The incidents index.
Every incident catalogued, newest first. Stubs are added the day a breach becomes public. Deep-dives are filled in once post-incident reports are available — sometimes weeks or months later. Filter by sector, attack type, or severity.
France Titres (ANTS) — 11.7 million citizen records via IDOR
French national ID-document portal exposed up to 19 million records via an IDOR flaw; 15-year-old hacker detained, charged by Paris prosecutors.
Citizens Financial Group and Frost Bank — shared-vendor Everest ransomware breach
Everest ransomware compromised a shared third-party vendor handling statement printing for Citizens and tax document fulfilment for Frost, exposing roughly 3.65 million customer records.
Pitney Bowes — Salesforce CRM phishing breach, ShinyHunters dump
ShinyHunters publicly dumped 8.2 million Pitney Bowes customer records harvested from a Salesforce CRM compromised via a phishing-stolen employee email account.
Carnival Corporation — Holland America Mariner Society phishing breach
ShinyHunters publicly dumped 7.5 million unique Mariner Society loyalty-programme email addresses after Carnival refused extortion following a single-user phishing compromise.
Medtronic — corporate IT breach, ShinyHunters extortion claim
Medical-device giant filed Form 8-K confirming corporate IT breach; ShinyHunters subsequently published the dataset alongside ~40 other victims after Medtronic refused extortion.
UK Biobank — 500,000-volunteer dataset listed on Alibaba
De-identified data on 500,000 UK Biobank volunteers listed on Alibaba; trail traced to three Chinese research institutions previously granted bulk access.
Bitwarden CLI — npm supply-chain compromise (downstream of Checkmarx)
Malicious @bitwarden/cli 2026.4.0 published to npm for ~90 minutes; payload harvested CI secrets; root cause was a compromised Checkmarx GitHub Action.
University of Mississippi Medical Center — Medusa ransomware
Medusa ransomware took Mississippi's only Level I trauma centre offline for nine days, demanded $800,000, and claimed exfiltration of more than 1 TB.
Stryker — Handala wiper attack via Microsoft Intune
Iran-linked Handala compromised a Microsoft Intune admin account at Stryker and remotely wiped roughly 200,000 employee devices across 79 countries.
Conduent — SafePay ransomware (govtech contractor)
Govtech contractor Conduent confirmed that a January 2025 ransomware breach exposed personal data of more than 25 million Americans across multiple US states.
Wynn Resorts — ShinyHunters Oracle PeopleSoft breach
ShinyHunters exploited an unpatched Oracle PeopleSoft flaw at Wynn Resorts in 2025, exfiltrating 800,000 employee records and demanding $1.5M — confirmed months later when the listing went public.
Singapore telecommunications — UNC3886 espionage
Singapore's Cyber Security Agency confirmed UNC3886 had persistent rootkit access across all four major Singapore telcos; the eviction operation took eleven months.
Coupang — South Korea customer data exposure
South Korea's largest e-commerce platform reported 33.7 million customer accounts exposed; Korean police identified a former employee as the principal suspect.
Red Hat Consulting — Crimson Collective repository theft
Crimson Collective claimed 570 GB exfiltrated from 28,000 internal Red Hat consulting repositories, including 800 customer engagement reports naming IBM, NSA, Cisco and the DoD.
Jaguar Land Rover — production halt
Vishing calls and stale infostealer credentials gave attackers admin access to JLR's SAP systems; ransomware halted five-plant production for five weeks on the UK's busiest plate-change day.
SalesLoft Drift OAuth supply-chain breach
Stolen OAuth tokens from the Drift conversational marketing platform let attackers query Salesforce environments at major enterprises and exfiltrate CRM data at scale.
Microsoft SharePoint — ToolShell zero-days
Two chained zero-days in on-premises SharePoint enabled unauthenticated remote code execution; incomplete patches kept attackers in for months.
Qantas — Salesforce-connected CRM exfiltration
Around 5.7 million Qantas customer records exfiltrated via a third-party platform integrated with the airline's Salesforce environment.
16-billion credential exposure
Researchers compiled roughly 16 billion login credentials from infostealer logs, phishing kits and prior breaches — the largest credential exposure ever disclosed.
Coinbase — overseas-contractor breach
Attackers bribed overseas Coinbase customer-support contractors to extract internal data on a subset of customers; Coinbase refused a $20M ransom and offered a counter-bounty.
Marks & Spencer
A Scattered Spider operation pivoted through M&S's third-party IT helpdesk into the retailer's Active Directory, halting online ordering for six weeks and exposing customer data.
Bybit
Approximately $1.46B in Ethereum drained from Bybit cold-wallet infrastructure via a compromised Safe{Wallet} signing flow — the largest cryptocurrency theft on record.
US Treasury — BeyondTrust supply-chain breach
Silk Typhoon used a stolen BeyondTrust API key to access US Treasury workstations including those of the sanctions team at OFAC and the foreign-investment reviewers at CFIUS.
Radiant Capital — cross-chain lending exploit
DPRK's UNC4736 operators delivered macOS malware via a fake-contractor Telegram message, compromised three of eleven multi-signature key-holders, and drained $50M from Radiant Capital's cross-chain lending pools.
US telecoms — Salt Typhoon espionage campaign
Salt Typhoon, a Chinese state-sponsored group, compromised lawful-intercept systems at nine US telecom carriers, reading wiretap lists and senior officials' communications for months before detection.
WazirX — multi-signature wallet compromise
Attackers compromised four multi-signature co-signers protecting WazirX's Liminal Custody wallet and used a smart-contract upgrade to drain $235M, forcing India's largest crypto exchange into Singapore restructuring.
CDK Global — auto-dealer SaaS ransomware
BlackSuit ransomware took CDK Global offline for two weeks, halting transactions at 15,000 North American auto dealerships; CDK reportedly paid a $25M ransom rather than rebuild from backup.
DMM Bitcoin — hot wallet compromise
North Korean TraderTraitor operatives compromised a Ginco wallet engineer via a fake LinkedIn job offer, then stole $305M from the DMM Bitcoin exchange.
Snowflake-customer mass credential-stuffing
Infostealer-harvested credentials with no MFA gave attackers access to roughly 165 Snowflake customer environments including Ticketmaster and Santander, exposing hundreds of millions of records.
Ascension Health — Black Basta ransomware
Black Basta ransomware hit Ascension Health's 140 hospitals after a contractor opened a malicious file, forcing paper-based clinical care and exposing 5.6 million patient records.
Change Healthcare — ALPHV/BlackCat ransomware
ALPHV ransomware took US healthcare-claims clearinghouse Change Healthcare offline for weeks, blocked a third of US claims processing, and exposed 190M individuals' health records.
LoanDepot — ALPHV ransomware
ALPHV ransomware encrypted LoanDepot's systems in January 2024, forcing a multi-week portal outage and exposing full mortgage dossiers on 16.9 million customers.
KyberSwap — concentrated-liquidity exploit
An attacker exploited a tick-boundary rounding flaw in KyberSwap Elastic's concentrated-liquidity contracts to drain $54M across six chains, then demanded total governance control of the protocol.
ICBC Financial Services — LockBit ransomware
LockBit ransomware disabled ICBC's US broker-dealer arm via the Citrix Bleed vulnerability in November 2023, disrupting US Treasury market settlement and forcing manual trade processing.
British Library — Rhysida ransomware
Rhysida ransomware encrypted the British Library's systems in October 2023; the Library refused to pay, lost 600GB of data to publication, and faced a £6–7M recovery bill.
Boeing — LockBit ransomware leak
LockBit accessed Boeing via the Citrix Bleed vulnerability in October 2023, exfiltrated 43GB of data, and published it after Boeing declined to pay the ransom.
23andMe — credential-stuffing breach
Attackers credential-stuffed 14,000 23andMe accounts, then exploited the DNA Relatives feature to harvest profile data on 6.9 million users including ancestry and health predisposition records.
Mixin Network — cloud-provider key compromise
Attackers breached the third-party cloud database used by Mixin Network's deposit infrastructure, obtained the credentials it contained, and drained $200M — the single largest crypto loss of 2023.
MGM Resorts — Scattered Spider ransomware
A LinkedIn search and a helpdesk phone call gave Scattered Spider domain-admin access to MGM Resorts; ransomware halted casino operations for ten days and cost over $100M.
Caesars Entertainment — Scattered Spider extortion
Scattered Spider socially engineered an IT support contractor, exfiltrated the Caesars Rewards loyalty database, and reportedly received a $15M ransom payment to prevent data publication.
Stake.com — hot wallet compromise
FBI-attributed Lazarus Group operators obtained Stake.com hot-wallet private keys and drained $41M in ETH, BTC and stablecoins across multiple networks in September 2023.
Curve Finance — Vyper compiler exploit
A reentrancy bug in specific Vyper compiler versions drained $70M from multiple Curve Finance pools; the attacker voluntarily returned a portion of the stolen funds.
Multichain — bridge collapse
Five days after Chinese police detained Multichain's CEO — sole custodian of the bridge keys — $130M drained from bridge contracts; the protocol shut down permanently.
Atomic Wallet — multi-chain user theft
Lazarus Group operators drained approximately $100M from 5,500 Atomic Wallet user accounts across eight blockchains simultaneously — the largest known theft from a non-custodial wallet application to date.
MOVEit Transfer — Cl0p mass exploitation
Cl0p exploited a SQL-injection zero-day in MOVEit Transfer before it was patched, silently exfiltrating data from over 2,600 organisations including US government agencies and major corporations.
US critical infrastructure — Volt Typhoon pre-positioning
Chinese state-sponsored Volt Typhoon silently pre-positioned inside US water, power and communications infrastructure for years, building persistent access for potential future use.
Euler Finance — flash-loan exploit
A flash-loan attack exploited a flaw in Euler's liquidation logic to drain $197M across six tokens; the attacker later returned nearly all funds after on-chain negotiations.
Royal Mail — LockBit ransomware
LockBit ransomware encrypted Royal Mail's international export systems in January 2023, suspending overseas deliveries for six weeks; Royal Mail refused to pay the $80M ransom demand.
LastPass — encrypted vault exfiltration
Attackers compromised a LastPass DevOps engineer's home computer to harvest credentials to the vault backup, then exfiltrated customer vault data including encrypted passwords.
Medibank Private — REvil-affiliated extortion
Russian-attributed actors stole the complete health-claims database of Australia's largest private health insurer and published sensitive records including abortion and addiction data after Medibank refused to pay.
Mango Markets — oracle-manipulation drain
Avi Eisenberg manipulated Mango Markets' oracle to inflate collateral 13×, borrowed $114M against it, and publicly argued the theft was legal — until a federal jury disagreed.
BNB Chain Token Hub bridge exploit
An attacker forged IAVL proofs to mint $570M in BNB; validators paused the entire blockchain to freeze most of it, limiting unrecovered losses to approximately $100M.
Optus — Australian telco 9.8M-customer breach
An unauthenticated public API let an attacker enumerate 9.8 million Optus customer records — roughly 40% of Australia's population — including government identity document numbers.
Uber — 2016 cover-up + 2022 social-engineering breach
Uber concealed a 2016 breach of 57M records by paying the attacker as a bug bounty; a 2022 Lapsus$ intrusion exposed internal systems and executive Slack messages.
Nomad Bridge — open-door exploit
A routine upgrade accidentally set Nomad bridge's trusted root to zero, making every withdrawal message valid; opportunistic attackers drained $190M in a chaotic free-for-all within hours.
Harmony Horizon Bridge
Lazarus Group compromised two of the five multi-signature keys guarding the Harmony Horizon bridge and drained $100M in a single transaction.
Beanstalk Farms — flash-loan governance exploit
An attacker used flash loans to acquire a temporary governance supermajority and voted to drain $182M from Beanstalk Farms in a single on-chain transaction.
Ronin Network — Axie Infinity bridge theft
DPRK operators compromised Ronin Network validators and an Axie DAO key to authorise a $625M drain of ETH and USDC from the Axie Infinity bridge.
Okta — Lapsus$ support-engineer breach
Lapsus$ compromised a Sitel support engineer with Okta customer-tooling access and sat inside the environment for months; Okta's delayed public response compounded the reputational damage.
Wormhole — Solana bridge exploit
A signature-verification bypass in the Wormhole cross-chain bridge let an attacker mint 120,000 wrapped ETH from nothing and drain $320M — the second-largest DeFi exploit at the time.
BitMart — hot wallet compromise
Attackers stole BitMart's hot-wallet private keys and drained $196M across 20+ tokens — a breach first detected by an external researcher on Twitter, not BitMart's own monitoring.
Robinhood — 2021 vishing breach
An attacker social-engineered a Robinhood customer-support agent into granting account access, exposing email addresses for 5 million and full personal data for 310 users.
Cream Finance — flash-loan exploit
An attacker exploited a price-oracle flaw in Cream's lending protocol via flash-loan-borrowed yUSDVault tokens, drained $130M across multiple assets, and exited through Tornado Cash.
Coinbase — SMS 2FA recovery bypass
Attackers combined stolen credentials with a Coinbase SMS recovery flaw to take over 6,000 accounts and drain balances; the 2020 breach wasn't disclosed to users until October 2021.
T-Mobile US — recurring data breaches 2018-2023
T-Mobile US disclosed at least eight data breaches between 2018 and 2023; the 2021 incident exposed 76.6 million records via an exposed gateway and produced a $350M settlement.
Poly Network — cross-chain bridge exploit
A privilege-escalation flaw in the Poly Network bridge let an attacker appoint themselves contract administrator and drain $611M — then the attacker returned all funds over two weeks.
Kaseya VSA — REvil supply-chain ransomware
REvil exploited a zero-day authentication bypass in Kaseya VSA to push ransomware through managed service providers to roughly 1,500 downstream businesses in July 2021.
JBS Foods — REvil ransomware
REvil ransomware took JBS Foods — the world's largest meat processor — offline globally; JBS paid an $11M ransom to restore operations within days, then disclosed it.
Ireland's HSE — Conti ransomware
Conti ransomware entered Ireland's Health Service Executive via a phishing email, encrypted core clinical systems, and forced hospitals to cancel tens of thousands of appointments.
Colonial Pipeline — DarkSide ransomware
DarkSide ransomware encrypted Colonial Pipeline's billing, prompting a six-day shutdown of the largest US East Coast fuel pipeline; Colonial paid $4.4M, DOJ recovered $2.3M.
Microsoft Exchange — Hafnium ProxyLogon
Chinese state-sponsored Hafnium exploited four chained Exchange zero-days (ProxyLogon) before patches were available; over 250,000 servers were compromised by multiple actors within days of disclosure.
SolarWinds — Sunburst supply-chain compromise
Russian SVR operators compromised SolarWinds' Orion build server and pushed the Sunburst backdoor via a signed software update to 18,000 customers including nine federal agencies.
KuCoin — hot wallet compromise
Attackers obtained KuCoin's hot-wallet private keys and drained $281M across BTC, ETH and dozens of tokens; on-chain freezes and project-team co-operation recovered most of the funds.
Garmin — WastedLocker ransomware
WastedLocker ransomware took Garmin's consumer, aviation and marine services offline for several days; Garmin reportedly paid the $10M ransom to restore operations.
Twitter — verified-account Bitcoin scam
A 17-year-old social-engineered Twitter employees into admin tool access, hijacked 130 high-profile accounts including Obama and Musk to run a Bitcoin scam, and collected $120,000.
Travelex — Sodinokibi ransomware
A New Year's Eve ransomware deployment took Travelex's foreign-exchange systems offline for weeks, contributed to its August 2020 administration, and forced UK store closures.
Pulse Secure VPN — mass exploitation of CVE-2019-11510
CVE-2019-11510 in Pulse Secure VPN went unpatched at thousands of enterprises; criminal and nation-state actors exploited it for years, breaching Travelex, US federal agencies and defence contractors.
Capital One — AWS misconfiguration breach
A misconfigured web application firewall let a former AWS employee exfiltrate personal data on 100 million US and 6 million Canadian Capital One credit-card applicants.
First American Financial — 885M document exposure
An IDOR vulnerability in First American's document portal exposed 885 million mortgage and title records publicly online — no authentication required to access any document.
Norsk Hydro — LockerGoga ransomware
LockerGoga ransomware was pushed via Active Directory to every Norsk Hydro Windows workstation simultaneously, halting aluminium production globally and costing the company over $70M to recover.
Marriott / Starwood — 500M guest records
Chinese state-sponsored actors spent four years inside Starwood's reservation system — surviving the Marriott acquisition — and exfiltrated passport numbers and stay records on 500 million guests.
Cosmos Bank — FASTCash ATM cashout
Lazarus compromised Cosmos Bank's ATM payment switch and co-ordinated 14,000 simultaneous withdrawals across 28 countries, stealing $13.5M in 13 hours — the canonical FASTCash demonstration.
Banco de Chile — MBR wiper and SWIFT theft
Lazarus deployed a master-boot-record wiper across 9,000 Banco de Chile workstations as a diversion, then issued $10M in fraudulent SWIFT transfers while responders focused on restoring desktops.
Equifax — 147M consumer record breach
An unpatched Apache Struts flaw in Equifax's web portal exposed personal data on 147 million Americans, plus UK and Canadian consumers, in a 76-day intrusion.
A.P. Moller-Maersk — NotPetya collateral damage
NotPetya, deployed by Russian military intelligence through Ukrainian tax software, destroyed Maersk's global IT estate in hours; the shipping giant reported $300M in losses and rebuilt 45,000 PCs.
NotPetya — Ukrainian-targeted destructive wiper
A destructive wiper disguised as ransomware spread via a poisoned Ukrainian M.E.Doc tax software update and propagated through EternalBlue and credential theft, causing $10B+ in damage globally.
WannaCry — global SMB-worm ransomware
A North Korean ransomware worm using leaked NSA EternalBlue tooling encrypted 200,000+ Windows systems across 150 countries, including a third of NHS England Trusts.
Ukrainian power grid — BlackEnergy + Industroyer
Russian Sandworm operators twice cut Ukrainian electricity using custom ICS malware — BlackEnergy in 2015 and Industroyer in 2016 — the first confirmed cyberattacks to cause power outages.
Tesco Bank — debit-card fraud weekend
Attackers exploited a predictable card-number pattern and an authorisation flaw to drain £2.26M from 9,000 Tesco Bank accounts in a single weekend, earning the first FCA cyber fine.
Yahoo — three-billion account breach
Two breaches in 2013 and 2014, disclosed only in 2016, ultimately exposed all 3 billion Yahoo accounts — the largest user-data exposure ever disclosed.
Bitfinex — 119,756 BTC theft
Attackers exploited Bitfinex's BitGo multi-signature integration to steal 119,756 BTC worth $72M — later recovered by US authorities in 2022 as the largest crypto seizure in history.
The DAO — recursive-call exploit
A reentrancy flaw in The DAO contract let an attacker drain 3.6M ETH worth roughly $50M; the Ethereum community's hard fork to reverse the theft remains controversial.
Bangladesh Bank — SWIFT heist
Lazarus Group operators issued $951M in fraudulent SWIFT transfers from Bangladesh Bank's Federal Reserve account; $81M cleared via Manila before the heist was detected.
US Office of Personnel Management — federal records breach
Chinese state-sponsored actors exfiltrated 21.5 million federal personnel records from the Office of Personnel Management, including security-clearance files with detailed background investigation data.
Carbanak / FIN7 — multi-bank ATM and SWIFT campaign
A multi-year campaign against banks combined spear-phishing, lateral movement and direct manipulation of payment infrastructure to steal $1B+ through ATM cash-outs and SWIFT transfers.
Anthem — 78.8M health-insurance records
Chinese state-sponsored actors spear-phished into Anthem's data warehouse and exfiltrated personal data on 78.8 million current and former health-insurance customers.
Sony Pictures Entertainment — Guardians of Peace wiper
North Korean Lazarus operators wiped Sony Pictures' IT estate, leaked unreleased films and executive emails, and threatened cinema chains — the first nation-state attack on a media company.
Home Depot — 56M card breach
Vendor credentials gave attackers network access nine months after the identical Target playbook was public; custom BlackPOS malware ran undetected for five months and captured 56 million cards.
JPMorgan Chase — 2014 customer data breach
Attackers compromised a JPMorgan server missed by the bank's two-factor authentication rollout and exfiltrated contact details for 76M households and 7M small businesses.
Mt. Gox — 850,000 BTC theft
The largest Bitcoin exchange of the early 2010s lost 850,000 BTC to multi-year wallet theft and filed for bankruptcy in 2014, producing a decade-long creditor process.
Target Corporation — 2013 card breach
Attackers entered Target's network through an HVAC supplier's stolen credentials, deployed memory-scraping malware on point-of-sale terminals, and exfiltrated 40M cards and 70M customer records.
Adobe — 153M user credentials
Attackers stole 153 million Adobe user records and source code for multiple products; weak password encryption meant the full credential database was effectively exposed.
Saudi Aramco — Shamoon wiper
A Shamoon wiper deployed on the night of Lailat al-Qadr destroyed master boot records and overwrote files on 35,000 Saudi Aramco workstations, rendering them permanently inoperable.
LinkedIn — 2012 password leak + 2021 scrape
A 2012 breach exposed 117 million LinkedIn password hashes stored without salting, which were cracked and used for credential-stuffing attacks for years after the original incident.
RSA SecurID — APT seed-record exfiltration
Spear-phishing via a malicious Excel attachment exploiting an Adobe Flash zero-day gave attackers RSA's SecurID seed database, compromising two-factor tokens used by defence contractors.
Stuxnet — Natanz uranium-enrichment sabotage
A US/Israeli joint operation deployed a Windows worm with four zero-day exploits to physically destroy Iranian uranium centrifuges by manipulating their Siemens PLCs — the first cyber weapon.
Operation Aurora — Google + 30 US technology firms
Chinese state-sponsored attackers exploited an Internet Explorer zero-day to breach Google, Adobe and at least 30 other companies, targeting source code and human-rights activists' accounts.
Heartland Payment Systems — 2008 card breach
A SQL-injection attack on Heartland's web platform seeded memory-resident sniffers across the payment processor's network, exposing 130 million cards across 250,000 merchants.
Hannaford Bros — point-of-sale card breach
Memory-scraping malware installed by the Albert Gonzalez crew on Hannaford supermarket POS systems harvested 4.2 million card numbers over three months without the company's knowledge.
Estonia — 2007 nation-scale DDoS
Three weeks of DDoS attacks against Estonian government, banking and media infrastructure following the relocation of a Soviet war memorial became the first nation-state cyber conflict.
TJX Companies — 94M card breach
Albert Gonzalez cracked the WEP network at a Marshalls store, pivoted to TJX's servers, and stole 45.6 million card numbers in the largest retail breach of its era.