Last updated: July 5, 2026 at 9:01 AM UTC

Zara confirmed in ShinyHunters Anodot fallout - 197,000 customer support records leaked

Zara is the latest big brand caught in the ShinyHunters extortion campaign tied to the March breach of analytics provider Anodot. The attackers - who got into Anodot in March and used that foothold to raid Snowflake-hosted data for at least a dozen downstream customers - have now published roughly one terabyte of files they say came from Zara's customer support system. Have I Been Pwned loaded 197,376 unique email addresses from the dump, along with product SKUs, order IDs, and the market each support ticket originated in. Zara's parent Inditex says no passwords or payment data were exposed.

Check
Search corporate email logs for a spike in phishing or fake order-status messages spoofing Zara customer service over the past 30 days, especially targeting users who shop with their work email.
Affected
Zara customers who contacted customer support are exposed via leaked email addresses, product SKUs, order IDs, and the market of origin (197,376 unique addresses confirmed by HIBP). Inditex has stated no passwords or payment information were included. Any organization whose data was held by Anodot remains part of this broader supply-chain campaign.
Fix
Treat the 197K leaked email addresses as confirmed-exposed for phishing targeting. Apply stricter inbound filtering for Zara order-status or return-label phishing lures. Educate employees who use work email for personal e-commerce. If your company uses Anodot, or routes data through Snowflake integrations exposed by the Anodot breach, follow the remediation Anodot and Snowflake published in April and rotate any tokens shared with Anodot.
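One way to run the email-log check and inbound filter described in this entry, as an added example that is not part of the original digest: it flags Zara-branded order, return or refund lures sent from domains outside an allow-list and reports the days on which they spike. The three-column log layout, the allow-listed domains and the sample rows are assumptions constructed for illustration.

```python
import csv
import re
from collections import Counter
from email.utils import parseaddr
from statistics import median

# Assumption: domains treated as legitimate senders. Replace with the sending
# domains you actually see in authenticated (SPF/DKIM-aligned) mail.
ALLOWED = ("zara.com", "inditex.com")
BRAND = re.compile(r"\bzara\b", re.I)
LURE = re.compile(r"\b(order|return|refund|delivery|ticket)\b", re.I)

# Constructed sample of a mail-gateway export: date, From header, subject.
SAMPLE_LOG = """\
2026-06-20,Zara <noreply@zara.com>,Your order has shipped
2026-06-20,Zara Support <help@zara-care.example>,Action needed on your order
2026-06-21,Zara Returns <label@zara.com.returns.example>,Your return label
2026-06-22,ZARA <service@zara-orders.example>,Order 000000 delivery failed
2026-06-22,ZARA <service@zara-orders.example>,Refund pending for your order
2026-06-22,Customer Care <cc@zara-orders.example>,Zara ticket update: confirm refund
2026-06-22,Zara <news@email.zara.com>,New season arrivals
2026-06-22,ZARA <service@zara-orders.example>,Confirm your return
2026-06-23,IT Helpdesk <it@corp.example>,Password expiry notice
"""

def is_allowed(domain):
    """True only for an allowed domain or a true subdomain of one.
    Matching on the label boundary rejects 'zara.com.returns.example'."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED)

def flag_spoofs(log_text):
    """Return (date, sender, subject) for brand + lure mail from other domains."""
    hits = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 3:
            continue  # skip malformed rows instead of failing the whole run
        date, from_hdr, subject = row
        display, addr = parseaddr(from_hdr)
        domain = addr.rpartition("@")[2]
        branded = BRAND.search(display) or BRAND.search(subject)
        if branded and LURE.search(subject) and not is_allowed(domain):
            hits.append((date, addr, subject))
    return hits

def spike_days(hits, factor=3):
    """Days whose hit count is at least `factor` times the median daily count."""
    per_day = Counter(date for date, _, _ in hits)
    if not per_day:
        return []
    base = median(per_day.values())
    return sorted(d for d, n in per_day.items() if n > 1 and n >= factor * base)
```

Cross-reference the flagged recipients against staff known to use work email for shopping before tightening the filter, since the display-name match alone also catches forwarded or quoted legitimate mail.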

AI merchant data platform Woflow leaked - 447,000 records exposed in ShinyHunters extortion

Woflow, an AI-driven platform that maintains menu and product data for restaurants and merchants on delivery apps, is the next named victim of ShinyHunters' extortion campaign. The group has published over 2 terabytes of files it says came from Woflow, including names, phone numbers, physical addresses, and email addresses. Have I Been Pwned loaded 447,593 unique email addresses from the dump. The exposed data appears to cover both Woflow's direct customers and the end customers of those merchants - so the breach radius is wider than Woflow's own user list, reaching the customers of every business that relies on Woflow's data.

Check
Check whether your restaurant chain, merchant operations, or delivery integrations rely on Woflow to maintain menu, product, or location data, and review customer service tickets for phishing referencing Woflow-handled records.
Affected
Direct Woflow customers (restaurant chains, merchant networks, delivery-app operators) and the end consumers of those merchants. Leaked fields confirmed by HIBP include names, email addresses, phone numbers, and physical addresses - 447,593 unique email addresses total. No passwords or payment details have been reported in the published dataset.
Fix
If you are a Woflow customer, contact your account team for the official IoC list and impacted-record scope. Notify your own customers if their data was passed through Woflow. Apply stricter inbound filtering for phishing impersonating restaurant brands, delivery platforms, or order confirmations. Rotate any API keys or shared credentials your team exchanged with Woflow integrations in the past 18 months.

AI evaluation startup Braintrust got hacked - and is asking every customer to rotate their AI provider API keys because the breached AWS account stored them all in one place

Braintrust, an AI evaluation and observability platform recently valued at $800 million, confirmed Tuesday that an unauthorized actor accessed one of its AWS accounts on May 4. The breached account held org-level API keys that customers store with Braintrust to access OpenAI, Anthropic, and other AI providers. Braintrust has confirmed exposure of one customer and is investigating three more reporting suspicious AI-provider usage spikes. The pattern - a relatively small AI infrastructure provider becoming a credential warehouse for downstream customers - is what Nudge Security's Jaime Blasco called 'the new shape of supply chain risk.'

Check
If your organization uses Braintrust, log into the org-level settings page and check the timestamp of every stored AI provider secret. Audit AI provider billing dashboards for unexpected usage spikes since April.
Affected
Braintrust customers, particularly AI-forward companies that store provider API keys in Braintrust org-level settings. Public reports suggest the customer base includes Box, Cloudflare, Dropbox, Notion, Ramp, and Stripe. Beyond Braintrust: any AI eval, observability, or gateway tool that holds customer-issued provider keys is the same risk pattern.
Fix
Rotate every AI provider API key stored with Braintrust - go to org-level settings, delete existing secrets, configure new ones, verify timestamps. Apply the same rotation to keys stored in similar AI eval/observability/gateway tools. Switch from static API keys to short-lived OIDC-issued credentials where the AI provider supports it. Add SCPs that restrict which AI provider services your IAM keys can call.

RansomHouse claims the Trellix breach and posts screenshots showing it reached internal VMware, Rubrik, and Dell EMC dashboards - far more than the 'small portion of source code' Trellix originally disclosed

Update on the Trellix breach we covered May 2: RansomHouse claimed the attack on its leak site Thursday and published screenshots that suggest the intrusion reached well beyond the source code repository Trellix originally acknowledged. Cybernews researchers reviewed the dumped images and identified internal dashboards for VMware vCenter, Rubrik backup, and Dell EMC storage - the systems that hold backups, credentials, and virtual machine images for the entire company. RansomHouse says the intrusion happened April 17 and resulted in data encryption. Trellix told BleepingComputer it's 'aware of claims of responsibility' and looking into them. RansomHouse currently lists 170+ victims on its Tor leak site.

Check
If your organization runs Trellix endpoint, IPS, ePolicy Orchestrator, or email security, audit checksums of every Trellix update installed since April 17. Hunt for unusual outbound traffic from Trellix product hosts.
Affected
Trellix customers - 53,000+ enterprises and government agencies in 185 countries protecting 200M+ endpoints. Acute risk: organizations relying on Trellix for backup integrity (Rubrik exposed) or VMware management (vCenter exposed). Defense and federal customers face higher residual risk pending Trellix's full incident report.
Fix
Hold non-emergency Trellix product updates until Trellix releases a written incident report with concrete scope. Verify checksums for every Trellix agent updated since April 17 against Trellix's published values. Treat any Trellix-issued credentials, API tokens, or signing certificates from before April 17 as potentially compromised and request rotation. Demand a written incident report within 30 days.

NVIDIA confirms a regional GeForce NOW partner in Armenia got breached - millions of user records exposed but NVIDIA's own systems are intact

NVIDIA confirmed Friday that a third-party GeForce NOW Alliance partner based in Armenia (GFN.am) was breached. The hacker, using the ShinyHunters handle on BreachForums, claims to have stolen names, email addresses, dates of birth, membership status, and 2FA enrollment status of millions of users - and is selling the database for $100,000. NVIDIA says its own systems are unaffected and the regional partner is notifying impacted users. The actor is suspected to be a ShinyHunters impersonator rather than the original gang. The partner serves users in Armenia, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan.

Check
If you or your staff use GeForce NOW from Armenia, Georgia, Kazakhstan, Moldova, Ukraine, or Uzbekistan, log in to gfn.am and check for breach notifications. Search your inbox for GeForce NOW or NVIDIA-themed emails since May 5.
Affected
GeForce NOW users registered through GFN.am, the Armenia-based regional partner serving Armenia, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan. Records reported leaked include names, email addresses, dates of birth, membership status, and 2FA enrollment - but not passwords. Acute risk for users who reused the GFN.am password elsewhere.
Fix
Reset GFN.am passwords and any other accounts using the same password. Enable 2FA if not already on. Treat any inbound emails referencing your real NVIDIA or GeForce NOW account details as hostile - go to gfn.am directly. For organizations: regional alliance partners often have weaker security than the parent vendor - audit which third-party regional services hold employee or customer data.

Hackers tell schools to pay by Tuesday or 275 million students' messages and IDs go public - Canvas operator Instructure confirms breach

Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.

Check
If your school or organization uses Canvas, prepare your student/parent breach notification template this week - Instructure data is likely to be public by Tuesday.
Affected
Schools, universities, and corporate training organizations using Canvas - 9,000 institutions globally, 275 million individuals. Acute risk for K-12 districts where data on under-13 students falls under COPPA and state student privacy laws (NY Education Law 2-d, California SOPIPA, ~130 similar state statutes). Salesforce-integrated Canvas tenants face additional exposure.
Fix
Rotate every Canvas API key and re-authorize integrations as Instructure has now mandated. Pull your district's Canvas data-sharing inventory and identify which downstream tools held copies. For K-12: prepare COPPA and state-AG notification templates now - PowerSchool's breach triggered class actions in 11 states. Brief students, parents, and faculty that any 'Canvas account verification' email this week is potentially hostile.

Commercial real estate broker Marcus & Millichap data leaked publicly - 1.8 million records including job titles for follow-on phishing

Marcus & Millichap customer data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1,837,078 unique email addresses, plus names, phone numbers, employer names, job titles, and company addresses. Marcus & Millichap is a major US commercial real estate brokerage that closed $50.9 billion in transactions in 2025. The company says the leaked data 'appeared limited to company forms, templates, marketing materials, and general contact information' but ShinyHunters originally claimed 30 million Salesforce records. The leak extends the ShinyHunters wave that already published Pitney Bowes, Carnival, Udemy, ADT, and ZenBusiness.

Check
If you've ever interacted with Marcus & Millichap as a buyer, seller, or broker, watch for highly targeted phishing referencing real property listings or transaction history over the next 90 days.
Affected
Marcus & Millichap clients - commercial real estate buyers, sellers, brokers, and prospects whose employer and job title data is now public. Acute risk: real estate scammers running 'wire transfer fraud' against named buyers using the leaked job titles and employer names to make spear-phishing convincing. Lenders and title companies that worked transactions with Marcus & Millichap face downstream exposure.
Fix
Treat any Marcus & Millichap email referencing your real role or company as potentially hostile - call known contacts via published phone numbers to verify. For real estate professionals: enable wire transfer verification protocols requiring out-of-band confirmation. Lenders and title companies should add Marcus & Millichap-themed lookalike domains to phishing detection. Affected individuals can monitor through HIBP.

Cybersecurity firm Trellix says attackers reached part of its source code repository

Trellix, the cybersecurity company formed from the 2022 merger of McAfee Enterprise and FireEye, disclosed Friday that attackers reached part of its source code repository. The company says it has 'no evidence' that source code releases were tampered with, that the source code itself was exploited, or that customer data was affected - but it has not said how long the attackers had access, who they were, or what they took. Trellix is now working with outside forensics firms and has notified law enforcement. Trellix sells endpoint protection, email security, and managed detection products to enterprise and government customers. The company has not given a timeline for further disclosure.

Check
If your organization uses any Trellix product, watch for unusual update patterns this week and avoid auto-updating until Trellix confirms the integrity of its release pipeline.
Affected
Trellix customers - enterprises and US government agencies that use Trellix endpoint, email, IPS, or managed detection products. Source code access doesn't automatically mean compromised products, but it's the starting position for finding new vulnerabilities. Defense and federal customers face higher residual risk pending Trellix's full disclosure.
Fix
Verify Trellix product update integrity by comparing checksums for any agent updated since the breach window. Hold non-emergency Trellix updates pending more clarity. For high-security environments, run Trellix in monitor-only mode for the next two weeks. Track Trellix's incident page directly and demand a written incident report within 30 days.

Mark Cuban-backed business filing service ZenBusiness leaked - 5 million customer records now public after ShinyHunters extortion failed

ZenBusiness customer data is now public on Have I Been Pwned, with 5,118,184 unique email addresses confirmed - alongside names, phone numbers, and CRM records pulled from Snowflake, Mixpanel, and Salesforce. ShinyHunters had threatened to publish the data in March after a failed extortion attempt; HIBP added the dataset yesterday. ZenBusiness is the AI-driven LLC formation and small business compliance platform backed by Mark Cuban. The breach extends the ShinyHunters wave that's already publicly released Pitney Bowes (8.2M), Carnival (7.5M), Udemy (1.4M), ADT (5.5M), and now ZenBusiness.

Check
If you used ZenBusiness to set up an LLC, treat any inbound communication referencing your real business name, formation date, or registered agent details as potentially hostile.
Affected
ZenBusiness customers - mostly small business owners, freelancers, and startup founders. The leak includes business formation details that uniquely identify the type of business you set up. Acute risk: small business owners targeted by 'compliance reminder' phishing referencing their real EIN, registered agent address, or annual report deadline.
Fix
Reset ZenBusiness account passwords and rotate any password reused on other accounts. Watch state filing systems for unauthorized changes to your registered agent or business address - attackers can hijack LLCs by changing these. Treat any 'urgent compliance notice' email as potentially hostile. For LLCs holding valuable assets, consider freezing changes through your secretary of state's office where supported.

Instructure, the company that runs Canvas for schools and universities, says hackers breached its systems

Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs - and a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensics are investigating. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.

Check
If your school or organization uses Canvas, audit which API keys you have integrated with Canvas and rotate any issued in the past 6 months as a precaution.
Affected
Schools, universities, and corporate training organizations using Canvas. Student records, teacher records, course content, gradebook data, and uploaded files are all in scope until Instructure confirms otherwise. Salesforce-integrated Canvas tenants may be at higher risk - 2025's Instructure incident traced to a Salesforce compromise.
Fix
Rotate Canvas API keys, especially for downstream tools (gradebook integrations, SSO, third-party plugins). Brief students, parents, and faculty that any 'Canvas account verification' email is potentially hostile - go to canvas.instructure.com directly. Request Instructure's incident notification timeline in writing and pre-prepare your own student/parent notification template.