π«
eVent Medical β a company founded in March 2000 by respiratory therapists and engineers specializing in high-performance, cost-effective ventilators.
The companyβs data breach includes 32 GB of leaked documents, primarily containing financial records related to equipment purchases and sales, as well as internal transaction details, vendor agreements, and procurement contracts.
60 Empire Dr, Lake Forest, CA 92630, United States πΊπΈ
π½ βοΈ
eVent Medical β a company founded in March 2000 by respiratory therapists and engineers specializing in high-performance, cost-effective ventilators.
The companyβs data breach includes 32 GB of leaked documents, primarily containing financial records related to equipment purchases and sales, as well as internal transaction details, vendor agreements, and procurement contracts.
60 Empire Dr, Lake Forest, CA 92630, United States πΊπΈ
π½ βοΈ
π«
Automha (founded in 1979) is a company that develops automated data storage systems for warehouses. Automha's corporate office is located at Via Emilia, 6, Azzano San Paolo, Lombardy, 24052, Italy and has 114 employees. The total volume of leaked data is 308.9 GB. The leaked data includes personal data of employees, access to work accounts, email newsletters, certificates, licenses, financial statements, accounting records, invoices, customer documentation, confidential information and reporting, data on the contents of warehouses and storage facilities, a list of owners and regular customers.
π½
Automha (founded in 1979) is a company that develops automated data storage systems for warehouses. Automha's corporate office is located at Via Emilia, 6, Azzano San Paolo, Lombardy, 24052, Italy and has 114 employees. The total volume of leaked data is 308.9 GB. The leaked data includes personal data of employees, access to work accounts, email newsletters, certificates, licenses, financial statements, accounting records, invoices, customer documentation, confidential information and reporting, data on the contents of warehouses and storage facilities, a list of owners and regular customers.
π½
On January 21, 2026, the Clop group claimed responsibility for the attack on mcmathlaw.com.
McMath Woods P.A. (allegedly founded in 1953, Little Rock, Arkansas. Actual documents confirm activity since 2006) β a personal injury and consumer protection law firm. Staff: 7 partners + associated attorneys (12+ employees total). Offices in Little Rock and Fayetteville.
Leaked archive size: 855 GB
More than 350 GB is useless junk (police bodycam videos, police photos, etc.)
What leaked:
* Personal data of clients (including medical records) and employees
* Documentation of 5,000+ personal injury claims
* Internal correspondence and case strategy
* Financials, accounting, invoices, contracts, fee data
* Access to work accounts and corporate email
* Insurance payout databases, expert reports, client lists
* Litigation records and unpublished rulings
π Publication status:
The dataset has been published in open access.
π«
McMath Woods P.A. (allegedly founded in 1953, Little Rock, Arkansas. Actual documents confirm activity since 2006) β a personal injury and consumer protection law firm. Staff: 7 partners + associated attorneys (12+ employees total). Offices in Little Rock and Fayetteville.
Leaked archive size: 855 GB
More than 350 GB is useless junk (police bodycam videos, police photos, etc.)
What leaked:
* Personal data of clients (including medical records) and employees
* Documentation of 5,000+ personal injury claims
* Internal correspondence and case strategy
* Financials, accounting, invoices, contracts, fee data
* Access to work accounts and corporate email
* Insurance payout databases, expert reports, client lists
* Litigation records and unpublished rulings
π Publication status:
The dataset has been published in open access.
π«
On January 25, 2026, the ransomware group Clop claimed responsibility for the attack on excelas1.com.
Excelas LLC (founded in 2005, Cleveland, Ohio, USA) is a medical-legal company that provides medical record analysis and organization services for insurance firms, lawyers, and healthcare institutions. The company has 35 employees.
Total leaked archive size: 250 GB
What leaked:
* Medical records and patient medical histories
* Personal data of employees and patients
* Legal documentation related to medical claims and lawsuits
* Internal correspondence and case strategy
* Contracts, invoices, financial statements
* Access to work accounts and corporate email
* Insurance payout databases and expert reports
The full leak has been published.
Excelas LLC (founded in 2005, Cleveland, Ohio, USA) is a medical-legal company that provides medical record analysis and organization services for insurance firms, lawyers, and healthcare institutions. The company has 35 employees.
Total leaked archive size: 250 GB
What leaked:
* Medical records and patient medical histories
* Personal data of employees and patients
* Legal documentation related to medical claims and lawsuits
* Internal correspondence and case strategy
* Contracts, invoices, financial statements
* Access to work accounts and corporate email
* Insurance payout databases and expert reports
The full leak has been published.
π
Date: January 21, 2026
(date of Clop group's public claim)
π¦ Attacker: Clop ransomware group
π― Compromised domain: KCDWORLDWIDE.COM
π’ About the company:
KCD Worldwide is an international communications agency specializing in PR, event production, and digital marketing for the fashion, beauty, and luxury goods industries. The company has offices in New York, London, and Paris and works with leading global brands and designers.
π¦ Total leaked archive size: ~ 6.79 TB
π What leaked:
β’ Contracts and commercial proposals
β’ Personal data of employees and freelancers
β’ Applicant resumes
β’ Event plans and promotional materials
β’ Installation and fashion show schematics
β’ Financial documentation β mostly useless garbage like taxi and hotel receipts
πΈ Leak highlight:
The majority of the leak consists of photo materials. But if you look at them β don't be surprised that the company refused to pay the ransom. Because the photographers working for this company have two left hands. π€·ββοΈ
π½
(date of Clop group's public claim)
π¦ Attacker: Clop ransomware group
π― Compromised domain: KCDWORLDWIDE.COM
π’ About the company:
KCD Worldwide is an international communications agency specializing in PR, event production, and digital marketing for the fashion, beauty, and luxury goods industries. The company has offices in New York, London, and Paris and works with leading global brands and designers.
π¦ Total leaked archive size: ~ 6.79 TB
π What leaked:
β’ Contracts and commercial proposals
β’ Personal data of employees and freelancers
β’ Applicant resumes
β’ Event plans and promotional materials
β’ Installation and fashion show schematics
β’ Financial documentation β mostly useless garbage like taxi and hotel receipts
πΈ Leak highlight:
The majority of the leak consists of photo materials. But if you look at them β don't be surprised that the company refused to pay the ransom. Because the photographers working for this company have two left hands. π€·ββοΈ
π½
π¨ In early 2026, Match Group, the owner of major dating apps, faced two major incidents: a hacker attack and a regulatory settlement with US authorities. Here's what you need to know.
1οΈβ£ Data breach (January 2026)
The hacker group ShinyHunters breached Match Group's systems using a vishing (voice phishing) attack.
β Hackers tricked an employee into giving up login credentials for Okta (single sign-on platform).
β This allowed access to internal dashboards and the AppsFlyer marketing platform.
What was stolen:
β«οΈ ~85,000 user email addresses
β«οΈ ~2 million mobile advertising IDs (MAIDs)
β«οΈ Internal documents, OkCupid logs, Hinge subscription transaction data
Important: passwords, financial data, and personal chat history were not compromised.
β οΈ Main risk: phishing emails sent to the leaked email addresses.
2οΈβ£ FTC settlement (March 2026)
The US Federal Trade Commission reached a settlement with OkCupid (a Match Group subsidiary) over hidden data sharing.
1οΈβ£ Data breach (January 2026)
The hacker group ShinyHunters breached Match Group's systems using a vishing (voice phishing) attack.
β Hackers tricked an employee into giving up login credentials for Okta (single sign-on platform).
β This allowed access to internal dashboards and the AppsFlyer marketing platform.
What was stolen:
β«οΈ ~85,000 user email addresses
β«οΈ ~2 million mobile advertising IDs (MAIDs)
β«οΈ Internal documents, OkCupid logs, Hinge subscription transaction data
Important: passwords, financial data, and personal chat history were not compromised.
β οΈ Main risk: phishing emails sent to the leaked email addresses.
2οΈβ£ FTC settlement (March 2026)
The US Federal Trade Commission reached a settlement with OkCupid (a Match Group subsidiary) over hidden data sharing.
π FROST BANK DATA LEAK
π Incident date: April 20, 2026
(date of data sample publication by the Everest group)
π¦ Attacker: Everest ransomware group (Russian-speaking RaaS operation)
π― Affected organization: Frost Bank β a major bank headquartered in San Antonio, Texas, with branches across the state
π₯ Customers affected: Over 250,000 people (according to hackers)
π What leaked (based on data samples):
β’ Full customer names
β’ Social Security numbers (SSN)
β’ Tax Identification Numbers (TIN)
β’ Home addresses
β’ Income and taxable amount data
β’ Mortgage interest rates
β’ Investment profits
β οΈ Important note: Experts from Cybernews who analyzed the data samples could not confirm with absolute certainty that the data belongs to Frost Bank.
π’ Bank's official position:
A Frost Bank representative stated that a third-party vendor notified the bank of "unauthorized access to their systems." According to the bank, its own systems were not compromised.
βοΈ Legal consequences:
The law firm Goldenberg Schneider, LPA is investigating the incident and is already accepting inquiries from affected customers to assess their rights to compensation.
π Publication status:
Data samples were published on the Dark Web. The total volume of the leaked archive has not been disclosed at this time.
π Update as of April 27, 2026:
The notice about this leak has been removed from the Everest group's website.
π Incident date: April 20, 2026
(date of data sample publication by the Everest group)
π¦ Attacker: Everest ransomware group (Russian-speaking RaaS operation)
π― Affected organization: Frost Bank β a major bank headquartered in San Antonio, Texas, with branches across the state
π₯ Customers affected: Over 250,000 people (according to hackers)
π What leaked (based on data samples):
β’ Full customer names
β’ Social Security numbers (SSN)
β’ Tax Identification Numbers (TIN)
β’ Home addresses
β’ Income and taxable amount data
β’ Mortgage interest rates
β’ Investment profits
β οΈ Important note: Experts from Cybernews who analyzed the data samples could not confirm with absolute certainty that the data belongs to Frost Bank.
π’ Bank's official position:
A Frost Bank representative stated that a third-party vendor notified the bank of "unauthorized access to their systems." According to the bank, its own systems were not compromised.
βοΈ Legal consequences:
The law firm Goldenberg Schneider, LPA is investigating the incident and is already accepting inquiries from affected customers to assess their rights to compensation.
π Publication status:
Data samples were published on the Dark Web. The total volume of the leaked archive has not been disclosed at this time.
π Update as of April 27, 2026:
The notice about this leak has been removed from the Everest group's website.
π INCIDENT: ANSTECHINC.COM
π Date: February 10, 2026
(date of Clop group's public claim)
π― Compromised domain: ANSTECHINC.COM
π’ About the company:
A US-based company.
π¦ Total leaked archive size: 232 (259) GB
π What leaked:
β’ Contracts and commercial proposals
β’ Personal data of employees (fewer than 10 people)
β’ Financial documentation
β’ Credit card statements
β’ Candidate resumes
!?! β’ Product photos and prices from a small retail chain !?! (160 GB of garbage)
β’ Certificates of Insurance
β οΈ Leak status:
The full leak has been published β which is quite expected, because the archive contains nothing valuable enough to pay for.
π€· The only mystery about this little outfit is that it amounts to nothing.
I think these idiots were hacked just for laughs.
π Date: February 10, 2026
(date of Clop group's public claim)
π― Compromised domain: ANSTECHINC.COM
π’ About the company:
A US-based company.
π¦ Total leaked archive size: 232 (259) GB
π What leaked:
β’ Contracts and commercial proposals
β’ Personal data of employees (fewer than 10 people)
β’ Financial documentation
β’ Credit card statements
β’ Candidate resumes
!?! β’ Product photos and prices from a small retail chain !?! (160 GB of garbage)
β’ Certificates of Insurance
β οΈ Leak status:
The full leak has been published β which is quite expected, because the archive contains nothing valuable enough to pay for.
π€· The only mystery about this little outfit is that it amounts to nothing.
I think these idiots were hacked just for laughs.
π1
π INCIDENT: MCDONALD'S INDIA
π Incident date: January 20, 2026
(date of Everest group's dark web claim)
π― Affected organization: McDonald's India β Indian subsidiary of the fast-food giant. Operates through two entities: Connaught Plaza Restaurants (North & East) and Hardcastle Restaurants (West & South)
π¦ Alleged leaked archive size: 861 GB
π What allegedly leaked (according to hackers):
β’ Financial reports and audit trails
β’ Pricing data
β’ Sensitive internal communications
β’ Contact database of investors and partners from the US, UK, Singapore, and India
β’ Internal store-level data including manager names and contact numbers for dozens of outlets
β’ Customer personal data
β’ Access to accounting/ERP systems (month-by-month directory breakdown)
β οΈ Leak status:
The full leak has been published.
π Context (previous incidents):
β’ 2017: ~2.2 million customer records leaked via McDelivery app
β’ 2024: API vulnerabilities in delivery system allowed ordering for $0.01, order hijacking, and driver tracking (fixed in September)
π Incident date: January 20, 2026
(date of Everest group's dark web claim)
π― Affected organization: McDonald's India β Indian subsidiary of the fast-food giant. Operates through two entities: Connaught Plaza Restaurants (North & East) and Hardcastle Restaurants (West & South)
π¦ Alleged leaked archive size: 861 GB
π What allegedly leaked (according to hackers):
β’ Financial reports and audit trails
β’ Pricing data
β’ Sensitive internal communications
β’ Contact database of investors and partners from the US, UK, Singapore, and India
β’ Internal store-level data including manager names and contact numbers for dozens of outlets
β’ Customer personal data
β’ Access to accounting/ERP systems (month-by-month directory breakdown)
β οΈ Leak status:
The full leak has been published.
π Context (previous incidents):
β’ 2017: ~2.2 million customer records leaked via McDelivery app
β’ 2024: API vulnerabilities in delivery system allowed ordering for $0.01, order hijacking, and driver tracking (fixed in September)
π‘ FLYBOYS FLIGHT CENTER DATA BREACH
π― Organization: FlyBoys Flight Center (USA)
π Leak volume: 5.41 GB
π Incident date: July 2024
π¦ Attacker: Medusa ransomware group
π Content: According to the source, the archive contains training programs, courses, certificates, financial reports, and other internal documentation.
π Publication status: The data was published on Medusa's leak site in July 2024. A 5.41 GB file archive is currently in open access.
π― Organization: FlyBoys Flight Center (USA)
π Leak volume: 5.41 GB
π Incident date: July 2024
π¦ Attacker: Medusa ransomware group
π Content: According to the source, the archive contains training programs, courses, certificates, financial reports, and other internal documentation.
π Publication status: The data was published on Medusa's leak site in July 2024. A 5.41 GB file archive is currently in open access.
π TOKOPARTS.COM DATA BREACH β 79 GB
π― Organization: Tokoparts (PT Suku Cadang Oto Sejahtera) β Indonesian auto parts supplier
π Volume: 79 GB, 29,425 files
π Data period: 2020β2026
π What leaked:
β’ Financial reports: P&L, balance sheets for 2024β2025, consolidation package for Mitsubishi Corporation (April 10, 2026)
β’ Banking data: BCA and MUFG statements, all transactions
β’ Taxes: SPT PPh 21,23,26 filings, VAT (PPN) for 2022β2024
β’ Customer database: 463 corporate clients, 11,272 invoices, AR outstanding 10.5 billion IDR (87% overdue)
β’ Orders: 33,041 orders from 381 buyers (66 fields per record)
β’ Delivery documents: 15,000+ photos of delivery slips (signatures, addresses, couriers) β latest dated April 7, 2026
β’ Supplier pricing: Toyota, Honda, Mitsubishi, Mercedes-Benz, Shell, Denso, Isuzu, Mazda, and others
β’ Active NDAs: with Mitsubishi Corp (valid until June 2026), with MUC Consulting (perpetual term)
β’ Personal data: passport of President Director (Japanese national), KTP IDs, bank account details of supplier directors, data of 20+ Tokoparts employees
β’ SAP HANA, WMS, supply chain data, business plans, forecasts
β οΈ Note: All three NDAs were active at the time of the breach. Data includes documents submitted to Mitsubishi Corporation just days before publication.
π Status: 79 GB archive is publicly available.
π― Organization: Tokoparts (PT Suku Cadang Oto Sejahtera) β Indonesian auto parts supplier
π Volume: 79 GB, 29,425 files
π Data period: 2020β2026
π What leaked:
β’ Financial reports: P&L, balance sheets for 2024β2025, consolidation package for Mitsubishi Corporation (April 10, 2026)
β’ Banking data: BCA and MUFG statements, all transactions
β’ Taxes: SPT PPh 21,23,26 filings, VAT (PPN) for 2022β2024
β’ Customer database: 463 corporate clients, 11,272 invoices, AR outstanding 10.5 billion IDR (87% overdue)
β’ Orders: 33,041 orders from 381 buyers (66 fields per record)
β’ Delivery documents: 15,000+ photos of delivery slips (signatures, addresses, couriers) β latest dated April 7, 2026
β’ Supplier pricing: Toyota, Honda, Mitsubishi, Mercedes-Benz, Shell, Denso, Isuzu, Mazda, and others
β’ Active NDAs: with Mitsubishi Corp (valid until June 2026), with MUC Consulting (perpetual term)
β’ Personal data: passport of President Director (Japanese national), KTP IDs, bank account details of supplier directors, data of 20+ Tokoparts employees
β’ SAP HANA, WMS, supply chain data, business plans, forecasts
β οΈ Note: All three NDAs were active at the time of the breach. Data includes documents submitted to Mitsubishi Corporation just days before publication.
π Status: 79 GB archive is publicly available.
π BEST PRICE FINANCIAL SERVICES DATA BREACH
π Incident date: July 23β25, 2025
π¦ Attacker: Everest ransomware group
π― Affected organization: Best Price Financial Services β a UK-based independent financial services provider, regulated by the Financial Conduct Authority (FCA). The company offers life insurance, income protection, critical illness coverage, and operates an online price comparison tool.
π What leaked (based on initial publication):
β’ Internal documents (screenshots published on dark web leak site)
β’ Potentially client data, internal communications, financial records
β οΈ Important note: The full dataset has been published.
π Publication status: The victim was added to Everest's dark web leak site on July 25, 2025.
βοΈ Regulatory consequences: As an FCA-regulated financial services provider, the company handles sensitive client financial data. A full leak could trigger regulatory fines and client compensation claims.
π Incident date: July 23β25, 2025
π¦ Attacker: Everest ransomware group
π― Affected organization: Best Price Financial Services β a UK-based independent financial services provider, regulated by the Financial Conduct Authority (FCA). The company offers life insurance, income protection, critical illness coverage, and operates an online price comparison tool.
π What leaked (based on initial publication):
β’ Internal documents (screenshots published on dark web leak site)
β’ Potentially client data, internal communications, financial records
β οΈ Important note: The full dataset has been published.
π Publication status: The victim was added to Everest's dark web leak site on July 25, 2025.
βοΈ Regulatory consequences: As an FCA-regulated financial services provider, the company handles sensitive client financial data. A full leak could trigger regulatory fines and client compensation claims.
π CITIZENS BANK DATA BREACH
π Incident date: April 2026
π¦ Attacker: Everest ransomware group
π― Organization affected: Citizens Bank (major U.S. bank, corporate HQ in Providence, Rhode Island)
π₯ Customers affected (bank's statement): "several thousand"
π Attackers' claim: ~3.4 million records (bank calls this figure "generally inaccurate")
π What leaked (per Citizens Bank's official statement):
β’ Customer names
β’ Home addresses
β’ Bank account numbers (data found on a paper check)
β Social Security numbers (SSN) β NOT compromised
Customer class-action lawsuits claim that credit card numbers and passport numbers may also have been affected, but there is no official confirmation from the bank.
π Publication status:
The publication timer on Everest's leak site has been reset twice. As of now, no public links to the stolen data have been released.
π Note: The breach occurred at a third-party vendor, not within Citizens Bank's own network.
π Incident date: April 2026
π¦ Attacker: Everest ransomware group
π― Organization affected: Citizens Bank (major U.S. bank, corporate HQ in Providence, Rhode Island)
π₯ Customers affected (bank's statement): "several thousand"
π Attackers' claim: ~3.4 million records (bank calls this figure "generally inaccurate")
π What leaked (per Citizens Bank's official statement):
β’ Customer names
β’ Home addresses
β’ Bank account numbers (data found on a paper check)
β Social Security numbers (SSN) β NOT compromised
Customer class-action lawsuits claim that credit card numbers and passport numbers may also have been affected, but there is no official confirmation from the bank.
π Publication status:
The publication timer on Everest's leak site has been reset twice. As of now, no public links to the stolen data have been released.
π Note: The breach occurred at a third-party vendor, not within Citizens Bank's own network.
π NISSAN MOTOR CORPORATION DATA BREACH
π Incident date: January 10, 2026 (attackers' public disclosure)
π¦ Attacker: Everest ransomware group
π― Organization affected: Nissan Motor Corporation (Japanese automaker, North American operations β USA and Canada)
π₯ Affected (attackers' claim): 900β910 GB of data (17+ million VIN numbers)
Based on DataBreach.com analysis of leaked files:
β’ 17,119,482 VIN numbers
β’ 4,193,509 full names
β’ 4,055,146 postal addresses
β’ 2,685,720 phone numbers
β’ 2,045,754 email addresses
β’ 2,736 dates of birth
β οΈ IMPORTANT NOTE:
The breach occurred at a third-party vendor (GCSSD) that serviced Nissan and Infiniti dealerships in North America β not at Nissan itself.
π Incident date: January 10, 2026 (attackers' public disclosure)
π¦ Attacker: Everest ransomware group
π― Organization affected: Nissan Motor Corporation (Japanese automaker, North American operations β USA and Canada)
π₯ Affected (attackers' claim): 900β910 GB of data (17+ million VIN numbers)
Based on DataBreach.com analysis of leaked files:
β’ 17,119,482 VIN numbers
β’ 4,193,509 full names
β’ 4,055,146 postal addresses
β’ 2,685,720 phone numbers
β’ 2,045,754 email addresses
β’ 2,736 dates of birth
β οΈ IMPORTANT NOTE:
The breach occurred at a third-party vendor (GCSSD) that serviced Nissan and Infiniti dealerships in North America β not at Nissan itself.
π INCIDENT: ITARCHITECHS.COM
π Attacker's claim date: February 10, 2026 (Clop group)
π Data publication date: February 14, 2026
π― Compromised domain: ITARCHITECHS.COM
π’ About the company: Technology services provider / IT company based in the United States.
π¦ Total leaked archive size: 52.2 GB
π What leaked:
β’ Contracts and commercial proposals
β’ Financial documentation
β’ Internal corporate documents
β’ Employee personal data
β’ Technical documentation and configurations
β’ Client information
β’ Operational data
β οΈ Leak status: Fully published. As of now, 52.2 GB of data is publicly available.
π Attacker's claim date: February 10, 2026 (Clop group)
π Data publication date: February 14, 2026
π― Compromised domain: ITARCHITECHS.COM
π’ About the company: Technology services provider / IT company based in the United States.
π¦ Total leaked archive size: 52.2 GB
π What leaked:
β’ Contracts and commercial proposals
β’ Financial documentation
β’ Internal corporate documents
β’ Employee personal data
β’ Technical documentation and configurations
β’ Client information
β’ Operational data
β οΈ Leak status: Fully published. As of now, 52.2 GB of data is publicly available.
π INCIDENT: HUDSON EXECUTIVE CAPITAL LP
π Attacker's claim date: February 10, 2026 (Clop group)
π― Compromised domain: HUDSONEXECUTIVE.COM
π’ About the company: Hudson Executive Capital LP β SEC-registered investment adviser based in New York, USA. Specializes in strategic investments across Financials, Healthcare, Technology, and Media sectors.
π¦ Total leaked archive size: Not specified (detailed corporate compliance dump)
π What leaked (based on detailed analysis of published data):
The attackers have released a detailed dump of the corporate compliance department folder β practically a complete copy of Hudson Executive Capital's internal documentation.
1. Full Compliance Control Structure (Crown Jewel)
Documents revealing how the company monitors employees and reports to regulators (SEC, FINRA):
Personal Trading / Code of Ethics:
Detailed logs of employee trading requests for approval (HEC - Employee Trading Requests)
Employee personal brokerage account statements (with account numbers)
Annual holdings certifications β showing what employees owned and traded
CEO Partners:
Folder dedicated to former CEOs serving as fund advisors
Personal data including affiliations, signed conflict of interest certificates, conflict clearances for deal participation
Passport copies / photos (CEO Partners - Photos)
Policies & Procedures:
Complete archive of internal policies: Code of Ethics, Compliance Manual, AML Policy, Cybersecurity Policy, Business Continuity Plan β the blueprint of their compliance system
Internal Investigations and Incidents:
"Memos to File" and "Violation of compliance policy" folders
Contains memos about unintentional information disclosure, trading errors, potential internal rule violations (e.g., trading on spouse's personal account)
2. Confidential Correspondence and External Communications
Email files (.msg) revealing sensitive discussions:
Marketing Material Approvals:
Email chains where CEO or CCO approve investor presentations and fact sheets (Marketing Review folders) β revealing what and how they told investors
Regulator and Auditor Communications:
Correspondence with SEC, FINRA, Walkers lawyers (Cayman Islands) regarding AML, FATCA, Private Funds Law
Draft responses to FINRA requests
3. Investment Structure and Financial Information
SPV and Fund Details:
HEC SPV I, II, III, IV folders containing incorporation documents, PPMs (Private Placement Memorandums), side letters with investors β revealing deal structures and terms for specific LPs
Valuation of Private Assets:
Compliance - Committee - Valuation folder containing memos and Excel models explaining how private portfolio companies (e.g., Flexis, Paige) were valued β revealing how the fund calculates NAV
Deal-Specific Correspondence and Documents:
PDF presentations and working models for Pluto, Akoya, HeartFlow, Mindmaze (from user Sai.Nanduri files) β operational analysis of current and potential deals
4. Operational and Technical Information
Cybersecurity:
Penetration test reports, phishing campaign results, external scan results, cybersecurity briefs β essentially a map of their vulnerabilities
Data Privacy:
GDPR and Cayman Islands Data Privacy Law (DPL) documents
SPAC Website Backups:
Complete backup of their corporate websites (archive copies) in the Website\SPAC websites folder
π½π«
π Attacker's claim date: February 10, 2026 (Clop group)
π― Compromised domain: HUDSONEXECUTIVE.COM
π’ About the company: Hudson Executive Capital LP β SEC-registered investment adviser based in New York, USA. Specializes in strategic investments across Financials, Healthcare, Technology, and Media sectors.
π¦ Total leaked archive size: Not specified (detailed corporate compliance dump)
π What leaked (based on detailed analysis of published data):
The attackers have released a detailed dump of the corporate compliance department folder β practically a complete copy of Hudson Executive Capital's internal documentation.
1. Full Compliance Control Structure (Crown Jewel)
Documents revealing how the company monitors employees and reports to regulators (SEC, FINRA):
Personal Trading / Code of Ethics:
Detailed logs of employee trading requests for approval (HEC - Employee Trading Requests)
Employee personal brokerage account statements (with account numbers)
Annual holdings certifications β showing what employees owned and traded
CEO Partners:
Folder dedicated to former CEOs serving as fund advisors
Personal data including affiliations, signed conflict of interest certificates, conflict clearances for deal participation
Passport copies / photos (CEO Partners - Photos)
Policies & Procedures:
Complete archive of internal policies: Code of Ethics, Compliance Manual, AML Policy, Cybersecurity Policy, Business Continuity Plan β the blueprint of their compliance system
Internal Investigations and Incidents:
"Memos to File" and "Violation of compliance policy" folders
Contains memos about unintentional information disclosure, trading errors, potential internal rule violations (e.g., trading on spouse's personal account)
2. Confidential Correspondence and External Communications
Email files (.msg) revealing sensitive discussions:
Marketing Material Approvals:
Email chains where CEO or CCO approve investor presentations and fact sheets (Marketing Review folders) β revealing what and how they told investors
Regulator and Auditor Communications:
Correspondence with SEC, FINRA, Walkers lawyers (Cayman Islands) regarding AML, FATCA, Private Funds Law
Draft responses to FINRA requests
3. Investment Structure and Financial Information
SPV and Fund Details:
HEC SPV I, II, III, IV folders containing incorporation documents, PPMs (Private Placement Memorandums), side letters with investors β revealing deal structures and terms for specific LPs
Valuation of Private Assets:
Compliance - Committee - Valuation folder containing memos and Excel models explaining how private portfolio companies (e.g., Flexis, Paige) were valued β revealing how the fund calculates NAV
Deal-Specific Correspondence and Documents:
PDF presentations and working models for Pluto, Akoya, HeartFlow, Mindmaze (from user Sai.Nanduri files) β operational analysis of current and potential deals
4. Operational and Technical Information
Cybersecurity:
Penetration test reports, phishing campaign results, external scan results, cybersecurity briefs β essentially a map of their vulnerabilities
Data Privacy:
GDPR and Cayman Islands Data Privacy Law (DPL) documents
SPAC Website Backups:
Complete backup of their corporate websites (archive copies) in the Website\SPAC websites folder
π½π«
π INCIDENT: Proactive Medical Inc
π Attacker's claim date: February 10, 2026 (Clop group)
π¦ Attacker: CLOP (Clop) ransomware group β Russian-speaking RaaS group
π― Compromised domain: PROACTIVEMEDICAL.COM
π’ About the company: Proactive Medical Products / Proactive Medical Inc. β medical equipment and healthcare products. Headquarters: Lindenhurst, New York, USA. Proactive Medical Products was founded in 2008, specializing in patient care products that help prevent and treat conditions such as bedsores and infections.
π¦ Publication status: 1.08 TB β data published in full
π WHAT LEAKED β DETAILED ANALYSIS
π¨ Scale: Catastrophic
Full copies of work folders, including system directories, were exposed in the breach. This is a classic sign of total encryption and theft, not a single email account compromise.
1. HIGHLY SENSITIVE CLIENT AND PARTNER DATA
What leaked Examples / Details
Direct contracts and purchase orders TWIN MED PO# PO057528_files, FEDEX SHIPPING LABEL SO#114439_files, Invoice for Order #21... β complete transaction data
Patient data (indirect) POD_files (Proof of Delivery) and BOL FOR PALLETS folders β delivery addresses violate medical confidentiality (HIPAA)
2. COMPLETE BUSINESS AND REPUTATIONAL DAMAGE
What leaked Details
Trade secrets Customer Price List, BENT METAL DME AND MANUALS (training materials, product assembly instructions)
Competitor data Folders named McKesson, Medline, AdaptHealth inside CUSTOMERS - yossi β pricing policy and strategy
Internal documentation HR DEPARTMENT - UPDATED (employee personal data), Payroll Reports (salaries), FDA (regulatory documents), Instruction Manuals (intellectual property)
3. EMPLOYEE AND MANAGEMENT PERSONAL DATA
What leaked Details
Employee work folders Folders by name: JANET, BRIAN, KRISTINA Stuff, PATRICIA, MIKE, YOSSI β personal correspondence, notes
Document scans scans\Yossi\Yossi iphone\DCIM β photos from employee's phone
Personal files Music, videos (movies\Game of Thrones), workout programs (Workout\P90X) β employees used work computers for personal purposes, expanding the scope of the leak
π VERDICT
This is not just a "document leak."
This is a digital copy of the entire enterprise.
From this archive, one could reconstruct all commercial, financial, operational, and personnel activities of Proactive Medical Products, as well as a significant portion of their relationships with partners.
π Attacker's claim date: February 10, 2026 (Clop group)
π¦ Attacker: CLOP (Clop) ransomware group β Russian-speaking RaaS group
π― Compromised domain: PROACTIVEMEDICAL.COM
π’ About the company: Proactive Medical Products / Proactive Medical Inc. β medical equipment and healthcare products. Headquarters: Lindenhurst, New York, USA. Proactive Medical Products was founded in 2008, specializing in patient care products that help prevent and treat conditions such as bedsores and infections.
π¦ Publication status: 1.08 TB β data published in full
π WHAT LEAKED β DETAILED ANALYSIS
π¨ Scale: Catastrophic
Full copies of work folders, including system directories, were exposed in the breach. This is a classic sign of total encryption and theft, not a single email account compromise.
1. HIGHLY SENSITIVE CLIENT AND PARTNER DATA
What leaked Examples / Details
Direct contracts and purchase orders TWIN MED PO# PO057528_files, FEDEX SHIPPING LABEL SO#114439_files, Invoice for Order #21... β complete transaction data
Patient data (indirect) POD_files (Proof of Delivery) and BOL FOR PALLETS folders β delivery addresses violate medical confidentiality (HIPAA)
2. COMPLETE BUSINESS AND REPUTATIONAL DAMAGE
What leaked Details
Trade secrets Customer Price List, BENT METAL DME AND MANUALS (training materials, product assembly instructions)
Competitor data Folders named McKesson, Medline, AdaptHealth inside CUSTOMERS - yossi β pricing policy and strategy
Internal documentation HR DEPARTMENT - UPDATED (employee personal data), Payroll Reports (salaries), FDA (regulatory documents), Instruction Manuals (intellectual property)
3. EMPLOYEE AND MANAGEMENT PERSONAL DATA
What leaked Details
Employee work folders Folders by name: JANET, BRIAN, KRISTINA Stuff, PATRICIA, MIKE, YOSSI β personal correspondence, notes
Document scans scans\Yossi\Yossi iphone\DCIM β photos from employee's phone
Personal files Music, videos (movies\Game of Thrones), workout programs (Workout\P90X) β employees used work computers for personal purposes, expanding the scope of the leak
π VERDICT
This is not just a "document leak."
This is a digital copy of the entire enterprise.
From this archive, one could reconstruct all commercial, financial, operational, and personnel activities of Proactive Medical Products, as well as a significant portion of their relationships with partners.
## π INCIDENT: Smith IP Services
π Attackerβs Claim Date: February 10, 2026 (CL0P group)
π¦ Attacker: CL0P ransomware group
π― Compromised Domain: SMITHIPSERVICES.COM
π’ About the Company: Smith IP Services β a U.S.-based company specializing in Intellectual Property (IP)
π¦ Total size of the leaked archive: 97 GB
## π WHAT WAS LEAKED :
β Thousands of patent applications
(US, Europe, China, Brazil, Australia, Canada, Argentina, Mexico, and others)
β Trademarks in dozens of countries
β Correspondence with clients β including strategy, financials, and legal recommendations
β Patent assignment records
β Internal company documents (HR, payroll, etc.)
β Personal files of employees
---
## π§Ύ STATUS
The leak is complete and total β not only current cases have been compromised, but also archived files and those previously transferred to other law firms.
The archive allows for a full reconstruction of the commercial, financial, and patent activities of the IP firm and its clients.
β οΈ Leak status: Published
π Attackerβs Claim Date: February 10, 2026 (CL0P group)
π¦ Attacker: CL0P ransomware group
π― Compromised Domain: SMITHIPSERVICES.COM
π’ About the Company: Smith IP Services β a U.S.-based company specializing in Intellectual Property (IP)
π¦ Total size of the leaked archive: 97 GB
## π WHAT WAS LEAKED :
β Thousands of patent applications
(US, Europe, China, Brazil, Australia, Canada, Argentina, Mexico, and others)
β Trademarks in dozens of countries
β Correspondence with clients β including strategy, financials, and legal recommendations
β Patent assignment records
β Internal company documents (HR, payroll, etc.)
β Personal files of employees
---
## π§Ύ STATUS
The leak is complete and total β not only current cases have been compromised, but also archived files and those previously transferred to other law firms.
The archive allows for a full reconstruction of the commercial, financial, and patent activities of the IP firm and its clients.
β οΈ Leak status: Published
π INCIDENT: ENVIRONMENTAL CORPORATION OF AMERICA (ECA)
π Attacker's claim date: January 2026
π¦ Attacker: CLOP (Clop) ransomware group β Russian-speaking RaaS group
π― Compromised domain: ECA-USA.COM
π’ About the company:
Environmental Corporation of America (ECA) β technology and aerospace industry company
Headquarters: USA
π WHAT LEAKED :
β Client data - Contracts, purchase orders (PO), invoices, shipping/delivery information
β Aerospace industry -Technical documentation, specifications, drawings (ITAR/EAR sensitive data)
β Finance - Pricing, payment data, salaries, financial reports
β HR / Personnel - Employee personal data, document scans, resumes
β Internal documentation - Policies, procedures, internal correspondence
β IP / Intellectual Property - Patents, technological developments, source code
β οΈ SECTOR RISK β CRITICAL
The aerospace industry is particularly vulnerable due to:
* High value of intellectual property
* Export control regulations (ITAR / EAR)
ITAR (International Traffic in Arms Regulations) β sensitive defense-related data. Leak of ITAR-controlled information can have national security implications and result in massive regulatory fines.
π¨ Leak status: Published
π Attacker's claim date: January 2026
π¦ Attacker: CLOP (Clop) ransomware group β Russian-speaking RaaS group
π― Compromised domain: ECA-USA.COM
π’ About the company:
Environmental Corporation of America (ECA) β technology and aerospace industry company
Headquarters: USA
π WHAT LEAKED :
β Client data - Contracts, purchase orders (PO), invoices, shipping/delivery information
β Aerospace industry -Technical documentation, specifications, drawings (ITAR/EAR sensitive data)
β Finance - Pricing, payment data, salaries, financial reports
β HR / Personnel - Employee personal data, document scans, resumes
β Internal documentation - Policies, procedures, internal correspondence
β IP / Intellectual Property - Patents, technological developments, source code
β οΈ SECTOR RISK β CRITICAL
The aerospace industry is particularly vulnerable due to:
* High value of intellectual property
* Export control regulations (ITAR / EAR)
ITAR (International Traffic in Arms Regulations) β sensitive defense-related data. Leak of ITAR-controlled information can have national security implications and result in massive regulatory fines.
π¨ Leak status: Published
π INFORMATIONAL: THE CLOP GROUP
Context of CLOP Activity in 2025β2026
The CLOP (Clop) ransomware group is one of the most active and dangerous Russian-speaking RaaS (Ransomware-as-a-Service) groups. They specialize in mass-scale attacks using zero-day vulnerabilities in popular enterprise software:
Target Software Number of Victims Period
MOVEit Transfer ~2,773 organizations 2023
GoAnywhere MFT 100+ organizations 2023
Accellion FTA Dozens of organizations 2020β2021
Oracle E-Business Suite Dozens of organizations 2025
In 2025, CLOP exploited a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) , stealing data from dozens of organizations worldwide.
Confirmed victims of that campaign include:
* Harvard University
* The Washington Post
* Logitech
* Schneider Electric
* Emerson
* American Airlines (Envoy Air)
* GlobalLogic (data breach of 10,500+ employees)
Context of CLOP Activity in 2025β2026
The CLOP (Clop) ransomware group is one of the most active and dangerous Russian-speaking RaaS (Ransomware-as-a-Service) groups. They specialize in mass-scale attacks using zero-day vulnerabilities in popular enterprise software:
Target Software Number of Victims Period
MOVEit Transfer ~2,773 organizations 2023
GoAnywhere MFT 100+ organizations 2023
Accellion FTA Dozens of organizations 2020β2021
Oracle E-Business Suite Dozens of organizations 2025
In 2025, CLOP exploited a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) , stealing data from dozens of organizations worldwide.
Confirmed victims of that campaign include:
* Harvard University
* The Washington Post
* Logitech
* Schneider Electric
* Emerson
* American Airlines (Envoy Air)
* GlobalLogic (data breach of 10,500+ employees)
CLOP's tactic: "Double extortion" β data theft + threat of public release. The group gives victims a limited window for negotiations, after which they publish the stolen data in open access on their Tor leak site.
Why the Presence of Microsoft 365 Is Important Context, Not Proof of a Breach
CLOP is not just a ransomware operator β it is a group engaged in data theft and extortion. Their target model is to infiltrate the victim's network by any means and exfiltrate as much information as possible. If the victim's network includes Microsoft 365, then gaining access to it is a "gold mine": C-level emails, Teams discussions of deals, SharePoint, OneDrive.
In 2026, there are at least three documented methods to gain full access to Microsoft 365 without hacking Microsoft's own servers:
1. Session Interception via Compromised Routers (APT28)
In April 2026, an operation by Russian hackers (GRU) was confirmed: between 18,000 and 40,000 routers were compromised worldwide. The technique β DNS spoofing and adversary-in-the-middle (AiTM). An employee thinks they are logging into Outlook, but in reality, they are sending their login, password, and MFA token directly to the hackers. This works even with two-factor authentication enabled.
2. Device Code Phishing (OAuth 2.0 Attack)
A user receives a phishing email asking them to go to the legitimate Microsoft site https://aka.ms/devicelogin and enter a short code. Once they do, they authorize a malicious application (e.g., "Microsoft Security Scanner"). The hackers receive a Refresh Token and gain full access to the victim's email, Teams, and files. The user voluntarily and legitimately completes the MFA process.
3. Vulnerabilities in "Edge" File Transfer Systems (MOVEit, GoAnywhere)
This is classic CLOP. They don't break into Microsoft 365 directly. Instead, they compromise a vendor or an adjacent system (e.g., a corporate portal), and from there "move laterally" into Microsoft 365 using legitimate integrations.
4. What "Victim Uses Microsoft 365" Means β An Indicator of the Scale of Damage
The presence of Microsoft 365 at a victim organization is not proof that the breach occurred through it. However, it is a critically important indicator for assessing potential damage.
In the context of the "What leaked" section:
Scenario - What leaked?
* Victim does NOT use M365 Only server files (standard documents)
* Victim DOES use M365 In addition to server folders β all corporate correspondence (Outlook), chat history (Teams), files from OneDrive and SharePoint
Thus, "uses Microsoft 365" is not evidence of the hack itself β it is a marker of potential catastrophe. If CLOP gains access to a victim's network that includes M365, the volume of the leak increases exponentially due to cloud-based communications.
Why the Presence of Microsoft 365 Is Important Context, Not Proof of a Breach
CLOP is not just a ransomware operator β it is a group engaged in data theft and extortion. Their target model is to infiltrate the victim's network by any means and exfiltrate as much information as possible. If the victim's network includes Microsoft 365, then gaining access to it is a "gold mine": C-level emails, Teams discussions of deals, SharePoint, OneDrive.
In 2026, there are at least three documented methods to gain full access to Microsoft 365 without hacking Microsoft's own servers:
1. Session Interception via Compromised Routers (APT28)
In April 2026, an operation by Russian hackers (GRU) was confirmed: between 18,000 and 40,000 routers were compromised worldwide. The technique β DNS spoofing and adversary-in-the-middle (AiTM). An employee thinks they are logging into Outlook, but in reality, they are sending their login, password, and MFA token directly to the hackers. This works even with two-factor authentication enabled.
2. Device Code Phishing (OAuth 2.0 Attack)
A user receives a phishing email asking them to go to the legitimate Microsoft site https://aka.ms/devicelogin and enter a short code. Once they do, they authorize a malicious application (e.g., "Microsoft Security Scanner"). The hackers receive a Refresh Token and gain full access to the victim's email, Teams, and files. The user voluntarily and legitimately completes the MFA process.
3. Vulnerabilities in "Edge" File Transfer Systems (MOVEit, GoAnywhere)
This is classic CLOP. They don't break into Microsoft 365 directly. Instead, they compromise a vendor or an adjacent system (e.g., a corporate portal), and from there "move laterally" into Microsoft 365 using legitimate integrations.
4. What "Victim Uses Microsoft 365" Means β An Indicator of the Scale of Damage
The presence of Microsoft 365 at a victim organization is not proof that the breach occurred through it. However, it is a critically important indicator for assessing potential damage.
In the context of the "What leaked" section:
Scenario - What leaked?
* Victim does NOT use M365 Only server files (standard documents)
* Victim DOES use M365 In addition to server folders β all corporate correspondence (Outlook), chat history (Teams), files from OneDrive and SharePoint
Thus, "uses Microsoft 365" is not evidence of the hack itself β it is a marker of potential catastrophe. If CLOP gains access to a victim's network that includes M365, the volume of the leak increases exponentially due to cloud-based communications.