What's happening in cyber, in plain English
We pull from NCSC, CISA, Have I Been Pwned and the NVD every six hours, then summarise each item into what it is, who it affects, and what you can do about it.
- MediumBreachHave I Been Pwned — public breach catalog· 24 Apr 2026· summary pending
Carnival — 7.5M accounts
In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, th
- MediumBreachHave I Been Pwned — public breach catalog· 17 Apr 2026· summary pending
Amtrak — 2.1M accounts
In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak . The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the al
- HighBreachHave I Been Pwned — public breach catalog· 16 Apr 2026· summary pending
McGraw Hill — 13.5M accounts
In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt . Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platfor
- MediumBreachHave I Been Pwned — public breach catalog· 12 Apr 2026· summary pending
Hallmark — 1.7M accounts
In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallm
- HighBreachHave I Been Pwned — public breach catalog· 8 Apr 2026· summary pending
My Lovely AI — 106K accounts
In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users . The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames.
- MediumBreachHave I Been Pwned — public breach catalog· 4 Apr 2026· summary pending
Crunchyroll — 1.2M accounts
In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users . The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, ge
- MediumBreachHave I Been Pwned — public breach catalog· 4 Apr 2026· summary pending
SongTrivia2 — 292K accounts
In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum . The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the
- MediumBreachHave I Been Pwned — public breach catalog· 1 Apr 2026· summary pending
SUCCESS — 254K accounts
In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach . The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hash
- HighBreachHave I Been Pwned — public breach catalog· 31 Mar 2026· summary pending
Cuties AI — 144K accounts
In March 2026, the NSFW AI companion platform Cuties AI suffered a data breach that was subsequently published to a public hacking forum . The incident exposed 144k unique email addresses along with display names, avatars, prompts and descriptions used to gene
- MediumBreachHave I Been Pwned — public breach catalog· 27 Mar 2026· summary pending
BreachForums Version 5 — 340K accounts
In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed . The incident exposed 340k unique email addresses along with usernames and argon2 password hashes.
- MediumBreachHave I Been Pwned — public breach catalog· 26 Mar 2026· summary pending
Scuf Gaming — 129K accounts
In June 2015, custom gaming controller maker Scuf Gaming suffered a data breach . The incident exposed 129k unique email addresses along with usernames, display names, IP addresses and password hashes.
- MediumBreachHave I Been Pwned — public breach catalog· 26 Mar 2026· summary pending
Sound Radix — 293K accounts
In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP . The incident impacted 293k unique email addresses and names. Sound Radix advised that it is possible that additional data incl
- MediumBreachHave I Been Pwned — public breach catalog· 23 Mar 2026· summary pending
RuneScape Boards — 223K accounts
In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data . The vBulletin-based service exposed 223k unique email addresses along with usernames, IP ad
- MediumBreachHave I Been Pwned — public breach catalog· 18 Mar 2026· summary pending
Aura — 903K accounts
In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses . The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exp
- MediumBreachHave I Been Pwned — public breach catalog· 15 Mar 2026· summary pending
Divine Skins — 106K accounts
In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach . The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all sk
- MediumBreachHave I Been Pwned — public breach catalog· 15 Mar 2026· summary pending
Baydöner — 1.3M accounts
In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum . The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext pa
- MediumBreachHave I Been Pwned — public breach catalog· 3 Mar 2026· summary pending
Provecho — 713K accounts
In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho
- MediumBreachHave I Been Pwned — public breach catalog· 2 Mar 2026· summary pending
Lovora — 496K accounts
In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of
- HighBreachHave I Been Pwned — public breach catalog· 2 Mar 2026· summary pending
Quitbro — 23K accounts
In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker
- MediumBreachHave I Been Pwned — public breach catalog· 2 Mar 2026· summary pending
KomikoAI — 1.1M accounts
In February, the AI-powered comic generation platform KomikoAI suffered a data breach . The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual
- MediumBreachHave I Been Pwned — public breach catalog· 26 Feb 2026· summary pending
Odido — 6.1M accounts
In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt . Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names,
- HighBreachHave I Been Pwned — public breach catalog· 25 Feb 2026· summary pending
Canadian Tire — 38.3M accounts
In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subs
- HighBreachHave I Been Pwned — public breach catalog· 22 Feb 2026· summary pending
CarGurus — 12.5M accounts
In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters . Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple fi
- MediumBreachHave I Been Pwned — public breach catalog· 20 Feb 2026· summary pending
CarMax — 431K accounts
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.
- MediumBreachHave I Been Pwned — public breach catalog· 18 Feb 2026· summary pending
Figure — 967K accounts
In February 2026, data obtained from the fintech lending platform Figure was publicly posted online . The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of bir
- MediumBreachHave I Been Pwned — public breach catalog· 17 Feb 2026· summary pending
Canada Goose — 582K accounts
In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly . The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and parti
- MediumBreachHave I Been Pwned — public breach catalog· 16 Feb 2026· summary pending
University of Pennsylvania — 624K accounts
In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand , largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online
- MediumBreachHave I Been Pwned — public breach catalog· 16 Feb 2026· summary pending
APOIA.se — 451K accounts
In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum . In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical ad
- LowBreachHave I Been Pwned — public breach catalog· 10 Feb 2026· summary pending
Toy Battles — 1K accounts
In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.
- LowBreachHave I Been Pwned — public breach catalog· 10 Feb 2026· summary pending
Association Nationale des Premiers Secours — 6K accounts
In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum . The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-subm
Sources are pulled directly from each provider's public feed and never modified. AI summaries are produced for plain-English readability and are clearly labelled — always follow the source link for the authoritative advisory.