Update on the ANTS breach we covered April 22: French police detained a 15-year-old on April 25, suspected of running the breach3d alias and stealing data from France Titres (ANTS), the agency that issues French ID cards, passports, and driver's licenses. The Paris Prosecutor's Office charged the minor on April 29 with three offenses carrying up to seven years in prison. ANTS now confirms 11.7 million accounts affected - lower than the original 19 million claim but still one of the largest leaks of French citizen identity data ever. Exposed data includes full names, email addresses, dates of birth, postal addresses, and phone numbers.
Vimeo confirmed yesterday that user data was exposed when its analytics provider Anodot was breached. The video service hasn't said how many users are affected or what data was exposed beyond 'limited' account information, but Anodot's role suggests the leaked records include event-level user activity tied to Vimeo accounts: video views, account IDs, and the kind of telemetry analytics providers ingest. The pattern is the same as Citizens Bank, Frost Bank, Pitney Bowes, and now Vimeo: customer data leaks through a third-party vendor that the customer never directly signed up with.
Pitney Bowes customer and employee data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 8.2 million unique email addresses, plus names, phone numbers, and physical addresses. A subset includes Pitney Bowes employee records with job titles - a useful starter pack for highly-targeted phishing against named staff. The data came from a misconfigured Salesforce Experience Cloud 'Guest User' permission that let unauthenticated visitors query CRM records directly. ShinyHunters had posted Pitney Bowes on its leak site April 18 with a three-day deadline.
Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None catastrophic alone, but combined gives attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.
Online learning giant Udemy's customer and instructor data was leaked publicly today after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1.4 million unique email addresses. The dataset goes well beyond contact information: it includes full names, physical addresses, phone numbers, employer details, and instructor payout methods - PayPal email addresses, mailing addresses for cheques, and bank transfer details. Udemy was listed on ShinyHunters' 'pay or leak' portal April 24 with a three-day deadline. The company has not publicly confirmed the breach or said how attackers got in.
Checkmarx confirmed Friday that data from its private GitHub repository was posted on the dark web following the March 23 TeamPCP supply-chain attack. The LAPSUS$ group published the dump, which includes Checkmarx source code, an employee database, API keys, and MongoDB and MySQL credentials. Checkmarx says the affected GitHub repository was separate from the customer Checkmarx One SaaS production environment, with no customer data stored in it. The bigger picture: an attack that started by poisoning a single GitHub Action 35 days ago has now produced a full source code, credentials, and employee data leak - under five weeks end to end.
ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.
Itron, the Washington-based utility technology company that manages 112 million energy and water meter endpoints across 7,700 customers in 100 countries, disclosed a cyberattack in an SEC 8-K filing April 24. An unauthorized third party reached parts of Itron's corporate IT network on April 13. Itron says it has expelled the attackers and seen no follow-up activity, and that customer-hosted environments (the actual utility infrastructure) were untouched. No ransomware group has claimed the attack. The incident is significant because Itron sits in the middle of US critical infrastructure - meter data, billing, and grid telemetry pass through its software at thousands of utilities.
Medtronic, the world's largest medical device maker, confirmed a breach of its corporate IT systems in an SEC filing April 24. ShinyHunters had listed Medtronic on its leak site April 18 claiming theft of more than 9 million records of personal data plus terabytes of internal corporate documents, with an April 21 deadline. The Medtronic listing has since been removed - a strong signal the company either paid the ransom or is still negotiating. Medtronic says product safety, manufacturing, distribution, and patient care are unaffected; the breach was confined to corporate IT, which is segregated from device infrastructure. Investigation into what personal data was exposed is ongoing.
Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.