Mexico City Civil Registry
February 26, 2026
•[ data leak, unauthorized access, exfiltration ]
Attackers gained unauthorized access to Mexican government civil registry databases and exfiltrated sensitive records. Stolen data reportedly includes birth certificate information and national identification numbers from Mexico Citys civil registry.
youX
February 15, 2026
•[ unauthorized access, data leak, exfiltration ]
youX (Australian finance technology platform) confirmed unauthorized access by a third party after a threat actor released data it claimed to have obtained during the incident. Public reporting said youX had flagged an IT security incident about a week earlier and that personal information may have been compromised. External threat reporting associated the incident with a large-scale exfiltration claim (hundreds of gigabytes) affecting borrowers and broker organizations, consistent with data-theft extortion behavior. The companys public statements centered on incident response actions, engagement with external experts, and regulatory notification while it worked to determine the precise scope and which individuals and organizations were impacted.
Nike
January 22, 2026
•[ ransomware, data leak, exfiltration ]
A ransomware group calling itself WorldLeaks (reported as a rebrand of Hunters International) claimed it breached Nike and began leaking data online. The groups leak-site posting dated January 22, 2026 alleged exfiltration of more than 1.4TB of files. A review of the leaked directory names suggested the exposed material primarily relates to product development and manufacturing operations, including design specifications and supplier-related operational documents, along with internal presentations and collaboration materials. Nike stated it was investigating the claims.
Hyatt
January 19, 2026
•[ ransomware, data leak, double-extortion ]
A ransomware group calling itself NightSpire publicly claimed on January 19, 2026 that it attacked Hyatt and exfiltrated 48.5GB of data originating from the Hyatt Place Chelsea New York hotel. The actors published samples that appeared to include internal company documents such as invoices, expense reports containing employee names, contact information, signatures, and partner company data, and researchers noted the sample list suggested possible exposure of employee credentials for internal tools (raising risk of further compromise). The posting indicated a free download link, consistent with double-extortion tactics where stolen data is leaked if negotiations fail. At the time of reporting, Hyatt had not publicly confirmed the breach and the claims remained unverified by the company.
CRRC MA
January 7, 2026
•[ credential theft, information-stealer malware, initial access broker ]
Reporting summarizing Hudson Rock research described an initial access broker believed to be an Iranian national operating under the aliases Zestix and Sentap who repeatedly accessed enterprise file repositories using credentials harvested by information-stealer malware (including RedLine, Lumma, and Vidar). Instead of exploiting a single company-specific vulnerability, the actor leveraged stolen usernames/passwords (some sitting in logs for years) to log into cloud/file-transfer environments lacking multi-factor authentication. The actor was described as exfiltrating large volumes of sensitive corporate data (examples referenced include aviation safety manuals, energy/utility mapping and infrastructure files, and medical/police-related records), then auctioning datasets or selling access on closed forums. Because the article describes a cross-victim pattern/campaign rather than one named-victim incident, this record is coded at the campaign level for a single-actor series of breaches.
SecretarÃÂa de Hacienda del Estado de Sonora
December 12, 2025
•[ data leak, unauthorized access, exfiltration ]
Mexican media reported unauthorized access to servers of the Secretara de Hacienda del Estado de Sonora in December 2025, during which the criminal group Chronus exfiltrated and leaked approximately 40GB of documents and databases. State authorities suspended online services as a preventive security measure while investigating the intrusion.
Greater Pittsburgh Orthopaedic Associates
August 10, 2025
•[ ransomware, data leak, exfiltration ]
Greater Pittsburgh Orthopaedic Associates identified anomalous network activity on August 10, 2025, and later disclosed that patient data was exposed; RansomHouse claimed it encrypted files and exfiltrated data from the network.
