February was a great month if you were a hacker. For everyone else, not so much.

Four major U.S. companies got hit. Tens of millions of records exposed. And the attack methods? The same ones we have been warning about for years: no multi-factor authentication, weak vendor security, and passwords being reused across every platform imaginable.

Here is what happened and what you should do about it.

One Group Did Most of the Damage

Before we get into the individual breaches, you need to know the name ShinyHunters.

ShinyHunters is the cybercriminal group responsible for multiple major breaches this month alone. They are not new and they are not slowing down. They are not going after complex vulnerabilities either; they are walking through doors that should have been locked years ago.

The Breaches

1. Conduent — 25 Million Americans

Conduent is a government services contractor most people have never heard of, and that is the problem. When their systems were breached, over 25 million Americans had names, Social Security numbers, healthcare records, and payment information exposed. Multiple state agencies were affected. Most victims had no idea Conduent even had their data.

How it happened: A third-party vendor breach. Someone got into Conduent’s systems and walked out with data from dozens of downstream clients.

2. CarGurus — 12.5 Million Users

ShinyHunters stole data from 12.5 million CarGurus accounts: names, emails, hashed passwords, and finance application data from users who submitted income and credit information while car shopping.

How it happened: Social engineering. Someone convinced an authorized user to hand over access. One conversation was all it took.

3. Panera Bread — 5.1 Million Accounts

This is Panera’s second major breach in two years. 5.1 million accounts exposed: names, emails, loyalty data, and partial payment info. Seven class action lawsuits filed. Apparently the first breach was not enough of a wake-up call.

How it happened: Unauthorized access through weak authentication on a customer database.

4. PayPal — 35,000 Accounts

Smallest in scale, highest in severity. PayPal confirmed that names, emails, SSNs, and dates of birth were exposed and money was stolen, all because users reused passwords from previously breached platforms.

How it happened: Reused passwords. That is it. Someone used the same password on PayPal that they used on a platform that was previously breached, and attackers banked on it.

What This Actually Means

No sophisticated hacking. No zero-day exploits. Just unlocked doors: no MFA, no vendor audits, no monitoring. Ask yourself three questions:

  1. Is MFA enforced on every account your team uses?
  2. Have you audited your vendors in the last 12 months?
  3. Would you know if someone accessed your systems today?

If any answer is “no,” you share the same gaps that exposed millions of Americans last month.

The businesses that don’t get breached aren’t lucky. They’re prepared.

Published: Mar 3, 2026

Gabriela Noce
Gabriela Noce is the Chief Marketing Officer at GiaSpace, leading branding, digital strategy, and performance marketing to drive business growth. With expertise in content marketing, SEO, and creative campaigns, Gabriela translates complex IT topics into clear, relevant content for business leaders. She brings a data-driven mindset to ensure GiaSpace's messaging is helpful and client-focused.