Data Breach Roundup (Mar 20 - 26, 2026)

Crunchyroll probes breach after hacker claims to steal 6.8M users' data

Anime streaming service Crunchyroll was contacted by an attacker claiming to have breached the Okta SSO account of a support agent, planted malware, and stolen over 8 million support tickets. The data includes email addresses, user's name, login name, IP address, "general geographic information," and contents of support tickets.

Mazda discloses security breach exposing employee and partner data

Major automobile manufacturer Mazda is reporting a breach that impacted a system related to warehouse management for parts from Thailand. They say the breach only impacted 692 records and none were customers. Impacted data includes user IDs, full names, email addresses, company names, and business partner IDs.

Dutch Ministry of Finance discloses breach affecting employees

There are virtually no details at this time, especially regarding how many people were impacted or what data was stolen. The incident occurred on March 19th and did not impact the systems used for tax collection, regulations, or subsidies. No cybercrime groups have taken credit yet.

Infinite Campus warns of breach after ShinyHunters claims data theft

Infinite Campus is a "K-12 student information system" that manages the data of roughly 11 million students. They were breached after an attacker gained access to an employee's Salesforce account. IC claims most of the data was already public, such as names and contact information for school staff.

HackerOne discloses employee data breach after Navia hack

HackerOne is a well-known platform where cybersecurity researchers can report bugs to companies in exchange for payment. Navia is a benefits administrator. HackerOne is blaming a "Broken Object Level Authorization (BOLA)" at Navia allowing for data access between December 2025 and January 2026. Data impacted includes Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for each affected employee and their dependents.

Ajax football club hack exposed fan data, enabled ticket hijack

Ajax is a professional football ("soccer" to Americans) club from Amsterdam. A recent security incident exposed email addresses of "a few hundred" people, as well as names, email addresses, and dates of birth of about 20 people who were banned from the stadium.

Internet Yiff Machine: We hacked 93GB of “anonymous” crime tips

A group calling themselves "Internet Yiff Machine" claims to have stolen data from P3 Global Intel, which is a company that manages anonymous crime tips for police. The data contains names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers, and criminal histories as well as replies from investigators.