Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: hibp (13 articles)Clear

ShinyHunters leaks Sysco data with 2.7 million email addresses after extortion

Food distribution giant Sysco was hit by the extortion group ShinyHunters in a "pay or leak" attack, and after the company did not pay, the stolen data was published. Have I Been Pwned has indexed 2,691,852 unique email addresses belonging to staff and customers, alongside what is described as largely corporate contact information. The breach fits ShinyHunters' sweeping 2026 campaign against large enterprises, which has typically relied on social engineering and compromised SaaS integrations rather than software exploits. Exposed business contact data is useful for convincing, targeted phishing aimed at Sysco's staff, customers, and partners.

Check
People and businesses dealing with Sysco should check Have I Been Pwned for affected emails and stay alert to phishing or invoice fraud that references Sysco accounts, orders, or deliveries.
Affected
Sysco staff, customers, and partners whose email addresses and corporate contact details were exposed (2,691,852 indexed); the data supports targeted phishing and business email compromise against the food-distribution supply chain.
Fix
Treat unexpected Sysco-themed emails with caution, verify payment or account changes through known contacts, enable phishing-resistant MFA, and brief staff and partners on the heightened phishing risk from this exposure.

American Tower breach surfaces on Have I Been Pwned with 216,000 accounts

Data from a breach of American Tower, one of the largest wireless communications infrastructure companies, has been indexed by Have I Been Pwned, which added 216,601 affected accounts. The extortion group ShinyHunters is linked to the incident, consistent with its sweeping 2026 campaign that has used social engineering against staff to reach corporate systems and exfiltrate data at major enterprises. American Tower operates critical telecom infrastructure, making any exposure of employee or partner data a concern for follow-on phishing and targeted attacks. Exposed contact details are commonly reused for convincing phishing against affected individuals and the organization.

Check
People connected to American Tower should check Have I Been Pwned for their email and stay alert to phishing referencing the company; the organization should review how the data was accessed.
Affected
Individuals whose data was exposed in the American Tower breach (216,601 accounts indexed); exposed contact information supports targeted phishing against a company operating critical communications infrastructure.
Fix
Reset and avoid reusing affected passwords, enable phishing-resistant MFA, and treat unexpected messages referencing American Tower with caution. Organizations should harden help desks and accounts against social-engineering-driven access.

Ralph Lauren breach exposes customer data as ShinyHunters extends retail spree

Have I Been Pwned has added 139,903 accounts from a breach of fashion brand Ralph Lauren, which the extortion group ShinyHunters claimed as part of its sweeping 2026 campaign against retail and luxury names. ShinyHunters says it took around 220 GB of data, including customer personal information, purchase histories, and financial transaction details, along with unreleased product and strategy plans. The group typically breaks in not through a brand's core systems but via connected platforms like Salesforce or customer-service tools. Exposed purchase and contact data is prime material for convincing phishing and fraud aimed at the retailer's customers.

Check
Ralph Lauren customers should check Have I Been Pwned for their email, watch for phishing or fraudulent charges referencing orders or accounts, and review payment statements for unauthorized activity.
Affected
Ralph Lauren customers whose personal, purchase, and transaction data was exposed (139,903 accounts confirmed); the breach is part of a broader ShinyHunters wave hitting retail and luxury brands through connected platforms.
Fix
Reset and stop reusing any Ralph Lauren account passwords, enable MFA, stay alert to order- and refund-themed phishing, and consider monitoring payment cards used with the retailer for fraud.

JCPenney breach exposes Social Security numbers and tax records of 368,000

Have I Been Pwned has added 368,418 accounts from a breach of JCPenney, after the extortion group ShinyHunters claimed in mid-June it stole data from the retailer and several sister brands under Catalyst Brands and Authentic Brands Group. ShinyHunters says the haul includes highly sensitive employee and customer data: Social Security numbers, dates of birth, W-2 tax forms, payroll records, and scans of government-issued IDs. Unlike passwords, these identifiers cannot simply be reset, raising long-term identity-theft and tax-fraud risk. JCPenney has not confirmed the full scope, and the group has not published samples, but the data types make this a serious exposure.

Check
Current and former JCPenney and Catalyst Brands staff and customers should check Have I Been Pwned, watch for tax, payroll, and identity-themed phishing, and monitor for fraudulent tax filings or new-account activity.
Affected
JCPenney employees and customers, plus those tied to sister brands like Aeropostale, Brooks Brothers, Lucky Brand, and Nautica; exposed Social Security numbers, W-2s, and ID scans carry lasting fraud risk.
Fix
Consider a credit freeze and fraud alert, file taxes early to pre-empt fraudulent returns, reset any reused JCPenney passwords, enable MFA, and treat tax or payroll messages referencing the breach with caution.

HIBP confirms 248,000 accounts from ShinyHunters breach of advisory firm CFGI

Have I Been Pwned has added 248,235 accounts from the March breach of CFGI, a US accounting and financial-advisory firm that works closely with corporate finance teams at mid-market and Fortune 500 companies. The extortion group ShinyHunters claimed the intrusion, posting hundreds of thousands of records including names, emails, phone numbers, and home addresses, along with internal corporate documents and identity-system metadata. Because CFGI sits inside its clients' finance functions, the stolen contact and relationship data is unusually useful for convincing business email compromise and client-impersonation scams aimed at authorizing fraudulent payments.

Check
If you work with or for CFGI, check Have I Been Pwned for your email and watch for finance-themed phishing, fake wire instructions, or audit-document requests referencing CFGI.
Affected
CFGI employees, clients, and contacts whose personal and corporate data was exposed (248,235 accounts confirmed); the firm's finance-function clients face elevated business email compromise risk.
Fix
Reset and stop reusing CFGI-related credentials, enable phishing-resistant MFA, and verify any unexpected payment, wire, or account-change request through a known, pre-established voice channel rather than email links.

56 million accounts surface in latest infostealer log compilation

Breach-tracking service Have I Been Pwned has added a fresh batch of stealer logs covering 56,278,397 accounts, harvested by infostealer malware from infected computers. Unlike a single company breach, stealer logs are credentials and session data scraped directly from victims' devices, often capturing the exact website-and-password pairs a person types, plus browser cookies that can let attackers skip login entirely. Because the data comes from malware on individual machines, exposure cuts across countless unrelated services. The scale is a reminder that infostealer infections, frequently spread through cracked software, malicious ads, and fake downloads, remain one of the biggest sources of credential theft.

Check
Check whether your email or your organization's domains appear in Have I Been Pwned's stealer-log dataset, and look for signs of infostealer infection such as unexpected logins or browser-session anomalies.
Affected
Anyone whose device was infected by infostealer malware; exposed data includes saved website passwords and browser session cookies that can bypass logins across many unrelated services.
Fix
Reset passwords for exposed accounts from a clean device, invalidate active sessions, enable phishing-resistant MFA, and run endpoint malware scans to find and remove the underlying infostealer.

Corporate travel firm BCD Travel breach exposes 396,000 accounts

Have I Been Pwned has added BCD Travel - one of the world's largest corporate travel-management companies - to its breach corpus with 396,313 unique email addresses. BCD Travel arranges business travel for large enterprises and government clients worldwide, so the exposed dataset likely skews toward corporate and frequent-traveler accounts. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected travelers should anticipate travel-themed phishing - itinerary updates, booking confirmations, loyalty-program lures - and should rotate any reused passwords and enable MFA.

Check
Check whether your @company emails appear in HIBP's BCD Travel corpus. Warn business travelers about itinerary, booking-confirmation, and loyalty-program phishing over the next 60-90 days.
Affected
396,313 unique email addresses tied to BCD Travel corporate-travel accounts. Dataset likely skews toward enterprise and government frequent travelers, raising targeted travel-themed phishing risk.
Fix
Affected individuals: rotate BCD Travel passwords and any reused elsewhere, enable MFA, scrutinize unsolicited travel emails. Organizations: add BCD Travel to breach-monitoring watchlists and brief traveling staff.

Dental-benefits provider DentaQuest added to Have I Been Pwned with 2,553,599 breached accounts; healthcare-themed phishing risk

Have I Been Pwned has added US dental-benefits provider DentaQuest to its breach corpus with 2,553,599 unique email addresses. DentaQuest is one of the largest dental and vision benefits administrators in the United States, serving Medicaid, Medicare, and commercial members. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Healthcare and insurance data carries elevated risk: affected members should anticipate benefits-themed phishing, claim-status lures, and identity-theft attempts, and should rotate any reused passwords. It is among the larger US healthcare-adjacent breaches surfacing recently.

Check
Check whether your @company emails appear in HIBP's DentaQuest corpus. Warn affected staff about dental/medical-benefits-themed phishing - claim status, coverage updates, refund lures - over the next 60-90 days.
Affected
2,553,599 unique email addresses tied to DentaQuest dental and vision benefits members (Medicaid, Medicare, commercial). Healthcare data elevates identity-theft and benefits-phishing risk.
Fix
Affected individuals: rotate DentaQuest passwords and any reused elsewhere, enable MFA, monitor benefits statements. Organizations: add DentaQuest to breach-monitoring watchlists and brief staff on healthcare-themed social engineering.

Automotive marketplace Edmunds added to Have I Been Pwned with 177,860 breached accounts; expect car-buying-themed phishing

Have I Been Pwned has added the US automotive marketplace Edmunds to its breach corpus with 177,860 unique email addresses. Edmunds is a widely used car-research and shopping platform offering pricing, reviews, and dealer listings. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected users should anticipate car-buying-themed phishing such as financing offers, dealer-contact lures, or vehicle-quote follow-ups, and should rotate any reused passwords. The addition continues a steady run of mid-size US consumer-platform breaches surfacing in HIBP.

Check
Check whether your @company emails appear in HIBP's Edmunds corpus. Warn affected staff about car-buying-themed phishing (financing offers, dealer contacts) over the next 30-60 days.
Affected
177,860 unique email addresses tied to Edmunds accounts. Reused passwords are the primary downstream risk; expect automotive-themed phishing and credential-stuffing against other services.
Fix
Affected individuals: rotate Edmunds passwords and any reused elsewhere, enable MFA. Organizations: add Edmunds to breach-monitoring watchlists and brief staff on car-shopping-themed social engineering.

ShinyHunters Charter Communications breach hit 4.9 million unique accounts (42M records claimed) - HIBP confirms scale

HIBP has confirmed 4.9 million unique accounts (4,851,517 email addresses) were affected by the Charter Communications breach disclosed earlier this week. The ShinyHunters extortion gang initially claimed 42 million records exfiltrated from Charter's Salesforce instance via voice-phishing of a Microsoft Entra account on April 1; the unique-account count is lower because individuals appeared on multiple records (customer + business + plan-info). Charter publicly denies that CPNI (Customer Proprietary Network Information) or sensitive personal data was taken. The HIBP entry refines the scope to a defender-actionable figure and lets customers and IR teams check exposure across their workforce.

Check
Run your @company.com domains against HIBP for Charter exposure. If you are a Charter customer or vendor, expect targeted vishing themed around Spectrum service issues for the next 60 days.
Affected
4.9 million unique Charter/Spectrum customer email addresses now in HIBP. SaaS-extortion playbook (Salesforce + Entra/Okta SSO + BPO vishing) remains the broader risk pattern.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter calls. Organizations with Salesforce + Entra: enforce phishing-resistant MFA on all admin and BPO identities.