Email addresses data breaches

American Tower had data on over 216,000 employees, contractors, customers, and leads exposed after a ShinyHunters extortion campaign in June 2026.

Madison Square Garden Sports had data on nearly 10 million accounts exposed after the ShinyHunters group carried out a pay-or-leak extortion campaign and published the stolen data online.

JCPenney suffered a data breach in June 2026 when ShinyHunters exploited a zero-day vulnerability in Oracle PeopleSoft, exposing personal and HR data for approximately 368,000 current and former employees.

Ralph Lauren had data on approximately 140,000 individuals exposed after the ShinyHunters group claimed to have extracted records from the company's Salesforce instance and published them as part of an extortion campaign.

International law enforcement, coordinated through Europol and Eurojust, disrupted the SocGholish malware network on 18 June 2026, providing HIBP with approximately 154,000 affected email addresses and over 500,000 previously unseen passwords.

CFGI, a financial consulting and advisory firm, had data on approximately 248,000 individuals exposed after the ShinyHunters group conducted an extortion campaign and subsequently published corporate contact information.

Infinite Campus, a student information system, had data on approximately 137,000 accounts stolen and published by the ShinyHunters group in March 2026 following an extortion campaign.

Berkadia, a commercial real estate finance company, had data from its Salesforce instance published by the ShinyHunters group in March 2026, exposing over 300,000 individuals' contact and employer information.

Baker Distributing Company had data on approximately 103,000 accounts exposed after the ShinyHunters extortion group published information allegedly taken from the company's SharePoint and Salesforce systems in May 2026.

BCD Travel, a corporate travel management company, had data on approximately 396,000 individuals exposed after ShinyHunters claimed the company as a victim of an extortion campaign and published the data publicly in early June 2026.

DentaQuest, a dental benefits administrator, had data on approximately 2.6 million individuals publicly leaked by the ShinyHunters group following an extortion campaign in May 2026.

Edmunds, the automotive research and car-shopping platform, had data on approximately 178,000 accounts exposed after the ShinyHunters hacking group claimed a breach in January 2026.

Atlas Menu, a GTA V and CS2 cheat service, had its database published to a public GitHub repository in May 2026, exposing data for approximately 64,000 accounts.

Charter Communications had data on approximately 4.9 million accounts exposed after the ShinyHunters group threatened extortion and subsequently published the stolen data.

Kemper Corporation had data on approximately 269,000 individuals exposed after the ShinyHunters ransomware group accessed its Salesforce environment via social engineering and published the stolen data in an extortion campaign.

Mytheresa, a luxury fashion e-commerce platform, had data on approximately 84,000 customers exposed after the ShinyHunters extortion group published it following a failed ransom demand in April 2026.

Ameriprise Financial had data from approximately 500,000 accounts exposed after the ShinyHunters group exfiltrated over 200GB from its Salesforce and SharePoint systems and published it following failed extortion negotiations.

Colombian fintech company Addi suffered a breach in March 2026 affecting over 34 million accounts, exposing financial, identity, and credit-related personal data after the ShinyHunters group claimed responsibility and published the stolen data.

7-Eleven suffered a data breach in April 2026 when the ShinyHunters group conducted an extortion campaign and later published data on approximately 185,000 individuals.

In January 2021, the Windows93 parody site's Myspace93 sub-site was breached via an exploited beta application, exposing data from approximately 46,000 accounts.

Dragonica Lunaris, a European private game server, suffered a data breach in December 2025 that exposed account data for approximately 126,000 users.

In April 2026, data allegedly taken from CTT, Portugal's national postal service, was posted to a public hacking forum, affecting approximately 468,000 accounts.

Abrigo, a fintech software company, had data from its Salesforce instance published by the ShinyHunters group in April 2026, exposing business contact information for over 711,000 individuals.

Canada Life suffered a data breach in April 2026 when the ShinyHunters group stole and published data on over 237,000 customers, including names, email addresses, phone numbers, physical addresses, and support tickets.

In May 2026, real estate services firm Cushman & Wakefield had data on approximately 310,000 accounts exposed after the ShinyHunters group carried out an extortion campaign and published stolen corporate contact records.

In April 2026, Zara was targeted by the ShinyHunters extortion group, exposing approximately 197,000 unique email addresses along with purchase and support ticket data linked to a compromise of the Anodot analytics platform.

Woflow, an AI-driven merchant data platform, had data on approximately 447,593 accounts exposed after the ShinyHunters extortion group published files allegedly stolen from the company in March 2026.

LegionProxy, a commercial residential and ISP proxy network, suffered a data breach in April 2026 that exposed approximately 10,000 accounts including email addresses, names, bcrypt password hashes, and purchase records.

In April 2026, the ShinyHunters extortion group published data from a third-party analytics vendor breach affecting approximately 119,000 Vimeo user email addresses and names.

Reborn Gaming, an online gaming community, suffered a data breach in April 2026 that exposed 126 accounts' email addresses, IP addresses, and Steam IDs due to a vulnerability in cPanel and WHM.

Marcus & Millichap, a commercial real estate brokerage, had data on approximately 1.8 million individuals exposed after being named as an alleged victim of the ShinyHunters hacking group in April 2026.

ZenBusiness, a business formation platform, had data on approximately 5.1 million accounts exposed after the hacker group ShinyHunters claimed to have exfiltrated records from multiple platforms and publicly released the data following an unpaid ransom demand.

Aman, an ultra-luxury hotel brand, suffered a data breach in April 2026 when ShinyHunters obtained customer records from their Salesforce CRM and later leaked them publicly.

Udemy suffered a data breach affecting 1.4 million accounts, with customer and instructor information including email addresses, names, addresses, phone numbers, and payment methods exposed.

SUCCESS, a personal development media brand, suffered a data breach in March 2026 exposing approximately 253,510 accounts with names, email addresses, phone numbers, and other personal information.

Sound Radix disclosed a data breach in March 2026 affecting approximately 293,000 user accounts.

SongTrivia2, a music trivia platform, suffered a data breach in April 2026 affecting approximately 292,000 accounts, with data subsequently published to a public hacking forum.

Scuf Gaming suffered a data breach in June 2015 that exposed approximately 129,000 user accounts including email addresses, usernames, display names, IP addresses, and password hashes.

RuneScape Boards, a vBulletin-based forum, suffered a data breach in 2011 that exposed approximately 223,000 user accounts.

Provecho, a recipe and meal planning service, suffered a data breach in early 2026 affecting approximately 713,000 users.

Pitney Bowes suffered a data breach in April 2026 affecting approximately 8.2 million individuals, with ShinyHunters claiming responsibility and publicly releasing the stolen data.

McGraw Hill confirmed a data breach in April 2026 affecting 13.5 million accounts, exposing email addresses, names, phone numbers, and physical addresses due to a Salesforce misconfiguration.

Lovora, a couples and relationship app, suffered a data breach in February 2026 that exposed approximately 496,000 user accounts.

Hallmark suffered a breach in March 2026 after attackers accessed data stored in Salesforce, exposing approximately 1.7 million customer records.

Divine Skins, a League of Legends custom skins service, disclosed a data breach affecting over 105,000 users in March 2026.

Crunchyroll suffered a data breach in March 2026 affecting approximately 1.2 million email addresses, with additional personal information exposed from the company's Zendesk support system.

Carnival Corporation suffered a data breach affecting 7.5 million records from its Holland America loyalty program after ShinyHunters claimed to obtain and later published the data.

BreachForums Version 5, a hacking forum, suffered a breach in March 2026 exposing approximately 340,000 user accounts with email addresses, usernames, and password hashes.

Turkish restaurant chain Baydöner suffered a data breach in March 2026 exposing over 1.2 million customer records including names, email addresses, phone numbers, and plaintext passwords.

Aura disclosed a data breach in March 2026 affecting over 900,000 customer records, primarily from a marketing tool associated with a previously acquired company.

Amtrak suffered a data breach in April 2026 affecting over 2.1 million accounts, with the hacking group ShinyHunters claiming responsibility and later publishing the stolen data.

ADT confirmed a data breach affecting 5.5 million customers in April 2026, with ShinyHunters claiming responsibility and threatening to leak the data.