Back to Blog
high severity April 22, 2026 · scope unconfirmed

Baresque Group Listed by aurora Ransomware Group

[design] Baresque Group — a respected commercial-interiors company headquartered in Perth, Australia, with offices in Dallas, Chicago, and Brussels. The exposed material includes: 100+ passport scans, 35 birth certificates, 60+ driver's licences, 50+ TFN declarations — the complete identity-theft toolkit for the entire workforce, spanning Australia, the US, and Europe. Plaintext credentials for every critical system — Microsoft 365, HR platform (Elmo Talent), remote-access gateway (LogMeIn), phone system (3CX), ERP (Jim2) — all in browser-export CSVs and an enterprise-wide Password_Listing.x

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed April 22, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On April 22, 2026, the Aurora ransomware group added Baresque Group to its leak site, exposing internal files from the Australian commercial-interiors company that include 100+ passport scans, 35 birth certificates, 60+ driver’s licences, and 50+ TFN declarations belonging to employees across Australia, the United States, and Europe.

Confirmed Facts from Public Reporting

Available reporting describes Baresque Group as a respected commercial-interiors firm headquartered in Perth with additional offices in Dallas, Chicago, and Brussels. The data set posted to the Aurora leak site contains plaintext credentials for every major system the company uses: Microsoft 365, the Elmo Talent HR platform, the LogMeIn remote-access gateway, the 3CX phone system, and the Jim2 ERP. These credentials appear in browser-export CSV files and a master spreadsheet named Password_Listing.xlsx. The exposed identity documents constitute a near-complete kit for identity theft targeting the entire workforce. No confirmed victim count has been released, and the precise date of initial compromise remains undisclosed in current public reporting.

Why This Matters for You and Your Family

When a company you work for, do business with, or have ever given your personal documents to suffers a breach like this, your full identity package can end up on the dark web within days. Passport scans, birth certificates, driver’s licences, and tax file numbers give criminals everything needed to open accounts, file fraudulent tax returns, or impersonate you at government agencies. The plaintext passwords for enterprise systems mean that any employee who reused those credentials at home now faces immediate risk of account takeover on personal email, banking, or social media. Your family members listed as emergency contacts or dependents can also be pulled into the same chain of exposure.

The Doxxing and Identity-Chain Implications

Identity documents rarely stay isolated. A scanned passport linked to an email address can be correlated with usernames found in the credential dump, then tied to social-media handles, gaming accounts, and family addresses. Once attackers map these connections, they can launch targeted doxxing campaigns, SIM-swapping attacks, or extortion attempts that affect every member of a household. Credential leaks of this type frequently cascade into gaming-platform takeovers, especially for children whose parent accounts share the same passwords or recovery emails. Public reporting indicates that such combined datasets accelerate the speed at which a single breach becomes a multi-year identity nightmare.

Aurora Ransomware Group’s Known Track Record

Public reporting attributes the Aurora ransomware group with emerging in late 2024 and rapidly establishing a double-extortion model that combines data theft with encryption. The group has listed dozens of organizations ranging from manufacturing firms to professional-services companies. Its typical playbook begins with initial access through compromised credentials or remote-desktop vulnerabilities, followed by broad internal exfiltration over several weeks. Aurora then demands payment to prevent publication, posting samples and eventually full datasets on its leak site when victims do not meet extortion deadlines. The Baresque Group listing follows this established pattern.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity so you can begin no-subscription cleanup of exposed records.
  • Rotate every password found in the Baresque Group dump anywhere it has been reused and switch to 2FA using an authenticator app instead of SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your family is caught in hours rather than months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts which often chain back to the same credentials or addresses.
  • Let remediation specialists handle takedown requests across data brokers and threat platforms while you focus on securing your own accounts.

The speed with which stolen identity documents and credentials circulate means the window for effective action is measured in days, not months. Starting protective steps now can limit how far this breach reaches into your life and the lives of your children. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping that connects online handles to real identities, and hands-on remediation by specialists who manage takedowns for you and your entire household, including children’s gaming accounts that are frequently targeted after credential leaks like this one.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.