SecureSan Technologies
Resources

Breach & Threat Log

Real, sourced incidents from 2026 — what happened, how they got in, and the one control that would have changed the outcome. No vendor fear-mongering, no invented numbers.

Compiled and source-checked 14 July 2026 · 8 incidents

The pattern in 2026 so far

Read the entries below in order and one theme dominates: attackers did not break in — they logged in. Almost every major incident this year started with a person or an identity rather than a software flaw: a help-desk agent talked out of a credential, an employee phished out of an SSO token, a vendor whose access was simply inherited, a developer token left in a repository. Supply-chain compromise and OAuth abuse, not zero-days.

That is why the OWASP Top 10:2025 added Software Supply Chain Failures as a brand-new category, and why non-human identity inventory — service accounts, CI tokens, OAuth grants — has quietly become one of the highest-leverage controls you can implement this quarter.

June 2026 Supply chain · OAuth

Klue

Attackers used compromised legacy credentials to reach Klue's integration environment and obtain OAuth tokens tied to customer platforms, giving them unauthorised access to Salesforce CRM data across multiple customer environments. Salesforce disabled the Klue Battlecards integration on 17 June; Klue revoked the affected credentials, removed unauthorised code and disabled impacted integrations.

The control that would have mattered

Your vendor's OAuth grant is a key to your data. Inventory non-human identities — service accounts, CI tokens, OAuth grants — and rotate them like passwords. Most companies cannot even list theirs.

June 2026 Secrets in repos

Novo Nordisk

A developer token and credentials left in repositories were enough to get in. Clinical-trial data had been pseudonymised, so those records could not be tied back to patients — de-identification did exactly its job. Everything not protected that way (healthcare-professional contact details, source code, AI models) was left fully usable.

The control that would have mattered

This is the clearest argument for data minimisation you will read all year. The same breach was survivable for one dataset and damaging for another, and the only difference was whether the data had been protected before it was stolen.

June 2026 Extortion · ShinyHunters

Eastman Kodak

ShinyHunters listed Kodak on its leak site on 15 June claiming 2.2 million customer and corporate records, with an 18 June deadline. Kodak confirmed an unauthorised third party temporarily accessed a limited amount of company data, engaged external experts and law enforcement, and said there was no ongoing threat to its systems. Kodak has not verified the 2.2 million figure.

The control that would have mattered

Note the gap between the attacker's claim and the company's confirmation. Treat leak-site numbers as marketing until corroborated.

June 2026 Credential exposure

Exposed Elasticsearch database

Researchers found a publicly exposed Elasticsearch instance holding roughly 24 billion stolen credential records — about 8.3TB — including usernames, emails, plaintext passwords and login URLs. Most appeared to come from infostealer logs, Telegram cybercrime channels and earlier breach collections across 36 sources. Researchers could not confirm how many records were duplicates.

The control that would have mattered

Assume your users' passwords are already public. That is the whole argument for MFA and for credential-stuffing throttles — not a hypothetical.

June 2026 Ransomware · Extortion

DentaQuest

ShinyHunters published an alleged 234GB archive tied to the dental-benefits administrator. It began as a May 2026 'pay or leak' extortion campaign and the data was released after negotiations reportedly failed. DentaQuest contained the attack, brought in third-party experts, notified law enforcement and kept systems operational.

The control that would have mattered

Paying is not a strategy and refusing to pay is not a plan either. The plan is immutable, restore-tested backups plus an exercised IR runbook — decided before the ransom note.

March 2026 Destructive · Nation-state

Stryker

Iranian hackers broke into the US medical-technology company and remotely wiped tens of thousands of employee devices in a single operation, disrupting operations for several days. The US government attributed the group to an arm of Iranian intelligence. The breach had a material impact on Stryker's first-quarter earnings.

The control that would have mattered

A marked shift: from espionage and hack-and-leak toward openly destructive attacks. If your threat model assumes attackers want to stay quiet and monetise, it is incomplete.

January 2026 Third party

Match Group

ShinyHunters claimed a breach of the company behind Tinder, Hinge and OkCupid, citing marketing-analytics provider AppsFlyer as the entry point on its leak site. Match described it as a security incident still under investigation.

The control that would have mattered

Another third party, another front door. Your attack surface includes every vendor you have granted access to — whether or not it appears on your asset inventory.

January 2026 Misconfiguration

Exposed cloud database

Researchers discovered a publicly exposed database holding 149 million records — close to 100GB of sensitive information. The cause was a misconfigured cloud environment. No exploit, no zero-day.

The control that would have mattered

Security Misconfiguration is the biggest riser in the OWASP Top 10:2025 (now A02) for exactly this reason. Nobody had to attack anything.

← Back to SecureSan Technologies