Indian Breaches 🇮🇳

279 posts

@IBreaches

We track what companies don’t disclose. Data breaches. Leaks. Exposures. 🇮🇳 Stay informed. Stay secure.

India, Joined April 2026
3 Following, 192 Followers
Indian Breaches 🇮🇳
🇨🇿 A threat actor has advertised the alleged sale of a database linked to jidlopodnos.cz, a Czech food delivery and restaurant ordering platform, claiming exposure of more than 1.3 million order-related records and user account information.

According to the post, the dataset is described as originating from the Czech Republic in 2026 and allegedly contains approximately 1.3 million lines of data alongside a separate user database with around 107,000 records.

The exposed data may include:
• Customer names
• Email addresses
• Phone numbers
• Physical delivery addresses
• Order histories
• Restaurant and food order metadata
• Login usernames
• Password hashes
• Social login identifiers
• Device and application information
• Loyalty/reward account fields
• Registration and account activity details

Sample rows shared in the screenshots appear to contain food delivery order records, customer contact information, addresses within the Czech Republic, and references to user account structures including authentication-related fields.

The dataset appears to be structured as exported SQL/CSV-style records combining operational order data and user account information. The actor also references password-related fields, though the hashing format and security posture cannot be independently verified from the screenshots alone.

If authentic, potential risks may include:
• Credential stuffing attacks against reused passwords
• Targeted phishing and scam campaigns
• Exposure of customer location and ordering habits
• Account takeover attempts
• Identity and privacy risks tied to delivery addresses
• Social engineering using order history metadata
• Fraud involving loyalty or reward systems

Food delivery and e-commerce platforms are frequently targeted because they store large amounts of customer PII, operational logistics data, and authentication records that can be monetized for fraud or credential abuse.

At the time of writing, there is no public confirmation from jidlopodnos.cz regarding the authenticity or scope of the alleged breach. The screenshots alone do not independently verify whether the data originated directly from the company’s systems or from a third-party provider.

The authenticity, scope, and recency of the alleged dataset remain unverified.

#CzechRepublic #DataLeak #CyberSecurity #ThreatIntel #FoodDelivery #PII #Infosec #BreachForums #CredentialStuffing
Indian Breaches 🇮🇳
🇻🇳 A threat actor has claimed a full compromise of FiniHome.vn, a Vietnamese homestay self-check-in platform based in Can Tho, alleging theft of the company’s SQL databases, customer KYC information, and financial records.

According to the post, the incident allegedly occurred in May 2026 and involved the exfiltration of approximately 8,028 files totaling around 16 GB of data.

The exposed data may include:
• SQL database backups
• Customer KYC documents
• Full names
• Email addresses
• Bank account details
• Identity card/ID card images
• Payment information
• Booking histories
• Survey and transaction data
• Password-related fields
• Internal operational records

The screenshots shared by the actor appear to contain SQL dump fragments and payment-related records referencing customer names, email addresses, booking histories, and banking metadata. Some sample rows also appear to reference Vietnamese banking institutions and partial financial transaction details.

The dataset appears to be structured as SQL export data combined with uploaded document records, potentially indicating access to both backend databases and associated storage systems.

If authentic, potential risks may include:
• Identity theft using KYC and ID documents
• Financial fraud targeting affected customers
• Phishing and impersonation attacks
• Unauthorized account access attempts
• Exposure of travel and booking histories
• Abuse of banking metadata for scams or social engineering
• Regulatory and compliance consequences involving personal data handling

Travel and hospitality platforms are frequently targeted because they often store high volumes of sensitive customer identity documents, payment records, and reservation data in centralized systems.

At the time of writing, there is no public confirmation from FiniHome.vn regarding the authenticity or scope of the alleged breach. The screenshots alone do not independently verify whether the exposed data originated directly from FiniHome systems or from a connected third-party provider.

The authenticity, scope, and recency of the alleged dataset remain unverified.

#Vietnam #FiniHome #DataLeak #CyberSecurity #ThreatIntel #KYC #PII #Hospitality #Infosec #BreachForums
Indian Breaches 🇮🇳
🇺🇸 A ransomware/extortion group has listed Trellix — the cybersecurity company formed from the merger of McAfee Enterprise and FireEye — on its leak portal, claiming to possess internal company data and infrastructure screenshots allegedly taken from enterprise systems.

According to the leak page, the group claims the organization was “encrypted” on April 17, 2026, and published multiple screenshots as purported evidence of compromise.

The exposed material shown in the screenshots appears to include:
• VMware vSphere infrastructure panels
• Rubrik backup management dashboards
• Dell EMC DD System Manager interfaces
• Internal cluster and inventory information
• Virtual machine inventory and host details
• Storage usage and filesystem statistics
• Internal naming conventions and environment structures
• Administrative account/session screenshots

The screenshots appear to reference infrastructure associated with legacy FireEye-branded environments, including VMware vCenter systems and enterprise backup platforms. One screenshot allegedly shows an internal vSphere environment with more than 1,000 virtual machines and multiple clustered environments.

The dataset or files themselves were not publicly displayed in the screenshots, and the leak page only references “evidence packs” rather than publishing raw archives directly.

If authentic, potential risks may include:
• Exposure of internal infrastructure topology
• Increased risk of follow-on intrusions
• Credential abuse or privilege escalation attempts
• Intelligence gathering against enterprise customers
• Operational disruption from ransomware deployment
• Exposure of backup and disaster recovery architecture
• Potential targeting of connected client environments

Because Trellix operates in the cybersecurity sector and serves government and enterprise customers globally, any confirmed compromise could attract significant attention from both threat actors and defenders due to the sensitivity of the environments involved.

At the time of writing, there is no public confirmation from Trellix regarding the authenticity or scope of the alleged incident. The screenshots alone do not independently confirm full network compromise, data exfiltration, or ransomware deployment.

The authenticity, scope, and impact of the alleged breach remain unverified.

#Trellix #FireEye #McAfee #Ransomware #CyberSecurity #DataBreach #ThreatIntel #VMware #Rubrik #Infosec
Indian Breaches 🇮🇳
🇫🇷 A threat actor has published an alleged database linked to Deezer, the French music streaming platform, claiming exposure of more than 2.5 million user records.

According to the post, the dataset allegedly contains approximately 2,557,577 records and was shared in CSV format. The actor describes Deezer as a global music streaming service offering songs, albums, podcasts, and radio streaming through mobile and web platforms.

The exposed data may include:
• Full names
• Email addresses
• Dates of birth
• Gender information
• Country/location details
• User identifiers
• Additional profile metadata

Sample rows shared in the post appear to contain user profile information associated with Russian-language accounts, including names, birth dates, email addresses, and regional indicators.

The dataset appears to be structured as a flat CSV export containing personally identifiable information (PII). No passwords, payment card information, or authentication tokens were visible in the provided samples.

If authentic, potential risks may include:
• Credential stuffing attacks against reused accounts
• Targeted phishing and spam campaigns
• Social engineering using demographic data
• Privacy exposure of subscriber information
• Account enumeration and profiling
• Increased risk of identity fraud when combined with other breaches

Music streaming platforms are attractive targets for threat actors due to their large user bases, global reach, and the value of verified email/profile datasets for phishing operations and credential attacks.

At the time of writing, there is no public confirmation from Deezer regarding the authenticity of the alleged dataset. The screenshots alone do not independently verify whether the information originated from Deezer systems, a third-party integration, or previously aggregated leaks.

The authenticity, scope, and recency of the alleged dataset remain unverified.

#Deezer #France #DataLeak #CyberSecurity #ThreatIntel #PII #Streaming #Infosec #BreachForums #Privacy
Indian Breaches 🇮🇳
🇦🇪 A threat actor has advertised the alleged sale of a database linked to Namshi, a major Middle East fashion and e-commerce platform owned by Noon Group, claiming exposure of hundreds of thousands of user records.

According to the post, the leaked dataset allegedly contains around 428,000 customer records.

The exposed data may include:
• Usernames
• Full names
• Surnames
• Email addresses
• Phone numbers
• Gender information
• City and country details
• PO Box information
• Account status indicators
• Account creation timestamps
• Last login dates

The actor describes the dataset as “fresh” and shared sample rows allegedly showing customer information associated with multiple UAE locations including Dubai, Abu Dhabi, Sharjah, Ajman, Fujairah, Ras Al Khaimah, and Umm Al Quwain.

The dataset appears to be structured in CSV/database-export format, with records containing personally identifiable information (PII) and account metadata. No passwords or payment card details were shown in the provided samples.

If authentic, potential risks may include:
• Targeted phishing and SMS-based scams
• Account takeover attempts using credential stuffing
• Social engineering attacks against UAE residents
• Privacy exposure of customer activity and location data
• Fraudulent marketing or spam campaigns
• Identity profiling using combined personal metadata

E-commerce platforms are frequently targeted because customer databases can be monetized for phishing, advertising abuse, and credential attacks, especially when combined with previously leaked passwords from unrelated breaches.

At the time of writing, there is no public confirmation from Namshi or Noon Group regarding the authenticity of the alleged database. The screenshots alone do not independently verify whether the data originated from Namshi systems, a third-party service provider, or historical data aggregation.

The authenticity, scope, and recency of the alleged dataset remain unverified.

#Namshi #UAE #DataLeak #CyberSecurity #ThreatIntel #Ecommerce #Noon #PII #Infosec #BreachForums
Indian Breaches 🇮🇳
🇧🇪 A threat actor has posted an alleged database sale targeting a Belgian sports/fitness-related organization, claiming exposure of customer records containing sensitive banking information, including IBAN details.

According to the post, the exposed data may include:
• Customer IDs and account numbers
• Full names
• Dates of birth and age information
• Gender and customer status
• Street addresses and ZIP codes
• City/location information
• Phone numbers
• Email addresses
• IBAN numbers
• BIC/SWIFT banking identifiers
• Account holder names
• Financial/account balance-related fields
• Check-in or activity timestamps

The actor claims the dataset contains approximately 105,000 customer records and is offering portions of the database for sale individually or in bulk.

The screenshots appear to show structured JSON-style customer data, including Belgian IBAN formats and personal identity details. The referenced organization name in the post is vague (“SPORT”), making independent attribution difficult.

If authentic, potential risks may include:
• Banking fraud and unauthorized payment attempts
• Phishing or vishing attacks using accurate customer data
• Identity theft and financial impersonation
• Social engineering targeting fitness club members
• Fraudulent SEPA payment or direct debit abuse
• Credential attacks if reused emails/passwords exist elsewhere

Financially linked customer databases are highly valuable in underground markets because attackers can combine banking metadata with personal information to create convincing fraud campaigns.

At the time of writing, there are no publicly confirmed statements or major real-time news reports linked to this alleged Belgian sports-sector database leak. The screenshots alone do not independently confirm whether the data originates from a compromised gym chain, sports club platform, or third-party membership management system.

The authenticity, ownership, scope, and freshness of the alleged dataset remain unverified.

#Belgium #IBAN #Banking #CyberSecurity #DataLeak #ThreatIntel #Infosec #FinancialFraud #BreachForums #PII
Indian Breaches 🇮🇳
🇫🇷 A threat actor has posted an alleged “CRM Bisnis Prancis” database leak, claiming exposure of French business contact and customer relationship management (CRM) data totaling approximately 1.07 GB.

According to the post, the exposed data may include:
• Full names
• Business email addresses
• Mobile and landline phone numbers
• Company names
• Job titles and departments
• Business addresses
• City and regional information
• Industry classifications
• Company size and annual revenue details
• Lead source information
• CRM contact status
• Last activity dates
• Internal notes and comments

The screenshots suggest the dataset may originate from a CRM or sales intelligence platform containing B2B contact and lead management information rather than a direct breach of a single government system.

If authentic, potential risks may include:
• Business email compromise (BEC) campaigns
• Spear-phishing against executives and employees
• Corporate profiling and competitive intelligence abuse
• Fraud targeting sales and procurement teams
• Spam and unsolicited marketing activity
• Social engineering using internal CRM notes and lead data

The structure of the data resembles information commonly stored in CRM ecosystems such as Salesforce, HubSpot, Zoho, or similar customer management platforms, although the screenshots do not confirm the exact source platform.

At the time of writing, there are no publicly confirmed statements or major real-time news reports tied to this alleged French CRM dataset leak. It also remains unclear whether the data was obtained through direct compromise, third-party aggregation, exposed databases, or scraped business intelligence sources.

The authenticity, ownership, scope, and freshness of the alleged dataset remain unverified.

#France #CRM #CyberSecurity #DataLeak #ThreatIntel #Infosec #CyberThreats #B2B #OSINT #BreachForums
Indian Breaches 🇮🇳
🇵🇭 A threat actor has claimed to be selling an alleged database belonging to Philippine e-commerce platform BeautyMNL, a retailer focused on beauty, health, and lifestyle products.

According to the post, the exposed data may include:
• Usernames
• Email addresses
• First and last names
• Contact numbers
• Account creation dates
• Shipping addresses
• City, region, and postal code information
• Phone numbers tied to deliveries
• Courier and shipping method details
• Tracking numbers
• Delivery status and order information
• Order amounts and activity status

The actor claims the database contains approximately 431,000 records and references both customer contact information and shipping-related datasets. The screenshots suggest the data may be structured from customer order and logistics systems.

If authentic, potential risks may include:
• Phishing attacks targeting online shoppers
• Delivery scam campaigns using real order information
• Identity theft and account takeover attempts
• SMS-based fraud and fake courier notifications
• Credential stuffing if passwords were exposed elsewhere
• Increased targeting of customers through social engineering

The exposure of shipping and logistics data can be particularly dangerous because threat actors can craft convincing fraud messages using accurate delivery details, courier names, and order activity.

At the time of writing, there are no publicly confirmed statements from BeautyMNL or Philippine authorities regarding the alleged breach. No verified technical evidence confirming direct compromise of the platform has been independently established from the screenshots alone.

There are also no major real-time news reports currently confirming this incident. However, Southeast Asian e-commerce platforms continue to face increasing cyber threats due to the high value of customer and logistics data in underground markets.

The authenticity, scope, and freshness of the alleged dataset remain unverified.

#Philippines #BeautyMNL #Ecommerce #CyberSecurity #DataLeak #ThreatIntel #Infosec #CyberThreats #PII #BreachForums
Indian Breaches 🇮🇳
🇲🇽 A threat actor has claimed a breach involving Sunset World Resorts, a Mexican hospitality and resort group operating hotels in Cancun and the Riviera Maya, alleging the theft of internal corporate and operational data.

According to the post, the exposed data may include:
• Contracts with customers and suppliers
• Financial documents
• Oracle database contents
• Employee records
• Legal documents

The actor claims approximately 257 GB of “retrieved unique data” was obtained from the organization. The post describes Sunset World Group as a long-established hospitality business operating multiple resort properties in major tourist destinations across Mexico.

If authentic, potential risks may include:
• Exposure of guest and employee personal information
• Fraud targeting hotel customers and travel partners
• Leakage of financial and contractual information
• Business email compromise (BEC) attacks
• Exposure of internal operational systems or Oracle database credentials
• Reputational and regulatory impacts for the hospitality group

The hospitality and travel sector has increasingly become a target for cybercriminals due to the large volumes of customer data processed by hotels and resort operators, including payment details, passports, reservation records, and loyalty information.

At the time of writing, there are no publicly confirmed statements from Sunset World Resorts or Mexican authorities verifying the alleged breach. The screenshots do not include technical proof-of-access, ransomware notes, or verifiable database samples.

There are also no currently confirmed mainstream news reports specifically tied to this alleged Sunset World Resorts incident. However, the tourism and hospitality industry in Mexico has experienced growing cyber targeting in recent years, particularly against organizations handling international traveler data.

The authenticity, scope, and recency of the alleged data remain unverified.

#Mexico #Hospitality #Hotels #CyberSecurity #DataLeak #ThreatIntel #Infosec #CyberThreats #Oracle #BreachForums
Indian Breaches 🇮🇳
🇵🇭 A threat actor has claimed a breach involving Philippine-based insurer “GGI Insurance” (ggipinsurance.com), alleging the theft of hundreds of gigabytes of internal and customer-related data.

According to the post, the exposed data may include:
• Financial documents
• Employee records
• Customer and supplier contracts
• Strategic planning documents
• Confidential corporate information
• Personal data
• Insurance compensation-related records

The actor claims approximately 325 GB of “unique data” was obtained from the organization. The forum post references GGI Insurance as a provider of general and life insurance services, including motor, fire, marine, and health insurance products.

If authentic, potential risks may include:
• Exposure of customer personally identifiable information (PII)
• Insurance fraud and identity theft
• Financial scams targeting policyholders
• Business email compromise (BEC) campaigns
• Leakage of sensitive corporate and contractual information
• Regulatory and compliance implications for the affected organization

At the time of writing, there are no publicly confirmed statements or verified disclosures from the company or Philippine authorities regarding this alleged breach. No ransomware group attribution or technical intrusion details were provided in the screenshot.

The claim emerges amid a broader increase in attacks targeting insurance providers globally, where threat actors often seek access to financial records, claims data, customer identities, and internal communications due to their high black-market value.

The authenticity, scope, and recency of the alleged data remain unverified. The screenshots alone do not confirm whether the threat actor possesses legitimate internal company data or is recycling previously exposed information.

#Philippines #Insurance #CyberSecurity #DataLeak #ThreatIntel #Infosec #CyberThreats #PII #BreachForums #GGIInsurance
Indian Breaches 🇮🇳
🇨🇳 A threat actor has posted a massive alleged data leak tied to Shanghai government-related systems, claiming exposure of citizen records, police files, and food delivery datasets associated with “SHGA.gov.cn” and national police-linked data repositories.

According to the post, the exposed data may include:
• Names
• Home addresses
• Birthplaces
• Chinese National ID numbers
• Mobile and phone numbers
• Ethnicity information
• Education details
• Organization/employer data
• Citizen registry information
• Alleged police/case-related records
• Food delivery-related datasets

The actor claims the leak contains:
• Data on approximately 970 million Chinese citizens
• Around 1 billion alleged police-related files
• Roughly 500GB of food delivery-related data
• Several billion case records overall

The screenshots shared in the forum appear to show SQL/database table references and sample citizen entries written in Chinese, including structured fields commonly associated with identity registries.

This claim closely resembles previous large-scale China data leak narratives that have circulated in cybercrime communities over the past few years, including the widely discussed Shanghai police database leak that drew international attention in 2022. Some threat actors frequently recycle, repackage, or re-market previously leaked datasets while presenting them as “new” or “exclusive.”

At the time of writing, there are no newly confirmed official statements from Chinese authorities verifying this specific forum post or confirming a fresh compromise involving Shanghai government infrastructure. Chinese government agencies historically provide limited public disclosure regarding cyber incidents, making independent verification difficult.

If authentic, potential risks may include:
• Large-scale identity theft
• Financial fraud and SIM swap attacks
• State employee targeting
• Surveillance and intelligence exploitation
• Social engineering against Chinese citizens and organizations
• Blackmail or profiling using sensitive personal records

The authenticity, scope, and freshness of the alleged dataset remain unverified. Based on the screenshots alone, it is not possible to determine whether the data is newly compromised, partially recycled, aggregated from earlier breaches, or fabricated.

#China #Shanghai #CyberSecurity #DataLeak #ThreatIntel #Infosec #CyberThreats #BreachForums #OSINT #ChinaLeak
Indian Breaches 🇮🇳
🇮🇱 A threat actor has posted an alleged “DATABASE WARGA ISRAEL” dataset on a cybercrime forum, claiming to contain personal information associated with Israeli individuals. The post appears to advertise a structured database including contact and profile-related information.

According to the post, the exposed data may include:
• Phone numbers
• User IDs (UIDs)
• Email addresses
• First and last names
• Gender information
• Registration dates
• Birthdays
• Location and hometown data
• Relationship status
• Education-related details
• Workplace and social/group associations
• Page/activity metadata
• Account creation and last update timestamps

The dataset appears to resemble scraped or aggregated social/profile data rather than a direct breach of a single government platform. The screenshots suggest the information may originate from older social-network-style records or previously compiled datasets.

If authentic, potential risks may include:
• Targeted phishing and impersonation attacks
• Social engineering campaigns using personal profile data
• Doxxing and harassment risks
• Credential stuffing attempts if reused emails are involved
• Intelligence gathering against individuals or organizations

There are currently no confirmed public statements from Israeli authorities or officially verified breach disclosures directly tied to this specific forum claim at the time of writing. However, Israel has continued to face elevated cyber activity amid ongoing geopolitical tensions and hacktivist campaigns targeting public and private entities.

The authenticity, scope, and freshness of the data have not yet been independently verified. Some records shown in the screenshots appear dated, which may indicate portions of the dataset are historical, aggregated, or recycled from earlier leaks.

#Israel #CyberSecurity #DataLeak #BreachForums #ThreatIntel #CyberThreats #OSINT #Infosec
Indian Breaches 🇮🇳
🇵🇭 A threat actor using the alias “MDGhost” has claimed responsibility for an alleged breach involving passenger records associated with Clark International Airport in the Philippines.

According to the forum post, the seller claims to possess approximately 2 million passenger-related records allegedly linked to “clarkinternationalairport.com.” The dataset is being advertised for sale in CSV format, with a smaller sample reportedly shared publicly.

The exposed data may include:
• Passport numbers
• Full names
• Dates of birth
• Phone numbers
• Gender information
• Residential addresses
• Travel-related passenger details

The sample records shown in the post appear to contain:
• Philippine passenger identities
• Contact information
• Address records across multiple provinces
• Passport-associated identifiers
• Structured CSV-style travel database entries

Air travel and passenger datasets are considered highly sensitive because they can potentially be abused for:
• Identity theft
• Passport fraud
• Travel-related phishing scams
• Social engineering operations
• Account recovery abuse
• Cross-border fraud activity

The aviation and transportation sectors continue to face elevated cyber risks globally, particularly involving:
• Passenger information systems
• Booking and reservation platforms
• Third-party travel integrations
• Airport administration systems
• Loyalty and identity verification platforms

Recent cybersecurity discussions in Southeast Asia have increasingly focused on:
• Protection of passenger information
• Aviation sector ransomware threats
• Data exposure involving travel systems
• Risks associated with large-scale identity datasets

If authentic, potential risks may include:
• Exposure of traveler identities
• Passport misuse
• Fraud targeting affected passengers
• Spear-phishing campaigns using travel context
• Identity verification abuse
• Long-term privacy and security concerns

Notably, the threat actor claims the database contains approximately 2 million records while simultaneously advertising paid access and public samples — a common tactic in underground data marketplaces intended to attract buyers and validate authenticity.

At the time of writing, there is no independent verification confirming the authenticity, origin, or scope of the alleged dataset. No public statement from Clark International Airport or Philippine authorities regarding the claims was identified during analysis.

No major real-time public news coverage specifically confirming this alleged breach was identified at the time of writing, suggesting the claims currently remain limited to underground forum activity.

Status: Unverified — based on underground forum claims and publicly shared samples.

#CyberSecurity #Philippines #DataBreach #AviationSecurity #TravelSecurity #ThreatIntel #Infosec #Privacy #DarkWeb #PassengerData
Indian Breaches 🇮🇳
🇫🇷 A threat actor using the alias “fuzzedffmpeg” has claimed responsibility for an alleged breach involving “Action Populaire,” the social platform associated with the French political movement La France Insoumise (LFI).

According to the post, the actor claims to have leaked internal platform data allegedly extracted from the movement’s backend infrastructure, including membership, messaging, event participation, and payment-related information.

The exposed data may include:
• Email addresses
• Phone numbers
• Full names
• Personal addresses
• Private messages
• Group and event memberships
• Subscription and payment details
• Donation/payment amounts
• Internal platform metadata

The threat actor claims the dataset contains:
• Approximately 120,000 unique email addresses
• Around 20,000 phone numbers
• Group membership exports
• Payment-related data dumps
• Messaging-related archives

The post references multiple archive files allegedly containing:
• Group communications
• Event participation data
• Payment information
• Internal membership exports

Notably, the actor also hints at a possible remote code execution (RCE) vulnerability and criticizes the platform’s “outdated backend stack,” suggesting the alleged compromise may have originated through exploitable infrastructure weaknesses.

Political organizations and activist platforms across Europe have increasingly become targets for:
• Hacktivist campaigns
• Ideologically motivated attacks
• Espionage attempts
• Data theft and doxxing operations
• Disinformation and influence operations

Recent cybersecurity discussions in France have focused heavily on:
• Protection of political organizations
• Election-related cyber risks
• Foreign interference concerns
• Exposure of activist and donor information
• Security of political communication platforms

If authentic, potential risks may include:
• Exposure of political affiliations
• Targeted harassment or doxxing
• Phishing campaigns against members
• Disclosure of private communications
• Financial privacy concerns involving donations
• Reputational and operational damage

The exposure of payment and membership information could be particularly sensitive given the political nature of the organization and the potential for ideological targeting.

At the time of writing, there is no independent verification confirming the authenticity or full scope of the alleged breach. No official public statement from La France Insoumise or Action Populaire regarding the claims was identified during analysis.

No major real-time public news coverage specifically confirming this alleged incident was identified at the time of writing, suggesting the claims are currently circulating primarily within underground communities.

Status: Unverified — based on underground forum claims and publicly shared descriptions.

#CyberSecurity #France #DataBreach #ThreatIntel #PoliticalSecurity #Infosec #Privacy #DarkWeb #Hacktivism #LaFranceInsoumise
Indian Breaches 🇮🇳
🇺🇸 A threat actor using the alias “boltak” is advertising what they claim is full administrative access to a major US non-emergency medical transportation (NEMT) platform affecting more than 500,000 patient records and hundreds of transportation providers.

According to the post, the seller claims the access is not a static database leak but a “live operational control panel” capable of managing and manipulating the transportation ecosystem in real time.

The exposed systems allegedly include:
• Full administrative dashboards
• Provider onboarding systems
• Trip and billing management portals
• Live dispatch functionality
• Operational reporting systems
• Backend source code access
• Patient transportation databases

The exposed data may include:
• Patient names
• Personally identifiable information (PII)
• Insurance-related information
• Medicaid/Medi-Cal transportation records
• Transportation schedules
• Ride assignments
• Billing and invoicing data
• Provider details
• Driver and subcontractor information
• Real-time operational metadata

The threat actor specifically claims the platform supports:
• More than 200 providers
• Large-scale subcontractor networks
• Integrations with Lyft, Uber Health, and related transportation ecosystems
• Automated billing workflows
• Remote operational access

Of particular concern, the seller openly describes potential criminal abuse scenarios, including:
• Fraudulent billing operations
• Creation of fake provider entities
• Manipulation of transportation assignments
• Extraction of sensitive healthcare-related records
• Market intelligence gathering against competitors

If authentic, this would represent a highly sensitive healthcare-sector compromise because non-emergency medical transportation systems often process:
• Medicaid and Medicare-related information
• Healthcare appointment logistics
• Patient mobility data
• Insurance billing workflows
• Protected health information (PHI)

Recent cybersecurity reporting in the United States has shown increasing attacks against:
• Healthcare logistics providers
• Ambulance and transportation systems
• Medical scheduling platforms
• Third-party healthcare vendors
• Insurance-integrated healthcare applications

Healthcare transportation systems are especially attractive to threat actors because operational disruption can directly impact patient care, appointment access, and insurance reimbursement pipelines.

Potential risks may include:
• Healthcare fraud
• Insurance fraud
• Exposure of protected health information
• Manipulation of patient transportation services
• Operational disruption for medical providers
• Targeted attacks against vulnerable patients
• Regulatory consequences under HIPAA and state privacy laws

The post also suggests the actor may still possess ongoing operational access rather than historical data alone, significantly increasing potential impact if the claims are accurate.

At the time of writing, no specific healthcare provider or NEMT platform was publicly identified in the forum post, and there is currently no independent public confirmation validating the claims. No directly linked real-time public news coverage regarding this specific alleged breach was identified during analysis, though healthcare-sector cyberattacks continue to rise across the US healthcare ecosystem.

Status: Unverified — based on underground forum claims and screenshots.

#CyberSecurity #Healthcare #HIPAA #DataBreach #ThreatIntel #Infosec #MedicalData #UnitedStates #HealthcareSecurity #DarkWeb
Indian Breaches 🇮🇳
🇷🇴 A threat actor using the alias “moxzey” has listed an alleged database belonging to Romanian e-commerce platform “medialgaxy.ro” for sale on an underground cybercrime forum.

According to the post, the dataset allegedly contains 86,283 user records dated May 2026. The seller claims the data is being offered privately and requests proof of funds before sharing additional information.

The exposed data may include:
• Full names
• Phone numbers
• Billing names
• Billing phone numbers
• Billing addresses
• Billing cities and postal codes
• Shipping phone numbers
• Shipping addresses
• Shipping cities and postal codes
• Payment method information
• Currency references
• Internal customer identifiers

Sample records shown in the post appear to reference:
• Romanian customer addresses
• Order and payment metadata
• Shipping details
• Contact information
• Local billing information tied to transactions

The dataset appears to resemble structured e-commerce or order-management database exports containing customer fulfillment and payment-related records.

Romania has experienced a growing number of cyber incidents affecting retail, logistics, and online commerce platforms in recent years, particularly involving:
• Customer databases
• Delivery systems
• Payment processing platforms
• Loyalty and account management systems
• Third-party e-commerce integrations

E-commerce datasets are highly valuable in underground markets because they can enable:
• Identity theft
• SMS phishing campaigns
• Financial fraud
• Social engineering attacks
• Account takeover attempts
• Delivery and payment scams

If authentic, potential risks may include:
• Exposure of customer contact details
• Fraud targeting Romanian consumers
• Phishing using shipping or payment themes
• Identity misuse involving billing information
• Increased spam and scam activity
• Credential-stuffing attempts if reused passwords exist elsewhere

At the time of writing, there is no independent verification confirming the authenticity or scope of the alleged database. There has also been no public confirmation from medialgaxy.ro regarding the claims shown in the forum listing. No major real-time public news coverage related specifically to this alleged breach was identified at the time of analysis, suggesting the incident may currently be limited to underground forum activity.

Status: Unverified — based on underground forum sale claims and publicly shared samples.

#CyberSecurity #DataBreach #Romania #Ecommerce #ThreatIntel #Infosec #Privacy #DarkWeb #DataLeak #CyberCrime
Indian Breaches 🇮🇳
🇲🇽 A threat actor using the alias “Alameda_slim” has claimed responsibility for an alleged breach involving Mexican clinical laboratory provider “Laboratorios Ceflo,” with the actor advertising what appears to be sensitive patient testing data on a cybercrime forum.

According to the post, the attacker claims to have accessed and leaked approximately 21,000 medical test records allegedly linked to Laboratorios Ceflo. The threat actor specifically references positive diagnostic results related to HIV, syphilis, COVID-19, and other medical conditions.

The exposed data may include:
• Full names
• Dates of birth
• Phone numbers
• Email addresses
• Test dates
• Test types
• Laboratory result details
• Internal patient identifiers
• Medical analysis metadata
• Analyst and validation references

The sample data shown in the post appears to reference:
• HIV antibody tests
• Syphilis-related testing
• COVID-era diagnostic entries
• Patient demographic details
• Clinical validation records

The dataset appears to contain structured laboratory database exports, including internal table fields, timestamps, result statuses, and patient-associated metadata.

This alleged breach is particularly concerning because healthcare-related exposures involving sexually transmitted infections (STIs) and diagnostic results can have severe privacy and reputational consequences for affected individuals.

Recent cybersecurity reporting across Latin America has highlighted:
• Increased targeting of healthcare providers
• Weak protection of laboratory systems
• Growth in medical data trafficking on underground forums
• Ransomware and extortion operations targeting clinics and hospitals
• Abuse of exposed medical APIs and patient portals

Medical data remains one of the highest-valued categories on cybercrime markets because it can be used for:
• Identity theft
• Insurance fraud
• Medical fraud
• Blackmail and extortion
• Highly targeted phishing attacks
• Social engineering operations

If authentic, potential risks may include:
• Exposure of highly sensitive medical conditions
• Patient privacy violations
• Reputational damage
• Extortion attempts against affected individuals
• Regulatory scrutiny under health data protection laws
• Long-term misuse of patient information

Notably, the threat actor openly stated they “specialize in stealing medical data,” and the post appears designed both to distribute leaked records and advertise additional healthcare-related datasets.

At the time of writing, there is no independent verification confirming the authenticity or full scope of the alleged breach. There has also been no public confirmation from Laboratorios Ceflo regarding the claims presented in the underground forum post.

Status: Unverified — based on underground forum claims and publicly shared sample data.

#CyberSecurity #DataBreach #Healthcare #Mexico #MedicalData #Privacy #ThreatIntel #Infosec #DarkWeb #HIV #HealthcareSecurity
Indian Breaches 🇮🇳
🇺🇾 A threat actor operating under the name “LaPampaLeaks” has claimed responsibility for a major breach allegedly affecting Antel’s TuID Digital platform in Uruguay — a government-linked digital identity and citizen authentication system operated by the state-owned telecommunications provider Antel.

According to the post, the attackers claim they maintained long-term access to TuID Digital infrastructure through exposed API credentials and backend files stored on Antel servers. The threat actor alleges they were able to retrieve citizen data, access digital signatures, and potentially modify account-related information.

The exposed data may include:
• National identity numbers (CI/Cédula)
• Full names and surnames
• Dates of birth
• Email addresses
• Phone numbers
• Residential addresses
• Biometric validation status
• Registration metadata
• Digital signature information
• Government authority references
• Internal identifiers and account metadata
• API keys and backend configuration data

The post further claims that approximately 8GB of internal files were obtained, including:
• Internal legal documents
• Employee feedback
• Technical infrastructure information
• Small databases and backend files
• API credentials related to TuID Digital services

The threat actor also published screenshots allegedly showing API responses containing citizen records and metadata associated with public officials, cybersecurity personnel, journalists, and other individuals described as “persons of interest.”

Notably, Uruguay’s digital identity ecosystem has previously been the subject of public cybersecurity concerns. In 2024 and 2025, local media and security researchers reported multiple incidents involving exposure of government systems, citizen data access issues, and debates surrounding AGESIC’s cyber governance framework.

Recent reporting in Uruguay has increasingly focused on:
• Government digital identity security
• National cyber resilience
• Public sector API exposure risks
• Protection of citizen biometric and identity data
• Oversight of AGESIC and related state systems

If authentic, this incident could represent one of the most sensitive government-related data exposures reported in Uruguay due to the combination of identity records, digital signatures, and authentication infrastructure.

Potential risks may include:
• Identity theft
• Government impersonation
• Fraud involving digital signatures
• Targeted phishing and extortion
• Exposure of sensitive government personnel
• Abuse of citizen authentication systems
• Long-term trust erosion in digital identity platforms

At the time of writing, there is no independent verification confirming the authenticity, scale, or full impact of the alleged breach. There has also been no public confirmation from Antel or Uruguayan authorities regarding the claims shown in the forum post.

Status: Unverified — based on underground forum claims and publicly shared screenshots.

#CyberSecurity #DataBreach #Uruguay #ThreatIntel #Government #IdentityTheft #Infosec #DigitalIdentity #Privacy #DarkWeb
Indian Breaches 🇮🇳
🇧🇷 A threat actor has allegedly leaked a database linked to app3.transmitenota.com.br, a Brazilian electronic invoicing and document transmission platform, on a cybercrime forum.

According to the post, the dataset was allegedly shared in SQL format and is claimed to contain over 20 million rows of data associated with the platform and its users.

The exposed data may include:
• Full names
• Email addresses
• Phone numbers
• Business-related information
• Account/contact records
• Company names
• Customer identifiers
• Internal database entries

The threat actor claims the dataset contains approximately 20,151,364 rows and references around 141,000 email addresses. Sample records shared in the post appear to include Brazilian contact information and company-related entries.

The platform name and sample content suggest the dataset may be associated with invoice transmission, accounting workflows, or fiscal/business communication systems commonly used in Brazil.

Brazil has experienced a significant increase in cyber incidents targeting financial technology, accounting, taxation, and invoicing platforms in recent years, as attackers continue to focus on systems handling sensitive business and customer records.

If authentic, potential risks may include:
• Business email compromise (BEC)
• Phishing and financial fraud campaigns
• Exposure of sensitive business/customer information
• Identity theft and impersonation
• Abuse of invoicing and accounting-related data
• Credential stuffing against reused accounts

At the time of writing, there is no independent verification confirming the authenticity, origin, or full scope of the allegedly leaked database.

Status: Unverified — based on underground forum activity.

#CyberSecurity #ThreatIntel #DataBreach #Brazil #Infosec #Privacy #DarkWeb #PII
Indian Breaches 🇮🇳
🇺🇸 A threat actor has allegedly shared an internal database linked to USAGummies, a U.S.-based cannabis edible retailer, on a cybercrime forum.

According to the post, the dataset appears to contain multiple internal JSON-formatted files allegedly associated with operational, automation, communication, and administrative systems used by the company.

The exposed data may include:
• Internal chat history logs
• Email-related records
• Automation and workflow data
• Department and employee-related information
• Evaluation and analytics records
• Competitor tracking data
• Executive role information
• Cost and operational logs
• Communication metadata
• Internal process documentation

The post references numerous .json files with names suggesting the data may originate from internal business tooling, analytics systems, or AI/automation-related workflows.

Cannabis and CBD-related businesses have increasingly become targets for cybercrime due to the volume of customer, payment, and operational data they process, alongside varying regulatory and security maturity levels across the sector.

If authentic, potential risks may include:
• Exposure of sensitive internal business operations
• Disclosure of employee or executive communications
• Competitive intelligence abuse
• Targeted phishing against staff members
• Potential compromise of customer-related systems or workflows
• Reputational and operational damage

At the time of writing, there is no independent verification confirming the authenticity, scope, or source of the allegedly leaked data.

Status: Unverified — based on underground forum activity.

#CyberSecurity #ThreatIntel #DataBreach #USA #Cannabis #Infosec #Privacy #DarkWeb