Last updated: July 5, 2026 at 9:01 AM UTC
Tag: data-breach (31 articles)

Texas Parks and Wildlife vendor breach exposes 3 million license holders

The Texas Parks and Wildlife Department says a breach at the third-party vendor that runs its hunting and fishing license sales exposed personal data for 3,087,721 customers, in what officials call the state's largest government data breach this year. The exposed information includes driver's license details, passport numbers where provided, email addresses, phone numbers, and home addresses; the department says Social Security numbers, dates of birth, and financial data were not taken. Texas Cyber Command detected the intrusion, which reached customer profile data through the vendor's systems. Because driver's license and passport numbers cannot be reset, affected people face lasting identity-theft and phishing risk.

Check
Texas hunting and fishing license holders should enroll in the offered Kroll credit monitoring before September 14, watch for phishing referencing licenses or state agencies, and review financial statements for fraud.
Affected
The 3,087,721 Texas hunting and fishing license customers whose driver's license, passport, and contact details were exposed through the department's third-party license vendor; minors were reportedly not affected.
Fix
Place a credit freeze or fraud alert with the major credit bureaus, enroll in the free monitoring, and stay alert to identity fraud. Organizations should tighten third-party vendor access controls and monitoring.

Ralph Lauren breach exposes customer data as ShinyHunters extends retail spree

Have I Been Pwned has added 139,903 accounts from a breach of fashion brand Ralph Lauren, which the extortion group ShinyHunters claimed as part of its sweeping 2026 campaign against retail and luxury names. ShinyHunters says it took around 220 GB of data, including customer personal information, purchase histories, and financial transaction details, along with unreleased product and strategy plans. The group typically breaks in not through a brand's core systems but via connected platforms like Salesforce or customer-service tools. Exposed purchase and contact data is prime material for convincing phishing and fraud aimed at the retailer's customers.

Check
Ralph Lauren customers should check Have I Been Pwned for their email, watch for phishing or fraudulent charges referencing orders or accounts, and review payment statements for unauthorized activity.
Affected
Ralph Lauren customers whose personal, purchase, and transaction data was exposed (139,903 accounts confirmed); the breach is part of a broader ShinyHunters wave hitting retail and luxury brands through connected platforms.
Fix
Reset and stop reusing any Ralph Lauren account passwords, enable MFA, stay alert to order- and refund-themed phishing, and consider monitoring payment cards used with the retailer for fraud.

JCPenney breach exposes Social Security numbers and tax records of 368,000

Have I Been Pwned has added 368,418 accounts from a breach of JCPenney, after the extortion group ShinyHunters claimed in mid-June it stole data from the retailer and several sister brands under Catalyst Brands and Authentic Brands Group. ShinyHunters says the haul includes highly sensitive employee and customer data: Social Security numbers, dates of birth, W-2 tax forms, payroll records, and scans of government-issued IDs. Unlike passwords, these identifiers cannot simply be reset, raising long-term identity-theft and tax-fraud risk. JCPenney has not confirmed the full scope, and the group has not published samples, but the data types make this a serious exposure.

Check
Current and former JCPenney and Catalyst Brands staff and customers should check Have I Been Pwned, watch for tax, payroll, and identity-themed phishing, and monitor for fraudulent tax filings or new-account activity.
Affected
JCPenney employees and customers, plus those tied to sister brands like Aeropostale, Brooks Brothers, Lucky Brand, and Nautica; exposed Social Security numbers, W-2s, and ID scans carry lasting fraud risk.
Fix
Consider a credit freeze and fraud alert, file taxes early to pre-empt fraudulent returns, reset any reused JCPenney passwords, enable MFA, and treat tax or payroll messages referencing the breach with caution.

Kodak confirms breach as ShinyHunters claims 2.2 million stolen records

Eastman Kodak has confirmed that an unauthorized third party gained temporary access to a limited amount of company data, after the extortion group ShinyHunters listed the firm on its dark-web leak site. ShinyHunters claims it stole more than 2.2 million records containing customer personal information and internal corporate data, and set a leak deadline of June 18, though it has released no proof and Kodak has not verified the figure. Kodak, now mainly a B2B manufacturing and technology company, says it engaged outside experts and law enforcement and sees no threat to operations. The breach fits ShinyHunters' prolific 2026 data-theft campaign.

Check
Kodak's business customers and partners should watch for targeted phishing and business email compromise referencing Kodak dealings, and verify any unexpected payment or account-change requests through known contacts.
Affected
Kodak customers and partners whose personal or corporate data may sit in the stolen records; ShinyHunters claims 2.2 million records, a figure Kodak has not confirmed and the group has not substantiated.
Fix
Watch for fraud and phishing tied to the breach, reset and stop reusing any Kodak-related credentials, and enable phishing-resistant MFA. Organizations should harden help-desk verification against social-engineering-driven data theft.

HIBP confirms 248,000 accounts from ShinyHunters breach of advisory firm CFGI

Have I Been Pwned has added 248,235 accounts from the March breach of CFGI, a US accounting and financial-advisory firm that works closely with corporate finance teams at mid-market and Fortune 500 companies. The extortion group ShinyHunters claimed the intrusion, posting hundreds of thousands of records including names, emails, phone numbers, and home addresses, along with internal corporate documents and identity-system metadata. Because CFGI sits inside its clients' finance functions, the stolen contact and relationship data is unusually useful for convincing business email compromise and client-impersonation scams aimed at authorizing fraudulent payments.

Check
If you work with or for CFGI, check Have I Been Pwned for your email and watch for finance-themed phishing, fake wire instructions, or audit-document requests referencing CFGI.
Affected
CFGI employees, clients, and contacts whose personal and corporate data was exposed (248,235 accounts confirmed); the firm's finance-function clients face elevated business email compromise risk.
Fix
Reset and stop reusing CFGI-related credentials, enable phishing-resistant MFA, and verify any unexpected payment, wire, or account-change request through a known, pre-established voice channel rather than email links.

Cardiac monitoring firm iRhythm says patient health data stolen in attack

iRhythm, the US digital-health company behind the Zio wearable heart monitor, has told regulators that attackers stole patient data in a breach it considers material. In an SEC filing, the company said it detected unauthorized activity on June 8 in third-party-hosted business applications, accessed through a social-engineering attack, and received an extortion demand the next day from a threat actor claiming to hold proprietary data, protected health information, and other personal data. iRhythm says its clinical systems, medical devices, patient safety, and operations were not affected, with no payment-card or financial data involved. No ransomware group has publicly claimed the attack, and the number of affected people is not yet known.

Check
Healthcare and other organizations should review how third-party-hosted business applications are secured and monitored, and confirm that help desks and staff can resist social-engineering attempts to grant access.
Affected
iRhythm patients and others whose protected health information and personal data sat in the affected third-party business applications; clinical systems, devices, and financial data were reportedly not involved.
Fix
Enforce phishing-resistant MFA and strong identity verification on third-party SaaS, limit and log access to systems holding health data, and rehearse social-engineering scenarios with staff and help-desk teams.

ShinyHunters breach of Berkadia exposes 305,000 in real estate finance

Breach-tracking service Have I Been Pwned has confirmed that 305,216 accounts were exposed in the March attack on Berkadia, a large US commercial real estate finance firm that handles mortgage banking and investment sales. The extortion group ShinyHunters claimed the intrusion, saying it stole millions of Salesforce records containing personal and internal corporate data, around 27 GB compressed, and threatened to leak them after the company did not meet its deadline. The breach is part of a broad ShinyHunters campaign this year against companies' Salesforce environments, typically entered by socially engineering employees or help desks rather than exploiting a software flaw.

Check
If you work with or for Berkadia, check whether your email appears in Have I Been Pwned and watch for targeted phishing referencing mortgage, loan, or real estate dealings.
Affected
Berkadia clients, partners, and staff whose personal and business data sat in the breached Salesforce records (305,216 accounts confirmed); the broader ShinyHunters campaign targets corporate Salesforce tenants.
Fix
Reset and stop reusing any passwords tied to Berkadia dealings and enable phishing-resistant MFA. Organizations should lock down Salesforce access, restrict bulk exports, and harden help-desk identity verification.

K-12 platform Infinite Campus breach confirmed, 137,000 student-linked accounts

Have I Been Pwned has confirmed 137,123 accounts exposed in a breach of Infinite Campus, a widely used K-12 student information system in the US. The extortion group ShinyHunters claimed the attack back in March, posting that it had stolen personal data and internal corporate information. Because student information systems hold sensitive records on minors and their families, exposed data raises the risk of identity theft and highly targeted phishing aimed at parents, students, and school staff. The incident fits the same ShinyHunters data-theft pattern seen across the education sector this year, including the much larger Canvas breach.

Check
School districts using Infinite Campus should confirm whether their tenant was affected and notify families; individuals should watch for phishing or fraud referencing schools, student accounts, or enrollment.
Affected
Students, parents, and school staff whose data is held in affected Infinite Campus deployments (137,123 accounts confirmed); minors' records carry long-term identity-theft risk.
Fix
Reset exposed credentials, enable MFA on school and family accounts, and brief parents and staff to verify any school-related message before clicking. Districts should review SaaS access controls and export limits.

Novo Nordisk says clinical trial patient data stolen in breach

Novo Nordisk, the pharmaceutical giant behind Wegovy and Ozempic, has disclosed that attackers copied data from its internal IT systems, including information on patients in some of its clinical trials. The company stressed the patient data was de-identified, containing fields like patient ID, year of birth, sex, biomarkers, and lifestyle factors rather than names or direct identifiers. Novo has not said how many people are affected or named the attacker, and is not offering credit monitoring, instead advising patients and healthcare professionals to stay alert for unexpected messages or calls. Pharma firms are increasingly targeted for their valuable research and patient data.

Check
Patients in Novo Nordisk trials and contacted healthcare professionals should watch for unexpected calls or messages referencing the company or a trial, and verify any such contact through official channels.
Affected
Patients in some Novo Nordisk clinical trials whose de-identified data (patient ID, year of birth, sex, biomarkers, lifestyle factors) was copied, plus healthcare professionals the company has contacted.
Fix
There is no direct user fix; stay alert for targeted phishing referencing the breach. Pharma and research organizations should tighten access controls, monitoring, and segmentation around trial and research data stores.

French government messenger Tchap breached, hitting 73,000 public servants

France's government messaging platform Tchap, the in-house, Matrix-based app that civil servants are required to use instead of WhatsApp or Signal, was breached after a threat actor hijacked a single user account, with no software exploit needed. The cyber agency ANSSI detected it on June 7. Officials say data tied to about 73,000 accounts, roughly 9 percent of users, was exposed: the attacker scraped everything shared in public chat rooms, which are not encrypted, while private end-to-end conversations stayed protected. The haul includes over 13.5 GB of documents and media plus hardcoded LDAP credentials leaked in a PowerShell script. Entry was via the education ministry's server.

Check
Review what your organization shares in unencrypted public or group chat channels, and scan scripts and config files for hardcoded credentials like the LDAP secret exposed in this breach.
Affected
Around 73,000 French public-sector Tchap accounts; data posted in unencrypted public chat rooms was exposed, while end-to-end-encrypted private conversations were not. The entry point was one hijacked account.
Fix
Enforce phishing-resistant MFA so single accounts cannot be hijacked, remove hardcoded credentials from scripts, treat public chat rooms as non-confidential, and monitor for bulk data access across collaboration platforms.