Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
WordPress Security
Admin Account Compromise Cyber Threats Data Breach Payment Card Skimmer Plugin Vulnerability Supply Chain Attack Website Takeover WooCommerce Security WordPress Security

WordPress Plugin Security Failure Opens Door to Payment Data Theft


 

Cybercriminals have been actively exploiting a critical flaw in the widely deployed Funnel Builder plugin in order to harvest customer payment information during online transactions in a newly uncovered attack campaign, once again highlighting the security risks that face the WordPress e-commerce ecosystem. 

According to security researchers, attackers are exploiting this vulnerability to silently inject malicious code into WooCommerce checkout pages, transforming legitimate payment workflows into points of data collection that are used to steal payment card information. 

Approximately 40,000 websites are reported to have been infected with the plugin, posing a serious threat to online retailers as the vulnerability exposes sensitive customer data, including payment card information, CVV number, billing information, and other personal identifiers, to unauthorized access. Linked to the discovery was an extensive security incident affecting the WordPress ecosystem, in which researchers discovered malicious code embedded within several widely used plugins, allowing attackers to gain access to vulnerable sites at an administrator level. 

The full scope of the attack is still being investigated, but early indications indicate that a number of plugins with significant installations may have been affected, thereby expanding the attack surface substantially. 

A threat actor may be able to bypass conventional authentication controls by create privileged accounts covertly and gain persistence over website environments. This allows them to manipulate content, exfiltrate sensitive business and customer data, deploy additional malware payloads, or take full control of the affected platform by manipulating site content. It is important to understand how a single compromised plugin component can quickly become a source of global supply chain security concerns, presenting a heightened risk to both website operators and their users. 

Based on further analysis, it was found that the vulnerability emerged from an unauthenticated flaw in Funnel Builder versions before 3.15.0.3, which enabled attackers to manipulate key plugin settings without requiring valid credentials.

More than 40,000 WordPress websites are hosting the plugin, which is widely used by WooCommerce merchants to create customized checkout experiences, landing pages, and sales funnels focused on conversions, amplifying the impact of exploitation. According to Sansec researchers, the malicious activity was associated with a deceptive JavaScript payload disguised as Google Analytics or Google Tag Manager components. 

A WebSocket connection is established between the script and the attacker-controlled infrastructure, and the script abuses a vulnerable checkout endpoint to inject arbitrary code into the plugin's External Scripts configuration. 

By loading malicious JavaScript automatically during checkout pages, a tailored payment skimmer silently captures the customer's credit card numbers, CVV codes, billing details, and other information provided by the customer. It is common for stolen payment data to be monetized through fraudulent purchases or traded on underground carding markets.

FunnelKit has addressed the issue by releasing version 3.15.0.3, and acknowledges unauthorized script injection activity has been reported. The security update must be deployed immediately, but administrators should also inspect checkout-related script configurations for unauthorized entries that may have been introduced prior to the security update implementation. 

A review of software supply chain security within the WordPress ecosystem has also been initiated following the incident. Investigations are underway to determine whether the compromise resulted from vulnerabilities within plugin development workflows, third-party dependencies, or supporting infrastructure utilized during software development. 

The threat actors are increasingly targeting the development environment and shared code libraries, since a successful intrusion can propagate malicious functionality across a wide range of downstream deployments. There are indications that the injected code in this case is intended to circumvent standard authentication controls in order to establish privileged access to the account, perhaps by manipulating back end data structures or abusing application logic responsible for account provisioning.

After gaining access to the administrator-level accounts, attackers have broad control over the affected environment, allowing them to deface the website, steal customer records, and deploy additional malware, as well as maintain persistent access to the environment. As a consequence of the compromise, there are also opportunities for secondary abuse, including the insertion of phishing content, malicious redirects, and SEO spam intended to manipulate search engine rankings without being noticed by site operators. 

Aside from the immediate technical impact, organizations may be liable for considerable recovery costs, regulatory obligations relating to data exposure, incident response expenses, and long-term reputational damage, particularly if customer trust and online transactions form an integral part of their business model. WordPress plugin compromises serve as a reminder that cyber threats are increasingly targeting trusted components that support digital businesses rather than the businesses themselves. 

A number of websites can become entry points for large-scale abuse as attackers continue weaponizing software dependencies, plugin ecosystems, and checkout infrastructure. Organizations which rely on WordPress and WooCommerce require security management that transcends patching vulnerabilities as soon as they are discovered; it is imperative to continuously monitor third-party components, implement strict access controls, detect proactive threats, and regularly review the integrity of the website.

Keeping visibility across the entire application supply chain remains one of the most effective ways to combat emerging threats, particularly in an environment where a single compromised plugin may compromise sensitive customer information.
Read more »
pharmaceutical services
Data Breach financial data exposure Healthcare pharmaceutical services

West Pharmaceutical Services Reports Data Breach and Encrypted Systems

 




West Pharmaceutical Services has confirmed that it suffered a cybersecurity incident that resulted in both data theft and the encryption of parts of its internal network, making it the latest major manufacturing and healthcare-related company to face operational disruption from a cyberattack.

In a filing submitted to the U.S. Securities and Exchange Commission (SEC), the company stated that it identified suspicious activity on May 4, 2026, and later determined on May 7 that an unauthorized actor had exfiltrated certain data and encrypted multiple systems within its environment. The company described the breach as a “material cybersecurity attack,” indicating that the incident was serious enough to potentially affect operations or business continuity.

Following the initial detection of the intrusion, West Pharmaceutical said it immediately activated its incident response procedures. As part of its containment efforts, the company proactively shut down and isolated affected systems across its global infrastructure, restricted access to enterprise resources, informed law enforcement authorities, and brought in external cyber-forensic specialists to assist with the investigation and recovery process.

The investigation into the incident is still ongoing, and the company says it is currently working to determine the full scope and nature of the breach, including exactly what type of information may have been stolen during the attack.

West Pharmaceutical Services is a publicly traded American pharmaceutical manufacturing company and a member of the S&P 500 index. The firm generates more than $3 billion in annual revenue and employs over 10,800 people worldwide. Its business focuses heavily on injectable drug packaging systems, syringe and vial components, containment technologies, and medical drug delivery devices used throughout the healthcare and pharmaceutical sectors.

The cyberattack disrupted several parts of the company’s global operations, particularly systems tied to manufacturing, shipping, and other enterprise functions. West Pharmaceutical stated that some of its core systems supporting production and distribution activities have now been restored, while manufacturing operations have partially resumed in certain areas. However, the company acknowledged that the full restoration process has not yet been completed and did not provide a timeline for when all systems are expected to return to normal operation.

At this stage, the company has also not estimated the financial impact the incident may have on its business.

West Pharmaceutical further stated that it has taken measures intended to reduce the risk of the stolen information being distributed or exposed publicly, although it did not disclose what those mitigation steps involve.

In a statement shared after media inquiries, a company spokesperson said the organization initiated both incident response and crisis management procedures immediately after discovering the intrusion. The company added that containment actions included shutting down and isolating affected on-premises infrastructure, limiting access to enterprise systems, and implementing additional technical and organizational security measures.

West Pharmaceutical also confirmed that it engaged Palo Alto Networks’ Unit 42 incident response team to assist with containment, forensic analysis, and system recovery efforts alongside outside legal counsel and other external experts.

As of now, no ransomware group has publicly claimed responsibility for the attack. However, cybersecurity analysts note that incidents involving both data exfiltration and system encryption often resemble modern double-extortion ransomware operations, where attackers not only lock systems but also threaten to leak stolen information to pressure victims into negotiations.

The incident also reflects a broader trend affecting manufacturing and healthcare supply chains, sectors that have increasingly become targets for cybercriminal groups because operational downtime can quickly disrupt production, logistics, and critical services. Security experts continue to warn that attacks against pharmaceutical and healthcare-related manufacturers can have consequences extending beyond financial losses, particularly when production environments and supply chain systems are affected.

Read more »
stolen data
BWH Hotels Data Breach Login Credentials scams stolen data

BWH Hotels Confirms Cyberattack Exposed Customer Reservation Information

 



BWH Hotels, the parent company of hotel brands including Best Western Hotels & Resorts, WorldHotels, and SureStay Hotels, has disclosed a cybersecurity incident that exposed sensitive guest reservation data.

The company recently began notifying affected individuals after detecting unauthorized access within its systems earlier this year. According to the breach notification, BWH Hotels discovered the incident on April 22, 2026. The organization said attackers managed to obtain customer information stored within a web application connected to hotel reservations.

The stolen data reportedly includes customers’ names, email addresses, phone numbers, and home mailing addresses. Reservation-related details were also accessed, including booking confirmation numbers, stay dates, and special requests submitted by guests during reservations.

While the company did not reveal how many individuals were impacted, the exposed information appears to cover records generated between October 14, 2025, and April 22, 2026. BWH Hotels also did not specify how long the attackers may have remained inside its systems before the intrusion was identified.

According to the company’s Chief Technology Officer Bill Ryan, the attackers exploited a weakness in a web-based application that stored certain guest reservation information. However, the company stated that the compromised environment did not contain customers’ payment card details or banking information.

After identifying the intrusion, BWH Hotels said it immediately disabled the affected application and blocked the unauthorized access. The company also confirmed that external cybersecurity specialists were brought in to assist with the investigation, incident response, and additional security improvements.

Ryan further warned customers to remain cautious when receiving unexpected communications related to hotel reservations or travel bookings. Cybercriminals frequently use stolen reservation data to launch convincing phishing campaigns by impersonating hotels, travel agencies, or customer support teams.

The company advised customers not to respond to suspicious emails, text messages, WhatsApp messages, or phone calls requesting payments, login credentials, security codes, or verification details, even if those communications appear to reference an upcoming reservation or a BWH Hotels property. Customers were also encouraged to visit official websites directly instead of clicking links sent through messages.

Cybersecurity experts have repeatedly warned that hospitality companies remain attractive targets for attackers because hotel reservation systems store large volumes of personal information connected to travel activity. Even when financial records are not exposed, reservation data can still be valuable for social engineering scams, identity fraud, and targeted phishing operations.

In recent years, researchers have observed a rise in travel-related phishing schemes where attackers use stolen booking information to send fake payment requests or fraudulent reservation updates. Because these messages often contain real travel dates or hotel details, victims may find them more believable than ordinary scam attempts.

BWH Hotels operates approximately 4,300 properties across more than 100 countries and generates annual revenue exceeding $8.5 billion, making it one of the largest hospitality groups globally. The company has not publicly attributed the incident to any specific threat actor, and it remains unclear whether additional customer information may have been affected as the investigation continues.

Read more »
ShinyHunters
Canvas LMS Data Breach Instructure Breach Login Page Defacement Ransomware Attack School Cyberattack ShinyHunters

Threat Campaign Targets School Login Systems After Alleged Instructure Hack


 

The initial appearance of a routine service disruption within one of the most widely used academic learning platforms in the world quickly evolved into a significant cybersecurity issue as threat actors associated with the ShinyHunters group allegedly compromised Instructure's Canvas system. 

A large number of educational institutions experienced widespread operational instability as a result of the incident, which exposed sensitive academic and identity-related records, disrupted coursework timelines, and resulted in the defacement of several school authentication portals. 

A growing concern over the potential release of a data set reportedly affecting thousands of institutions as well as hundreds of millions of students and employees led Instructure to reveal that it had reached an agreement with the unauthorised actor responsible for the intrusion language that cybersecurity analysts interpreted as an indication of ransom negotiations. ShinyHunters collective claims to have successfully compromised Instructure's infrastructure for the second time in just a few weeks, further escalating the issue. 

The breach resulted in school authentication portals were made public and were affected in addition to backend systems. The incidents took place during final examination periods across several institutions using Canvas, causing even more disruption for administrators, educators, and students experiencing intermittent outages as a result of the earlier intrusion disclosed on April 30.

The Instructure platform had acknowledged that "criminal threat actors" were responsible for unauthorized access to parts of its environment, but subsequent activity indicates the attackers were still able to manipulate externally accessible services. 

When threat actors were reportedly injected malicious HTML components into Canvas login pages, unauthorized message prompts were found attributed to ShinyHunters, effectively defacing the authentication screens utilized for coursework management, assignment submissions, and academic communication, multiple Canvas login pages were later found displaying unauthorized messages attributed to ShinyHunters.

According to the message posted by the group, the allegedly stolen data will be made public on May 12 unless the company enters into a "settlement" negotiations. Parts of Instructure's online infrastructure appeared unstable during the escalation process, with some services intermittently returning "too many requests" errors while Canvas displayed maintenance notices indicating ongoing remediation and containment efforts throughout the company's network infrastructure. 

According to further disclosures, the breach affected a wide spectrum of academic stakeholders, including students, faculty, and institutional staff, with portions of information reportedly relating to minors. Despite Instructure's claims that passwords and highly sensitive authentication credentials were not compromised, the attackers are said to have obtained substantial amounts of information regarding personal identification and platform usage, such as usernames, e-mail addresses, student identification numbers, and private communications exchanged within the learning management system. 

According to the company, the initial compromise was terminated, remediation measures were implemented across the affected systems, and Canvas services were restored after containment procedures were initiated to prevent additional intrusions. However, ShinyHunters later stated it had successfully breached the platform again, this time targeting institution-specific authentication portals, thereby putting the company under pressure to enter into a settlement negotiation related to the earlier data theft, despite these efforts. 

As part of the extortion attempt, the group used stolen data as a means of coercion following network intrusions, which is a well-established operational pattern, however, the apparent recurrence of unauthorized access raised concerns regarding residual vulnerability issues within Instructure's network infrastructure. Canvas was brought offline once again following the second disruption, prompted the company to remove the component identified as being at the root of the incident  the Free-for-Teacher environment. 

Instructure acknowledged in an updated incident disclosure that investigators had identified a vulnerability associated with support ticket functionality within the Free-for-Teacher system, which threat actors allegedly exploited to facilitate the latest security breach. By putting the incident on its leak portal, ShinyHunters had earlier accepted public responsibility for the initial intrusion. 

The tactic is commonly used by ransomware and extortion-focused groups to increase pressure on targets by threatening data release under controlled circumstances. In the wake of the recent compromise, the attackers have attempted to reach out directly to media outlets regarding the defaced Canvas login pages, suggesting they are attempting to escalate the attack not only against Instructure but also against the thousands of educational institutions that rely on the platform for their operations. During ongoing negotiations regarding the previously stolen data, cybersecurity analysts viewed the public defacement as an attempt to amplify reputational and operational pressures. 

In spite of the fact that there is no clear indication of how the school-specific authentication pages were compromised, ShinyHunters officials have indicated the breach has been a separate one from the original attack, but declined to provide any further technical information regarding the method used to gain access to the system. 

The group claims to have stolen data from nearly 9,000 educational institutions around the world; these records are believed to belong to approximately 231 million people. Following the earlier compromise, the group claimed to have exfiltrated information related to nearly 9,000 educational institutions. 

A key component of the campaign was a mirroring of the threat group's established operating model, which is typically composed of a combination of network intrusion, public exposure of victims through leak sites, and sustained extortion efforts to maximize financial leverage following the theft of large amounts of data. There has been an increased focus on security architecture of cloud-based education platforms in the wake of the incident, which has become a critical infrastructure for academic operations worldwide.

In addition to disrupting coursework and institutional systems for the immediate period, the exposure of student communications and identity-linked records, particularly involving minors, demonstrates the long-term risks associated with large-scale compromises of digitally centralized learning environments. 

During the remediation and forensic investigation efforts, Instructure is likely to establish the breach as a landmark in the field of ransomware and extortion, which increasingly target educational technology ecosystems where operational urgency and reputational pressure can lead to high-stakes cybersecurity incidents.
Read more »
data security
AI coding tools Consumer Data Exposure Corporate Data Breach cybersecurity vulnerabilities Data Breach data security

AI Coding Tools Expose Thousands of Apps With Sensitive Corporate Data Online

 

Thousands of web applications built using AI coding tools have been found publicly accessible online without proper security protections. Researchers at RedAccess identified more than 5,000 exposed apps tied to companies, many revealing private information to anyone with the correct URL. Employee records, customer conversations, system plans, and financial files were among the exposed materials. The problem wasn’t faulty code but missing security setup steps that many users overlooked. 

In many cases, public access remained enabled long after deployment, creating silent data leaks that went unnoticed for months. Many of the vulnerable apps were created using platforms like Replit, Netlify, Base44 owned by Wix, and Lovable. Nearly 2,000 apps appeared to contain genuine sensitive information, including advertising spending reports, company strategy documents, chatbot logs, customer contact details, hospital personnel records, and financial summaries. 

According to RedAccess researcher Dor Zvi, the issue is linked to the rise of “vibe coding,” where non-technical employees use AI tools to rapidly build and publish web applications. Since these platforms make development extremely simple, apps can go live within minutes without any review from engineering or cybersecurity teams. Researchers found the exposed apps through basic Google and Bing searches because many AI coding services host projects publicly on shared domains by default. 

Some applications exposed private information without requiring logins, while others reportedly allowed outsiders to gain administrative control over backend systems. The exposed data covered multiple industries. Hospital staff schedules listing doctors’ identities appeared alongside marketing strategy presentations, shipping records, retailer chatbot conversations, and detailed advertising campaign budgets. Such leaks could expose sensitive competitive information, including business planning timelines and financial allocations. 

The investigation also uncovered phishing websites hosted directly on AI coding platform domains. These fake pages impersonated major companies including Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s. The platforms disputed parts of the findings while acknowledging that publicly accessible apps existed. Amjad Masad said users choose whether apps remain public or private. Lovable emphasized that creators are responsible for configuring security correctly, while Wix stated weakening protections requires deliberate user actions. 

Security experts argue the broader issue remains serious because AI coding tools rarely enforce strong safeguards automatically. Many employees using them lack training in authentication systems or permission controls, allowing insecure deployments to slip through unnoticed. Researchers say the situation resembles earlier waves of exposed Amazon S3 cloud storage buckets, where confusing defaults and user mistakes left sensitive files publicly accessible. 

AI-powered coding platforms may now be accelerating similar risks on a larger scale as businesses increasingly rely on AI tools for internal dashboards, marketing systems, client portals, and reporting applications. Experts also warn the true scale may be far larger. The 5,000 discovered apps only included projects hosted directly on AI platform domains. Thousands more could exist on privately owned domains that standard searches cannot easily detect. 

As AI-generated development grows rapidly, companies are now under pressure to strengthen oversight, improve employee training, and introduce stricter security reviews. Without stronger safeguards, fast AI-assisted app creation could continue exposing confidential corporate and personal information online.
Read more »
Password theft
2FA Credential Theft Data Breach MaaS Password theft

What Really Happens After Your Password Gets Stolen? Researchers Trace the Cybercrime Pipeline

 



Password theft operations continue to expand despite growing public awareness campaigns around online security. Infostealer malware remains active, compromised accounts continue circulating across underground marketplaces, and stolen credentials are still being used for financial fraud, ransomware attacks, and unauthorized access to online services.

New research published by Comparitech examined how stolen passwords move through cybercriminal networks after they are first compromised. The study analyzed more than 447,000 credential leaks, breach threads, and password dumps posted across four major cybercrime forums. Altogether, the dataset contained roughly 1.1 million compromised user records collected between 2013 and 2026.

The report focused on understanding where leaked passwords ultimately end up and how attackers process them before they are used in large-scale attacks.

For many users, discovering that a password has been exposed can create immediate panic, particularly because credential theft incidents have increased sharply in recent years. Previous security reporting found that nearly 2.8 billion credentials were exposed during 2025 alone. Researchers have also raised concerns about browser-stored passwords after reports that credentials saved in browsers may sometimes become accessible in plaintext form within system memory. At the same time, stolen credentials are increasingly being used to abuse retail, cloud, and subscription-based services.

According to Comparitech researcher Paul Bischoff, analysts including Mantas Sasnauskas reviewed databases from four cybercrime forums to understand how stolen passwords are accessed, redistributed, combined, and eventually weaponized in credential-stuffing campaigns, ransomware intrusions, business email compromise incidents, and account takeover attacks.

The researchers outlined a five-stage credential supply chain. The first stage, known as “origin,” refers to how passwords are initially stolen before appearing on underground forums. The report identified infostealer malware and data breaches as the two most common starting points.

Infostealer malware is designed to silently collect sensitive information from infected devices. This can include browser-saved passwords, authentication cookies, autofill data, cryptocurrency wallet information, and session tokens that attackers can later exploit to bypass login protections.

The final stage of the supply chain involves the eventual use of stolen credentials in attacks such as ransomware deployment, unauthorized account access, and corporate breaches. However, the researchers said the middle stages of the ecosystem reveal the most about how the underground password economy functions.

The wholesale stage represents the broker market for stolen access. In this phase, attackers sell compromised credentials directly to other criminals. The report pointed to the Russian-language cybercrime forum RAMP, where pre-authenticated access to corporate systems was allegedly being offered for sale using stolen login credentials. This type of access is especially valuable because it can provide immediate entry into business networks.

The next stage, trade, involves credentials being reposted, exchanged, resold, or distributed across multiple hacker forums. Some datasets are uploaded for free to build credibility inside underground communities, while others are placed behind paid marketplaces where buyers can purchase access to larger credential collections.

The aggregation stage centers around the creation of “combolists,” which are massive databases containing usernames and passwords collected from multiple breaches. The most valuable combolists are typically cleaned and deduplicated to remove repeated records and improve their effectiveness.

Attackers frequently use these combolists in credential-stuffing operations, where automated tools test stolen username-and-password combinations across many different websites. Because many users reuse passwords across platforms, one compromised credential can sometimes unlock email accounts, banking services, shopping platforms, or workplace systems tied to the same login information.

Researchers and cybersecurity analysts have repeatedly warned that the underground market for stolen credentials continues growing alongside the rise of malware-as-a-service operations and initial access brokers. In recent years, infostealer logs containing browser credentials and authentication cookies have become widely traded across dark web forums and encrypted messaging platforms.

The report also examined how users can reduce the risk of credential theft. Security professionals continue encouraging users to adopt passkeys whenever possible because passwordless authentication systems are significantly harder to steal and reuse in automated attacks.

Experts additionally recommend avoiding password reuse across websites and services, since a single breach can otherwise expose multiple accounts at once. Password managers can help users generate and store unique credentials securely, while two-factor authentication adds another layer of verification that can block unauthorized logins even if a password becomes compromised.

As cybercrime groups continue refining credential theft operations, researchers believe password-based security systems may gradually become less reliable for protecting online accounts in the long term.

Read more »
Instructure
AI Canvas Cloud Data Breach Data Leak data security Instructure

Data Leak: Instructure, Canvas Allegedly Hacked, ShinyHunters Claim Responsibility


Instructure, a cloud-based LMS Canvas company was hit by a massive data attack. Ransomware gang ShinyHunters claimed responsibility for the attack, saying that it had stolen data related to 280 million students, teachers, and school staff.

100s of GBs data leaked

The data breach accounts for hundreds of gigabytes, possibly leaking Canvas users’ email ids, private messages, and names. 

Instructure revealed in May that it was hit by a data breach. The Canvas incidents of 8,809 universities, educational platforms, schools were impacted by the attack. ShinyHunters said that the numbers range between tens of thousands to several millions per institution.

It is concerning that a lot of K-12 students’ data has been leaked. If your child has been affected by the data breach, Malware Bytes can help in what to do next and how to stay safe.

Canvas compromised

Various students who tried using Canvas after the cyberattack received the message from ShinyHunters blackmailing to leak the data if Instructure did not contact the hackers by May 12. Canvas was shut down offline for various students following the incident, but it is now available for most users. 

GTA 6, Studio Rockstar were blackmailed too

ShinyHunters has been killing it this year, with only high profile targets in its track records. The group asked for a ransom from GTA 6 (a video game) Studio Rockstar in April. But in reality, it was a hoax demand as the hackers did not have anything important/worthy to leak. 

Nvidea Geforce allegedly hacked

But recently, the group allegedly claimed responsibility for the Nvidea’s GeForce Now breach, claiming to have “pulled their entire database straight from the backend."

Shiny hunters all over the place

In the Canvas incident, ShinyHunters allegedly stole user records through exposrting features inside the platform. This consists of DAP queries, APIs, and provisioning reports, according to Bleeping Computers. “The unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” Instructure said. 

It also added that it “revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms." 

The impact

Instructure also “engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements.”

However, it might be too little, too late—parents are unlikely to overlook the possibility of disclosing their children's information. The much bigger problem, though, is the disastrous harm ShinyHunters has caused to Canvas's operations and reputation, as malware historian vx-underground stated on X.

Read more »
ShinyHunters
Academic Network Security Canvas cyberattack Data Breach Education Sector Security Phishing Threats Ransomware Attack ShinyHunters

Ransomware Attack Disrupts Grading Platform Used by LBUSD Cal State and LBCC


 

A cyberattack linked to the ShinyHunters extortion group temporarily disrupted educational operations across a number of educational institutions in the United States, causing concern over the potential exposure of sensitive student and faculty data. These institutions continued to restore access to Canvas this week. Although several universities and school districts have been able to resume normal access following recovery efforts coordinated by Canvas parent company Instructure, the incident continues to affect portions of the education sector. 

Administrators have assessed the broader impacts of the breach and reviewed claims regarding the compromise of data belonging to hundreds of millions of platform users around the world. After the incident was triggered on Thursday, teachers and students at Long Beach Unified School District, California State University Long Beach and Long Beach City College were suddenly unable to access Canvas, the cloud-based platform widely used for coursework, grades, assignments and internal communication, the operational impact of the incident became more apparent. 

According to district officials, they were informed earlier this week that Instructure, the company which provides Canvas, had discovered that certain user-identifying information related to customer environments had been accessed without authorization. In spite of the company's initial assertion that the incident had been contained and that core platform operations continued, educators later reported that login attempts redirected users to ransom-style messages allegedly associated with the ShinyHunters cybercriminal group upon attempting to log in.

Apparently, the notice instructed affected institutions to engage a cyber advisory firm and negotiate payment terms before a specified deadline otherwise compromised data could be exposed to the public. Despite the fact that the full extent of the intrusion is still under investigation, notifications sent to campus users indicate that names, email addresses, institutional identification numbers, and confidential communications may have been compromised. 

A response from Instructure was that portions of the platform environment had been disabled, the underlying vulnerability had been rectified, digital forensic specialists were engaged, and federal authorities, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, were coordinated. 

A significant number of academic institutions are experiencing the disruption at the same time, with final examinations at California State University Long Beach rapidly approaching. Since Canvas serves as the primary repository for instructional content, coursework, and student records, several educators have described the outage as operationally disrupting, even though some teachers have been able to maintain continuity by using externally hosted materials and collaboration tools through Google. 

Cybersecurity experts caution that, while the current incident has mainly disrupted colleges and universities, K-12 institutions have also faced repeated operational and data security challenges related to attacks against the education technology infrastructure. Researchers referred to the Los Angeles Unified School District cyberattack of 2022, when a ransomware-related intrusion disabled critical district systems over Labor Day weekend, disrupting internal communication, attendance tracking, and classroom instruction. 

Approximately 2,000 student assessment records, together with additional sensitive information, including driver’s license numbers and Social Security numbers accumulated over multiple years, were later published on the dark web as a result of the incident. Recovery efforts lasted for weeks during which administrative and technical staff restored systems and coordinated password resets for over 600,000 user accounts.

According to security researchers, incidents associated with platforms such as Canvas can create long-term phishing and social engineering risks even after services have been restored. A Norton security analyst, Luis Corrons, emphasized that information exposed by the company includes names, institutional email addresses, student identification numbers, and internal academic communications, which could provide threat actors with the necessary context to create highly convincing phishing campaigns impersonating legitimate school notifications regarding grades, coursework, financial aid, and password resets.

In addition to Anton Dahbura's concerns, the executive director of the Johns Hopkins University Information Security Institute advised institutions that residual risk may continue to exist after platform access has been restored, and cautioned against operating under this assumption. According to Dahbura, colleges and universities should encourage students and employees to change their passwords, review authentication tokens, and audit integrations with third-party platforms connected to Canvas environments. 

Likewise, colleges and universities should keep a close eye on follow-on phishing activity targeting them. Further, he emphasized that higher education is increasingly reliant on a single instructional platform, which represents a systemic risk as a whole. He advised academic institutions to develop resilience plans, implement additional security controls, and develop alternative instructional workflows that can support continuity during prolonged service interruptions. 

A centralized cloud-based learning infrastructure in the educational sector has further increased the cybersecurity vulnerability of the sector. As a result of a single third party platform compromise, thousands of academic institutions may be disrupted simultaneously if a single compromise occurs.

A continuing forensic investigation and recovery effort will require security teams on affected campuses to focus on credential protection, phishing monitoring, and access-review procedures, while assessing the degree of integration instructional platforms, such as Canvas, have made with broader institutional networks.
Read more »
leaked sensitive data
Customer Data Data Breach Data Leak Data protection data security Hacking Attack Hacking Group leaked sensitive data

ShinyHunters Vimeo Data Breach Exposes Information of Over 119,000 Users

 

Early this year, Vimeo faced a security incident leading to the theft of personal details tied to over 119,000 people by the ShinyHunters hacking collective. Information on the leak became known via Have I Been Pwned, a service tracking compromised accounts, after examining the exposed records. 

Late last month, Vimeo revealed a security issue affecting its systems. The platform, known for hosting and streaming videos globally, serves many millions of active users. Access by unknown parties came via a flaw tied to Anodot. This firm provides tools that spot irregularities in data flows. Its technology connects directly into parts of Vimeo’s infrastructure. 

The event marks one point where external partnerships introduced risk. Details emerged only after internal reviews concluded. One thing became clear: the entry did not stem from inside Vimeo's own network. Instead, it traced back to how outside services link up. Security teams now examine how third-party integrations affect overall protection levels. 

Surprisingly, early reports showed hackers obtained technical data, video metadata, and titles - sometimes even user emails. Despite the breach, payment information, account passwords, and live session tokens stayed secure, according to internal confirmation. Throughout the event, Vimeo’s main system kept running smoothly, maintaining full service availability. Unexpectedly, operations continued without noticeable interference. 

Right away, Vimeo shut down every login linked to Anodeto stop any more unwanted entry once the break-in came to light. Instead of handling things alone, outside cyber experts joined to support the inquiry. At the same time, officials responsible for enforcing laws got word about what happened. Later, even so, the hackers released a huge 106GB collection of stolen files online when talks reportedly broke down. 

That data appeared on a hidden website used by the ShinyHunters crew, who stated weak login credentials tied to Anodot opened doors unexpectedly. From there, they moved into Vimeo's storage platforms - Snowflake and BigQuery - with little resistance. Some 119,200 individuals had their email addresses disclosed, along with names in certain instances, based on findings from Have I Been Pwned after reviewing the leaked data. 

Though the breach details have circulated, Vimeo hasn’t officially verified how many accounts were impacted. Inside these breaches, access began through deceptive emails or fake support calls tricking staff. Not long ago, compromised logins gave hackers entry to identity tools like Okta and Microsoft Entra. From there, movement spread toward customer relationship software, team messaging apps, file storage, design programs, help desks, and workplace productivity suites. Cloud infrastructure and subscription-based tech now draw more attention than before. 

Breach attempts often follow weak points in unified login setups across company networks. Though main networks stay secure, outside providers sometimes open doors hackers exploit. A breach in one connected service might unlock several company areas at once. Experts observe rising incidents targeting cloud logins and partner tools for this reason. Instead of attacking central defenses, intruders shift focus to these links. Sensitive client data ends up at risk even if primary infrastructure holds firm.  

Recently, ShinyHunters took credit for hacks spanning education, retail, health care, gaming, and government bodies. Vimeo's situation shows third-party links still pose steady threats to big digital services managing vast user information. Despite different targets, weak outside connections often open doors. One breach can ripple through many layers unexpectedly.
Read more »
student data leak
Canvas LMS hack Cybersecurity Incident Data Breach Instructure data breach ShinyHunters cyberattack student data leak

Instructure Confirms Data Breach as ShinyHunters Claims Responsibility

 

Educational technology company Instructure has confirmed that user data was compromised following a cyberattack, while the cybercriminal group ShinyHunters has claimed responsibility for the breach.

The U.S.-based firm is widely recognized for developing Canvas, a popular learning management platform used by schools, universities, and organizations to manage online coursework, assignments, and communication.

The company revealed on Friday that it had experienced a cybersecurity incident and had begun an investigation with the assistance of third-party cybersecurity specialists and law enforcement authorities. A follow-up statement issued on Saturday confirmed that certain user information had been exposed during the breach.

"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," reads the updated statement.

"At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions."

As part of its mitigation efforts, Instructure said it has implemented security patches, enhanced monitoring systems, and rotated application keys as a preventive measure. Customers have also been instructed to re-authorize access to the company’s API so that new application keys can be issued.

Although the company has not publicly addressed questions regarding the exact timing of the breach or whether it was facing extortion demands, ShinyHunters has added Instructure to its data leak platform.

"Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII," reads the data leak site.

"Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved."

According to the cybercrime group, the breach occurred through a vulnerability in Instructure’s systems that has since been fixed. The hackers allege that the stolen information includes more than 240 million records linked to students, teachers, and staff members.

The leaked data is said to contain names, email addresses, enrolled course details, and private conversations between students and teachers. Information shared by the threat actors suggests the dataset may cover nearly 15,000 institutions across regions including North America, Europe, and Asia-Pacific.

At present, the full scope of the incident remains unverified, and independent confirmation regarding the number of affected schools and individuals has not yet been established
Read more »
us marines
Data Breach Hacking Group Handala hackers Iranian hackers MOIS us marines

U.S. Marines Reportedly Targeted by Iranian-Linked Hackers in New Data Exposure Incident

 



Iran-linked hacking group Handala has allegedly leaked personal information belonging to thousands of U.S. Marines deployed across the Persian Gulf region, shortly after American military personnel in the Middle East began receiving threatening messages from the group.

According to posts published on Handala’s website, the hackers claim to have released the names and phone numbers of 2,379 U.S. Marines as proof of what they described as their “intelligence superiority.” The group further claimed that the exposed information represents only a small sample from a much larger collection of data allegedly tied to American military personnel stationed in the region.

Handala asserted that it possesses additional details related to military members and their families, including home addresses, movement patterns, military base affiliations, commuting routines, shopping behavior, and other personal activities. These claims have not been independently verified by U.S. authorities.

The alleged leak surfaced days after several U.S. service members reportedly received threatening WhatsApp messages warning that they were under surveillance. The messages referenced Iranian drone and missile systems and attempted to intimidate military personnel by claiming their identities and movements were being tracked. Similar threatening communications believed to be linked to Handala were also reportedly sent to civilians in Israel earlier this week, suggesting a broader psychological and cyber influence campaign connected to escalating tensions in the Middle East.

Since the regional conflict involving Iran, Israel, and the United States intensified earlier this year, Handala has repeatedly claimed responsibility for several high-profile cyber incidents. Last month, the group allegedly leaked hundreds of emails said to have originated from the personal Gmail account of Kash Patel. The hackers have also been linked to a cyberattack targeting medical technology company Stryker, an operation that reportedly resulted in data being erased from tens of thousands of employee devices globally.

However, questions remain regarding the authenticity and quality of the newly leaked Marine data. An analysis of the published sample reportedly identified multiple inconsistencies, including incomplete phone numbers and entries that appeared to contain military contract identifiers rather than personal names. Several listed numbers reportedly connected only to automated voicemail systems.

In a limited number of cases, voicemail names reportedly matched information included in the leak. One individual contacted by reporters allegedly confirmed their identity before ending the call, while others declined to comment or redirected inquiries to military public affairs officials.

U.S. Central Command referred media questions regarding the incident to the Naval Criminal Investigative Service, which had not publicly commented on the matter at the time of reporting.

The incident comes amid growing concerns over cyber-enabled psychological operations targeting military personnel and their families. Earlier this month, Navy Secretary John Phelan urged sailors to strengthen the security of their mobile devices and social media accounts amid concerns over phishing attacks and malicious online activity. In an internal warning, he noted that threat actors may attempt to manipulate military personnel into opening harmful files or clicking malicious links designed to compromise personal accounts and devices.

Handala publicly portrays itself as a pro-Palestinian hacktivist organization. However, multiple cybersecurity firms and recent assessments from the U.S. Department of Justice have alleged that the group operates as a front tied to Iran’s Ministry of Intelligence and Security (MOIS).

Cybersecurity experts note that modern cyber campaigns increasingly combine data leaks, online intimidation, and misinformation tactics to create psychological pressure rather than relying solely on technical disruption. Analysts also caution that hacker groups sometimes exaggerate the scale or sensitivity of stolen data to amplify fear and media attention.

Although U.S. authorities have previously seized domains associated with Handala, the group continues to remain active by turning to new websites and communication platforms, including Telegram, allowing it to sustain its cyber and propaganda operations online.

Read more »
User Security
Data Breach Data Theft Medtronic Breach ShinyHunters User Security

Medtronic Confirms ShinyHunters' Theft of 9 Million Records

 

Medtronic, a leading global medical device manufacturer, recently confirmed a significant cybersecurity breach affecting its corporate IT systems. The incident came to light after the notorious hacking group ShinyHunters claimed responsibility, boasting of stealing over 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data. 

On April 17 and 18, 2026, the group listed Medtronic on its Tor-based data leak site, issuing a ransom ultimatum that expired on April 21 without public confirmation of payment or data release. Medtronic publicly disclosed the breach on April 24, 2026, via its website and a U.S. Securities and Exchange Commission Form 8-K filing, acknowledging unauthorized access but emphasizing that the intrusion was contained with no disruption to operations.

The breach targeted non-critical corporate networks, sparing patient-facing systems, medical devices, manufacturing, and distribution channels. Medtronic stated explicitly that products, patient safety, customer connections, financial reporting, and care delivery remained unaffected, as these operate on segregated infrastructure. ShinyHunters, known for high-profile extortion campaigns against over 40 organizations in 2026—including ADT, Amtrak, and Cisco—alleged the haul included sensitive PII from employees, partners, or affiliates, though Medtronic has not verified the exact volume or contents. The group's listing vanished from the leak site shortly after, fueling speculation of behind-the-scenes negotiations.

This incident underscores escalating threats to healthcare giants, where corporate IT often serves as a softer entry point for attackers. ShinyHunters has exploited misconfigured Salesforce Experience Cloud guest permissions in multiple cases, a customer setup issue rather than a platform flaw, according to Salesforce. Medtronic's response involved activating incident protocols with external cybersecurity experts to assess data exfiltration and potential exposure. An ongoing forensic investigation aims to pinpoint compromised information, with commitments to notify and support affected individuals if personal data is confirmed stolen.

The implications ripple beyond Medtronic, highlighting vulnerabilities in the medical technology sector amid rising ransomware and extortion tactics. Law firms like Schubert Jonckheer & Kolbe LLP launched investigations by early May 2026, probing liabilities for the nearly 9 million potentially impacted records. While no widespread data dumps have surfaced publicly, the breach erodes trust in supply chain security, even when clinical operations stay insulated. Healthcare firms face mounting pressure to fortify perimeter defenses as cybercriminals increasingly target administrative data for profit.

To mitigate risks from such incidents, individuals should monitor credit reports, enable two-factor authentication on personal accounts, and freeze credit if notified of exposure. Organizations are advised to segment networks rigorously, conduct regular penetration testing, patch third-party configurations like Salesforce promptly, and develop robust incident response plans. Medtronic's case reinforces the need for proactive cybersecurity hygiene to safeguard sensitive data in high-stakes industries.
Read more »
data security
ADT ADT data breach customer data leak customer data privacy Data Breach Data Extortion Data Leak data security

ADT Data Breach Confirmed After ShinyHunters Threatens Leak of Stolen Customer Information

 

Now comes word that ADT, a provider of home security systems, suffered a data breach following threats by the hacking collective ShinyHunters to expose purloined records if payment isn’t made. This event joins others recently where attackers gain access via compromised credentials or outside service providers. 

On April 20, the company noticed unusual activity within its systems - response teams moved quickly to limit exposure and launch a review from within. It turned out some customer and prospective customer details were reached and copied by those responsible. Names, contact numbers, and home locations made up most of what was seen; in a few cases, birth dates showed up alongside incomplete identification digits used for tax or government purposes. Though only a narrow collection of files was involved, steps followed to assess how far the breach extended. 

What ADT made clear is that financial details of high sensitivity stayed secure. It turned out bank accounts, credit cards, along with any payment records, remained untouched through the incident. On top of this, home security setups and active monitoring kept running without interference. Evidently, the breach never reached operational systems - only certain data areas felt its effect. After claims surfaced on a hacker forum, ShinyHunters stated they accessed more than 10 million records - some containing personal details and private business files. 
Despite the threat to publish everything unless met with demands, confirmation of the full extent remains unverified by ADT. Still, notification letters have gone out to impacted users during ongoing review efforts. What happens next depends on internal assessments already underway. One claim points to vishing as the starting point - a tactic aimed at one worker. Posing as known contacts, hackers won entry through a company-wide login system. 

Once inside, they navigated sideways into linked environments without immediate detection. Access likely extended to cloud services including Salesforce, where information was pulled from storage. Identity theft now drives many cyber intrusions, moving past old tactics that hunted software bugs. Instead of probing code flaws, hackers aim at sign-in systems like Okta, Microsoft Entra, or Google logins. Breaching one verified profile opens doors to numerous company tools. 

With entry secured, stolen information gets pulled out quietly. That data then becomes leverage - no malware needed to lock files. What happened lately isn’t new for ADT - earlier leaks of staff and client details came out earlier this year. Facing repeated issues, many companies struggle to protect digital identities while handling permissions in linked platforms. 

Still under investigation, the incident highlights how often social engineering now shapes current cyber attacks. Rather than exploiting software flaws, hackers rely on mistakes people make - slipping past defenses by tricking users. 

Because of this shift, training staff to spot risks matters just as much as strong login protections. Preventing future breaches depends less on technology alone, more on understanding human behavior. Awareness becomes a shield when passwords fail.
Read more »
Zero Click Exploits
Commercial Spyware Critical Infrastructure Security Cyber Surveillance Cyber Threat Intelligence Data Breach Digital Espionage Endpoint security Mobile Security Zero Click Exploits

Global Surge in Military Grade Spyware Puts Personal Smartphones at Risk


 

Global cybersecurity discourse is emerging with a growing surveillance threat under the surface as the UK's top cyber authority issues a stark assessment of the unchecked proliferation of commercial spyware capabilities. Initially restricted to tightly regulated law enforcement use, advanced intrusion tools are now widely used across more than 100 countries, able to remotely compromise smartphones, bypass encrypted communications, and covertly activate device sensors. 

NSO Group and an increasingly opaque ecosystem of competitors are driving this rapid expansion, signaling the shift from targeted investigative use to a wider landscape of state-aligned digital intrusion, a shift in which state-aligned cyberattacks are becoming increasingly commonplace. 

In spite of their increasing accessibility and operational stealth, enterprises and operators of critical national infrastructure are not adequately prepared for the scale and sophistication of these threats. There is an evolving threat landscape supporting it, which is supported by the increasing sophistication of modern spyware frameworks, which leverage "zero-click" exploitation chains to gain unauthorized access without requiring the user's involvement. 

NSO Group's Pegasus platform and Paragon's Graphite platform function as highly advanced intrusion suites. They exploit latent vulnerabilities within mobile operating systems to extract sensitive communications, media, geolocation information, and other artifacts through forensic minimalism. 

The commercial dynamics underpinning this ecosystem demonstrate the magnitude of the challenge as well as its persistence. As part of the United States entity list, the Israeli developer NSO Group, widely associated with high-end surveillance tooling, was listed in 2021 for its supply of technologies to foreign governments. These technologies were then utilized to target a wide range of individuals, including government officials, journalists, business leaders, academicians, and diplomats. 

In defending its claims that such capabilities serve legitimate anti-terrorism and law enforcement purposes, the company asserts that it lacks direct visibility into operational use, while retaining the right to terminate client relationships in instances of verified misuse. 

In spite of the rapid expansion of the vendor landscape, NSO Group represents only one node within it. According to industry observers, including Casey, the sector is extremely profitable and is undergoing rapid growth. There are currently dozens of firms offering comparable capabilities in this market. 

According to estimates, more than 100 countries have procured mobile spyware, an increase over earlier assessments, which indicated deployment across more than 80 national jurisdictions. Along with offering a cost-effective shortcut to the development of capabilities that would otherwise require years of development, commercial intrusion platforms offer a fast and easy means for states lacking indigenous cyber expertise.

In addition, the National Cyber Security Centre noted previously that, despite the fact that these tools are intended for law enforcement purposes, there is credible evidence that they have been used on a widespread basis against journalists, human rights defenders, political dissidents, and foreign officials with thousands of individuals being targeted annually. 

Several leaked toolkits, including DarkSword, demonstrate the dispersal of capabilities once restricted to state intelligence agencies into less controlled environments, making it possible for state-aligned and criminal actors to launch attacks by utilizing vectors as inconspicuous as compromised web sessions on unpatched iOS devices. In addition to theoretical risk models, operational exploits are being actively employed against targets who often assume device-level security as the basis of their attack. 

A notable increase in the victim profile is that it includes corporate executives, financial professionals, and organizations dealing with valuable information, as well as journalists and political dissidents. It was highlighted by Richard Horne, the director of the UK's National Cyber Security Centre, that there still remains a significant gap in industry readiness. 

Many enterprises underestimate the capability and operational maturity of these surveillance capabilities. Essentially, this shift illustrates the democratization of offensive cyber tools, where sophisticated surveillance, once monopolized by a few intelligence agencies, is now available to a broader range of state actors lacking native cyber expertise. 

As a result, these capabilities are increasingly available economically and they are unintentionally disseminated, which fundamentally alters the threat equation. Through the transition from tightly controlled assets to commercially traded products, advanced surveillance tools become increasingly difficult to contain as they are propagated through illicit channels, including corrupt procurement practices, insider exfiltration, and secondary resale markets. 

In the wake of this leakage, non-state actors, including organized criminal networks, have acquired capabilities that were previously available only to sovereign intelligence operations. The proliferation of state-linked campaigns, including those attributed to China and focused on large-scale data exfiltration, illustrates the use of such tools not only for immediate intelligence gain, but also to establish strategic prepositioning for future geopolitical conflicts. 

Traditional device-based safeguards and consumer privacy controls are only marginally effective against adversaries equipped with exploit chains developed specifically to circumvent them. International efforts to regulate and oversee exports are gaining momentum, but operational reality suggests that containment may already lag behind proliferation, which enables a significant expansion of attack surfaces across both civilian and enterprise digital environments. 

The convergence of commercial availability, technical sophistication and weak oversight has led to the normalization of capabilities that were once considered exceptional. These developments illustrate a structural shift in the cyber threat environment. 

In conjunction with the widespread adoption of such tools, and their continual evolution and leakage, there is an ongoing need for public and private sectors to assess their security assumptions at a fundamental level. There is no longer a limited need to defend against isolated intrusions for enterprises, critical infrastructure operators, and individual users, but rather to navigate a complex ecosystem where highly advanced surveillance techniques are frequently accessible and increasingly resemble legitimate activity. 

In the absence of strengthened international coordination, enforceable controls, and a corresponding increase in defensive maturity, a continued erosion of digital trust is likely, resulting in compromise becoming not an anomaly, but an expected condition of operating within a hyperconnected environment.
Read more »
North Korean
Crypto Platform Data Breach Decentralized Finance Hackers Hacking Kelp North Korean

North Korea-Linked Hackers Target Crypto Platforms, $500M Stolen

 



Cybersecurity researchers are raising alarms over a developing pattern of cryptocurrency thefts linked to North Korean actors, with recent incidents suggesting a move from isolated breaches to a sustained and structured campaign. In a span of just over two weeks, attacks targeting the Drift trading platform and the Kelp protocol resulted in losses exceeding $500 million, pointing to a level of coordination that goes beyond opportunistic hacking.

What initially appeared to be separate security failures is now being viewed as part of a broader operational strategy, likely driven by the financial pressures faced by a heavily sanctioned state. Shortly after attackers used social engineering techniques to compromise Drift, another incident emerged involving Kelp, a restaking protocol integrated with cross-chain infrastructure.

The Kelp breach surfaces a noticeable turn in attacker behavior. Rather than exploiting traditional software bugs or stealing credentials, the attackers targeted fundamental design assumptions within decentralized systems. When examined together, both incidents indicate a deliberate escalation in efforts to extract value from the crypto ecosystem.

Alexander Urbelis of ENS Labs described the pattern as systematic rather than incidental, noting that the frequency and timing of these events resemble an operational cycle. He warned that reactive fixes alone are insufficient against threats that follow a structured tempo.


Breakdown of the Kelp exploit

Unlike many traditional cyberattacks, the Kelp incident did not involve bypassing encryption or stealing private keys. Instead, the system behaved as designed, but was fed manipulated data. Attackers altered the inputs that the protocol relied on, causing it to validate transactions that never actually occurred.

Urbelis explained that while cryptographic signatures can verify the origin of a message, they do not ensure the truthfulness of the information being transmitted. In simple terms, the system confirmed who sent the data, but failed to verify whether the data itself was accurate.

David Schwed of SVRN reinforced this view, stating that the exploit was not based on breaking cryptography, but on taking advantage of how the system had been configured.

A central weakness was Kelp’s dependence on a single verifier to validate cross-chain messages. While this approach improves efficiency and simplifies deployment, it removes an essential layer of security redundancy. In response, LayerZero has advised projects to adopt multiple independent verifiers, similar to requiring multiple approvals in traditional financial systems.

However, this recommendation has sparked criticism. Some experts argue that if a configuration is known to be unsafe, it should not be offered as a default option. Relying on users to manually implement secure settings, especially in complex environments, increases the likelihood of misconfiguration.


Contagion across interconnected systems

The impact of the Kelp exploit did not remain confined to a single platform. Decentralized finance systems are deeply interconnected, with assets frequently reused across multiple protocols. This creates a chain of dependencies, where a failure in one component can propagate across others.

Schwed described these assets as interconnected obligations, emphasizing that the strength of the system depends on each individual link. In this case, lending platforms such as Aave, which accepted the affected assets as collateral, experienced financial strain. This transformed an isolated breach into a broader ecosystem-level disruption.


Reassessing decentralization claims

The incident also exposes a disconnect between how decentralization is promoted and how systems actually function. A structure that relies on a single point of verification cannot be considered fully decentralized, despite being marketed as such.

Urbelis expanded on this by noting that decentralization is not an inherent feature, but the result of specific design decisions. Weaknesses often emerge in less visible layers, such as data validation or infrastructure components, which are increasingly becoming primary targets for attackers.

The activity aligns with a bigger change in strategy by groups such as Lazarus Group. Instead of focusing only on exchanges or obvious coding flaws, attackers are now targeting foundational infrastructure, including cross-chain bridges and restaking mechanisms.

These components play a critical role in enabling asset movement and reuse across blockchain networks. Their complexity, combined with the large volumes of value they handle, makes them particularly attractive targets.

Earlier waves of crypto-related attacks often focused on centralized platforms or easily identifiable vulnerabilities. In contrast, current operations are increasingly directed at the underlying systems that connect the ecosystem, which are harder to monitor and more prone to configuration errors.

Importantly, the Kelp exploit did not introduce a new category of vulnerability. Instead, it demonstrated how existing weaknesses remain exploitable when not properly addressed. The incident underscores a recurring issue in the industry: security measures are often treated as optional guidelines rather than mandatory requirements.

As attackers continue to enhance their methods and increase the pace of operations, this gap becomes easier to exploit and more costly for organizations. The growing sophistication of these campaigns suggests that the primary risk may not lie in unknown flaws, but in the failure to consistently address well-understood security challenges.

Read more »
Hacking Group
Cyber Security Ransomware Attacks Data Breach Data Leak Data protection data security Hacker attack Hacking Group

ShinyHunters Targets McGraw Hill In Salesforce Data Leak Dispute Over Breach Scope

 

A breach at McGraw Hill came to light when details appeared on a leak page run by ShinyHunters, a hacking collective now seeking payment. Appearing online without warning, the listing suggested sensitive data had been taken. The firm acknowledged something went wrong only after outsiders pointed to the published claims. Instead of silence, there followed a brief statement - no elaborate explanations, just confirmation. What exactly was accessed remains partly unclear, though the criminals promise more leaks if demands go unmet. Their method? Take data first, then pressure victims publicly through exposure. 

Though the collective says it pulled around 45 million records from Salesforce setups, McGraw Hill challenges how serious the incident really was. A flaw in a cloud-based Salesforce setup - misconfigured, not hacked - led to what occurred, according to the company. Public release looms unless money changes hands by their stated date. Not a breach of core infrastructure, they clarify. Timing hinges on whether terms get fulfilled. What surfaced came via access error, not forced entry. 

Later came confirmation from the firm: only minor data sat exposed through a public page tied to Salesforce. Not part of deeper networks - systems handling daily operations stayed untouched. Customer records? Still secure. Educational material platforms? Unreached. Personal identifiers like income traces or school files showed no signs of exposure. The breach never reached those layers. A single weak link elsewhere might open doors wider than expected. Problems often start outside core networks, hidden in connected tools. 

One misstep in setup could ripple across several teams relying on Salesforce. When outside systems slip, sensitive details sometimes follow. Security gaps far from the main system still carry risk close to home. What seems distant can quickly become immediate. Even with those reassurances, ShinyHunters insists the breached records include personal details - setting their version against the firm’s own review. Contradictions like this often surface when attacks aim to extort, as hackers sometimes inflate what they took to push targets into responding. 

Now operating at a steady pace, ShinyHunters stands out within the underground scene by focusing less on locking files and more on quietly siphoning information. Instead of scrambling networks, they pressure victims using material already taken - payment demands follow exposure threats. Their name surfaced after breaches hit well-known companies, where leaked datasets served as leverage. Rather than causing immediate downtime, their power lies in what could be revealed. 

What stands out lately is how this group exploited a security gap at Anodet, an analytics company, gaining entry through leaked access tokens aimed squarely at cloud-based data systems. Alongside that incident came the public drop of massive corporate datasets - another sign their main goal remains pulling vast amounts of information from high-profile targets. Among recent breaches, the one involving McGraw Hill stands out - not because of its scale, but due to how it reveals weaknesses hidden within standard cloud setups. 

Instead of breaking through strong defenses, hackers often slip in via small errors made during setup steps handled by outside teams. What makes this case notable is less about immediate damage, more about what follows: sensitive information pulled quietly into unauthorized hands. While systems keep running without interruption, stolen data becomes the weapon - threatening public release unless demands are met. 

Over time, such tactics have shifted the focus of digital attacks away from crashes toward silent leaks. With probes still underway, one thing becomes clear: oversight of outside connections matters more now than ever. When digital intruders challenge what companies say, credibility hinges on openness. Tight rules around setup adjustments help reduce weak spots. How firms handle disclosures can shape public trust just as much as technical fixes. Clarity during crises often separates measured responses from confusion.
Read more »
Subscribe to: Posts (Atom)