University of Nottingham
June 9, 2026
•[ cyber attack, extortion, data leak ]
In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni".
BCD Travel
May 29, 2026
•[ extortion, data leak, data theft ]
In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets.
Charter
May 23, 2026
•[ extortion, data leak, ShinyHunters ]
In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.
DentaQuest
May 23, 2026
•[ data leak, extortion, healthcare ]
In May 2026, the dental benefits administrator DentaQuest was the target of a ShinyHunters "pay or leak" extortion campaign that resulted in the group publicly publishing hundreds of gigabytes of data allegedly obtained from the company. The data included 2.6M unique email addresses along with names, addresses and phone numbers. Much of the data appeared in healthcare enrollment files (ASC X12 transaction sets) with some containing Medicaid IDs, while additional data appeared in member records and related files. DentaQuest acknowledged "a cybersecurity incident involving unauthorized access to a limited portion of our network", and advised they had contained the attack and mitigated the threat.
Raise the Bottom
May 15, 2026
•[ substance use disorder treatment, addiction recovery, behavioral health services ]
Raise the Bottom, an Idaho substance use disorder treatment organization, was listed in a breach involving 57,507 indexed rows. DataBreach identified exposed names, email addresses, and phone numbers; BreachSense attributed the breach to CMD and described Raise the Bottom as an Idaho-based addiction recovery, counseling, and behavioral health services provider.
WholeHealth Chicago
May 15, 2026
•[ data leak, PII, cyberattack ]
Cmdorganization claimed responsibility for a cyberattack against WholeHealth Chicago on May 15, 2026. DataBreach later indexed 36,409 rows allegedly tied to the breach, including dates of birth, email addresses, phone numbers, and names. Public sources did not confirm file encryption, operational disruption, or a precise intrusion vector.
Cushman & Wakefield
May 3, 2026
•[ vishing, PII, data leak ]
Cushman & Wakefield confirmed a vishing-related security breach in May 2026 after ShinyHunters and Qilin separately listed the company. ShinyHunters claimed theft of more than 500,000 Salesforce records containing PII and internal corporate data and later reportedly published a 50GB Salesforce-linked dataset after negotiations failed. DataBreach indexed 2,198,033 rows associated with the breach. Public sources did not confirm encryption or operational disruption.
MiniMed Panamá
May 2, 2026
•[ data exposure, PII, plaintext credentials ]
MiniMed Panam was listed among the Panamanian health-sector platforms directly affected by data exposure in a Vecert Analyzer intelligence report cited by La Estrella de Panam. The incident was dated May 2, 2026, and outside OSINT reporting described roughly 400,000 exposed records associated with MiniMed, including a usersdata table with 74,233 records containing PII and plaintext credentials. Public reporting did not identify the threat actor, encryption, data destruction, or operational disruption.
Florida East Coast Railway
April 30, 2026
•[ data-extortion, data leak, PII ]
PayoutsKing claimed responsibility for a data-extortion attack against Florida East Coast Railway on April 30, 2026 and threatened to leak sensitive data unless negotiations were initiated. DataBreach.com later indexed 16,668 rows associated with the breach, including names, email addresses, and phone numbers. Public sources did not confirm successful encryption or operational disruption.
Advanta Genetics LLC
April 29, 2026
•[ data leak, healthcare, PII ]
Advanta Genetics LLC, a Texas clinical and molecular diagnostics laboratory, was listed by Aurora on April 29, 2026. Aurora claimed access to patient, provider, employee, financial, legal/regulatory, and proprietary company data. DataBreach.com indexed 280,802 rows containing Social Security numbers, birthdates, email addresses, phone numbers, names, and street addresses. Public reporting noted that Advanta had not confirmed the full scope of Aurora's claims and did not confirm encryption or operational disruption.
Instructure
April 29, 2026
•[ unauthorized access, data leak, PII ]
Instructure detected unauthorized access to part of its Canvas environment on April 29, 2026. The incident exposed user identifying information and messages from affected institutions; Instructure stated that core learning data, course content, submissions, credentials, passwords, dates of birth, government identifiers, and financial information were not compromised.
Udemy, Inc.
April 24, 2026
•[ data leak, extortion, ShinyHunters ]
ShinyHunters listed Udemy in a pay-or-leak extortion attempt on April 24, 2026 and subsequently leaked data containing 1.4 million unique email addresses belonging to customers and instructors, along with names, physical addresses, phone numbers, employer information, and instructor payout methods. Public reporting did not confirm encryption, deletion, or operational disruption.
Aman
April 20, 2026
•[ extortion, data leak, CRM breach ]
In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
Aman Resorts
April 18, 2026
•[ extortion, data leak, PII ]
ShinyHunters named Aman Resorts in an April 2026 pay-or-leak extortion campaign and claimed compromise of over 500,000 Salesforce CRM records containing PII. DataBreach indexed 294,871 rows, while Have I Been Pwned reported over 200,000 unique email addresses and said the leaked data also included names, phone numbers, physical addresses, dates of birth, nationalities, spouse names, and VIP status codes. Public sources did not confirm encryption, data destruction, or operational disruption.
Kemper
April 15, 2026
•[ ransomware, social engineering, extortion ]
In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Among the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement.
Council of Engineers Thailand
April 15, 2026
•[ data breach, personal information, database security ]
A hacker breached the Council of Engineers Thailand member database while data was being transferred between servers, stealing personal information of approximately 350,000 engineers.
City of Ardmore
April 8, 2026
•[ ransomware, phishing, data leak ]
On April 8, 2026, ransomware encrypted Ardmore police/internal servers after a phishing email; the incident was contained within hours, and information tied to criminal complaints and investigations, including names, addresses, and phone numbers, may have been exposed.
7-Eleven
April 8, 2026
•[ extortion, data leak, ShinyHunters ]
In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields. The company later advised the breach was limited to "certain 7-Eleven systems used to store franchisee documents", a statement consistent with the exposed data.
LegionProxy
April 6, 2026
•[ data breach, email addresses, password hashes ]
In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.
The McLamb Group, Inc.
April 6, 2026
•[ data leak, PII, Social Security numbers ]
PEAR claimed The McLamb Group, Inc. on its leak site with an estimated attack date of April 6, 2026. DataBreach indexed 124,203 rows and listed exposed fields including Social Security numbers, dates of birth, email addresses, phone numbers, names, and street addresses. Public reporting did not confirm encryption, data destruction, attacker-caused operational disruption, or the exact intrusion vector.
