A threat actor going by Euphoric_Reply_5727 is selling a database advertised as 340 million OnlyFans user records on a cybercrime forum for 0.313 BTC (around $76,000). In private messages, the seller admitted to HackRead that they did not breach OnlyFans directly - the dataset was assembled by correlating old data-breach corpora with publicly visible OnlyFans profile information. Sample records include usernames, email, phone, join date, follower counts, linked social profiles, and a 'card' field claimed to be payment-card-last-4. The privacy risk is real even without a fresh breach: the correlated dataset enables targeted phishing, stalking, impersonation, and blackmail of OnlyFans users.
A week after CISA was first notified of credentials leaking from its Private-CISA GitHub repository, the agency is still working to invalidate and replace many of the exposed keys, according to TruffleHog creator Dylan Ayrey. On May 19, Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez sent letters demanding answers, noting CISA has lost a third of its workforce and almost all senior leaders to forced retirements and buyouts. An RSA private key giving full read access to every CISA-IT GitHub repository was still active when Ayrey re-tested on May 20; CISA rotated it after KrebsOnSecurity's notification, but other critical credentials reportedly remain unrotated.
GitHub has confirmed that roughly 3,800 internal repositories were exfiltrated after one of its employees installed a malicious version of the Nx Console VS Code extension. The malicious extension has been pulled and the affected device has been isolated. GitHub's current assessment is that the activity was limited to internal repos and that no customer data stored outside them was touched. The numbers line up with the claim TeamPCP posted on Breached, where they offered the code for at least $50,000. The breach connects this week's Nx Console compromise to the broader TeamPCP campaign that also hit OpenAI and Grafana.
GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.
Grafana Labs has confirmed that its previously disclosed GitHub breach started with the TanStack npm supply-chain attack run by TeamPCP, the same one that hit OpenAI and Mistral AI. Grafana detected the activity on May 11, rotated a significant number of GitHub workflow tokens, but one token slipped through and the attacker used it to pull Grafana's codebase. The downstream extortion attempt under the CoinbaseCartel banner came on May 16 and Grafana refused to pay, citing FBI guidance. The incident chains TeamPCP's TanStack OIDC-token theft into a directly observable secondary breach at a major observability vendor.
A contractor with administrative access at CISA, the US agency that tells everyone else how to do cybersecurity, ran a public GitHub repository called Private-CISA that exposed administrative AWS GovCloud keys, plaintext passwords in CSVs for internal CISA systems, and credentials to the agency's internal artifactory. The owner had even disabled GitHub's default secret-scanning protections. Researcher Philippe Caturegli of Seralys validated that the AWS keys still worked against three high-privilege GovCloud accounts and could have given an attacker a launchpad to deploy backdoors into CISA's internal build pipelines. CISA says it is investigating and has seen no evidence of compromise.
7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.
An Amazon S3 bucket simply named 'tabiq' was left open to anyone who knew the name, exposing over a million passports, driver's licenses, and identity-verification selfies submitted by hotel guests worldwide. The platform, run by Japanese operator Reqrea, handles digital check-in. Researcher Anurag Sen found the bucket and notified TechCrunch and JPCERT; the bucket has since been locked down. Reqrea says the exposed files date from early 2020 through May 2026 and that it does not yet know how the bucket became public. The company is still reviewing access logs to determine whether anyone else accessed the data.
Have I Been Pwned has added Colombian buy-now-pay-later fintech Addi to its breach corpus with 34,532,941 unique email addresses. Addi acknowledged unauthorized activity on its platform back in March 2026 and warned customers that personal data might have been compromised. ShinyHunters then claimed responsibility and published the dataset, which goes well beyond emails: credit-scoring requests, credit bureau records, customer identity files, email-validation logs, Cedula de Ciudadania national ID numbers, estimated income, socioeconomic level, and purchase history. Addi is a Bogota-based BNPL lender with $1B+ in funding and is one of the larger Latin American fintech breaches publicly documented this year.
Grafana Labs says an attacker stole a token that gave access to its GitHub environment, downloaded the company's private codebase, and then demanded a ransom to keep the code from being published. Grafana refused to pay and cited FBI guidance against rewarding extortion. The company says no customer data was accessed and the compromised credentials have been invalidated. A data-extortion crew called CoinbaseCartel, tied to the same ecosystem as ShinyHunters, Scattered Spider, and LAPSUS$ with around 170 victims since September 2025, claimed credit. Grafana has not disclosed which code was taken or when the intrusion happened.