Public breach reports where purchases were listed among exposed data types.
Kemper Corporation had data on approximately 269,000 individuals exposed after the ShinyHunters ransomware group accessed its Salesforce environment via social engineering and published the stolen data in an extortion campaign.
Mytheresa, a luxury fashion e-commerce platform, had data on approximately 84,000 customers exposed after the ShinyHunters extortion group published it following a failed ransom demand in April 2026.
Colombian fintech company Addi suffered a breach in March 2026 affecting over 34 million accounts, exposing financial, identity, and credit-related personal data after the ShinyHunters group claimed responsibility and published the stolen data.
In April 2026, Zara was targeted by the ShinyHunters extortion group, exposing approximately 197,000 unique email addresses along with purchase and support ticket data linked to a compromise of the Anodot analytics platform.
LegionProxy, a commercial residential and ISP proxy network, suffered a data breach in April 2026 that exposed approximately 10,000 accounts including email addresses, names, bcrypt password hashes, and purchase records.
Divine Skins, a League of Legends custom skins service, disclosed a data breach affecting over 105,000 users in March 2026.
Turkish restaurant chain Baydöner suffered a data breach in March 2026 exposing over 1.2 million customer records including names, email addresses, phone numbers, and plaintext passwords.