French authorities confirmed that an attacker hijacked a Tchap user account to access public chat rooms on the French state's secure messaging platform, with the intruder claiming to have scraped tens of thousands of accounts and hundreds of thousands of messages.
On 29 January 2026, Match Group β parent of Hinge, Match and OKCupid β disclosed a breach after the ShinyHunters group used a vishing attack to hijack an employee Okta SSO account; exposed PII included names, dates of birth, phone numbers and IP addresses.
In August 2025, Google confirmed that a Salesforce CRM instance holding contact data for small-business Google Ads prospects was breached by ShinyHunters (UNC6040) via a vishing attack, exposing roughly 2.55 million records of business names, emails and phone numbers.
A junior developer at C&M Software β a Central Bank-authorized provider of Pix instant-payment connectivity β was paid roughly R$5,000 to hand over credentials. Attackers used the access to drain approximately R$800 million ($148 million) from reserve accounts at six Brazilian financial institutions in 2.5 hours.
On 8 March 2024, France's national employment agency France Travail disclosed a data breach exposing the personal data of up to 43 million jobseekers registered over the previous 20 years, including names, dates of birth, social security numbers and contact details.
A teenage Lapsus$ member breached Rockstar Games' internal Slack and developer systems via social engineering, then leaked roughly 90 in-development clips of the unreleased Grand Theft Auto VI β one of the largest leaks in video-game history.
An 18-year-old affiliated with Lapsus$ socially engineered an Uber contractor, defeated MFA through an hour-long push-bombing campaign, then found hardcoded admin credentials on an internal share that unlocked Uber's AWS, G-Suite, Slack, and HackerOne dashboards.
The Lapsus$ extortion group compromised a laptop belonging to a support engineer at Okta subprocessor Sitel, gaining a 25-minute window of access in January 2022 that touched two customer tenants. The breach only became public when Lapsus$ posted screenshots in March.
Over 700 customers of the Philippines' largest bank, BDO Unibank, lost money through unauthorized online transfers routed to UnionBank accounts under the alias 'Mark Nagoyo'; five suspects were later arrested and BDO reimbursed victims.
A phishing campaign compromised 47 Service NSW staff email accounts, exposing 738 GB of data and roughly 3.8 million documents; about 104,000 customers had personal information including driver's licences and birth certificates stolen.
A fraudster posing as a legitimate Experian client obtained the personal data of 24 million South Africans and 793,749 businesses in what became one of the largest data breaches in South African history.
Attackers used phone spear-phishing against Twitter employees to reach an internal admin 'agent' tool, hijacked 130 high-profile accounts including Obama, Musk, Bezos, and Apple, and posted a Bitcoin-doubling scam that netted roughly $118,000.
Political consultancy Cambridge Analytica improperly obtained the personal data of up to 87 million Facebook users via a personality-quiz app, exploiting Facebook's permissive third-party API to harvest friend networks and build voter-targeting profiles. The scandal triggered a record $5 billion FTC penalty.
A spear-phishing email carrying PlugX malware breached Japan's largest travel agency JTB, exposing personal data β including thousands of passport numbers β for up to 7.93 million customers.
South Korean police attributed a breach of online retailer Interpark β exposing the personal data of more than 10 million shoppers β to North Korea's intelligence agency, which used spearphishing and then demanded a multi-million-dollar bitcoin ransom.
A targeted phishing email carrying malware breached the Japan Pension Service, leaking the names, IDs, addresses, and birth dates of about 1.25 million pension enrollees and forcing a national rethink of public-sector cybersecurity.