Skip to main content
    ChemVerify
    Quality Verification

    The Janoshik Data Breach: What a 2026 Testing-Lab Compromise Means for COA Trust

    In February 2026, Janoshik Analytical disclosed a data breach exposing customer order and shipping data. What was reportedly exposed, the ISO 17025 question, and what it means for COA trust.

    ChemVerify Editorial
    8 min read
    Published June 14, 2026

    For laboratory research use only. Not for human consumption.

    TL;DR: Janoshik Analytical — the third-party lab whose certificates of analysis are widely cited across the research-peptide market — disclosed a data-security incident in February 2026. According to the lab's customer notification as relayed across community channels, an attacker gained unauthorized access on or around early February 2026, copied customer database content (contact and order/invoice data, shipping/billing addresses, test reports, uploaded sample images, and IP metadata), and attempted extortion. Janoshik reportedly said it found no evidence of stolen funds or accessed email inboxes. Notably, the disclosure describes an exposure of customer data, not of the testing science: COA verification via Janoshik's QR-code and unique-key portal at public.janoshik.com reportedly continued to function, and a correctly verified certificate is not retroactively invalidated by a breach of customer records.

    Last verified: June 2026 | Breach details attributed to secondary/community sources relaying Janoshik's notification; not independently confirmed against a primary lab statement.

    Was Janoshik hacked, and what was reportedly exposed?

    Janoshik Analytical, a Prague-based independent laboratory whose certificates of analysis (COAs) are referenced by a large share of research-peptide vendors, disclosed a data-security incident in February 2026. According to the lab's customer notification as relayed across community channels, an unauthorized party accessed its systems on or around early February 2026; Janoshik reportedly took systems offline and restored service within about a day, then notified customers. As described in those relays, the exposed material was a copy of customer-side database content — not the chemical methods, instruments, or the integrity of past test results. A primary disclosure on a Janoshik-controlled domain could not be independently retrieved for this article, so the specifics below should be read as the lab's reported account rather than independently confirmed fact.

    According to the relayed notification, the copied data may have included a combination of contact information, order and invoice records, shipping and billing addresses where provided, test reports and report-related data, images of samples or packages uploaded during the testing workflow, and limited technical metadata such as IP addresses. The disclosure reportedly also described an extortion attempt following the copying of the data. Janoshik is reported to have stated it had no evidence that customer funds were stolen, that unauthorized charges occurred, or that customer email inboxes were accessed. The disclosure, as relayed, did not specify a number of affected customers or records.

    • Contact information (names, emails)
    • Order and invoice / billing records
    • Shipping and billing addresses (where supplied by the customer)
    • Test reports and report-related data
    • Images of samples or packages uploaded during testing
    • Limited technical metadata, including IP addresses

    What the breach reportedly did not change: the testing chemistry

    A testing-lab compromise has two distinct surfaces that are easy to conflate: the customer/order database (a conventional IT asset) and the analytical record (the instrument data and certificates the lab produces). The February 2026 incident, as described in the lab's relayed notification, concerned the former. There is no indication in the disclosure that high-performance liquid chromatography (HPLC) purity runs, liquid chromatography–tandem mass spectrometry (LC-MS/MS) identity confirmation, gas chromatography–mass spectrometry (GC-MS) contaminant screening, or endotoxin and sterility assays were altered, nor that previously issued certificates were tampered with.

    This distinction matters for how the event reads analytically. A purity value or mass-confirmed identity on a legitimately issued, correctly verified COA reflects an analytical measurement made on a submitted sample; a data breach exposing the customer who ordered that test does not change the chromatogram. On the account given, the risk created by this incident is a privacy and social-engineering risk to individuals whose order data was exposed — not a measurement-validity risk to the certificates themselves.

    How a testing-lab breach affects the COA verification chain

    Janoshik issues each certificate with a unique key and QR code that can be checked against its public database at public.janoshik.com, a mechanism designed to let anyone confirm a certificate is authentic and detect forged or doctored documents. That verification path is the load-bearing element of COA trust: a PDF circulated by a vendor is only as reliable as its match against the issuing lab's own record. According to the disclosure as relayed, the breach did not disable this portal, and the lab reported that its services resumed within roughly a day of detection.

    Where a breach can erode trust is indirectly. Exposed order data and report metadata could give bad actors raw material to fabricate convincing fake COAs — copying real test IDs, batch references, and formatting to lend forgeries surface credibility. That dynamic raises rather than lowers the value of verifying a certificate at the source. A document that looks like a Janoshik COA but does not resolve to a matching record in the lab's own verification system is, by definition, unverified, regardless of how authentic it appears. The general principle is unchanged by any incident: a verified record is more reliable evidence than a forwarded file.

    Verification signalWhat it confirmsWhat the breach reportedly changes
    QR code / unique key resolves at public.janoshik.comThe certificate exists in the issuing lab's own databaseUnchanged — portal reportedly remained operational; still the authoritative check
    Reported purity / identity valuesAn analytical measurement on the submitted sampleUnchanged — chemistry and instruments were not implicated in the disclosure
    A forwarded PDF from a vendorNothing on its own until verified at sourceHigher forgery risk — exposed metadata could aid convincing fakes
    Customer / order details on the certificateWho ordered the testReportedly exposed — privacy and phishing risk to that individual

    The ISO 17025 accreditation question

    The incident has renewed a long-standing question about the lab's standing: is Janoshik ISO/IEC 17025 accredited? Based on the available community record, it is not. ISO/IEC 17025 is the international standard specifying the general requirements for the competence, impartiality, and consistent operation of testing and calibration laboratories. Accreditation to it, granted by a recognized accreditation body, is formal third-party evidence that a lab operates competently and produces valid results — which is why, as ISO and accreditation bodies describe, suppliers and regulatory authorities in many contexts will not accept test results from a non-accredited laboratory.

    Janoshik operates outside that accreditation framework, and community sources frame this as an industry-wide condition rather than a Janoshik-specific failing: the independent labs commonly cited in the research-peptide market generally do not hold ISO/IEC 17025 accreditation for the specific peptide assays they run. The practical consequence is that a Janoshik COA does not carry formal regulatory weight; in general, results from a non-accredited laboratory would not be treated as accredited evidence by regulatory bodies. Within the unregulated market it serves, the lab is frequently described as one of the most widely used options for independent verification — but that is a statement about market adoption, not about accreditation status. Information security is a separate axis again: ISO/IEC 17025 governs technical testing competence, not the IT controls that a data breach tests.

    What the incident means for those relying on Janoshik COAs

    For anyone whose data was in the exposed set, the account describes an informational exposure: contact details, addresses, and order history that could be reused in extortion or phishing attempts. Janoshik reportedly advised recipients to ignore extortion or 'we have your data' messages, noting that it communicates only from @janoshik.com addresses and will never ask anyone to share passwords, private keys, remote access, or payment to 'remove your data.' On that framing, a message demanding payment to delete leaked data is the extortion attempt itself, not a remediation offer.

    For COA reliance specifically, the analytical takeaway is that source verification remains the deciding signal. A certificate that resolves to a matching record in the issuing lab's own portal reflects a measurement that was made on a submitted sample; a certificate that does not resolve is unverified by definition. An exposed customer database does not invalidate a measurement that was correctly performed and is correctly verifiable. If anything, the existence of exposed metadata is a reason that source verification — rather than the appearance of a document — carries the weight.

    Frequently Asked Questions

    Was Janoshik hacked in 2026?

    According to the lab's customer notification as relayed across community channels, yes: Janoshik Analytical disclosed a data-security incident in February 2026 in which an unauthorized party accessed its systems, copied customer database content, and attempted extortion. The lab is reported to have detected the access, taken systems offline, restored service within about a day, and notified customers. A primary disclosure on a Janoshik-controlled domain could not be independently retrieved, so these details rest on secondary sources.

    What customer data was reportedly exposed in the Janoshik breach?

    According to the relayed notification, the copied database may have included contact information, order and invoice records, shipping and billing addresses where provided, test reports and related data, images of samples or packages uploaded during testing, and limited technical metadata such as IP addresses. The disclosure did not state a specific number of affected customers or records. Janoshik is reported to have found no evidence of stolen funds or accessed email inboxes.

    Does the breach mean Janoshik COAs are no longer trustworthy?

    Not on that basis alone. As described, the incident affected customer and order data, not the analytical instruments or the integrity of issued certificates. A certificate that resolves correctly against Janoshik's verification portal at public.janoshik.com still reflects the measurement made on the submitted sample. The reported exposure of metadata increases the value of verifying each COA at the source, because such data could help bad actors fabricate convincing fakes.

    Is Janoshik ISO 17025 accredited?

    Based on the available community record, no — Janoshik does not appear to hold ISO/IEC 17025 accreditation for the peptide assays it performs, which means its certificates do not carry formal regulatory weight and would not generally be treated as accredited evidence by regulatory bodies. Community sources frame this as common across independent labs serving the research-peptide market rather than unique to Janoshik. ISO/IEC 17025 governs technical testing competence and is a separate matter from the information-security questions a breach raises.

    How can you tell if a Janoshik certificate of analysis is genuine?

    Each Janoshik certificate carries a unique key and a QR code that can be checked against the lab's public database at public.janoshik.com. A genuine certificate resolves to a matching record in that system; a forwarded PDF that does not match is unverified. Where report metadata may have been exposed, source verification is the most reliable signal — not the appearance of the document.

    What does Janoshik say about extortion or 'we have your data' messages?

    Janoshik is reported to have advised recipients not to engage with extortion or phishing messages. According to the relayed notification, the lab communicates only from @janoshik.com addresses and will never request passwords, private keys, remote access, or payment to 'remove your data' — so any message demanding payment to delete leaked data is the extortion attempt itself. Janoshik reportedly said it would post incident updates through its own channels.

    Verify a peptide source on ChemVerify — independent COA checks and price comparison for laboratory researchers.

    Further Reading on ChemVerify

    • Are Research Peptides Legal? -> /learn/are-research-peptides-legal
    • Research-Use-Only (RUO) Legal Status for Peptides: Complete Guide -> /learn/research-use-only-ruo-legal-status-for-peptides-complete-guide
    • FDA Peptide Reclassification 2026: 14 Peptides Return to Category 1 -> /learn/fda-peptide-reclassification-2026-category-1
    • Verify a Certificate of Analysis -> /verify
    • Compare Verified Peptide Sources -> /compare

    Compare Verified Vendors

    Browse COA-verified suppliers with exclusive discount codes and transparent pricing.

    You Might Also Like

    Related Content