exploitation of a zero-day vulnerability in a commercial mobile management product, compounded by the systems failure to permanently delete historical data.
Multiple organizations with exposed MongoDB databases
January 30, 2026
•[ MongoDB, data breach, ransomware ]
A threat actor actively accessed, queried, and ransacked more than 1400 publicly exposed MongoDB application servers, exfiltrating data and leaving ransom notes demanding payment in exchange for deletion or non-disclosure of the stolen information.
Edmunds
January 24, 2026
•[ data breach, ShinyHunters, PII ]
In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone numbers and vehicle-related records.
CarMax
January 24, 2026
•[ data breach, extortion, data leak ]
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
