1. Executive Summary
This comprehensive threat intelligence report details a highly active 24-hour period in the global cyber threat landscape, based on a dataset of recent cybersecurity incidents. The observed events span multiple attack vectors, including massive data breaches, the widespread distribution of credential combolists, state-sponsored cyber espionage, hacktivist defacements, and the sale of initial access and malicious tools.
A significant portion of the recorded activity involves the free distribution and sale of billions of compromised credentials, driven largely by prolific threat actors operating on dark web forums and Telegram channels. High-profile corporate breaches were a major feature of the reporting period, with severe incidents affecting major technology platforms such as Vercel and Match Group. Furthermore, government and critical infrastructure entities across the globe—ranging from the United States Federal Bureau of Investigation (FBI) to the Israeli Institute for National Security Studies (INSS) and various Indonesian regional agencies—experienced severe data exposures and cyber-kinetic attacks.
This report provides a detailed, categorized analysis of these incidents, exploring the methodologies of the threat actors, the geographic and industry impacts, and the specific nature of the compromised data, strictly based on the provided intelligence data.
2. High-Impact Data Breaches and Corporate Compromises
The reporting period saw a multitude of high-impact data breaches affecting cloud infrastructure providers, SaaS platforms, financial institutions, and retail organizations globally.
2.1 The Vercel Compromise by ShinyHunters
One of the most critical incidents involves Vercel, a major cloud platform used by developers worldwide. A threat actor identified as ShinyHunters allegedly breached the platform and offered Vercel data for sale, including source code, database access, authentication tokens, and email:password credentials, for $250,000 USD. The threat actor claimed the dataset amounted to 3TB of data.
The breach reportedly originated around April 12, 2026, when a senior Vercel engineer authenticated with a fake third-party AI tool via a malicious Google Workspace OAuth application. Vercel’s official knowledge base bulletin confirmed a security incident involving unauthorized access to internal systems, stating the attack was initiated through the compromise of a third-party tool named Context.ai used by an employee, which allowed access to certain environment variables.
ShinyHunters claimed to possess an internal database containing 170,000 lines of data, which included employee email:password hashes, user records (id, name, displayName, email, active, admin, guest, timezone, createdAt, updatedAt, lastSeen), source code (Next.js, Turborepo, SWC), Git permissions, API tokens, and project configurations. The actor demanded $100,000 USD for this specific internal database. Furthermore, ShinyHunters announced the upcoming free release of a Linear database associated with Vercel, containing over 170,000 issues, over 400,000 comments, and reportedly multiple open vulnerabilities. The threat actor also claimed that Vercel’s systems crashed during the data exfiltration process.
2.2 The Match Group Vishing Attack
ShinyHunters was also responsible for an alleged breach of Match Group, the owner of major dating applications including OkCupid and Hinge, which reportedly occurred in January 2026. The attack was executed using a vishing (voice phishing) technique, where hackers tricked an employee into surrendering Okta SSO credentials. This granted the attackers access to internal dashboards and the AppsFlyer marketing platform.
The stolen data includes approximately 85,000 user email addresses, roughly 2 million mobile advertising IDs (MAIDs), internal documents, OkCupid logs, and Hinge subscription transaction data. Passwords, financial data, and personal chat history were reportedly not compromised in this incident. The primary risk associated with this breach is the potential for targeted phishing campaigns utilizing the leaked email addresses.
2.3 Additional Corporate and Enterprise Breaches
Numerous other corporate entities suffered significant data breaches:
- Hatica (India): A threat actor named FulcrumSec exploited an exposed GitHub token to access the private ‘haticahq’ GitHub organization. The leak included 75 private repositories, a 5.7 GB production database, 4,700 Slack workspace bot tokens, and plaintext production credentials across 15 services. The breach impacted associated products (DixiApp/PyjamaHR, Posium/QAKit) and exposed data from customers such as JP Morgan, BrowserStack, GE Healthcare, Disney, and MIT.
- Salesforce (United States): ShinyHunters posted partial Salesforce data with download links and provided official contact verification to warn against impersonators.
- Agoda (Malaysia): Threat actor ‘hackboy’ offered an alleged database dump of 82 million Agoda.com customer records. The data included full names, email addresses, phone numbers, Malaysian national identity card numbers (IC numbers), and full physical addresses.
- Emaar Properties and Select Group (UAE): A threat actor ‘ksa901’ sold a dataset containing over 700,000 records of property owners and rental information (car details, parking info, addresses, phone numbers, emails). The leak included 7GB of documents, SMTP credentials, API keys, and data on high-profile individuals. Another actor, ‘RubiconH4ck’, sold 200,000 property owner records from Dubai covering Business Bay, DIFC, and Downtown Dubai.
- Thai Banking Sector: Threat actor ‘taomarita’ sold customer data sourced from seven Thai banks: Bangkok Bank, Kasikorn Bank, Siam Commercial Bank, TMBThanachart Bank, CIMB Thai Bank, Krung Thai Bank, and United Overseas Bank. Data included account balances, numbers, debt amounts, addresses, phone numbers, and national ID card copies exfiltrated from user workstations and OneDrive shares.
- Taiseer (Egypt): Actor ‘Sorb’ sold a database from the gold investment platform taiseer.co, containing 71,000 unique user records (names, emails, phones, national IDs, bcrypt-hashed passwords, employment details, transaction history) and 27,000 national ID card scans.
- Timber Mart (Canada): Actor ‘Databroker1’ sold a database of 485,000 records from timbermart.ca, including customer PII, store locations, inventory, and financial transaction records with payment methods and the last four digits of payment cards.
- Premmiere (Indonesia): Actor ‘Kyy’ sold an 18GB+ database dump from the e-commerce platform premmiere.co.id, exposing supplier information linked to the government procurement portal e-katalog.lkpp.go.id.
- Champhunt (India): Actor ‘888’ sold the database and source code of cricket social media platform Champhunt.com, exposing 224,300 records (emails, bcrypt passwords, JWT tokens, mobile numbers) and an admin account with active session tokens.
- Sozcu (Turkey): Actor ‘rape’ leaked the claimed full database of the major Turkish news outlet Sozcu.com.tr via Google Drive.
- Sistema Rifa: Actor ‘@0xy0um0m’ / ‘[Mod] Tanaka’ leaked 200,000 customer records from the lottery platform sistemarifa.com, including bcrypt-hashed credentials.
- Master Brusque (Brazil): Actor ‘DarkMafiaX’ shared a 10MB SQL dump containing administrative and user records, including accounts associated with the ‘Sway’ organization.
3. Government, Defense, and Public Sector Exposures
Government institutions and national security entities were heavily targeted, resulting in the exposure of highly sensitive classified information and citizen data.
3.1 The INSS Classified Data Leak
A major national security breach occurred in Israel, where a threat actor group identifying as Sumud Cyber Command claimed to have leaked 15.92 terabytes of classified documents from the Institute for National Security Studies (INSS). The dump contained over 9.7 million files, purportedly sourced from secure research servers and analyst workstations. The exposed materials allegedly included strategic intelligence reports, Iran-related analysis, proxy force intelligence, military planning, and internal policy documents. This archive was made available for free download on darknet forums.
3.2 United States Intelligence and Citizen Data
Threat actor ‘RubiconH4ck’ claimed to have leaked approximately 2TB of sensitive data sourced from internal directories of the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA), covering the 2024-2025 period. Sample data included full names, job titles, direct phone numbers, and official government email addresses (@ic.fbi.gov) of FBI Special Agents, Task Force Officers, and Contractors.
Additionally, a threat actor named ‘aliladz213’ allegedly offered a database containing the personally identifiable information (PII) of 38 million United States citizens, including Social Security Numbers (SSNs), full names, phones, addresses, and dates of birth. Another actor, ‘hexvior’, sold a database of 71,367 US individual records described as “fullz,” containing SSNs, full names, addresses, driver’s license details, and SSN photocopies.
3.3 Indonesian Government Data Breaches
Indonesian government infrastructure was systematically targeted by an actor operating under the alias ‘Xyph0rix’. The leaked databases included:
- Polda Jawa Tengah (Central Java Regional Police): A structured personnel database containing officer IDs, NRP (registry numbers), names, ranks, assignments, phone numbers, emails, and bcrypt-hashed passwords.
- TVRI (Televisi Republik Indonesia): A database containing highly sensitive PII of employees of the national public broadcaster, including national ID numbers (NIK/NIP), job titles, civil servant ranks, bank account numbers, and tax identifiers.
- Polri Litbang: A database belonging to the Indonesian Regional Police Research and Development (litbang.go.id), exposing user names and email addresses, accompanied by an anti-corruption message.
- PMI Sidoarjo: A database from the government-affiliated organization (pmi-sidoarjo.go.id) containing names, emails, and addresses.
- Banjar City Defense Office: A database from the West Java government entity (go.id).
3.4 Global Public Sector Breaches
- Venezuela (Farmapatria): A database containing approximately 3 million Venezuelan citizen records was leaked. The JSON-formatted data included sensitive medical information such as national ID numbers (cédulas), phone numbers, and detailed COVID-19 vaccination records (vaccine brand Sinopharm VERO CELL, dose dates, lot numbers).
- Mexico (SSEDOMEX): Actor ‘gordo’ sold an emergency call database from the Secretaría de Seguridad del Estado de México for $1,200 USD. It contained 3,652 Excel files covering 911 and 089 calls from 2016 to 2026, detailing incident types, geographic coordinates, and unit dispatch info.
- Turkey (SGK Türkiye): Actor ‘SCTH’ sold a database belonging to the Turkish Social Security Institution with over 20 million retiree records (TC Kimlik No, names, coverage type) for $200.
- Nigeria (Bureau of Public Enterprises): Actors ‘NullsecNg’ and ‘ki4t’ leaked scraped data including web configuration backups (webconfig.bak), admin configuration files, and user source code.
- Colombia (Valle del Cauca Government): Threat actors NyxarGroup, ArcRaidersPlayer, and Petro_Escobar sold a database exfiltrated from the ‘IISSAR’ portal, exposing citizens’ banking info, national ID numbers (C.C.), employment status, and educational qualifications.
- Iraq: A threat actor claimed to have breached a modern vehicle registration database covering all Iraqi provinces. Another group claimed access to an Iraqi government server, extracting identity and family records.
- China: Actor ‘xorcat’ leaked a JSON database of licensed stamp and seal B2B manufacturers across Liaoning Province (Shenyang, Dalian, Anshan, Fushun), exposing business registration codes and responsible person names.
4. Education and Academic Institution Breaches
The education sector suffered multiple data exposures:
- Universitas Islam Kadiri (UNISKA), Indonesia: Actor ‘MaxiZERO’ sold a database for $20 containing student, lecturer, and employee records with national ID numbers, religion, gender, and academic details.
- Pakiza Knowledge City, India: Actor ‘DarkMafiaX’ leaked a 10MB SQL dump containing administrator and staff records, plaintext passwords, physical addresses, and Super Admin credentials spanning student management, finance, and admissions.
- SMJK Katholik (CHS), Malaysia: Actor ‘OrangeIce’ sold a database for RM 2,500 ($550 USD) containing over 800 JSON records of staff and students, including IC numbers and official school email addresses (@moe-dl.edu.my).
- Chartered Institute of Bankers of Nigeria (CIBN): Actor ‘Rabid’ leaked a 250GB database including member PII, source code, and identity documents (ID cards, certificates).
- IGCPS (Vocational Training): Actor ‘nearlevrai’, in collaboration with ‘NormalLeVrai’, scraped the webmail system, recovering 112 emails and 11 attachments.
- Programmemoi.ca (Canada): Actor ‘fent888’ sold 317 account credentials with associated loyalty/reward points for $2.
5. The Credential Threat Landscape: Combolists and Logs
The most pervasive threat activity recorded involved the mass distribution of “combolists” (combinations of usernames/emails and passwords) and information-stealer logs. These datasets fuel credential stuffing attacks, account takeovers, and initial access brokerage. The volume of credentials exchanged during this 24-hour period is measured in the billions.
5.1 The Multi-Billion Record Combolist (AlienTxTBase)
The largest single dataset identified was distributed by a threat actor named ‘txtlog_alien’. The actor provided a combolist dubbed “AlienTxTBase Global,” which claimed to contain approximately 6.4 billion URL:login:password (ULP) credential records. The dataset totaled 377GB in size and was freely distributed via a Mediafire link. The data format suggests it is an aggregated collection of stealer logs rather than a single organizational breach. Another actor, ‘Markus7’, distributed an archive of 6 million ULP credential lines across MEGA, Gofile, and MediaFire. Furthermore, actor ‘Mustukaral’ advertised a 1.300GB to 1.4TB collection of ULP combolists, offering an online search robot to query targets without downloading files, filtering by country.
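One way a defender can triage a URL:login:password (ULP) dump for exposure of their own organization, as an added example that is not part of the original report: each line is split from the right because the URL itself contains colons, and only in-scope logins, hosts and a password fingerprint are kept. The domain example.com, the sample lines and all function names are constructed for illustration.

```python
"""Triage a ULP (URL:login:password) dump for an organization's own exposure.

Added example: the domain, sample lines and function names are constructed.
"""
import hashlib
from urllib.parse import urlsplit


def parse_ulp(line):
    """Return (host, login, password), or None if the line is malformed.

    The URL part contains colons (scheme, port), so the split is done from
    the right. A password that itself contains ':' is ambiguous in this
    format and will be truncated to its last segment.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, login, password = parts
    # "https://host:user" splits into ("https", "//host", "user"): reject it.
    if not url or not login or not password or login.startswith("/"):
        return None
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a netloc
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. broken IPv6 brackets
        return None
    if not host:
        return None
    return host.lower(), login.strip().lower(), password


def in_scope(host, login, org_domains):
    """True if the service host or the login's mail domain belongs to us."""
    mail_domain = login.rpartition("@")[2] if "@" in login else ""
    for domain in org_domains:
        for candidate in (host, mail_domain):
            if candidate == domain or candidate.endswith("." + domain):
                return True
    return False


def triage(lines, org_domains):
    """Return ({(login, fingerprint): {hosts}}, skipped_line_count).

    Aggregated dumps repeat the same record many times, so findings are
    de-duplicated. The fingerprint is a truncated SHA-256 used only to tell
    distinct leaked passwords apart in a report without keeping plaintext;
    it is not a safe way to store passwords.
    """
    findings, skipped = {}, 0
    for line in lines:
        record = parse_ulp(line)
        if record is None:
            skipped += 1
            continue
        host, login, password = record
        if not in_scope(host, login, org_domains):
            continue
        fingerprint = hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]
        findings.setdefault((login, fingerprint), set()).add(host)
    return findings, skipped


def accounts_to_reset(findings):
    """Sorted, unique logins that appear in the in-scope findings."""
    return sorted({login for login, _ in findings})


# Constructed sample lines in ULP format (not taken from any real dump).
SAMPLE = """\
https://sso.example.com:8443/login:alice@example.com:Winter2026!
https://sso.example.com:8443/login:alice@example.com:Winter2026!
portal.example.com/auth:bob:hunter2
https://shop.test/account:carol@example.com:S3cret
https://shop.test/account:dave@other.test:pw123
https://vpn.example.com:eve
not a ulp line
""".splitlines()

if __name__ == "__main__":
    found, bad = triage(SAMPLE, {"example.com"})
    print("malformed lines skipped:", bad)
    for (login, fp), hosts in sorted(found.items()):
        print(login, fp, ",".join(sorted(hosts)))
    print("force reset for:", accounts_to_reset(found))
```

Logins on third-party hosts (the `shop.test` line) matter as much as hits on the organization's own services, since a reused corporate address points to likely password reuse.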
5.2 Threat Actor Profile: CODER
A highly prolific threat actor operating under the alias ‘CODER’ engaged in the mass distribution of combolists via various Telegram channels (e.g., t.me/Combo445544, t.me/Coder554455) and the CrackingX forum. Their activity focused on volume and platform variety, distributing credentials for free. The datasets released by CODER included:
- 15 million social media credentials.
- 14 million mixed credential pairs.
- 13 million mixed email and password pairs.
- 11 million business/corporate email credentials.
- 11 million Office-related credentials.
- 11 million SMTP credential pairs.
- 9 million credential pairs targeting eBay, PayPal, Amazon, Facebook, Twitter, and LinkedIn.
- 3 million business and corporate domain credentials.
- Combolists targeting the education sector.
- Spotify combolists.
- Free corporate email combolists.
5.3 Threat Actor Profile: HQcomboSpace
The actor ‘HQcomboSpace’ specialized in localized and corporate combolists, primarily utilizing Mega.nz file links for distribution on CrackingX. Their releases included:
- 1.14 million credentials targeting European and German users.
- 1.3 million Hotmail credentials.
- 1.18 million lines targeting German users.
- 943,343 lines of Hotmail credentials.
- 756,116 credentials sourced from German-domain accounts.
- 586,879 lines targeting German shopping-related accounts.
- 448,999 lines targeting German social and shopping platforms.
- 173,811 corporate email and password combinations.
- 121,667 lines of corporate email credentials (MailPass format) validated against SMTP servers.
- 58,451 mixed corporate credential pairs.
5.4 Threat Actor Profile: thejackal101
Operating on DemonForums and promoting a Telegram channel (@elite_cloud1), ‘thejackal101’ distributed geographically sorted combolists described as “FRESH” and “HQ”. Their localized dumps included:
- 575,000+ credential pairs sourced from Brazil.
- 219,000+ pairs targeting Colombian users.
- 219,000+ pairs targeting Canadian accounts.
- 126,000 pairs sourced from Bulgaria.
- 96,000 pairs associated with Chilean users.
- 26,000 pairs sourced from China.
- 17,000 pairs described as British Indian in origin.
5.5 Targeting Microsoft: The Hotmail Combolist Trend
A highly specific and recurrent trend observed was the targeted distribution of Hotmail (Microsoft) credentials. Multiple actors released combolists specifically focused on Hotmail accounts, often categorized by quality (“hits”, “valids”, “UHQ”, “inboxed targets”).
- ValidMail: Released 40,000 Hotmail credentials validated against forums.
- VegaM: Released 51,000 and 24,730 valid Hotmail credentials.
- UniqueCombo: Released 13,000 Hotmail credentials.
- RandomUpload: Released 8,135 valid Hotmail credentials.
- Roronoa044: Released 4,629 UHQ Hotmail combinations.
- redcloud: Released 3,100 UHQ Hotmail credentials.
- Angiecrax: Released 2,162 HQ Hotmail valids.
- alphaxdd: Released 1,616 and 1,472 premium Hotmail hits.
- KiwiShio: Released 1,565 Hotmail credentials.
- Steveee36: Released 1,049 Hotmail credentials.
- Megacloud: Released 850 fresh Hotmail hits.
- HollowKnight07: Released 790 and 690 Hotmail credential samples.
- Larry_Uchiha: Released 760 Hotmail pairs targeting the US, Europe, Asia, and Russia.
- Hotmail Cloud: Released 497 and 347 UHQ inbox-verified targets.
- Jelooos: Released 2,500 fully valid/unabused Hotmail credentials.
- lpbPrivate: Released 200 Hotmail credential hits.
- WhiteMelly: Released 400 Hotmail/Microsoft ULP lines.
- noir: Released an X1942 Valid UHQ Mix containing Hotmail credentials.
5.6 Extensive Mixed Combolist Activity
Beyond structured datasets, threat actors flooded forums with “mixed” combolists targeting various platforms and geographies:
- NightFall: 5.5 million UHQ credential pairs.
- Ra-Zi: 170,000 pairs targeting Netflix, Minecraft, Uplay, Steam, Hulu, Spotify. Also 126,000 AOL credentials.
- carlos080: 170,000 pairs from AOL, Yahoo, Hotmail, Outlook targeting France, UK, Germany, USA, Spain, Italy, Canada, Australia.
- Immanuel_Kant: 121,000 Hong Kong records and 73,000 New Zealand records.
- idsfgofdu213: 110,665 daily free lines via Cloudberry ULP.
- Haydayx/MTx_Hu: 82,000 fresh pairs sourced from MTX CLOUD PRIVATE, sold via subscription ($5-$40).
- Browzchel: 76,079 mixed lines.
- MarkVesto: 56,000 mixed email credentials.
- NmChk: 52,000 fresh email access credentials.
- StrawHatBase: 48,000 and 38,000 valid mail access pairs.
- Megacloud: 47,000 mixed full mail access credentials, 46,000 German email credentials, and 2,500 validated US email credentials.
- TeraCloud1: 27,000 and 13,000 valid email credentials.
- WhiteMelly: Distributed a 10GB collection of ULP lines from stealer logs targeting Hotmail, Live, Outlook, MSN in the EU, UK, France, Poland, Germany, and Italy. Also distributed a 1.3GB collection and 20,000 mixed lines.
- karaokecloud: 13,500 pairs (Germany, US, UK, Japan, Poland) and 11,800 mixed European credentials (France, Germany, Poland, Italy).
- Ebbicloud: 10,900 mixed pairs.
- MailAccesss: 6,400 and 2,700 Japanese email credentials, 1,900 French credentials, and 1,300 Brazilian credentials.
- RandomUpload: 6,531 mixed mail access pairs.
- alphacloud: 4,673 premium mix mail hits.
- NotSellerxd: 4,115 mixed entries.
- Larry_Uchiha: Mixed platform credentials for Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook.
- hangover934: WordPress login credentials and mixed USA/Europe hits.
- zod: VIP ULP 1, WordPress combolist, and 694 Microsoft lines.
6. Info-Stealer Logs and Aggregated Databases
Information stealer malware provides the raw data that feeds into combolists. Several threat actors distributed these logs:
- S0uxsd: Shared massive database collections totaling 591.89 GB and 388.29 GB via BitTorrent magnet links, containing credential lists, logs, premium account data, and documents.
- HighWayToShell: Leaked 5,000 logs collected via RedLine Stealer v2, targeting systems in Spain running Windows Server 2019 and Brave browser, exposing credentials, cookies, and autofill data.
- UP_DAISYCLOUD: Made 5,715 stealer logs available via Pixeldrain.
- fatetraffic: Shared 1,540 mixed stealer logs.
- tuzelity: Sold combolists, cookies, and stealer logs for multiple platforms including Hotmail, Gmail, Yahoo, Facebook, Instagram, LinkedIn, Netflix, PayPal, Amazon, eBay, Steam, iCloud, TikTok, Airbnb, Booking, and Verizon.
- Moon Cloud: Distributed free stealer logs via Telegram photo attachments.
A notable development in this ecosystem was the release of a Telegram-based OSINT bot by actor ‘devil_mae’, which claimed to index over 12 billion records aggregated from combolists, database dumps, and public leaks. The bot allowed users to perform free millisecond lookups by domain, email, or username, returning associated data as text files.
7. Hacktivism, Defacements, and Cyber Warfare
Geopolitically motivated cyber activity and mass defacements were prominent during the reporting period, targeting critical infrastructure, retail, and government assets.
7.1 Geopolitical Cyber Conflicts
- Russia/Ukraine Conflict: Ukrainian hackers reportedly infiltrated a classified session held by Russia’s Ministry of Industry and Trade concerning drone (UAV) manufacturing. This breach allowed unauthorized access to sensitive government discussions regarding defense-industrial activities.
- Israel Cyber Escalation: Gil Messing, head of cybersecurity staff at Check Point Israel, reported an increase in daily cyberattacks, reconnaissance, and intelligence collection targeting Israeli critical infrastructure and security personnel. Hacktivist group M-17SEC (operation OpsResurrect1) claimed to have compromised the SCADA systems of Israeli telecommunications firm Partner Communication Ltd, referencing hashtags #OpsIsrael and #TheGarudaEye.
- Iran Resilience: Despite the conflict, Iran’s Central Bank Deputy of Payment Systems announced that Bank Melli and Bank Sepah sustained and resisted both cyber and physical attacks without service interruption to payment infrastructure.
- Turkey/Armenia Tensions: A threat actor operating under the ‘Armenian code’ channel claimed to have hacked a Turkish pumping station’s ICS/OT/SCADA control system, disconnecting the pump and posting a photo as proof of Turkish digital security weaknesses.
- OpPoland: The pro-Russian hacktivist group NoName057(16) claimed to have compromised surveillance CCTV cameras at Polish retail stores as part of their ongoing #OpPoland campaign, mockingly referencing a “Hidden Camera” show format.
7.2 Mass Defacement Campaigns
- Babayo Eror System / Mr.PIMZZZXploit: This threat actor claimed extensive defacements across global domains. Targets included the Dumai City Regional Parliament (dprd.dumaikota.go.id), where they posted a political anti-corruption message. They also defaced 12 URLs across Italy, Indonesia, Saudi Arabia, Brazil, and Romania (e.g., chatgptitalia.cc, unicc.com.sa, globe.akoma.online), as well as gerrit.97fan.club.
- OpsShadowStrike: In collaboration with TengkorakCyberCrew, MalaysiaHacktivist, and EagleCyberCrew, this group executed politically motivated defacements referencing the Palestine and Iran-Israel conflict. Targets included US solar industry website powervision.net and Indian educational institution KM Academy Asarganj (kmacademyasarganj.com).
- jatengblekhet / tirz4sec: Defaced waterlinksltd.com, a water/utilities company.
8. Initial Access, Exploits, and Malicious Tooling
Threat actors actively brokered initial access to corporate networks and distributed specialized exploitation tools.
8.1 API Exploitation and Identity Tools by ‘xorcat’
The threat actor ‘xorcat’ released several tools specifically targeting Chinese infrastructure and APIs:
- Chinese National ID Parser: An OSINT algorithm that decodes 18-digit Chinese resident ID numbers (Shenfenzheng) based on the GB11643-1999 standard, extracting dates of birth, gender, and regional location codes.
- SMS Flooding Tool: Exploited a lack of rate limiting on the SMS verification endpoint of the Chinese mobile app app2.100520.com, sending ~200 SMS messages per minute via GET request flooding with spoofed Android headers.
- WeChat Identity API Exploit: Targeted fws.xuanyanmeng.com using a hardcoded token to bypass KYC and match real names against WeChat account IDs without rate limiting.
- Corporate Registry Dumper: Exploited an unauthenticated API (sdnj.lcwl4.com) to map Chinese company names to legal representative identities and business credit codes.
8.2 Initial Access Brokers (IAB)
- GhostByte: Sold super admin-level VPN and firewall access to an Indian-American technology consulting firm (sub-$5M revenue, Active Directory, 5+ Windows servers) for $300.
- epsten: Recruited penetration testers on the Tier1 forum, offering access to compromised web RDP sessions, bots, SonicWall/FortiGate devices, and VPNs, providing closed exploits and EDR killer tools to partners.
- World Of Shells / Lei_BF: Brokered webshell access across 68 domains and specifically offered backdoor access to sites like avonavig80rz.com, diabease.com, and teenxindia.com.
- Pharaohs Team: Advertised access or SEO manipulation for Indian educational site mitm.edu.in and 13 other domains across Switzerland, Liechtenstein, and India.
- Babayo Eror System: Offered fresh administrator access to Indonesian government domains dprd.dumaikota.go.id and disdik.sulselprov.go.id.
8.3 Brute-Forcing and Cracking Tools
- ZeroDay: Sold multi-threaded brute-force and checker tools targeting VPN platforms (Fortinet, Cisco, SonicWall, WatchGuard, GlobalProtect), SSH, VNC, and RDP services, with optional CVE exploit integration.
- ananalbzoor: Shared ‘Btc_AI_Genprivatekey’, a tool that claims to generate Bitcoin private keys based on recent blockchain blocks and check wallet balances.
- makitabosch: Distributed a tool named ‘CryptoChecker NC’.
8.4 Financial Fraud and Forgery Services
- boker: Sold forged French identity documents (old/new CNI, passports), utility bills in PSD/PDF formats, and homemade MRZ band calculators.
- m13gang / ColdApollo: Sold verified PayPal accounts with balances of $2,000 to $10,000 (priced $150-$600) including SOCKS proxies. The actor also sold payment card dumps (Track 1/2 data with PINs) from the US, UK, Canada, Australia, and EU for $60-$80.
- JAYYMME10: Advertised non-OTP credit cards with high balances, bank logs, Apple Pay BINs, fullz, and identity documents.
- TerrellWhitte: Sold stolen credit cards, bank logs, checks, and compromised Cash App, PayPal, and Apple Pay accounts.
- hehe: Actively distributed counterfeit currency via Telegram.
- POSEIDONN: Shared single-individual full financial and personal records (credit cards, CVV, PII) of victims located in Irvine (CA), Petaluma (CA), Gambrills (MD), and other US locations.
9. Single-Target Data Leaks & Miscellaneous Exposures
Several smaller-scale but highly targeted data leaks occurred:
- FiveM Gaming Platform: Actor ‘nearlevrai’ shared 24,300 SQL files containing records for 208,454 players across registered game servers.
- Israeli Facebook Users: A dataset compiled from public sources containing names, phone numbers, and location data of Israeli users was published on the dark web.
- French Physics Textbook: Actor ‘Barrendero0’ shared a PDF/EPUB copy of an educational textbook with exercises and solutions.
10. Conclusion
The cyber threat events recorded on April 20, 2026, demonstrate a highly volatile and severe security environment. The data highlights a systemic vulnerability to credential stuffing, evidenced by the free distribution of billions of ULP combinations and Hotmail-specific lists by actors like CODER and HQcomboSpace. This indicates that initial access via reused or weak credentials remains the path of least resistance for threat actors.
Simultaneously, top-tier actors such as ShinyHunters and Sumud Cyber Command demonstrated the capacity to execute devastating attacks against critical SaaS platforms (Vercel) and national security entities (INSS), respectively. The use of vishing by ShinyHunters to breach Match Group underlines the persistent threat of social engineering bypassing technical controls like SSO.
Furthermore, the data reveals active cyber warfare and hacktivism operating parallel to physical geopolitical conflicts, with noticeable ICS/SCADA targeting (Israel, Turkey) and mass defacements carrying political messaging. The thriving underground market for initial access (VPN/RDP), specialized API exploits (xorcat), and financial fraud data (m13gang) ensures that less sophisticated actors have the tools necessary to execute damaging attacks. Organizations globally must urgently prioritize identity and access management, robust multi-factor authentication, employee anti-vishing training, and proactive credential monitoring to defend against these pervasive threats.
Detected Incidents Draft Data
- Alleged leak of European and German mixed combolist with 1.1 million credentials
Category: Combo List
Content: A threat actor operating under the handle HQcomboSpace has shared a mixed combolist containing approximately 1.14 million lines of credentials targeting European and German users. The combolist was made available as a free download via a Mega.nz link on the cracking forum CrackingX. No specific victim organization or service has been identified.
Date: 2026-04-20T23:44:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72727/
Screenshots: None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen payment card record belonging to a US-based individual. The data includes a full card number with expiration date and CVV, along with the cardholder's name, billing address, phone number, and email address. The victim is associated with a New Jersey address and a Florida-area phone number.
Date: 2026-04-20T23:41:33Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwwwww.2927999/unread
Screenshots: None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Crédit Mutuel Customer Database Affecting 523,000 French Records
Category: Data Leak
Content: A threat actor on the AE forum has made available an alleged database dump containing over 523,000 records attributed to Crédit Mutuel, a French banking institution. The leaked data reportedly includes full names, addresses, dates of birth, banking information, and IBAN numbers. The actor is distributing the data for free via a Telegram channel and requires forum replies to access the hidden download link.
Date: 2026-04-20T23:39:34Z
Network: openweb
Published URL: https://altenens.is/threads/523k-france-database-credit-mutuel-full-name-address-dob-bank-infos-iban.2928002/unread
Screenshots: None
Threat Actors: aliladz213
Victim Country: France
Victim Industry: Banking and Financial Services
Victim Organization: Crédit Mutuel
Victim Site: creditmutuel.fr
- Alleged Data Leak of sistemarifa.com Customer and User Database
Category: Data Leak
Content: A threat actor known as @0xy0um0m allegedly leaked a database dump from sistemarifa.com, a raffle/lottery platform, containing approximately 200,000 customer records. The leaked data includes multiple CSV files covering users, customers, directions, payments, sells, sold tickets, and cellphone carriers, with fields such as names, phone numbers, email addresses, professions, and bcrypt-hashed credentials including usernames and passwords. The data was made available on the SP – Databases forum on
Date: 2026-04-20T23:33:41Z
Network: openweb
Published URL: https://spear.cx/Thread-sistemarifa-com-200K-customers
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: Unknown
Victim Industry: Lottery / Raffle Services
Victim Organization: Sistema Rifa
Victim Site: sistemarifa.com
Alleged Data Leak of Farmapatria.com.ve Venezuelan COVID-19 Vaccination Records
Category: Data Leak
Content: A threat actor has leaked a database allegedly belonging to Farmapatria.com.ve containing approximately 3 million Venezuelan citizen records. The data includes sensitive personal and medical information such as full names, national ID numbers (cédulas), dates of birth, phone numbers, addresses, states, municipalities, and detailed COVID-19 vaccination records including vaccine brand (Sinopharm VERO CELL), dose dates, and lot numbers. The data is distributed in JSON format and appears to originat
Date: 2026-04-20T23:12:48Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-Farmapatria-com-ve-3M
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: Venezuela
Victim Industry: Healthcare
Victim Organization: Farmapatria
Victim Site: farmapatria.com.ve
Alleged leak of US individual's financial and personal data
Category: Data Leak
Content: A threat actor operating under the alias POSEIDONN shared what appears to be a single individual's payment card details along with personally identifiable information on a carding forum. The exposed data includes a full credit card number with expiration date and CVV, the cardholder's name, email address, phone number, physical address, and location details in Irvine, California, United States. The nature and source of the breach remain unknown.
Date: 2026-04-20T23:01:44Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwww.2927985/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of multi-platform credential combolist including Netflix, Steam, and Spotify accounts
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has shared a combolist of approximately 170,000 email:password credential pairs targeting multiple streaming and gaming platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The content is made available via a hidden download link on the forum, requiring registration or login to access. The actor also advertises paid high-quality combolists through a Telegram channel and a dedicated cracking website, offering credentials segment
Date: 2026-04-20T22:43:40Z
Network: openweb
Published URL: https://demonforums.net/Thread-170k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–201099
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Technology / Entertainment
Victim Organization: Netflix, Minecraft, Uplay, Steam, Hulu, Spotify
Victim Site: Unknown
Alleged leak of US individual's financial and personal data
Category: Data Leak
Content: A threat actor operating under the alias POSEIDONN shared what appears to be a single individual's full financial and personal record on a carding forum. The exposed data includes a credit card number with expiration date and CVV, full name, physical address, email address, IP address, date of birth, and phone number. The individual is located in Petaluma, California, United States.
Date: 2026-04-20T22:40:10Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwwwwwwwwww-huge.2927983/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 51,000 Hotmail credentials
Category: Data Leak
Content: A threat actor known as VegaM shared a combolist of approximately 51,000 alleged valid Hotmail credentials on the AE – Combo List forum. The credential list was made available via an external paste sharing service (pasteview.com). The post claims the credentials are valid Hotmail account logins, though this claim is unverified.
Date: 2026-04-20T22:37:57Z
Network: openweb
Published URL: https://altenens.is/threads/51k-valid-hotmail-access.2927976/unread
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of 170,000 mixed email credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias carlos080 has made available a combolist containing approximately 170,000 email:password credential pairs on the forum AE (altenens.is). The combolist is described as fresh and high quality, containing mixed credentials from various email providers including AOL, Yahoo, Hotmail, and Outlook, targeting users across multiple countries including France, UK, Germany, USA, Spain, Italy, Canada, and Australia. The actor also advertises additional credenti
Date: 2026-04-20T22:37:37Z
Network: openweb
Published URL: https://altenens.is/threads/170k-fresh-hq-combolist-email-pass-mixed.2927981/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of IGCPS Webmail Emails and Attachments
Category: Data Leak
Content: A threat actor known as nearlevrai claims to have scraped the webmail system of IGCPS, a vocational training institute. The actor states they recovered 112 emails and 11 attachments, which have been made available for free download via an external file-sharing link. The operation was reportedly conducted in collaboration with another actor identified as NormalLeVrai.
Date: 2026-04-20T22:31:17Z
Network: openweb
Published URL: https://breached.st/threads/webmail-igcps-scraped.86149/unread
Screenshots:
None
Threat Actors: nearlevrai
Victim Country: Unknown
Victim Industry: Education and Training
Victim Organization: IGCPS
Victim Site: Unknown
Alleged leak of Hotmail credential combolist targeting forum users
Category: Combo List
Content: A threat actor operating under the alias ValidMail has made available a combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The post claims the credentials are valid and targets forum members. Full content requires registration or sign-in to access.
Date: 2026-04-20T22:20:32Z
Network: openweb
Published URL: https://crackingx.com/threads/72724/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Megacloud has shared a combolist of approximately 850 Hotmail credentials on the AE combo list forum. The post claims the credentials are fresh and valid as of April 20th. Access to the hidden content requires forum engagement via replies, suggesting a gated free distribution model.
Date: 2026-04-20T22:16:24Z
Network: openweb
Published URL: https://altenens.is/threads/850x-hotmail-fresh-hits-just-valid-mail-20-04.2927973/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of US individual's financial and personal data
Category: Data Leak
Content: A threat actor on a carding forum shared what appears to be a single individual's financial and personal record, including a credit card number with expiration date and CVV, full name, email address, phone number, physical address, ZIP code, and US state. The data pertains to an individual located in Gambrills, Maryland, United States. No organization or source of the breach has been identified.
Date: 2026-04-20T21:57:32Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwwwwwwwwwww.2927971/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of stealer logs distributed via cloud storage
Category: Logs
Content: A threat actor operating under the alias UP_DAISYCLOUD has made available a collection of 5,715 stealer logs via the file-sharing platform Pixeldrain. The logs, dated April 20, are offered as a free download with a password-protected archive. Stealer logs typically contain credentials, browser-saved passwords, cookies, and other sensitive data harvested from compromised systems.
Date: 2026-04-20T21:48:19Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%9A%80-5715-LOGS-CLOUD-%E2%98%81-20-APRIL-%E2%9D%A4%EF%B8%8F-FRESH-LOGS%E2%9D%97%EF%B8%8F
Screenshots:
None
Threat Actors: UP_DAISYCLOUD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Masterbrusque.com.br Database
Category: Data Breach
Content: A threat actor operating under the alias DarkMafiaX has shared what appears to be a SQL database dump from the Brazilian e-commerce site masterbrusque.com.br. The leaked data, approximately 10MB in size, contains administrative and user account records including names, email addresses, usernames, hashed passwords with salts, login timestamps, and session metadata. The sample data reveals accounts associated with the Sway organization, including administrative-level users, suggesting a backen
Date: 2026-04-20T21:46:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Database-Of-The-Site-Masterbrusque-com-br
Screenshots:
None
Threat Actors: DarkMafiaX
Victim Country: Brazil
Victim Industry: E-commerce / Retail
Victim Organization: Master Brusque
Victim Site: masterbrusque.com.br
Alleged Data Leak of Pakiza Knowledge City Educational Platform Database
Category: Data Leak
Content: A threat actor known as DarkMafiaX has made available a 10MB SQL database dump from the Indian educational platform Pakizaknowlegecity.in. The leaked data includes administrator and staff records containing names, usernames, plaintext passwords, mobile numbers, email addresses, physical addresses, and granular access control permissions across multiple branch locations. The sample data reveals Super Admin credentials with full system access spanning student management, admissions, finance, and l
Date: 2026-04-20T21:45:54Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Database-Of-The-Site-Pakizaknowlegecity-in-India
Screenshots:
None
Threat Actors: DarkMafiaX
Victim Country: India
Victim Industry: Education
Victim Organization: Pakiza Knowledge City
Victim Site: pakizaknowlegecity.in
Alleged leak of 58.47 million URL:Login:Password credentials
Category: Combo List
Content: A threat actor known as Daxus has made available a large combolist containing approximately 58.47 million URL:login:password credential pairs on the cracking forum CX. The data is being distributed via the Daxus.pro website and an associated Telegram channel (@DaxusProBot). No specific victim organization or country has been identified, as the combolist appears to aggregate credentials from multiple sources.
Date: 2026-04-20T21:38:12Z
Network: openweb
Published URL: https://crackingx.com/threads/72721/
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed domain credential combolist targeting multiple countries
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing approximately 13,500 credential pairs on the cracking forum CrackingX. The combolist reportedly includes accounts from multiple countries including Germany, the United States, the United Kingdom, Japan, and Poland, among others. The credentials are described as good combo mix domains access, suggesting they are active and verified email:password combinations spanning various online services.
Date: 2026-04-20T21:37:55Z
Network: openweb
Published URL: https://crackingx.com/threads/72722/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of multi-site credential combolist via Cloudberry ULP
Category: Data Leak
Content: A threat actor on the AE forum has freely shared a URL:Login:Password combolist containing over 110,665 credential pairs, dated April 26, 2020. The post is labeled as a Daily Free Lines release associated with the Cloudberry ULP tool, requiring forum replies to access the download link. No specific victim organization or targeted site is identified, suggesting this is an aggregated credential list sourced from multiple origins.
Date: 2026-04-20T21:34:29Z
Network: openweb
Published URL: https://altenens.is/threads/url-login-pass-20-04-26-daily-free-lines-110-665-fresh-cloudberry-ulp.2927964/unread
Screenshots:
None
Threat Actors: idsfgofdu213
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Jelooos has shared an alleged combolist containing 2,500 Hotmail credentials described as full valid and unabused on the cracking forum CX. The post directs users to a Telegram channel to access the content. No pricing information is provided, suggesting the credentials are being distributed for free.
Date: 2026-04-20T21:15:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72719/
Screenshots:
None
Threat Actors: Jelooos
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of German domain credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing 756,116 credential pairs allegedly sourced from German-domain accounts. The combolist was shared freely via a Mega.nz file link on the cracking forum CrackingX. No specific organization or industry has been identified as the source of the leaked credentials.
Date: 2026-04-20T21:14:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72720/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Forged French Identity Documents, Passports, and MRZ Calculators
Category: Initial Access
Content: A threat actor operating under the alias boker on the forum Sellers Place is selling forged French identity documents including old and new CNI (national identity cards), French passports, and utility bills in both digital and editable PSD/PDF formats. The seller also offers homemade MRZ band calculators compatible with old CNI, new CNI, and French passports, available individually or as a bundle. Contact is facilitated via a Telegram channel, with escrow accepted as a payment safeguard.
Date: 2026-04-20T20:13:12Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-FAUSSAIRE-CNI-PASSEPORT-FACTURES
Screenshots:
None
Threat Actors: boker
Victim Country: France
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack by 313 Team (Islamic Cyber Resistance – Iraq)
Category: Cyber Attack
Content: The 313 Team, an Iraqi Islamic cyber resistance group affiliated with the Beamed Network, posted a photo with a caption implying they have forced a target to download more updates, suggesting a successful disruptive cyber attack or defacement. The exact victim is not identified in the message.
Date: 2026-04-20T20:01:52Z
Network: telegram
Published URL: https://t.me/c/2250158203/1055
Screenshots:
None
Threat Actors: 313 Team
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist of 347 alleged premium Hotmail credential hits, described as ultra-high quality (UHQ). The post includes separate downloads for inboxed targets and country-sorted credentials, suggesting the accounts have been verified as active and categorized by region.
Date: 2026-04-20T20:00:29Z
Network: openweb
Published URL: https://crackingx.com/threads/72718/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Multiple
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged Data Breach of Egyptian Gold Investment Platform Taiseer.co
Category: Data Breach
Content: A threat actor known as Sorb is selling a database allegedly stolen from taiseer.co, an Egyptian gold investment platform. The dataset reportedly contains 71,000 unique user records including full names, email addresses, phone numbers, national ID card numbers, bcrypt-hashed passwords, home addresses, employment details, gender, date of birth, and financial information such as balances and transaction history. Additionally, approximately 27,000 records include national ID card scans. The datab
Date: 2026-04-20T19:54:36Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-Egypt-taiseer-co-gold-investors
Screenshots:
None
Threat Actors: Sorb
Victim Country: Egypt
Victim Industry: Financial Services / Investment
Victim Organization: Taiseer
Victim Site: taiseer.co
Alleged data breach of Vercel with source code, database, auth tokens, and credentials for sale
Category: Data Breach
Content: A threat actor identified as ShinyHunters is allegedly selling Vercel data including source code, database access, authentication tokens, and email:password credentials for $250,000 USD for 3TB of data. The listing is posted on BreachForums.
Date: 2026-04-20T19:53:22Z
Network: telegram
Published URL: https://t.me/c/3500620464/7147
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Technology / Cloud Services
Victim Organization: Vercel
Victim Site: vercel.com
Alleged Data Breach of Vercel Exposing Employee Records via Malicious OAuth App
Category: Data Breach
Content: A threat actor claims to have breached Vercel, a major web deployment platform. According to the post, a senior Vercel engineer authenticated with a fake third-party AI tool through a malicious Google Workspace OAuth application, resulting in unauthorized access. The breach is reported to have occurred around April 12, 2026. The threat actor allegedly obtained records of all Vercel employees and shared sample data including information about CEO Guillermo Rauch. The actor characterized Vercel's security as poor, consistent with Vercel's own disclosure referenced in the post.
Date: 2026-04-20T19:50:21Z
Network: telegram
Published URL: https://t.me/IntCyberDigest/452
Screenshots:
None
Threat Actors: Unknown
Victim Country: United States
Victim Industry: Technology / Cloud Infrastructure
Victim Organization: Vercel
Victim Site: vercel.com
Alleged Data Leak of Sozcu.com.tr Full Database
Category: Data Leak
Content: A threat actor using the handle rape has made available what is claimed to be the full database of Sozcu.com.tr, a major Turkish news outlet, via a Google Drive link. The data is offered as a free download protected by a password shared in the post. No record count or specific data fields were disclosed in the post.
Date: 2026-04-20T19:50:07Z
Network: openweb
Published URL: https://breached.st/threads/2023-sozcu-com-tr-full-data.86146/unread
Screenshots:
None
Threat Actors: rape
Victim Country: Turkey
Victim Industry: Media & News
Victim Organization: Sozcu
Victim Site: sozcu.com.tr
Alleged leak of Spotify credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a Spotify combolist via Telegram channels. The actor is making credential lists available for free through two Telegram groups and is also accepting direct requests via Telegram handle CODER5544. The post is gated behind registration on the crackingx.com forum, suggesting the combolist may contain email and password combinations for Spotify accounts.
Date: 2026-04-20T19:21:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72717/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Entertainment & Media
Victim Organization: Spotify
Victim Site: spotify.com
Alleged leak of mixed European email credentials (France, Germany, Poland, Italy)
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist of approximately 11,800 email credentials on a cracking forum. The dataset is described as a mixed base of mail access credentials spanning users from France, Germany, Poland, and Italy. The content is being offered as a free download with no price indicated.
Date: 2026-04-20T19:02:48Z
Network: openweb
Published URL: https://crackingx.com/threads/72715/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist with 200 hits
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a combolist containing 200 alleged valid credential hits for Hotmail accounts. The post is gated behind registration, suggesting the content is available to forum members. The leaked data likely consists of email and password pairs verified against Hotmail services.
Date: 2026-04-20T19:02:31Z
Network: openweb
Published URL: https://crackingx.com/threads/72716/
Screenshots:
None
Threat Actors: lpbPrivate
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Sale of Fresh USA Fullz Database with PII and Identity Documents
Category: Data Breach
Content: A threat actor operating under the alias hexvior is selling a database of 71,367 US individual records described as fullz, containing SSN, full name, address, phone, email, driver's license details, and SSN photocopies. The price is available upon direct message. The actor maintains a Telegram presence with associated breach and OSINT channels.
Date: 2026-04-20T18:16:42Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-Fresh-USA-Fullz-for-sale
Screenshots:
None
Threat Actors: hexvior
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of the Chartered Institute of Bankers of Nigeria (CIBN) Database
Category: Data Leak
Content: A threat actor operating under the alias Rabid has leaked what is claimed to be the entire database of the Chartered Institute of Bankers of Nigeria (CIBN), totaling over 250GB of data. The leaked data allegedly includes members' personal information such as names, email addresses, membership details, source code, and identity documents including ID cards and certificates. The data has been made available for free download via external file-sharing links.
Date: 2026-04-20T18:14:56Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-THE-CHARTERED-INSTITUTE-OF-BANKERS-OF-NIGERIA-CIBN-DATABASE-LEAK
Screenshots:
None
Threat Actors: Rabid
Victim Country: Nigeria
Victim Industry: Financial Services / Banking Education
Victim Organization: Chartered Institute of Bankers of Nigeria (CIBN)
Victim Site: cibn.org
Alleged Sale of Initial Access to Multiple Compromised Domains via Webshells
Category: Initial Access
Content: A threat actor forwarded from World Of Shells is offering access to multiple compromised domains including avonavig80rz.com, ageconceptsinternationale.com, ageconceptshop.com, diabease.com, teenxindia.com, morsecodefilms.com, and loveberi.com. Each domain is listed with Domain Authority (DA) and Page Authority (PA) metrics, suggesting these are webshell or backdoor accesses being brokered. Interested buyers are directed to contact @Lei_BF via DM.
Date: 2026-04-20T18:05:28Z
Network: telegram
Published URL: https://t.me/worldofshells/31
Screenshots:
None
Threat Actors: World Of Shells
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: avonavig80rz.com, ageconceptsinternationale.com, ageconceptshop.com, diabease.com, teenxindia.com, morsecodefilms.com, loveberi.com
Alleged leak of 13 million mixed credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a mixed combolist containing approximately 13 million credential pairs on the cracking forum CrackingX. The combolist is being distributed freely via Telegram channels and direct contact. No specific victim organization or industry has been identified, suggesting the credentials are aggregated from multiple sources.
Date: 2026-04-20T17:57:48Z
Network: openweb
Published URL: https://crackingx.com/threads/72713/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email access combolist with 48,000 credentials
Category: Combo List
Content: A threat actor known as StrawHatBase shared a mixed email access combolist containing approximately 48,000 email and password combinations on DemonForums. The post is categorized under combolists and claims the credentials are valid mail access. No specific victim organization, country, or industry could be identified from the available post content.
Date: 2026-04-20T17:42:10Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-48K-GOOD-MAIL-ACCESS-MIX
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 27,000 valid email credentials
Category: Combo List
Content: A threat actor operating under the alias TeraCloud1 shared a combolist of approximately 27,000 allegedly valid email credentials on a cybercrime forum. The post was made in the combolists section of DemonForums, suggesting the credentials were made available for free download or distribution. No further details regarding the targeted organizations, geographic scope, or data origin were provided.
Date: 2026-04-20T17:39:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-27K-VALID-MAIL-ACCESS–201072
Screenshots:
None
Threat Actors: TeraCloud1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of AOL targeted combolist containing 126,000 credentials
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has made available a targeted combolist of 126,000 AOL credentials in email:password format on a cybercrime forum. The post includes a hidden download link and promotes additional combolist sales covering multiple email providers and geographic regions including Yahoo, Hotmail, Outlook, and others. The actor advertises further credential list purchases via Telegram handle @KOCsupport and an associated cracking community website.
Date: 2026-04-20T17:36:59Z
Network: openweb
Published URL: https://demonforums.net/Thread-126K-AOL-TARGETED-COMBOLIST–201074
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: United States
Victim Industry: Technology
Victim Organization: AOL
Victim Site: aol.com
Alleged sale of fresh mixed credential combolist including Hotmail accounts
Category: Combo List
Content: A threat actor operating under the alias MTx_Hu is selling a fresh mixed combolist containing approximately 82,000 credential pairs, including Hotmail accounts. The combolist is advertised as clean, verified, and updated daily, with subscription tiers ranging from $5 for a 3-day trial to $40 for 3 months, with payments accepted in cryptocurrency. The seller claims lines are sourced from a private cloud service called MTX CLOUD PRIVATE with no reposted or junk entries.
Date: 2026-04-20T17:35:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72712/
Screenshots:
None
Threat Actors: Haydayx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email service credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias alphacloud has made available a combolist containing 4,673 alleged valid email credentials, including Hotmail accounts, described as premium mix mail hits. The content is shared freely on the forum with a reply-to-view mechanism, and the actor promotes a Telegram channel (alphaaxd) for further distribution. No specific victim organization or targeted service beyond mixed email providers is identified.
Date: 2026-04-20T17:32:11Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-4673x-premium-mix-mail-hitshigh-voltagehigh-voltage.2927916/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of PMI Sidoarjo Government Database
Category: Data Leak
Content: A threat actor known as Xyph0rix has leaked a database allegedly belonging to PMI Sidoarjo, an Indonesian government-affiliated organization operating under the go.id domain. The leaked data includes fields such as names, email addresses, phone numbers, full names, and addresses. The database has been made available for free download via a shared link on the Breached forum.
Date: 2026-04-20T17:28:41Z
Network: openweb
Published URL: https://breached.st/threads/database-pmi-sidoarjo-go-id.86143/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: PMI Sidoarjo
Victim Site: pmi-sidoarjo.go.id
Alleged Data Leak of Banjar City Defense Office Database
Category: Data Leak
Content: A threat actor known as Xyph0rix claims to have obtained and leaked the database of the Banjar City Defense Office, a government entity located in West Java, Indonesia. The database was made available for free download via a link shared on the Breached forum. The targeted domain falls under Indonesia's official government (.go.id) domain space.
Date: 2026-04-20T17:28:10Z
Network: openweb
Published URL: https://breached.st/threads/database-banjar-city-defense-office-go-id.86144/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Banjar City Defense Office
Victim Site: go.id
Alleged data breach of Banjar City Defense Office (go.id)
Category: Data Breach
Content: A threat actor identified as Xyph0rix on BreachForums allegedly leaked or published a database belonging to the Banjar City Defense Office, an Indonesian government entity accessible via the go.id domain. The post includes a link to the BreachForums thread and the actor's profile page.
Date: 2026-04-20T17:25:28Z
Network: telegram
Published URL: https://t.me/Xyph0rix_CaypbaraXploit/174
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Banjar City Defense Office
Victim Site: go.id
Alleged leak of corporate email credentials combolist with 121,667 lines
Category: Combo List
Content: A threat actor on CrackingX shared a free combolist containing 121,667 lines of corporate email credentials (MailPass format) via a Mega.nz link. The post indicates the list has been validated against SMTP servers and contains confirmed working corporate email and password combinations. No specific victim organization or country has been identified.
Date: 2026-04-20T17:17:52Z
Network: openweb
Published URL: https://crackingx.com/threads/72707/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 11 million business email credentials in combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged combolist containing 11 million business email and password combinations via Telegram channels. The post directs users to free Telegram groups (t.me/Combo445544 and t.me/Coder554455) to obtain the credential list. The specific organizations or industries affected are not identified in the post.
Date: 2026-04-20T17:17:36Z
Network: openweb
Published URL: https://crackingx.com/threads/72708/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email access credentials (6,531 records)
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has shared a mixed combolist containing 6,531 email access credentials on the cracking forum CrackingX. The post is gated behind registration, limiting visibility into specific details such as targeted providers or data origin. The combolist appears to contain credentials for various email services, as indicated by the mixed mail access designation.
Date: 2026-04-20T17:17:18Z
Network: openweb
Published URL: https://crackingx.com/threads/72710/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of French physics textbook with exercises and solutions
Category: Data Leak
Content: A user on a hacking forum shared a free download of a French-language physics book titled Physique MP MPI PC Annales Corrigees X-ENS-ESPCI in PDF and EPUB formats. The content includes exercises and solutions targeted at French-speaking physics students. A SHA256 hash was provided for the distributed ZIP archive.
Date: 2026-04-20T17:11:02Z
Network: openweb
Published URL: https://breached.st/threads/pdf-epub-physique_mp_mpi_pc_annales_corrigees_x-ens-espci_frenchedition.86142/unread
Screenshots:
None
Threat Actors: Barrendero0
Victim Country: Unknown
Victim Industry: Publishing / Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 1,472 alleged valid Hotmail credentials on the cracking forum CX. The post describes the credentials as premium hits from a private cloud mix, suggesting they have been verified as active. The actor also promotes a Telegram contact handle alphaaxd for further communication.
Date: 2026-04-20T16:58:48Z
Network: openweb
Published URL: https://crackingx.com/threads/72706/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Angiecrax has shared an alleged combolist of 2,162 validated Hotmail credentials on the AE (AlteNens) cybercrime forum. The post requires users to reply before accessing the hidden download link, a common gating mechanism on such forums. The credentials are described as HQ (high quality) valids, suggesting they have been verified as active.
Date: 2026-04-20T16:55:29Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-2162x-hq-hotmail-valids-high-voltagehigh-voltage.2927907/unread
Screenshots:
None
Threat Actors: Angiecrax
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Japanese credential combolist
Category: Data Leak
Content: A threat actor known as Angiecrax shared a combolist allegedly containing valid credentials associated with Japanese users on the AE forum. The combolist was made available via Pasteview, a text-sharing platform. No specific victim organization or record count was identified in the post.
Date: 2026-04-20T16:55:01Z
Network: openweb
Published URL: https://altenens.is/threads/japan-valid-combolist.2927908/unread
Screenshots:
None
Threat Actors: Angiecrax
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach Exposing 200,000 Dubai Property Owner Records
Category: Data Breach
Content: A threat actor known as RubiconH4ck is allegedly selling a database of 200,000 property owner records from Dubai, updated as of January 2024. The database covers multiple high-profile areas including Business Bay, DIFC, and Downtown Dubai, and contains sensitive personal and property details such as full names, mobile numbers, email addresses, PO box addresses, and property transaction data. The records include owners from multiple nationalities including UAE, Russia, Lebanon, Iran, and the Unit
Date: 2026-04-20T16:51:15Z
Network: openweb
Published URL: https://breached.st/threads/200-000-records-of-properties-owner-in-dubai.86140/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: United Arab Emirates
Victim Industry: Real Estate
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email access combolist with 56,000 credentials
Category: Combo List
Content: A threat actor known as MarkVesto has shared a mixed mail access combolist containing approximately 56,000 email credentials on the crackingx.com forum. The combolist appears to aggregate credentials from multiple sources across various providers. The actor also promotes a Telegram channel, likely used to distribute additional stolen data.
Date: 2026-04-20T16:40:40Z
Network: openweb
Published URL: https://crackingx.com/threads/72703/
Screenshots:
None
Threat Actors: MarkVesto
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Non-OTP Credit Cards, Financial Logs, and Identity Documents
Category: Combo List
Content: A threat actor operating under the alias JAYYME10 is advertising non-OTP credit cards with high balances, fullz, bank logs, Apple Pay BINs, PayPal logs, driver's licenses, passports, and account opening services via Telegram. The actor claims to offer free replacements for non-functional cards and positions the offerings as suitable for online payment fraud. No specific victim organization or country has been identified.
Date: 2026-04-20T16:40:23Z
Network: openweb
Published URL: https://crackingx.com/threads/72704/
Screenshots:
None
Threat Actors: JAYYMME10
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of FBI and CIA employee directory database
Category: Data Leak
Content: A threat actor known as RubiconH4ck claims to have leaked approximately 2TB of sensitive data allegedly sourced from FBI and CIA internal directories covering the 2024-2025 period. The sample data includes full names, job titles, direct phone numbers, and official government email addresses (@ic.fbi.gov) of FBI personnel including Special Agents, Task Force Officers, Contractors, and other staff. No price was mentioned, suggesting the data is being freely distributed.
Date: 2026-04-20T16:33:37Z
Network: openweb
Published URL: https://breached.st/threads/fbi-and-cia-database.86138/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: United States
Victim Industry: Government / Law Enforcement
Victim Organization: Federal Bureau of Investigation (FBI) / Central Intelligence Agency (CIA)
Victim Site: ic.fbi.gov
Alleged Data Leak of Bureau of Public Enterprises Nigeria Configuration Files
Category: Data Leak
Content: A threat actor operating under the alias NullsecNg has made available scraped data allegedly obtained from Nigeria's Bureau of Public Enterprises. The leaked files include a web configuration backup (webconfig.bak) and admin configuration files, which may expose sensitive infrastructure details. The data has been shared via a public download link on LimeWire.
Date: 2026-04-20T16:28:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Bureau-of-public-of-Enterprises-scraped-data-Nigeria
Screenshots:
None
Threat Actors: NullsecNg
Victim Country: Nigeria
Victim Industry: Government
Victim Organization: Bureau of Public Enterprises
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist with inbox verification
Category: Combo List
Content: A threat actor has made available a combolist of 497 claimed premium Hotmail credentials described as UHQ hits, meaning high-quality verified accounts. The leak includes inbox-verified targets and credentials sorted by country, suggesting active email accounts with confirmed inbox access.
Date: 2026-04-20T16:19:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72701/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of Education sector credential combolist
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist targeting the education sector via Telegram channels. The credentials are being made available for free through two Telegram groups and a cracking forum. The actor directs interested parties to their Telegram handle CODER5544 for access to the combolist.
Date: 2026-04-20T16:19:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72702/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of VPN and Firewall Admin Access to Indian-American Technology Consulting Firm
Category: Initial Access
Content: A threat actor identified as GhostByte is selling super admin-level VPN and firewall access to an Indian-founded technology consulting company with operations in the United States. The victim organization reportedly has a revenue under $5 million and an internal network consisting of Active Directory and more than five Windows servers. The access is being offered for $300, with escrow accepted.
Date: 2026-04-20T16:11:44Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-FULL-VPN-FIREWALL-ADMIN-ACCESS-INDIAN-AMERICAN-COMPANY
Screenshots:
None
Threat Actors: GhostByte
Victim Country: United States
Victim Industry: Technology Consulting
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist with forum-validated accounts
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The list is claimed to contain valid accounts, specifically verified against forums. The content requires registration or login to access, limiting full verification of the claims.
Date: 2026-04-20T16:01:58Z
Network: openweb
Published URL: https://crackingx.com/threads/72699/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of mixed email and password combolist (13 million records)
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a mixed combolist containing approximately 13 million email and password credential pairs. The content is shared freely via Telegram channels and groups associated with the actor. No specific victim organization or country has been identified, as the combolist appears to aggregate credentials from multiple sources.
Date: 2026-04-20T16:01:37Z
Network: openweb
Published URL: https://crackingx.com/threads/72700/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 47,000 mixed email account credentials
Category: Data Leak
Content: A threat actor known as Megacloud has made available a combolist containing approximately 47,000 allegedly fresh and valid email account credentials with full mail access on the AE forum. The file, approximately 1.55 MB in size, was shared via MEGA file hosting and is described as a mixed collection of email accounts dated April 20. No specific targeted organization or country has been identified, suggesting the credentials span multiple providers.
Date: 2026-04-20T15:58:14Z
Network: openweb
Published URL: https://altenens.is/threads/47k-fresh-valid-full-mail-access-mix-20-04.2927900/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of webshells across 68 domains
Category: Initial Access
Content: A threat actor is offering 68 random webshells across various domains for sale, forwarded via the Nullsec Philippines channel. Contact handle @Lei_BF is provided for purchase inquiries.
Date: 2026-04-20T15:55:26Z
Network: telegram
Published URL: https://t.me/worldofshells/30
Screenshots:
None
Threat Actors: Lei_BF
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Cyber and Physical Attacks on Iranian Banks Melli and Sepah During Recent Conflict
Category: Cyber Attack
Content: The Deputy of Payment Systems and New Technologies at Iran's Central Bank announced that Bank Melli (National Bank) and Bank Sepah were targeted by both cyberattacks and physical attacks during the recent war. Despite the attacks, the country's payment infrastructure maintained resilience and banking services continued without interruption. The official also noted rapid response to resolve issues and emphasized the need to establish defensive committees within the banking network and strengthen security measures to prevent future disruptions.
Date: 2026-04-20T15:55:12Z
Network: telegram
Published URL: https://t.me/c/1283513914/21300
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Iran
Victim Industry: Banking & Finance
Victim Organization: Bank Melli Iran, Bank Sepah
Victim Site: Unknown
Alleged sale of large-scale URL-login-password credential database
Category: Combo List
Content: A threat actor on CrackingX is offering access to a claimed 1,300GB URL-login-password (ULP) combolist dataset, advertised as a private and frequently updated collection. The offering includes an online search interface to query credentials without downloading files, with options to filter by country. The post claims the dataset contains historical and fresh credential records with automated updates.
Date: 2026-04-20T15:45:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72695/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias KiwiShio has made available a combolist of 1,565 alleged Hotmail credentials on the cracking forum CrackingX. The post offers a free download of what is claimed to be fresh, high-quality email and password combinations. The origin and validity of the credentials have not been verified.
Date: 2026-04-20T15:45:02Z
Network: openweb
Published URL: https://crackingx.com/threads/72696/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail and mixed credentials combolist
Category: Combo List
Content: A threat actor operating under the alias noir on the cracking forum CrackingX has made available a combolist described as X1942 Valid UHQ Mix, containing alleged valid Hotmail credentials and a mixed private cloud credential list. The content is offered as a free download via a forum post. The actor also promotes a Telegram channel (@noiraccesss) likely used for distribution and communication.
Date: 2026-04-20T15:44:46Z
Network: openweb
Published URL: https://crackingx.com/threads/72697/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Data Breach of SGK Türkiye Retirement Database Affecting 20 Million Records
Category: Data Breach
Content: A threat actor identified as SCTH is allegedly selling a database purportedly belonging to SGK Türkiye (Turkish Social Security Institution) containing over 20 million records. The database appears to target retirees (emekli) and includes fields such as national ID number (TC Kimlik No), full name, gender, relationship, date of birth, and coverage type. The actor is offering the dataset for $200 and provides 2 million sample records for download, with contact via Telegram.
Date: 2026-04-20T15:38:40Z
Network: openweb
Published URL: https://breached.st/threads/20-million-sgk-turkiye-database.86137/unread
Screenshots:
None
Threat Actors: SCTH
Victim Country: Turkey
Victim Industry: Government / Social Security
Victim Organization: SGK Türkiye (Sosyal Güvenlik Kurumu)
Victim Site: sgk.gov.tr
Alleged Data Leak of Salesforce Data by ShinyHunters
Category: Data Breach
Content: Threat actor claiming to be ShinyHunters posted what appears to be partial Salesforce data with download links provided. The actor also posted official contact verification information including Telegram handles (@shinycorph, @shinyc0rpsss), XMPP address, and a Session ID, warning users of impersonators and requesting PGP verification for authenticity.
Date: 2026-04-20T15:34:25Z
Network: telegram
Published URL: https://t.me/c/3500620464/7139
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / SaaS
Victim Organization: Salesforce
Victim Site: salesforce.com
Alleged Data Leak of Bureau of Public Enterprises Nigeria Source Code and Configuration Files
Category: Data Leak
Content: A threat actor operating under the alias ki4t has leaked data allegedly belonging to the Bureau of Public Enterprises in Nigeria. The leaked content reportedly includes web configuration backup files (Webconfig.bak), user source code, and other unspecified files. The data has been made available for free download via a link hosted on Limewire.
Date: 2026-04-20T15:20:55Z
Network: openweb
Published URL: https://breached.st/threads/bureau-of-public-of-enterprises-src-nigeria.86136/unread
Screenshots:
None
Threat Actors: ki4t
Victim Country: Nigeria
Victim Industry: Government
Victim Organization: Bureau of Public Enterprises
Victim Site: Unknown
Alleged leak of mixed credential combolist by threat actor Steveee36
Category: Combo List
Content: A threat actor operating under the alias Steveee36 has made available a mixed combolist containing approximately 1,405 credential entries on the cracking forum CrackingX. The post is categorized under Combolists & Dumps and offers the file as a free download. No specific victim organization, industry, or country has been identified, suggesting the credentials are aggregated from multiple sources.
Date: 2026-04-20T15:09:16Z
Network: openweb
Published URL: https://crackingx.com/threads/72692/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Large Multi-Source Database Collection (388.29 GB)
Category: Data Leak
Content: A threat actor known as S0uxsd has made available a large collection of databases totaling 388.29 GB via a BitTorrent magnet link on the Breached forum. The collection, labeled leaks, is distributed freely through multiple public torrent trackers. No specific victim organizations, industries, or countries have been identified from the available post content.
Date: 2026-04-20T15:03:28Z
Network: openweb
Published URL: https://breached.st/threads/database-collection-388-29-gb.86135/unread
Screenshots:
None
Threat Actors: S0uxsd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a combolist claimed to contain 8,135 valid Hotmail credentials. The post offers access to the credential list to registered forum users at no apparent cost. The credentials are described as fresh and valid, suggesting recent harvesting or verification.
Date: 2026-04-20T14:53:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72685/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email credential combolist by threat actor NightFall
Category: Combo List
Content: A threat actor operating under the alias NightFall has shared a mixed-mail combolist containing approximately 5.5 million credential pairs via a paste site. The combolist is described as fresh and UHQ (ultra-high quality), suggesting recently harvested or validated credentials. The content is being made available for free on the cracking forum CrackingX.
Date: 2026-04-20T14:53:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72686/
Screenshots:
None
Threat Actors: NightFall
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist with 76,079 lines
Category: Combo List
Content: A threat actor known as Browzchel has shared a mixed combolist containing 76,079 lines of credentials on the cracking forum CrackingX. The content is described as fresh and is being made available to registered forum users. The actor also promotes a Telegram channel (@BossBrowz) likely used for further distribution of similar content.
Date: 2026-04-20T14:53:08Z
Network: openweb
Published URL: https://crackingx.com/threads/72687/
Screenshots:
None
Threat Actors: Browzchel
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of corporate email credentials combolist
Category: Combo List
Content: A threat actor operating under the handle HQcomboSpace has made available a combolist containing approximately 173,811 corporate email and password combinations via a Mega.nz file sharing link. The combolist is described as targeting corporate mail accounts, suggesting potential risk to enterprise environments. No specific organizations, industries, or countries have been identified as victims.
Date: 2026-04-20T14:52:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72688/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 46,000 German email credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias Megacloud has made available a combolist containing approximately 46,000 allegedly valid email credentials targeting German users, dated April 20. The post is hosted on the AE (Altenens) forum and requires a reply to access the hidden download link. The data appears to consist of email address and password combinations purported to be fresh and valid.
Date: 2026-04-20T14:49:53Z
Network: openweb
Published URL: https://altenens.is/threads/46k-germany-fresh-valid-mail-access-20-04.2927883/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor known as Lexser has shared a mixed-mail combolist containing approximately 1,500 fresh credential pairs on the cracking forum CrackingX. The combolist, labeled as UHQ (ultra-high quality), was made available via a paste-sharing link. The credentials span multiple email providers with no specific targeted organization identified.
Date: 2026-04-20T14:35:59Z
Network: openweb
Published URL: https://crackingx.com/threads/72682/
Screenshots:
None
Threat Actors: Lexser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the handle HollowKnight07 has made available a sample combolist of 790 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release likely intended to demonstrate the quality of a larger credential set. The data appears to consist of email and password combinations associated with Hotmail accounts.
Date: 2026-04-20T14:35:44Z
Network: openweb
Published URL: https://crackingx.com/threads/72683/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Japanese email access credentials
Category: Combo List
Content: A threat actor on CrackingX has made available a list of approximately 6,400 purportedly valid Japanese email account credentials. The post, dated April 20, describes the content as full valid mail access entries. The credential list appears to be restricted to registered forum users.
Date: 2026-04-20T14:35:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72684/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Compromised PayPal Accounts with Balances
Category: Data Breach
Content: A threat actor operating under the alias m13gang (contact: ColdApollo on Telegram) is selling verified PayPal accounts with associated balances ranging from $2,000 to $10,000, priced between $150 and $600. Each account listing includes email address, PayPal password, and SOCKS proxy IP for anonymized access. The actor claims to be a verified seller on the Breached forum and advertises the accounts as suitable for fraudulent purchases.
Date: 2026-04-20T14:28:53Z
Network: openweb
Published URL: https://breached.st/threads/paypal-instant-transfer-verified-paypal-accounts-with-funds.86132/unread
Screenshots:
None
Threat Actors: m13gang
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: PayPal
Victim Site: paypal.com
Alleged Sale of Payment Card Dumps with PINs Targeting Multiple Countries
Category: Data Breach
Content: A threat actor operating under the alias m13gang is selling payment card dumps including Track 1 and Track 2 data with PINs sourced from the US, UK, Canada, Australia, and EU. Prices range from $60 to $80 per card depending on the country of origin. The seller claims the dumps are firsthand and fresh, and can be contacted via Telegram handle @ColdApollo.
Date: 2026-04-20T14:28:12Z
Network: openweb
Published URL: https://breached.st/threads/track-201-track-101-dumps-with-pins-first-hand-fresh-valid-201-101-legit.86134/unread
Screenshots:
None
Threat Actors: m13gang
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of large-scale database collection including credentials and documents
Category: Data Leak
Content: A threat actor operating under the alias S0uxsd has made available a 591.89 GB collection of alleged data leaks via a BitTorrent magnet link on the Breached forum. The collection reportedly includes credential lists, logs, premium account data, passwords, and documents sourced from multiple breaches. No specific victim organization or country has been identified, suggesting this is an aggregated multi-source data dump.
Date: 2026-04-20T14:11:59Z
Network: openweb
Published URL: https://breached.st/threads/database-colletion-link-591-89-gb.86130/unread
Screenshots:
None
Threat Actors: S0uxsd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of credential combolist (ULP) shared via Telegram
Category: Combo List
Content: A threat actor operating under the alias zod has shared a combolist labeled VIP ULP 1 on the cracking forum CrackingX. The content is gated behind registration or sign-in, with the password distributed via a Telegram channel (t.me/zoooddddd). ULP (URL:Login:Password) combolists typically contain credential pairs harvested from stealer logs or previous breaches, though no specific victim organization or record count has been identified.
Date: 2026-04-20T13:43:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72676/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hong Kong credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Immanuel_Kant has made available a combolist purportedly containing approximately 121,000 credential records associated with Hong Kong users. The data was shared for free on the cracking forum CrackingX, with access restricted to registered members. No specific victim organization or targeted platform has been identified.
Date: 2026-04-20T13:43:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72677/
Screenshots:
None
Threat Actors: Immanuel_Kant
Victim Country: Hong Kong
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of WordPress credentials/combolist
Category: Combo List
Content: A threat actor operating under the alias zod has shared what is claimed to be a WordPress-related combolist or credential dump on the CrackingX forum. Access to the content requires registration or sign-in, with a password distributed via a Telegram channel (t.me/zoooddddd). No further details regarding the scope, origin, or record count of the data are available from the post.
Date: 2026-04-20T13:43:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72678/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of 15 million social media combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist allegedly containing 15 million social media credentials via Telegram channels. The post directs users to contact the actor via Telegram handle CODER5544 or join free combo and tools distribution groups. No specific victim organization or platform is confirmed, and no price is mentioned, suggesting the content is being freely shared.
Date: 2026-04-20T13:42:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72679/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of New Zealand credentials or combolist data
Category: Combo List
Content: A threat actor known as Immanuel_Kant has shared a combolist or credential list allegedly containing approximately 73,000 records associated with New Zealand users on the cracking forum CrackingX. The content is made available as a free download for registered forum users. No specific victim organization or targeted service has been identified.
Date: 2026-04-20T13:42:15Z
Network: openweb
Published URL: https://crackingx.com/threads/72681/
Screenshots:
None
Threat Actors: Immanuel_Kant
Victim Country: New Zealand
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Initial Access Sales and Recruitment of Penetration Testers by Threat Actor epsten
Category: Initial Access
Content: A threat actor operating under the alias epsten on the Tier1 forum is recruiting experienced offensive security operators, offering access to compromised assets including web RDP sessions, bots, SonicWall and FortiGate devices, and VPN credentials. The actor claims to provide closed exploits and EDR killer tools to vetted partners, with compensation offered as either a fixed payment or a percentage of the full attack lifecycle. Contact is solicited via Tox, with a Tox ID provided in the post.
Date: 2026-04-20T13:40:40Z
Network: openweb
Published URL: https://tier1.life/thread/163
Screenshots:
None
Threat Actors: epsten
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 52,000 email access credentials (combolist)
Category: Data Leak
Content: A threat actor operating under the alias NmChk has made available a combolist containing approximately 52,000 alleged fresh and valid email access credentials on the AE forum. The list was shared via Pasteview, a text-sharing platform. No specific victim organization or country has been identified, suggesting the credentials may span multiple services or providers.
Date: 2026-04-20T13:38:48Z
Network: openweb
Published URL: https://altenens.is/threads/52k-fresh-mail-access-valids.2927864/unread
Screenshots:
None
Threat Actors: NmChk
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Cyber Attack on Turkish Pumping Station Control System
Category: Cyber Attack
Content: A threat actor operating under the Armenian code channel claims to have hacked a pumping station's control system and disconnected the pump. The post includes a photo as alleged proof and frames the attack as a demonstration of Turkish digital security weaknesses, suggesting a politically/ethnically motivated cyber attack against Turkish critical infrastructure (ICS/OT/SCADA).
Date: 2026-04-20T13:30:34Z
Network: telegram
Published URL: https://t.me/c/3628793212/146
Screenshots:
None
Threat Actors: Armenian code
Victim Country: Turkey
Victim Industry: Water & Utilities
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of multi-platform combolists, cookies, and logs by tuzelity
Category: Logs
Content: A threat actor operating under the handle tuzelity is advertising the sale of combolists, cookies, and stealer logs for numerous platforms including Hotmail, Gmail, Yahoo, AOL, Comcast, Windstream, Spectrum, ATT, Facebook, Instagram, LinkedIn, Netflix, PayPal, Amazon, eBay, Steam, iCloud, TikTok, Airbnb, Booking, Verizon, and many others. The contact handle referenced is @QQHB99.
Date: 2026-04-20T13:27:59Z
Network: telegram
Published URL: https://t.me/c/2613583520/66308
Screenshots:
None
Threat Actors: tuzelity
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of mixed combolist containing 14 million credentials
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a mixed combolist containing approximately 14 million credential pairs via Telegram. The combolist is being made available for free through Telegram channels and direct contact. No specific victim organization or industry has been identified, suggesting the credentials are aggregated from multiple sources.
Date: 2026-04-20T13:26:15Z
Network: openweb
Published URL: https://crackingx.com/threads/72674/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Liaoning Province seal manufacturer B2B company records
Category: Data Leak
Content: A threat actor known as xorcat has made available a structured JSON database containing B2B company records of licensed stamp and seal manufacturers across Liaoning Province, China. The leaked data includes company names, business registration codes, physical addresses, contact phone numbers, registration dates, region codes, and partially masked responsible person names. The dataset covers multiple cities including Shenyang, Dalian, Anshan, and Fushun, and is being distributed via a Telegram
Date: 2026-04-20T13:16:26Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-LIAONING-PROVINCE-SEAL-MANUFACTURERS-B2B-COMPANY-RECORDS-CONTACTS
Screenshots:
None
Threat Actors: xorcat
Victim Country: China
Victim Industry: Manufacturing
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as wingoooW has made available a combolist of alleged Hotmail email and password credentials via a paste sharing site. The post claims the credentials are valid and high quality. No record count or additional context was provided.
Date: 2026-04-20T13:08:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-VALID-HQ-HOTMAIL
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as HollowKnight07 has made available a sample combolist of 690 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link described as a sample, suggesting it may be a preview of a larger credential set. The data likely consists of email and password combinations for Hotmail accounts.
Date: 2026-04-20T13:08:08Z
Network: openweb
Published URL: https://crackingx.com/threads/72673/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist targeting multiple regions
Category: Data Leak
Content: A threat actor known as Larry_Uchiha has shared a combolist containing approximately 760 Hotmail credential pairs on the AE forum. The list reportedly includes accounts from users across the United States, Europe, Asia, and Russia. The credentials are being made available for free to forum members who reply to the thread, with a Telegram channel referenced for further distribution.
Date: 2026-04-20T13:05:15Z
Network: openweb
Published URL: https://altenens.is/threads/760x-hotmail-access-combo-usa-europe-asia-russian.2927851/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Multiple
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of mixed email provider credential combolist
Category: Data Leak
Content: A threat actor known as Larry_Uchiha has shared a mixed email combolist on the AE forum, containing credentials for multiple email providers including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The combolist appears to be freely distributed to forum members who reply to the thread. The actual record count and origin of the credentials are unknown.
Date: 2026-04-20T13:04:42Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-4-16.2927855/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed platform credentials combolist including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook
Category: Data Leak
Content: A threat actor known as Larry_Uchiha has shared a mixed-platform combolist on the AlteNens forum, containing credential pairs for multiple services including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook. The post requires forum engagement to access the hidden download link, which is distributed via Telegram. The combolist appears to be a free leak targeting users across several major consumer platforms.
Date: 2026-04-20T13:04:09Z
Network: openweb
Published URL: https://altenens.is/threads/mix-account-combo-netflix-onlyfans-chatgpt-xbox-sony-discord-facebook-2026-4-16.2927853/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Netflix, OnlyFans, OpenAI, Xbox, Sony, Discord, Facebook
Victim Site: Unknown
Alleged Sale of Stolen Credit Cards, Bank Logs, and Financial Account Credentials
Category: Initial Access
Content: A threat actor operating under the alias TerrellWhitte is allegedly selling stolen credit cards (high and low balance), bank logs, checks, gift cards, and compromised financial account credentials including Cash App, PayPal, and Apple Pay accounts. The actor advertises carding services, open-ups, and recook services, and can be reached via Telegram, Discord, Gmail, and WhatsApp. No specific victim organization or record count has been identified.
Date: 2026-04-20T13:02:27Z
Network: openweb
Published URL: https://xforums.st/threads/tele-terrellwhitte-discord-activealphagod24hrs-gmail-sosaboy959-gmail-com-whatsapp-1-425-531-1773.609042/
Screenshots:
None
Threat Actors: boiarov68
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias StrawHatBase has shared a combolist containing approximately 38,000 mixed email credentials (email:password pairs) on the cybercrime forum Demonforums. The content is hidden behind a registration or login requirement, suggesting it is available to forum members. No specific victim organization or geographic target has been identified.
Date: 2026-04-20T12:49:48Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-38K-GOOD-MIX-MAIL-ACCESS
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias NotSellerxd has shared a mixed email combolist containing approximately 4,115 entries on the cracking forum CrackingX. The combolist appears to aggregate credentials from multiple sources. The data has been made available as a free download with no payment required.
Date: 2026-04-20T12:49:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72672/
Screenshots:
None
Threat Actors: NotSellerxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Universitas Islam Kadiri (UNISKA) Student and Staff Database
Category: Data Breach
Content: A threat actor operating under the alias MaxiZERO is selling a database allegedly stolen from Universitas Islam Kadiri (UNISKA), an Indonesian Islamic university. The data includes multiple datasets covering students, lecturers, KKN registrants, PMB applicants, and employees, containing personally identifiable information such as full names, national ID numbers, dates of birth, addresses, phone numbers, religion, gender, and academic details. The database is being offered for sale at $20.
Date: 2026-04-20T12:42:35Z
Network: openweb
Published URL: https://breached.st/threads/indonesia-uniska-universitas-islam-kadiri-database.86129/unread
Screenshots:
None
Threat Actors: MaxiZERO
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Islam Kadiri (UNISKA)
Victim Site: uniska-kediri.ac.id
Alleged data breach of Match Group by ShinyHunters via Vishing Attack
Category: Data Breach
Content: The threat actor group ShinyHunters allegedly breached Match Group (owner of major dating apps including OkCupid and Hinge) in January 2026 using a vishing (voice phishing) attack. Hackers tricked an employee into surrendering Okta SSO credentials, gaining access to internal dashboards and the AppsFlyer marketing platform. Stolen data includes approximately 85,000 user email addresses, approximately 2 million mobile advertising IDs (MAIDs), internal documents, OkCupid logs, and Hinge subscription transaction data. Passwords, financial data, and personal chat history were reportedly not compromised. Primary risk identified is phishing campaigns targeting the leaked email addresses.
Date: 2026-04-20T12:41:29Z
Network: telegram
Published URL: https://t.me/c/1861685334/265
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / Dating Applications
Victim Organization: Match Group
Victim Site: match.com
Alleged release of Chinese National ID (Shenfenzheng) parser tool for identity metadata extraction
Category: Data Leak
Content: A threat actor operating under the alias xorcat has made available a Chinese National Identity Card (Shenfenzheng) parsing tool on a dark web forum. The tool algorithmically decodes 18-digit Chinese resident ID numbers based on the GB11643-1999 standard, extracting personally identifiable information including date of birth, gender, age, and administrative region/location codes. The tool is distributed for free via a Telegram channel and is positioned as an OSINT utility for processing Chinese
Date: 2026-04-20T12:39:09Z
Network: openweb
Published URL: https://darkforums.su/Thread-Source-Code-CHINESE-NATIONAL-ID-PARSER-SHENFENZHENG-DECODER-EXTRACT-DOB-GENDER-LOCATION
Screenshots:
None
Threat Actors: xorcat
Victim Country: China
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged SMS Flooding Tool Targeting Chinese Mobile Platform app2.100520.com
Category: DDoS
Content: A threat actor has shared source code for an SMS flooding tool targeting a Chinese mobile platform at app2.100520.com. The tool exploits a lack of rate limiting on the SMS verification endpoint, enabling approximately 200 SMS messages per minute via GET request flooding with spoofed Android headers. The exploit can be used for phone number harassment and causes financial damage to the platform through SMS gateway fees.
Date: 2026-04-20T12:38:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-Source-Code-SMS-BOMBER-CHINESE-APP-API-FLOOD-NO-RATE-LIMIT-MASS-SMS-SPAM-APR-2026
Screenshots:
None
Threat Actors: xorcat
Victim Country: China
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: app2.100520.com
Alleged leak of 13,000 valid email credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias TeraCloud1 has made available a combolist containing approximately 13,000 allegedly valid email credentials on a cybercrime forum. The post is gated behind registration or login, obscuring further details about the targeted services or origin of the credentials. No specific victim organization, country, or pricing information was disclosed.
Date: 2026-04-20T12:30:27Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-13K-VALID-MAIL-ACCESS–201045
Screenshots:
None
Threat Actors: TeraCloud1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 2,700 Chinese email access credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing approximately 2,700 allegedly valid email access credentials associated with Chinese accounts, dated April 20. The post is restricted to registered forum users, limiting full visibility into the contents. No specific email provider or organization has been identified as the source.
Date: 2026-04-20T12:29:54Z
Network: openweb
Published URL: https://crackingx.com/threads/72670/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed corporate credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing 58,451 credential pairs via a Mega.nz file-sharing link on the crackingx.com forum. The combolist is described as targeting mixed corporate sources and is labeled for 2026. No specific victim organizations, industries, or countries have been identified.
Date: 2026-04-20T12:29:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72671/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of brute-force and checker tools targeting VPN, SSH, VNC, and RDP services
Category: Initial Access
Content: A threat actor operating under the alias ZeroDay on the Tier1 forum is selling offensive security tools including credential checkers and brute-force utilities targeting VPN platforms (Fortinet, Cisco, SonicWall, WatchGuard, GlobalProtect), SSH, VNC, and RDP services. The tools are described as fast and multi-threaded, with optional CVE exploit integration either embedded within checkers or as standalone software. Interested buyers are directed to contact the seller via private message.
Date: 2026-04-20T12:28:23Z
Network: openweb
Published URL: https://tier1.life/thread/39
Screenshots:
None
Threat Actors: ZeroDay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Indonesian Central Java Police (Polda Jateng) Personnel Database
Category: Data Leak
Content: A threat actor operating under the alias MaxiZERO has leaked a structured personnel database belonging to the Indonesian Central Java Regional Police (Polda Jawa Tengah). The exposed data includes officer personal and professional details such as personnel IDs, NRP (registry numbers), names, ranks, positions, unit assignments, phone numbers, email addresses, dates of birth, religion, bcrypt-hashed passwords, and operational task assignments. The data appears to originate from an internal polic
Date: 2026-04-20T12:22:48Z
Network: openweb
Published URL: https://breached.st/threads/indonesia-police-jateng-dataset-nrp-email-handphone.86128/unread
Screenshots:
None
Threat Actors: MaxiZERO
Victim Country: Indonesia
Victim Industry: Government / Law Enforcement
Victim Organization: Polda Jawa Tengah (Central Java Regional Police)
Victim Site: Unknown
Alleged KYC bypass exploit and identity enumeration tool targeting WeChat Identity Verification API
Category: Data Leak
Content: A threat actor operating as xorcat has made available an exploit tool targeting a WeChat identity verification API hosted at fws.xuanyanmeng.com. The tool leverages a hardcoded API token requiring no authentication to query and match real names against WeChat account IDs, enabling mass KYC bypass and identity enumeration without rate limiting. The exploit targets the /api/wechat/updataInfo and /api/wechat/xcx_register endpoints and is being distributed via Telegram.
Date: 2026-04-20T12:20:24Z
Network: openweb
Published URL: https://darkforums.su/Thread-Source-Code-WECHAT-IDENTITY-API-PWNED-HARDCODED-TOKEN-MASS-KYC-BYPASS-ENUM-ANY-USER-2026
Screenshots:
None
Threat Actors: xorcat
Victim Country: China
Victim Industry: Technology
Victim Organization: WeChat / Xuanyanmeng Identity Verification Service
Victim Site: fws.xuanyanmeng.com
Alleged Leak of Chinese Corporate Registry Enumeration Tool Exposing CEO-to-Company Mappings
Category: Data Leak
Content: A threat actor operating under the alias xorcat has shared a Chinese corporate registry enumeration script that exploits an unauthenticated public API endpoint to map company names to real individual identities, including legal representative names and business credit codes. The tool targets sdnj.lcwl4.com and requires no authentication or rate limiting to operate. The script has been made available via a Telegram channel and is described as useful for business intelligence gathering, social e
Date: 2026-04-20T12:19:55Z
Network: openweb
Published URL: https://darkforums.su/Thread-Source-Code-CHINESE-CORP-REGISTRY-DUMPER-LINK-CEOs-TO-COMPANIES-NO-AUTH-REQUIRED
Screenshots:
None
Threat Actors: xorcat
Victim Country: China
Victim Industry: Government / Corporate Registry
Victim Organization: China Mainland Corporate Registry
Victim Site: sdnj.lcwl4.com
Alleged leak of 2,500 valid US email credentials
Category: Data Leak
Content: A threat actor known as Megacloud has made available a combolist containing approximately 2,500 validated US email credentials on the forum AE (altenens.is). The post is dated April 20th and claims all entries represent active, valid email account accesses. Access to the content requires forum engagement, suggesting it is being freely distributed rather than sold.
Date: 2026-04-20T12:09:01Z
Network: openweb
Published URL: https://altenens.is/threads/2-5k-usa-just-valid-mail-access-20-04.2927839/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of RedLine Stealer v2 logs containing credentials and cookies
Category: Data Leak
Content: A threat actor operating under the alias HighWayToShell has shared approximately 5,000 stealer logs collected via RedLine Stealer v2, targeting systems geolocated in Spain running Windows Server 2019 with the Brave browser. The leaked data includes credentials, cookies, and autofill data, made available for free download via a password-protected archive with the password siberian-shelves.
Date: 2026-04-20T12:07:50Z
Network: openweb
Published URL: https://xforums.st/threads/url-login-pass-redline-stealer-v2-5000-logs.609032/
Screenshots:
None
Threat Actors: HighWayToShell
Victim Country: Spain
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of WaterLinks Ltd by tirz4sec (jatengblekhet)
Category: Defacement
Content: On April 20, 2026, threat actor tirz4sec operating under the team jatengblekhet defaced a page on waterlinksltd.com, a company likely associated with water or utilities services. The defacement was a targeted single-page incident affecting a text file on the server. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-20T12:03:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/911508
Screenshots:
None
Threat Actors: tirz4sec, jatengblekhet
Victim Country: Unknown
Victim Industry: Water/Utilities
Victim Organization: WaterLinks Ltd
Victim Site: waterlinksltd.com
Alleged leak of 11 million Office credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged combolist containing 11 million Office-related credentials on the cracking forum CX. The content is gated behind registration but is promoted as free via Telegram channels and groups. The actor also advertises additional free combo resources through associated Telegram channels.
Date: 2026-04-20T11:53:22Z
Network: openweb
Published URL: https://crackingx.com/threads/72667/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Microsoft credentials combolist
Category: Combo List
Content: A threat actor operating under the alias zod shared a combolist allegedly containing 694 lines of Microsoft credentials on the cracking forum CrackingX. The content is gated behind registration or sign-in, with the password distributed via a Telegram channel linked to the actor. The post references a Telegram bot (@hello_zod_bot) associated with the distribution of the credential list.
Date: 2026-04-20T11:53:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72668/
Screenshots:
None
Threat Actors: zod
Victim Country: United States
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: microsoft.com
Alleged Data Breach of SMJK Katholik (CHS) Malaysia School Database
Category: Data Breach
Content: A threat actor operating under the alias OrangeIce is selling a purported database dump from SMJK Katholik (CHS), a Malaysian secondary school, for RM 2,500 / $550 USD in Litecoin. The dataset allegedly contains over 800 records in JSON format, including staff full names, IC numbers, and official school email addresses (@moe-dl.edu.my), as well as student full names, IC numbers, class information, and gender. Payment and delivery are facilitated via the SESSION encrypted messaging platform.
Date: 2026-04-20T11:50:50Z
Network: openweb
Published URL: https://altenens.is/threads/wts-malaysia-smjk-katholik-chs-full-db-2026-staff-email-ic-students-ic.2927836/unread
Screenshots:
None
Threat Actors: OrangeIce
Victim Country: Malaysia
Victim Industry: Education
Victim Organization: SMJK Katholik (CHS)
Victim Site: Unknown
Alleged Distribution of CryptoChecker Cracking Tool
Category: Data Leak
Content: A forum post on DemonForums in the Cracking Tools section advertises a tool called CryptoChecker NC with multiple download mirrors. The post contains minimal technical detail and includes an unrelated adult dating site link, suggesting possible spam or low-quality content. No victim, data type, or specific threat details are identifiable from the available information.
Date: 2026-04-20T11:34:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-CryptoChecker-NC
Screenshots:
None
Threat Actors: makitabosch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 1,900 French email access credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a list of approximately 1,900 valid French email account credentials, dated April 20. The post is categorized under combolists and dumps, suggesting these are email access credentials likely in login:password format. The content is restricted to registered forum users.
Date: 2026-04-20T11:33:43Z
Network: openweb
Published URL: https://crackingx.com/threads/72666/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged request for United Kingdom criminal records database
Category: Data Breach
Content: A threat actor on the Breached forum is seeking a database containing criminal records from the United Kingdom. The post does not specify a particular organization or source for the data. No details regarding record count, pricing, or specific data fields were provided.
Date: 2026-04-20T11:24:59Z
Network: openweb
Published URL: https://breached.st/threads/need-criminal-database-of-uk.86127/unread
Screenshots:
None
Threat Actors: enolajames851
Victim Country: United Kingdom
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack on Polish store surveillance cameras by NoName057(16)
Category: Cyber Attack
Content: The hacktivist group NoName057(16) claims to have compromised all surveillance cameras at a Polish store as part of their ongoing OpPoland campaign. The post uses humorous language referencing a TV show concept (Hidden Camera) and is signed with hashtags #FuckEastwood, #TimeOfRetribution, and #OpPoland, consistent with NoName057(16)'s known hacktivist operations targeting Poland.
Date: 2026-04-20T11:12:44Z
Network: telegram
Published URL: https://t.me/c/3584758467/781
Screenshots:
None
Threat Actors: NoName057(16)
Victim Country: Poland
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist containing 10,900 entries
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a mixed combolist containing approximately 10,900 credential pairs on the forum AE – Combo List. The list is described as valid and fresh, and is being distributed via a Pasteview link. No specific victim organization or targeted service has been identified.
Date: 2026-04-20T11:11:31Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagevalid-fresh-10900-mix-high-voltage-private-high-voltage-ebbi_cloudhigh-voltage.2927827/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack on Polish retail store CCTV systems by NoName057(16)
Category: Cyber Attack
Content: The hacktivist group NoName057(16) claims to have successfully compromised all CCTV cameras at an unspecified Polish store. The post references operation hashtags #OpPoland and #TimeOfRetribution, suggesting this is part of an ongoing campaign targeting Polish infrastructure. The group humorously references launching a show called UNHIDDEN CAMERA, implying they have access to live or recorded surveillance footage.
Date: 2026-04-20T11:07:54Z
Network: telegram
Published URL: https://t.me/c/3087552512/1776
Screenshots:
None
Threat Actors: NoName057(16)
Victim Country: Poland
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
Alleged mass defacement of multiple websites by Mr.PIMZZZXploit
Category: Defacement
Content: Threat actor Mr.PIMZZZXploit, affiliated with Babayo Eror System, claims to have defaced multiple websites across various domains including sites in Italy, Indonesia, Saudi Arabia, Brazil, Romania, and others. A total of 12 URLs are listed as defaced targets.
Date: 2026-04-20T11:07:23Z
Network: telegram
Published URL: https://t.me/c/3865526389/519
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: chatgptitalia.cc, binus.site.bpjs-kesehatan.pw, unicc.com.sa, 2.jnc.co.id, renobtp.lahad.shop, restaurantes.influup.com.br, bluerock-whealth.cc, test.97fan.club, allura.ro.unicads.ro, prothombaby.hambleit.com, hutch-diesel.repairlift.site, globe.akoma.online
Alleged Data Leak of Hatica Engineering Platform Including Source Code, Credentials, and Customer Data
Category: Data Leak
Content: A threat actor claiming to have exploited a single exposed GitHub token with access to the private haticahq GitHub organisation has leaked the complete contents of 75 private repositories, a 5.7 GB production database, 4,700 Slack workspace bot tokens, and plaintext production credentials across 15 services. The breach also impacts Hatica's associated products DixiApp/PyjamaHR and Posium/QAKit, exposing data from customers including JP Morgan, BrowserStack, GE Healthcare, Disney, and MIT. The
Date: 2026-04-20T11:05:05Z
Network: openweb
Published URL: https://darkforums.su/Thread-FRESH-BREACH-HATICA-including-data-from-JP-Morgan-BrowserStack-GE-Healthcare
Screenshots:
None
Threat Actors: FulcrumSec
Victim Country: India
Victim Industry: Software / Technology
Victim Organization: Hatica
Victim Site: hatica.io
Alleged sale of administrator access to Indonesian government websites
Category: Initial Access
Content: A threat actor is offering fresh administrator access to two Indonesian government domains: dprd.dumaikota.go.id (Dumai City Regional Legislative Council) and disdik.sulselprov.go.id (South Sulawesi Provincial Education Department). Contact provided via Telegram handle @DongHyunShiz.
Date: 2026-04-20T10:59:39Z
Network: telegram
Published URL: https://t.me/c/3865526389/518
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Dumai City Regional Legislative Council / South Sulawesi Provincial Education Department
Victim Site: dprd.dumaikota.go.id, disdik.sulselprov.go.id
Alleged defacement of gerrit.97fan.club by Mr.PIMZZZXploit
Category: Defacement
Content: A threat actor using the handle Mr.PIMZZZXploit, affiliated with Babayo Eror System, claims to have defaced the website gerrit.97fan.club. The post includes a photo as proof of the defacement.
Date: 2026-04-20T10:46:41Z
Network: telegram
Published URL: https://t.me/c/3865526389/516
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: gerrit.97fan.club
Alleged leak of Israeli Facebook users data on dark web
Category: Data Leak
Content: A dataset containing information on Facebook users in Israel has been published on the dark web. The data reportedly includes names, phone numbers, user IDs, and location data. Analysis suggests the data was compiled from public sources and prior aggregations, with no evidence of password exposure or direct system intrusion.
Date: 2026-04-20T10:38:45Z
Network: telegram
Published URL: https://t.me/c/1283513914/21295
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Israel
Victim Industry: Social Media
Victim Organization: Facebook
Victim Site: facebook.com

Alleged Bitcoin Private Key Generator Tool Shared for Cryptocurrency Theft
Category: Initial Access
Content: A threat actor on the AE cracking forum has shared a tool called Btc_AI_Genprivatekey that claims to generate Bitcoin private keys based on the latest blockchain blocks. The tool allegedly checks wallet balances and saves results in a BTC address format, targeting cryptocurrency wallets potentially holding significant funds. The actor suggests that higher computational power increases the likelihood of successfully generating a valid private key with a balance.
Date: 2026-04-20T10:38:35Z
Network: openweb
Published URL: https://altenens.is/threads/btc_ai_genprivatekey-generates-private-keys-based-on-the-latest-blocks-of-blockchain.2927813/unread
Screenshots:
None
Threat Actors: ananalbzoor
Victim Country: Unknown
Victim Industry: Cryptocurrency
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed stealer logs by threat actor fatetraffic
Category: Logs
Content: A threat actor operating under the alias fatetraffic has made available a collection of 1,540 mixed stealer logs dated April 20, 2026, via a Pixeldrain file-sharing link. The logs are freely accessible with a password and likely contain credentials and browser data harvested from information-stealing malware. No specific victim organization or country has been identified, suggesting the logs span multiple victims across various regions.
Date: 2026-04-20T10:33:28Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%93%97-FATETRAFFIC-1540-MIX-20-04-2026-STEALER-LOGS
Screenshots:
None
Threat Actors: fatetraffic
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach and Sale of Champhunt.com Database and Source Code
Category: Data Breach
Content: A threat actor identified as 888 is selling the database and source code of Champhunt.com, a cricket-focused social media platform. The breach reportedly contains 224,300 unique user records including email addresses, bcrypt-hashed passwords, JWT authentication tokens, names, mobile numbers, dates of birth, gender, location data, and platform-specific fields such as follower counts and virtual currency balances. The leaked data also includes an admin account with active session tokens, signifi
Date: 2026-04-20T10:32:15Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Champhunt-com-Database-Source-Code
Screenshots:
None
Threat Actors: 888
Victim Country: India
Victim Industry: Social Media / Entertainment
Victim Organization: Champhunt
Victim Site: champhunt.com

Alleged Data Breach of Valle del Cauca Government Education Portal (SERVERIISSAR)
Category: Data Breach
Content: Threat actors NyxarGroup, ArcRaidersPlayer, and Petro_Escobar are selling a database allegedly exfiltrated from the Valle del Cauca regional government's IISSAR portal in Colombia. The leaked data includes users' banking information, user lists, applicant lists, internal documents, and confidential company documents. Sample records expose personally identifiable information of Colombian citizens including full names, national ID numbers (C.C.), gender, employment status, and educational qualific
Date: 2026-04-20T10:31:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-CO-SERVERIISSAR-VALLEDELCAUCA-GOV-CO
Screenshots:
None
Threat Actors: NyxarGroup
Victim Country: Colombia
Victim Industry: Government
Victim Organization: Valle del Cauca Government – IISSAR
Victim Site: serveriissar.valledelcauca.gov.co

Alleged Data Breach of Premmiere.co.id with 18GB Database Offered for Sale
Category: Data Breach
Content: A threat actor operating under the alias Kyyzo is selling an alleged 18GB+ database dump belonging to the Indonesian e-commerce platform Premmiere (premmiere.co.id). The post includes sample data files and exposes supplier information including names, phone numbers, and product specifications linked to government procurement portal e-katalog.lkpp.go.id. The actor can be contacted via Telegram at @Kyyzo.
Date: 2026-04-20T10:30:52Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-18GB-DATABASE-PREMMIERE-CO-ID
Screenshots:
None
Threat Actors: Kyy
Victim Country: Indonesia
Victim Industry: E-Commerce / Retail
Victim Organization: Premmiere
Victim Site: premmiere.co.id

Alleged Data Breach of Agoda.com Exposing 82 Million Malaysian Customer Records
Category: Data Breach
Content: A threat actor operating under the alias hackboy is selling an alleged database dump of 82 million Agoda.com customer records on a dark web forum. The dataset includes sensitive personal information such as full names, email addresses, phone numbers, Malaysian national identity card numbers (IC numbers), and full physical addresses. The actor accepts middleman/escrow arrangements and can be contacted via Telegram for pricing and samples.
Date: 2026-04-20T10:30:22Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Malaysia-agoda-com-82-million-records
Screenshots:
None
Threat Actors: hackboy
Victim Country: Malaysia
Victim Industry: Travel & Hospitality
Victim Organization: Agoda
Victim Site: agoda.com

Alleged leak of mixed email and password combolist
Category: Combo List
Content: A threat actor operating under the alias wingoooW has freely shared a mixed combolist containing approximately 15,000 alleged valid email and password credential pairs on DemonForums. The combolist is described as mixed, indicating credentials originating from multiple sources or organizations. The download is hosted on an external paste service and is available without payment.
Date: 2026-04-20T10:22:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-15K-VALID-MIXED-LEAK
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged free distribution of corporate email combolists
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing free combolists containing corporate email credentials via Telegram channels. The actor promotes two Telegram groups offering free combo lists and tools. No specific victim organization or record count has been disclosed.
Date: 2026-04-20T10:21:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72659/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German social and shopping platform credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 448,999 credential lines targeting German social and shopping platforms. The data is described as HQ (high quality) and has been shared via a Mega.nz file link on the cracking forum CrackingX. The combolist appears to aggregate credentials from multiple German-targeted sources across social and e-commerce sectors.
Date: 2026-04-20T10:21:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72660/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail & Social Media
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of Vercel Internal Database
Category: Data Breach
Content: A threat actor claims to have exfiltrated Vercel's internal database, allegedly causing the platform to crash in the process. The actor shared media files as purported proof and provided contact details via XMPP or Session for further communication. Vercel is a major cloud platform used by developers worldwide.
Date: 2026-04-20T10:13:09Z
Network: telegram
Published URL: https://t.me/c/3500620464/7129
Screenshots:
None
Threat Actors: Breach
Victim Country: United States
Victim Industry: Technology / Cloud Infrastructure
Victim Organization: Vercel
Victim Site: vercel.com

Alleged leak of Brazilian email access credentials
Category: Combo List
Content: A threat actor operating under the alias MailAccesss has made available a combolist containing approximately 1,300 allegedly valid email account credentials targeting Brazilian users. The post was shared on the cracking forum CrackingX and is dated April 20. No specific email provider or organization is identified, and the content is restricted to registered forum members.
Date: 2026-04-20T10:02:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72658/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Vercel Internal Database with Employee Credentials and Source Code
Category: Data Breach
Content: A threat actor identified as shinyc0rpsss is claiming to sell an alleged internal Vercel database containing 170,000 lines of data including employee email:password hashes, user records (id, name, displayName, email, active, admin, guest, timezone, createdAt, updatedAt, lastSeen), source code (Next.js, Turborepo, SWC), Git permissions, API tokens, and project configurations. The actor is asking $100,000 USD and can be contacted via XMPP, Telegram, or Session protocol. The actor also claims Vercel's systems crashed during the alleged data exfiltration.
Date: 2026-04-20T10:01:45Z
Network: telegram
Published URL: https://t.me/c/3500620464/7130
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: United States
Victim Industry: Technology / Cloud Infrastructure
Victim Organization: Vercel
Victim Site: vercel.com

Alleged leak of Polish mail access credentials
Category: Logs
Content: A threat actor known as MegaCloud has shared a combolist containing approximately 1,200 Polish mail access credentials on an underground forum. The post, dated April 20, indicates the credential list is available for registered forum members. No specific mail provider or organization has been identified as the source of the compromised accounts.
Date: 2026-04-20T09:57:29Z
Network: openweb
Published URL: https://xforums.st/threads/1-2kpoland-mail-access-20-04.609019/
Screenshots:
None
Threat Actors: MegaCloud
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of Iraq Modern Vehicle Registration Database
Category: Data Breach
Content: A threat actor claims to have breached a modern vehicle registration database covering all provinces of Iraq, allegedly obtained in 2026. The post is authored by karllllllllX on a known data breach forum and references comprehensive coverage of Iraqi governorates. No record count or pricing information was provided in the post.
Date: 2026-04-20T09:55:20Z
Network: openweb
Published URL: https://breached.st/threads/modern-public-car-base-2026-iraq.86126/unread
Screenshots:
None
Threat Actors: karllllllllX
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Iraq Modern Vehicle Registration System
Victim Site: Unknown

Alleged leak of Hotmail credential combolist with forum-validated accounts
Category: Combo List
Content: A threat actor operating under the alias ValidMail shared a combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The post claims the credentials have been validated against forums, suggesting active and working accounts. The content is gated behind forum registration or sign-in, indicating it may be distributed as a free resource to registered members.
Date: 2026-04-20T09:45:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72656/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com

Alleged Data Leak of FiveM Gaming Platform Player and Server Database
Category: Data Leak
Content: A threat actor operating under the alias nearlevrai has freely shared a collection of FiveM gaming platform database dumps, comprising 24,300 SQL files totaling 54.46 MB. The dataset reportedly contains records for 208,454 players across 24,300 registered game servers. The data has been made available via an anonymous file-sharing link.
Date: 2026-04-20T09:39:12Z
Network: openweb
Published URL: https://breached.st/threads/scrapper-fivem-2k26.86125/unread
Screenshots:
None
Threat Actors: nearlevrai
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: FiveM
Victim Site: fivem.net

Alleged Data Leak of Institute for National Security Studies (INSS) Classified Documents
Category: Data Leak
Content: A threat actor identifying as Sumud Cyber Command claims to have leaked 15.92 terabytes of classified documents from the Institute for National Security Studies (INSS), an Israeli national security think-tank. The alleged dump, comprising over 9.7 million files, purportedly includes strategic intelligence, Iran-related analysis, and internal research materials from secure servers and analyst workstations. The content has been made available for free download via darknet forums, with the group
Date: 2026-04-20T09:36:31Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-ISRAEL-INSS-NATIONAL-SECURITY-MEGA-BREACH-15-TB-CLASSIFIED-DOCUMENTS-LEAK
Screenshots:
None
Threat Actors: SumudCyberCommand
Victim Country: Israel
Victim Industry: Government & National Security Research
Victim Organization: Institute for National Security Studies (INSS)
Victim Site: inss.org.il

Vercel April 2026 security incident | Vercel Knowledge Base
Category: Cyber Attack
Content: Vercel disclosed that it experienced a security incident involving unauthorized access to some of its internal systems. The attack was initiated through the compromise of a third-party tool, Context.ai, used by an employee, enabling access to certain environment variables not marked as sensitive. The attack was claimed by ShinyHunters.
Date: 2026-04-20T09:34:09Z
Network: openweb
Published URL: https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
Screenshots:
None
Threat Actors:
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Vercel
Victim Site: vercel.com

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has made available a combolist containing approximately 13,000 Hotmail credentials on the cracking forum CrackingX. The post is listed under the Combolists & Dumps section, suggesting the content consists of email and password pairs. Full content requires registration or sign-in to access.
Date: 2026-04-20T09:27:38Z
Network: openweb
Published URL: https://crackingx.com/threads/72655/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com

Alleged defacement of multiple websites by Mr.PIMZZZXploit / Babayo Eror System
Category: Defacement
Content: Threat actor Mr.PIMZZZXploit operating under the group Babayo Eror System claims to have defaced multiple websites including web-order.sukriya.top, seguridadmeva.com, globe.akoma.online, and seguridadmeva.com.ideedigital.mx. Defacement mirrors are archived on defacer.id with IDs 303287–303292.
Date: 2026-04-20T09:26:13Z
Network: telegram
Published URL: https://t.me/c/3865526389/515
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: web-order.sukriya.top, seguridadmeva.com, globe.akoma.online, seguridadmeva.com.ideedigital.mx

Alleged data breach of Vercel by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters claims to have successfully exfiltrated Vercel's internal database. According to the post, Vercel's systems crashed during the download and subsequently cut off all connections. The actor implies the breach was completed before the disruption.
Date: 2026-04-20T09:22:24Z
Network: telegram
Published URL: https://t.me/c/3737716184/1469
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Cloud Infrastructure / Developer Platforms
Victim Organization: Vercel
Victim Site: vercel.com

Alleged free distribution of Moon Cloud stealer logs
Category: Logs
Content: A threat actor is distributing stealer logs for free, referred to as Moon Cloud free logs, shared via photo attachment in the Breach channel.
Date: 2026-04-20T09:22:18Z
Network: telegram
Published URL: https://t.me/c/3500620464/7127
Screenshots:
None
Threat Actors: Moon Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of multi-country sorted URL credential combolist
Category: Combo List
Content: A threat actor operating under the alias WashingtonDC has made available a credential combolist on the cracking forum CrackingX. The archive, hosted on MediaFire, contains URL:login:password entries reportedly sorted by country, spanning countries A through V. The content appears to be a compiled combolist aggregated from multiple sources rather than a single organization breach.
Date: 2026-04-20T09:11:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72653/
Screenshots:
None
Threat Actors: WashingtonDC
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of WordPress credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias hangover934 on the AE forum has made available a combolist containing WordPress login credentials in URL:login:password format. The post claims the credentials are valid and includes associated URLs for the compromised WordPress installations. No specific victim organization or record count was disclosed.
Date: 2026-04-20T08:51:59Z
Network: openweb
Published URL: https://altenens.is/threads/check-mark-buttonstarwordpresscheck-mark-buttonstarvalidstarurlsstarlogin-pass.2927787/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist containing 1,616 alleged valid Hotmail credentials on a cybercrime forum. The post describes the content as premium hits with mixed mail formats, shared via hidden content accessible to registered forum members. The actor also references a Telegram handle alphaaxd as a point of contact.
Date: 2026-04-20T08:38:51Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1616x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of 6 million URL:Login:Password credential lines
Category: Data Leak
Content: A threat actor known as Markus7 has freely distributed a large combolist containing approximately 6 million URL:login:password credential pairs across multiple file-sharing platforms including MEGA, Gofile, MediaFire, and others. The archive is approximately 400MB compressed and is associated with Telegram channels @StarLinkClouds and @StarLinkClub. No specific victim organization or country has been identified, suggesting this is an aggregated credential collection.
Date: 2026-04-20T08:32:54Z
Network: openweb
Published URL: https://breached.st/threads/url-log-pass-6-013-350-million-lines-400mb.86124/unread
Screenshots:
None
Threat Actors: Markus7
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data leak of Institute for National Security Studies (INSS) classified intelligence archive
Category: Data Leak
Content: A threat actor group calling itself Sumud Cyber Command claims to have leaked 15.92 terabytes of classified data from the Institute for National Security Studies (INSS), an Israeli national security think tank. The alleged dump contains approximately 9.78 million files purportedly sourced from a secure research server and multiple analyst workstations, including strategic intelligence reports on Iran, proxy forces, and military planning. The archive has been made available for free download on a
Date: 2026-04-20T08:31:11Z
Network: openweb
Published URL: https://breached.st/threads/israel-inss-national-security-mega-breach-15-tb-classified-iran-proxy-strategic-intelligence-fully-leaked.86123/unread
Screenshots:
None
Threat Actors: SumudCyberCommand
Victim Country: Israel
Victim Industry: Government & Defense Think Tank
Victim Organization: Institute for National Security Studies (INSS)
Victim Site: inss.org.il

Alleged data leak of Institute for National Security Studies (INSS) classified research archive
Category: Data Leak
Content: A threat actor operating as Sumud Cyber Command claims to have leaked 15.92 terabytes of classified data from the Institute for National Security Studies (INSS), an Israeli national security think-tank. The alleged dump contains approximately 9.78 million files purportedly sourced from a secure research server and multiple analyst workstations, reportedly including strategic intelligence, Iran-related analysis, and internal policy documents. The archive has been made available for free downloa
Date: 2026-04-20T08:15:38Z
Network: openweb
Published URL: https://breached.st/threads/israel-inss-national-security-mega-breach-15-tb-classified-iran-proxy-strategic-intelligence-archive-fully-leaked.86121/unread
Screenshots:
None
Threat Actors: SumudCyberCommand
Victim Country: Israel
Victim Industry: Government & Defense Think-Tank
Victim Organization: Institute for National Security Studies (INSS)
Victim Site: inss.org.il

Alleged leak of SMTP credential combolist containing 11 million records
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a large SMTP combolist containing approximately 11 million credential pairs via Telegram. The content is being made available for free through Telegram channels and groups linked to the actor. No specific victim organization or targeted service has been identified.
Date: 2026-04-20T08:04:59Z
Network: openweb
Published URL: https://crackingx.com/threads/72647/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of large-scale URL-login-password credential combolist with online search access
Category: Combo List
Content: A threat actor on CrackingX is advertising a claimed 1.4TB collection of URL-login-password (ULP) credential combolists, described as a historical aggregation with ongoing updates. The offering includes access to an online search robot, allowing buyers to query targets without downloading the full dataset. The actor claims to support country-based filtering, suggesting a broad, multi-national credential repository.
Date: 2026-04-20T08:04:43Z
Network: openweb
Published URL: https://crackingx.com/threads/72648/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German shopping-targeted combolist with 586,879 credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has shared a combolist containing 586,879 lines on a cracking forum via a Mega.nz link. The dataset is described as targeting European, specifically German, shopping-related accounts. No specific organization or price is mentioned, suggesting the combolist is being freely distributed.
Date: 2026-04-20T08:04:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72649/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail & E-Commerce
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of European and US credential combolists
Category: Data Leak
Content: A threat actor on the AE forum has made available a collection of combolists claimed to be 100% valid and high quality. The credential lists reportedly contain entries from Europe and the United States. No specific organizations, record counts, or pricing information were provided in the post.
Date: 2026-04-20T08:01:49Z
Network: openweb
Published URL: https://altenens.is/threads/star100-full-validstarhigh-qualitystareurope-usa-combolists-star.2927771/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of phone number and password credential list
Category: Data Leak
Content: A threat actor operating under the alias hangover934 has shared a combolist containing phone number and password credential pairs on the AE forum. The post is labeled as HQ Private, suggesting the credentials are claimed to be high quality. No specific victim organization, country, or record count has been identified.
Date: 2026-04-20T08:01:21Z
Network: openweb
Published URL: https://altenens.is/threads/star-phone-number-passstarhq-privatestar.2927775/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 6.4 billion ULP credential records in AlienTxTBase combolist
Category: Logs
Content: A threat actor operating under the alias txtlog_alien has made available a massive combolist dubbed AlienTxTBase Global, claimed to contain approximately 6.4 billion URL:login:password (ULP) credential records totaling 377GB in size. The dataset is being freely distributed via a Mediafire link and appears to be an aggregated collection of stealer logs rather than a breach of a single organization. No specific victim organization or country has been identified, suggesting this is a compiled g
Date: 2026-04-20T07:57:08Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%9A%80%E2%9A%A1-6-358-333-331-ULP-%F0%9F%91%BD-AlienTxTBase-Global-%F0%9F%94%A5-PRIVATE-6-4-BILLION-377GB
Screenshots:
None
Threat Actors: txtlog_alien
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged cyber intrusion by Ukrainian hackers into confidential Russian Ministry meeting on drone production
Category: Cyber Attack
Content: Ukrainian hackers reportedly infiltrated a classified session held by Russia's Ministry of Industry and Trade concerning drone (UAV) manufacturing. The breach allowed unauthorized access to sensitive government discussions, representing a significant cyber espionage incident targeting Russian defense-industrial activities.
Date: 2026-04-20T06:56:05Z
Network: telegram
Published URL: https://t.me/c/1283513914/21289
Screenshots:
None
Threat Actors: Ukrainian Hackers
Victim Country: Russia
Victim Industry: Government / Defense
Victim Organization: Ministry of Industry and Trade of Russia
Victim Site: Unknown

Alleged sale of access or SEO manipulation service targeting mitm.edu.in
Category: Initial Access
Content: A threat actor operating under Pharaohs Team is advertising mitm.edu.in (DA 28 / PA 28) with a contact handle, suggesting a sale of website access, backdoor, or SEO/link injection capability targeting an Indian educational institution.
Date: 2026-04-20T06:48:46Z
Network: telegram
Published URL: https://t.me/c/3205199875/500
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: India
Victim Industry: Education
Victim Organization: MIT Muzaffarpur
Victim Site: mitm.edu.in

Alleged sale of compromised websites with DA/PA metrics by Pharaohs Team
Category: Initial Access
Content: Pharaohs Team market is offering a list of 13 websites across multiple domains and countries, each listed with their Domain Authority (DA) and Page Authority (PA) scores. This is consistent with the sale of compromised websites for SEO spam, link injection, phishing hosting, or defacement purposes. Domains include sites from India (.in, .ac.in), Switzerland (.ch, .swiss), Liechtenstein (.li), and generic TLDs (.com, .org, .world).
Date: 2026-04-20T06:47:33Z
Network: telegram
Published URL: https://t.me/c/3205199875/499
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of Vercel involving database access key and source code
Category: Data Breach
Content: A threat actor posted on BreachForums claiming to possess Vercel's database access key and source code, teasing an imminent release. The actor mentions individuals claiming to be Vercel representatives have contacted them seeking verification, suggesting Vercel may be aware of the claim.
Date: 2026-04-20T06:45:52Z
Network: telegram
Published URL: https://t.me/c/3500620464/7126
Screenshots:
None
Threat Actors: Breach
Victim Country: United States
Victim Industry: Technology / Cloud Infrastructure
Victim Organization: Vercel
Victim Site: vercel.com

Alleged defacement of PowerVision solar industry website in the United States
Category: Defacement
Content: The hacktivist group #OpsShadowStrike, in collaboration with multiple groups including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others, claims to have defaced the US solar industry website powervision.net. A Zone-H mirror (ID: 42021196) is provided as proof. The attack appears politically motivated, referencing Palestine and Iran-Israel conflict hashtags. The defacement page is hosted at powervision.net/ops.html.
Date: 2026-04-20T06:45:03Z
Network: telegram
Published URL: https://t.me/c/3844432135/346
Screenshots:
None
Threat Actors: #OpsShadowStrike
Victim Country: United States
Victim Industry: Energy / Solar
Victim Organization: PowerVision
Victim Site: powervision.net

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has made available a combolist containing approximately 1,049 Hotmail credentials on the cracking forum CrackingX. The post, categorized under Combolists & Dumps, offers a free download of the credential list. The origin and validity of the credentials have not been verified.
Date: 2026-04-20T06:44:54Z
Network: openweb
Published URL: https://crackingx.com/threads/72643/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged cyber intrusion into Iraqi government server
Category: Cyber Attack
Content: A hacker group has claimed to have gained access to an Iraqi government server and extracted sensitive data including identity and family records. No technical evidence or data samples have been published, and the targeted entity has not been identified.
Date: 2026-04-20T06:44:16Z
Network: telegram
Published URL: https://t.me/c/1283513914/21288
Screenshots:
None
Threat Actors: Unknown
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Iraqi Government
Victim Site: Unknown

Alleged increase in cyber and intelligence pressure operations against Israeli infrastructure
Category: Cyber Attack
Content: Gil Missing, head of cybersecurity staff at Check Point Israel, has acknowledged a rise in daily cyberattacks targeting Israeli infrastructure. He noted accompanying reconnaissance and intelligence collection activities, including surveillance of sensitive locations and areas linked to security personnel. Concerns were also raised about recruitment attempts targeting individuals in security and other sectors inside Israel. The official described this trend as indicative of escalating hybrid cyber and intelligence pressure campaigns.
Date: 2026-04-20T06:15:09Z
Network: telegram
Published URL: https://t.me/c/1283513914/21287
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Israel
Victim Industry: Government & Critical Infrastructure
Victim Organization: Israeli Critical Infrastructure
Victim Site: Unknown
Alleged leak of Chinese credential combolist containing 26,000 email:password pairs
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has shared a combolist containing approximately 26,000 email:password credential pairs purportedly sourced from China, dated April 20, 2026. The content is described as FRESH and HQ (high quality), suggesting recently obtained or validated credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential lists, indicating an ongoing distribution operation.
Date: 2026-04-20T06:14:00Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-26-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-China-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of British Indian credential combolist
Category: Combo List
Content: A threat actor operating under the alias Elite_Cloud1 has made available a combolist of approximately 17,000 email and password combinations described as British Indian in origin. The credentials are claimed to be fresh and high quality, and were shared freely on a cybercrime forum with additional content promoted via a Telegram channel.
Date: 2026-04-20T06:12:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-17-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-British-Indian-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of TVRI Indonesia Employee Database
Category: Data Leak
Content: A threat actor known as Xyph0rix has freely shared a database allegedly belonging to TVRI, Indonesia's national public television broadcaster, on the Breached forum. The leaked data contains highly sensitive personally identifiable information of TVRI employees, including full names, national ID numbers (NIK/NIP), dates of birth, religion, marital status, job titles, civil servant ranks, email addresses, phone numbers, residential addresses, bank account numbers, and tax identifiers. The data ap
Date: 2026-04-20T06:05:10Z
Network: openweb
Published URL: https://breached.st/threads/database-tvri-indonesia.86120/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Broadcasting / Media
Victim Organization: TVRI (Televisi Republik Indonesia)
Victim Site: tvri.go.id
Alleged data breach of TVRI Indonesia
Category: Data Breach
Content: A threat actor identified as Xyph0rix has posted a thread on BreachForums (breached.st) allegedly containing a database from TVRI (Televisi Republik Indonesia), Indonesia's state-owned public broadcaster. The post was forwarded via the Rakyat Digital Crew channel.
Date: 2026-04-20T05:56:45Z
Network: telegram
Published URL: https://t.me/Xyph0rix_CaypbaraXploit/170
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Media & Broadcasting
Victim Organization: TVRI (Televisi Republik Indonesia)
Victim Site: Unknown
Alleged leak of 575,000 Brazilian email credentials (combolist)
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist containing over 575,000 email:password credential pairs allegedly sourced from Brazil. The list is described as fresh and high quality and is shared via a hidden download link on DemonForums. The actor also promotes an associated Telegram channel (t.me/elite_cloud1) for additional credential logs.
Date: 2026-04-20T05:54:35Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-575-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Brazil-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Colombian email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 219,000+ email and password credential pairs allegedly associated with Colombian users. The combolist is described as fresh and high quality and is accessible via a hidden download link on the forum. The actor also promotes additional credential logs through a Telegram channel at t.me/elite_cloud1.
Date: 2026-04-20T05:54:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-219-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Colombia-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Colombia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Canadian email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 219,000+ email:password credential pairs targeting Canadian accounts. The list is described as FRESH and HQ (high quality), suggesting recently verified or compiled credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential lists.
Date: 2026-04-20T05:53:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-219-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Canada-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Bulgarian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 126,000 email and password credential pairs allegedly sourced from Bulgaria. The combolist is described as fresh and high quality and is distributed via a hidden download link on the forum. The actor also promotes additional credential content through a Telegram channel at t.me/elite_cloud1.
Date: 2026-04-20T05:53:35Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-126-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Bulgaria-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Bulgaria
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Chilean email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has shared a combolist of approximately 96,000 email:password credential pairs allegedly associated with Chilean users. The combolist is described as fresh and high quality, and is made available via a hidden content gate on the forum. The actor also promotes a Telegram channel (t.me/elite_cloud1) for additional credential logs.
Date: 2026-04-20T05:53:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-96-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Chile-%E2%9C%AA-20-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Chile
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist allegedly containing 943,343 lines of Hotmail credentials via a Mega.nz file sharing link. The post was shared on the cracking forum CrackingX in the Combolists & Dumps section. The combolist likely consists of email and password pairs associated with Hotmail accounts.
Date: 2026-04-20T05:53:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72641/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed USA and Europe credential combolist
Category: Data Leak
Content: A threat actor operating under the alias hangover934 has shared an alleged combolist on the AE forum containing credential hits targeting users from the United States and Europe. The post advertises the content as exclusive and mixed, suggesting it may aggregate credentials from multiple sources. No specific victim organizations, record counts, or pricing details were provided in the post.
Date: 2026-04-20T04:15:02Z
Network: openweb
Published URL: https://altenens.is/threads/star-hits-mix-usastareuropestarexclusive-combolist-star.2927762/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged defacement of Dumai City Regional Parliament website by Babayo Eror System
Category: Defacement
Content: Threat actor Babayo Eror System claims to have defaced the official website of the Dumai City Regional Parliament (DPRD Kota Dumai) at dprd.dumaikota.go.id. The defacement includes a political message in Indonesian condemning corruption, stating that every corrupted rupiah is not just a number but the rights of the people being stolen. A photo was shared as proof of the defacement.
Date: 2026-04-20T04:06:32Z
Network: telegram
Published URL: https://t.me/c/3865526389/514
Screenshots:
None
Threat Actors: Babayo Eror System
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: DPRD Kota Dumai (Dumai City Regional Parliament)
Victim Site: dprd.dumaikota.go.id
Alleged leak of multi-site credential combolist (URL:Login:Password format)
Category: Data Leak
Content: A threat actor operating under the alias hangover934 has shared what they claim to be a high-quality private combolist in URL:Login:Password (ULP) format on the AE combo list forum. The post offers credential pairs associated with various websites, though specific targets, record counts, and affected organizations are not disclosed. The content is described as HQ Private, suggesting the actor claims the credentials are fresh or previously unpublished.
Date: 2026-04-20T03:57:20Z
Network: openweb
Published URL: https://altenens.is/threads/star-url-login-passstar-ulp-starhq-privatestar.2927760/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German credential combolist with 1.18 million lines
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has shared a combolist containing approximately 1.18 million lines targeting German users on the cracking forum CrackingX. The combolist is described as mixed target, suggesting credentials from multiple services or platforms. The file has been made available for free download via a Mega.nz link.
Date: 2026-04-20T03:43:23Z
Network: openweb
Published URL: https://crackingx.com/threads/72636/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Cyber Attack on Partner Communications Ltd SCADA Systems by M-17SEC
Category: Cyber Attack
Content: Threat actor group M-17SEC, operating under operation OpsResurrect1, claims to have successfully compromised the SCADA systems of Partner Communication Ltd. The group announces plans to expand attacks targeting Israel and its allies. The post is politically motivated and signed with #OpsIsrael #M17Sec #TheGarudaEye, indicating a coordinated hacktivist campaign.
Date: 2026-04-20T03:27:11Z
Network: telegram
Published URL: https://t.me/M171337/63
Screenshots:
None
Threat Actors: M-17SEC
Victim Country: Israel
Victim Industry: Telecommunications
Victim Organization: Partner Communication Ltd
Victim Site: Unknown
Alleged leak of 60,000 Gmail credentials on cracking forum
Category: Combo List
Content: A threat actor operating under the alias ValidMail has made available an alleged combolist of 60,000 Gmail accounts on the cracking forum CrackingX. The post is categorized under Combolists & Dumps, suggesting the content consists of email credential pairs. Full details of the post are restricted to registered forum members.
Date: 2026-04-20T03:26:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72635/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged defacement of KM Academy Asarganj by OpsShadowStrike
Category: Defacement
Content: The hacktivist group OpsShadowStrike, in collaboration with multiple groups including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others, claims to have defaced the website of KM Academy Asarganj (kmacademyasarganj.com), an educational institution in India. The attack appears politically motivated, referencing pro-Palestinian and anti-Israel sentiments. The post includes hashtags referencing defacement, DDoS, and data breach, though the primary claim is defacement.
Date: 2026-04-20T03:25:08Z
Network: telegram
Published URL: https://t.me/c/3844432135/345
Screenshots:
None
Threat Actors: OpsShadowStrike
Victim Country: India
Victim Industry: Education
Victim Organization: KM Academy Asarganj
Victim Site: kmacademyasarganj.com
Alleged sale of counterfeit currency via Telegram
Category: Cyber Attack
Content: A user identified as hehe repeatedly advertised the sale of counterfeit banknotes (一手源头假钞出售 – first-hand source counterfeit currency for sale) via a Telegram group link (t.me/+B0c3dfLa99IzZWQ1). The post was shared multiple times across the channel, indicating active promotion of counterfeit currency distribution.
Date: 2026-04-20T03:04:42Z
Network: telegram
Published URL: https://t.me/c/2613583520/66022
Screenshots:
None
Threat Actors: hehe
Victim Country: Unknown
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of multi-platform credential combolist targeting eBay, PayPal, Amazon, Facebook, Twitter, and LinkedIn
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist of approximately 9 million credential pairs across multiple major platforms including eBay, PayPal, Amazon, Facebook, Twitter, and LinkedIn. The combolist is being made available for free via Telegram channels and groups operated by the actor. No price or sale is mentioned; the content is shared freely through Telegram at t.me/Combo445544 and t.me/Coder554455.
Date: 2026-04-20T02:39:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72634/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: eBay, PayPal, Amazon, Facebook, Twitter, LinkedIn
Victim Site: ebay.com, paypal.com, amazon.com, facebook.com, twitter.com, linkedin.com
Alleged Data Breach of programmemoi.ca Account Credentials
Category: Data Breach
Content: A threat actor operating under the alias fent888 is selling 317 account credentials from programmemoi.ca, a Canadian educational platform. The accounts are reported to include associated loyalty or reward points. The seller is offering the data for $2.
Date: 2026-04-20T02:31:41Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-www-programmemoi-ca-317-Accounts
Screenshots:
None
Threat Actors: fent888
Victim Country: Canada
Victim Industry: Education
Victim Organization: Programmemoi
Victim Site: programmemoi.ca
Alleged Data Breach of Canadian Hardware Retailer Timber Mart (timbermart.ca)
Category: Data Breach
Content: A threat actor identified as Databroker1 claims to be selling a database allegedly breached from Canadian hardware retailer Timber Mart (timbermart.ca). The dataset reportedly contains approximately 485,000 records spanning six structured tables, including customer personally identifiable information (names, emails, phone numbers, loyalty IDs), store locations, product inventory, and financial transaction records including payment method types and last four digits of payment cards. The actor i
Date: 2026-04-20T02:31:10Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-485k-Canada-www-timbermart-ca-Customer-contactsincludingemails-phonenumbers-addres
Screenshots:
None
Threat Actors: Databroker1
Victim Country: Canada
Victim Industry: Retail – Building Materials & Hardware
Victim Organization: Timber Mart
Victim Site: timbermart.ca
Alleged Data Breach of Emaar Properties and Select Group with Owner and Rental Records
Category: Data Breach
Content: A threat actor on a dark web forum is selling a dataset allegedly breached within the past week from Emaar Properties and Select Group servers, containing over 700,000 records of property owners and rental information including car details, parking information, addresses, phone numbers, and emails. The dataset reportedly includes 7GB of documents, SMTP credentials, API keys including government API keys, and data on high-profile individuals such as sheikhs and residents of Burj Khalifa. The sell
Date: 2026-04-20T02:30:39Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Emaar-and-SelectGroup-owners-rentals-information
Screenshots:
None
Threat Actors: ksa901
Victim Country: United Arab Emirates
Victim Industry: Real Estate
Victim Organization: Emaar Properties and Select Group
Victim Site: Unknown
Alleged Sale of Customer Data from 7 Thai Banks Including Bangkok Bank, Kasikorn Bank, and Others
Category: Data Breach
Content: A threat actor operating under the alias taomarita is allegedly selling customer data sourced from seven Thai banks, including Bangkok Bank, Kasikorn Bank, and Siam Commercial Bank. The data purportedly includes account balances, account numbers, outstanding debt amounts, customer addresses, phone numbers, national ID card copies, and official government documents. Sample file path data suggests the files were exfiltrated from internal user workstations and OneDrive shares, with documents date
Date: 2026-04-20T02:30:08Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Selling-customer-data-from-7-banking-in-Thailand
Screenshots:
None
Threat Actors: taomarita
Victim Country: Thailand
Victim Industry: Banking & Financial Services
Victim Organization: TMBThanachart Bank, Bangkok Bank, CIMB Thai Bank, Kasikorn Bank, Krung Thai Bank, Siam Commercial Bank, United Overseas Bank
Victim Site: Unknown
Alleged Data Breach of Secretaría de Seguridad del Estado de México (SSEDOMEX) Emergency Call Records
Category: Data Breach
Content: A threat actor known as gordo is selling an alleged database of emergency call records from the Secretaría de Seguridad del Estado de México (SSEDOMEX), covering 911 and 089 emergency and non-emergency calls from 2016 to 2026. The database reportedly consists of 3,652 Excel files containing incident types, timestamps, geographic coordinates, response times, unit dispatch information, and call resolution outcomes. The data is being offered for $1,200 USD via Telegram.
Date: 2026-04-20T02:29:35Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Secretar%C3%ADa-de-Seguridad-del-Estado-de-M%C3%A9xico-SSEDOMEX-911-089-Reports-2016-2026
Screenshots:
None
Threat Actors: gordo
Victim Country: Mexico
Victim Industry: Government – Public Safety & Law Enforcement
Victim Organization: Secretaría de Seguridad del Estado de México (SSEDOMEX)
Victim Site: Unknown
Alleged data leak or credential list associated with Nasdaq
Category: Combo List
Content: A CSV file with the filename [email protected] was shared in the channel SILENT ERROR SYSTEM, suggesting a potential credential dump, combolist, or data leak associated with Nasdaq.
Date: 2026-04-20T02:18:49Z
Network: telegram
Published URL: https://t.me/c/3841736872/278
Screenshots:
None
Threat Actors: SILENT ERROR SYSTEM
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Nasdaq
Victim Site: nasdaq.com
Alleged Data Leak of Indonesian Regional Police Research and Development Database
Category: Data Leak
Content: A threat actor known as Xyph0rix has freely shared a database dump allegedly belonging to the Indonesian Regional Police Research and Development (Porli Litbang), hosted on the Indonesian government domain go.id. The leaked data includes given names, family names, usernames, and email addresses of registered users. A download link for the full dataset has been made available on the forum.
Date: 2026-04-20T02:15:20Z
Network: openweb
Published URL: https://breached.st/threads/database-porli-litbang-go-id.86119/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Indonesian Regional Police Research and Development (Porli Litbang)
Victim Site: litbang.go.id
Alleged leak of Business/Corporate domain combolist with 3 million credentials
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist reportedly containing 3 million business and corporate domain credentials. The list is being distributed for free via Telegram channels. No specific victim organization or country has been identified, suggesting the combolist aggregates credentials across multiple corporate entities.
Date: 2026-04-20T02:04:54Z
Network: openweb
Published URL: https://crackingx.com/threads/72632/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed valid email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias RedCloud has made available a combolist containing approximately 11,100 allegedly valid email credentials on DemonForums. The post, dated April 20, 2026, describes the data as UHQ (ultra-high quality) and private, with access provided via a hidden download link requiring forum registration. The actor also promotes a Telegram channel (@tutuba5m) and a related service gateway (@redcloudservices).
Date: 2026-04-20T02:04:48Z
Network: openweb
Published URL: https://demonforums.net/Thread-11-1K-%E2%9C%A8-Mix-%E2%9C%A8-Valid-Mail-Access-20-04
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed valid email access credentials (combolist)
Category: Combo List
Content: A threat actor operating under the alias redcloud has made available a combolist containing approximately 11,000 allegedly valid email access credentials via a Mediafire download link. The post, dated April 20, 2026, describes the data as UHQ (ultra-high quality) and private, suggesting the credentials have been verified. A Telegram contact handle (@tutuba5m) is also provided, likely for further communication or distribution.
Date: 2026-04-20T02:04:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72633/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 24,730 valid Hotmail credentials
Category: Data Leak
Content: A threat actor operating under the alias VegaM has shared a combolist containing 24,730 allegedly valid Hotmail credentials on the AE combo list forum. The credential list was made available via Pasteview, a text-sharing platform. The post claims the credentials are valid, suggesting they may have been recently verified.
Date: 2026-04-20T02:01:44Z
Network: openweb
Published URL: https://altenens.is/threads/24-730-valid-hotmail-access.2927747/unread
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged data breach of Indonesian Government Research Institution (litbang.go.id)
Category: Data Breach
Content: Threat actor Xyph0rix claims to have breached and leaked a database from porli.litbang.go.id, an Indonesian government research and development domain. The post includes a link to a BreachForums thread and is accompanied by an anti-corruption message directed at Indonesian police, suggesting a hacktivist motivation. The actor's BreachForums profile is also shared.
Date: 2026-04-20T01:50:56Z
Network: telegram
Published URL: https://t.me/Xyph0rix_CaypbaraXploit/169
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Penelitian dan Pengembangan (Litbang) – Indonesian Government
Victim Site: porli.litbang.go.id
Alleged data breach of Vercel by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters is claiming responsibility for a breach of Vercel, sharing a photo with the message "See You Next Time!" alongside a BleepingComputer article reporting hackers are selling stolen Vercel data. The post references an escrow system on breachforums.ai, indicating stolen data is being offered for sale.
Date: 2026-04-20T01:50:49Z
Network: telegram
Published URL: https://t.me/c/3737716184/1456
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / Cloud Services
Victim Organization: Vercel
Victim Site: vercel.com
Alleged leak of Hotmail credential combolist with 1.3 million lines
Category: Combo List
Content: A threat actor operating under the handle HQcomboSpace has made available a combolist containing approximately 1.3 million email and password combinations targeting Hotmail (Microsoft) accounts. The credential list was shared via a Mega.nz link on the cracking forum CrackingX. No price was mentioned, indicating this is a free leak distributed to the forum community.
Date: 2026-04-20T01:44:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72631/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged data breach of Vercel by ShinyHunters – Linear Database with 170k+ Issues to be Released
Category: Data Breach
Content: Threat actor ShinyHunters announced an upcoming data release on breachforums.ai related to Vercel. The actor claims to possess the Linear database associated with Vercel, containing over 170,000 issues, over 400,000 comments, and reportedly multiple open vulnerabilities. The data is described as forthcoming (free release), not being sold.
Date: 2026-04-20T01:33:22Z
Network: telegram
Published URL: https://t.me/c/3737716184/1459
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / Cloud Infrastructure
Victim Organization: Vercel
Victim Site: vercel.com
Alleged leak of Hotmail valid credentials combolist
Category: Combo List
Content: A threat actor operating under the alias redcloud has made available a combolist of approximately 3,100 alleged valid Hotmail credentials on a cracking forum. The post claims the credentials are UHQ (ultra high quality) and verified as of April 2026, suggesting active and working email access. The list is freely distributed via a MediaFire download link, with a Telegram contact provided for further communication.
Date: 2026-04-20T01:25:56Z
Network: openweb
Published URL: https://crackingx.com/threads/72630/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of mixed credential combolists including Hotmail and European accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly is distributing a 10GB collection of URL:Login:Password credential lines sourced from info-stealer logs. The combolist includes mixed credentials spanning multiple regions including EU, UK, France, Poland, Germany, and Italy, with a focus on Hotmail, Live, Outlook, and MSN accounts. The data is made available for free via a hidden forum link, with the actor also promoting a Telegram channel and bot for paid data purchases.
Date: 2026-04-20T01:23:48Z
Network: openweb
Published URL: https://altenens.is/threads/10gb-url-login-pass-lines-from-logs.2927740/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials and logs including Hotmail, Live, and Outlook accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly is distributing a 1.3GB collection of mixed credential lists, logs, cookies, and email data via Telegram. The data includes combolists targeting Hotmail, Live, Outlook, and MSN accounts, with geographic coverage spanning multiple European regions including the EU, UK, France, Poland, Germany, and Italy. The actor claims to share this content freely daily via a Telegram channel, while also offering additional material for purchase through the
Date: 2026-04-20T01:23:19Z
Network: openweb
Published URL: https://altenens.is/threads/1-3gb-full-logs.2927741/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials and access logs via Telegram channel
Category: Data Leak
Content: A threat actor known as WhiteMelly is distributing a mixed combolist of approximately 20,000 credential lines via a Telegram channel, offered for free. The dataset includes email credentials spanning multiple providers such as Hotmail, Live, Outlook, and MSN, along with logs, cookies, and leaked data targeting users across multiple European regions including the EU, UK, France, Poland, Germany, and Italy. The actor also advertises paid offerings through a Telegram bot handle (@suphoodbot).
Date: 2026-04-20T01:22:14Z
Network: openweb
Published URL: https://altenens.is/threads/20k-mix-lines-mail-access.2927738/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail and Microsoft email credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly has made available a combolist of approximately 400 Hotmail/Microsoft email credentials (ULP format) on the AE forum. The post promotes a Telegram channel (@suphoodbot) where similar credential lists, logs, cookies, and leaked data are regularly distributed for free across multiple regions including EU, UK, France, Poland, Germany, and Italy. The actor also appears to offer paid services via Telegram for additional data.
Date: 2026-04-20T01:21:45Z
Network: openweb
Published URL: https://altenens.is/threads/0-4k-hotmail-lines-mail-access.2927739/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Roronoa044 has shared a combolist of allegedly valid Hotmail email and password combinations on a cybercriminal forum. The post advertises 4,629 validated credentials described as UHQ (ultra-high quality), suggesting a high validity rate. The actor directs interested parties to a Telegram channel (@noiraccesss) and restricts download access to registered forum members.
Date: 2026-04-20T01:09:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X4629-Valid-UHQ-Hotmail-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias noir has made available a combolist of allegedly valid Hotmail credentials on the cracking forum CX. The post describes the content as UHQ (ultra-high quality) and valid, suggesting active or recently verified credentials. The actor directs interested parties to a Telegram handle (@noiraccesss) to obtain the content, which is gated behind forum registration.
Date: 2026-04-20T01:09:03Z
Network: openweb
Published URL: https://crackingx.com/threads/72629/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged sale of United States citizen PII database containing 38 million records including SSNs
Category: Data Breach
Content: A threat actor operating under the alias aliladz213 is allegedly selling a database containing personally identifiable information (PII) of 38 million United States citizens. The dataset purportedly includes full names, phone numbers, addresses, email addresses, dates of birth, and Social Security Numbers (SSNs). The actor is directing interested parties to a Telegram channel for contact and transaction purposes.
Date: 2026-04-20T00:19:34Z
Network: openweb
Published URL: https://altenens.is/threads/starcheck-mark-buttoncomet-usa-united-states-citizen-ssn-leak-38m-linescheck-mark-buttonstar.2927734/unread
Screenshots:
None
Threat Actors: aliladz213
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Free OSINT Lookup Bot Offering Access to 12 Billion Leaked Records
Category: Data Leak
Content: A threat actor operating under the alias devil_mae has made available a Telegram-based OSINT bot that claims to index over 12 billion records aggregated from combolists, database dumps, and public leaks. The bot, accessible via a public Telegram group, allows users to perform free lookups by domain, email, or username, returning associated credentials and personal data as text files. No registration or payment is required, lowering the barrier for abuse by malicious actors conducting reconnais
Date: 2026-04-20T00:13:21Z
Network: openweb
Published URL: https://darkforums.su/Thread-FREE-Nexus-Intel-OSINT-Bot-12B-Records-Database-Millisecond-Lookups
Screenshots:
None
Threat Actors: devil_mae
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Vercel by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters claims to possess Vercel customer data, referencing Vercel's own public disclosure, which described the incident as affecting a small portion of customers. ShinyHunters is threatening to upload the full customer dataset to a forum, suggesting the scope may be larger than Vercel publicly acknowledged.
Date: 2026-04-20T00:10:36Z
Network: telegram
Published URL: https://t.me/c/3737716184/1452
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / Cloud Services
Victim Organization: Vercel
Victim Site: vercel.com