BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.
Vimeo confirmed yesterday that user data was exposed when its analytics provider Anodot was breached. The video service hasn't said how many users are affected or what data was exposed beyond 'limited' account information, but Anodot's role suggests the leaked records include event-level user activity tied to Vimeo accounts: video views, account IDs, and the kind of telemetry analytics providers ingest. The pattern is the same as Citizens Bank, Frost Bank, Pitney Bowes, and now Vimeo: customer data leaks through a third-party vendor that the customer never directly signed up with.
Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.
Rituals, the Amsterdam-headquartered cosmetics and home fragrance retailer with roughly 1,000 stores across Europe, the Middle East, and North America, disclosed on April 23 that attackers stole personal information from its 'My Rituals' membership database. The company has not yet said how many members were affected, only that 'personal information' was exfiltrated. No payment card data is reported to have been compromised. Rituals' membership program collects name, email, postal address, and purchase history to drive a loyalty and personalization program, so the exposed fields are ideal material for branded-lookalike phishing and physical-mail fraud referencing real past purchases. The company says it has informed Dutch data protection regulator Autoriteit Persoonsgegevens and is working with an external incident response firm. Rituals did not attribute the breach to a named group and has not described the initial access vector; the disclosure follows a wider April 2026 pattern in which loyalty and membership databases are repeatedly showing up as soft targets for extortion actors looking for PII-heavy datasets.
France Titres (Agence nationale des titres securises, ANTS), the French government agency responsible for issuing driver's licenses, national ID cards, passports, and immigration documents, has confirmed a security incident on the ants.gouv.fr portal. The agency detected the compromise on April 15 and published an acknowledgment April 20, saying individual and professional account data may have been exposed. On April 16, a threat actor using the alias 'breach3d' claimed responsibility on a hacker forum, alleging theft of up to 19 million records. The attacker says the stolen data contains full names, contact details, birth data, home addresses, account metadata, gender, and civil status. ANTS operates under the French Ministry of the Interior and is the authoritative source for official French identity documents, making any data leak a foundational risk for downstream phishing, social engineering, and identity fraud. The agency has notified France's data protection authority (CNIL), the Paris Public Prosecutor, and national cybersecurity agency ANSSI. ANTS is telling users no action is required but to exercise 'extreme caution' with any SMS, phone calls, or emails claiming to come from the agency - the stolen data is ideal raw material for targeted impersonation scams.
TrustStrike Labs