
The data breaches of May 2026 all have one thing in common. The attackers barely had to do anything. They didn't break any code or crack any system. They just walked in through a signup form someone left open, a phone call to the right employee, or a vendor that still had access nobody remembered giving them.
That's the scary part. The attacks are getting easier, and the damage is getting bigger at the same time. You don't need a genius hacker anymore. The way in is already sitting in a corner of your systems that nobody is watching.
Everything below is confirmed through an official company notice, a regulatory filing with HHS, the SEC, or a state attorney general, or a direct statement to a primary security outlet.
TL;DR
| # | Organization | Records | Attack type | Threat actor | Status |
|---|---|---|---|---|---|
| 1 | Canvas LMS / Instructure | ~275M claimed | SaaS compromise | ShinyHunters | Confirmed |
| 2 | Carnival Corporation | ~6M confirmed | Social engineering | ShinyHunters | Confirmed |
| 3 | NYC Health + Hospitals | 1.8M confirmed | Third-party vendor | Unknown | Confirmed |
| 4 | GitHub (internal) | ~3,800 repos | Supply chain (VS Code) | TeamPCP | Confirmed |
| 5 | Tabiq / Reqrea | 1M+ documents | Cloud misconfiguration | N/A | Confirmed |
| 6 | NVIDIA GFN Armenia | Regional users | Third-party partner | Unknown | Confirmed |
| 7 | 7-Eleven | 185,300 (HIBP) | Salesforce misconfig | ShinyHunters | Confirmed |
| 8 | Zara / Inditex | 197,400 (HIBP) | Third-party cloud access | ShinyHunters | Confirmed |
1. Canvas LMS / Instructure
Date: April 30 to May 7, 2026 • Type: SaaS platform compromise • Actor: ShinyHunters • Scale: ~275M claimed, ~9,000 institutions
Why it matters
The largest confirmed education-sector breach in history. Student names, emails, IDs, and private messages across 9,000 institutions in one incident. The Free-For-Teacher program, an open onboarding path, was the way in.
Instructure confirmed unauthorized access on its status page on May 1, 2026. The company detected the intrusion on April 29, revoked access, engaged third-party forensics, and took Canvas, Canvas Beta, and Canvas Test offline on May 7. Service came back the next day, and the Free-For-Teacher account program was shut down permanently.
ShinyHunters claimed responsibility on May 3 and ran an extortion campaign with a May 7 deadline, later pushed to May 12. The group claimed 3.65 TB of data across roughly 9,000 institutions covering about 275 million users. Instructure confirmed that names, email addresses, student ID numbers, and private messages were exposed, and found no evidence that passwords, dates of birth, government IDs, or financial information were involved.
On May 11, Instructure apologised for a lack of transparency and said it had reached an agreement with the attacker and that the stolen data was destroyed. This was the second ShinyHunters attack on Instructure in eight months. The September 2025 incident hit Salesforce business systems through social engineering.
Free-For-Teacher accounts let educators spin up Canvas tenants without institutional verification. That created weak trust boundaries between those accounts and institutional tenants sharing the same multi-tenant infrastructure. When verification gaps sit at the onboarding layer, logical isolation between tenants breaks down. ShinyHunters used that gap to move laterally into production Canvas data.
Sources: Wikipedia • Bitdefender • Reed Smith • Dataminr
2. Carnival Corporation
Date: April 14, 2026 (disclosed May 27) • Type: Social engineering / identity compromise • Actor: ShinyHunters (claimed) • Scale: 5,995,277 confirmed, Maine AG filing
Why it matters
One employee. One phone call. 6 million customer records. Carnival is the world's largest cruise operator, and this is at least its fifth major security incident since 2019. The method matches ADT in April, Canvas in May, and Match Group in January. The ShinyHunters 2026 campaign runs on social engineering against a single employee account.
Carnival began notifying 5,995,277 customers on May 27, 2026, and filed a formal disclosure with the Maine Attorney General's Office the same day. On April 14, its IT security team spotted unauthorized activity on an employee account. An attacker used social engineering to trick that employee and reach a limited portion of the company's IT systems.
By April 22, Carnival determined the attacker had copied personal information. The company ran a full file analysis to map which data belonged to each person before sending personalised notifications. Exposed data varies by individual and includes names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers.
ShinyHunters listed Carnival on its extortion portal on April 18, claiming 8.7 million records including terabytes of internal corporate data. Have I Been Pwned confirmed the breach, and the final Maine AG filing put the confirmed count at just under 6 million people. Carnival has not publicly attributed the attack to ShinyHunters.
Carnival followed the same playbook as every ShinyHunters identity-first attack in 2026. Compromise one employee account through social engineering, use that access to reach a CRM or customer data store, exfiltrate, set a ransom deadline, and publish when it passes. No exploit. No lateral movement through technical systems. The whole attack surface was one set of credentials.
Sources: BleepingComputer • SecurityWeek • The Register • Help Net Security
3. NYC Health + Hospitals
Date: Nov 25, 2025 to Feb 11, 2026 (disclosed May 19) • Type: Third-party vendor breach • Actor: Unknown • Scale: 1.8M patients, HHS-reported, biometrics stolen
Why it matters
Fingerprint and palm-print biometric data was stolen. Unlike passwords or card numbers, biometrics cannot be changed. This exposure is permanent for 1.8 million people, and it went undetected for nearly three months.
NYC Health + Hospitals, the largest public healthcare system in the United States, published an official breach notice on May 19, 2026, after reporting the incident to the U.S. Department of Health and Human Services on March 24. The HHS filing confirmed at least 1.8 million affected individuals.
The system flagged suspicious activity on February 2, 2026, and secured its network. Forensics found an attacker had access to certain systems between roughly November 25, 2025, and February 11, 2026, through a breach at an unnamed third-party vendor. The attacker copied files holding health insurance data, medical records with diagnoses, medications, tests and imaging, billing and payment data, Social Security numbers, passports, driver's licenses, and precise geolocation data.
The breach also took biometric fingerprint and palm-print scans, the detail that sets it apart from most healthcare breaches. NYC Health + Hospitals runs more than 70 care locations and serves about 1 million patients a year, most of them uninsured or covered under Medicare or Medicaid.
The attacker got in through a vendor that had legitimate network access. The hospital system had no direct visibility into the compromise for three months. This mirrors the Citizens Bank and Frost Bank pattern from April, the Zara and Anodot pattern from May, and every other third-party vendor breach of 2026. The vendor held the keys; the downstream organization bore the impact.
Sources: NYC H+H notice • TechCrunch • Malwarebytes • HIPAA Guide
4. GitHub (internal)
Date: May 18 to 20, 2026 • Type: Developer supply chain attack • Actor: TeamPCP (UNC6780) • Scale: ~3,800 internal repos, CISA KEV CVE-2026-48027
Why it matters
A poisoned VS Code extension was live on the official marketplace for 18 minutes. Auto-update pushed it to thousands of developer machines. One GitHub employee installed it. 3,800 internal repositories were gone. The most efficient supply chain attack of 2026, and the attack surface is every developer's machine.
GitHub confirmed on May 20, 2026, that about 3,800 of its internal repositories had been exfiltrated. The company said the activity stayed within GitHub-internal repositories, with no impact to customer repositories, enterprise accounts, or user data. On May 21, GitHub CISO Alexis Wales named the vector publicly: Nx Console v18.95.0, a VS Code extension with roughly 2.2 million installs.
The malicious version hit the Visual Studio Code Marketplace on May 18 at 12:30 p.m. UTC. Microsoft pulled it 18 minutes later at 12:48 p.m. UTC. In that window, the extension had already auto-pushed to thousands of machines. It ran a shell command that harvested credentials from 1Password vaults, GitHub tokens, SSH keys, and cloud credentials, then used those SSH keys to clone GitHub's internal repositories. TeamPCP listed the stolen data for sale at $50,000.
The attack chain traced back to an earlier TeamPCP compromise of the TanStack npm ecosystem on May 11, where a stolen contributor token pushed a malicious orphan commit to the legitimate nrwl/nx GitHub repository, making the second payload look like it came from a trusted, verified source.
CISA added CVE-2026-45321 (CVSS 9.6, TanStack) and CVE-2026-48027 (CVSS 9.3, Nx Console) to its Known Exploited Vulnerabilities catalog on May 27, with a June 10 patching deadline for Federal Civilian Executive Branch agencies.
VS Code extensions have full access to everything on a developer's machine by design, including credentials, cloud keys, SSH keys, and environment variables. There is no review gate between a publisher pushing an update and it installing on every machine running that extension. Auto-update handed TeamPCP a direct push channel into every developer environment with Nx Console installed. The 18-minute window was enough because distribution was instant and automatic.
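The governance side of the auto-update channel described above, as an added example that is not code from the original article, from GitHub or from Strobes: a small audit that reads a VS Code settings file and an inventory of installed extensions and reports whether auto-update is still on and whether anything installed falls outside an explicit allowlist. The settings keys are VS Code's own (`extensions.autoUpdate`, `extensions.autoCheckUpdates`, `extensions.allowed`); the precedence rules summarised in `is_allowed` follow the VS Code documentation as I understand it and should be checked against the version you deploy. The settings text and the installed-extension list are constructed for the demonstration; the extension ids in them are samples, not findings from the incident.

```python
"""Audit VS Code extension governance: auto-update off, allowlist enforced.

Added example (not from the article, GitHub or Strobes). Settings keys are
VS Code's own; the sample settings and inventory below are constructed.
"""
import json

# Constructed: what most developer machines look like (no governance at all).
DEFAULT_SETTINGS = "{}"

# Constructed: a hardened settings.json. Auto-update is off and only listed
# extensions (optionally pinned to exact versions) may be installed.
HARDENED_SETTINGS = """{
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false,
  "extensions.allowed": {
    "ms-python.python": true,
    "acme.internal-linter": ["2.3.1"],
    "acme.retired-tool": false
  }
}"""

# Constructed inventory of (extension id, version) pairs on one machine.
# Ids other than ms-python.python are placeholders.
INSTALLED = [
    ("ms-python.python", "2024.2.1"),
    ("acme.internal-linter", "2.3.1"),
    ("acme.internal-linter", "2.4.0"),
    ("acme.retired-tool", "1.0.0"),
    ("someone.unvetted-helper", "0.1.0"),
]


def is_allowed(allowlist, ext_id, version):
    """Decide whether one installed extension passes the allowlist.

    Rule summary (verify against your VS Code version): an exact
    publisher.name entry wins over a bare publisher entry; True permits
    every version, False blocks, a list pins exact versions; "stable" is
    treated as permit-all here (VS Code itself excludes pre-release builds).
    Once an allowlist exists, anything not matched is blocked.
    """
    publisher = ext_id.split(".", 1)[0]
    rule = allowlist.get(ext_id, allowlist.get(publisher))
    if rule is None or rule is False:
        return False
    if rule is True or rule == "stable":
        return True
    return version in rule


def audit(settings_text, installed):
    """Return a list of human-readable findings; empty means compliant."""
    settings = json.loads(settings_text)
    findings = []
    # VS Code updates extensions automatically unless this is explicitly false:
    # that is the channel a marketplace publisher (or whoever holds their
    # token) uses to push code onto every machine with the extension.
    if settings.get("extensions.autoUpdate", True) is not False:
        findings.append("extensions.autoUpdate is not false: "
                        "publishers can push code to this machine")
    if settings.get("extensions.autoCheckUpdates", True) is not False:
        findings.append("extensions.autoCheckUpdates is not false")
    allowlist = settings.get("extensions.allowed")
    if allowlist is None:
        findings.append("extensions.allowed is unset: "
                        "any marketplace extension may be installed")
        return findings
    for ext_id, version in installed:
        if not is_allowed(allowlist, ext_id, version):
            findings.append(f"{ext_id}@{version} is installed "
                            "but not on the allowlist")
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SETTINGS),
                        ("hardened", HARDENED_SETTINGS)):
        print(f"[{label}]")
        for finding in audit(text, INSTALLED) or ["no findings"]:
            print("  -", finding)
```

Pinning a version in the allowlist is what turns an "approved list" into a real gate: with `"acme.internal-linter": ["2.3.1"]`, a newer build pushed by the publisher fails the check instead of silently replacing the vetted one.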
Sources: Help Net Security • The Hacker News • Sophos • StepSecurity
5. Tabiq / Reqrea
Date: Discovered May 15, 2026 • Type: Cloud storage misconfiguration • Actor: N/A, accidental exposure • Scale: 1M+ identity documents, investigation ongoing
Why it matters
Passports, driver's licenses, and biometric selfies from hotel guests worldwide, publicly accessible, no password required. Not a sophisticated attack. A misconfigured S3 bucket. This keeps happening because vendors that collect sensitive identity documents for check-in workflows are not held to the same security standard as the data they handle.
Independent security researcher Anurag Sen found that the Amazon S3 bucket used by Tabiq, a hotel check-in platform run by Japan-based startup Reqrea, was set to public. The bucket, named "tabiq," was open to anyone with a browser and the bucket name, no authentication required. The exposed data included more than one million passports, driver's licenses, and selfie verification photos from hotel guests worldwide, with files dating back to early 2020.
Sen alerted TechCrunch, which reported the discovery on May 15, 2026, and notified Reqrea and Japan's national cybersecurity coordination team, JPCERT. Reqrea secured the bucket after being alerted and said it does not know how the bucket became public, noting that Amazon S3 buckets are private by default. An investigation into whether anyone accessed the data before it was locked down was ongoing at the time of disclosure.
Tabiq is used across multiple hotels in Japan and relies on facial recognition and document scanning to check guests in. The system collects government-issued identity documents as part of verification, which is why a single misconfigured bucket held identity documents spanning years and many nationalities.
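How a bucket ends up readable "to anyone with a browser and the bucket name", as an added example that is not code from the article or from Reqrea: the three things that decide whether an S3 bucket is public are its ACL, its bucket policy, and the account or bucket Block Public Access flags, and a defender's check has to read all three together. The functions below evaluate ACL and policy documents in the shape the S3 API returns them (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock) and report which grants expose the bucket and whether Block Public Access neutralises them. The sample documents are constructed; the bucket name and owner id in them are placeholders, not values from the incident.

```python
"""Evaluate S3 bucket exposure from ACL, bucket policy and Block Public Access.

Added example (not from the article or Reqrea). Inputs are constructed
samples in the shape of the corresponding S3 API responses.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed GetBucketAcl-style responses. Owner id is a placeholder.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

# Constructed GetBucketPolicy documents. Bucket name is a placeholder.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-checkin-bucket/*",
}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": []}

# Constructed GetPublicAccessBlock configurations: all off vs. all on.
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}


def acl_public_grants(acl):
    """Grants that reach anonymous or any-authenticated-AWS principals."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Allow statements with a wildcard principal.

    A Condition can narrow such a grant (for example to one VPC endpoint),
    so conditioned statements are flagged for review rather than assumed safe.
    """
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            hits.append({"sid": stmt.get("Sid", f"statement-{i}"),
                         "actions": stmt.get("Action"),
                         "conditioned": "Condition" in stmt})
    return hits


def assess(acl, policy, public_access_block):
    """Combine the three signals into one verdict.

    IgnorePublicAcls makes public ACL grants inert; RestrictPublicBuckets
    makes a public bucket policy reachable only from inside the account.
    The other two flags stop new public grants but do not undo existing ones.
    """
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy)
    acl_exposed = bool(acl_hits) and not public_access_block.get("IgnorePublicAcls", False)
    policy_exposed = bool(policy_hits) and not public_access_block.get("RestrictPublicBuckets", False)
    return {"public": acl_exposed or policy_exposed,
            "acl_grants": acl_hits,
            "policy_statements": policy_hits,
            "block_public_access": public_access_block}


if __name__ == "__main__":
    print("exposed, BPA off:", assess(EXPOSED_ACL, EXPOSED_POLICY, PAB_OFF)["public"])
    print("exposed, BPA on: ", assess(EXPOSED_ACL, EXPOSED_POLICY, PAB_ON)["public"])
    print("private, BPA off:", assess(PRIVATE_ACL, PRIVATE_POLICY, PAB_OFF)["public"])
```

The point the second line of output makes is the one that matters operationally: the same ACL and policy that expose a bucket are harmless once Block Public Access is on, which is why it belongs at the account level rather than being set bucket by bucket.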
Sources: TechCrunch • Security Affairs
6. NVIDIA GeForce NOW Armenia (GFN.am)
Date: March 20 to 26, 2026 (confirmed May 8) • Type: Third-party partner breach • Actor: Unknown (ShinyHunters attribution disputed) • Scale: Armenia users only, no passwords or payment data
Scope note
This breach is confirmed but limited to Armenia. NVIDIA's global services and infrastructure were not affected. It involved the regional Alliance partner GFN.am, which runs its own local authentication and customer database infrastructure.
NVIDIA confirmed to BleepingComputer on May 8, 2026, that GeForce NOW user information was exposed through a breach of GFN.am, its regional Alliance partner in Armenia. NVIDIA said its investigation found no impact on NVIDIA-operated services, that the issue was limited to systems run by the third-party partner, and that affected users would be notified by GFN.am.
GFN.am published its own breach notice on May 4, 2026. The breach window was March 20 to 26. Exposed data includes full names for users authenticating via Google, email addresses, usernames, dates of birth, and phone numbers for mobile operator registrations. No account passwords or payment data were compromised. Users who registered after March 9, 2026, are not affected.
A threat actor posted the data on a hacker forum claiming to be ShinyHunters, offering the database for $100,000. The post was later deleted. NVIDIA and BleepingComputer both noted the actor is believed to be a ShinyHunters impersonator, since the real group does not operate via forums or Telegram and had not posted the data on its own leak site.
Sources: BleepingComputer • SC Media • Security Boulevard
7. 7-Eleven
Date: April 8, 2026 (notifications filed May 1) • Type: Salesforce misconfiguration • Actor: ShinyHunters • Scale: 185,300 confirmed (HIBP), 9.4 GB archive published
Why it matters
ShinyHunters used the same Salesforce Aura API misconfiguration they weaponised across 300 to 400 organizations in early 2026. The FBI told victims in May not to pay. 7-Eleven refused, the data was published, and Have I Been Pwned confirmed the real scope at 185,300 individuals, not the 600,000 ShinyHunters claimed.
7-Eleven confirmed in breach notification letters filed with multiple U.S. state attorneys general on May 1, 2026, that on April 8 an unauthorized third party accessed systems used to store franchisee documents. ShinyHunters claimed responsibility on April 17, saying it stole over 600,000 Salesforce records with PII and internal corporate data. After 7-Eleven refused to pay, ShinyHunters published a 9.4 GB archive on its dark web leak site.
Have I Been Pwned analysed the leaked data and confirmed 185,300 unique individuals affected. The confirmed dataset includes names, dates of birth, email addresses, phone numbers, and physical addresses, with a small number of records holding extra data fields. The 600,000 figure includes corporate records and non-PII data, while 185,300 represents confirmed individuals with personal information in the archive.
ShinyHunters exploited the Salesforce Aura API misconfiguration (improperly configured guest user permissions on the /s/sfsites/aura endpoint), using AuraInspector, an open-source auditing tool Mandiant released in January 2026, to scan for it at scale. By March 2026, ShinyHunters told reporters they had breached between 300 and 400 organizations in this campaign alone.
Sources: BleepingComputer (HIBP) • BleepingComputer • SecurityWeek • The Record
8. Zara / Inditex
Date: April 2026 (data published April 22) • Type: Third-party cloud access abuse (Anodot) • Actor: ShinyHunters • Scale: 197,400 confirmed (HIBP), no passwords or payment data
Why it matters
The Anodot compromise gave ShinyHunters authenticated access to the cloud data of dozens of companies at once, including Rockstar Games, Vimeo, and Zara. One analytics vendor. One set of stolen tokens. Every downstream customer exposed without any direct attack on their own systems. Inherited third-party risk, made visible.
Inditex, the Spanish fashion group behind Zara, Bershka, Pull&Bear, and Massimo Dutti, confirmed unauthorized access to databases hosted by a former technology provider. The company notified authorities and said the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers. ShinyHunters listed Zara on its extortion portal with an April 21 deadline and published a claimed 140 GB archive on April 22 when Inditex did not respond.
Have I Been Pwned confirmed 197,400 unique email addresses in the published data, alongside product SKUs, order IDs, geographic market data, and customer support ticket content. The data came from the Anodot analytics platform compromise, the same entry point used against Vimeo, Rockstar Games, and at least a dozen other Anodot customers. Attackers took authentication tokens Anodot held for customer cloud environments and used them to query BigQuery instances holding historical support ticket data.
Anodot held authenticated, legitimate access to the cloud data of hundreds of customers for analytics. When those tokens were stolen, every downstream customer was exposed at once, and none had direct visibility into the compromise. This mirrors the 2024 Snowflake campaign that hit Ticketmaster (560M records), AT&T (110M records), and Santander (30M customers) through the same inherited access model.
Sources: BleepingComputer • Security Affairs • Security Boulevard • TechRadar
Four attack patterns account for every breach in this roundup. None of them are new. All of them are still working.
NYC Health + Hospitals, Carnival, Zara, and NVIDIA's Armenian partner were all breached through vendors. Each organization had functioning security controls on its own systems. It did not matter. The vendor held access to sensitive data, the vendor was compromised, and the downstream organization had no visibility for weeks or months. The Verizon 2026 DBIR backs this up: third-party incidents rose 60% year over year.
7-Eleven and Zara both started with Salesforce misconfigurations, improperly configured guest user permissions and exposed Aura endpoints that ShinyHunters scanned for at scale. Tabiq was a single misconfigured S3 bucket. No CVE. No zero-day. No clever attack chain. DIVD confirmed the Salesforce Aura misconfiguration is industry-wide and hits any organization that has not explicitly restricted guest user access. Continuous attack surface monitoring finds these before attackers do. Annual audits do not.
The GitHub breach required no compromise of GitHub's own infrastructure. TeamPCP pushed a malicious update to a VS Code extension, waited 18 minutes for auto-update to spread it to thousands of machines, and used one developer's harvested credentials to clone 3,800 internal repositories. VS Code extensions have full machine access by design, install automatically, and come from a marketplace with no mandatory review gate for updates. This is the attack surface of every organization that uses VS Code in its workflow, and it sits alongside the wider wave of software supply chain attacks seen this year.
ShinyHunters has confirmed or claimed involvement in most of this month's breaches: Canvas LMS, Carnival, 7-Eleven, Zara, and the disputed NVIDIA Armenia post. The model is consistent. Find SaaS misconfiguration or third-party access vectors at scale with automated scanning, exfiltrate, set a ransom deadline, publish when it passes. The FBI issued specific guidance in May urging victims not to pay, noting payment offers no guarantee against future publication. Their 2026 campaign has now touched education, retail, cruise, and financial services in a four-month window.
Strobes perspective
The May 2026 breaches did not happen because organizations lacked security tools. They happened because those tools could not see the exposures that mattered: a misconfigured Salesforce endpoint, a vendor holding cloud tokens, an auto-updating VS Code extension. Exposure Management surfaces these before they become incidents. Point-in-time assessments and annual pentests do not run at the speed of the attack surface.
Four controls map directly to this month's breaches. Continuously monitor third-party vendor access instead of reviewing it once a year. Audit Salesforce Experience Cloud guest user permissions and restrict Aura API access explicitly. Govern VS Code extensions by disabling auto-update enterprise-wide and enforcing an approved list. Run anomalous access detection on CRM and customer data platforms so a single account bulk-exporting records triggers immediate review. The common thread is visibility into exposures that scanners and pentests miss, which is the work an exposure management program like Strobes is built to do continuously rather than at a point in time.
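The fourth control above, bulk-export detection on a CRM or customer data store, as an added example that is not code from the article or from Strobes: a sliding-window counter that sums the records each principal pulls per hour and raises one alert per principal when the total crosses a threshold for that principal's type. Vendor integrations legitimately read far more than an employee does, so they get their own (higher) threshold rather than being exempted, which is the gap a stolen vendor token slips through. The JSON-lines audit events, field names, actor names and thresholds are all constructed for the demonstration; map them onto whatever your CRM's export or API log actually emits.

```python
"""Bulk-export detection over CRM audit events (sliding window per actor).

Added example (not from the article or Strobes). Event format, actor names
and thresholds are constructed; adapt the field mapping to your own logs.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)

# Constructed thresholds: records one principal may pull per hour before a
# human looks. Vendor integrations get a higher bar, not a free pass.
THRESHOLDS = {"employee": 2000, "vendor_integration": 50000}

# Constructed sample audit events (JSON lines), roughly what a CRM
# export/API log carries. Names and volumes are invented.
SAMPLE_LOG = """
{"ts": "2026-04-14T09:02:11Z", "actor": "a.reyes", "actor_type": "employee", "event": "report_export", "records": 150}
{"ts": "2026-04-14T09:15:40Z", "actor": "a.reyes", "actor_type": "employee", "event": "report_export", "records": 900}
{"ts": "2026-04-14T09:41:05Z", "actor": "a.reyes", "actor_type": "employee", "event": "api_query", "records": 1200}
{"ts": "2026-04-14T10:30:00Z", "actor": "svc-analytics", "actor_type": "vendor_integration", "event": "api_query", "records": 30000}
{"ts": "2026-04-14T10:31:00Z", "actor": "svc-analytics", "actor_type": "vendor_integration", "event": "api_query", "records": 30000}
{"ts": "2026-04-14T13:00:00Z", "actor": "b.chen", "actor_type": "employee", "event": "report_export", "records": 400}
{"ts": "2026-04-14T15:00:00Z", "actor": "b.chen", "actor_type": "employee", "event": "report_export", "records": 400}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime ts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_export(events, thresholds=THRESHOLDS, window=WINDOW):
    """Sum records per actor over a trailing window; alert once per actor.

    Events must be time-ordered (parse_events guarantees that). An unknown
    actor_type is held to the strictest threshold rather than ignored.
    """
    recent = defaultdict(deque)   # actor -> deque of (ts, records) in window
    totals = defaultdict(int)     # actor -> running sum of the deque
    alerted = set()
    alerts = []
    for event in events:
        actor = event["actor"]
        queue = recent[actor]
        queue.append((event["ts"], event["records"]))
        totals[actor] += event["records"]
        # Drop anything older than the window from the front of the deque.
        while queue and event["ts"] - queue[0][0] > window:
            _, expired = queue.popleft()
            totals[actor] -= expired
        limit = thresholds.get(event["actor_type"], min(thresholds.values()))
        if totals[actor] > limit and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor,
                           "actor_type": event["actor_type"],
                           "records_in_window": totals[actor],
                           "limit": limit,
                           "at": event["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(parse_events(SAMPLE_LOG)):
        print(f"{alert['at']} {alert['actor']} ({alert['actor_type']}): "
              f"{alert['records_in_window']} records in the last hour, "
              f"limit {alert['limit']}")
```

On the sample log this fires twice: once for the employee whose three exports in forty minutes add up past the employee limit, and once for the vendor integration whose two back-to-back queries exceed its own, larger baseline. The reviewer gets the actor, the volume and the moment the threshold was crossed, which is what the "immediate review" in the control actually needs.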
The detection gap came from where the access lived. NYC Health + Hospitals was exposed through a vendor for nearly three months before anyone noticed, and the NVIDIA Armenia and Zara incidents sat in partner and former-provider systems the parent organizations could not see into. Internal monitoring does not watch a vendor's environment, so the compromise runs until the vendor reports it or the data appears on a leak site. Closing that gap means mapping every external party that holds your data and the cloud access tied to it, then watching those relationships the way you watch your own network. Strobes treats that external footprint as part of the attack surface so vendor and partner exposures show up before they turn into a disclosure notice.
The breaches this month spanned education (Canvas LMS), retail (7-Eleven, Zara), healthcare (NYC Health + Hospitals), travel (Carnival), gaming (NVIDIA GeForce NOW Armenia), hospitality (Tabiq), and developer infrastructure (GitHub). The spread matters because the attack patterns ignored sector entirely. The same misconfiguration and vendor-access weaknesses showed up whether the target sold hotel check-ins or ran a public hospital system.
Change the password on the affected account and any account that reused it, and turn on multi-factor authentication. Watch for targeted phishing, since breached email addresses and order details feed convincing scams. For breaches involving government IDs, like Carnival or Tabiq, place a fraud alert or credit freeze with the credit bureaus. Biometric exposure, as in the NYC Health + Hospitals breach, cannot be reversed, so treat any service relying only on those biometrics as compromised and add a second factor wherever the option exists.
Stop chasing vulnerabilities. Start reducing exposure.
See how Strobes AI agents validate and fix your most critical exposures automatically. Book a demo.