2026-03-26
The LiteLLM PyPI supply chain attack by TeamPCP involved a cascading attack chain: TeamPCP first compromised the Trivy security scanner's GitHub Actions CI/CD pipeline (March 19, 2026), used stolen …
2026-03-25
In late March 2026, Handala — an Iranian state-linked hacktivist group that has previously conducted operations attributed to Iran's IRGC — published photographs and alleged personal emails obtained …
2026-03-20
A multi-month cyberespionage campaign targeted a Libyan oil refinery in 2026, using commodity (commercially available) malware to maintain persistent covert access for intelligence collection. Oil and …
2026-03-01
In April 2026, ShinyHunters disclosed that they had breached Anodot (an Israeli AI analytics company acquired by Glassbox in November 2025), maintaining access 'for some time.' By stealing …
2026-01-22
The Department of Government Efficiency (DOGE) — the advisory body established by the Trump administration — was reported to have transferred sensitive Social Security Administration (SSA) data to an …
2026-01-19
Between January 19 and February 11, 2026, attackers used phishing pages cloning the Starbucks Partner Central portal to steal employee credentials. Starbucks detected the unauthorized access on …
2025-01-01
Attackers bribed at least one overseas customer support agent contracted through third-party vendor TaskUs to access and steal Coinbase customer data from internal support systems. Data stolen on …
2024-10-16
InletDrift
On 16 October 2024, attackers executed transferOwnership on Radiant Capital's Pool Provider contract using 3 collected malicious signatures, gaining control of all lending pool contracts on BSC and …
2024-07-18
Safe Wallet front-end manipulation / transaction substitution
$234.9 million in crypto assets stolen from Indian exchange WazirX on 18 July 2024. Attributed to North Korea's Lazarus Group by joint US/Japan/South Korea statement in January 2025. Attackers created …
2024-05-31
North Korean TraderTraitor hackers stole 4,502.9 BTC (~$308 million) from Japanese crypto exchange DMM Bitcoin on 31 May 2024 — the third-largest crypto theft in history. FBI, DC3, and Japan NPA …
2024-05-01
Pure Storage, a leading enterprise cloud storage provider, confirmed on June 11, 2024 that attackers breached its Snowflake workspace as part of the broader UNC5537/Sp1d3r campaign targeting Snowflake …
2024-05-01
Bausch Health, a Canadian pharmaceutical company, was targeted as part of the 2024 UNC5537/Sp1d3rHunters Snowflake credential-theft campaign. The threat actor 'Sp1d3rHunters' claimed to have stolen …
2024-04-24
On 24 April 2024, Dropbox discovered that a threat actor had accessed Dropbox Sign's (formerly HelloSign's) production environment. Dropbox Sign is an e-signature service used by businesses and …
2024-04-17
UNC5537 accessed a third-party Snowflake-hosted database used by Santander. Breach began April 17, discovered May 10, disclosed May 14. ShinyHunters listed data on BreachForums claiming 6 million …
2024-04-14
UNC5537 accessed Advance Auto Parts' Snowflake environment between April 14 and May 24, 2024. Breach disclosed July 10 via Maine AGO notification affecting 2.3 million current and former employees and …
2024-04-14
UNC5537 downloaded AT&T call and text metadata for nearly all ~110 million AT&T wireless customers, covering May–Oct 2022 and a small subset from Jan 2023. Data included call/text metadata and …
2024-04-14
VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, METASTEALER (infostealers used to harvest credentials)
UNC5537 (ShinyHunters / Scattered Spider affiliates) used infostealer-harvested credentials to authenticate to Ticketmaster's Snowflake tenant, which had no MFA configured. ShinyHunters listed 560 …
2024-04-14
UNC5537 threat actor 'Sp1d3r' posted on BreachForums 1 June 2024 claiming 190 million individual records and 3 billion tracking pixel data records (2 TB compressed) stolen from LendingTree's …
2024-04-14
VIDAR/RISEPRO/REDLINE infostealers (used to harvest Snowflake credentials)
Neiman Marcus (US luxury retailer) was breached as part of the UNC5537 mass-Snowflake campaign in May 2024. While the company notified Maine AG of 64,472 individuals, Troy Hunt (HaveIBeenPwned) …
2024-04-01
Redline Stealer / Lumma Stealer / Vidar / Raccoon Stealer / Risepro
UNC5537 / Scattered Spider / ShinyHunters used credentials stolen by infostealer malware (some dating back to Nov 2020) to access 160+ Snowflake customer environments lacking MFA. Major victims: …
2024-04-01
Cylance (a cybersecurity company owned by BlackBerry) confirmed in June 2024 that a data breach occurred involving a third-party cloud platform. The threat actor 'Sp1d3r' claimed to be selling 34 …
2024-04-01
UNC5537 accessed Neiman Marcus's Snowflake database between April and May 2024. Official notification to Maine AGO cited 64,472 individuals; however, HIBP analysis identified 31 million customer email …
2024-04-01
Ticketek Australia (operated by TEG, Ticket Entertainment Group) disclosed a data breach in May/June 2024 involving a third-party cloud platform. A ShinyHunters-linked actor posted ~30 million rows of …
2024-04-01
Los Angeles Unified School District had student and teacher data stored in Snowflake accounts maintained by one or more third-party vendors. As part of the UNC5537 / ShinyHunters credential campaign …
2024-03-01
Second Roku credential stuffing incident of 2024 (first: ~15,000 accounts in March). Attackers used username/password pairs from prior unrelated breaches to authenticate against Roku accounts. 576,000 …
2024-01-01
Tycoon2FA phishing kit
Tycoon2FA is a sophisticated phishing-as-a-service platform discovered in 2023 and analysed in depth by Sekoia.io in March 2024. The platform operates as a reverse proxy between victims and legitimate …
2023-11-14
Nation-state threat actor (attributed to Midnight Blizzard / Cozy Bear / APT29 in some reporting) used one access token and three service account credentials stolen during the Okta support case …
2023-11-03
On November 3, 2023, Sumo Logic, a cloud-native security analytics and log management platform, discovered that a compromised AWS access key had been used to gain unauthorized access to their AWS …
2023-11-01
Midnight Blizzard (Russian SVR, also known as Nobelium/Cozy Bear/APT29) conducted a password spray attack against a legacy Microsoft test tenant account with no MFA enabled in November 2023. Using …
2023-09-29
In January 2024 (revealed for an exposure dating to September 2023), RedHunt Labs security researchers discovered that a GitHub API authentication token belonging to a Mercedes-Benz employee had been …
2023-09-28
On 28 September 2023, an attacker used a stolen service account credential to gain access to Okta's customer support case management system. The attacker downloaded a report containing data for all …
2023-09-28
Threat actor accessed Okta customer support case management system Sept 28 – Oct 17, 2023 using credentials stolen from an employee's personal Google account. 134 Okta customers affected (<1%). Stolen …
2022-12-16
In December 2022 (disclosed 4 January 2023), CircleCI — a widely-used CI/CD platform with over 500,000 developer users — discovered that an attacker had stolen customer environment variables, tokens, …
2022-12-01
In January 2023, a security researcher discovered that CommuteAir, a US regional airline, had a publicly exposed Jenkins build server with no authentication required. The Jenkins environment contained …
2022-11-30
Keylogger (via vulnerable Plex Media Server)
In November-December 2022, attackers who had previously breached LastPass in August 2022 (stealing source code and technical documentation) used that information to identify and target a senior DevOps …
2022-11-11
On November 11-12, 2022, within hours of FTX's bankruptcy filing, approximately $400 million was drained from FTX exchange and FTX US wallets in a series of unauthorized transactions. The FTX new …
2022-10-09
On 9 October 2022, MyDeal — an Australian online retail marketplace owned by Woolworths Group (acquired in 2022 for A$217 million) — was breached via compromised user credentials that provided access …
2022-09-15
18-year-old Lapsus$-affiliated attacker purchased stolen contractor VPN credentials from dark web. Bypassed Duo MFA by bombing target with push notifications for >1 hour then impersonating Uber IT …
2022-09-11
On 11 September 2022, an attacker used a sophisticated social engineering technique to gain access to Revolut's customer support system through a Revolut employee. The attacker accessed and …
2022-09-11
On September 11, 2022, Revolut — a UK/EU-based neobank and fintech company with over 20 million customers — suffered a brief but significant data breach via a social engineering attack. A threat actor …
2022-06-01
In June 2022, Marriott International suffered its third significant data breach in four years (after the 2018 Starwood breach affecting 383M guests and the 2020 employee credential breach affecting …
2022-06-01
Twilio employees received smishing SMS impersonating IT dept claiming password expiry. Employees entered credentials on fake Twilio login page with real-time MFA relay bypassing TOTP. 209 Twilio …
2022-05-24
On 24 May 2022, a Yanluowang ransomware affiliate (linked to UNC2447/Lapsus$ connections) compromised Cisco Systems through a combination of credential theft from a personal Google account and MFA …
2022-03-23
On March 23, 2022, the Lazarus Group (North Korea, DPRK Bureau 121) stole 173,600 ETH and 25.5 million USDC ($625 million at the time) from the Ronin Network — the Ethereum sidechain powering Axie …
2022-03-20
On March 20, 2022, LAPSUS$ posted a screenshot on Telegram showing they had access to Microsoft's internal Azure DevOps environment, including source code repositories for Bing, Bing Maps, and …
2022-02-23
On February 23, 2022, LAPSUS$ — a cybercriminal extortion group — gained access to NVIDIA's internal systems and exfiltrated approximately 1TB of data. NVIDIA was alerted to the intrusion and …
2022-01-16
Mimikatz
Lapsus$ accessed Okta's network via compromised Sitel/Sykes contractor support workstation starting Jan 16, 2022. Attacker used RDP lateral movement, accessed DomAdmins-LastPass.xlsx via Office 365, …
2022-01-01
Football Australia, the governing body for association football (soccer) in Australia, suffered a data breach when AWS IAM credentials were exposed in a misconfigured Amazon S3 bucket. The exposed …
2021-11-03
On November 3, 2021, an attacker called Robinhood's customer support line and socially engineered a customer support employee into granting them unauthorized access to the customer support systems. …
2021-09-06
On September 6, 2021, an attacker used a compromised password to access GoDaddy's Managed WordPress hosting provisioning system, where they maintained access for over two months before being detected …
2021-06-21
UNC2903 is a financially-motivated threat actor tracked by Mandiant/Google Cloud that systematically exploited IMDSv1 vulnerabilities in AWS deployments. Beginning in mid-2021, UNC2903 scanned for and …
2021-03-08
In March 2021, a collective including Swiss hacker Tillie Kottmann ('deletescape') gained access to Verkada's global security camera management platform by discovering Verkada 'Super Admin' …
2020-09-24
Cisco disclosed in February 2021 that unauthorized actors had compromised AWS IAM credentials associated with the Cisco WebEx Teams video conferencing service. The attackers maintained access from …
2020-09-01
In November 2020, security researchers at vpnMentor discovered an unsecured Elasticsearch database containing approximately 380 million records including usernames, passwords, and email addresses that …
2020-07-15
On July 15, 2020, attackers hijacked approximately 130 high-profile Twitter accounts including Barack Obama, Joe Biden, Elon Musk, Bill Gates, Apple, Uber, Jeff Bezos, Kanye West, Mike Bloomberg, and …
2020-06-17
In June 2020, MEDNAX — a national health solutions company providing physician services management, including neonatology and pediatric subspecialty care, to approximately 120,000 patients annually — …
2020-06-12
In June 2020, Drizly (an online alcohol delivery service) suffered a data breach when an attacker discovered AWS credentials stored in a plaintext format in an internal GitHub repository. The …
2020-06-01
In approximately June 2020, ShinyHunters — a prolific cybercrime group responsible for multiple major 2020 breaches (Tokopedia, Dave.com, Microsoft GitHub repos) — breached Wattpad and exfiltrated …
2020-04-04
In April 2020, 47 Service NSW employee email accounts were compromised through a phishing attack, allowing unauthorized access to customer data processed through those email accounts. Service NSW is …
2020-04-01
In April 2020, Nintendo disclosed that approximately 160,000 Nintendo accounts had been accessed without authorisation using a credential stuffing attack against the Nintendo Network ID (NNID) login …
2020-04-01
In April 2020, at the height of the COVID-19 pandemic when Zoom usage had surged from approximately 10 million to 300 million daily meeting participants in three months, approximately 530,000 Zoom …
2020-03-01
In April 2020, Nintendo disclosed that approximately 160,000 Nintendo Network IDs (NNIDs) — a legacy login system from the Nintendo 3DS and Wii U era — had been compromised via credential stuffing …
2020-03-01
In April 2020, cybersecurity firm Cyble reported discovering approximately 530,000 Zoom account credentials being sold on dark web forums for as little as a fraction of a cent each, with some being …
2020-02-19
T-Mobile disclosed a breach on March 5, 2020 affecting approximately 200,000 customers. Attackers had accessed some T-Mobile employee email accounts containing customer proprietary network information …
2020-01-01
In March 2020, Marriott International disclosed a second data breach (separate from the 2018 Starwood breach affecting 383 million guests) in which an attacker used the login credentials of two …
2019-11-01
In November 2019, T-Mobile's cybersecurity team identified and shut down unauthorized access to systems containing prepaid customer account information. Approximately 1.26 million prepaid customers …
2019-05-24
On May 24, 2019, Canva — the Australian graphic design SaaS platform — suffered a data breach in which threat actor GnosticPlayers exfiltrated approximately 137 million user records. Canva was …
2019-03-14
On March 14, 2019, unauthorized parties used credential stuffing techniques — using phone numbers as usernames combined with account PINs — to access an unknown number of Boost Mobile customer …
2018-10-31
In late October 2018, Dunkin' Donuts — one of the world's largest coffee and baked goods chains — suffered a credential stuffing attack against its DD Perks loyalty rewards program. The attack was …
2018-07-04
On 4 July 2018 (US Independence Day), an attacker used a compromised cloud environment credential — which lacked multi-factor authentication — to access Timehop's production cloud environment. Timehop …
2018-03-14
In March and May 2018, UnityPoint Health — a major Iowa-based health system operating approximately 32 hospitals and 280 clinics in Iowa, Illinois, and Wisconsin — suffered two related business email …
2018-01-01
On January 17, 2019, Troy Hunt (creator of HaveIBeenPwned) disclosed 'Collection #1' — an 87GB aggregated credential dump that had appeared on MEGA cloud storage and hacking forums. It contained …
2017-06-23
On June 23–24, 2017, an unknown attacker conducted a sustained brute-force attack against the UK Parliament's Outlook Web Access (OWA) email portal at Westminster. Parliament's IT team detected the …
2017-05-31
On 31 May 2017, OneLogin — an enterprise single sign-on and identity management provider serving approximately 2,000 enterprise customers — suffered a breach in which an attacker obtained and used AWS …
2017-05-01
BOOSTWRITE / POS malware (FIN7)
Between approximately May 2017 and March 2018 (approximately 10 months), the FIN7 cybercriminal organization's Joker's Stash carding marketplace operators deployed POS malware across the entirety of …
2017-04-03
POS malware
Between approximately April 3 and November 18, 2017 (~7 months), POS malware infected Forever 21 retail store locations in the United States. Forever 21 issued an initial public notice in November …
2017-03-24
POS malware (Track data scraper)
Between March 24 and April 18, 2017, POS malware infected the majority of approximately 2,250 Chipotle Mexican Grill restaurant locations across 47 U.S. states and Washington D.C., as well as 7 …
2017-01-01
POS malware
In September 2017, security journalist Brian Krebs reported that a large batch of approximately 5 million stolen payment cards linked to Sonic Drive-In locations had appeared on the Joker's Stash dark …
2016-10-25
POS malware (Track 1/Track 2 scraper)
Between approximately October 25, 2016 and January 19, 2017, POS malware infected corporate-owned Arby's restaurant locations across the United States. Franchise locations were not affected. Arby's …
2016-10-01
In October-November 2016, two attackers discovered that Uber's private GitHub code repository contained hardcoded AWS credentials. Using those credentials, they accessed an AWS S3 bucket containing a …
2016-08-10
Between approximately August 10, 2016 and March 9, 2017, an attacker used a compromised administrator account in Sabre Corporation's SynXis Hospitality Solutions central reservations system — a …
2016-08-01
POS malware (Track data scraper)
Between approximately August 1 and December 29, 2016, POS malware was deployed at IHG franchise hotel properties across the United States and Puerto Rico. IHG (InterContinental Hotels Group, parent of …
2016-07-07
On July 7-8, 2016, DataDog, a cloud monitoring and analytics platform, detected unauthorized access to its internal systems and discovered that AWS access keys had been exposed. DataDog immediately …
2016-03-19
X-Agent, X-Tunnel, Mimikatz, PlugX
Beginning in March 2016, Russian military intelligence operatives from GRU Unit 26165 (Fancy Bear/APT28) and Unit 74455 (Sandworm) conducted a comprehensive hacking campaign against the US Democratic …
2016-02-26
On 26 February 2016, a Snapchat payroll department employee received an email purportedly from CEO Evan Spiegel requesting payroll information for employees. The employee complied and emailed payroll …
2016-01-01
Vitagene, a consumer DNA and ancestry testing company, left Amazon S3 buckets containing raw genetic data files, health reports, and personal information for customers publicly accessible without …
2015-10-01
POS malware (two distinct strains)
Between approximately fall 2015 and spring 2016, POS malware was deployed at Wendy's franchise restaurant locations in the United States. Wendy's first disclosed the breach in May 2016 affecting …
2015-08-13
POS malware
Between approximately August 13 and December 8, 2015, POS malware infected payment processing systems at 250 Hyatt-managed hotels across 50 countries, including 100 hotels in 26 U.S. states. Hyatt …
2015-01-01
Between January and May 2015, a sophisticated crime ring accessed the IRS's 'Get Transcript' online application — which allowed taxpayers to retrieve prior-year tax returns — and obtained transcripts …
2014-11-09
In November 2014, BrowserStack, a cloud-based browser and device testing platform, suffered a breach when an attacker discovered a forgotten, active AWS access key that had been created for a …
2014-09-01
POS RAM-scraping malware (specific variant not publicly named)
On October 10, 2014, Sears Holdings announced that Kmart stores had been the victim of a data breach involving malware installed on point-of-sale systems. The company stated that the breach had been …
2014-05-12
In May 2014, a third party accessed an Uber software engineer's private GitHub repository that contained AWS credentials stored in code. Using these credentials, the attacker accessed an Amazon S3 …
2013-09-01
POS malware (FIN6)
P.F. Chang's China Bistro, a US casual dining restaurant chain, confirmed in June 2014 that its payment systems had been compromised by POS malware for approximately 9 months (September 2013 to June …
2013-09-01
POS RAM-scraping malware
P.F. Chang's China Bistro, a national casual dining restaurant chain, confirmed in June 2014 that it had suffered a payment card breach after KrebsOnSecurity reported that a large batch of stolen …
2013-05-08
POS malware (Track data scraper)
Michaels Stores, the US arts and crafts retail chain, confirmed in April 2014 that a data breach between May 8, 2013 and January 27, 2014 (approximately 9 months) had compromised approximately 2.6 …
2013-05-08
POS RAM-scraping malware
Michaels Stores, the large arts and crafts retail chain, disclosed in January 2014 that it was investigating a potential data security breach involving payment cards used at its stores. The …
2012-12-01
POS RAM-scraping malware
Schnucks, a regional Midwestern grocery chain headquartered in St. Louis, Missouri, with approximately 100 store locations, disclosed in March 2013 that it had suffered a payment card breach at its …
2012-08-01
Barnes & Noble, the US bookseller, disclosed in October 2012 that PIN pad payment terminals at 63 retail stores across 9 states had been physically tampered with — skimming devices had been installed …
2012-07-01
The Dropbox breach of approximately July 2012 originated from employee password reuse. A Dropbox employee had reused their LinkedIn account password for their corporate Dropbox work account. When the …
2012-06-01
Barnes & Noble disclosed in October 2012 that criminals had tampered with at least one PIN pad terminal at each of 63 of its retail bookstore locations across nine states (California, Connecticut, …
2012-05-01
On June 6, 2012, eHarmony confirmed that a subset of its member passwords had been compromised and posted to an online password cracking forum. Approximately 1.5 million password hashes were …
2012-05-01
eHarmony, the US online dating service, disclosed on June 6, 2012 that a subset of its member passwords had been compromised and posted online. Approximately 1.5 million unsalted MD5 password hashes …
2012-03-01
Last.fm, the music discovery and social listening service (owned by CBS Interactive from 2007), suffered a breach of its user database that occurred around 2012 but was not publicly disclosed until …
2011-01-01
POS keylogger/scraping malware
A Romanian cybercrime group compromised point-of-sale systems at approximately 150 Subway franchise restaurants across the United States, stealing over 80,000 payment card numbers — though some …
2009-01-05
In January 2009, a hacker gained access to Twitter's administrative control panel by guessing the password of a Twitter admin account using automated brute force — Twitter had implemented no rate …
2008-11-04
RBS WorldPay, the US payment processing division of the Royal Bank of Scotland (distinct from the later Worldpay/FIS entity), suffered a coordinated cyberattack in early November 2008. Attackers …
2002-08-01
ShadowCrew was an underground carding forum operating from August 2002 until its takedown on October 26, 2004 in Operation Firewall — a joint US Secret Service operation involving law enforcement …
1999-12-01
In December 1999, an attacker known only as 'Maxus' (believed to be a ~19-year-old Eastern European) exploited a vulnerability in the payment processing systems of CD Universe, an early online music …