Last updated: July 5, 2026 at 9:01 AM UTC
Tag: data-extortion (6 articles)

Case study reveals US county paid $1 million to data-theft extortion group

A Ransom-ISAC case study, built from a leaked negotiation chat and the blockchain trail, reconstructs how a US government entity quietly paid about $1 million to an extortion group called Kairos to keep stolen files from being published. Notably, Kairos never encrypted anything: there was no locker and no decryption key, just theft and the threat to leak, with special pressure applied to a folder of prosecutors' records. The month-long negotiation fell from a $3 million demand to a $1 million payment. The case reflects a broader shift, with roughly half of recent extortion now skipping encryption entirely, since data theft alone provides enough leverage.

Check
Review whether you could detect the signs seen here: password-guessed logins, repeated failed logins, and large outbound transfers to burner file-sharing links, and confirm sensitive record stores are segmented and monitored.
Affected
Organizations holding sensitive records, especially smaller government bodies with limited resources; data-theft extortion needs no ransomware, only stolen files and the threat to publish, to force a large payment.
Fix
Enforce multi-factor authentication and alert on failed logins, segment and monitor sensitive record stores, watch for large outbound transfers, and treat any promise to delete stolen data as worthless.
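
The two signals this entry asks you to look for, a burst of failed logins followed by a success and a large outbound transfer to a file-sharing host, can be checked with a short script like the one below. This is an added example, not code from the Ransom-ISAC case study; the log lines, user names, IPs, the file-sharing host list and the thresholds are all constructed for the illustration.

```python
"""Flag password-guessing and bulk outbound transfers in constructed logs.

Added example; the sshd-style auth lines, the proxy lines, the host list
and the thresholds below are invented for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed auth log: four failures then a success for jsmith from one IP,
# and an unrelated single failure for alice well before her success.
AUTH_LOG = """\
2026-03-02T01:10:04Z sshd[812]: Failed password for jsmith from 203.0.113.7
2026-03-02T01:10:09Z sshd[812]: Failed password for jsmith from 203.0.113.7
2026-03-02T01:10:15Z sshd[812]: Failed password for jsmith from 203.0.113.7
2026-03-02T01:10:21Z sshd[812]: Failed password for jsmith from 203.0.113.7
2026-03-02T01:10:28Z sshd[812]: Accepted password for jsmith from 203.0.113.7
2026-03-02T08:15:00Z sshd[901]: Failed password for alice from 192.0.2.44
2026-03-02T09:02:11Z sshd[933]: Accepted password for alice from 192.0.2.44
"""

# Constructed proxy log: timestamp, source, method, URL, bytes sent.
PROXY_LOG = """\
2026-03-02T01:40:02Z 10.20.4.15 PUT https://example-filehost.invalid/u/9f3a 734003200
2026-03-02T01:41:30Z 10.20.4.15 PUT https://example-filehost.invalid/u/9f3b 912261120
2026-03-02T02:05:00Z 10.20.7.9 GET https://updates.example.net/pkg 4194304
"""

FILE_SHARE_HOSTS = {"example-filehost.invalid"}  # assumed watch list
AUTH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_guessed_logins(log, min_failures=3, window=timedelta(minutes=10)):
    """Return (user, ip, failures) for each success that was preceded by at
    least `min_failures` failures for the same user from the same IP within
    `window`. Failure history is reset on every success."""
    failures = defaultdict(list)  # (user, ip) -> failure timestamps
    hits = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = parse_ts(m[1]), m[2], m[3], m[4]
        key = (user, ip)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= min_failures:
            hits.append((user, ip, len(recent)))
        failures[key].clear()
    return hits


def find_bulk_uploads(log, threshold_bytes=500 * 1024 * 1024):
    """Sum bytes uploaded per (source, host) to watch-listed file-sharing
    hosts and return the pairs at or above `threshold_bytes`."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        src, method, url, size = m[2], m[3], m[4], int(m[5])
        host = urlparse(url).hostname
        if method in ("PUT", "POST") and host in FILE_SHARE_HOSTS:
            totals[(src, host)] += size
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


if __name__ == "__main__":
    print("guessed logins:", find_guessed_logins(AUTH_LOG))
    print("bulk uploads:", find_bulk_uploads(PROXY_LOG))
```

The per-(user, IP) window keeps a slow, spread-out failure pattern (alice) from tripping the rule, while the aggregate per-(source, host) byte count catches an upload split into several chunks, which a per-request size threshold would miss.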

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.

TeamPCP claims ~4,000 GitHub internal repos stolen and for sale on Breached forum, GitHub confirms investigation

GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.

Check
Audit GitHub Actions workflows for refs pulled via pull_request_target from forks. Inventory developer machines that synced internal-org repos in the last 30 days for unusual outbound git pushes.
Affected
GitHub.com users specifically: TeamPCP's claim is limited to GitHub's own internal repos so far. Downstream impact is possible if private code referencing customer secrets is leaked.
Fix
Wait for GitHub's official notification. Rotate any tokens or PATs that lived in repositories you suspect could be referenced by GitHub internal code, and assume secret-scanning rules might be reverse-engineered.
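
The workflow audit recommended in the Check section above can be automated. The script below, an added example and not GitHub's own tooling, scans workflow text for a `pull_request_target` trigger combined with an `actions/checkout` step that checks out the pull request's head commit, the combination that lets fork-supplied code run with the base repository's secrets. It uses plain regular expressions rather than a YAML parser so it runs with the standard library only; both workflow files are constructed.

```python
"""Flag GitHub Actions workflows that combine pull_request_target with a
checkout of the pull request head. Added example; the two workflow texts
are constructed and the regex-based matching is this example's own."""
import re

# Constructed workflow that runs fork code with base-repo secrets.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed workflow using the ordinary pull_request trigger.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Block form ("  pull_request_target:"), one-line form ("on: pull_request_target")
# and flow-list form ("on: [push, pull_request_target]").
PRT_BLOCK_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
PRT_INLINE_RE = re.compile(
    r"^on:\s*(\[.*\bpull_request_target\b.*\]|pull_request_target\s*$)", re.M)
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")


def uses_pull_request_target(text):
    return bool(PRT_BLOCK_RE.search(text) or PRT_INLINE_RE.search(text))


def checks_out_pr_head(text):
    return bool(CHECKOUT_RE.search(text) and HEAD_REF_RE.search(text))


def assess(name, text):
    """Return a finding dict with risk 'high', 'medium' or 'low'."""
    prt = uses_pull_request_target(text)
    head = checks_out_pr_head(text)
    if prt and head:
        reason = "pull_request_target checks out PR head; fork code runs with base secrets"
        return {"workflow": name, "risk": "high", "reason": reason}
    if prt:
        reason = "pull_request_target present; confirm no fork-controlled code executes"
        return {"workflow": name, "risk": "medium", "reason": reason}
    return {"workflow": name, "risk": "low", "reason": "no pull_request_target trigger"}


def scan_workflows(workflows):
    """workflows: {name: text}. Returns findings sorted worst-first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(n, t) for n, t in workflows.items()),
                  key=lambda f: order[f["risk"]])


if __name__ == "__main__":
    for f in scan_workflows({"risky.yml": RISKY_WORKFLOW, "safe.yml": SAFE_WORKFLOW}):
        print(f"{f['risk']:6} {f['workflow']}: {f['reason']}")
```

A `medium` result is not automatically wrong: `pull_request_target` is legitimate for labelling or commenting jobs that never execute the PR's code, so the finding is a prompt to read the job, not a verdict.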

ShinyHunters drains 7-Eleven's Salesforce: 600K+ records, franchisee documents, ransom refused

7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.

Check
Audit Connected Apps and OAuth consents in Salesforce. Review login history for unfamiliar IPs and service-account sessions that exported large record sets in the last 90 days. Verify MFA on every API user.
Affected
Organizations running Salesforce without Conditional Access on API users, without IP allowlisting on integration users, or with high-privilege Connected Apps that have not been reviewed in the last quarter.
Fix
Revoke unused Connected Apps and refresh tokens. Enforce MFA and IP restrictions on every Salesforce identity. Apply Shield Event Monitoring to alert on bulk exports and report downloads. Rotate API keys with broad permissions.
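
Both the Charter and 7-Eleven entries above recommend alerting on bulk Salesforce exports and reviewing service-account sessions from unfamiliar IPs. The following script is an added example, not Salesforce's or the articles' code: it runs two such checks over a constructed, simplified CSV of event-monitoring records. The column names (`event_type`, `user`, `source_ip`, `rows_processed`) are this example's own and not the product's schema, and the allowlist and row threshold are assumptions to be replaced with your own values.

```python
"""Detect bulk record pulls and off-allowlist sessions in a constructed,
simplified Salesforce event-monitoring export. Added example; the column
names, rows, allowlist and threshold are all invented for illustration."""
import csv
import io
from collections import defaultdict

# Constructed rows: an integration user reading a few hundred records, then
# a service account pulling hundreds of thousands from an unfamiliar IP.
EVENT_CSV = """\
event_type,timestamp,user,source_ip,rows_processed
API,2026-04-08T02:01:12Z,integration@example.com,198.51.100.10,500
ReportExport,2026-04-08T02:15:40Z,svc-backup@example.com,203.0.113.88,250000
API,2026-04-08T02:22:03Z,svc-backup@example.com,203.0.113.88,400000
ReportExport,2026-04-08T09:12:00Z,analyst@example.com,198.51.100.10,1200
"""

ALLOWED_IPS = {"198.51.100.10"}  # assumed allowlist for integration/API users
ROW_THRESHOLD = 100_000          # assumed per-user bulk-pull threshold
EXPORT_EVENTS = {"API", "ReportExport"}


def load_events(text):
    """Parse the CSV into a list of dicts, one per event row."""
    return list(csv.DictReader(io.StringIO(text)))


def bulk_exports(events, threshold=ROW_THRESHOLD):
    """Total rows pulled per user across export-type events; return users
    at or above `threshold`. Summing catches a pull split over several calls."""
    per_user = defaultdict(int)
    for e in events:
        if e["event_type"] in EXPORT_EVENTS:
            per_user[e["user"]] += int(e["rows_processed"])
    return {u: n for u, n in per_user.items() if n >= threshold}


def off_allowlist_sessions(events, allowed=ALLOWED_IPS):
    """Distinct (user, source_ip) pairs whose IP is not on the allowlist."""
    return sorted({(e["user"], e["source_ip"])
                   for e in events if e["source_ip"] not in allowed})


def findings(text):
    """Combine both checks; a user hitting both is the highest-priority case."""
    events = load_events(text)
    bulk = bulk_exports(events)
    off = off_allowlist_sessions(events)
    off_users = {u for u, _ in off}
    return {
        "bulk_export_users": bulk,
        "off_allowlist_sessions": off,
        "bulk_and_off_allowlist": sorted(set(bulk) & off_users),
    }


if __name__ == "__main__":
    for k, v in findings(EVENT_CSV).items():
        print(f"{k}: {v}")
```

Feed the same two checks with your real event-monitoring export and tune the threshold to the normal daily volume of each integration user; a static organisation-wide number will either flood you with report runs or miss a patient, chunked export.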

Colombian fintech Addi confirms 34.5M-account breach after ShinyHunters published credit and ID data

Have I Been Pwned has added Colombian buy-now-pay-later fintech Addi to its breach corpus with 34,532,941 unique email addresses. Addi acknowledged unauthorized activity on its platform back in March 2026 and warned customers that personal data might have been compromised. ShinyHunters then claimed responsibility and published the dataset, which goes well beyond emails: credit-scoring requests, credit bureau records, customer identity files, email-validation logs, Cedula de Ciudadania national ID numbers, estimated income, socioeconomic level, and purchase history. Addi is a Bogota-based BNPL lender with $1B+ in funding, and this is one of the larger Latin American fintech breaches publicly documented this year.

Check
If your org operates in Colombia or onboards Colombian customers, search fraud and KYC pipelines for accounts created since March 2026 using a Cedula present in the leak. Monitor for synthetic-identity signals.
Affected
Anyone who held an Addi account before March 2026, plus organizations that rely on Colombian credit-bureau attributes or Cedula numbers for customer verification. ShinyHunters has now publicly released the data.
Fix
Individuals: freeze credit at DataCredito and TransUnion CIFIN, assume your Cedula and income data are public. Organizations: switch from Cedula-only verification to multi-factor identity proofing for new Colombian accounts.

Grafana GitHub breach: codebase stolen, CoinbaseCartel extortion attempt refused

Grafana Labs says an attacker stole a token that gave access to its GitHub environment, downloaded the company's private codebase, and then demanded a ransom to keep the code from being published. Grafana refused to pay and cited FBI guidance against rewarding extortion. The company says no customer data was accessed and the compromised credentials have been invalidated. A data-extortion crew called CoinbaseCartel, tied to the same ecosystem as ShinyHunters, Scattered Spider, and LAPSUS$ with around 170 victims since September 2025, claimed credit. Grafana has not disclosed which code was taken or when the intrusion happened.

Check
Audit your GitHub organization for long-lived PATs and broad-scope tokens. Search audit logs for code clones or downloads from machine accounts in the last 90 days.
Affected
Grafana Labs (codebase). Grafana states no customer data or systems were impacted; Grafana Cloud and open-source Grafana users are not affected.
Fix
Rotate long-lived GitHub tokens to fine-grained PATs scoped to specific repos. Enable secret scanning and push protection. Deploy canary tokens to detect unauthorized code access.