Udemy
April 24, 2026
•[ data leak, extortion, cybercrime ]
In April 2026, online training company Udemy was the victim of a pay or leak extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.
Pitney Bowes
April 20, 2026
•[ extortion, data leak, hacking collective ]
In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.
Eholo Health
March 30, 2026
•[ data leak, vulnerability exploitation, medical records ]
XP95 claimed it stole 165 GB of data from Eholo Health, including more than 1.1 million medical notes and personal information tied to 601,308 users, after exploiting a vulnerability in the company's systems.
Liberty
March 23, 2026
•[ unauthorized access, data leak, personal information ]
Liberty notified customers that unauthorized access to personal information had occurred and said the exposed data included names, surnames, and identity numbers, while policies, investments, and services remained secure and operational.
Le Centre national des œuvres universitaires et scolaires
March 23, 2026
•[ data leak, data exfiltration, personal information ]
The Cnous said data was exfiltrated from its mesrdv.etudiant.gouv.fr appointment platform, exposing personal information from student social-services and housing appointments taken over the past ten years.
COMPAS (French Ministry of Education)
March 15, 2026
•[ data leak, intrusion, personal information ]
An intrusion into the French Education Ministry's COMPAS system exposed personal information linked to approximately 243,000 trainees and permanent education staff.
SUCCESS
March 4, 2026
•[ data breach, personal information, password hashes ]
In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS' disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors.
Lovora
February 25, 2026
•[ data breach, personal information, email addresses ]
In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users' display names and profile photos, along with other personal information collected through use of the app. The app's maker, Plantake, did not respond to multiple attempts to contact them about the incident.
youX
February 15, 2026
•[ unauthorized access, data leak, exfiltration ]
youX (Australian finance technology platform) confirmed unauthorized access by a third party after a threat actor released data it claimed to have obtained during the incident. Public reporting said youX had flagged an IT security incident about a week earlier and that personal information may have been compromised. External threat reporting associated the incident with a large-scale exfiltration claim (hundreds of gigabytes) affecting borrowers and broker organizations, consistent with data-theft extortion behavior. The company's public statements centered on incident response actions, engagement with external experts, and regulatory notification while it worked to determine the precise scope and which individuals and organizations were impacted.
Cloud Imperium Games (CIG)
January 21, 2026
•[ unauthorized access, data breach, personal information ]
Cloud Imperium Games disclosed that on January 21, 2026 it was targeted by a sophisticated attack that resulted in unauthorized access to some backup systems with limited access to users' basic account details. The company said impacted data included metadata, contact details, username, date of birth, and name. It stated the access was read-only and that no passwords or financial/payment information were stored in or accessible from the affected systems, and it had no indication the data had been leaked publicly at the time of disclosure.
Zealthy
January 16, 2026
•[ data leak, health information, personal information ]
Records advertised as Zealthy data were offered for sale online in January 2026, with sample files showing patient personal and health information; Zealthy had not publicly confirmed the incident in the reporting reviewed.
ICE List site
January 13, 2026
•[ denial-of-service attack, data leak, personal information ]
A website known as ICE List, operated by Netherlands-based immigration activist Dominick Skinner and described as dedicated to leaking personal information about U.S. immigration and border personnel, went offline following a denial-of-service attack on the evening of January 13, 2026. Reporting said the outage occurred shortly after media coverage that Skinner planned to publish additional personal data allegedly obtained from a whistleblower. Skinner stated it was only possible to speculate on who directed the attack but claimed a large amount of traffic appeared to come from Russia, consistent with bot traffic intended to overwhelm the site and disrupt access.
Tokyo FM Broadcasting Co., LTD
January 1, 2026
•[ data leak, personal information, telemetry ]
HackRead reported that on January 1, 2026 an actor using the alias "victim" claimed to have breached Tokyo FM's private computer systems and stolen data exceeding three million records. The stolen dataset was described as containing personal details (full names, birthdays, email addresses) plus technical telemetry (IP addresses and user-agent strings). The actor also claimed to have obtained internal system login IDs and information related to individuals' jobs. The report emphasized that the claim was listed as pending verification at the time of publication, but Tokyo FM was described as investigating the allegation.
WhiteDate
December 29, 2025
•[ data breach, data leak, personal information ]
In December 2025, the dating website "for a Europid vision" WhiteDate suffered a data breach that was subsequently leaked online, initially exposing 6.1k unique email addresses. The leaked data included extensive personal information such as physical appearance, income, education and IQ. A more comprehensive dataset was later provided to HIBP, containing usernames, IP addresses, private messages, phpBB password hashes and a total of 20k unique email addresses.
Charlottesville Settlement Company
September 1, 2025
•[ data breach, network intrusion, data theft ]
WVIR (29News) reported that Charlottesville Settlement Company disclosed a September 2025 data breach that was discovered on March 10, 2026 and communicated to affected individuals in a letter dated March 18. The company said an unknown actor broke into its network and stole customers' personal information, impacting 22,041 customers. The firm provides title insurance and settlement services for real estate transactions. The report did not enumerate specific data elements stolen, but stated affected individuals were offered credit monitoring and reimbursement coverage.
Elmcrest Children’s Center, Inc.
August 12, 2025
•[ unauthorized access, data leak, health information ]
Elmcrest Children’s Center, Inc. detected unauthorized access to its computer network on August 12, 2025. The investigation determined that files containing information for approximately 23,500 individuals were accessed, including names, addresses, dates of birth, treatment details, and insurance information.
Murex Petroleum Corporation
May 27, 2025
•[ unauthorized access, data breach, personal information ]
Unauthorized access to Murex Petroleum Corporation systems resulted in the access and acquisition of certain individuals' personal information, as disclosed in a regulatory filing with the New Hampshire Department of Justice.
CFD Investments, Inc.
March 15, 2025
•[ unauthorized access, email account compromise, data leak ]
Unauthorized access to an employee email account at CFD Investments, Inc. resulted in exposure of client personal and financial information between March 15 and May 9, 2025; affected individuals were notified beginning January 28, 2026.
Woodfords Family Services
April 8, 2024
•[ unauthorized access, personal information, protected health information ]
Woodfords Family Services reported that after discovering suspicious activity in its network on April 8, 2024, it determined that certain files and folders were subject to unauthorized access and that personal and protected health information may have been compromised.
MinnesotaWorks.net
September 6, 2023
•[ unauthorized access, data leak, insider threat ]
The Department of Employment and Economic Development (DEED) in Minnesota notifies jobseekers of a data breach involving unauthorized access to their personal information at the MinnesotaWorks.net platform, after a person claiming to be an employee allegedly viewed and copied user resume information without authorization.