Last updated: July 5, 2026 at 9:01 AM UTC

ShinyHunters publishes Charter Communications data after failed extortion - up to 5 million customer records now leaked, not just claimed

The ShinyHunters extortion group has now published the Charter Communications data it stole, after the telecom giant apparently refused to pay. Earlier reporting put the breach at 4.9 million HIBP-confirmed unique accounts; ShinyHunters' leak is described as potentially impacting up to 5 million customers. Charter is one of the largest US telecoms, providing internet, cable, mobile, and phone services to residential and business customers under the Spectrum brand. The data was originally exfiltrated via voice-phishing of a Microsoft Entra account on April 1 and a Salesforce export. With the data now public rather than merely claimed, the phishing and identity-theft risk to affected customers rises sharply.

Check
If you are a Charter/Spectrum customer or vendor, treat the leaked dataset as public now. Watch for Spectrum-themed phishing and account-recovery fraud over the next 60-90 days.
Affected
Up to 5 million Charter/Spectrum customers whose records are now publicly leaked, not just claimed. Names, contact details, and plan information enable targeted phishing and impersonation.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter contacts. Organizations: refresh breach-monitoring watchlists and brief help desks against Charter-themed social engineering.

ShinyHunters Charter Communications breach hit 4.9 million unique accounts (42M records claimed) - HIBP confirms scale

HIBP has confirmed 4.9 million unique accounts (4,851,517 email addresses) were affected by the Charter Communications breach disclosed earlier this week. The ShinyHunters extortion gang initially claimed 42 million records exfiltrated from Charter's Salesforce instance via voice-phishing of a Microsoft Entra account on April 1; the unique-account count is lower because individuals appeared on multiple records (customer + business + plan-info). Charter publicly denies that CPNI (Customer Proprietary Network Information) or sensitive personal data was taken. The HIBP entry refines the scope to a defender-actionable figure and lets customers and IR teams check exposure across their workforce.

Check
Run your @company.com domains against HIBP for Charter exposure. If you are a Charter customer or vendor, expect targeted vishing themed around Spectrum service issues for the next 60 days.
Affected
4.9 million unique Charter/Spectrum customer email addresses are now in HIBP. The SaaS-extortion playbook (Salesforce + Entra/Okta SSO + BPO vishing) remains the broader risk pattern.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter calls. Organizations with Salesforce + Entra: enforce phishing-resistant MFA on all admin and BPO identities.

Carnival Corporation confirms breach affecting 5,995,277 customers - April 10 social-engineering of employee account, ShinyHunters claimed

Carnival Corporation, the world's largest cruise-line operator with 90+ ships across Carnival, Princess, Holland America, Costa, P&O, Cunard, AIDA, and Seabourn, has confirmed a breach affecting 5,995,277 customers. The intrusion began April 10 when an employee was social-engineered into giving up account credentials; Carnival's IT team detected the unauthorized activity on April 14. ShinyHunters claimed responsibility in April and listed the company on its data leak site. Carnival served around 13.5 million guests in 2024 across its fleet. The company is now notifying affected individuals. The pattern aligns with the broader ShinyHunters SaaS-extortion playbook documented across Charter, Instructure, and others over the past quarter.

Check
If your @company.com domains include former Carnival, Princess, Holland America, Cunard, AIDA, or Seabourn customers, prepare for targeted phishing themed around bookings, refunds, and loyalty programs.
Affected
5,995,277 Carnival customers across nine cruise brands. Initial access came via social engineering of an employee account on April 10. Same ShinyHunters playbook as Charter and Instructure.
Fix
Enforce phishing-resistant MFA across the cruise/hospitality estate. Train front-line staff to resist social-engineering attempts to obtain account credentials. Audit Salesforce/Entra exports for bulk-data signals.

Fake 'UK Visa Portal' third-party (Active Leadgen LLC) exposed 100,000 passports and selfies on public AWS S3

TechCrunch has flagged a public AWS S3 bucket operated by a UAE-registered third-party site, UK Visa Portal (Active Leadgen LLC), that exposed at least 100,000 passport scans and selfies belonging to people who paid extra to apply for UK electronic travel authorizations. The site is not the official GOV.UK service; users could complete the same application directly on GOV.UK in minutes for free. The third party reportedly responded with legal threats instead of remediation. The dataset is now in the wild and creates substantial identity-document compromise risk - passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.

Check
Brief staff that 'UK Visa Portal' and similar third-party visa-help sites are not GOV.UK and may leak documents. Anyone who uploaded a passport to ukvisaportal.com should treat it as compromised.
Affected
100,000+ individuals (and counting) who used Active Leadgen LLC's UK Visa Portal site. Passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.
Fix
Affected individuals: report the passport as potentially compromised; consider replacement. Banks/exchanges: tighten document-plus-liveness verification against AI-generated impersonations using leaked identity documents.

Insurance provider Kemper added to Have I Been Pwned with 269,299 breached accounts; new financial-services dataset searchable

Have I Been Pwned has added US insurance provider Kemper to its breach corpus with 269,299 unique email addresses. Kemper offers auto, home, life, and health insurance across the United States. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected customers should anticipate insurance-themed phishing - claim-status updates, policy-renewal prompts, or premium-refund lures. The addition continues a steady run of US financial-services and insurance breaches surfacing in HIBP through late May.

Check
Check whether your @corp emails appear in HIBP's Kemper corpus. Warn affected staff and customers about insurance-themed phishing (claims, renewals, refunds) over the next 30-60 days.
Affected
269,299 unique email addresses tied to Kemper insurance accounts (auto, home, life, health). Customers are exposed to targeted insurance-themed social engineering.
Fix
Affected individuals: rotate Kemper passwords, enable MFA, scrutinize unsolicited insurance communications. Organizations: add Kemper to breach-monitoring watchlists and brief help desks on potential impersonation.

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.
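
The Check above, as an added example (not code from this page, Charter, Microsoft or Salesforce): it correlates a sign-in from a previously unseen IP with a large export by the same user shortly afterwards. The event schema, sample records, row threshold and 24-hour window are constructed assumptions; map the fields from your own Entra sign-in and Salesforce export logs.

```python
from datetime import datetime, timedelta

ROW_THRESHOLD = 50_000        # assumed; tune to your normal report sizes
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events in a hypothetical normalized schema (not a vendor format).
EVENTS = [
    {"ts": "2026-03-30T13:05:00", "kind": "signin", "user": "agent7@example.com", "ip": "198.51.100.20"},
    {"ts": "2026-03-31T13:10:00", "kind": "export", "user": "agent7@example.com", "ip": "198.51.100.20", "rows": 1200},
    {"ts": "2026-04-01T02:14:00", "kind": "signin", "user": "agent7@example.com", "ip": "203.0.113.77"},
    {"ts": "2026-04-01T02:31:00", "kind": "export", "user": "agent7@example.com", "ip": "203.0.113.77", "rows": 480000},
    {"ts": "2026-04-01T09:00:00", "kind": "signin", "user": "admin2@example.com", "ip": "198.51.100.31"},
    {"ts": "2026-04-01T09:20:00", "kind": "export", "user": "admin2@example.com", "ip": "198.51.100.31", "rows": 90000},
]

def find_suspicious_exports(events, row_threshold=ROW_THRESHOLD, window=WINDOW):
    """Return large exports that follow a sign-in from an IP new to that user."""
    known_ips = {}      # user -> IPs already seen at sign-in
    new_ip_signin = {}  # user -> (time, ip) of latest sign-in from an unseen IP
    alerts = []
    # ISO-8601 timestamps of equal length sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["kind"] == "signin":
            seen = known_ips.setdefault(user, set())
            # The first sign-in only seeds the baseline; later unseen IPs are flagged.
            if seen and ev["ip"] not in seen:
                new_ip_signin[user] = (when, ev["ip"])
            seen.add(ev["ip"])
        elif ev["kind"] == "export" and ev["rows"] >= row_threshold:
            hit = new_ip_signin.get(user)
            if hit and timedelta(0) <= when - hit[0] <= window:
                alerts.append({"user": user, "signin_ip": hit[1],
                               "rows": ev["rows"], "export_ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_exports(EVENTS):
        print(alert)
```

A user's first recorded sign-in only seeds the baseline, so load enough history before the period under review for the "new IP" signal to mean something.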

Lithuania investigates theft of 600,000 state registry records; opposition leader alleges Russian intelligence; Centre of Registers chief resigns

Lithuanian authorities are investigating the theft of around 600,000 records from the country's Centre of Registers, which holds state registry data. The breach was detected in early April and disclosed publicly only after weeks of internal investigation. Centre of Registers chief Adrijus Jusas resigned Monday, citing years of underinvestment that would need ~€60 million to address. The leader of Lithuania's conservative opposition alleges 'hallmarks of a Russian intelligence operation' and warns the data (including residential addresses linked to sensitive government personnel) could enable surveillance, phishing, and sabotage planning. Lithuanian prosecutors have neither confirmed nor denied Russian involvement.

Check
If your organization has Lithuanian operations or staff with state registry records, treat residential addresses and personal identifiers as compromised. Monitor for targeted phishing and impersonation.
Affected
Lithuanian citizens and residents whose data is held by the Centre of Registers. Sensitive government personnel are at heightened risk per the opposition leader's warning about surveillance use.
Fix
Lithuanian operations: update access credentials per government guidance. Watch for spear-phishing using residential-address pretexts. NATO/EU defenders: assume similar Eastern European registries are next given the precedent.

Oncology Institute confirms patient data exposure via third-party breach; reports point to Cognizant-owned TriZetto (3.4M+ patients in original incident)

The Oncology Institute, a US outpatient cancer-care network, has filed an SEC 8-K confirming that patient information was exposed in a third-party vendor breach. Kroll, acting as the vendor's third-party administrator, notified the company on May 20 that unauthorized access had been detected. The vendor is not officially named, but multiple reports point to Cognizant-owned TriZetto Provider Solutions, which previously disclosed a breach in March 2026 affecting more than 3.4 million patients via its provider-portal infrastructure. The Oncology Institute first flagged the incident in a November 2025 8-K. The vendor has set up a patient portal for inquiries.

Check
If your organization uses TriZetto Provider Solutions or other Cognizant healthcare-data services, request a fresh breach assessment from your account team. Audit shared-data agreements for blast radius.
Affected
Patients of The Oncology Institute and the wider TriZetto Provider Solutions ecosystem (3.4M+ patients in the original March 2026 disclosure). Healthcare providers using TriZetto for eligibility verification are exposed.
Fix
Notify affected patients per HIPAA. Tighten third-party risk reviews for healthcare-data processors. Implement strict data-handling SLAs in vendor contracts with breach notification deadlines.

Have I Been Pwned adds Ameriprise Financial with 502,597 breached accounts; financial-services dataset newly searchable

Have I Been Pwned has added Ameriprise Financial to its breach corpus with 502,597 unique email addresses. The financial-services giant manages over $1 trillion in assets across wealth management, advisory, and asset-management services. Underlying breach details and the original disclosure source have not been published alongside the HIBP entry, but the addition lets organizations and individuals check whether their accounts appear in the leaked dataset. Customers should expect targeted phishing themed around investment-account verification or advisor-impersonation pretexts. The breach adds to a recent run of financial-services HIBP listings including Marcus & Millichap (1.8M) and Cushman & Wakefield (310K).

Check
Check whether your @corp emails appear in HIBP's Ameriprise breach corpus. Warn affected employees about wealth-management-themed phishing and advisor-impersonation pretexts in the next 30-60 days.
Affected
502,597 unique email addresses tied to Ameriprise Financial accounts. High-net-worth individuals and advisors are likely over-represented in the dataset compared to typical breach corpora.
Fix
Affected individuals: rotate Ameriprise passwords, enable strongest available MFA, monitor account statements for unauthorized transactions. Treat unsolicited 'Ameriprise' or 'Columbia Threadneedle' contacts as suspicious.

Threat actor advertises 340M OnlyFans profiles for $76K - dataset built from correlating old breaches and public data, not direct hack

A threat actor going by Euphoric_Reply_5727 is selling a database advertised as 340 million OnlyFans user records on a cybercrime forum for 0.313 BTC (around $76,000). In private messages, the seller admitted to HackRead that they did not breach OnlyFans directly - the dataset was assembled by correlating old data-breach corpora with publicly visible OnlyFans profile information. Sample records include usernames, email, phone, join date, follower counts, linked social profiles, and a 'card' field claimed to be payment-card-last-4. The privacy risk is real even without a fresh breach: the correlated dataset enables targeted phishing, stalking, impersonation, and blackmail of OnlyFans users.

Check
Set domain monitoring alerts for your @company.com email addresses appearing in OnlyFans-themed correlated leak datasets. Warn high-profile employees about targeted impersonation phishing.
Affected
Active OnlyFans users whose accounts are publicly visible. The correlation dataset enables targeted phishing, sextortion, stalking, and impersonation even though no fresh breach occurred.
Fix
If you operate identity-verification flows: assume OnlyFans-correlated identity data is on the criminal market. Strengthen account-recovery flows that rely on email + phone-number proof. Treat as already-leaked.