About this site.

atthacked.com is a reference library of cyber incidents — breaches, ransomware, supply-chain compromises, and nation-state operations. Think of it as IMDb for cyber attacks. A short stub goes up the day an incident becomes public. A deeper write-up follows when the post-incident reports, advisories, and forensics are out — which often takes weeks or months. The index stays current; the depth grows over time.

It is not a daily news site, not a publication with editorial staff, and not a vendor blog. It exists because the cyber community lacks a single, consistently-formatted, technically-honest catalogue of who got hit, how, and what defenders can usefully take from each one.

What gets covered

An incident makes the index if at least one of three things is true. It involved a public-interest organisation — a listed company, government body, critical-infrastructure operator, or major service provider. It exposed material data, money, or operational capability — measured in customer records, currency, or hours of downtime. Or it represents a meaningful technique, threat actor, or chain of events that defenders should learn from.

Routine credential-stuffing, low-volume phishing, and small-business breaches are out of scope. So are unverified claims on leak sites where the victim has neither confirmed nor publicly disclosed. If the only evidence is a screenshot on Telegram, it sits in a watch-list, not the index.

The desks

Two editorial sections sit alongside the catalogue. The News Desk is reactive — short pieces written off the morning cyber briefing, picking a story off the daily feed and adding the defender-side take that the news write-up usually leaves to the reader. Roughly daily, sometimes less.

The Controls Desk is proactive. One control per page, drawn from regulator and framework guidance — NCSC, NIST, CIS, CISA, ACSC, ISO, MITRE — and pinned to the named incidents in the catalogue whose outcome the control would have changed. Sorted by ease against impact, with the quick wins first. Vendor-neutral by policy: the sources cited are standards bodies, regulators and government agencies only, never vendors. Where the control happens to touch segmentation or Zero Trust territory, the same rule applies — it's framed against the cited framework, not against any product.

Both desks link back into the catalogue. A News Desk piece that points at a Controls Desk entry should link to it; a Controls Desk entry names every catalogued incident that the control would have prevented or whose blast radius it would have limited. The catalogue is the receipts; the desks are the synthesis.

How incidents are sourced

Primary sources first. The site prioritises the affected organisation's own disclosure, SEC 8-K Item 1.05 filings, and government advisories from CISA, NCSC, CERT-EU and equivalents. For depth, post-incident reports from Mandiant, Microsoft Threat Intelligence, CrowdStrike, Sophos, and the major IR firms are paraphrased and cited. Reporting from BleepingComputer, The Record, Reuters, the Financial Times and Bloomberg fills in financial and operational impact.

Sources are listed at the foot of every incident page. Direct quotes are used sparingly — only where the exact wording carries technical or legal weight. Everything else is paraphrased.

Severity grading

Severity is editorial. It is a composite judgement made from four factors: the volume and sensitivity of data lost, the financial impact, the operational disruption to the victim or downstream customers, and the geopolitical or systemic significance. The four bands are deliberately coarse.

Critical — landmark incidents that shift the threat landscape or affect tens of millions of people. Bybit's $1.46B Ethereum heist. Singapore's UNC3886 telco eviction.

High — significant operational or data impact at a recognisable organisation. Jaguar Land Rover's production halt. The SalesLoft Drift OAuth supply-chain wave.

Medium — material breaches that warrant a write-up but did not redefine anything.

Low — included for completeness or because the technique is instructive.

Editorial independence

atthacked.com is run independently by Andy Harcup, who works in cybersecurity sales as Regional Sales Director at Illumio. The site is editorially independent of his employer.

Coverage does not promote Illumio, attack Illumio's competitors unfairly, or compromise the confidentiality of Illumio customers. The site does not take sponsorship from segmentation vendors. Where commentary touches on segmentation or Zero Trust — areas Andy works in professionally — it is labelled as such and held to the same standard of evidence as the rest of the page.

If you spot coverage that looks like a hit piece on a competitor, a soft-pedal on an Illumio customer's incident, or any other failure of independence, please flag it through the contact form.

Corrections

Cyber incidents move fast and early reporting is often wrong. If you spot an error — a misattributed threat actor, an outdated number, a mis-cited source — flag it through the contact form and it will be corrected with a dated note on the page in question.

Contact

Editorial messages, tips, and corrections all go through the contact form. Messages route directly to the editor; sources are respected as on-the-record, on-background, or off-the-record per your preference. PGP available on request.