Multiple high‑profile breaches disclosed

Several big consumer brands disclosed fresh data exposures in the past two days, with Rockstar Games, Booking.com and Basic-Fit all tied to separate reports of customer or business records being accessed or leaked. (bleepingcomputer.com) The largest claim came from the ShinyHunters extortion group, which posted what it said were 78.6 million Rockstar Games records taken through Anodot’s access to Snowflake customer environments. BleepingComputer reported Rockstar confirmed a breach of “limited” information, while researchers tied the broader campaign to stolen third-party tokens rather than a direct break-in at Snowflake itself. (bleepingcomputer.com) (cloud.google.com) (bleepingcomputer.com) Booking.com said hackers may have accessed reservation data that included names, email addresses, phone numbers, addresses, booking details and messages shared with properties. The company told multiple outlets that payment card data was not accessed, and it reset reservation Personal Identification Number codes for affected bookings. (techcrunch.com) (bleepingcomputer.com) Basic-Fit said a breach affected about 1 million members across several European countries, including roughly 200,000 in the Netherlands alone. Reuters and BleepingComputer reported the exposed data included names, dates of birth, contact details and bank account numbers, but not passwords, identity documents or workout data. (reuters.com) (bleepingcomputer.com) A fourth case is less verified: the ransomware group BLACKWATER claimed it stole 3.3 terabytes from Turkey’s Medical Park Hospitals Group. Medical Park’s website says the company operates hospitals across Turkey, but no public confirmation of the claimed theft was available in the sources reviewed on April 14, 2026. (medicalpark.com.tr 1) (medicalpark.com.tr 2) The common thread is not one company or one country but the kind of data involved: reservation details, bank account information and internal analytics records can all be used for follow-on fraud. Booking.com users have already reported phishing emails, calls and WhatsApp messages tied to real travel plans, which makes fake messages harder to spot. (cybernews.com) (techcrunch.com) The Rockstar case also points back to a problem that has been building since 2024, when Mandiant and Snowflake said attackers were targeting customer accounts with stolen credentials. In the new wave, BleepingComputer reported that attackers abused access held by software integrators such as Anodot, turning one vendor connection into a path toward many downstream customers. (cloud.google.com) (bleepingcomputer.com) The disclosures also show how uneven breach reporting still is. Booking.com has not publicly said how many reservations were affected, Rockstar has characterized its incident as limited, and the Medical Park claim remains only a criminal allegation as of Tuesday, April 14. (techcrunch.com) (bleepingcomputer.com) (medicalpark.com.tr) For customers, the immediate risk is not only that data was taken but that the stolen details can make the next scam look legitimate. For the companies involved, the next steps are now familiar: notify users, rotate credentials and tokens, narrow what third parties can reach, and show whether the reported numbers hold up under formal investigation. (bleepingcomputer.com 1) (bleepingcomputer.com 2)