top of page
ALL POSTS
University of Nottingham Data Breach: 454,635 Accounts Compromised in ShinyHunters Leak
Key Findings University of Nottingham suffered a significant data breach in June 2026 affecting approximately 454,635 accounts Attack attributed to ShinyHunters group operating a "pay or leak" extortion campaign Over 40GB of sensitive data stolen including student records from UK, China, and Malaysia campuses Exposed data includes email addresses, names, addresses, phone numbers, passport numbers, National Insurance numbers, and financial records Both current students and alu
Jun 112 min read
UNC3753 Escalates Campaign Against US Legal Firms: Vishing, Remote Access Tools, and Physical Intrusions
Key Findings UNC3753 (Luna Moth, Chatty Spider, Silent Ransom Group) conducted extortion campaign targeting US legal, financial, and professional services firms from January to May 2026 Attack chain relies entirely on social engineering and voice phishing with no malware or ransomware involved Threat actors escalated tactics to include physical office intrusions where operatives pose as IT technicians and insert USB drives to steal data Stolen data typically includes tax reco
Jun 83 min read
Luxury and Financial Services - 586,705 breached accounts
Key Findings ShinyHunters group conducted two separate "pay or leak" extortion campaigns against major companies in early 2026 Mytheresa luxury fashion platform: 84,108 breached accounts containing emails, names, phone numbers, addresses, purchase history, and partial credit card data Ameriprise Financial: 502,597 breached accounts with emails, names, phone numbers, addresses, and employer information from Salesforce and SharePoint systems Both companies had ransom demands th
May 272 min read
Grafana Rejects Ransom Demand Following Source Code Theft in GitHub Breach
Key Findings Grafana Labs suffered a breach allowing attackers to download source code after compromising a GitHub token No customer data exposure or impact to customer systems was found during investigation An attacker demanded ransom in exchange for not releasing the stolen code Grafana rejected the extortion demand, citing FBI guidance against paying ransoms Compromised credentials have been revoked and new security safeguards implemented The company plans to release addit
May 182 min read
Grafana GitHub Token Breach Results in Codebase Theft and Extortion Plot
Key Findings Unauthorized party obtained a GitHub token granting access to Grafana's environment and downloaded company source code Attacker demanded ransom to prevent stolen code from being published; Grafana refused to pay No customer data, personal information, or impact to customer systems was identified CoinbaseCartel, a data extortion group that emerged in September 2025, has claimed responsibility Grafana invalidated compromised credentials and implemented additional s
May 172 min read
Abrigo - 711,099 Accounts Breached
Key Findings ShinyHunters group conducted "pay or leak" extortion campaigns against at least two major companies in April 2026 Abrigo suffered a breach exposing 711,099 records from its Salesforce instance, containing business contact information Canada Life experienced a separate incident resulting in 237,810 breached records including customer personal data Both breaches involved similar extortion tactics followed by public data release when demands were not met Combined in
May 142 min read
TeamPCP Claims Sale of Mistral AI Repositories During Mini Shai-Hulud Attack
Key Findings TeamPCP-linked forum account claims to be selling roughly 5GB of internal Mistral AI repositories and source code The alleged archive contains approximately 450 repositories covering training systems, inference infrastructure, and enterprise AI projects No independent verification of the authenticity of the claimed repositories has been established The sale announcement surfaced days after Mini Shai-Hulud supply chain attacks compromised hundreds of npm and PyPI
May 133 min read
US Cybersecurity Experts Face Prison Time in Major Ransomware Conspiracy Case
Key Findings Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, sentenced to four years in prison for supporting BlackCat ransomware attacks Both pleaded guilty to conspiracy and extortion charges related to attacks between April and December 2023 Third accomplice Angelo Martino pleaded guilty and awaits sentencing scheduled for July 9 The trio deployed ALPHV BlackCat ransomware against multiple US victims and extorted approximately $1.2 million in Bitcoin De
May 32 min read
Former Cybersecurity Professionals Sentenced to 4 Years for BlackCat Ransomware Attacks
Key Findings Ryan Goldberg and Kevin Martin sentenced to four years in prison each for facilitating BlackCat ransomware attacks in 2023 Both defendants were employed in legitimate cybersecurity roles at the time of their crimes The pair, along with co-conspirator Angelo Martino, extorted approximately $1.3 million from a medical company in a single attack Goldberg fled to Europe after being interviewed by the FBI but was tracked across 10 countries and arrested in Mexico City
May 13 min read
ADT – 5,488,888 Accounts Breached
Key Findings ShinyHunters conducted two major "pay or leak" extortion campaigns in April 2026 targeting ADT and Udemy ADT breach exposed 5.5 million unique email addresses plus names, phone numbers, and physical addresses Small percentage of ADT records also contained dates of birth and last four digits of Social Security numbers or Tax IDs Udemy breach exposed 1.4 million unique email addresses belonging to customers and instructors Udemy data included names, addresses, phon
Apr 272 min read
Ransomware Negotiator Guilty of Secretly Supporting BlackCat Extortion Operations
Key Findings Angelo Martino, 41-year-old ransomware negotiator from Florida, pleaded guilty to assisting the BlackCat ransomware group while employed at a U.S. incident response firm Martino leaked confidential client information including insurance limits and negotiation strategies to BlackCat operators, enabling higher ransom demands across five victim cases starting April 2023 He conspired with two other cybersecurity professionals, Ryan Goldberg and Kevin Martin, to deplo
Apr 213 min read
Hackers claim control of Venice's San Marco anti-flood pumps
Key Findings Threat actors claiming to be "Infrastructure Destruction Squad" or "Dark Engine" breached Venice's San Marco flood defense system in late March 2026 Attackers claim to have maintained administrative access and stated they could disable flood defenses and inundate coastal areas Group offered full root access to the system for $600 USD, demonstrating both severity of breach and low barrier to further exploitation Italian authorities confirmed critical systems prote
Apr 132 min read
Mandiant Finds ShinyHunters Using Vishing to Steal MFA and Breach SaaS Platforms
Key Findings Mandiant has identified an "expansion in threat activity" using tactics consistent with extortion-themed attacks orchestrated by the ShinyHunters hacking group The attacks leverage advanced voice phishing (vishing) and fake credential harvesting sites to gain unauthorized access to victim environments by collecting sign-on (SSO) credentials and multi-factor authentication (MFA) codes The end goal is to target cloud-based software-as-a-service (SaaS) applications
Feb 12 min read
bottom of page
