Data Leaks Early 2026: The Rising Threat of API Scraping and Extortion

Published: June 10, 2026 | Updated: June 14, 2026

🔄 Update — 14 June 2026: AI-Driven Vulnerability Scanning and New Breaches at DentaQuest and Canvas

New security incidents reveal an expansion of data leaks into critical patient and student data, while AI-driven analysis exposes vulnerabilities in government systems. Notable events include ShinyHunters leaking the sensitive records of 2.6 million DentaQuest members, a cyberattack exposing student data on Canvas, and a stark warning from Telegram founder Pavel Durov regarding physical kidnapping risks tied to crypto owner leaks.

What’s new?

  • DentaQuest Data Breach: An analysis of the DentaQuest breach shows that the ShinyHunters hacking group exfiltrated and published personally identifiable information (PII) and protected health information (PHI) of 2.6 million members.
  • AI Vulnerability Detection in Government Code: A UK pilot project utilizing AI for cyberdefense successfully identified 407 security flaws in national agency codebases, showcasing AI’s predictive security potential.
  • Canvas Cyberattack and University Breaches: An attack on the Canvas learning platform exposed personal details of millions of students, while the University of Nottingham confirmed a separate data leak following hacker disclosures.
  • Physical Risks of Crypto Leaks: Telegram founder Pavel Durov warned that exposed data revealing cryptocurrency holdings is actively fueling targeted kidnappings, highlighting a new physical dimension of digital threats.

Why this adds to the article

These developments demonstrate that data breaches are no longer confined to digital identity risks, but now directly impact sensitive real-world sectors such as healthcare, education, and physical personal safety.


🔄 Update — 13 June 2026: Security Incidents at OnlyFans, CISA GitHub, and Educational Institutions

Recent security reports reveal a series of new data breaches and credential exposures, including a claimed mega data leak at OnlyFans, exposed AWS GovCloud keys via a CISA GitHub repository, and data leaks at educational institutions. These events highlight the persistent risks associated with code repository configurations and web application access controls.

What’s new?

  • OnlyFans Mega Leak Claims: Hackers claim to have exfiltrated and leaked a massive dataset containing creator details and media from OnlyFans.
  • CISA GitHub and AWS Keys Exposure: A security incident involving a CISA GitHub repository reportedly exposed AWS GovCloud credentials, highlighting risks in public code repositories.
  • Educational and Support Vector Leaks: Leak analyses from Wamin Wittaya School and warnings on customer support email systems highlight how niche portals and communication channels remain soft targets.

Why this adds to the article

These incidents further support the article’s core analysis that misconfigured cloud environments, insecure repositories, and access credentials remain the primary vectors for modern data extraction and extortion.


🔄 Update — 13 June 2026: Data Exposures Across Instagram, GitHub, and Facebook

Within the last 24 hours, new reports of significant data exposures have emerged across Instagram, GitHub, and Facebook. These leaks have exposed user profile data and code repositories, raising immediate security concerns. The incidents highlight the persistent vulnerability of large-scale tech platforms to targeted extraction and misconfigurations.

What’s new?

  • Social Media Scrapes: Reports of data exposures on Instagram and Facebook highlight the ongoing threat of large-scale scraping of user profiles.
  • GitHub Repository Exposure: Compromised source code and potentially exposed credentials present fresh supply-chain risks for developers.

Why this adds to the article

These incidents confirm the article’s core thesis that major tech platforms and their APIs remain high-value targets, emphasizing that securing public-facing interfaces is critical to preventing bulk data exfiltration.


🔄 Update — 12 June 2026: New Data Leaks at Rockstar Games and via Bitsight Tracker

Recent data breach reports show multiple large-scale leaks affecting firms across Europe and Asia. Notably, Rockstar Games has reportedly fallen victim to a massive hack and extortion attempt by the ShinyHunters group, exposing sensitive data related to the highly anticipated game GTA 6. Concurrently, the Bitsight Data Breach Tracker documents a continuous wave of security incidents globally.

What’s new?

  • Rockstar Games Data Leak: The cybercrime group ShinyHunters reportedly breached Rockstar Games, stealing confidential data and source code related to GTA 6 to extort the company.
  • Ongoing Global Leak Wave: The Bitsight Data Breach Tracker recorded several new high-volume leaks impacting corporate entities across Europe and Asia.

Why this adds to the article

These incidents reinforce the original article’s thesis that cybercriminals are prioritizing the theft of proprietary R&D data and intellectual property (such as source code and game designs) for extortion over simple systems encryption.


Summary

Early 2026 witnessed a series of high-profile data leaks and security incidents exposing critical vulnerabilities across modern digital infrastructures. Notable cases include IDMerit’s massive exposure of approximately one billion identity records, Substack’s API-based compromise affecting 700,000 users, Instagram’s database compilation involving 17.5 million scraped profiles, and a major 1.4-terabyte extortion campaign targeting Nike by the cybercrime group WorldLeaks. These incidents reflect a growing trend where attackers prioritize API scraping, cloud database misconfigurations, and value-chain extortion targeting intellectual property rather than traditional system encryption.

What happened?

Several critical security breaches occurred in the opening months of 2026:

  1. IDMerit (Global Data Leak): Cybernews researchers discovered an unprotected MongoDB database belonging to identity verification provider IDMerit, exposing over one billion records globally across 26 countries. Compromised information included sensitive KYC/AML verification logs, names, dates of birth, and national ID numbers.
  2. Substack: In February 2026, Substack disclosed an API security incident originating in October 2025. Approximately 700,000 user records (emails, names, Stripe IDs) were accessed. Financial details and passwords remained secure.
  3. Instagram: A dark web actor named “Solonik” leaked a database of 17.5 million Instagram accounts containing contact information. Concurrently, an API bug allowed malicious actors to trigger legitimate password reset requests en masse to users.
  4. Nike: The extortion gang WorldLeaks exfiltrated 1.4 TB of corporate data from Nike, subsequently leaking 188,000+ files containing manufacturing workflows, product designs (Jordan Brand), and strategic R&D plans after Nike refused ransom demands.

Why it matters

These incidents highlight pivotal shifts in the threat landscape:

  • API Scraping Vulnerability: Substack and Instagram emphasize that APIs represent major attack surfaces. Mass extraction of public/semi-public data creates potent databases for phishing and social engineering without tripping traditional intrusion alarms.
  • Value-Chain Extortion: As seen with Nike, extortionists increasingly target proprietary R&D data and intellectual property rather than encrypting operational systems, leveraging competitive disruption for ransom.
  • Cascade Security Risks: Leaked metadata (like Stripe customer IDs or phone numbers) increases the risk of spear-phishing and SIM-swapping.

Evidence

  • IDMerit: Cybernews documented the unsecured MongoDB database, which was resolved shortly after notification.
  • Substack: Official incident report published by Substack’s security team in February 2026.
  • Nike: WorldLeaks’ publication of 1.4 TB of data on their dark web forum following the expiration of the ransom timer.
  • Instagram: Widespread user reports of unsolicited password reset emails and dark web data dumps confirmed by Meta’s subsequent security updates.

Analysis

The 2026 breaches highlight two major paradigms in cybersecurity. First, the absence of a direct network breach (e.g., scraping via public APIs) does not mitigate data exposure risk. Mass scraped databases of contact info are highly valuable assets for cybercriminals conducting targeted social engineering. Second, ransomware groups are diversifying their monetization tactics. In Nike’s case, stealing industrial blueprints and marketing strategies directly impacts competitive advantage, which provides immense ransom leverage without needing to disrupt daily store operations. Additionally, the recurrence of unprotected cloud servers (such as IDMerit’s MongoDB database) demonstrates that database administration and post-deployment validation remain critical weak points during rapid software releases.

Practical Takeaways

  • For Administrators: Enforce authentication on all cloud storage and database deployments (e.g., MongoDB, Elasticsearch, S3). Never expose databases directly to the internet.
  • For API Developers: Implement strict rate-limiting, authentication, and behavioral analysis to detect and block automated data scraping attempts.
  • For Users: Enable two-factor authentication (2FA) using app-based authenticators or hardware keys instead of SMS to prevent SIM-swapping attacks.
  • For IT Security Teams: Deploy policies to prevent data leaks from chat applications and email attachments as recommended by Google Workspace guides.
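
One way to implement the behavioral-analysis takeaway for API developers, shown as an added example that is not from the original article or from any platform named in it: count the distinct records each API client reads inside a sliding window, which surfaces ID enumeration that a request-rate limit tuned for busy clients can miss. The window length, threshold, client keys and log tuples are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed sliding-window length
MAX_DISTINCT_IDS = 20   # assumed ceiling on distinct records per client per window


def find_scrapers(events, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_IDS):
    """events: (epoch_seconds, client_key, record_id) tuples sorted by time.

    Returns {client_key: timestamp at which the client first exceeded
    max_distinct different records inside one window}.
    """
    recent = defaultdict(deque)                     # client -> (ts, record_id) in window
    counts = defaultdict(lambda: defaultdict(int))  # client -> record_id -> hits in window
    flagged = {}
    for ts, client, record_id in events:
        queue, seen = recent[client], counts[client]
        queue.append((ts, record_id))
        seen[record_id] += 1
        # Drop events that have aged out of the window.
        while queue and queue[0][0] <= ts - window:
            _, old_id = queue.popleft()
            seen[old_id] -= 1
            if seen[old_id] == 0:
                del seen[old_id]
        # Distinct-record breadth, not raw request count, is the signal.
        if len(seen) > max_distinct and client not in flagged:
            flagged[client] = ts
    return flagged


def sample_events():
    """Constructed sample log, not real traffic."""
    base = 1_700_000_000
    events = [(base + i, "key-A", 1000 + i) for i in range(40)]      # walks 40 distinct IDs
    events += [(base + i, "key-B", 7 + (i % 3)) for i in range(40)]  # polls the same 3 IDs
    return sorted(events)


if __name__ == "__main__":
    print(find_scrapers(sample_events()))
```

Both sample clients send the same number of requests, so a request-rate limit treats them identically; only the client reading many different records is flagged. In production the flag would feed throttling or a review queue rather than an immediate block.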

Open Questions

  • To what extent will regulatory bodies hold platform operators liable for mass API scraping of public profiles?
  • What are the long-term counterfeit and intellectual property risks for Nike following the leak of Jordan Brand design files?
  • How can organizations reduce the dwell-time of API breaches (such as Substack’s 4-month delay in discovery)?

Sources

  1. Global Data Leak Exposes Billion Records (Cybernews)
  2. A Cybersecurity Study on Data Leaks (ScienceDirect)
  3. Instagram data leak exposes sensitive info of 17.5M accounts (Cybersecuritynews)
  4. Heightened Data Leak Activity (Krebs on Security)
  5. Nike investigates data breach after extortion gang leaks files (Bleepingcomputer)
  6. Instagram data leak allegedly exposed 175 million accounts (MakeUseOf)
  7. Substack discloses security incident after hacker leaks data (Securityweek)
  8. Prevent data leaks from chat messages and attachments (Google Workspace)
  9. 2026 NYS Cybersecurity Conference (New York State ITS)
  10. Substack discloses security incident (Substack)
  11. Instagram data leak 2026 (Cynet)
  12. Data Leak 2026 (Reuters)
  13. Bitsight Data Breach Tracker (Bitsight)
  14. Rockstar Games data breach (Kotaku)
  15. OnlyFans Mega Data Leak (Cybernews)
  16. Protect Yourself from Scams and Data Breaches (CNET)
  17. CISA GitHub Data Leak 2026 (The Tech Marketer)
  18. Wamin Wittaya School Data Leak Analysis (Femtosec)
  19. Customer Support Email Security (PowerDMARC)
  20. UK pilot project finds 407 vulnerabilities in government agency code (All About Security)
  21. DentaQuest Data Breach Analysis (Rescana)
  22. Canvas Cyberattack Exposes Student Data (Facebook / Rep Laura Friedman)
  23. Telegram Founder Pavel Durov Warns Crypto Leaks Fuel Kidnappings (Coinpedia)
  24. University of Nottingham Confirms Breach (SecurityWeek)