Data Breach Roundup (Apr 10-16, 2026)
New Booking.com data breach forces reservation PIN resets
Booking.com is - as the name suggests - a website that allows users to book travel including flights, car rentals, hotels, and more. They are one of the largest such sites. Users have reported getting emails from noreply@booking.com informing them of a "cybersecurity incident" that may have exposed full names, email addresses, postal addresses, phone numbers, and communication with property providers. Booking.com is not being transparent about the number of users impacted, but said all users will be individually notified. They are also resetting user reservation PINs out of caution.

European Gym giant Basic-Fit data breach affects 1 million members
Basic-Fit is one of the largest gym chains in Europe with over 1700 clubs and 430 franchises in 12 countries. In a disclosure published on their website, they have announced a cyberattack that impacted full name, physical address, email address, phone number, date of birth, bank account details, and "other membership information." It appears to have impacted about 1 million members.

McGraw-Hill confirms data breach following extortion threat
McGraw-Hill is an education company that offers textbooks, online portals, and systems for K-12 schools and universities. This attack appears to have come from a misconfigured Salesforce page. McGraw-Hill says the data exposed was "limited and non-sensitive," but the attacker claims to have 45 million records containing personally identifiable information.

Crypto-exchange Kraken extorted by hackers after insider breach
Kraken says that attackers are threatening to release a video that shows internal systems that host client data. The article is a bit unclear, but the attackers appear to have been demonstrating that they had actual access to the data, apparently through inside employees rather than via a technical hack (such as a vulnerability). Kraken said that funds are safe and employees have been terminated. They say the breach was limited to about 2,000 customers but have not shared what information was impacted.

Fashion retailer Express left customers’ personal data and order details exposed to the internet
This flaw appears to have been an "insecure direct object reference" vulnerability - where simply tweaking the web address is enough to pull up other pages you may not necessarily have been meant to see. In this case a researcher was able to access other users' order confirmation pages, which included names, phone numbers, and email addresses; postal, billing, and delivery addresses; order details including the items that a customer purchased; and partial payment card information including the card type and the last four digits.

Fiverr Exposes Private Information of its Users Publicly on Google Search Results
From our own staff writer Fria: a researcher on Hacker News claimed that Fiverr - a freelancer job board - was exposing sensitive personal documents such as tax forms containing Social Security Numbers. The data could easily be found by searching site:fiverr-res.cloudinary.com [keywords of choice, such as "form 1040" or a name] on most search engines including Google and even DuckDuckGo. According to our internal news chat, the data itself does appear to have been secured. Privacy Guides Executive Director Jonah Aragon was unable to reproduce the results on Google, but both Jonah and Fria were able to find the results on DuckDuckGo, though they no longer linked to a valid address.





