Zara is the latest big brand caught in the ShinyHunters extortion campaign tied to the March breach of analytics provider Anodot. The attackers - who got into Anodot in March and used that foothold to raid Snowflake-hosted data for at least a dozen downstream customers - have now published roughly one terabyte of files they say came from Zara's customer support system. Have I Been Pwned loaded 197,376 unique email addresses from the dump, along with product SKUs, order IDs, and the market each support ticket originated in. Zara's parent Inditex says no passwords or payment data were exposed.
Woflow, an AI-driven platform that maintains menu and product data for restaurants and merchants on delivery apps, is the next named victim of ShinyHunters' extortion campaign. The group has published over 2 terabytes of files it says came from Woflow, including names, phone numbers, physical addresses, and email addresses. Have I Been Pwned loaded 447,593 unique email addresses from the dump. The exposed data appears to cover both Woflow's direct customers and the end customers of those merchants - so the breach radius is wider than Woflow's own user list, reaching the customers of every business that relies on Woflow's data.
Braintrust, an AI evaluation and observability platform recently valued at $800 million, confirmed Tuesday that an unauthorized actor accessed one of its AWS accounts on May 4. The breached account held org-level API keys that customers store with Braintrust to access OpenAI, Anthropic, and other AI providers. Braintrust has confirmed exposure of one customer and is investigating three more reporting suspicious AI-provider usage spikes. The pattern - a relatively small AI infrastructure provider becoming a credential warehouse for downstream customers - is what Nudge Security's Jaime Blasco called 'the new shape of supply chain risk.'
Update on the Trellix breach we covered May 2: RansomHouse claimed the attack on its leak site Thursday and published screenshots that suggest the intrusion reached well beyond the source code repository Trellix originally acknowledged. Cybernews researchers reviewed the dumped images and identified internal dashboards for VMware vCenter, Rubrik backup, and Dell EMC storage - the systems that hold backups, credentials, and virtual machine images for the entire company. RansomHouse says the intrusion happened April 17 and resulted in data encryption. Trellix told BleepingComputer it's 'aware of claims of responsibility' and looking into them. RansomHouse currently lists 170+ victims on its Tor leak site.
NVIDIA confirmed Friday that a third-party GeForce NOW Alliance partner based in Armenia (GFN.am) was breached. The hacker, using the ShinyHunters handle on BreachForums, claims to have stolen names, email addresses, dates of birth, membership status, and 2FA enrollment status of millions of users - and is selling the database for $100,000. NVIDIA says its own systems are unaffected and the regional partner is notifying impacted users. The actor is suspected to be a ShinyHunters impersonator rather than the original gang. The partner serves users in Armenia, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan.
Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.
Marcus & Millichap customer data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1,837,078 unique email addresses, plus names, phone numbers, employer names, job titles, and company addresses. Marcus & Millichap is a major US commercial real estate brokerage that closed $50.9 billion in transactions in 2025. The company says the leaked data 'appeared limited to company forms, templates, marketing materials, and general contact information' but ShinyHunters originally claimed 30 million Salesforce records. The leak extends the ShinyHunters wave that already published Pitney Bowes, Carnival, Udemy, ADT, and ZenBusiness.
Trellix, the cybersecurity company formed from the 2022 merger of McAfee Enterprise and FireEye, disclosed Friday that attackers reached part of its source code repository. The company says it has 'no evidence' that source code releases were tampered with, that the source code itself was exploited, or that customer data was affected - but it has not said how long the attackers had access, who they were, or what they took. Trellix is now working with outside forensics firms and has notified law enforcement. Trellix sells endpoint protection, email security, and managed detection products to enterprise and government customers. The company has not given a timeline for further disclosure.
ZenBusiness customer data is now public on Have I Been Pwned, with 5,118,184 unique email addresses confirmed - alongside names, phone numbers, and CRM records pulled from Snowflake, Mixpanel, and Salesforce. ShinyHunters had threatened to publish the data in March after a failed extortion attempt; HIBP added the dataset yesterday. ZenBusiness is the AI-driven LLC formation and small business compliance platform backed by Mark Cuban. The breach extends the ShinyHunters wave that's already publicly released Pitney Bowes (8.2M), Carnival (7.5M), Udemy (1.4M), ADT (5.5M), and now ZenBusiness.
Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs - and a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensics are investigating. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.