Vulnetix/breach-notes

breach-notes

Structured YAML records of breach reports, advisories, and cyber incidents.

Last updated: 2026-04-11. Total records: 3893.


Summary Statistics

| Metric | Value |
|---|---|
| Total incidents | 3893 |
| With CVE/GHSA references | 70 (2%) |
| Unique CVEs/GHSAs | 78 |
| With malware identified | 272 (7%) |
| Supply chain claimed | 848 (22%) |
| Unique vendor products | 2793 |
| Median disclosure lag (days) | 0 |
| Max disclosure lag (days) | 3474 |
| Incidents with financial loss data | 830 (21%) |
| Total financial loss (USD) | $80.9B |
| Total financial recovered (USD) | $53.3B |
| AI-related incidents | 45 (1%) |
| Cloud / SaaS incidents | 177 (5%) |
| Crypto / Web3 incidents | 1090 (28%) |
| Incidents with affected-count data | 75 (2%) |
| Total affected (wallets / users) | 43.4M |

Incidents by Category

| Category | Count | % |
|---|---|---|
| ransomware | 218 | 6% |
| data-leak | 809 | 21% |
| supply-chain | 722 | 19% |
| credential-theft | 106 | 3% |
| ai | 45 | 1% |
| cloud | 183 | 5% |
| cryptocurrency | 1086 | 28% |
| other | 724 | 19% |

Incidents by Year

| Year | Count |
|---|---|
| 1996 | 1 |
| 1998 | 1 |
| 1999 | 3 |
| 2000 | 1 |
| 2001 | 3 |
| 2002 | 1 |
| 2003 | 3 |
| 2004 | 3 |
| 2005 | 8 |
| 2006 | 2 |
| 2007 | 2 |
| 2008 | 3 |
| 2009 | 5 |
| 2010 | 2 |
| 2011 | 10 |
| 2012 | 18 |
| 2013 | 29 |
| 2014 | 42 |
| 2015 | 21 |
| 2016 | 41 |
| 2017 | 48 |
| 2018 | 85 |
| 2019 | 85 |
| 2020 | 117 |
| 2021 | 326 |
| 2022 | 985 |
| 2023 | 665 |
| 2024 | 477 |
| 2025 | 701 |
| 2026 | 205 |

Top Malware Families

| Malware | Incidents |
|---|---|
| POS RAM-scraping malware | 12 |
| DEWMODE web shell | 11 |
| ALPHV/BlackCat ransomware | 5 |
| Black Basta ransomware | 5 |
| Cl0p; Truebot web shell | 5 |
| DragonForce ransomware | 4 |
| Hunters International ransomware | 4 |
| Interlock ransomware | 4 |
| LockBit ransomware | 4 |
| POS malware | 4 |
| TeamPCP Cloud Stealer | 4 |
| web payment page skimmer | 4 |
| ALPHV/BlackCat | 3 |
| DarkSide | 3 |
| DoppelPaymer ransomware | 3 |

CVE / GHSA References

CVE-2001-0333
CVE-2001-0500
CVE-2001-0507
CVE-2002-0649
CVE-2005-1983
CVE-2010-0249
CVE-2010-2568
CVE-2010-2729
CVE-2010-2772
CVE-2011-0609
CVE-2014-0160
CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-10271
CVE-2017-3248
CVE-2017-3506
CVE-2017-5638
CVE-2019-11510
CVE-2019-18187
CVE-2019-19781
CVE-2020-10148
CVE-2020-5741
CVE-2020-8260
CVE-2021-20016
CVE-2021-22893
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
CVE-2021-27101
CVE-2021-27102
CVE-2021-27103
CVE-2021-27104
CVE-2021-27860
CVE-2021-30116
CVE-2021-31207
CVE-2021-34473
CVE-2021-34523
CVE-2021-35587
CVE-2021-40539
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2022-24521
CVE-2022-41080
CVE-2022-41082
CVE-2023-0669
CVE-2023-2868
CVE-2023-29059
CVE-2023-34362
CVE-2023-35708
CVE-2023-46805
CVE-2023-4966
CVE-2023-6448
CVE-2024-1708
CVE-2024-1709
CVE-2024-21887
CVE-2024-21893
CVE-2024-27198
CVE-2024-27199
CVE-2024-3094
CVE-2024-3400
CVE-2024-40766
CVE-2024-50623
CVE-2024-55956
CVE-2024-57726
CVE-2024-57727
CVE-2024-57728
CVE-2025-0282
CVE-2025-0283
CVE-2025-0994
CVE-2025-22457
CVE-2025-30154
CVE-2025-5777
CVE-2025-61882
CVE-2025-61884
CVE-2026-33634

Top Attack Vectors

| Attack Vector | Incidents |
|---|---|
| Compromise of third-party service provider / vendor relationship | 556 |
| Smart contract exploit / hack | 361 |
| Unauthorized access / data exposure | 306 |
| Regulatory / legal action | 279 |
| Protocol collapse / insolvency | 111 |
| Exit scam / rug pull | 101 |
| Ransomware intrusion | 98 |
| On-chain theft (attributed by zachxbt) | 66 |
| Flash loan attack on smart contract | 60 |
| Software bug / unintentional loss | 58 |
| Phishing attack | 53 |
| Ponzi / pyramid scheme | 42 |
| Credential theft or account compromise | 40 |
| Withdrawal halt / insolvency | 39 |
| Third-party / vendor compromise | 24 |

Top Blockchains

| Blockchain | Incidents | Financial Loss |
|---|---|---|
| ethereum | 646 | $5.6B |
| bitcoin | 137 | $8.0B |
| bsc | 124 | $855.0M |
| solana | 105 | $979.1M |
| polygon | 61 | $268.1M |
| terra | 39 | $40.2B |
| avalanche | 23 | $106.5M |
| fantom | 19 | $110.6M |
| cosmos | 10 | $8.2M |
| tron | 9 | $290.3M |
| monero | 8 | $632.5M |
| celo | 5 | $588K |
| cardano | 4 | $6.0M |
| hyperliquid | 4 | $38.9M |
| litecoin | 4 | $281.3M |

Top AI Model Providers

| Provider | Incidents |
|---|---|
| OpenAI | 7 |
| Microsoft | 4 |
| Anthropic | 3 |
| BerriAI | 2 |
| Google | 2 |
| GitLab | 1 |
| Griffin AI | 1 |
| McKinsey | 1 |
| Mercor | 1 |
| Tenzai | 1 |

Top AI Attack Vectors

| AI Attack Vector | Incidents |
|---|---|
| AI-assisted cyberattack | 11 |
| AI-generated malware | 8 |
| data exposure | 6 |
| deepfake | 4 |
| prompt injection | 3 |
| supply chain attack | 3 |
| training data exposure | 2 |
| AI platform breach | 1 |
| AI-assisted malware | 1 |
| AI-generated vulnerable code | 1 |
| AI-themed fraud | 1 |
| adversarial input | 1 |
| jailbreak | 1 |
| malicious LLM | 1 |
| smart contract exploit | 1 |

Top Cloud Providers

| Provider | Incidents |
|---|---|
| AWS | 48 |
| Salesforce | 27 |
| Snowflake | 18 |
| Okta | 10 |
| Elasticsearch | 9 |
| LastPass | 6 |
| Ivanti | 5 |
| Atlassian | 3 |
| Codecov | 3 |
| Mailchimp | 3 |
| Microsoft | 3 |
| Oracle Cloud | 3 |
| SolarWinds | 3 |
| Twilio | 3 |
| Zendesk | 3 |

Schema

Each YAML file captures (see schema.yaml for the canonical definition):

```yaml
# ── Core fields (always present) ───────────────────────────────────────────────
source_name: "Publication or organization reporting the breach"
source_url: "https://example.com/direct-link-to-report"
date_of_breach: "YYYY-MM-DD"          # also accepts YYYY-MM or YYYY
date_of_disclosure: "YYYY-MM-DD"      # empty string "" if unknown
category: "ransomware | data-leak | supply-chain | credential-theft | ai | cloud | cryptocurrency | other"
notes: "Narrative summary of the incident including timeline, scope, threat actor attribution, and any known impact."

# ── Traditional breach fields ───────────────────────────────────────────────────
date_of_customer_notification: ""     # YYYY-MM-DD or "" if unknown
initial_attack_vector: "CWE-NNN: Short description, or free-text description of the attack method"
cve: []                               # list of CVE/GHSA IDs, e.g. ["CVE-2024-3094"], empty if none
vendor_product: "Vendor Product Name" # affected vendor or product
software_package: ""                  # package name for software supply chain incidents, "" otherwise
malware: ""                           # malware family name if identified, "" otherwise
supply_chain_claimed: false           # true if a third-party vendor relationship was the attack vector

# ── Crypto / Web3 fields ───────────────────────────────────────────────────────
blockchain: "ethereum"                # blockchain(s) involved, e.g. "ethereum, solana"; omit if not applicable
financial_loss_usd: 0                 # numeric USD value of funds lost; omit if not applicable
financial_recovered_usd: 0            # numeric USD value recovered after the incident; omit if not applicable
affected_count: 0                     # number of affected wallets, users, or individuals; omit if not applicable

# ── AI fields ─────────────────────────────────────────────────────────────────
ai_model_name: ""                     # AI model involved, e.g. "ChatGPT", "Claude", "Gemini"; omit if not applicable
ai_model_provider: ""                 # organization behind the model, e.g. "OpenAI", "Anthropic"; omit if not applicable
ai_attack_vector: ""                  # AI-specific attack method, e.g. "prompt injection", "deepfake"; omit if not applicable

# ── Cloud / SaaS fields ───────────────────────────────────────────────────────
cloud_provider: ""                    # cloud provider, e.g. "AWS", "Azure", "GCP", "Snowflake"; omit if not applicable
cloud_shared_responsibility: ""       # "vendor" | "customer" | "shared" | "unknown"
cloud_resource_crit: ""               # CRIT identifier, e.g. "arn:aws:s3:::{bucket}"; omit if not applicable
```

Folders

  • ransomware/ — ransomware incidents
  • data-leak/ — customer data exposure
  • supply-chain/ — supply chain attacks
  • credential-theft/ — credential compromise
  • ai/ — AI-related cybersecurity incidents
  • cloud/ — cloud and SaaS security incidents
  • cryptocurrency/ — cryptocurrency, DeFi, and Web3 incidents
  • other/ — uncategorized or multi-category

RSS Feeds

The site publishes RSS 2.0 feeds with full incident metadata via a custom breach: XML namespace (https://breachnotes.vulnetix.com/xmlns/breach/1.0).

Available feeds

| Feed | URL | Contents |
|---|---|---|
| All incidents | /index.xml | Latest incidents across every category |
| Ransomware | /ransomware/index.xml | Ransomware incidents only |
| Data Leaks | /data-leak/index.xml | Data leak incidents only |
| Supply Chain | /supply-chain/index.xml | Supply chain incidents only |
| Credential Theft | /credential-theft/index.xml | Credential theft incidents only |
| AI | /ai/index.xml | AI-related incidents only |
| Cloud | /cloud/index.xml | Cloud / SaaS incidents only |
| Cryptocurrency | /cryptocurrency/index.xml | Crypto / Web3 incidents only |
| Other | /other/index.xml | Uncategorized incidents |

Custom XML elements

Each <item> includes the standard RSS elements (<title>, <link>, <pubDate>, <guid>, <description>, <category>), a <content:encoded> element carrying the full notes as HTML, and namespaced breach:* elements for the schema fields listed below:

| Element | Schema field | Type |
|---|---|---|
| breach:sourceUrl | source_url | string |
| breach:dateOfBreach | date_of_breach | date |
| breach:dateOfDisclosure | date_of_disclosure | date |
| breach:dateOfCustomerNotification | date_of_customer_notification | date |
| breach:initialAttackVector | initial_attack_vector | string |
| breach:cve | cve | string, repeated once per ID |
| breach:vendorProduct | vendor_product | string |
| breach:softwarePackage | software_package | string |
| breach:malware | malware | string |
| breach:supplyChainClaimed | supply_chain_claimed | boolean |
| breach:blockchain | blockchain | string |
| breach:financialLossUsd | financial_loss_usd | number |
| breach:financialRecoveredUsd | financial_recovered_usd | number |
| breach:affectedCount | affected_count | integer |
| breach:aiModelName | ai_model_name | string |
| breach:aiModelProvider | ai_model_provider | string |
| breach:aiAttackVector | ai_attack_vector | string |
| breach:cloudProvider | cloud_provider | string |
| breach:cloudSharedResponsibility | cloud_shared_responsibility | enum |
| breach:cloudResourceCrit | cloud_resource_crit | string |

Elements are only present when the field has a non-empty value.
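A consumer for the feed format above, written as an added example against the element table (it is not code from the breach-notes project). It uses Python's standard-library XML parser with the breach namespace URI from this README; the feed text embedded in it is constructed, and its URLs, titles and figures are placeholders rather than real records:

```python
"""Consume a breach-notes RSS feed and map the breach:* elements back to schema
fields. Added example, not code from the Vulnetix/breach-notes repository; the
feed text below is constructed from the README's element table and describes
no real incident."""
import xml.etree.ElementTree as ET

BREACH_NS = "https://breachnotes.vulnetix.com/xmlns/breach/1.0"
NS = {"breach": BREACH_NS}


def _flag(text):
    """breach:supplyChainClaimed carries 'true' / 'false' as text."""
    return text.strip().lower() == "true"


# breach:<element> -> (schema field, converter), per the README's element table.
FIELDS = {
    "sourceUrl": ("source_url", str), "dateOfBreach": ("date_of_breach", str),
    "dateOfDisclosure": ("date_of_disclosure", str),
    "dateOfCustomerNotification": ("date_of_customer_notification", str),
    "initialAttackVector": ("initial_attack_vector", str),
    "vendorProduct": ("vendor_product", str), "softwarePackage": ("software_package", str),
    "malware": ("malware", str), "supplyChainClaimed": ("supply_chain_claimed", _flag),
    "blockchain": ("blockchain", str), "financialLossUsd": ("financial_loss_usd", float),
    "financialRecoveredUsd": ("financial_recovered_usd", float),
    "affectedCount": ("affected_count", int), "aiModelName": ("ai_model_name", str),
    "aiModelProvider": ("ai_model_provider", str), "aiAttackVector": ("ai_attack_vector", str),
    "cloudProvider": ("cloud_provider", str),
    "cloudSharedResponsibility": ("cloud_shared_responsibility", str),
    "cloudResourceCrit": ("cloud_resource_crit", str),
}


def parse_feed(xml_text):
    """One dict per <item>: standard fields, breach:cve gathered into a list
    (the element repeats once per id), typed breach:* values, absent ones omitted."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iterfind("./channel/item"):
        rec = {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "category": item.findtext("category", ""),
            "cve": [e.text.strip() for e in item.findall("breach:cve", NS) if e.text],
        }
        for name, (field, convert) in FIELDS.items():
            el = item.find(f"breach:{name}", NS)
            if el is not None and el.text is not None:
                rec[field] = convert(el.text.strip())
        items.append(rec)
    return items


def items_with_vuln_ids(items):
    """Items carrying CVE/GHSA ids: vulnerabilities seen in real incidents,
    a useful input for patch prioritisation."""
    return [i for i in items if i["cve"]]


def supply_chain_loss_usd(items):
    """Reported loss summed over items flagged supply_chain_claimed."""
    return sum(i.get("financial_loss_usd", 0.0) for i in items if i.get("supply_chain_claimed"))


# Constructed sample feed (placeholder URLs, titles and figures).
SAMPLE_FEED = f"""<rss version="2.0" xmlns:breach="{BREACH_NS}">
<channel><title>breach-notes</title>
<item>
  <title>Example backdoored library release</title>
  <link>https://example.com/supply-chain/2024-03_example/</link>
  <guid>https://example.com/supply-chain/2024-03_example/</guid>
  <pubDate>Tue, 02 Apr 2024 00:00:00 +0000</pubDate>
  <category>supply-chain</category>
  <breach:sourceUrl>https://example.com/advisories/2024-001</breach:sourceUrl>
  <breach:dateOfBreach>2024-03-29</breach:dateOfBreach>
  <breach:dateOfDisclosure>2024-04-02</breach:dateOfDisclosure>
  <breach:cve>CVE-2024-3094</breach:cve>
  <breach:supplyChainClaimed>true</breach:supplyChainClaimed>
  <breach:financialLossUsd>1500000</breach:financialLossUsd>
</item>
<item>
  <title>Example DeFi protocol drained</title>
  <link>https://example.com/cryptocurrency/2024-02_example-defi/</link>
  <category>cryptocurrency</category>
  <breach:dateOfBreach>2024-02-10</breach:dateOfBreach>
  <breach:blockchain>ethereum</breach:blockchain>
  <breach:financialLossUsd>2500000</breach:financialLossUsd>
  <breach:financialRecoveredUsd>400000</breach:financialRecoveredUsd>
  <breach:affectedCount>1200</breach:affectedCount>
</item>
</channel></rss>"""

if __name__ == "__main__":
    for rec in parse_feed(SAMPLE_FEED):
        print(rec["category"], rec["title"], rec["cve"], rec.get("financial_loss_usd"))
```

Two practical points. Because breach:cve repeats once per ID, `find()` would silently return only the first one, so the collector uses `findall()`. And a feed fetched over the network is untrusted XML: parse it through defusedxml (same `fromstring` interface) rather than the raw stdlib parser so that entity-expansion tricks in a tampered feed cannot exhaust memory. The feed is also capped at services.rss.limit items (200 by default), so treat it as a change feed and read the YAML files from the repository when the full history is needed.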

Configuration

RSS behaviour is controlled in hugo.toml:

```toml
# Which page types produce an RSS feed
[outputs]
  home    = ["HTML", "RSS", "JSON"]
  section = ["HTML", "RSS"]

# Maximum number of items per feed (most recent first)
[services.rss]
  limit = 200     # set to -1 for unlimited
```

To change the feed size, edit services.rss.limit. Setting limit = -1 removes the cap and includes every incident. To disable RSS for section pages, remove "RSS" from outputs.section.

The feed template lives at layouts/_default/rss.xml and applies to all feeds (home and per-category). To customise the output, edit that template directly.

Contributing

Submit a new breach by opening a pull request that adds a YAML file to the appropriate category directory. When you create a PR, select one of the templates below to get a pre-filled checklist and YAML skeleton.

| Template | Category | Directory | Required fields (beyond core) |
|---|---|---|---|
| Cloud Breach | cloud | cloud/ | cloud_provider, cloud_resource_crit, cloud_shared_responsibility |
| AI Breach | ai | ai/ | ai_model_provider |
| Crypto Breach | cryptocurrency | cryptocurrency/ | financial_loss_usd |
| Traditional Breach | ransomware, data-leak, supply-chain, credential-theft, other | matching category folder | (none beyond core) |

Quick start

  1. Fork this repository.
  2. Create a file named YYYY-MM_slug.yaml in the correct category directory.
  3. Fill in the required fields — use an existing record in the same directory as a reference.
  4. Open a pull request and choose the matching template (cloud_breach.md, ai_breach.md, crypto_breach.md, or traditional_breach.md).

Every record requires these core fields: source_name, source_url, date_of_breach, date_of_disclosure, category, and notes. See Schema above for the full field reference.
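A pre-PR lint that applies the rules from the Schema section and the template table above to one record, as an added example (it is not a script from the breach-notes repository, which has no stated validator). It checks the core fields, the category enum, the per-template required fields, the three date formats, the CVE/GHSA ID syntax, the numeric and boolean fields, and the YYYY-MM_slug.yaml filename, and computes the disclosure lag the summary statistics report. The https-only source_url rule and the slug character set are this example's own assumptions, and the sample record is constructed (it describes no real incident):

```python
"""Pre-PR lint for one breach-notes record. Added example, not code from the
Vulnetix/breach-notes repository: rules follow the README's Schema and
Contributing sections; the https-only source_url rule and slug charset are
this example's own assumptions."""
import re
from datetime import date

CATEGORIES = {"ransomware", "data-leak", "supply-chain", "credential-theft",
              "ai", "cloud", "cryptocurrency", "other"}
CORE_FIELDS = ("source_name", "source_url", "date_of_breach",
               "date_of_disclosure", "category", "notes")
EXTRA_REQUIRED = {  # per-template required fields from the Contributing table
    "cloud": ("cloud_provider", "cloud_resource_crit", "cloud_shared_responsibility"),
    "ai": ("ai_model_provider",),
    "cryptocurrency": ("financial_loss_usd",),
}
SHARED_RESPONSIBILITY = {"vendor", "customer", "shared", "unknown"}
VULN_ID = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA(-[a-z0-9]{4}){3})$")
PARTIAL_DATE = re.compile(r"^\d{4}(?:-(\d{2}))?$")          # YYYY or YYYY-MM
FILENAME = re.compile(r"^\d{4}-\d{2}_[a-z0-9-]+\.yaml$")    # assumed slug charset


def parse_full_date(value):
    """A date for a real YYYY-MM-DD string (rejects 2024-02-30), else None."""
    if not isinstance(value, str) or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def disclosure_lag_days(rec):
    """Days from breach to disclosure when both are full dates, else None."""
    start = parse_full_date(rec.get("date_of_breach"))
    end = parse_full_date(rec.get("date_of_disclosure"))
    return None if start is None or end is None else (end - start).days


def validate_record(rec, filename=None):
    """Return the list of problems; an empty list means the record passes."""
    problems = [f"missing core field {f}" for f in CORE_FIELDS if f not in rec]
    cat = rec.get("category")
    if cat not in CATEGORIES:
        problems.append(f"category {cat!r} not in {sorted(CATEGORIES)}")
    problems += [f"{cat} records require {f}" for f in EXTRA_REQUIRED.get(cat, ())
                 if rec.get(f) in (None, "")]
    breach = rec.get("date_of_breach")
    partial = PARTIAL_DATE.match(breach) if isinstance(breach, str) else None
    month_ok = bool(partial) and (partial.group(1) is None or 1 <= int(partial.group(1)) <= 12)
    if parse_full_date(breach) is None and not month_ok:
        problems.append(f"date_of_breach {breach!r} must be YYYY-MM-DD, YYYY-MM or YYYY")
    for f in ("date_of_disclosure", "date_of_customer_notification"):
        v = rec.get(f, "")
        if v != "" and parse_full_date(v) is None:
            problems.append(f'{f} {v!r} must be YYYY-MM-DD or ""')
    lag = disclosure_lag_days(rec)
    if lag is not None and lag < 0:
        problems.append("date_of_disclosure precedes date_of_breach")
    if not str(rec.get("source_url", "")).startswith("https://"):  # assumed rule
        problems.append("source_url must be an https:// link to the report")
    cves = rec.get("cve", [])
    if not isinstance(cves, list):
        problems.append("cve must be a list of CVE/GHSA ids (use [] for none)")
    else:
        problems += [f"malformed vulnerability id {c!r}" for c in cves
                     if not VULN_ID.match(str(c))]
    if not isinstance(rec.get("supply_chain_claimed", False), bool):
        problems.append("supply_chain_claimed must be true or false")
    for f in ("financial_loss_usd", "financial_recovered_usd", "affected_count"):
        v = rec.get(f)
        if v is not None and (isinstance(v, bool) or not isinstance(v, (int, float)) or v < 0):
            problems.append(f"{f} must be a non-negative number, got {v!r}")
    resp = rec.get("cloud_shared_responsibility", "")
    if resp != "" and resp not in SHARED_RESPONSIBILITY:
        problems.append(f"cloud_shared_responsibility {resp!r} not in {sorted(SHARED_RESPONSIBILITY)}")
    if filename and not FILENAME.match(filename):
        problems.append(f"filename {filename!r} should look like YYYY-MM_slug.yaml")
    return problems


# Constructed sample, shaped like yaml.safe_load's output for a record in the
# Schema section's layout; it describes no real incident.
SAMPLE = {
    "source_name": "Example Advisory Feed",
    "source_url": "https://example.com/advisories/2024-001",
    "date_of_breach": "2024-03-29",
    "date_of_disclosure": "2024-04-02",
    "category": "supply-chain",
    "notes": "Backdoored release tarball of a compression library; tracked as CVE-2024-3094.",
    "cve": ["CVE-2024-3094"],
    "supply_chain_claimed": True,
}

if __name__ == "__main__":
    print(validate_record(SAMPLE, "2024-03_example-backdoor.yaml") or "ok",
          "lag_days:", disclosure_lag_days(SAMPLE))
```

To lint a real file, load it with PyYAML's `yaml.safe_load` and pass the resulting dict plus the file's basename; `safe_load` never instantiates arbitrary objects, which matters when the file comes from an untrusted pull request. One YAML subtlety the check surfaces: an unquoted `2024-03-29` is parsed by PyYAML as a `datetime.date`, not a string, and the validator will flag it, which is a good reason to keep dates quoted exactly as the schema shows.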

About

Breach intelligence notes: structured YAML records of breach reports, advisories, and cyber incidents
