NightSpire claims PriceTable breach, security firms warn of possible data leak

NightSpire, a ransomware group security analysts say has been active since February 2025, publicly claimed responsibility for an intrusion of PriceTable, a U.S. technology company that operates at pricetable.io, warning that sensitive information could be published unless demands are met. Cyber-intelligence sites reported the claim on February 28, 2026 and captured a short threat actor statement: "Data is not available now."

Timeline fields published by HookPhish give a Date of Breach of 2026-02-21 00:00:00.000000 and a Discovery Date/time of 2026-02-28 14:30:33.752714, while DeXpose and Malware News list February 28, 2026 as the date the group publicly claimed responsibility. The sources do not include an on-the-record statement from PriceTable, and there is no public confirmation from law enforcement or an outside forensic firm in the material provided to reporters.

Researchers and incident summaries assembled by Ahnlab and Cmitsolutions portray NightSpire as operating like a Ransomware-as-a-Service enterprise that commonly uses double-extortion tactics: encrypting victim systems, exfiltrating data, and threatening public release via a dedicated leak site with countdown timers. Ahnlab notes the group communicates through channels such as "ProtonMail, OnionMail, and Telegram channels" and has targeted companies across multiple industries and countries. Cmitsolutions points to a January 19, 2026 claim by NightSpire against Hyatt Hotel Corporation, in which the group allegedly released a 48.5GB cache on the dark web, a sample that included employee personally identifiable information, vendor records, invoices, and digital signatures.

Those prior claims underline the potential stakes for PriceTable customers and partners, because Cmitsolutions characterizes the impact of a comparable incident as "HIGH - Confidentiality and Integrity loss; potential for lateral movement via stolen credentials." Security advisories compiled in the reporting recommend firms assume exfiltration is possible, secure immutable or offline backups, and prepare for an uptick in phishing and social-engineering attempts tied to the leak. As Cmitsolutions bluntly puts it, "A backup you can't restore is worthless during a ransomware attack."

Despite the public claim and the timeline metadata, critical questions remain unanswered. None of the available summaries specify what, if any, PriceTable systems were encrypted, what categories of data may have been taken, or whether the company has engaged incident responders. The terse threat actor line "Data is not available now" is ambiguous; it does not clarify whether NightSpire intends to publish material, whether it has provided proof, or whether negotiations are underway.

For organizations that work with PriceTable or use its services, the immediate risk is twofold: exposure of sensitive business or customer data if exfiltration occurred, and follow-on phishing and credential abuse if employee records were part of a leak. Security teams are being urged to verify backups, reset exposed credentials, increase email scrutiny, and monitor the dark web and dedicated leak sites for proof material linked to the pricetable.io domain.

Reporters and investigators say the next steps are clear: obtain a direct response from PriceTable, request forensic indicators from any engaged incident response firms, and seek confirmation from national cyber authorities. Until an authoritative technical assessment is released, the public claims by NightSpire and the historical pattern of large data dumps tied to the group are the primary basis for assessing risk.