{"uuid": "fc39c48d-0184-4461-a5ab-c7626da456bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-35273", "type": "seen", "source": "https://gist.github.com/alexshescp/873380551e7174db194e6617da981b13", "content": "# Top 50 Major Cyberattacks H1 2026 \u2014 Western Countries\n\n**Covering major incidents across Europe, USA, and Canada \u2014 January through June 2026**\n\n## Executive Overview\nThe first half of 2026 saw 896 indexed cybersecurity incidents globally, with ransomware and extortion groups \u2014 led by ShinyHunters, Qilin, and Everest \u2014 dominating the threat landscape. Data theft and \"leak-or-pay\" extortion replaced traditional ransomware encryption as the dominant business model, affecting telecoms, retail, healthcare, education, and critical infrastructure across Western nations. [insights.integrity360]\n\n---\n\n## \ud83c\uddf3\ud83c\uddf1 ODIDO \u2014 The Largest Dutch Breach in History\nOdido (formerly T-Mobile NL) suffered the most significant cybersecurity incident in Dutch history in early February 2026. 
The ShinyHunters group used multi-stage social engineering \u2014 impersonating ICT staff to bypass MFA \u2014 to access a Salesforce customer contact system between February 7\u20138, 2026.\n\n*   **6.5 million+ customers and 600,000 companies** affected.\n*   **Data stolen:** full names, addresses, IBANs, dates of birth, passport/driver's license metadata, and sensitive internal customer service notes.\n*   **ShinyHunters demanded a ransom exceeding \u20ac1 million.**\n*   **Odido refused to pay;** hackers began leaking data on 26 February, and published the complete dataset on 01 March 2026.\n*   The breach included sensitive residence permit data for diplomats and high-profile administrators.\n*   **Official Response:** Dutch Public Prosecution Service, the RDI (Rijksinspectie Digitale Infrastructuur), and the Autoriteit Persoonsgegevens (AP) all opened formal investigations.\n*   The breach occurred while Odido was preparing for an IPO valued at over \u20ac1 billion.\n*   Affected customers received 24 months of free digital security monitoring.\n\n---\n\n## \ud83d\udd34 Tier 1: Critical Scale (10M+ records / major operational disruption)\n\n| # | Organization | Country | Sector | Threat Actor | Data / Impact | Date |\n|:---|:---|:---|:---|:---|:---|:---|\n| 1 | Odido / Ben NL | \ud83c\uddf3\ud83c\uddf1 NL | Telecom | ShinyHunters | 6.5M customers; IBANs, passports, PII | Feb 2026 |\n| 2 | Match Group | \ud83c\uddfa\ud83c\uddf8 USA | Dating/Tech | ShinyHunters | ~10M records (via AppsFlyer) | Jan 2026 |\n| 3 | Canadian Tire | \ud83c\udde8\ud83c\udde6 CAN | Retail | Unknown | 38M+ accounts breached | Feb 2026 |\n| 4 | Instructure Canvas | \ud83c\uddfa\ud83c\uddf8 USA | EdTech | ShinyHunters | Millions of student records | May 2026 |\n| 5 | Target | \ud83c\uddfa\ud83c\uddf8 USA | Retail | WorldLeaks | 860 GB source code; credential theft | Jan 2026 |\n| 6 | Telus | \ud83c\udde8\ud83c\udde6 CAN | Telecom | ShinyHunters | PII, call data, recordings, source code | 
Mar 2026 |\n| 7 | SpeedX | \ud83c\uddfa\ud83c\uddf8 USA | Logistics | Misconfig | 840M+ delivery files (Azure Blob) | Mar 2026 |\n| 8 | Infutor | \ud83c\uddfa\ud83c\uddf8 USA | Data | Misconfig | 676.8M rows (Elasticsearch) | Mar 2026 |\n| 9 | Panera Bread | \ud83c\uddfa\ud83c\uddf8 USA | Food | ShinyHunters | 5.1M+ customer emails | Jan 2026 |\n| 10 | Rockstar Games | \ud83c\uddfa\ud83c\uddf8 USA | Gaming | Snowflake | ~78.6M rows (Snowflake path) | Apr 2026 |\n\n## \ud83d\udfe0 Tier 2: High Severity (Sector disruption, sensitive data, major brands)\n\n| # | Organization | Country | Sector | Threat Actor | Data / Impact | Date |\n|:---|:---|:---|:---|:---|:---|:---|\n| 11 | Nike | \ud83c\uddfa\ud83c\uddf8 USA | Retail | WorldLeaks | 1.4 TB internal design/IP files | Jan 2026 |\n| 12 | MyFitnessPal | \ud83c\uddfa\ud83c\uddf8 USA | Fitness | Everest | ~72.7M emails recirculated | Jan 2026 |\n| 13 | Charter (Spectrum) | \ud83c\uddfa\ud83c\uddf8 USA | Telecom | ShinyHunters | 4.9M emails; 85K employee directory | May 2026 |\n| 14 | Stryker | \ud83c\uddfa\ud83c\uddf8 USA | MedTech | Iran APT | Device wiping, data theft | Mar 2026 |\n| 15 | L'Or\u00e9al / Alinto | \ud83c\uddeb\ud83c\uddf7 FR | Beauty/Tech | Unknown | ~40M rows SMTP metadata | Apr 2026 |\n| 16 | Novo Nordisk | \ud83c\udde9\ud83c\uddf0 DK | Pharma | FulcrumSec | Clinical trial data; $25M ransom | Jun 2026 |\n| 17 | Eastman Kodak | \ud83c\uddfa\ud83c\uddf8 USA | Tech | ShinyHunters | 2.2M+ records | Jun 2026 |\n| 18 | JCPenney | \ud83c\uddfa\ud83c\uddf8 USA | Retail | ShinyHunters | ~368K staff emails | Jun 2026 |\n| 19 | Ralph Lauren | \ud83c\uddfa\ud83c\uddf8 USA | Fashion | ShinyHunters | 220 GB data claim | Jun 2026 |\n| 20 | One Medical | \ud83c\uddfa\ud83c\uddf8 USA | Health | ShinyHunters | 8.8 TB data claim | Jun 2026 |\n| 21 | West Pharma | \ud83c\uddfa\ud83c\uddf8 USA | Pharma | Ransomware | Material encryption | May 2026 |\n| 22 | Council of Europe | \ud83c\uddeb\ud83c\uddf7 FR | Govt | 
ShinyHunters | 297 GB HR/payroll data | Jun 2026 |\n| 23 | Tchap | \ud83c\uddeb\ud83c\uddf7 FR | Govt | Unknown | 73K users; govt messaging hijack | Jun 2026 |\n| 24 | U. Nottingham | \ud83c\uddec\ud83c\udde7 UK | Edu | Unknown | 454K student/alumni records | H1 2026 |\n| 25 | HCRG Care Group | \ud83c\uddec\ud83c\udde7 UK | Health | Medusa | PHI exposure | Jun 2026 |\n\n## \ud83d\udfe1 Tier 3: Significant Incidents (Notable sectors, confirmed breaches)\n\n| # | Organization | Country | Sector | Threat Actor | Data / Impact | Date |\n|:---|:---|:---|:---|:---|:---|:---|\n| 26 | Texas Parks & Wild | \ud83c\uddfa\ud83c\uddf8 USA | Govt | Unknown | 3M+ anglers; DL/Passport data | Jun 2026 |\n| 27 | Nintendo | \ud83c\uddfa\ud83c\uddf8 USA | Gaming | ShadowByte$ | TinyPulse employee data | H1 2026 |\n| 28 | GrayRobinson | \ud83c\uddfa\ud83c\uddf8 USA | Legal | Unknown | 65K records notified | Apr 2026 |\n| 29 | Global Schools | \ud83c\uddec\ud83c\udde7 UK | Edu | FulcrumSec | 183K student rows | Jun 2026 |\n| 30 | IC Security | \ud83c\uddfa\ud83c\uddf8 USA | Cyber | ShinyHunters | 2.7M+ records | Jun 2026 |\n| 31 | Mercedes-Benz UK | \ud83c\uddec\ud83c\udde7 UK | Auto | Forum Actor | 130K records | May 2026 |\n| 32 | Fiserv | \ud83c\uddfa\ud83c\uddf8 USA | Fintech | Everest | Scope unconfirmed | May 2026 |\n| 33 | Symcor | \ud83c\udde8\ud83c\udde6 CAN | Fintech | Everest | Financial processor | May 2026 |\n| 34 | Epiq Global | \ud83c\uddfa\ud83c\uddf8 USA | Legal | Everest | Legal processing services | May 2026 |\n| 35 | Huntress/Tanium | \ud83c\uddfa\ud83c\uddf8 USA | Cyber | Icarus | Salesforce CRM data | Jun 2026 |\n| 36 | Klue | \ud83c\udde8\ud83c\udde6 CAN | SaaS | Icarus | OAuth token theft | Jun 2026 |\n| 37 | Blue Fish Peds | \ud83c\uddfa\ud83c\uddf8 USA | Health | Unknown | 41K patient records | Jun 2026 |\n| 38 | S. 
Texas Spinal | \ud83c\uddfa\ud83c\uddf8 USA | Health | Gentlemen | Patient records | H1 2026 |\n| 39 | Athens Ortho | \ud83c\uddfa\ud83c\uddf8 USA | Health | Gentlemen | Patient records | H1 2026 |\n| 40 | Mastra npm | \ud83c\uddfa\ud83c\uddf8 USA | Dev | Typosquat | 141 packages backdoored | Jun 2026 |\n\n## \ud83d\udd35 Tier 4: Notable / Sector-Significant\n\n| # | Organization | Country | Sector | Threat Actor | Impact | Date |\n|:---|:---|:---|:---|:---|:---|:---|\n| 41 | FortiBleed | Global | Network | Infostealer | 75K admin/SSL VPN creds | Jun 2026 |\n| 42 | Roth Industries | \ud83c\uddfa\ud83c\uddf8 USA | Mfg | Qilin | Ransomware | May\u2013Jun |\n| 43 | Pro-MEC Eng | \ud83c\uddec\ud83c\udde7 UK | Eng | Qilin | Ransomware | May\u2013Jun |\n| 44 | Sparkle Pools | \ud83c\uddfa\ud83c\uddf8 USA | SMB | Qilin | Ransomware | May\u2013Jun |\n| 45 | ALS Limited | \ud83c\udde6\ud83c\uddfa AUS | Testing | Aurora | Ransomware | H1 2026 |\n| 46 | Calipage Humblet | \ud83c\udde7\ud83c\uddea BE | Retail | Gentlemen | Data exposure | H1 2026 |\n| 47 | Kyushu Electric | \ud83c\uddef\ud83c\uddf5 JP | Util | Physical | 10.9M records (lost SSD) | May 2026 |\n| 48 | Oracle PeopleSoft | Global | ERP/HR | ShinyHunters | HR/Payroll data exposure | Jun 2026 |\n| 49 | Coupang | \ud83c\uddf0\ud83c\uddf7/\ud83c\uddfa\ud83c\uddf8 | Retail | Unknown | 37.55M accounts; massive fine | Feb 2026 |\n| 50 | Serasa / AT&T | \ud83c\uddfa\ud83c\uddf8 USA | Credit | Forum Recirc | 223M+ records/SSN | Apr 2026 |\n\n---\n\n## Key Threat Actors H1 2026\n\n| Group | Model | Primary Western Victims |\n|:---|:---|:---|\n| **ShinyHunters** | SocEng + Extortion | Odido, Telus, Match, Canvas, Charter |\n| **WorldLeaks** | Data Theft | Nike, Target |\n| **Everest Group** | Data Extortion | Under Armour, Fiserv, Symcor |\n| **FulcrumSec** | Pharma/Education | Novo Nordisk, Global Schools Group |\n| **Qilin** | SMB Ransomware | Roth, Pro-MEC, Sparkle Pools |\n| **Icarus** | Supply Chain (OAuth) | Klue, 
Huntress, Tanium, Jamf |\n| **TheGentlemen** | Health/Legal | Spinal Clinic, Orthopedic, Calipage |\n| **Iran-APT** | Wiper/Destructive | Stryker |\n\n---\n\n## H1 2026 Attack Pattern Analysis\nFive dominant attack vectors defined the first half of the year:\n\n1.  **Social engineering bypass of MFA:** The Odido breach is the textbook case: impersonation of IT staff to defeat authentication controls.\n2.  **OAuth/SaaS supply chain:** The Klue \u2192 Salesforce cascade showed that compromising one SaaS integrator can expose dozens of enterprise customers simultaneously.\n3.  **Cloud misconfiguration:** Azure Blob (SpeedX) and Elasticsearch (Infutor) exposed massive datasets without any sophisticated exploitation.\n4.  **Infostealer-to-enterprise:** FortiBleed\u2019s 75,000 verified firewall credentials and Target\u2019s workstation compromise demonstrate how commodity malware feeds targeted intrusions.\n5.  **HR/payroll as crown jewels:** Oracle PeopleSoft CVE-2026-35273 and ShinyHunters' June HR corpus made payroll systems the most targeted enterprise data category in Q2.\n\n---\n\n## Regulatory & Legal Fallout\nThe Odido breach triggered a landmark regulatory response in the Netherlands: formal investigations were opened simultaneously by the Autoriteit Persoonsgegevens (AP), the Rijksinspectie Digitale Infrastructuur (RDI), and the Openbaar Ministerie, with the AP and RDI signing a formal cooperation agreement. \n\nIn South Korea, Coupang received a record \u20a9624.6 billion fine from the PIPC. The Global Schools Group breach prompted a Bombay High Court injunction protecting children's mental-health data \u2014 signaling that courts are increasingly willing to intervene pre-emptively in data breach scenarios.", "creation_timestamp": "2026-06-26T08:42:13.192697Z"}