Human Resources/HR
Breach intelligence, attack campaigns, and threat reports targeting the Human Resources/HR sector.
Human Resources/HR Threat Reports
Nintendo's 2026 Data Breach: A Wake-Up Call for Third-Party Security
In June 2026, Nintendo of America experienced a data breach through TinyPulse, a third-party service used for internal employee surveys. The cybercriminal group ShadowByt3$ claimed responsibility, alleging they exfiltrated approximately 859 MB of sensitive data, including employee names, email addresses, bank statements, and W-9 forms. Nintendo confirmed the breach but stated that only internal survey content from a small subset of employees was affected, with most information dating back several years. The company's internal systems, as well as customer and financial data, remained uncompromised. This incident underscores the growing threat posed by emerging ransomware groups like ShadowByt3$, which, despite their relatively recent appearance, are capable of targeting major corporations through third-party service vulnerabilities. Organizations must reassess their third-party risk management strategies to prevent similar breaches.
1 week ago
Council of Europe Probes ShinyHunters Data Breach Allegations
In June 2026, the Council of Europe, representing 46 member states and over 700 million people, began investigating claims by the cyber extortion group ShinyHunters of a significant data breach. ShinyHunters alleged they had stolen over 429,000 documents containing sensitive HR and payroll data from multiple departments, including payslips, personnel files, and CVs, encompassing personal and financial information such as names, dates of birth, addresses, salaries, and bank account details. The group threatened to leak the data if their demands were not met by June 16, 2026. This incident underscores the escalating threat posed by cyber extortion groups like ShinyHunters, who have been linked to numerous high-profile data breaches targeting organizations worldwide. Their tactics often involve exfiltrating large volumes of sensitive data and leveraging it for ransom, highlighting the critical need for robust cybersecurity measures and proactive threat detection to safeguard organizational data.
1 week ago
Oxford University CareerConnect Data Breach Exposes User Information
On May 28, 2026, Oxford University's CareerConnect platform, managed by third-party provider Group GTI, was compromised. Attackers accessed users' first names, last names, email addresses, and encrypted passwords for those not using Single Sign-On (SSO). Students using SSO were less affected, with only their names and email addresses exposed. GTI has since addressed the security vulnerability and implemented additional measures. ([careers.ox.ac.uk](https://www.careers.ox.ac.uk/article/careerconnect-secured-and-safe-to-use-following-data-security-incident?utm_source=openai)) This incident underscores the risks associated with third-party service providers in educational institutions. It highlights the importance of robust security measures and vigilant monitoring to protect sensitive user data from unauthorized access.
2 weeks ago
Detection Strategies Against Infiltrating IT Workers
In April 2026, Microsoft reported that the North Korean state-sponsored group Jasper Sleet exploited remote work trends by posing as legitimate IT hires using fabricated identities and AI-assisted deception. These operatives infiltrated organizations to gain trusted access, leading to data theft, extortion, and potential follow-on compromises. The attackers systematically surveyed job postings, crafted convincing applications, and, once hired, accessed sensitive company resources. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/04/21/detection-strategies-cloud-identities-against-infiltrating-it-workers/?utm_source=openai)) This incident underscores the evolving tactics of nation-state actors leveraging AI to enhance social engineering attacks, highlighting the urgent need for organizations to strengthen identity verification processes and monitor for anomalous behaviors during recruitment and onboarding phases. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/04/21/detection-strategies-cloud-identities-against-infiltrating-it-workers/?utm_source=openai))
2 months ago
Microsoft 2026: Storm-2755's Payroll Pirate Attack Exposes MFA Vulnerabilities
In April 2026, Microsoft identified a financially motivated threat actor, Storm-2755, targeting Canadian employees through sophisticated 'payroll pirate' attacks. The attackers employed adversary-in-the-middle (AiTM) techniques, using malicious Microsoft 365 sign-in pages to intercept authentication tokens and session cookies. This method allowed them to bypass traditional multi-factor authentication (MFA) and gain unauthorized access to employee accounts. Once inside, they created inbox rules to conceal communications from human resources and manipulated payroll systems, such as Workday, to redirect salary payments to accounts under their control. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/?utm_source=openai)) This incident underscores the evolving nature of business email compromise (BEC) schemes, highlighting the need for organizations to implement phishing-resistant MFA solutions and monitor for anomalous activities within their systems. The use of AiTM tactics to circumvent standard security measures signifies a shift in cybercriminal strategies, emphasizing the importance of continuous vigilance and adaptive security protocols. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/?utm_source=openai))
2 months ago
Storm-2755: Unveiling the 2026 Payroll Pirate AiTM Attack in Canada
In April 2026, a financially motivated threat actor identified as Storm-2755 targeted Canadian employees through a sophisticated 'payroll pirate' campaign. Utilizing adversary-in-the-middle (AiTM) phishing techniques, the attackers intercepted authentication sessions to gain unauthorized access to employee profiles on HR platforms. This access enabled them to divert salary payments to accounts under their control, resulting in direct financial losses for both individuals and organizations. The campaign was notable for its use of malvertising and search engine optimization (SEO) poisoning to lure victims to malicious sites, effectively bypassing traditional multi-factor authentication (MFA) methods. This incident underscores the evolving nature of cyber threats, particularly the increasing prevalence of AiTM attacks that can circumvent standard MFA protections. Organizations must recognize the limitations of traditional security measures and adopt more robust, phishing-resistant authentication methods to safeguard against such sophisticated attacks.
2 months ago
Silver Fox Exploits Japan's Tax Season in 2025 Phishing Campaign
In early 2025, the Chinese state-aligned threat actor known as Silver Fox launched a sophisticated phishing campaign targeting Japanese organizations during the tax season. By impersonating official entities such as the National Taxation Bureau, Silver Fox distributed emails containing malicious attachments and links, leading recipients to download trojanized versions of legitimate software. Once installed, these malicious programs deployed remote access trojans (RATs) like ValleyRAT and Winos 4.0, enabling unauthorized access, data exfiltration, and potential financial fraud. The campaign's timing exploited the heightened activity and urgency associated with tax season, increasing the likelihood of successful infiltration. ([trustwave.com](https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/inside-silver-foxs-den-trustwave-spiderlabs-unmasks-a-global-threat-actor/?utm_source=openai)) This incident underscores a growing trend where state-sponsored threat actors blend espionage with financially motivated cybercrime. Silver Fox's operations highlight the evolving landscape of cyber threats, where attackers leverage seasonal events and trusted software to enhance the effectiveness of their campaigns. Organizations must remain vigilant, especially during periods of increased administrative activity, to mitigate the risks posed by such multifaceted threats. ([darkreading.com](https://www.darkreading.com/threat-intelligence/silver-fox-apt-espionage-cybercrime?utm_source=openai))
2 months ago
Palo Alto Networks 2026 Recruiter Phishing Scam: A Cautionary Tale
Since August 2025, a series of sophisticated phishing campaigns has targeted senior-level professionals by impersonating Palo Alto Networks' talent acquisition staff. Attackers utilized scraped LinkedIn data to craft highly personalized emails, falsely claiming that the recipient's resume failed to meet applicant tracking system (ATS) requirements. They then offered paid services to 'correct' these issues, charging fees ranging from $400 to $800. This social engineering tactic exploited victims' career aspirations and trust in reputable companies. This incident underscores a growing trend of cybercriminals leveraging social engineering and impersonation tactics to exploit individuals' trust and professional ambitions. As remote work and digital communication become more prevalent, such personalized phishing schemes are likely to increase, highlighting the need for heightened vigilance and robust verification processes.
3 months ago
HackerOne Data Breach 2026: Lessons in Third-Party Security
In early 2026, HackerOne disclosed a data breach affecting 287 employees, resulting from a security incident at Navia, their U.S. benefits administrator. Between December 22, 2025, and January 15, 2026, attackers exploited a Broken Object Level Authorization (BOLA) vulnerability in Navia's systems, accessing sensitive personal information including Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, and plan enrollment details. Navia detected the suspicious activity on January 23, 2026, and subsequently notified affected companies on February 20, 2026. This incident underscores the critical importance of securing third-party service providers, as vulnerabilities in external partners can directly impact an organization's data security. The breach also highlights the necessity for robust authorization mechanisms to prevent unauthorized data access. Organizations are reminded to continuously assess and monitor the security posture of their vendors to mitigate potential risks.
3 months ago
Cybercriminals Exploit Fake Resumes to Deploy Cryptominers in Corporate Networks
In March 2026, a sophisticated phishing campaign targeted French-speaking corporate environments by distributing emails with fake resumes. These emails contained highly obfuscated VBScript files disguised as CV documents. When executed, the scripts deployed cryptocurrency miners and information-stealing malware on the victims' systems, leading to unauthorized resource utilization and potential data breaches. This incident underscores the evolving tactics of cybercriminals who exploit common business processes, such as recruitment, to infiltrate organizations. The use of obfuscated scripts and the dual payload of cryptominers and infostealers highlight the need for enhanced email security measures and user awareness training to detect and prevent such multifaceted attacks.
3 months ago
Starbucks 2026 Data Breach: Credential Theft via Phishing
In early 2026, Starbucks experienced a data breach affecting 889 employees after attackers gained unauthorized access to Partner Central accounts. The breach, discovered on February 6, 2026, involved threat actors obtaining login credentials through phishing websites impersonating the Partner Central portal. Exposed information included names, Social Security numbers, dates of birth, and financial account details. Starbucks promptly initiated an investigation, notified law enforcement, and offered affected employees two years of free identity theft protection and credit monitoring services. This incident underscores the persistent threat of credential theft via phishing attacks, emphasizing the need for robust security measures and employee awareness training to prevent unauthorized access to sensitive information.
3 months ago
BlackSanta EDR Killer: A New Threat to HR Departments in 2026
In March 2026, a sophisticated cyberattack campaign was uncovered targeting human resources (HR) departments. Russian-speaking threat actors distributed malware via spear-phishing emails containing ISO image files disguised as resumes. Upon execution, these files initiated a multi-stage infection chain, culminating in the deployment of 'BlackSanta,' an Endpoint Detection and Response (EDR) killer. BlackSanta disabled security solutions by terminating antivirus processes, shutting down EDR agents, and suppressing system logging, allowing attackers to exfiltrate sensitive data undetected. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/?utm_source=openai)) This incident underscores a growing trend of cybercriminals exploiting HR workflows to infiltrate organizations. The use of advanced evasion techniques, such as steganography and DLL sideloading, highlights the increasing sophistication of these attacks. Organizations must enhance security measures within HR processes to mitigate such threats. ([darkreading.com](https://www.darkreading.com/threat-intelligence/blacksanta-edr-killer-hr-workflows?utm_source=openai))
3 months ago