Last updated: July 5, 2026 at 9:01 AM UTC

France arrested a 15-year-old as the suspected hacker behind the French government ID agency breach - 11.7 million records confirmed stolen

Update on the ANTS breach we covered April 22: French police detained a 15-year-old on April 25, suspected of running the breach3d alias and stealing data from France Titres (ANTS), the agency that issues French ID cards, passports, and driver's licenses. The Paris Prosecutor's Office charged the minor on April 29 with three offenses carrying up to seven years in prison. ANTS now confirms 11.7 million accounts affected - lower than the original 19 million claim but still one of the largest leaks of French citizen identity data ever. Exposed data includes full names, email addresses, dates of birth, postal addresses, and phone numbers.

Check
If you live or operate in France, watch for highly targeted phishing referencing real ID details over the next 90 days - the breach data is now confirmed in attacker hands.
Affected
11.7 million French residents whose ID data, contact details, and dates of birth are in the breach3d dataset. Acute risk for individuals who used these details to create accounts at French government services or banks. Organizations operating in France that use government-issued ID for KYC checks need to assume their data sources are tainted.
Fix
ANTS recommends affected users reset passwords on government and banking accounts and watch for impersonation messages claiming to be ANTS or La Poste. Treat any inbound email referencing your real ANTS data as hostile. KYC checks based on French government ID numbers should be backed by additional verification (face match, document liveness check) for the next 12 months.

Vimeo confirms user data was exposed via breach at analytics provider Anodot

Vimeo confirmed yesterday that user data was exposed when its analytics provider Anodot was breached. The video service hasn't said how many users are affected or what data was exposed beyond 'limited' account information, but Anodot's role suggests the leaked records include event-level user activity tied to Vimeo accounts: video views, account IDs, and the kind of telemetry analytics providers ingest. The pattern is the same as Citizens Bank, Frost Bank, Pitney Bowes, and now Vimeo: customer data leaks through a third-party vendor that the customer never directly signed up with.

Check
If you use Vimeo for any work-related video hosting, watch for Vimeo-themed phishing emails over the next few weeks referencing real account activity.
Affected
Vimeo users whose account data was processed by Anodot - a substantial subset given Anodot is a primary analytics provider. The risk is targeted phishing rather than account takeover: scammers who can reference real video views or account creation dates sound legitimate enough to bait credential resets. Organizations hosting marketing or training videos on Vimeo should expect staff targeting.
Fix
Treat any Vimeo email referencing your real account activity as potentially hostile - go to vimeo.com directly. Enable two-factor auth on Vimeo accounts, especially shared organizational ones. Review access logs for unfamiliar logins since April. For organizations: pull your vendor inventory and identify other analytics providers (Mixpanel, Heap, Amplitude) that hold customer data, and confirm breach notification SLAs.

Pitney Bowes customer and employee data leaked publicly - 8.2 million email addresses plus internal records with employee job titles

Pitney Bowes customer and employee data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 8.2 million unique email addresses, plus names, phone numbers, and physical addresses. A subset includes Pitney Bowes employee records with job titles - a useful starter pack for highly targeted phishing against named staff. The data came from a misconfigured Salesforce Experience Cloud 'Guest User' permission that let unauthenticated visitors query CRM records directly. ShinyHunters had posted Pitney Bowes on its leak site April 18 with a three-day deadline.

Check
If your organization uses Salesforce Experience Cloud, audit Guest User permissions today and remove read access from CRM objects that don't need to be public.
Affected
Pitney Bowes customers (8.2M email addresses, names, phones, addresses now public) and employees with job titles in the leak. Any organization running Salesforce Experience Cloud with default Guest User permissions has the same exposure - this is a configuration failure, not a Salesforce flaw.
Fix
Run Salesforce's Guest User Permissions report and tighten anything reading customer or contact data. Confirm no Experience Cloud public site exposes Account, Contact, Lead, or Case objects without a clear public-data reason. Pitney Bowes employees should treat 'CEO needs you to wire' messages with extra suspicion - your name and title are now public.

ADT customer breach details now public on Have I Been Pwned - 5.5 million records confirmed, fewer than the 10 million ShinyHunters originally claimed but with worse data

Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None is catastrophic alone, but combined they give attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.

Check
If you're an ADT customer, treat any inbound call referencing your real install date or installer name as hostile - those details are now public.
Affected
All 5,488,888 ADT customers and prospects - now indexable on HIBP. Acute risk for customers whose installer IDs are in the leak: scammers can call referencing 'Mike from your install on March 14, 2022' and sound legitimate enough to social-engineer security code resets. Elderly customers and high-value households are the highest-risk segment for follow-on physical security scams.
Fix
ADT customers should set a verbal codeword with ADT's real customer service line and refuse to verify identity to any inbound caller without it. Treat any 'free security upgrade' as a scam unless you initiated the call. Brief elderly family members specifically - they're the prime target for follow-on scams using leaked install details. Pressure ADT for credit monitoring if the SSN/Tax ID subset includes you.

Udemy customer and instructor data leaked publicly after ShinyHunters' extortion deadline expires - 1.4 million records including PayPal payout details

Online learning giant Udemy's customer and instructor data was leaked publicly today after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1.4 million unique email addresses. The dataset goes well beyond contact information: it includes full names, physical addresses, phone numbers, employer details, and instructor payout methods - PayPal email addresses, mailing addresses for cheques, and bank transfer details. Udemy was listed on ShinyHunters' 'pay or leak' portal April 24 with a three-day deadline. The company has not publicly confirmed the breach or said how attackers got in.

Check
Reset your Udemy password if you have an account, especially if you're an instructor with payout details on file, and watch for highly targeted phishing.
Affected
Udemy customers and instructors with accounts before April 2026, particularly instructors whose PayPal addresses, cheque mailing addresses, and bank transfer details are in the leak. Any organization using Udemy for staff training has employee details exposed and should expect tailored phishing referencing real course history.
Fix
Reset Udemy passwords and rotate any password reused on other accounts. Instructors should monitor PayPal and bank accounts and contact PayPal to flag the email as compromised. Brief staff that any 'Udemy' email referencing their real course history is potentially hostile - go to udemy.com directly rather than clicking links. Add Udemy lookalike domains to your DMARC monitoring.

Checkmarx confirms its source code, employee database, and cloud credentials were posted on the dark web after the March supply-chain attack

Checkmarx confirmed Friday that data from its private GitHub repository was posted on the dark web following the March 23 TeamPCP supply-chain attack. The LAPSUS$ group published the dump, which includes Checkmarx source code, an employee database, API keys, and MongoDB and MySQL credentials. Checkmarx says the affected GitHub repository was separate from the customer Checkmarx One SaaS production environment, with no customer data stored in it. The bigger picture: an attack that started by poisoning a single GitHub Action 35 days ago has now produced a full source code, credentials, and employee data leak - under five weeks end to end.

Check
If your team uses Checkmarx KICS or AST GitHub Actions, the Checkmarx Open VSX extensions, or any Checkmarx self-hosted product, rotate every credential issued during March.
Affected
Organizations using Checkmarx KICS or AST GitHub Action versions pulled between 12:58 and 16:50 UTC on March 23. Checkmarx Open VSX extensions ast-results 2.53.0 and cx-dev-assist 1.7.0. Any environment where Checkmarx-issued API keys reach cloud accounts, repos, or CI/CD secret stores - those credentials may be in the leak.
Fix
Rotate every credential, API key, and integration token that touched Checkmarx tooling in March. Audit GitHub Actions logs for outbound traffic to checkmarx[.]zone or audit.checkmarx.cx. Pin GitHub Actions to immutable commit SHAs rather than version tags. Treat any Checkmarx-issued auth token from March as burned and reissue. Watch for follow-up phishing referencing real Checkmarx employees.

ADT confirms breach after ShinyHunters claims 10 million records stolen via vishing-compromised Okta SSO and Salesforce exfil

ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.

Check
If you run Salesforce behind Okta or another SSO, audit conditional-access policies this week and assume vishing-driven session-hijack is a credible vector for your tenant.
Affected
ADT customers, particularly the prospective customers confirmed in the dataset. From a security standpoint: any organization using Salesforce behind SSO without device-bound auth or per-session re-auth on bulk exports. The pattern across ShinyHunters victims (Carnival, ADT, Zara, 7-Eleven) shows MFA alone does not stop this group once help-desk vishing succeeds.
Fix
Brief frontline staff on the vishing pattern: spoofed VoIP, attacker poses as IT, walks user through MFA enrollment. Run a tabletop. In Okta and Entra ID, alert on new device registrations and on bulk Salesforce exports outside business hours. Tighten Permission Set Groups for bulk exports. Consider FIDO2 or platform passkeys for any role with bulk customer-data access.

US utility tech giant Itron breached - hackers reached internal IT systems but no impact on the 112 million customer endpoints it manages

Itron, the Washington-based utility technology company that manages 112 million energy and water meter endpoints across 7,700 customers in 100 countries, disclosed a cyberattack in an SEC 8-K filing April 24. An unauthorized third party reached parts of Itron's corporate IT network on April 13. Itron says it has expelled the attackers and seen no follow-up activity, and that customer-hosted environments (the actual utility infrastructure) were untouched. No ransomware group has claimed the attack. The incident is significant because Itron sits in the middle of US critical infrastructure - meter data, billing, and grid telemetry pass through its software at thousands of utilities.

Check
If you work with any utility tech vendor, confirm in writing whether your relationship touches their corporate IT or only their isolated customer-hosted environment.
Affected
Utilities running Itron software, meters, or services - particularly those whose contracts let Itron staff reach into utility systems. Any organization where a critical-infrastructure vendor has remote access without strict segmentation. Itron's segregation of customer-hosted from corporate IT is what limited this incident.
Fix
Review which Itron-side accounts can reach your utility infrastructure and rotate any credentials, API keys, or VPN profiles Itron staff have used since January. Demand a written attestation that customer-hosted environments are network-segregated from corporate IT. Map every critical-infrastructure vendor's reachability into your network, including informal paths.

Medtronic confirms breach after ShinyHunters claims theft of 9 million records and terabytes of internal data

Medtronic, the world's largest medical device maker, confirmed a breach of its corporate IT systems in an SEC filing April 24. ShinyHunters had listed Medtronic on its leak site April 18 claiming theft of more than 9 million records of personal data plus terabytes of internal corporate documents, with an April 21 deadline. The Medtronic listing has since been removed - a strong signal the company either paid the ransom or is still negotiating. Medtronic says product safety, manufacturing, distribution, and patient care are unaffected; the breach was confined to corporate IT, which is segregated from device infrastructure. Investigation into what personal data was exposed is ongoing.

Check
If you or staff have ever been a Medtronic patient, vendor, contractor, or applicant, watch for highly targeted phishing referencing real medical device or employment details.
Affected
Medtronic employees (90,000+), patients (hundreds of millions), suppliers, and former staff are all in scope until Medtronic clarifies what the 9M+ records contain. Healthcare organizations sharing patient data with Medtronic for device monitoring, recall tracking, or research are exposed if those communications are in the leak.
Fix
Affected individuals: enable MFA on patient portals, monitor explanation-of-benefits statements, and report any unsolicited medical-device prompt or service call. Healthcare organizations: pull your data-sharing inventory with medical device vendors and confirm breach-notification SLAs. Companies sharing confidential records with Medtronic should assume those documents may be in the leak set.

Carnival confirms 7.5 million Holland America Mariner Society loyalty records leaked after ShinyHunters' extortion deadline passed

Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.

Check
If your organization has ever done corporate bookings, incentive travel, or employee perks through Holland America, Princess, or other Carnival brands, notify affected staff today and watch for cruise-themed phishing referencing genuine loyalty-program details over the coming weeks.
Affected
Anyone who has a Mariner Society loyalty account with Holland America Line, and by extension anyone who has booked a Holland America cruise through loyalty channels. The exposed fields (name, date of birth, email, gender, loyalty status) are foundational identity data - strong enough to power convincing impersonation, knowledge-based authentication bypass, and targeted spear-phishing.
Fix
Check Have I Been Pwned to confirm whether your address is in the Carnival dataset. If it is, watch for phishing emails pretending to be from Holland America or other Carnival brands that reference your real past bookings or loyalty tier - treat any such message as hostile and navigate to the Holland America site directly rather than clicking links. Rotate passwords on any account that shares a password with Mariner Society. At an organizational level, add 'holland-america.com' and 'hollandamericafund.com' lookalike domains to your DMARC and brand-monitoring watchlists, and brief travel-desk staff that any Mariner Society outreach should be verified by phone.