Skip to content

Incidents in country:

United States

138 incidents catalogued

Zero-dayContained

NAIC confirms data breach after Oracle PeopleSoft zero-day exploited by ShinyHunters

The National Association of Insurance Commissioners disclosed on 23 June 2026 that attackers exploited an Oracle PeopleSoft zero-day to access part of its environment, and by 25 June the extortion group ShinyHunters had published the stolen data online, claiming more than 3.1 terabytes.

Victim
National Association of Insurance Commissioners (NAIC)
Supply chainContained

Klue supply-chain breach exposes customers' Salesforce data

A dormant API credential let attackers compromise competitive-intelligence platform Klue and harvest OAuth tokens for customers' connected apps, exfiltrating Salesforce records from firms including Huntress and Recorded Future in a supply-chain attack later tied to the Icarus extortion group.

Victim
Klue (and customers including Huntress and Recorded Future)
Data breachOngoing

Nintendo employee survey data stolen via third-party TinyPulse platform

Nintendo of America confirmed that threat actors stole internal employee survey data from TinyPulse, a third-party HR engagement platform it used, after the SHADOWBYT3$ group claimed to have exfiltrated about 859 MB of data and demanded a US$2 million ransom β€” while stressing that Nintendo's own systems and customer data were not affected.

Victim
Nintendo of America
Credential stuffingOngoing

FortiBleed: leaked dataset exposes VPN credentials for ~74,000 Fortinet firewalls

A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials β€” including plaintext passwords β€” for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.

Victim
Organizations running Fortinet FortiGate firewalls worldwide
EspionageContained

UNC6508 PRC-nexus medical & defense research espionage campaign

Google's Threat Intelligence Group disclosed that PRC-nexus actor UNC6508 spent more than a year inside U.S. and Canadian medical, academic and military-health research environments, compromising legacy REDCap servers, deploying custom INFINITERED malware and abusing Google Workspace email compliance rules to silently exfiltrate research and defense data.

Victim
U.S. and Canadian medical, academic and military-health research institutions
Supply chainContained

OptinMonster, TrustPulse and PushEngage WordPress plugins backdoored in Awesome Motive CDN supply-chain attack

Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.

Victim
Awesome Motive (OptinMonster, TrustPulse, PushEngage)
MalwareContained

152 'live wallpaper' Chrome extensions caught harvesting user data and faking Google search traffic

Socket's Threat Research Team uncovered a coordinated family of 152 new-tab 'live wallpaper' Chrome extensions, spread across 38 publisher accounts and three brands, that secretly logged user telemetry and laundered extension-generated visits into fake Google organic search traffic despite declaring they collected no data.

Victim
Google Chrome Web Store users
Supply chainOngoing

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim
Arch User Repository (AUR)
RansomwareContained

Foxconn Nitrogen ransomware breach (2026)

The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.

Victim
Foxconn (Hon Hai Precision Industry)
Data breachRansom paid

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools β€” names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim
Instructure (Canvas LMS)
Loss
$10.0M
Records
275.0M
Data breachResolved

Under Armour data breach (2025)

In November 2025, the Everest ransomware group claimed to have stolen 343GB of data from apparel maker Under Armour. After no ransom was paid, customer data was leaked in January 2026, exposing roughly 72.7 million unique email addresses with names, dates of birth, genders, locations and purchase histories. This is a separate incident from the 2018 MyFitnessPal breach.

Victim
Under Armour
Records
72.7M
Data breachContained

Yale New Haven Health data breach (2025)

Suspicious network activity at Yale New Haven Health led to the largest U.S. healthcare data breach of 2025: 5.5 million patients had names, contact details, dates of birth, medical record numbers, and Social Security numbers stolen. The health system later agreed to an $18 million class-action settlement.

Victim
Yale New Haven Health System
Loss
$18.0M
Records
5.6M
Data breachResolved

Hot Topic data breach (2024)

In October 2024, retailer Hot Topic suffered a data breach that exposed 57 million unique email addresses. The impacted data also included physical addresses, phone numbers, purchases, genders, dates of birth and partial credit data containing card type, expiry and last 4 digits.

Victim
Hot Topic
Records
56.9M
EspionageContained

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers β€” Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream β€” including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim
U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)
Data breachResolved

Advance Auto Parts data breach (2024)

In June 2024, Advance Auto Parts confirmed they had suffered a data breach which was posted for sale to a popular hacking forum. Linked to unauthorised access to Snowflake cloud services, the breach exposed a large number of records related to both customers and employees.

Victim
Advance Auto Parts
Records
79.2M
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
RansomwareContained

Ascension Health ransomware attack

Black Basta ransomware crippled Ascension, one of the largest U.S. health systems, after an employee downloaded a malicious file. The attack forced 140 hospitals onto manual operations for weeks, diverted ambulances, and ultimately exposed the data of nearly 5.6 million patients.

Victim
Ascension
Loss
$1.80B
Records
5.6M
Data breachResolved

Neiman Marcus data breach (2024)

In 2024, the luxury retailer Neiman Marcus had data stolen from its Snowflake cloud environment via stolen credentials. The company reported about 64,000 individuals to regulators, but the leaked dataset exposed roughly 31 million unique email addresses along with names, contact details and gift-card numbers.

Victim
Neiman Marcus
Records
31.2M
Supply chainContained

XZ Utils backdoor (CVE-2024-3094)

A multi-year social-engineering campaign by a maintainer persona named 'Jia Tan' planted a hidden SSH backdoor in the XZ Utils compression library (liblzma) versions 5.6.0 and 5.6.1, scoring CVSS 10.0 β€” caught by chance days before it could reach stable Linux releases worldwide.

Victim
XZ Utils / Linux open-source ecosystem
RansomwareContained

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data β€” including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim
Schneider Electric β€” Sustainability Business division
RansomwareContained

ICBC Financial Services LockBit ransomware (2023)

LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.

Victim
ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
Loss
$9.00B
RansomwareRansom paid

Caesars Entertainment Scattered Spider ransom payment (2023)

Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to grant Okta credentials, then exfiltrated customer loyalty data including SSNs and driver's licences. Caesars paid roughly $15 million ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.

Victim
Caesars Entertainment
Loss
$15.0M
EspionageContained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations β€” including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim
Microsoft customers (US State Department, Department of Commerce, ~25 organisations)
Supply chainResolved

3CX supply-chain attack (DPRK)

North Korea-linked actors trojanized the 3CXDesktopApp softphone client, distributing the SmoothOperator malware through a legitimately-signed update to a customer base of over 600,000 organizations β€” the first documented cascading software supply-chain compromise, itself enabled by a prior breach of trading software X_TRADER.

Victim
3CX (3CXDesktopApp customers)
Supply chainContained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers β€” ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B
Data breachResolved

Famm data breach (2020)

In late 2020, the Japanese family photos website Famm suffered a data breach that subsequently exposed 1.3M customer records, including 535k unique email addresses. Impacted data also included names, dates of birth, genders and passwords stored as SHA-256 hashes.

Victim
Famm
Records
535.2K
Data breachResolved

Gravatar data scraping (2020)

In October 2020, a researcher disclosed that Gravatar's profile API could be enumerated without rate limiting. 167 million names, usernames, and email-hash records were scraped, and 114 million of the MD5 hashes were cracked to reveal email addresses.

Victim
Gravatar
Records
114.0M
Data breachResolved

Zynga data breach (2019)

In September 2019, the hacker Gnosticplayers breached game developer Zynga, accessing data for nearly 173 million Words With Friends and Draw Something players. Exposed data included emails, usernames, phone numbers, and salted SHA-1 password hashes.

Victim
Zynga
Records
172.9M
Vulnerability exploitResolved

First American Financial document exposure

An insecure direct object reference (IDOR) flaw on First American Financial's website exposed roughly 885 million title-insurance and mortgage documents β€” including Social Security numbers, bank account details, and driver's-license images β€” dating back to 2003, accessible to anyone without authentication.

Victim
First American Financial Corporation
Loss
$1.5M
Records
885.0M
Data breachContained

Quora data breach

The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.

Victim
Quora
Records
100.0M
Data breachResolved

Dubsmash data breach (2018)

The video-messaging app Dubsmash was breached in December 2018, exposing roughly 162 million accounts with email addresses, usernames and PBKDF2 password hashes that later surfaced for sale on the Dream Market dark-web bazaar via the broker GnosticPlayers.

Victim
Dubsmash
Records
161.7M
EspionageResolved

Marriott / Starwood guest data breach

Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed 2018: 500 million guest records exposed, including 5.25 million unencrypted passport numbers.

Victim
Marriott International / Starwood Hotels & Resorts
Loss
$200.0M
Records
500.0M
Data breachResolved

HauteLook data breach (2018)

In mid-2018, the fashion shopping site HauteLook was among a raft of sites that were breached and their data then sold in early-2019. The data included over 28 million unique email addresses alongside names, genders, dates of birth and passwords stored as bcrypt hashes.

Victim
HauteLook
Records
28.5M
Data breachResolved

Apollo data exposure (2018)

Sales-engagement startup Apollo left a database of 9 billion data points and over 200 million contact records exposed without a password in 2018; a subset of 126 million unique email addresses was loaded into Have I Been Pwned after researcher Vinny Troia found it.

Victim
Apollo
Records
125.9M
Data breachResolved

Exactis data exposure

Data-marketing firm Exactis left a database of nearly 340 million detailed records on individuals and businesses exposed on a publicly accessible server with no firewall. Each record held up to 400 fields of personal profiling data, from contact details to children's ages, religion, and habits.

Victim
Exactis LLC
Records
340.0M
Data breachResolved

Ticketfly data breach (2018)

In May 2018, the website for the ticket distribution service Ticketfly was defaced by an attacker and was subsequently taken offline. The attacker allegedly requested a ransom to share details of the vulnerability with Ticketfly but did not receive a reply and subsequently posted the breached data…

Victim
Ticketfly
Records
26.2M
Data breachResolved

Houzz data breach (2018)

In mid-2018, the home-design platform Houzz had a file containing user data obtained by an unauthorized third party. The company learned of it in late 2018 and disclosed it in early 2019. Roughly 49 million accounts were exposed, including emails, usernames, salted password hashes and IP-derived locations.

Victim
Houzz
Records
48.9M
Data breachResolved

Poshmark data breach (2018)

In May 2018, the social-commerce marketplace Poshmark was breached and roughly 36 million user accounts were exposed, including email addresses, names, usernames, genders, locations and bcrypt-hashed passwords. The company confirmed the incident in August 2019.

Victim
Poshmark
Records
36.4M
Data breachResolved

Uber 2016 data breach and cover-up

Attackers stole personal data on 57 million Uber riders and drivers in October 2016. Rather than disclose, Uber paid the hackers a $100,000 ransom and disguised it as a bug bounty β€” a cover-up that led to a $148 million multistate settlement and the criminal conviction of Uber's security chief.

Victim
Uber Technologies, Inc.
Loss
$148.0M
Records
57.0M
Data breachResolved

8tracks data breach (2017)

In June 2017, the online playlists service known as 8Tracks suffered a data breach which impacted 18 million accounts. In their disclosure, 8Tracks advised that "the vector for the attack was an employee’s GitHub account, which was not secured using two-factor authentication".

Victim
8tracks
Records
18.0M
Data breachResolved

Edmodo data breach (2017)

In May 2017, the education platform Edmodo was hacked resulting in the exposure of 77 million records comprised of over 43 million unique customer email addresses. The data was consequently published to a popular hacking forum and made freely available.

Victim
Edmodo
Records
43.4M
DDoSResolved

Dyn DNS Mirai DDoS attack

A massive Mirai-botnet DDoS attack against managed DNS provider Dyn knocked Twitter, Netflix, Spotify, GitHub, Reddit, and dozens of other major sites offline across the U.S. and Europe, demonstrating how a botnet of compromised IoT devices could disrupt large swathes of the internet.

Victim
Dyn, Inc.
EspionageResolved

Democratic National Committee hack

Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.

Victim
Democratic National Committee + Clinton campaign + DCCC
Loss
$50.0M
Records
50.0K
Data breachResolved

Patreon data breach (2015)

In October 2015, the crowdfunding site Patreon was hacked and over 16GB of data was released publicly. The dump included almost 14GB of database records with more than 2.3M unique email addresses, millions of personal messages and passwords stored as bcrypt hashes.

Victim
Patreon
Records
2.3M
Data breachResolved

JPMorgan Chase data breach

Attackers exploited a server missing two-factor authentication to breach more than 90 JPMorgan Chase servers and steal contact details for 76 million households and 7 million small businesses β€” one of the largest intrusions ever into a U.S. financial institution.

Victim
JPMorgan Chase
Records
83.0M
MalwareResolved

Home Depot POS breach

Attackers used a vendor's stolen credentials and custom point-of-sale malware to harvest about 56 million payment cards and 53 million email addresses from Home Depot's U.S. and Canadian self-checkout systems over five months β€” the largest retail card breach of its time.

Victim
The Home Depot
Loss
$179.0M
Records
56.0M
Data breachResolved

Adobe data breach (2013)

Attackers stole roughly 153 million Adobe account records β€” IDs, emails, weakly encrypted passwords and plaintext password hints β€” along with source code for several Adobe products, in one of the largest software-company breaches on record.

Victim
Adobe Systems
Loss
$1.0M
Records
152.4M
Data breachResolved

Evite data breach (2013)

An archived 2013 database from social-invitations site Evite was accessed by an attacker and later traded online, exposing roughly 101 million unique email addresses along with names, phone numbers, postal addresses, dates of birth and plaintext passwords.

Victim
Evite
Records
101.0M
Data breachResolved

LinkedIn password breach

A 2012 intrusion into LinkedIn exposed user passwords stored as unsalted SHA-1 hashes. Initially reported as 6.5 million credentials, the full scope of 117 million accounts only emerged in 2016 when the data surfaced for sale on the dark web.

Victim
LinkedIn
Loss
$1.3M
Records
117.0M
Data breachResolved

TJX Companies (T.J. Maxx) card breach

Attackers led by Albert Gonzalez sniffed weakly-encrypted in-store Wi-Fi at a Marshalls outlet and pivoted to TJX's central systems, exfiltrating an estimated 94 million payment-card records over an 18-month intrusion β€” the largest U.S. retail data breach of its era.

Victim
The TJX Companies, Inc.
Loss
$256.0M
Records
94.0M