Date Victim Location Summary
Jun 2026 Texas Parks & Wildlife
United States of America
The Texas Parks & Wildlife Department experienced a data breach after attackers gained unauthorized access to a third‑party vendor system that processes hunting and fishing license transactions. The compromise exposed driver’s license numbers, passport numbers, email addresses, phone numbers and residential addresses of over three million individuals. Investigators found no evidence of malware, ransomware or phishing, and the attack was classified as a supply chain compromise with no threat actor identified. The incident prompted regulatory review and public notification efforts concerning the exposed personal data.
Jun 2026 The Credit Pros
None
A threat actor identified as Icarus claimed responsibility for compromising The Credit Pros' Salesforce environment, gaining access to employee, customer, and confidential business data. The exposed data reportedly includes names, contact information, dates of birth, addresses, credit and debit card details, Social Security numbers, and bank account information. Individuals who received breach notifications may face heightened risk of identity theft and fraud, prompting a national class action law firm to investigate potential litigation.
Jun 2026 Nintendo Co., Ltd.
United States of America
Nintendo confirmed that a third‑party survey tool, TinyPulse, used for internal employee feedback at its North American division was accessed, exposing a limited set of internal survey data belonging to a small subset of employees and mostly dating back several years. The company stated that its own systems were not compromised and that no customer or financial information was involved. The hacker group ShadowByt3$ claimed to have taken 859 MB of employee data including names, bank statements, IDs and analytics and demanded a $2 million ransom. The company said it is working with the service provider to resolve the issue and noted that employees outside North America were not affected.
Jun 2026 Council of Europe
France
ShinyHunters claims to have breached the Council of Europe, exfiltrating nearly 300 gigabytes of data comprising over 429,000 files from departments such as HR, Secretariat, Parliamentary Assembly and the European Directorate for the Quality of Medicines and HealthCare. The stolen material reportedly includes payroll information for more than ten thousand employees, upwards of fourteen thousand curricula vitae, contract and purchase order records, absence and illness reports, bank account details, performance evaluations and payroll exports, together with personal identifiers such as names, IDs, addresses, phone numbers, dates of birth, tax and social security numbers and medical records. The group has threatened to publish the data unless contacted to negotiate, and it notes that the same actors have been associated with a series of extortion incidents targeting various organizations, including a recent campaign that leveraged a zero‑day flaw in Oracle PeopleSoft affecting roughly one hundred entities.
Jun 2026 One Medical
United States of America
One Medical reported a data breach involving a third‑party file storage system that stored archived information from Iora Health, a primary care provider it had acquired. An unauthorized party accessed the system, resulting in the exposure of patient files for a limited number of individuals associated with the company's senior care clinics and the legacy Iora Health population. The company said it immediately deactivated the storage system, revoked all access, and launched an investigation that confirmed no other company or Amazon systems were affected. Affected patients are being notified directly, and additional safeguards are being implemented to prevent similar incidents.
Jun 2026 Gong
United States of America
Klue, a marketing intelligence platform, was breached by the Icarus cybercriminal group which accessed the system through a legacy credential linked to an integration tool and stole client data such as names, email addresses, phone numbers, job titles and account details; the group threatened to publish the information unless a ransom was paid. Among the affected clients were several cybersecurity firms including Gong, HackerOne, Snyk, Recorded Future, Jamf, OneTrust and Tanium. Klue has enlisted CrowdStrike to investigate, has disabled external integrations and has not disclosed whether it will meet the ransom demand.
Jun 2026 LastPass
United States of America
LastPass disclosed that hackers obtained customer names, phone numbers, email addresses, physical addresses, customer support case records and sales‑related data after breaching technology partner Klue, while the company’s own systems and password vaults remained unaffected. The breach at Klue was claimed by the extortion group Icarus, which threatened to release the stolen information unless a ransom was paid. The company noted that its previous incident exposed encrypted password vaults, allowing attackers with weak master passwords to brute‑force them and access stored credentials, a situation that has been linked to subsequent cryptocurrency thefts. The firm reports serving tens of millions of users, with a substantial base of paying subscribers.
Jun 2026 JCPenney
United States of America
JCPenney and Catalyst Brands disclosed that a cybercrime group known as ShinyHunters claimed to have stolen a large volume of records containing Social Security numbers, dates of birth, W-2 tax forms, payroll records, driver's licenses, government-issued ID scans, and other personally identifiable information. The breach prompted Edelson Lechtzin LLP to launch an investigation into potential class action claims on behalf of individuals whose data may have been exposed.
Jun 2026 HackerOne
United States of America
The Icarus cybercriminal group breached the Klue marketing intelligence platform, exfiltrating client data that included business contacts such as names, email addresses, phone numbers, job titles and account details from companies like HackerOne, Snyk, Recorded Future, Jamf, OneTrust, Tanium and Gong. The attackers entered through a legacy credential tied to an integration tool that connects client cloud data to Klue, which gave them access to associated Salesforce databases. Klue has enlisted CrowdStrike to investigate, disabled all external integrations and faces a ransom demand with a threatened public leak if payment is not made.
Jun 2026 Insurity
United States of America
A hacking group compromised Klue’s integration infrastructure using a stolen legacy credential, obtained OAuth tokens, and accessed the Salesforce environments of several Klue customers, including the insurance service provider Insurity. The attackers exfiltrated business contact information and other data, claimed responsibility under the name Icarus, and threatened to release the information unless a ransom was paid, while Klue revoked tokens, disabled affected integrations, enlisted CrowdStrike for forensics, and notified law enforcement. The affected insurance provider confirmed the data theft and warned customers to watch for phishing attempts leveraging the stolen information.
Jun 2026 Sprout Social
United States of America
The breach of Klue’s infrastructure allowed an unauthorized actor to obtain OAuth tokens through a compromised legacy credential and use them to access connected Salesforce environments, including that of the social media analytics platform Sprout Social. The attacker impersonated Klue within those systems, exfiltrating customer data before the activity was detected and contained. Klue revoked the affected credentials and tokens, removed unauthorized code, disabled impacted integrations, notified law enforcement and engaged a forensic firm to investigate. Affected clients, among them several cybersecurity firms and other businesses, were informed of the incident and advised to monitor for potential misuse of the exposed information, such as phishing attempts leveraging the stolen data. The incident was claimed by an extortion group that set a deadline for victims to respond before threatening to release the data.
Jun 2026 Novo Nordisk
Denmark
Novo Nordisk experienced a cyberattack that led to the exfiltration of data from its internal systems, including clinical trial and healthcare provider information. The exposed patient data consisted of deidentified identifiers, sex, biomarkers, health and immunogenicity details, and lifestyle factors such as BMI, smoking status, and alcohol use, while provider data included names, registration numbers, contact emails, phone numbers, office locations, and WhatsApp details. Because the patient information was pseudonymized, the company said individuals cannot be identified without additional data, and no immediate risk to patients was believed to exist; meanwhile, affected providers are being notified and advised to watch for phishing or social engineering attempts. Certain systems were taken offline as a precaution, but core business operations continued unaffected, and the forensic investigation remains ongoing with the total number of impacted individuals still undetermined.
Jun 2026 Tanium
None
A supply chain compromise of the market intelligence platform Klue allowed attackers to obtain OAuth tokens for its Salesforce integration and access the Salesforce environments of several of its customers, including the cybersecurity firm Tanium. The intruders exfiltrated business contact data such as names, email addresses, job titles, phone numbers and business addresses from those CRM systems. Klue revoked the compromised credentials, disabled the affected integrations and worked with CrowdStrike and law enforcement to investigate the breach. Salesforce subsequently disabled the Klue integration, and another platform, Gong, took similar action after discovering its own Klue‑linked access had been used. A threat actor identifying itself as Icarus claimed responsibility for the intrusion and threatened to release the stolen data unless negotiations occurred.
Jun 2026 Jamf
None
A supply chain attack on the market intelligence platform Klue allowed threat actors to use compromised legacy credentials to obtain OAuth tokens for its Salesforce integration, which they then used to access the Salesforce instances of several Klue customers. Among those customers, Jamf, HackerOne, Huntress, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social disclosed that business information such as names, email addresses, job titles, phone numbers and business addresses was exfiltrated from their Salesforce CRMs. Klue revoked the compromised credentials and tokens, disabled the affected integrations and is investigating the incident with CrowdStrike and law enforcement, noting that no data stored within the Klue platform itself was affected. Salesforce subsequently disabled the Klue integration, and a threat actor identifying as Icarus claimed responsibility and threatened to release the stolen data.
Jun 2026 Recorded Future
United States of America
Hackers compromised Klue’s backend servers and pushed a malicious update that harvested OAuth tokens from its integrations, prompting Klue to deactivate those tokens and disable connections with platforms such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack. The attackers then used the Salesforce REST API to extract large volumes of CRM data, including business contacts, price quotes and sales‑related information from the accounts of Huntress and Recorded Future, while no threat data, passwords, payment card details or engineering files were accessed. Salesforce subsequently disabled the Klue Battlecards app after detecting unusual activity, and Huntress reported extortion attempts from a threat actor linked to the Icarus group, whose leak site displayed data allegedly taken from Salesforce. The breach was confined to the Klue‑Salesforce link, with no intrusion into the internal networks of the affected firms, and resembles earlier supply‑chain incidents though it appears to involve a new threat actor.
Jun 2026 Klue
None
Klue experienced a supply chain attack in which threat actors compromised its backend servers and deployed a malicious update to harvest OAuth tokens for its integrations, prompting the company to revoke those tokens and disable connections to Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack. The attackers then abused the Salesforce REST API to exfiltrate substantial CRM data, including business contacts, price quotes and sales‑related information, from affected customers such as Huntress and Recorded Future, while Salesforce subsequently disabled the Battlecards app integration after detecting unusual activity. Huntress reported receiving extortion attempts from a threat actor identified as Mr Brean, associated with the Icarus group, whose leak site displayed data allegedly taken from Salesforce, and the incident was confined to the integration with Salesforce with no breach of the victims’ internal systems.
Jun 2026 Huntress
United States of America
Threat actors compromised Klue's Battlecards application, using a long‑disused but still active credential to inject a malicious code update that harvested OAuth tokens and accessed Salesforce instances of integrated customers. The breach enabled a rapid series of nearly a thousand queries within a short window, leading to the exfiltration of business contacts and sales‑related data from at least one victim, Huntress. Klue responded by revoking all OAuth credentials and disabling its Salesforce integration, while the Icarus Extortion Group claimed responsibility and demanded payment to prevent public release of the stolen information.
Jun 2026 The Midland Theatre
United States of America
The Midland Theatre, a historic venue in Newark, Ohio, was recently identified as a victim of the Akira ransomware group. The incident appears on a list of recent compromises where the theatre is noted alongside other organizations affected by the same threat actor. No further details about the scope or impact of the attack are provided in the source.
Jun 2026 K & E Distributing
None
K & E Distributing was targeted by the Pear ransomware group. The incident is recorded on a ransomware leak site that lists recent victims with icons indicating the attack vector, sector, and whether data was leaked or a ransom amount known. The entry is marked as AI‑generated with no additional details such as leak size or ransom amount provided. The site also shows that the discovery occurred recently, placing the victim among other organizations compromised around the same time.
Jun 2026 Tata Electronics
India
Tata Electronics disclosed a cybersecurity incident after researchers said the ransomware group World Leaks posted more than 200,000 files totaling over 630 gigabytes on the dark web, claiming they contained Apple and Tesla trade secrets, employee emails, event logs and passport copies. The company said its response protocols were activated and operations remained unaffected, while Apple and Tesla were reviewing the alleged data and the company had informed some iPhone plant employees about the breach.