Last updated: July 5, 2026 at 9:01 AM UTC
Tag: extortion (19 articles)

ShinyHunters leaks Moody Bible Institute data on 2.3 million students and donors

The extortion group ShinyHunters has published data stolen from Moody Bible Institute, a Chicago-based Christian college, after a "pay or leak" campaign. Have I Been Pwned indexed more than 2.3 million unique email addresses along with names, physical addresses, phone numbers, and dates of birth belonging to students, alumni, donors, and supporters. ShinyHunters claimed a much larger haul spanning enrollment, donor, payroll, and communications systems, and some reporting ties the intrusion to the same ShinyHunters campaign that exploited an Oracle PeopleSoft flaw. Most of the leaked email addresses had already appeared in earlier breaches, raising the risk of credential stuffing and targeted phishing.

Check
People connected to Moody Bible Institute as students, alumni, donors, or staff should watch for a notification, be alert to phishing referencing the school, and check Have I Been Pwned.
Affected
Students, alumni, donors, and supporters of Moody Bible Institute whose contact details and dates of birth were exposed (over 2.3 million emails); the data supports credential stuffing and convincing phishing.
Fix
Affected people should reset any reused passwords, enable multi-factor authentication, and treat school-themed messages with caution. Organizations should secure SaaS and HR platforms, enforce MFA, and harden against social-engineering-driven data theft.

Medtronic notifies customers after ShinyHunters breach of corporate systems

Medical device maker Medtronic has begun notifying customers that their personal data was exposed in a breach of its corporate IT systems earlier this year, an attack claimed by the extortion group ShinyHunters. Medtronic noticed unusual activity in mid-April, and its investigation found that an unauthorized actor had access between April 13 and 19. ShinyHunters claimed to hold roughly nine million records containing personal and internal corporate data. Medtronic did not pay, and its listing was later removed from the group's leak site. The company says its products, patient safety, and the networks running its medical devices were not affected, crediting separation between corporate and clinical systems.

Check
People who have dealt with Medtronic as customers, patients, providers, or partners should watch for their notification and stay alert to phishing or fraud that references Medtronic or medical accounts.
Affected
Individuals whose personal data sat in Medtronic's corporate IT systems, accessed between April 13 and 19; ShinyHunters claimed about nine million records, though device networks and patient safety were not affected.
Fix
Affected people should monitor for targeted phishing and identity fraud. Organizations should segment corporate IT from operational and clinical systems, harden SaaS and identity against social engineering, and enforce phishing-resistant MFA.

ShinyHunters leaks Sysco data with 2.7 million email addresses after extortion

Food distribution giant Sysco was hit by the extortion group ShinyHunters in a "pay or leak" attack, and after the company did not pay, the stolen data was published. Have I Been Pwned has indexed 2,691,852 unique email addresses belonging to staff and customers, alongside what is described as largely corporate contact information. The breach fits ShinyHunters' sweeping 2026 campaign against large enterprises, which has typically relied on social engineering and compromised SaaS integrations rather than software exploits. Exposed business contact data is useful for convincing, targeted phishing aimed at Sysco's staff, customers, and partners.

Check
People and businesses dealing with Sysco should check Have I Been Pwned for affected emails and stay alert to phishing or invoice fraud that references Sysco accounts, orders, or deliveries.
Affected
Sysco staff, customers, and partners whose email addresses and corporate contact details were exposed (2,691,852 indexed); the data supports targeted phishing and business email compromise against the food-distribution supply chain.
Fix
Treat unexpected Sysco-themed emails with caution, verify payment or account changes through known contacts, enable phishing-resistant MFA, and brief staff and partners on the heightened phishing risk from this exposure.

ShinyHunters leaks Madison Square Garden Sports data on nearly 10 million people

The extortion group ShinyHunters has published data stolen from Madison Square Garden Sports, owner of the New York Knicks and Rangers, after the company did not pay. Have I Been Pwned indexed 9,796,738 unique email addresses spanning staff and customers, alongside extensive personal, employment, and customer-relationship records including names, addresses, phone numbers, and some dates of birth. Reporting on the leak describes an internal "Talent" file profiling former players, executives' family members, and celebrities, in some cases with so-called threat assessments. The intrusion reportedly began with voice-phishing of staff, the same social-engineering pattern behind ShinyHunters' wider 2026 campaign against large enterprises.

Check
People who interacted with Madison Square Garden venues or teams should check Have I Been Pwned for their email and watch for targeted phishing or fraud referencing tickets, accounts, or events.
Affected
Staff and customers of Madison Square Garden Sports whose contact and personal data was exposed (9,796,738 emails); high-profile individuals named in internal files face heightened targeting and impersonation risk.
Fix
Reset and avoid reusing affected account passwords, enable phishing-resistant MFA, and stay alert to convincing phishing. Organizations should harden help desks against voice-phishing with strict caller-identity verification.

Tata Electronics confirms breach as extortion gang leaks Apple and Tesla files

Tata Electronics, the Indian manufacturer that assembles roughly a third of Apple's iPhones in India, has confirmed a cyberattack affecting part of its IT systems after the extortion group World Leaks began leaking stolen data. The group claims to have taken around 200,000 files, including confidential Apple and Tesla manufacturing and component design documents, internal emails, years of event logs, and copies of employee passports, some belonging to foreign nationals. Researchers say the data has been on the dark web since at least June 10, and a ransom was demanded. World Leaks, a rebrand of the Hunters International group, also claimed breaches at Nike and Dell.

Check
Manufacturers and their partners should review how design documents, supplier data, and employee identity records are segmented and monitored, and watch for phishing or fraud using leaked passport and email data.
Affected
Tata Electronics, its employees whose passports and emails were exposed, and partners like Apple and Tesla whose confidential design and manufacturing documents were reportedly included in the roughly 200,000 leaked files.
Fix
Segment and tightly control access to sensitive design and HR data, monitor for large data exfiltration, enforce phishing-resistant MFA, and prepare partners for downstream phishing and fraud using the leaked information.

Kodak confirms breach as ShinyHunters claims 2.2 million stolen records

Eastman Kodak has confirmed that an unauthorized third party gained temporary access to a limited amount of company data, after the extortion group ShinyHunters listed the firm on its dark-web leak site. ShinyHunters claims it stole more than 2.2 million records containing customer personal information and internal corporate data, and set a leak deadline of June 18, though it has released no proof and Kodak has not verified the figure. Kodak, now mainly a B2B manufacturing and technology company, says it engaged outside experts and law enforcement and sees no threat to operations. The breach fits ShinyHunters' prolific 2026 data-theft campaign.

Check
Kodak's business customers and partners should watch for targeted phishing and business email compromise referencing Kodak dealings, and verify any unexpected payment or account-change requests through known contacts.
Affected
Kodak customers and partners whose personal or corporate data may sit in the stolen records; ShinyHunters claims 2.2 million records, a figure Kodak has not confirmed and the group has not substantiated.
Fix
Watch for fraud and phishing tied to the breach, reset and stop reusing any Kodak-related credentials, and enable phishing-resistant MFA. Organizations should harden help-desk verification against social-engineering-driven data theft.

Cardiac monitoring firm iRhythm says patient health data stolen in attack

iRhythm, the US digital-health company behind the Zio wearable heart monitor, has told regulators that attackers stole patient data in a breach it considers material. In an SEC filing, the company said it detected unauthorized activity on June 8 in third-party-hosted business applications, accessed through a social-engineering attack, and received an extortion demand the next day from a threat actor claiming to hold proprietary data, protected health information, and other personal data. iRhythm says its clinical systems, medical devices, patient safety, and operations were not affected, with no payment-card or financial data involved. No ransomware group has publicly claimed the attack, and the number of affected people is not yet known.

Check
Healthcare and other organizations should review how third-party-hosted business applications are secured and monitored, and confirm that help desks and staff can resist social-engineering attempts to grant access.
Affected
iRhythm patients and others whose protected health information and personal data sat in the affected third-party business applications; clinical systems, devices, and financial data were reportedly not involved.
Fix
Enforce phishing-resistant MFA and strong identity verification on third-party SaaS, limit and log access to systems holding health data, and rehearse social-engineering scenarios with staff and help-desk teams.

ShinyHunters extorts Oracle PeopleSoft customers in widening data-theft spree

The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.

Check
Review PeopleSoft access logs for logins from unfamiliar IPs or locations, check for MeshCentral or other unexpected remote-access agents, and confirm whether your organization received a ShinyHunters extortion demand.
Affected
Organizations running cloud or on-premises Oracle PeopleSoft, particularly those with reused or phishable employee credentials and limited monitoring of administrative access to HR, finance, and student-records modules.
Fix
Enforce phishing-resistant MFA on all PeopleSoft accounts, rotate exposed credentials, block the shared attacker IPs, remove unauthorized remote-access tools, and tighten access controls and logging on instances.

Have I Been Pwned confirms two more ShinyHunters Salesforce extortion victims this week - financial-software firm Abrigo (711K) and insurer Canada Life (237K)

Troy Hunt's Have I Been Pwned added two new ShinyHunters victims this week. Abrigo - a Texas-based fintech that builds risk, compliance, and lending software for thousands of US banks and credit unions - had 711,099 unique email addresses and 1.75 million records lifted from its Salesforce environment in April after refusing to pay the ransom. The Canada Life Assurance Company, one of Canada's largest insurers, had 237,810 accounts confirmed in HIBP from a separate ShinyHunters Salesforce breach. Both fit the pattern of the months-long ShinyHunters mass-extortion campaign that already hit Zara, Woflow, and Instructure, with stolen data sitting in third-party Salesforce tenants rather than the victims' core systems.

Check
Check whether your company has a customer or vendor relationship with Abrigo or Canada Life, search your corporate email domains against Have I Been Pwned, and audit Salesforce Connected Apps and OAuth tokens granted to third-party integrations.
Affected
Customers, lenders, and partners of Abrigo (US community banks, credit unions, lenders) and Canada Life (Canadian insurance, savings, and retirement clients). Any organization with broad Salesforce access for third-party connected apps.
Fix
Rotate Salesforce passwords and API tokens where compromise is suspected, revoke unused Connected Apps in Salesforce setup, enforce MFA on every Salesforce user, and warn affected staff to expect impersonation phishing using the leaked PII.

Instructure confirms ShinyHunters used Canvas XSS flaws to deface school login portals and pressure ransom

Instructure confirms that ShinyHunters exploited multiple cross-site scripting flaws in Canvas to deface school login portals on May 7, demanding that the company and individual schools negotiate a ransom by May 12. The flaws are in user-generated-content features of the Free-for-Teacher Canvas environment and let the attacker grab authenticated admin sessions. This was a second hit following the original breach disclosed a week earlier, which ShinyHunters claims netted 3.6 terabytes covering 8,809 educational organizations and 275 million student, teacher, and staff records. Instructure has taken Free-for-Teacher offline and applied additional safeguards; main Canvas has been restored since May 9.

Check
If your school uses Canvas, check whether students or staff saw the defaced login page on May 7. Review browser logs for any extension that interacted with injected ransom content.
Affected
Canvas instances accessed through the Free-for-Teacher environment between May 7 and the time Instructure took it offline. The exploited cross-site scripting flaws sit in user-generated-content features that allowed JavaScript injection. Schools and universities running the paid Canvas LMS are also exposed to the underlying data breach that ShinyHunters used for extortion leverage.
Fix
Wait for Instructure's official statement on which XSS vulnerabilities were exploited and when Free-for-Teacher returns. For paid Canvas tenants, assume usernames, email addresses, course names, enrollment information, and direct messages were part of the 3.6TB leak and treat affected accounts as phishing targets. Force-rotate any API tokens issued for Canvas integrations and audit external integrations that accepted user-generated content.