Data breach knowledge center

In March 2026, Aura, an identity theft protection provider, suffered a data breach involving nearly 900,000 records. Aura confirmed the incident, saying names and email addresses, as well as the home addresses and phone numbers of some current and former customers, were exposed.

In early 2026, Conduent, a major government technology contractor that processes medical billing and other transactions for government programs, confirmed that a previous large-scale data breach had affected more people than originally estimated. Hackers exposed the names, Social Security numbers, medical data, and health insurance information of more than 25 million people.

In December 2025, 700Credit, a company that provides credit check services to car dealerships across the U.S., confirmed a data breach affecting more than 5.6 million people. Hackers stole personal information including names, Social Security numbers, and addresses. The exposed data could be used for identity theft or financial fraud.

In October 2025, a hacker group claimed to have stolen around one billion customer records from a Salesforce database used by 39 companies, including Qantas, McDonald’s, and AeroMexico. The attackers threatened to release the data unless a ransom was paid. The stolen information may have included names, birthdates, Social Security numbers, and passport numbers, which could be used for identity theft.

In September 2025, Kering, the parent company of luxury brands like Gucci, Balenciaga, and Alexander McQueen, announced a data breach that exposed the personal information of around 7.4 million customers worldwide. The hackers have been identified as the Shiny Hunters group. The stolen information included names, email addresses, home addresses, phone numbers, and spending records.

In October 2025, 5CA, a third-party vendor providing services to Discord, reported a breach that affected approximately 70,000 Discord users. Data that may have been exposed included, among other records, names, Discord usernames, emails, billing information, IP addresses, and images of government IDs used in age verification procedures.

In July 2025, TransUnion, one of the three major credit reporting companies, suffered a data breach that exposed millions of customers’ personal information. Hackers stole sensitive data from a third-party application used for customer support, which includes names, birthdates, and Social Security numbers.

Nearly 16 million PayPal users’ credentials were allegedly posted for sale on the dark web around August 2025. While PayPal disputes this is the result of a recent breach, stating the allegations relate to a 2022 security incident, hackers claim the exposed info includes email addresses and plaintext passwords obtained in May 2025.

Over 16 billion login credentials of Apple, Facebook, and Google users were allegedly exposed around June 2025, potentially making it one of the largest data breaches in history. They were originally stolen using information-stealing malware — malicious software that gathers all the data it can find on a stored device and compiles it.

National Public Data, a data broker that provided online background checks and fraud prevention services, shut down in 2024 in the aftermath of a major data breach that left 2.9 billion records of 170 million people exposed. Leaked data included full names, Social Security numbers, mailing addresses, email addresses, and phone numbers.

Nearly 90 million AT&T customer records were breached in 2024, including full names, Social Security numbers, addresses, phone numbers, and email addresses. In early summer 2025, security experts discovered that these records had been re-packaged and put up for sale on the dark web again.