Breach

The notice, submitted on June 8, 2026, presents several anomalies that suggest it may not be an officially verified incident.

The breach occurred on May 28, with attackers gaining access to users' first names, last names, email addresses, and encrypted passwords for those not using Single Sign-On.

The breach resulted in the exposure of names, phone numbers, addresses, and CPF numbers, which are crucial Brazilian taxpayer identification documents used for various daily transactions.

The incident came to light last month when the extortion group ShinyHunters claimed to have stolen over 234 GB of data from the company.

The World Food Programme confirmed a breach of its self-registration application (SRA) for Palestine, which occurred on May 14.

Ultrahuman confirmed that attackers accessed customer data using credentials stolen from an employee's malware-infected laptop.

The lawsuit stems from a credential-stuffing attack in October 2023, where threat actors exploited weak user credentials to access accounts.