
June 2026 made the same point twice over. You don't get breached because someone cracked your encryption. You get breached because a token nobody rotated still works, a database nobody knew was public sits open for months, or one person clicks one link.
The month's single largest exposure was a misconfigured database, not a break-in. Its two largest campaigns reused one idea: find a weakness deployed across hundreds of organizations, scan for it at scale, and walk in everywhere at once. Below are the eight data breaches of June 2026 that mattered most, ranked by scale and impact, followed by the four things actually worth doing about them.
| # | Organization | Scale | Attack type | Threat actor | Confidence |
|---|---|---|---|---|---|
| 1 | 24B credential dump | 24B records, 8 TB | Exposed database | N/A | Confirmed exposure (Cybernews) |
| 2 | Oracle PeopleSoft campaign | 100+ orgs | Exploit chain | ShinyHunters | Confirmed campaign, counts attacker-claimed |
| 3 | Klue / LastPass et al. | 15+ orgs | OAuth supply chain | Icarus | Confirmed by named victims |
| 4 | Texas Parks and Wildlife | 3,087,721 individuals | Third-party vendor | Unknown | Confirmed by agency |
| 5 | Xsolis | 1,396,519 | Phishing | Unknown | Confirmed, HHS-filed |
| 6 | Tata Electronics | Undisclosed | Cyberattack on IT | Unknown | Attack confirmed, file scope unverified |
| 7 | University of Nottingham | 450,000+ | PeopleSoft exploit | ShinyHunters | Confirmed by university |
| 8 | Eastman Kodak | 2.2M claimed | Extortion / data theft | ShinyHunters | Access confirmed, count attacker-claimed |
Discovered June 12, 2026 · Exposed database · Global · No actor (misconfiguration)
On June 12, Cybernews researchers found a publicly exposed database holding more than 24 billion credential records, one of the largest such collections ever left open on the internet. It ran past 8 terabytes, and the majority was infostealer logs: usernames, passwords, and the specific services each pair unlocked. The contents had been aggregated from 36 sources, including Telegram channels, prior breach compilations, and logs harvested directly from infected machines.
The database belonged to a threat intelligence company and was taken offline soon after discovery. Researchers were unable to fully analyze the contents or remove duplicates before it was pulled, leaving open how long it had been reachable and by whom.
What makes this the month's largest exposure is not any single victim. It is the aggregation. Thousands of prior breaches and years of infostealer activity, consolidated into one searchable index, become the raw material for the identity-driven attacks that fill the rest of this list. A leaked password is only useful if it still works, and at this volume, a meaningful share of them will.
The risk is not that this dataset exists. The risk is that too many of the credentials inside it may still work.
Oracle advisory June 10, 2026 · Education and enterprise · Global · ShinyHunters
This was not one organization getting unlucky. It was a single shared enterprise platform turning into a mass target. ShinyHunters claimed to have compromised the Oracle PeopleSoft servers of more than 100 organizations, predominantly colleges and universities, exploiting the suite they rely on for HR, finance, and student administration. In a message to one affected institution, the group itemized what it had taken: names, home addresses, phone numbers, emails, dates of birth, ethnicity, enrollment status, GPAs, majors, and student IDs.
Oracle published a security advisory on June 10, the day the attacks went public, urging immediate mitigation and noting that only supported PeopleTools versions had been tested, with older versions assumed vulnerable as well. The scale here is a confirmed campaign across 100+ organizations; the specific record totals come from ShinyHunters and remain attacker claims until victims verify them individually.
The campaign fits a year-long ShinyHunters method of hunting for one weakness in widely deployed software, then scanning for it everywhere, following earlier waves against Salesforce, Salesloft Drift, Snowflake, and Canvas. Education absorbed the brunt because universities run PeopleSoft widely and patch it slowly. Nottingham, at #7, is the clearest single example of what this looked like on the ground.
ShinyHunters did not need 100 different ideas. One shared platform was enough.
Discovered June 12, 2026 · Supply chain · Global · Icarus
This breach did not start inside any victim's own systems. It started with the access someone else held on their behalf. Klue discovered unauthorized activity in its integration infrastructure on June 12, tracing it to a legacy credential left active from a retired integration. Through that credential, the Icarus extortion group reached the OAuth tokens Klue held to connect into its customers' Salesforce environments, then used them to authenticate directly into customer CRM instances and exfiltrate data in bulk with automated scripts. No victim was phished, no password was cracked, and no vulnerability was exploited on the victims' side.
LastPass confirmed on June 23 that support-case data from its Salesforce environment had been taken, while noting that its products, infrastructure, and password vaults were unaffected. It was one of many. Recorded Future, Tanium, Jamf, Snyk, Sprout Social, Gong, Insurity, HackerOne, and OneTrust all confirmed exposure through the same token pipeline, bringing the confirmed victim count past 15, with Huntress and others warning the list would grow.
That is the defining property of a supply chain attack: a single token theft at one vendor reaches every downstream customer integrated with it, and none of them can see it happen, because the compromise occurs in an environment they have no visibility into.
The victims did not lose data because their Salesforce was broken. They lost it because a trusted integration stayed trusted long after it should have been reviewed.
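An added example, not part of the original article or any vendor's tooling: a review of integration credentials that flags the failure mode described above, a credential left active for a retired integration. The inventory, field names and thresholds are constructed assumptions.

```python
from datetime import date

MAX_ROTATION_AGE_DAYS = 90   # assumed policy threshold
MAX_IDLE_DAYS = 30           # assumed policy threshold

# Constructed inventory; field names are assumptions, not a vendor schema.
INVENTORY = [
    {"id": "cred-001", "integration": "crm-sync-legacy", "status": "retired",
     "active": True, "rotated": date(2024, 3, 1), "last_used": date(2026, 6, 10)},
    {"id": "cred-002", "integration": "crm-sync", "status": "live",
     "active": True, "rotated": date(2026, 5, 20), "last_used": date(2026, 6, 11)},
    {"id": "cred-003", "integration": "report-export", "status": "live",
     "active": True, "rotated": date(2025, 1, 15), "last_used": date(2026, 2, 2)},
    {"id": "cred-004", "integration": "old-webhook", "status": "retired",
     "active": False, "rotated": date(2023, 8, 9), "last_used": None},
]

def audit(inventory, today):
    """Return (severity, credential id, reasons) for credentials needing review."""
    findings = []
    for cred in inventory:
        if not cred["active"]:
            continue  # already revoked, nothing left to abuse
        retired = cred["status"] == "retired"
        age = (today - cred["rotated"]).days
        idle = None if cred["last_used"] is None else (today - cred["last_used"]).days
        reasons = []
        if retired:
            reasons.append("credential still active for a retired integration")
        if age > MAX_ROTATION_AGE_DAYS:
            reasons.append(f"not rotated for {age} days")
        if idle is None or idle > MAX_IDLE_DAYS:
            reasons.append("unused beyond idle threshold; candidate for revocation")
        if not reasons:
            continue
        # A retired integration has no legitimate caller, so recent use is the
        # strongest signal in this audit and is escalated for investigation.
        if retired and idle is not None and idle <= MAX_IDLE_DAYS:
            severity = "investigate"
            reasons.append(f"used {idle} days ago despite retirement")
        else:
            severity = "revoke" if retired else "review"
        findings.append((severity, cred["id"], reasons))
    order = {"investigate": 0, "revoke": 1, "review": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for severity, cred_id, reasons in audit(INVENTORY, date(2026, 6, 12)):
        print(f"[{severity}] {cred_id}: " + "; ".join(reasons))
```

The same check applies on the customer side to the list of third-party apps holding OAuth grants into a CRM tenant, where the inventory comes from the tenant's connected-app records.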
Disclosed June 19, 2026 · Government · United States · Unknown
This breach did not start inside the agency either. The Texas Parks and Wildlife Department disclosed an incident affecting 3,087,721 individuals, and the compromise occurred not in TPWD's systems but at the third-party vendor that operates its hunting and fishing license platform. Texas Cyber Command detected the intrusion and TPWD was notified on May 13; the department published its formal notification on June 12 and disclosed publicly on June 18. Per TPWD's own notice, the exposed data includes driver's license information, passport numbers where provided, email addresses, phone numbers, and residential addresses, while Social Security numbers, dates of birth, and financial details were not taken.
That data mix is the part worth sitting with. Driver's license and passport numbers cannot be reset the way a password or card can, which is why TPWD is offering a year of Kroll credit monitoring and the Texas Attorney General's breach portal lists the incident among the state's largest this year. And it follows the dominant pattern across June's data breaches: an agency delegates a function, the vendor holds the records, the vendor is compromised, and the agency carries the disclosure for three million people who had no awareness of the vendor and no relationship with it.
A leaked password can be reset overnight. A driver's license number stays exposed for life.
Disclosed June 23, 2026 · Healthcare · United States · Unknown
A single phishing email, sent to one employee on January 20, gave attackers a two-day window inside healthtech firm Xsolis before the activity was detected on January 22. That window was enough to exfiltrate files affecting 1,396,519 individuals, including names, dates of birth, Social Security numbers, health insurance details, and medical treatment records. Xsolis filed the incident to the US Department of Health and Human Services, which posted the count to its breach portal in late June, and downstream health systems including Mayo Clinic confirmed their patients were affected.
Xsolis operates out of view, providing utilization and case management to more than 600 hospitals and insurers. That concentration is precisely why one compromised account exposed patient data across dozens of health systems at once. The initial access required no exploit and no zero-day, only a credential handed over to a phishing message.
One inbox mistake became a healthcare data incident across dozens of downstream organizations.
Confirmed June 22, 2026 · Manufacturing · India · Unknown
June's most significant APAC breach surfaced through leaked files rather than a ransom listing. Material allegedly tied to Apple and Tesla manufacturing began appearing online, threat actors claimed to hold a larger archive, and on June 22 Tata Electronics confirmed to BleepingComputer that it had been targeted in a cyberattack affecting parts of its IT infrastructure. What is established is the attack itself, confirmed by the company. What is not is the origin and full contents of the leaked files, which remained unverified and under investigation as the month closed.
The breach carries weight beyond a typical manufacturing incident because of Tata Electronics' position as a critical link in the global electronics supply chain. A compromise at a contract manufacturer extends to the intellectual property and production data of its brand-name clients, none of whom controlled how their supplier secured its systems.
The clients whose data was exposed never audited Tata's security. They inherited the consequences of it anyway.
Confirmed June 11, 2026 · Education · United Kingdom · ShinyHunters
If the PeopleSoft campaign at #2 is the wave, Nottingham is the clearest look at what it did when it hit shore. The University of Nottingham confirmed that attackers accessed its student records system, exposing data belonging to more than 450,000 current students and alumni. The university, which has over 46,000 students and 7,000 staff, reported the incident to the UK's Information Commissioner's Office.
What makes Nottingham instructive is the context. It was not singled out. It was simply running an exposed PeopleSoft instance when ShinyHunters scanned for them, and it became the second UK university to disclose within days, following Oxford. Two institutions, the same weakness, the same week.
Nottingham was not targeted for being Nottingham. It was targeted for running the software everyone else was running too.
Listed June 15, 2026 · Manufacturing · United States · ShinyHunters
Two accounts of this incident exist, and the gap between them is the story. ShinyHunters listed Kodak on its leak site on June 15, claiming more than 2.2 million records of customer PII and internal corporate files, and set a June 18 deadline to pay before publication. Kodak's own statement was far narrower: an unauthorized third party briefly accessed a limited amount of company data.
Hold on to that distinction. Kodak confirmed unauthorized access. The 2.2 million record count came from ShinyHunters, so it stays an attacker claim until the data is independently verified, and Kodak has not publicly attributed the breach to the group. The mechanics are otherwise the familiar ShinyHunters sequence, run all year: list a victim, set a deadline, threaten release, escalate, and work several extortion cases at once. Kodak was one of June's.
Confirmed access and a claimed record count are not the same thing, and the difference is worth holding onto until the data is verified.
Strip away the logos and the same three threads run through almost every breach above.
Access was the way in, not exploits against the victim. The credential dump, the Klue token theft, the Xsolis phish, the TPWD vendor. None required breaking the victim's own code. They required a working credential, an un-rotated token, or one click. Standing access nobody is watching is the dominant exposure class of 2026.
Third-party access carries the damage downstream. TPWD, Klue's 15+ customers, Tata's clients, every PeopleSoft and Salesforce victim. The breached organization often wasn't the one holding the weakness. The vendor held the access and the customer absorbed the disclosure, blind to the compromise until data hit a leak site.
One weakness, deployed everywhere, becomes a mass campaign. ShinyHunters didn't find 100 ways into 100 universities. It found one PeopleSoft flaw and scanned for it. Same with the Klue OAuth tokens across Salesforce tenants. When attackers industrialize a single flaw across every org running the affected software, an annual pentest can't keep pace.
So the defense isn't eight different checklists. It's four moves that map to the patterns above:
Strobes perspective
The PeopleSoft campaign is a clean illustration of the real gap. Every breached university had tooling that could see the PeopleSoft instance and list its CVEs. What none of it confirmed was whether that specific instance was actually exploitable from the outside, which is the only question ShinyHunters was asking. A flagged vulnerability and a validated exploit are not the same thing, and the distance between them is where these breaches happened. Scanning tells you what exists; adversarial validation tells you what an attacker can actually reach.
Written by Shubham Jha, Product Marketing Lead at Strobes. Shubham covers the offensive security and exposure management beat for Strobes, tracking the breach campaigns and CVE activity shaping how security teams defend their attack surface.