2026 continues the year-over-year growth trend in confirmed disclosures. The list below updates as new breaches are reported by Verizon DBIR partners and major security news outlets.
Ben Smith reports: Lawmakers are only now learning that hackers breached a congressional medical contractor more than two months ago. RXNT, a healthcare software company used by the Office of the Attending Physician (OAP
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts a
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: t
A hotel check-in system exposed over 1 million passports, IDs, and selfies online due to a misconfigured cloud storage bucket. A security lapse in the Reqrea’s Tabiq hotel check-in system exposed over 1 million pas
The company, which operates a widely used observability platform, is refusing to pay an extortion demand.
7-Eleven confirmed a breach after ShinyHunters claimed theft of over 600,000 Salesforce records and franchisee data. 7-Eleven has confirmed a data breach after the ShinyHunters hacking group claimed it stole more than 60
Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. "Our investigation has determined that no custom
Grafana says hackers stole its source code after accessing a GitHub token, but no customer data or systems were affected.
The Supreme Court of California has ruled in J.M. v. Illuminate Education, Inc., a case closely watched by those concerned about holding edtech vendors liable in the event of a data breach. As background on the case: In
OpenAI said the TanStack supply chain attack compromised two employee devices and exposed credentials from code repositories. OpenAI confirmed that the recent TanStack supply chain attack compromised two employee devices
Google’s Threat Intelligence Group writes: Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the “BlackFile” brand
Microsoft Exchange Server Cross-Site Scripting Vulnerability — Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditi
On the Spot News reports: An investigation has revealed than nearly 50 staff at a Merseyside hospital group accessed horrific details of the condition of those attacked in Southport. The investigation has only just come
The non-bank lender discovered a ransomware attack nearly one year ago, but only recently completed its investigation. The post American Lending Center Data Breach Affects 123,000 Individuals appeared first on SecurityWe
OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual p
A popular npm package called node-ipc has been compromised, with hackers publishing malicious versions that bundle credential stealing malware. The root cause of the compromise was an expired domain name that attackers m
Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. [...]
During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat
The House Committee on Homeland Security sent a letter about the Canvas cyberattack, the same day that the edtech company said it reached an "agreement" with the ShinyHunters cybercriminals.
Other noteworthy stories that might have slipped under the radar: Nvidia cloud gaming data breach, Android 17 security upgrades, FBI warning after ShinyHunters hacks Canvas. The post In Other News: Big Tech vs Canada Enc
On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days. [...]
The company confirmed data was stolen and encrypted by the attackers.
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability — Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass a
711,099 records exposed — Email addresses, Employers, Job titles, Names and 2 more