Circulating Breaches Directory

Verified Data Breaches with Publicly Accessible or Circulating Data
DATA BREACH

CarGurus

In mid-February 2026, ShinyHunters claimed to have breached CarGurus, Inc., an online automotive marketplace. After a failed extortion attempt, over 12 million user records spanning nearly two decades were released publicly.

DATA BREACH

Substack 2026

In October 2025, Substack suffered a data breach that was publicly disclosed in February 2026. An unauthorized third party accessed internal systems and obtained limited user data. The exposed dataset contains approximately 663,000 account records.

DATA BREACH

SoundCloud 2026

In December 2025, SoundCloud disclosed unauthorized activity that exposed approximately 30 million user records, later published on a dark web leak site in January 2026.

DATA BREACH

Panera Bread 2026

In January 2026, Panera Bread suffered a large-scale customer data breach attributed to the ShinyHunters extortion group. After Panera declined an extortion demand, the attackers published a full customer dataset.

 DATA BREACH

Under Armour

In November 2025, the Everest ransomware group claimed to have compromised Under Armour's systems and exfiltrated approximately 343GB of internal and customer data.

 DATA BREACH

Iberia Airlines

In late November 2025, Iberia Airlines disclosed a data breach resulting from unauthorized access to a third-party supplier's systems.

 DATA BREACH

Mavis Tire Supply

In late September 2025, Mavis Tire Supply LLC aka Mavis Discount Tire (one of the largest independent multi-brand tire and auto service retailers in the U.S.) suffered a ransomware attack conducted by the WorldLeaks group.

 DATA BREACH

Instagram Data Exposure

In January 2026, a dataset allegedly containing information tied to Instagram user accounts was posted to a hacking forum. The data appears to have been obtained

 DATA BREACH

Salesforce CarMax

In early October 2025, CarMax became one of several high-profile victims of a Salesforce-linked compromise. A group identifying itself as "Scattered LAPSUS$ Hunters"

 DATA BREACH

Ingram Micro

In early July 2025, Ingram Micro was hit by a ransomware attack that crippled its global operations. The intrusion began when the SafePay group gained access through

Understanding Breach Evolution

Circulating breaches are the breaches where data has moved beyond disclosure and is now in circulation. Available to search, trade, or exploit.

Let's unpack what's really going on.

Evolution of a breach

Breach
Every day
Disclosed
(not yet circulating)

About 60,000
Circulating
About 1,000
Exploited
Unknown

Two Very Different Kinds of Breaches

When you hear about a breach, it can fall into one of two categories: Disclosed or Circulating. Knowing which kind you’re dealing with helps you understand what’s known, what’s still unknown, and how to respond.

Disclosed Breaches :: Public, but Not Yet Circulating

A Disclosed Breach is one that's been reported or confirmed publicly. The company might have filed with the SEC, told the press, or notified customers. The key detail: the stolen data hasn’t been observed circulating on open or dark web sources. That doesn’t mean it’s safely contained — only that it hasn’t surfaced publicly.

Sidebar

Your stolen data may not be in active circulation. It may never appear publicly.

But it could still be in play privately — in criminal exchanges, nation-state archives, or exclusive data markets. Treat “not circulating” as unknown risk, not no risk.

What this means:

  • The data may still be in the hands of the attacker, investigators, or a private buyer.
  • There's no evidence it's being sold, traded, or indexed.
  • The breach appears in official reports but isn't searchable or downloadable by third parties.

If you are being notified of a Disclosed Breach this is likely because the company is legally required to notify you that they realize your data has been compromised in some way. They may not even know where it is. (Regulations often require notification even when there's no evidence of data misuse.)

Scale:

60,000+ disclosed breaches exist globally
5,000–10,000 new disclosures happen every year

So: Getting a notice from a disclosed breach doesn’t mean your data is safe. It means the breach has been acknowledged — but not yet confirmed as circulating. Disclosed breaches can still transition into circulation later.

Circulating Breaches :: When the Data Is Out There

A Circulating Breach is when the stolen data actually hits the wild. It's uploaded, sold, or shared on criminal forums, and often becomes part of searchable services like Have I Been Pwned or DataBreach.com. Lots other entities scoop that up too, like intelligence tools, data brokers, and foreign governments.

Because that's when things shift from theoretical to real.

What this means:

  • Your data is actively circulating online.
  • It can be found, reused, or sold multiple times.
  • It's indexed by breach search engines and often resold by automated bots.

If you are being notified of a Circulating Breach this is likely because you signed up for an alert service like ObscureIQ. Notification from us means that your data has come into play.

It's possible that data from breaches that have happened years ago can hit the dark web as a fresh release. This can still be dangerous, so don't ignore such alerts out of hand.

Scale:

1,000–1,200 known circulating breaches exist
Billions of searchable records
Example

The 2012 LinkedIn breach was disclosed early—but didn't circulate widely until 2016. That's when the stolen data became searchable and weaponized.

That's why ObscureIQ monitors multiple breach intelligence sources.

To alert our clients the moment their data moves from disclosed to circulating.

Browse Circulating Breaches

Below you’ll find verified circulating breaches. Datasets that have surfaced publicly or through credible intelligence sources.

Each breach page includes:

Breach Overview
Name, source, year, record count
Data Points Exposed
Email, password, phone, DOB, crypto keys, etc.
Summary
How the breach occurred
Dark Web Verification
Confirmed authenticity and circulation status
About the Threat Actor
Profile and tactics of the attacking group
About the Breached Company
Background and business context
Impact on Breached Clients
Risk assessment and exposure analysis
Recommendations for Impacted Clients
Actionable steps to protect yourself
DOWNLOAD PDF

Why This Directory Exists

The goal of the Circulating Breach Directory is to:

  • Help individuals and organizations identify when their data has entered circulation.
  • Provide verifiable breach intelligence without exposing sensitive data.
  • Show the evolution from disclosure → circulation → exploitation.

ObscureIQ scans multiple breach intelligence sources and dark web repositories to maintain this directory.

This resource is constantly updated as new circulating breaches are discovered.

A disclosed breach can remain quiet for a long time before data surfaces. That’s why ObscureIQ tracks the moment stolen data moves from disclosed to circulating.