A Ransom-ISAC case study, built from a leaked negotiation chat and the blockchain trail, reconstructs how a US government entity quietly paid about $1 million to an extortion group called Kairos to keep stolen files from being published. Notably, Kairos never encrypted anything: there was no locker and no decryption key, just theft and the threat to leak, with special pressure applied to a folder of prosecutors' records. The month-long negotiation fell from a $3 million demand to a $1 million payment. The case reflects a broader shift, with roughly half of recent extortion now skipping encryption entirely, since data theft alone provides enough leverage.
US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.
GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.
7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.
Have I Been Pwned has added Colombian buy-now-pay-later fintech Addi to its breach corpus with 34,532,941 unique email addresses. Addi acknowledged unauthorized activity on its platform back in March 2026 and warned customers that personal data might have been compromised. ShinyHunters then claimed responsibility and published the dataset, which goes well beyond emails: credit-scoring requests, credit bureau records, customer identity files, email-validation logs, Cedula de Ciudadania national ID numbers, estimated income, socioeconomic level, and purchase history. Addi is a Bogota-based BNPL lender with $1B+ in funding and is one of the larger Latin American fintech breaches publicly documented this year.
Grafana Labs says an attacker stole a token that gave access to its GitHub environment, downloaded the company's private codebase, and then demanded a ransom to keep the code from being published. Grafana refused to pay and cited FBI guidance against rewarding extortion. The company says no customer data was accessed and the compromised credentials have been invalidated. A data-extortion crew called CoinbaseCartel, tied to the same ecosystem as ShinyHunters, Scattered Spider, and LAPSUS$ with around 170 victims since September 2025, claimed credit. Grafana has not disclosed which code was taken or when the intrusion happened.