data breach

South Korean e-commerce giant Coupang confirmed an additional 165,000 user accounts were exposed in the massive data breach affecting 33.7 million total accounts, triggered by a former employee using valid authentication keys.

The ShinyHunters cybercriminal group published stolen data from Harvard University and the University of Pennsylvania after ransom demands went unpaid, exposing over 2 million alumni, donor, and student records.

NationStates shut down its site after a vulnerability reporter chained input sanitization flaws to achieve remote code execution, copying user emails, password hashes, and IP addresses.

The Russian-speaking Qilin ransomware group listed Tulsa International Airport as a victim, leaking financial documents, employee IDs, and executive communications in the aviation sector's first reported attack of 2026.

ShinyHunters stole 10 million records from Match Group dating platforms via a vishing attack that compromised Okta SSO credentials. The breach exposed user advertising IDs, IP addresses, and dating profile content.

ShinyHunters breached Crunchbase via Okta voice phishing, exfiltrating over 2 million records. The attack was part of a broader campaign targeting approximately 100 organizations using real-time SSO phishing kits.

The WorldLeaks extortion group published 1.4TB of Nike intellectual property including product designs, tech packs, and manufacturing documents spanning 2020-2026 after the company didn't pay.

Cybernews researchers discovered a massive Elasticsearch cluster containing national IDs, passwords, and personal data of hundreds of millions of Chinese citizens, hosted on bulletproof infrastructure and accessible for three weeks.

The Everest ransomware group leaked 72.7 million Under Armour customer records including emails, names, dates of birth, purchase history, and loyalty program details after the company didn't pay.

A former ShinyHunters member leaked the BreachForums user database with 324,000 accounts, including usernames, emails, password hashes, and 70,000 IP addresses. Law enforcement interest is likely.

Exposed API tokens in Disputifier's frontend allowed attackers to process unauthorized refunds and exfiltrate data from Shopify merchants. The app was delisted after the company allegedly refused bug bounty negotiations.

A threat actor using the alias '888' exfiltrated 200GB+ from ESA systems including Bitbucket repositories, API tokens, and contractor data from SpaceX, Airbus, and Thales. Criminal probe initiated.

A record merge error during a system enhancement exposed member PHI through Blue Shield's member portal. The October 2025 incident was disclosed in January 2026 under HIPAA requirements.

TridentLocker claims to have stolen 3.4GB from Sedgwick Government Solutions, which provides claims services to DHS, ICE, CBP, DOL, and CISA. The attack targeted an isolated file transfer system.

Extortion group Crimson Collective claims to have stolen data on over 1 million Brightspeed customers, including PII, billing details, and payment information. A class-action lawsuit has been filed.