# Breach Report Collection
- A collection of companies that disclose adversary TTPs after they have been breached
- Useful for analysis of intrusions launched by adversaries with measurable effects and impact

| Organization | Breach Date | Adversary | Source |
|---|---|---|---|
| DigiCert | April 2026 | GoldenEyeDog (CN APT) | [bugzilla.mozilla.org](https://bugzilla.mozilla.org/show_bug.cgi?id=2033170) / [(archived)](https://web.archive.org/web/20260430002326/https://bugzilla.mozilla.org/show_bug.cgi?id=2033170) |
| F5 Networks | October 2025 | Unknown (APT) | [my.f5.com](https://my.f5.com/manage/s/article/K000154696) / [(archived)](https://archive.is/n2UwA) |
| BeyondTrust | December 2024 | Unknown (CN APT) | [beyondtrust.com](https://www.beyondtrust.com/remote-support-saas-service-security-investigation) / [(archived)](https://web.archive.org/web/20250804163802/https://www.beyondtrust.com/remote-support-saas-service-security-investigation) |
| State of Rhode Island | December 2024 | Brain Cipher (Ransomware) | [rhodeislandcurrent.com](https://rhodeislandcurrent.com/wp-content/uploads/2025/05/RIBridges-Investigation-Summary-EMBARGOED.pdf) / [(archived)](https://web.archive.org/web/20250515221834/https://rhodeislandcurrent.com/wp-content/uploads/2025/05/RIBridges-Investigation-Summary-EMBARGOED.pdf) |
| MITRE | April 2024 | UTA0178/UNC5325 (CN APT) | [MITRE Blog](https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8) / [(archived)](https://web.archive.org/web/20240422095324/https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8) |
| Microsoft | January 2024 | CozyBear (RU APT) | [microsoft.com (1)](https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/), [microsoft.com (2)](https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/) / [(archived)](https://web.archive.org/web/20240120000859/https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/) |
| Mandiant | January 2024 | CLICKSINK (eCrime) | [mandiant.com](https://www.mandiant.com/resources/blog/solana-cryptocurrency-stolen-clinksink-drainer-campaigns) / [(archived)](https://web.archive.org/web/20240111010843/https://www.mandiant.com/resources/blog/solana-cryptocurrency-stolen-clinksink-drainer-campaigns) |
| Nissan Australia | December 2023 | Akira (Ransomware) | [nissan.com.au](https://www.nissan.com.au/website-update.html) / [(archived)](https://web.archive.org/web/20240102223637/https://www.nissan.com.au/website-update.html)|
| Cloudflare | November 2023 | Unknown | [cloudflare.com (1)](https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise), [cloudflare.com (2)](https://blog.cloudflare.com/thanksgiving-2023-security-incident) / [(archived)](https://web.archive.org/web/20240000000000*/https://blog.cloudflare.com/thanksgiving-2023-security-incident) |
| 23andMe | October 2023 | "Anna/Dazhbog" (eCrime) | [ico.org.uk](https://ico.org.uk/media2/kclbljpo/23andme-penalty-notice.pdf) / [(archived)](https://web.archive.org/web/20250617195205/https://ico.org.uk/media2/kclbljpo/23andme-penalty-notice.pdf) |
| Boeing | November 2023 | LockBit (Ransomware) | [cisa.gov](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a) / [(archived)](http://web.archive.org/web/20231121190858/https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a) |
| British Library | October 2023 | Rhysida (Ransomware) | [bl.uk](https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf) / [(archived)](https://web.archive.org/web/20240308110932/https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf)|
| BeyondTrust | October 2023 | Unknown | [beyondtrust.com](https://www.beyondtrust.com/blog/entry/okta-support-unit-breach) / [(archived)](http://web.archive.org/web/20231021002307/https://www.beyondtrust.com/blog/entry/okta-support-unit-breach) |
| Okta | October 2023 | Unknown | [sec.okta.com](https://sec.okta.com/harfiles) / [(archived)](http://web.archive.org/web/20231020225420/https://sec.okta.com/harfiles/) |
| BHI Energy | October 2023 | Akira (Ransomware) | [documentcloud.org](https://www.documentcloud.org/documents/24075435-bhi-notice) / [(archived)](http://web.archive.org/web/20231023214413/https://www.documentcloud.org/documents/24075435-bhi-notice) |
| Gap Personnel | October 2023 | Unknown | [ico.org.uk](https://ico.org.uk/media2/35scoxof/20231018-redacted-reprimand.pdf) / [(archived)](https://web.archive.org/web/20260505215553/https://ico.org.uk/media2/35scoxof/20231018-redacted-reprimand.pdf) |
| D-Link | October 2023 | "succumb" (eCrime) | [dlink.com](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10359) / [(archived)](https://web.archive.org/web/20231017193021/https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10359)|
| Kroll | August 2023 | Unknown (eCrime) | [kroll.com](https://www.kroll.com/en/about-us/news/security-incident) / [(archived)](http://web.archive.org/web/20230828092420/https://www.kroll.com/en/about-us/news/security-incident) |
| Microsoft | July 2023 | Storm-0558 (CN APT) | [microsoft.com](https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/) / [(archived)](http://web.archive.org/web/20230802033832/https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/) |
| JumpCloud | July 2023 | UNC4899 (DPRK APT) | [jumpcloud.com](https://jumpcloud.com/blog/security-update-incident-details) / [(archived)](https://web.archive.org/web/20230726144600/https://jumpcloud.com/blog/security-update-incident-details) |
| Dragos | May 2023 | "KyivWarrior" (eCrime) | [dragos.com](https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/) / [(archived)](https://web.archive.org/web/20230510160749/https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/) |
| Capita | March 2023 | BlackBasta (Ransomware) | [ico.org.uk](https://ico.org.uk/media2/pv5nhks4/capita-plc-and-cpsl-monetary-penalty-notice.pdf) / [(archived)](https://web.archive.org/web/20251015133309/https://ico.org.uk/media2/pv5nhks4/capita-plc-and-cpsl-monetary-penalty-notice.pdf) |
| 3CX | March 2023 | UNC4736 (DPRK APT) | [mandiant.com](https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise) / [(archived)](https://web.archive.org/web/20230514094509/https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise) |
| Coinbase | February 2023 | 0ktapus (suspected) (eCrime) | [coinbase.com](https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study) / [(archived)](https://web.archive.org/web/20230222172459/https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study)|
| Reddit | February 2023 | 0ktapus (suspected) (eCrime) | [reddit.com](https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_security_incident_heres_what_we_know/) / [(archived)](https://web.archive.org/web/20230210080951/https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_security_incident_heres_what_we_know/)  |
| CircleCI | January 2023 | Jade Sleet (DPRK APT) | [circleci.com](https://circleci.com/blog/jan-4-2023-incident-report/) / [(archived)](https://web.archive.org/web/20230324014148/https://circleci.com/blog/jan-4-2023-incident-report/)|
| LastPass | October 2022 | Unknown (eCrime) | [blog.lastpass.com](https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/) / [ico.org.uk](https://ico.org.uk/media2/xfbl1uaa/lastpass-uk-ltd-penalty-notice.pdf) / [(archived)](https://web.archive.org/web/20230404132342/https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/) |
| Uber | September 2022 | Lapsus$ (eCrime) | [uber.com](https://www.uber.com/newsroom/security-update/) / [(archived)](https://web.archive.org/web/20230405195617/https://www.uber.com/newsroom/security-update/) |
| South Staffordshire Water | August 2022 | Clop (Ransomware) | [ico.org.uk](https://ico.org.uk/media2/xdrfahsw/south-staffordshire-plc-and-south-staffordshire-water-plc-monetary-penalty-notice.pdf) / [(archived)](https://web.archive.org/web/20260511102945/https://ico.org.uk/media2/xdrfahsw/south-staffordshire-plc-and-south-staffordshire-water-plc-monetary-penalty-notice.pdf) |
| Advanced Computer Software Group | August 2022 | LockBit (Ransomware) | [ico.org.uk](https://ico.org.uk/media2/gdlfddgc/advanced-penalty-notice-20250327.pdf) / [(archived)](https://web.archive.org/web/20250509024336/https://ico.org.uk/media2/gdlfddgc/advanced-penalty-notice-20250327.pdf) |
| Okta | August 2022 | 0ktapus (eCrime) | [sec.okta.com](https://sec.okta.com/scatterswine) / [(archived)](https://web.archive.org/web/20230131172440/https://sec.okta.com/scatterswine/) |
| Twilio | August 2022 | 0ktapus (eCrime) | [twilio.com](https://www.twilio.com/blog/august-2022-social-engineering-attack) / [(archived)](https://web.archive.org/web/20230404043749/https://www.twilio.com/blog/august-2022-social-engineering-attack) |
| DPP Law | June 2022 | BlackBasta (Ransomware) | [ico.org.uk](https://ico.org.uk/media2/pr4bg5hq/dpp-law-ltd-monetary-penalty-notice.pdf) / [(archived)](https://web.archive.org/web/20250416131742/https://ico.org.uk/media2/pr4bg5hq/dpp-law-ltd-monetary-penalty-notice.pdf)
| Cisco | May 2022 | Yanluowang (Ransomware) | [blog.talosintelligence.com](https://blog.talosintelligence.com/recent-cyber-attack/) / [(archived)](https://web.archive.org/web/20230407165709/https://blog.talosintelligence.com/recent-cyber-attack/) |
| GitHub | April 2022 | Unknown | [github.blog](https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/) / [(archived)](https://web.archive.org/web/20230201012026/https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/) |
| Okta | April 2022 | Lapsus$ (eCrime) | [okta.com](https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/) / [(archived)](https://web.archive.org/web/20230325071437/https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/) |
| Microsoft | March 2022 | Lapsus$ (eCrime) | [microsoft.com](https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/) / [(archived)](https://web.archive.org/web/20230212051224/https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/) |
| Gloucester Council | November 2021 | Conti (Ransomware) | [democracy.gloucester.gov.uk](https://democracy.gloucester.gov.uk/documents/s59774/Appendix%201%20-%20Executive%20Summary%20of%20NCC%20Group%20Report.pdf) / [(archived)](https://web.archive.org/web/20240201223629/https://democracy.gloucester.gov.uk/documents/s59774/Appendix%201%20-%20Executive%20Summary%20of%20NCC%20Group%20Report.pdf) |
| Direct Clothing Co. UK (DDCUK) | August 2021 | Magecart (suspected) (eCrime) | [ico.org.uk](https://ico.org.uk/media2/e3ef5pfb/direct-clothing-company-uk-reprimand.pdf) / [(archived)](https://web.archive.org/web/20260505181650/https://ico.org.uk/media2/e3ef5pfb/direct-clothing-company-uk-reprimand.pdf) |
| Kaseya | July 2021 | REvil (Ransomware) | [helpdesk.kaseya.com](https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961-Incident-Overview-Technical-Details) / [(archived)](https://web.archive.org/web/20230416084704/https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961-Incident-Overview-Technical-Details) |
| Viasat KA-SAT | February 2022 | Sandworm (RU APT) | [news.viasat.com](https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview) / [(archived)](https://web.archive.org/web/20230407225107/https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview) |
| UK Electoral Commission | August 2021 | Unknown (CN APT) | [ico.org.uk](https://ico.org.uk/media2/migrated/4030454/the-electoral-commission-reprimand.pdf) / [(archived)](https://web.archive.org/web/20250711011338/https://ico.org.uk/media2/migrated/4030454/the-electoral-commission-reprimand.pdf) |
| Irish HSE | May 2021 | Conti (Ransomware) | [hse.ie](https://www.hse.ie/eng/services/news/media/pressrel/hse-publishes-independent-report-on-conti-cyber-attack.html) / [(archived)](https://web.archive.org/web/20230323031057/https://www.hse.ie/eng/services/news/media/pressrel/hse-publishes-independent-report-on-conti-cyber-attack.html) |
| Microsoft | February 2021 | CozyBear (RU APT) | [msrc.microsoft.com](https://msrc.microsoft.com/blog/2021/02/microsoft-internal-solorigate-investigation-final-update/) / [archived](https://web.archive.org/web/20230313193242/https://msrc.microsoft.com/blog/2021/02/microsoft-internal-solorigate-investigation-final-update/) |
| New Zealand Reserve Bank | January 2021 | Clop (Ransomware) | [rbnz.govt.nz](https://www.rbnz.govt.nz/about-us/responsibility-and-accountability/our-response-to-the-data-breach) / [(archived)](https://web.archive.org/web/20230206161320/https://www.rbnz.govt.nz/about-us/responsibility-and-accountability/our-response-to-the-data-breach) |
| Qualys | December 2020 | Clop (Ransomware) | [blog.qualys.com](https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident) / [(archived)](https://web.archive.org/web/20250713022054/https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident) | 
| FireEye | December 2020 | CozyBear (RU APT) | [fireeye.com](https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html) / [(archived)](https://web.archive.org/web/20201209011927/https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html) |
| SolarWinds | December 2020 | CozyBear (RU APT) | [solarwinds.com](https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/) / [(archived)](https://web.archive.org/web/20230209021934/https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/) |
| London Borough of Hackney | October 2020 | Pysa (Ransomware) | [ico.org.uk](https://ico.org.uk/media2/migrated/4030344/20240705-lboh-updated-reprimand-with-redactions-1.pdf) / [(archived)](https://archive.is/UVU6l) |
| Equinix | September 2020| Netwalker (Ransomware) | [datacenterdynamics.com](https://www.datacenterdynamics.com/en/analysis/michael-montoya-equinixs-ciso-a-year-on-from-its-2020-ransomware-incident/) / [(archived)](https://web.archive.org/web/20221129110831/https://www.datacenterdynamics.com/en/analysis/michael-montoya-equinixs-ciso-a-year-on-from-its-2020-ransomware-incident/) |
| Chartered Institute for Securities & Investment (CISI) | February 2020 | Magecart (suspected) (eCrime) | [ico.org.uk](https://ico.org.uk/media2/1kip5gw2/chartered-institiute-for-securities-and-investment-reprimand.pdf) / [(archived)](https://web.archive.org/web/20260505180518/https://ico.org.uk/media2/1kip5gw2/chartered-institiute-for-securities-and-investment-reprimand.pdf) |
| CapitalOne | July 2019 | "ERRAT1C" (aka Paige Thompson) (eCrime) | [capitalone.com](https://www.capitalone.com/digital/facts2019/) / [(archived)](https://web.archive.org/web/20230729170922/https://www.capitalone.com/digital/facts2019/) |
| Equifax | May 2017 | CN APT | [oversight.house.gov](https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf) / [(archived)](https://web.archive.org/web/20181211010005/https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf) |
| Avast/CCleaner | September 2016 | WickedPanda (CN APT) | [blog.avast,com](https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer) / [(archived)](https://web.archive.org/web/20230406024839/https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer) |
| Kaspersky | June 2015 | Duqu 2.0 (APT) | [kaspersky.com](https://www.kaspersky.com/about/press-releases/2015_duqu-is-back-kaspersky-lab-reveals-cyberattack-on-its-corporate-network-that-also-hit-high-profile-victims-in-western-countries-the-middle-east-and-asia) / [(archived)](https://web.archive.org/web/20221102194801/https://www.kaspersky.com/about/press-releases/2015_duqu-is-back-kaspersky-lab-reveals-cyberattack-on-its-corporate-network-that-also-hit-high-profile-victims-in-western-countries-the-middle-east-and-asia) |
| RSA | April 2011 | Unknown (CN APT) | [(archived)](http://web.archive.org/web/20110413224418/http://blogs.rsa.com:80/rivner/anatomy-of-an-attack/)|

---

## 🗨️ Contacts

- @BushidoToken on X
- linkedin.com/in/william-t