The extortion group ShinyHunters has published data stolen from Madison Square Garden Sports, owner of the New York Knicks and Rangers, after the company did not pay. Have I Been Pwned indexed 9,796,738 unique email addresses spanning staff and customers, alongside extensive personal, employment, and customer-relationship records including names, addresses, phone numbers, and some dates of birth. Reporting on the leak describes an internal "Talent" file profiling former players, executives' family members, and celebrities, in some cases with so-called threat assessments. The intrusion reportedly began with voice-phishing of staff, the same social-engineering pattern behind ShinyHunters' wider 2026 campaign against large enterprises.
Bajaj Auto, one of India's largest makers of motorcycles and three-wheelers, has disclosed a ransomware attack that hit its systems and those of its wholly owned subsidiary Bajaj Auto Technology Limited on the morning of June 23. In a regulatory filing, the company said its technical team and outside experts responded quickly and that containment measures have so far been effective. Bajaj Auto has not disclosed the ransomware strain, whether data was stolen, or whether production was affected, and reported the incident to India's CERT-In. Its shares fell more than 2 percent, and the attack follows a separate breach at Tata Electronics.
Xsolis, a US healthcare technology company whose AI software is used by more than 600 hospitals and insurers for utilization management and reimbursement decisions, has disclosed a breach affecting 1,396,519 people. Attackers got in through a targeted phishing attack on an employee in January, accessing files containing patient data Xsolis handles for its clients. The exposed information includes names, dates of birth, addresses, Social Security numbers, health insurance details, and medical treatment information. Because Xsolis is a vendor, affected individuals may never have dealt with it directly; downstream health systems including Mayo Clinic are among those whose patients are impacted.
Tata Electronics, the Indian manufacturer that assembles roughly a third of Apple's iPhones in India, has confirmed a cyberattack affecting part of its IT systems after the extortion group World Leaks began leaking stolen data. The group claims to have taken around 200,000 files, including confidential Apple and Tesla manufacturing and component design documents, internal emails, years of event logs, and copies of employee passports, some belonging to foreign nationals. Researchers say the data has been on the dark web since at least June 10, and a ransom was demanded. World Leaks, a rebrand of the Hunters International group, also claimed breaches at Nike and Dell.
An attacker drained the well-known Ethereum trading bot JaredFromSubway by patiently baiting it into a trap rather than exploiting a software bug. Over several weeks, the attacker deployed 66 fake token contracts and sham liquidity pools mimicking WETH, USDC, and USDT, structured so the bot's automated logic treated them as profitable opportunities and granted token-spending approvals to attacker-controlled contracts. Later trades left those approvals active, and a single transaction then swept the bot's real funds. Security firms estimate the loss near $7.5 million, while the operator claims around $15 million. It is a reminder that standing token approvals in automated systems are dangerous even when the underlying contracts are sound.
The Texas Parks and Wildlife Department says a breach at the third-party vendor that runs its hunting and fishing license sales exposed personal data for 3,087,721 customers, in what officials call the state's largest government data breach this year. The exposed information includes driver's license details, passport numbers where provided, email addresses, phone numbers, and home addresses; the department says Social Security numbers, dates of birth, and financial data were not taken. Texas Cyber Command detected the intrusion, which reached customer profile data through the vendor's systems. Because driver's license and passport numbers cannot be reset, affected people face lasting identity-theft and phishing risk.
Have I Been Pwned has added 139,903 accounts from a breach of fashion brand Ralph Lauren, which the extortion group ShinyHunters claimed as part of its sweeping 2026 campaign against retail and luxury names. ShinyHunters says it took around 220 GB of data, including customer personal information, purchase histories, and financial transaction details, along with unreleased product and strategy plans. The group typically breaks in not through a brand's core systems but via connected platforms like Salesforce or customer-service tools. Exposed purchase and contact data is prime material for convincing phishing and fraud aimed at the retailer's customers.
Have I Been Pwned has added 368,418 accounts from a breach of JCPenney, after the extortion group ShinyHunters claimed in mid-June it stole data from the retailer and several sister brands under Catalyst Brands and Authentic Brands Group. ShinyHunters says the haul includes highly sensitive employee and customer data: Social Security numbers, dates of birth, W-2 tax forms, payroll records, and scans of government-issued IDs. Unlike passwords, these identifiers cannot simply be reset, raising long-term identity-theft and tax-fraud risk. JCPenney has not confirmed the full scope, and the group has not published samples, but the data types make this a serious exposure.
Cybernews researchers found an unprotected Elasticsearch database holding 24 billion records and over 8 terabytes of data, most of it infostealer logs: stolen usernames, passwords, and the services they unlock. The collection also pulls from Telegram channels and older breach dumps. Oddly, it included thousands of records tracking CVE vulnerabilities, breach news articles, and social-media posts about cyber incidents, with content as recent as 2026, suggesting the owner is actively curating and refreshing the stash with new leaks. The researchers could not determine how many records are duplicates, how old the data is, or who owns it.
Nintendo of America has confirmed that attackers stole internal employee data through TinyPulse, a third-party employee-survey service run by WebMD Health Services, after a threat actor calling itself SHADOWBYT3$ posted the haul and demanded a $2 million ransom. Nintendo says its own systems were not breached, no customer or financial data was touched, and the exposure is limited to internal survey content for a small subset of employees, mostly several years old. The attacker, however, claims to hold more, including bank statements and tax forms. The incident is a textbook third-party vendor breach affecting a major brand.