Data Breach Roundup (Feb 20 – Feb 26, 2026)

PayPal discloses data breach that exposed user info for 6 months

This impacted the PayPal Working Capital loan app, which provides small business loans to users. Customer names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth were exposed between July 1 and December 12, 2025. This appears to have been caused by a "code change," and it does appear attackers found and took advantage of at least some of the information, leading to unauthorized transactions.

PayPal discloses data breach that exposed user info for 6 months
PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.

Data breach at French bank registry impacts 1.2 million accounts

This was the result of a credential leak that gave attackers access to a database of all bank accounts opened in French banking institutions. Data included bank details "including RIBs/IBANs," account holder identity, physical address, and in some cases taxpayer identification number.

Data breach at French bank registry impacts 1.2 million accounts
The French Ministry of Finance has published an announcement informing of a cybersecurity incident that has impacted 1.2 million accounts.

Ad tech firm Optimizely confirms data breach after vishing attack

Optimizely serves over 10,000 businesses, including brands like H&M, PayPal, Toyota, Vodafone, Shell, Salesforce, and Nike. The firm claims that "basic business contact information" was compromised, and not any sensitive customer data or personal information. No other details have been provided at this time.

Ad tech firm Optimizely confirms data breach after vishing attack
New York-based ad tech company Optimizely has notified an undisclosed number of customers of a data breach after threat actors compromised some of its systems in a voice phishing attack.

CarGurus data breach exposes information of 12.4 million accounts

CarGurus is an "automotive research and shopping company." The data breached includes email addresses, IP addresses, full names, phone numbers, physical addresses, user account IDs, finance application data, dealer account details, and subscription information.

CarGurus data breach exposes information of 12.4 million accounts
The ShinyHunters extortion group has published personal information in more than 12 million records allegedly stolen from CarGurus, a U.S.-based digital auto platform.

Wynn Resorts confirms employee data breach after extortion threat

Wynn has not confirmed details in the article, but the attackers claimed to have stolen "PII (SSNs, etc) and employee data" for over 800,000 records. There aren't a lot of other details at this time.

Wynn Resorts confirms employee data breach after extortion threat
Wynn Resorts has confirmed that a hacker stole employee data from its systems after the company was listed on the ShinyHunters extortion gang’s data leak site.

Hacker Used Anthropic’s Claude to Steal Mexican Data Trove

An unknown attacker used Claude to pull off an attack on the Mexican tax authority's systems. The article is light on specifics, but says Claude repeatedly resisted the prompts and the user had to perform extensive jailbreaking. 150 GB of government data was stolen, including 195 million taxpayer records, voter records, government employee credentials, and civil registry files.

Hacker Used Anthropic’s Claude to Steal Mexican Data Trove
A hacker exploited Anthropic PBC’s artificial intelligence chatbot to carry out a series of attacks against Mexican government agencies, resulting in the theft of a huge trove of sensitive tax and voter information, according to cybersecurity researchers.

Olympique Marseille confirms 'attempted' cyberattack after data leak

Olympique Marseille is a top-tier French football team. They recently confirmed a data breach that impacted 400,000 individuals, exposing names, addresses, order information, email addresses, and phone numbers.

Olympique Marseille confirms ‘attempted’ cyberattack after data leak
French professional football club Olympique de Marseille has confirmed a cyberattack after a threat actor claimed on Monday that it breached the club’s systems earlier this month.

European DIY chain ManoMano data breach impacts 38 million customers

ManoMano is a French e-commerce firm with over 50 million unique visitors per month. The data stolen includes full name, email address, phone number, and customer service communications.

European DIY chain ManoMano data breach impacts 38 million customers
DIY store chain ManoMano is notifying customers of a data breach involving personal data, which was caused by hackers compromising a third-party service provider.

Conduent data breach grows, affecting at least 25M people

This is an update from January 2025. Conduent is one of the largest US government contractors providing a variety of services across various government agencies. Original disclosures put the victim count at around 15.4 million. Impacted data includes names, dates of birth, addresses, Social Security numbers, health insurance information, and medical data.

Conduent data breach grows, affecting at least 25M people | TechCrunch
The number of people affected by a data breach at government contractor giant Conduent is growing, as millions of people continue to receive notices warning them that hackers stole their personal data.
