Last updated: July 5, 2026 at 9:01 AM UTC

Kodak confirms breach as ShinyHunters claims 2.2 million stolen records

Eastman Kodak has confirmed that an unauthorized third party gained temporary access to a limited amount of company data, after the extortion group ShinyHunters listed the firm on its dark-web leak site. ShinyHunters claims it stole more than 2.2 million records containing customer personal information and internal corporate data, and set a leak deadline of June 18, though it has released no proof and Kodak has not verified the figure. Kodak, now mainly a B2B manufacturing and technology company, says it engaged outside experts and law enforcement and sees no threat to operations. The breach fits ShinyHunters' prolific 2026 data-theft campaign.

Check
Kodak's business customers and partners should watch for targeted phishing and business email compromise referencing Kodak dealings, and verify any unexpected payment or account-change requests through known contacts.
Affected
Kodak customers and partners whose personal or corporate data may sit in the stolen records; ShinyHunters claims 2.2 million records, a figure Kodak has not confirmed and the group has not substantiated.
Fix
Watch for fraud and phishing tied to the breach, reset and stop reusing any Kodak-related credentials, and enable phishing-resistant MFA. Organizations should harden help-desk verification against social-engineering-driven data theft.

HIBP confirms 248,000 accounts from ShinyHunters breach of advisory firm CFGI

Have I Been Pwned has added 248,235 accounts from the March breach of CFGI, a US accounting and financial-advisory firm that works closely with corporate finance teams at mid-market and Fortune 500 companies. The extortion group ShinyHunters claimed the intrusion, posting hundreds of thousands of records including names, emails, phone numbers, and home addresses, along with internal corporate documents and identity-system metadata. Because CFGI sits inside its clients' finance functions, the stolen contact and relationship data is unusually useful for convincing business email compromise and client-impersonation scams aimed at authorizing fraudulent payments.

Check
If you work with or for CFGI, check Have I Been Pwned for your email and watch for finance-themed phishing, fake wire instructions, or audit-document requests referencing CFGI.
Affected
CFGI employees, clients, and contacts whose personal and corporate data was exposed (248,235 accounts confirmed); the firm's finance-function clients face elevated business email compromise risk.
Fix
Reset and stop reusing CFGI-related credentials, enable phishing-resistant MFA, and verify any unexpected payment, wire, or account-change request through a known, pre-established voice channel rather than email links.

Cardiac monitoring firm iRhythm says patient health data stolen in attack

iRhythm, the US digital-health company behind the Zio wearable heart monitor, has told regulators that attackers stole patient data in a breach it considers material. In an SEC filing, the company said it detected unauthorized activity on June 8 in third-party-hosted business applications, accessed through a social-engineering attack, and received an extortion demand the next day from a threat actor claiming to hold proprietary data, protected health information, and other personal data. iRhythm says its clinical systems, medical devices, patient safety, and operations were not affected, with no payment-card or financial data involved. No ransomware group has publicly claimed the attack, and the number of affected people is not yet known.

Check
Healthcare and other organizations should review how third-party-hosted business applications are secured and monitored, and confirm that help desks and staff can resist social-engineering attempts to grant access.
Affected
iRhythm patients and others whose protected health information and personal data sat in the affected third-party business applications; clinical systems, devices, and financial data were reportedly not involved.
Fix
Enforce phishing-resistant MFA and strong identity verification on third-party SaaS, limit and log access to systems holding health data, and rehearse social-engineering scenarios with staff and help-desk teams.

56 million accounts surface in latest infostealer log compilation

Breach-tracking service Have I Been Pwned has added a fresh batch of stealer logs covering 56,278,397 accounts, harvested by infostealer malware from infected computers. Unlike a single company breach, stealer logs are credentials and session data scraped directly from victims' devices, often capturing the exact website-and-password pairs a person types, plus browser cookies that can let attackers skip login entirely. Because the data comes from malware on individual machines, exposure cuts across countless unrelated services. The scale is a reminder that infostealer infections, frequently spread through cracked software, malicious ads, and fake downloads, remain one of the biggest sources of credential theft.

Check
Check whether your email or your organization's domains appear in Have I Been Pwned's stealer-log dataset, and look for signs of infostealer infection such as unexpected logins or browser-session anomalies.
Affected
Anyone whose device was infected by infostealer malware; exposed data includes saved website passwords and browser session cookies that can bypass logins across many unrelated services.
Fix
Reset passwords for exposed accounts from a clean device, invalidate active sessions, enable phishing-resistant MFA, and run endpoint malware scans to find and remove the underlying infostealer.

ShinyHunters breach of Berkadia exposes 305,000 in real estate finance

Breach-tracking service Have I Been Pwned has confirmed that 305,216 accounts were exposed in the March attack on Berkadia, a large US commercial real estate finance firm that handles mortgage banking and investment sales. The extortion group ShinyHunters claimed the intrusion, saying it stole millions of Salesforce records containing personal and internal corporate data, around 27GB compressed, and threatened to leak them after the company did not meet its deadline. The breach is part of a broad ShinyHunters campaign this year against companies' Salesforce environments, typically entered by socially engineering employees or help desks rather than exploiting a software flaw.

Check
If you work with or for Berkadia, check whether your email appears in Have I Been Pwned and watch for targeted phishing referencing mortgage, loan, or real estate dealings.
Affected
Berkadia clients, partners, and staff whose personal and business data sat in the breached Salesforce records (305,216 accounts confirmed); the broader ShinyHunters campaign targets corporate Salesforce tenants.
Fix
Reset and stop reusing any passwords tied to Berkadia dealings and enable phishing-resistant MFA. Organizations should lock down Salesforce access, restrict bulk exports, and harden help-desk identity verification.

K-12 platform Infinite Campus breach confirmed, 137,000 student-linked accounts

Have I Been Pwned has confirmed 137,123 accounts exposed in a breach of Infinite Campus, a widely used K-12 student information system in the US. The extortion group ShinyHunters claimed the attack back in March, posting that it had stolen personal data and internal corporate information. Because student information systems hold sensitive records on minors and their families, exposed data raises the risk of identity theft and highly targeted phishing aimed at parents, students, and school staff. The incident fits the same ShinyHunters data-theft pattern seen across the education sector this year, including the much larger Canvas breach.

Check
School districts using Infinite Campus should confirm whether their tenant was affected and notify families; individuals should watch for phishing or fraud referencing schools, student accounts, or enrollment.
Affected
Students, parents, and school staff whose data is held in affected Infinite Campus deployments (137,123 accounts confirmed); minors' records carry long-term identity-theft risk.
Fix
Reset exposed credentials, enable MFA on school and family accounts, and brief parents and staff to verify any school-related message before clicking. Districts should review SaaS access controls and export limits.

Iran-linked Handala steals data from California water utility Cal Water

The Iran-linked group Handala claims it breached California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a 5GB sample to prove it. Analysts say the attackers reached a customer billing database holding personal data (names, addresses, account and payment details) and an internal GPS-correction server, leaking administrative credentials in the process. Handala framed the attack as retaliation for US actions against Iran and boasted it could disrupt water supply, but researchers stress that the evidence does not support that claim: neither system controls water treatment, and the group is known to exaggerate. Cal Water has not yet publicly confirmed the incident.

Check
Water and other critical-infrastructure operators should verify strict isolation between IT and operational-technology networks, and review access logs and exposed credentials on internet-facing billing and GPS or telemetry systems.
Affected
California Water Service customers whose billing data was exposed, and the utility's internal GPS-correction systems; the broader US water sector faces heightened Iran-linked targeting per CISA warnings.
Fix
Rotate all exposed credentials and take the affected GPS server offline to audit it, enforce phishing-resistant MFA on privileged accounts, segment IT from OT, and report to CISA and WaterISAC.

Novo Nordisk says clinical trial patient data stolen in breach

Novo Nordisk, the pharmaceutical giant behind Wegovy and Ozempic, has disclosed that attackers copied data from its internal IT systems, including information on patients in some of its clinical trials. The company stressed the patient data was de-identified, containing fields like patient ID, year of birth, sex, biomarkers, and lifestyle factors rather than names or direct identifiers. Novo has not said how many people are affected or named the attacker, and is not offering credit monitoring, instead advising patients and healthcare professionals to stay alert for unexpected messages or calls. Pharma firms are increasingly targeted for their valuable research and patient data.

Check
Patients in Novo Nordisk trials and contacted healthcare professionals should watch for unexpected calls or messages referencing the company or a trial, and verify any such contact through official channels.
Affected
Patients in some Novo Nordisk clinical trials whose de-identified data (patient ID, year of birth, sex, biomarkers, lifestyle factors) was copied, plus healthcare professionals the company has contacted.
Fix
There is no direct user fix; stay alert for targeted phishing referencing the breach. Pharma and research organizations should tighten access controls, monitoring, and segmentation around trial and research data stores.

French government messenger Tchap breached, hitting 73,000 public servants

France's government messaging platform Tchap, the in-house, Matrix-based app that civil servants are required to use instead of WhatsApp or Signal, was breached after a threat actor hijacked a single user account, with no software exploit needed. The cyber agency ANSSI detected it on June 7. Officials say data tied to about 73,000 accounts, roughly 9 percent of users, was exposed: the attacker scraped everything shared in public chat rooms, which are not encrypted, while private end-to-end conversations stayed protected. The haul includes over 13.5GB of documents and media plus hardcoded LDAP credentials leaked in a PowerShell script. Entry was via the education ministry's server.

Check
Review what your organization shares in unencrypted public or group chat channels, and scan scripts and config files for hardcoded credentials like the LDAP secret exposed in this breach.
Affected
Around 73,000 French public-sector Tchap accounts; data posted in unencrypted public chat rooms was exposed, while end-to-end-encrypted private conversations were not. The entry point was one hijacked account.
Fix
Enforce phishing-resistant MFA so single accounts cannot be hijacked, remove hardcoded credentials from scripts, treat public chat rooms as non-confidential, and monitor for bulk data access across collaboration platforms.

Japanese utility Kyushu Electric loses drive holding 10.9 million customer records

Kyushu Electric Power, one of Japan's largest utilities, has disclosed a physical security incident: a storage drive containing the personal data of more than 10.9 million customers went missing. Because the exposure stems from lost media rather than a network intrusion, the risk depends largely on whether the drive was encrypted, a detail that determines whether the data is readable by whoever finds it. The incident is a reminder that data-governance failures, like unencrypted or poorly tracked portable storage, can expose as many records as a sophisticated hack. Affected customers should watch for fraud and phishing attempts referencing their utility account.

Check
Kyushu Electric customers should watch statements and inboxes for fraud or phishing referencing their utility account; organizations should audit how portable drives holding personal data are encrypted and tracked.
Affected
More than 10.9 million Kyushu Electric Power customers whose personal data was stored on the missing drive; exposure severity depends on whether that storage was encrypted.
Fix
Encrypt all portable and removable media holding personal data, maintain strict chain-of-custody and inventory for such drives, and minimize the data placed on movable storage in the first place.