Week 14

SecureFact – April 6, 2026

A compromised open-source tool hits a $10 billion AI startup while telehealth giants, political parties and a medtech manufacturer contend with large-scale extortion and destructive intrusions

Mercor, a $10 billion AI startup that works with companies including OpenAI and Anthropic, confirms major data breach

Mercor, a fast-growing AI training data startup valued at $10 billion, confirmed it suffered a major security breach. The intrusion was a supply-chain attack traced to LiteLLM, an open-source tool widely used in AI development: attackers inserted malicious code into the tool and used it to steal credentials and reach sensitive systems. Because Mercor works with major AI companies including OpenAI, Anthropic and Meta, the downstream exposure is particularly high-risk. Reports suggest sensitive data, internal systems and possibly client project details may have been exposed. The hacking group TeamPCP is believed to be behind the supply-chain compromise, while Lapsus$ claims access to the stolen data, allegedly up to 4TB including databases, credentials and internal communications. Mercor says it acted quickly to contain the breach and has launched a third-party forensic investigation. The incident underlines the growing risk in the AI supply chain, especially where development pipelines pull in open-source packages, and may trigger industry-wide reviews as AI companies reassess vendor and dependency security.
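The practical check against a poisoned package is to refuse anything whose bytes do not match a hash recorded in the lockfile at review time. The script below, an added example and not code from Mercor, LiteLLM or the report behind this item, parses a `pip-compile --generate-hashes` style requirements file and classifies a downloaded artifact as ok, unknown, version-mismatch, unpinned or hash-mismatch. The package names, versions and artifact bytes are constructed for the demo; swap in your own lockfile and the files from your artifact mirror.

```python
"""Check hash-pinned dependencies before they are installed.

Added example, not code from Mercor, LiteLLM or the page's source report.
Package names, versions and artifact bytes below are constructed for the demo.
The lockfile format is the one produced by `pip-compile --generate-hashes` and
enforced by `pip install --require-hashes`.
"""
import hashlib
import re
from dataclasses import dataclass, field

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<hex>[0-9a-f]{64})")


def _normalize(name: str) -> str:
    # PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Pin:
    version: str
    hashes: set = field(default_factory=set)  # accepted sha256 hex digests


def parse_pinned_requirements(text: str) -> dict:
    """Parse a requirements file into {normalized_name: Pin}.

    Backslash continuations are joined first so multi-line --hash lists are
    read as one requirement.  A requirement with no --hash is kept with an
    empty hash set so the caller can report it as unpinned.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue  # editable installs, -r includes, index options: out of scope
        pins[_normalize(m.group("name"))] = Pin(
            m.group("version"),
            {h.group("hex") for h in HASH_RE.finditer(line)},
        )
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> str:
    """Classify a downloaded wheel/sdist against the lockfile.

    Returns one of: 'ok', 'unknown' (not in lockfile), 'version-mismatch',
    'unpinned' (no hash recorded, so nothing can be verified), 'hash-mismatch'.
    Anything other than 'ok' should fail the build.
    """
    pin = pins.get(_normalize(name))
    if pin is None:
        return "unknown"
    if pin.version != version:
        return "version-mismatch"
    if not pin.hashes:
        return "unpinned"
    return "ok" if hashlib.sha256(data).hexdigest() in pin.hashes else "hash-mismatch"


# --- constructed demo data -------------------------------------------------
GENUINE = b"PK\x03\x04 constructed wheel contents for demo-sdk 1.4.2"
TAMPERED = GENUINE + b"\n# constructed injected payload"  # same name and version
LOCKFILE = f"""
# constructed lockfile
demo-sdk==1.4.2 \\
    --hash=sha256:{hashlib.sha256(GENUINE).hexdigest()}
legacy-tool==0.9.0
"""


def demo() -> dict:
    pins = parse_pinned_requirements(LOCKFILE)
    return {
        "genuine": verify_artifact(pins, "demo_sdk", "1.4.2", GENUINE),
        "tampered": verify_artifact(pins, "demo-sdk", "1.4.2", TAMPERED),
        "wrong-version": verify_artifact(pins, "demo-sdk", "1.4.3", GENUINE),
        "unpinned": verify_artifact(pins, "legacy-tool", "0.9.0", b"anything"),
        "unknown": verify_artifact(pins, "not-in-lockfile", "1.0", b""),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:14s} {result}")
```

The "unpinned" outcome matters as much as the mismatch: a package that has a version but no hash in the lockfile is exactly the hole a compromised upstream release slips through, and `pip install --require-hashes` refuses such a file for the same reason.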

CERT-EU: European Commission hack exposes data of 30 EU entities

CERT-EU, the cybersecurity service for the EU institutions, bodies and agencies, attributed the European Commission cloud hack to the TeamPCP threat group. Threat actors stole tens of thousands of files containing personal information, usernames, email addresses and email content from 42 internal European Commission clients and at least 29 other Union entities using the europa.eu web hosting service. The exfiltrated data was published on the dark web by ShinyHunters as a 90GB archive (approximately 340GB uncompressed); the dataset contained at least 51,992 files related to outbound email communications, totalling 2.22GB. The Commission notified the relevant data protection authorities and is in direct contact with the affected entities. No websites were taken offline or tampered with, and no lateral movement to other Commission AWS accounts was detected. The Commission is working with external experts to strengthen security measures and prevent similar incidents.

Hims & Hers warns of data breach after Zendesk support tickets stolen

Telehealth giant Hims & Hers Health disclosed a data breach in which support tickets were stolen from a third-party customer service platform. Unauthorized access to the tickets took place between February 4 and 7, 2026. The ShinyHunters extortion gang carried out the intrusion by compromising Okta SSO accounts and using them to reach the company's Zendesk instance, from which millions of support tickets were taken. Exposed information included names, contact details and other unspecified data related to support requests; the company confirmed that no medical records or doctor communications were compromised. Hims & Hers is offering 12 months of free credit monitoring to all impacted individuals and advises customers to stay alert for unsolicited communications carrying phishing or social-engineering lures. The company is working with external cybersecurity experts to determine the full scope of the incident and strengthen security measures.

Die Linke German political party confirms data stolen by Qilin ransomware

The Qilin ransomware group claimed responsibility for stealing data from Die Linke, a German democratic socialist political party with 123,000 registered members and 64 representatives in the German parliament. The attackers threatened to publish sensitive data from internal party organization areas and personal information of employees at party headquarters. The party confirmed that its membership database was not affected, as the attackers failed to obtain member data. Die Linke says it received information that the attack was carried out by Russian-speaking cybercriminals with both financial and political motives, that it does not appear coincidental, and that it constitutes an attack on critical infrastructure as part of hybrid warfare. Qilin added Die Linke to its data leak site on April 1 without publishing data samples, using the threat of publication to coerce a ransom payment. Die Linke notified German authorities and filed a criminal complaint with police, and is working with independent IT experts to safely restore affected systems and strengthen security measures.

Medtech giant Stryker fully operational after data-wiping attack

Stryker Corporation, a Fortune 500 medical technology company with over 53,000 employees and $22.6 billion in global sales, suffered a cyberattack on March 11, 2026, in which the Iranian-linked Handala hacktivist group wiped nearly 80,000 devices. The attackers claimed to have stolen 50 terabytes of data before deploying the wiper malware through a newly created Global Administrator account, set up after they compromised a Windows domain admin account. The company restored systems to pre-attack operational levels within three weeks and announced full operational status across its global manufacturing network, with production moving rapidly toward peak capacity and commercial, ordering and distribution systems back online. Security experts also discovered a malicious file the attackers used to conceal their activity within the network. CISA and Microsoft released guidance on securing Intune and hardening Windows domains to prevent similar attacks, and the FBI seized two websites Handala used to leak data. Stryker continues working with third-party cybersecurity experts, government agencies and industry partners to complete the investigation and strengthen security measures.
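A freshly created account being handed Global Administrator is the step in this intrusion that a tenant should alert on within minutes. The rule below, an added example and not code from Stryker, CISA or Microsoft, walks Microsoft Entra ID audit records, raises a high-severity alert for any grant into a watched role, and escalates to critical when the same batch shows the grantee's own "Add user" event shortly before the grant. The records are constructed in the shape of Microsoft Graph `directoryAudit` entries; the exact field names (activityDisplayName, targetResources, modifiedProperties, Role.DisplayName) are an assumption to confirm against your tenant's export, and the `contoso.example` accounts and the `_rec` builder are demo fixtures.

```python
"""Alert on Global Administrator grants in Microsoft Entra ID audit logs.

Added example, not code from Stryker, CISA or Microsoft.  The records below
are constructed in the shape of Microsoft Graph `directoryAudit` entries
(activityDisplayName, activityDateTime, initiatedBy, targetResources with
modifiedProperties); the field names are an assumption to confirm against your
own tenant's export before deploying the rule.
"""
import json
from datetime import datetime, timedelta

WATCHED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # grant soon after creation -> critical


def _when(record: dict) -> datetime:
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def _target_upn(record: dict):
    for target in record.get("targetResources", []):
        if target.get("userPrincipalName"):
            return target["userPrincipalName"].lower()
    return None


def _granted_role(record: dict):
    # Role.DisplayName.newValue is a JSON-encoded string, e.g. '"Global Administrator"'
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                return json.loads(prop["newValue"])
    return None


def _actor(record: dict) -> str:
    user = record.get("initiatedBy", {}).get("user") or {}
    return user.get("userPrincipalName") or "<unknown>"


def find_privileged_grants(records: list) -> list:
    """Return one alert per 'Add member to role' event into a watched role.

    Severity is 'critical' when the same batch shows the grantee being created
    ('Add user') within NEW_ACCOUNT_WINDOW before the grant, otherwise 'high'.
    """
    created = {}
    for r in records:
        if r.get("activityDisplayName") == "Add user":
            upn = _target_upn(r)
            if upn:
                created[upn] = _when(r)

    alerts = []
    for r in sorted(records, key=_when):
        if r.get("activityDisplayName") != "Add member to role":
            continue
        role = _granted_role(r)
        if role not in WATCHED_ROLES:
            continue
        grantee = _target_upn(r) or "<unknown>"
        when = _when(r)
        born = created.get(grantee)
        fresh = born is not None and timedelta(0) <= when - born <= NEW_ACCOUNT_WINDOW
        alerts.append({
            "time": when.isoformat(),
            "actor": _actor(r),
            "grantee": grantee,
            "role": role,
            "severity": "critical" if fresh else "high",
            "reason": "new account granted tenant-wide admin" if fresh else "privileged role grant",
        })
    return alerts


def _rec(activity, ts, actor, target, role=None):
    """Build a constructed audit record in the directoryAudit shape (demo helper)."""
    target_res = {"type": "User", "userPrincipalName": target, "modifiedProperties": []}
    if role:
        target_res["modifiedProperties"].append(
            {"displayName": "Role.DisplayName", "oldValue": None, "newValue": json.dumps(role)})
    return {"activityDisplayName": activity, "activityDateTime": ts,
            "category": "RoleManagement" if role else "UserManagement",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [target_res]}


# constructed sample: a compromised admin creates a user and makes it Global Admin
SAMPLE_RECORDS = [
    _rec("Add user", "2026-03-11T01:02:00Z", "da-ops@contoso.example", "svc-sync@contoso.example"),
    _rec("Add member to role", "2026-03-11T01:10:00Z", "da-ops@contoso.example",
         "svc-sync@contoso.example", "Global Administrator"),
    _rec("Add member to role", "2026-03-11T08:15:00Z", "it-admin@contoso.example",
         "analyst@contoso.example", "Global Reader"),
    _rec("Add member to role", "2026-03-11T09:00:00Z", "it-admin@contoso.example",
         "j.doe@contoso.example", "Global Administrator"),
]

if __name__ == "__main__":
    for a in find_privileged_grants(SAMPLE_RECORDS):
        print(f"[{a['severity']}] {a['time']} {a['actor']} -> {a['grantee']} as {a['role']}")
```

Running it over the sample yields one critical alert (the just-created `svc-sync` account) and one high alert (an existing user given Global Administrator); the Global Reader grant is ignored. In production the "Add user" lookup should query account age from the directory rather than rely on the same log batch, since the creation may have happened in an earlier export.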

Dutch Finance Ministry takes treasury banking portal offline after breach

The Dutch Ministry of Finance took systems offline, including the digital portal for treasury banking, while investigating a cyberattack detected on March 19, 2026. The breach affected some employees but did not touch the systems that manage tax collection, income-linked subsidies or import/export regulation. The ministry shut the systems down on March 23 as a precaution, which left approximately 1,600 public institutions (ministries, government agencies, educational organizations, social funds and local governments) unable to view treasury account balances online or use the portal for loans, deposits, credit applications or report generation. Participants retained full access to their funds held in the Treasury, and incoming and outgoing payments continued through regular banking channels. The incident is being investigated with assistance from the Dutch National Cyber Security Centre (NCSC) and external forensic experts. The ministry notified the Dutch Data Protection Authority and filed a report with the Dutch national police's High Tech Crime Team. No timeline was given for completing the investigation or restoring the systems.

Healthcare tech firm CareCloud says hackers stole patient data

Healthcare IT firm CareCloud disclosed a data breach in which hackers accessed its IT infrastructure on March 16, 2026, causing a network disruption lasting approximately eight hours. The intrusion partially impacted functionality and data access in one of CareCloud's six electronic health record (EHR) environments, which holds patient health records for CareCloud's customers. CareCloud engaged a cyber response advisory team from a Big Four accounting firm to lead the external cybersecurity work and conduct a comprehensive IT forensic investigation. The company says the unauthorized data access was limited in scope but confirmed that patient health records were compromised; the investigation is ongoing to determine which types of data were accessed or exfiltrated and how many individuals are affected. All affected systems have been restored, the attacker no longer has access to the database, and CareCloud confirmed no impact on other platforms, divisions, systems or environments. The company is working with external cybersecurity experts to strengthen security measures and prevent similar incidents. No ransomware group has claimed credit for the attack.
