Last updated: July 5, 2026 at 9:01 AM UTC
Tag: breach (8 articles)

DHS confirms breach of unclassified Homeland Security information-sharing network

The US Department of Homeland Security has confirmed a breach of the Homeland Security Information Network, an unclassified but sensitive platform that federal, state, local, and private-sector partners use to share threat information and coordinate operations. The intrusion is believed to have happened between late May and early June, and according to reporting, the attackers targeted HSIN servers and an associated SharePoint collaboration system. DHS says it isolated the affected systems, that classified networks were not touched, and that the platform remains operational, but it has not attributed the attack or confirmed whether documents were stolen. Even without confirmed theft, compromising this coordination hub is operationally significant.

Check
Organizations that connect to or share data through HSIN should watch for follow-on phishing or misuse of any exposed coordination data, and confirm the security of their own SharePoint collaboration systems.
Affected
Federal, state, local, and private-sector partners who use HSIN to share sensitive information; the breach hit HSIN servers and a linked SharePoint system, though data theft is not confirmed.
Fix
Patch and harden SharePoint and other collaboration platforms, segment sensitive information-sharing systems, enforce phishing-resistant MFA, and monitor for unusual access, given attackers are actively targeting SharePoint and coordination hubs.

Corporate travel firm BCD Travel breach exposes 396,000 accounts

Have I Been Pwned has added BCD Travel - one of the world's largest corporate travel-management companies - to its breach corpus with 396,313 unique email addresses. BCD Travel arranges business travel for large enterprises and government clients worldwide, so the exposed dataset likely skews toward corporate and frequent-traveler accounts. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected travelers should anticipate travel-themed phishing - itinerary updates, booking confirmations, loyalty-program lures - and should rotate any reused passwords and enable MFA.

Check
Check whether your @company emails appear in HIBP's BCD Travel corpus. Warn business travelers about itinerary, booking-confirmation, and loyalty-program phishing over the next 60-90 days.
Affected
396,313 unique email addresses tied to BCD Travel corporate-travel accounts. Dataset likely skews toward enterprise and government frequent travelers, raising targeted travel-themed phishing risk.
Fix
Affected individuals: rotate BCD Travel passwords and any reused elsewhere, enable MFA, scrutinize unsolicited travel emails. Organizations: add BCD Travel to breach-monitoring watchlists and brief traveling staff.

UN World Food Programme Gaza registration platform breached - personal data of ~600,000 Palestinian households stolen, phishing warning issued

The UN World Food Programme - the world's largest humanitarian organization - has disclosed that its self-registration application for Palestine, used to register Gaza residents for assistance, was breached. Attackers accessed beneficiaries' names, ID numbers, phone numbers, and location data (including neighborhood information recorded at registration). The WFP says the intrusion occurred May 14 and exposed data for roughly 600,000 Palestinian households in Gaza. It has temporarily suspended the registration platform and stressed that assistance will continue uninterrupted. The agency warned beneficiaries to be wary of anyone claiming to represent the WFP and requesting information or money, and not to click suspicious links - a clear phishing-risk signal.

Check
Humanitarian and NGO operators: review self-registration and beneficiary platforms for exposure. If you work with WFP Gaza data, treat names, IDs, phone numbers, and locations as compromised.
Affected
Roughly 600,000 Palestinian households in Gaza whose WFP registration data (names, ID numbers, phone numbers, locations) was stolen in the May 14 breach. High risk of targeted phishing and fraud.
Fix
Affected beneficiaries: ignore unsolicited WFP-themed requests for information or money and avoid suspicious links. NGOs: harden registration platforms, minimize stored PII, and segment beneficiary databases.

Dental-benefits provider DentaQuest added to Have I Been Pwned with 2,553,599 breached accounts; healthcare-themed phishing risk

Have I Been Pwned has added US dental-benefits provider DentaQuest to its breach corpus with 2,553,599 unique email addresses. DentaQuest is one of the largest dental and vision benefits administrators in the United States, serving Medicaid, Medicare, and commercial members. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Healthcare and insurance data carries elevated risk: affected members should anticipate benefits-themed phishing, claim-status lures, and identity-theft attempts, and should rotate any reused passwords. It is among the larger US healthcare-adjacent breaches surfacing recently.

Check
Check whether your @company emails appear in HIBP's DentaQuest corpus. Warn affected staff about dental/medical-benefits-themed phishing - claim status, coverage updates, refund lures - over the next 60-90 days.
Affected
2,553,599 unique email addresses tied to DentaQuest dental and vision benefits members (Medicaid, Medicare, commercial). Healthcare data elevates identity-theft and benefits-phishing risk.
Fix
Affected individuals: rotate DentaQuest passwords and any reused elsewhere, enable MFA, monitor benefits statements. Organizations: add DentaQuest to breach-monitoring watchlists and brief staff on healthcare-themed social engineering.

Automotive marketplace Edmunds added to Have I Been Pwned with 177,860 breached accounts; expect car-buying-themed phishing

Have I Been Pwned has added the US automotive marketplace Edmunds to its breach corpus with 177,860 unique email addresses. Edmunds is a widely used car-research and shopping platform offering pricing, reviews, and dealer listings. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected users should anticipate car-buying-themed phishing such as financing offers, dealer-contact lures, or vehicle-quote follow-ups, and should rotate any reused passwords. The addition continues a steady run of mid-size US consumer-platform breaches surfacing in HIBP.

Check
Check whether your @company emails appear in HIBP's Edmunds corpus. Warn affected staff about car-buying-themed phishing (financing offers, dealer contacts) over the next 30-60 days.
Affected
177,860 unique email addresses tied to Edmunds accounts. Reused passwords are the primary downstream risk; expect automotive-themed phishing and credential-stuffing against other services.
Fix
Affected individuals: rotate Edmunds passwords and any reused elsewhere, enable MFA. Organizations: add Edmunds to breach-monitoring watchlists and brief staff on car-shopping-themed social engineering.

BWH Hotels (Best Western's parent) had attackers in its reservation system for over six months - guests' contact details and stay records exposed across Best Western, WorldHotels, and SureStay brands

BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.

Check
Search corporate travel and expense systems for stays at BWH-branded properties between October 2025 and April 2026, and warn frequent business travelers to treat any unexpected reservation emails as suspect.
Affected
BWH Hotels guests with reservations in the affected web application between October 14, 2025, and April 22, 2026. Brands include Best Western, Best Western Hotels and Resorts, WorldHotels, SureStay, and Sure Hotels.
Fix
Treat any unexpected emails or texts referencing past BWH stays as untrusted, even if the details match. Visit the booking property's verified website directly instead of clicking links, and rotate any reused passwords.

Telehealth aggregator OpenLoop Health confirms 716,000 patient records stolen in a 24-hour intrusion in January - downstream consumer brands still unnamed

OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.

Check
Search HR and benefits records for employee enrollments in telehealth programs (weight loss, men's health, hormone therapy) that may run on OpenLoop's backend, and review supplier security questionnaires for any telehealth vendor.
Affected
Patients of any consumer telehealth platform that uses OpenLoop Health as its clinical infrastructure provider. 716,000 individuals confirmed via HHS OCR; threat actor Stuckin2019 claimed 1.6 million.
Fix
Affected individuals should enroll in the free IDX credit and identity monitoring OpenLoop is offering, and watch for medical-themed phishing for at least 12 months. Treat unexpected appointment reminders or prescription notices as suspect until verified.

Vercel confirms breach - attackers got in through Context.ai AI tool's Google Workspace OAuth, stole customer environment variables

Cloud development platform Vercel disclosed a security incident on April 19 after a threat actor claiming to be ShinyHunters posted stolen data for sale on a hacking forum. Vercel CEO Guillermo Rauch confirmed the initial access came through a breach at Context.ai, an enterprise AI platform one Vercel employee had signed up for using their Vercel enterprise account with 'Allow All' OAuth permissions. Attackers compromised Context.ai, stole the OAuth token, took over the employee's Google Workspace account, and pivoted into Vercel environments. Once inside, they accessed environment variables not marked as 'sensitive' - these are stored unencrypted at rest, unlike sensitive env vars which Vercel encrypts. The attacker posted 580 employee records (names, emails, account status, activity timestamps) as a teaser, plus screenshots of an internal Vercel Enterprise dashboard. They claim to also have access keys, source code, database data, and API keys, though Vercel characterizes impact as a 'limited subset' of customers. Mandiant is engaged. This is the cleanest real-world example to date of the AI supply chain risk pattern everyone has been warning about: a third-party AI tool with broad OAuth scopes becomes the initial access vector into your primary infrastructure.

Check
If you deploy apps on Vercel, rotate all environment variables immediately - especially any not marked 'sensitive'. Also audit every third-party AI/SaaS tool that has OAuth access to your Google Workspace or similar identity provider.
Affected
Any Vercel customer with environment variables not marked 'sensitive'. Vercel has directly contacted a 'limited subset' of customers whose credentials were compromised. If you weren't contacted, Vercel says it has no evidence of your data being accessed at this time. Separately: any organization using Context.ai with Google Workspace OAuth granted 'Allow All' permissions.
Fix
Rotate every Vercel environment variable and redeploy applications to pick up the new values. Mark any secret as 'sensitive' in Vercel's dashboard going forward - this encrypts it at rest. In Google Workspace Admin, search for and revoke OAuth App ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Review Google Workspace audit logs between April 1 and April 19 for unusual OAuth grants or token access. Audit every third-party tool connected to your Google Workspace - specifically those granted broad OAuth scopes - and remove any your team isn't actively using.