A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials β including plaintext passwords β for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.
On 21 May 2026, McDonald's France confirmed a credential-stuffing campaign that hijacked customer McDo+ loyalty accounts, with fraudsters draining accumulated points for free orders; no banking data was affected and the company launched a mass password reset.
On 21 February 2026, Innovorder β a French SaaS provider of POS and management software for the foodservice industry β confirmed a data breach after a dataset of around 41,000 records, accessed via credentials compromised in an unrelated breach, was offered on a hacking forum.
In late October 2025, France Travail β France's public employment agency β disclosed a breach in which attackers used credentials harvested by infostealer malware to access job-seeker accounts and exfiltrate sensitive personal, identity and financial data; about 16,479 affected records were catalogued.
In January 2025, French clothing retailer Kiabi disclosed a credential-stuffing attack on its secondhand site (secondemain.kiabi.com) that exposed the names, dates of birth, contact details and IBANs of about 20,000 customers.
In November 2024, the Compagnie des Transports Strasbourgeois (CTS) β Strasbourg's public transport operator β detected fraudulent logins to about 100 of its roughly 350,000 customer accounts via a credential-stuffing attack reusing passwords stolen in unrelated breaches.
On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.
AT&T disclosed that attackers used credentials stolen by infostealers to authenticate into its Snowflake cloud-data-warehouse tenant β which lacked MFA β and exfiltrated call and text metadata covering nearly all 110 million AT&T wireless customers.
A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.
Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
A threat actor used a stolen service-account credential β exposed via an employee's personal Google account β to access Okta's customer support case-management system, reading HAR files that contained session tokens and enabling session-hijacking against customers including 1Password, BeyondTrust and Cloudflare.
Attackers used credentials reused from prior breaches to access 23andMe accounts, then leveraged the 'DNA Relatives' feature to scrape ancestry and genetic profile data on 6.9 million users from compromised relatives' connections.
Threat actor N4ughtySecTU breached TransUnion South Africa using a client account secured with the password 'Password', then demanded a $15 million ransom. TransUnion confirmed millions of consumers' personal data were compromised.
As pandemic lockdowns drove Zoom usage to record highs, over 500,000 Zoom account credentials harvested via credential stuffing were sold or given away on the dark web, while open meetings were hijacked in a wave of disruptive 'zoombombing' incidents.
A 87GB aggregated credential dump posted to the MEGA cloud service exposed 772.9 million unique email addresses and 21.2 million unique passwords, assembled from thousands of prior breaches to fuel credential-stuffing attacks at industrial scale.
Victim
Internet users worldwide (aggregated multi-breach dump)