A curated, fact-checked log of recent notable breaches — and, for each one, the specific security control that would have blunted it. Every incident is mapped to a real control from the cyber-insurance checklist and to a primary source. This is a hand-maintained list, not a real-time feed.
How to read this tracker
Most breaches are not exotic. They are a missing second factor, an exposed admin interface, an un-vetted vendor, or a staff member talked through an MFA prompt on the phone. For each incident below we name what happened, link the primary source, and map it to the exact control — by id — from the 47-control Cyber Insurance Prep Checklist that would have blunted it. The same controls your carrier asks about.
Newest first. Figures are reported as the cited sources report them — including where the numbers are still contested.
· Network edge / multi-sector
A large-scale campaign nicknamed FortiBleed harvested working administrator and SSL-VPN credentials from internet-facing Fortinet FortiGate firewalls. Attackers pulled configuration files from exposed devices and cracked the stored credential hashes offline — older FortiOS versions stored admin passwords with a legacy, comparatively fast-to-crack SHA-256 scheme (Fortinet has since moved to a stronger PBKDF2 hash in FortiOS 7.2.11, 7.4.8, and 7.6.1). Researchers verified working credentials on roughly 30,000 devices, with broader estimates near 75,000 — about half of all internet-facing Fortinet firewalls — across 194 countries. This was a credential-cracking campaign, not a zero-day: there is no single CVE behind FortiBleed.
The control that would have caught it
Require MFA for all remote access — VPN, RDP, and SSH.
A cracked password is worthless to an attacker who also needs a second factor on the VPN. MFA on all remote access is the control that turns a harvested credential into a non-event.
Require MFA for every privileged and administrator account.
The leaked logins were administrator credentials; MFA on every privileged account is what stops a cracked admin hash from becoming live access.
Do not expose Remote Desktop Protocol (RDP) directly to the internet.
The campaign only worked against firewalls whose management was reachable from the open internet; not exposing admin interfaces removes the attack surface entirely.
Apply critical operating-system patches within 30 days of release.
Upgrading to a FortiOS version with stronger password hashing was core remediation guidance — applying critical OS patches promptly is what closes the underlying weakness.
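As an added example (not part of the original page and not Fortinet tooling), the four controls above can be run as a triage pass over a firewall inventory. The version thresholds are the ones quoted in the incident summary; the inventory field names, hostnames and sample rows are constructed assumptions.

```python
# Added example: triage a firewall inventory against the four controls above.
# Inventory fields and sample rows are constructed for illustration.
import re

# First FortiOS release per branch with PBKDF2 admin hashing, as stated above.
PBKDF2_FIXED = {(7, 2): 11, (7, 4): 8, (7, 6): 1}


def hash_status(version):
    """Return 'pbkdf2', 'legacy' or 'unlisted' for a FortiOS version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = PBKDF2_FIXED.get((major, minor))
    if fixed is None:
        return "unlisted"  # branch not named on this page; check vendor guidance
    return "pbkdf2" if patch >= fixed else "legacy"


def triage(device):
    """List the control gaps for one inventory row (a dict)."""
    gaps = []
    status = hash_status(device["fortios"])
    if status == "legacy":
        gaps.append("upgrade: legacy admin password hashing")
    elif status == "unlisted":
        gaps.append("verify: branch has no PBKDF2 release listed here")
    if device["mgmt_on_wan"]:
        gaps.append("restrict: management interface reachable from internet")
    if not device["admin_mfa"]:
        gaps.append("enable: MFA on administrator accounts")
    if device["sslvpn_enabled"] and not device["vpn_mfa"]:
        gaps.append("enable: MFA on SSL-VPN users")
    return gaps


# Constructed sample inventory (hostnames and settings are made up).
INVENTORY = [
    {"name": "fw-branch-01", "fortios": "7.2.9", "mgmt_on_wan": True,
     "admin_mfa": False, "sslvpn_enabled": True, "vpn_mfa": False},
    {"name": "fw-hq-01", "fortios": "7.4.8", "mgmt_on_wan": False,
     "admin_mfa": True, "sslvpn_enabled": True, "vpn_mfa": True},
    {"name": "fw-lab-01", "fortios": "7.0.15", "mgmt_on_wan": False,
     "admin_mfa": True, "sslvpn_enabled": False, "vpn_mfa": False},
]

if __name__ == "__main__":
    for dev in sorted(INVENTORY, key=lambda d: -len(triage(d))):
        print(dev["name"], triage(dev) or ["no gaps found"])
```

A device that moves from `legacy` to `pbkdf2` still needs its administrator and VPN passwords rotated if its configuration may already have been copied, because a password cracked from the old hash stays valid until it is changed.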
· Telecommunications · Attributed to ShinyHunters
According to reporting, the extortion group ShinyHunters breached Charter Communications with no malware and no zero-day — a vishing (voice phishing) call compromised a Microsoft Entra identity account, which opened the door to Charter’s Salesforce environment, from which data was exfiltrated. The numbers are contested: ShinyHunters claimed more than 42 million records; Charter confirmed a breach but gave no figure, stating sensitive customer (CPNI) data was not exfiltrated. The breach-tracking service Have I Been Pwned later catalogued roughly 4.9 million unique email addresses from the leaked data. The entry method is the headline — a human, a convincing call, and a second factor that could be talked around.
The control that would have caught it
Require MFA for every privileged and administrator account.
The compromised account was an identity/admin login; carriers now expect phishing-resistant MFA (FIDO2 keys, passkeys) on privileged accounts — not just SMS or approve/deny push that a caller can talk a user through.
Require MFA for all cloud service consoles (AWS, Azure, M365 admin).
The path ran through Microsoft Entra into Salesforce; MFA on every cloud console is the control that keeps one social-engineered login from cascading across SaaS platforms.
Provide security awareness training to all employees annually.
The attack was a phone call. Security-awareness training that specifically covers vishing and help-desk impersonation is the human control that breaks the chain before MFA is ever tested.
Conduct phishing simulation exercises at least annually.
Simulated social-engineering exercises are how an organization proves staff can recognize the exact pretext used here, rather than relying on a once-a-year video.
· Education / SaaS vendor · Attributed to ShinyHunters
The learning platform Canvas, run by Instructure and used across a large share of higher education, was breached twice in the span of two weeks. Unauthorized access began April 25; Instructure detected the intrusion and revoked access on April 29, then posted its initial disclosure on May 1. A second incident on May 7 defaced login pages with a ransom message during final-exam season and was claimed by ShinyHunters. Instructure reported that the exposed data included names, email addresses, student ID numbers, and private messages, while stating it found no evidence that passwords, dates of birth, government IDs, or financial data were involved. Reporting tied the entry point to an issue connected to free teacher accounts and put affected institutions in the thousands; exact figures are still being established. The lesson: the attackers broke into the vendor schools depend on, not the schools themselves.
The control that would have caught it
Limit third-party vendor remote access to approved windows, with MFA.
Your data lives in vendors you don’t control. Limiting and governing third-party access — knowing which vendors hold your sensitive data and on what terms — is the third-party-risk control insurers price because they pay for it.
Maintain a written incident response plan.
A written incident-response plan that covers a vendor breach (who you notify, on what timeline, how you contain access) is what separated organizations that fared well from those that scrambled.
Monitor and address shadow IT (unapproved SaaS tools).
Free/unmanaged accounts were tied to the entry point; tracking shadow IT and unapproved SaaS is how an organization avoids inheriting a breach through a tool nobody vetted.
Every incident above maps back to controls underwriters verify. Find your gaps for free, then fix them with the checklist.
Reported figures vary by source and were accurate as of publication; this page is general security commentary, not specific security or underwriting advice. A checklist supports your application; it does not guarantee an underwriting decision.