JCPenney suffered a data breach in June 2026 when ShinyHunters exploited a zero-day vulnerability in Oracle PeopleSoft, exposing personal and HR data for approximately 368,000 current and former employees.
DentaQuest, a dental benefits administrator, had data on approximately 2.6 million individuals publicly leaked by the ShinyHunters group following an extortion campaign in May 2026.
7-Eleven suffered a data breach in April 2026 when the ShinyHunters group conducted an extortion campaign and later published data on approximately 185,000 individuals.
Dragonica Lunaris, a European private game server, suffered a data breach in December 2025 that exposed account data for approximately 126,000 users.
Aman, an ultra-luxury hotel brand, suffered a data breach in April 2026 when ShinyHunters obtained customer records from their Salesforce CRM and later leaked them publicly.
Carnival Corporation suffered a data breach affecting 7.5 million records from its Holland America loyalty program after ShinyHunters claimed to obtain and later published the data.
Turkish restaurant chain Baydöner suffered a data breach in March 2026 exposing over 1.2 million customer records including names, email addresses, phone numbers, and plaintext passwords.
ADT confirmed a data breach affecting 5.5 million customers in April 2026, with ShinyHunters claiming responsibility and threatening to leak the data.