High Data Breaches

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak . The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M uniqu...

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service,...

In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users . The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the conten...

In February, the AI-powered comic generation platform KomikoAI suffered a data breach . The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt . Following the incident, 1M records containing 317k unique email addresses were published, with the attackers threatening to leak additional data in the following days. That threat was subsequently ...

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online . The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and at...

In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum . In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.

In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand , largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k uniqu...

In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.

In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publicatio...

In January 2026, Panera Bread suffered a data breach that exposed 14M records . After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Pa...

In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum . Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physic...

In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online . The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number,...

In August 2020, news broke of a data breach of Russian airline Utair that dated back to the previous year . The breach contained over 400k unique email addresses along with extensive personal information including names, physical addresses, dates of birth, passport numbers and loyalty program detail...

In April 2022, Russian pharmaceutical company Gemotest suffered a data breach that exposed 31 million patients . The data contained 6.3 million unique email addresses along with names, physical addresses, dates of birth, passport and insurance numbers. Gemotest was later fined for the breach.

In March 2025, the French vehicle inspection company AUTOSUR suffered a data breach exposing over 10M customer records, though only 487k unique email addresses were present. The compromised data included names, phone numbers, physical addresses, and vehicle details such as make and model, VIN, and r...