The Biggest Data Breaches of June 2026

If May felt bad, June didn't ease up. ShinyHunters kept up its extortion spree across half a dozen industries, a single supply-chain hack managed to drag half the cybersecurity world into the same breach, and a pharmaceutical giant lost its actual drug formulas. Here's a rundown of the month's most significant incidents — what happened, who it hit, and what data walked out the door.

Novo Nordisk loses its crown jewels

Of everything that happened in June, this one stands out. On June 11, the maker of Ozempic confirmed unauthorized access to a limited number of internal systems — and the list of what was taken reads less like a typical breach and more like a corporate nightmare. Attackers reportedly got their hands on over 4,700 source code repositories, 41,000 proprietary drug compound structures, more than 30 trained AI models, clinical trial data for over 11,500 patients, 163,000 employee records, and — this is the part that should worry every pharma company watching — the exact manufacturing recipe for one of Novo Nordisk's flagship drugs. Data like patient records can be replaced or reissued in some form. A stolen drug formula can't.

One supply-chain hack, half the security industry

If you wanted a case study in how fragile modern software supply chains are, June delivered one. A Vancouver-based market intelligence firm called Klue was compromised through what's being described as an OAuth token attack, carried out by a group calling itself Icarus. Because Klue integrates with Salesforce, the attackers didn't just get Klue's data — they got a foothold into the Salesforce CRM environments of Klue's customers, too.

And the customer list reads like a who's-who of the cybersecurity world: HackerOne, LastPass, OneTrust, Gong, Tanium, and Huntress all confirmed they were caught up in it. The data exposed varied by company but generally included customer names, business emails, phone numbers, job titles, sales notes, pricing quotes, and internal sales communications. It's a good reminder that even security-focused companies are only as safe as the SaaS tools plugged into their CRM.

ShinyHunters had a very busy month

The ShinyHunters group didn't slow down at all in June — if anything, it widened its net. Food distribution giant Sysco was hit hard, with the group claiming to have pulled over 61 million Salesforce records containing employee, customer, and internal corporate data. Fashion house Ralph Lauren lost roughly 220 GB, including customer PII, purchase histories, and financial transaction data. Madison Square Garden Sports Corp — parent company of the New York Knicks and Rangers — reportedly had more than 26 million customer records taken.

The group also went after higher education and public institutions with equal enthusiasm: the University of Nottingham (over 10 GB of data, including nearly 455,000 email addresses, passport numbers, and academic records), the Council of Europe (roughly 297 GB covering payslips, HR files, and financial records), and Amazon-owned One Medical, where the claimed haul was a staggering 8.8 TB. Add Kodak, Illinois Central College, Glendale Community College, Houston City College, and Moody Bible Institute to the list, and it's clear ShinyHunters treated June like an open season across sectors.

Nissan, hit through an Oracle flaw

Nissan disclosed that current and former employees across the US, Canada, Mexico, and Brazil had their data exposed after attackers — linked to a group calling itself "Shiny Hunterz" — exploited a zero-day flaw in Oracle PeopleSoft. The stolen data included contact information, banking details, Social Security numbers, national ID numbers, and dependent/beneficiary records. Employee HR systems built on third-party software remain a soft spot, and this breach is a reminder of why patch management for enterprise platforms matters even when the software isn't customer-facing.

Government and public services didn't escape either

Texas's Parks and Wildlife Department disclosed that a breach at its license vendor exposed data belonging to more than 3 million customers who'd bought hunting and fishing licenses — including driver's license numbers, passport numbers, and home addresses. In France, the government's internal messaging app Tchap was hacked by an actor going by "misere," who claims to have taken 13.5 GB of data covering more than 73,000 user accounts and over 640,000 messages. Meanwhile, London Hydro, an Ontario electricity provider serving 169,000 customers, confirmed attackers accessed billing and account information after a system intrusion in mid-June.

The bigger picture

A few patterns keep showing up. Third-party and SaaS integrations — Salesforce especially — were behind a disproportionate number of June's breaches, turning a single compromised vendor into a multi-company incident. Ransomware groups, ShinyHunters chief among them, are no longer picking targets by industry; healthcare, education, retail, sports, and government all took hits in the same few weeks. And the Novo Nordisk case shows that the most damaging breaches aren't always the ones with the biggest numbers attached — sometimes it's not how many records were taken, but what those records actually were.

If there's one takeaway for July, it's this: check what your vendors have access to, and don't assume a breach at "just a marketing tool" or "just an integration partner" stays contained to that one product.