Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
SafeBreach
Android Data Breach Gemini Google notifications SafeBreach

Researchers Show How Android Notifications Could Be Used to Manipulate Google Gemini

 





Security researchers have disclosed a now-remediated flaw that could have allowed specially crafted notifications from common messaging and social networking applications to influence the behavior of Google Gemini on Android devices.

The research was conducted by SafeBreach researcher Or Yair, who found that Gemini's ability to access and process notifications could be abused to deliver hidden instructions through otherwise legitimate messages. According to the findings, the technique did not rely on malware or a rogue application being installed on a target device. Instead, any service capable of sending a notification, including WhatsApp, Slack, Signal, Instagram, Messenger, or SMS, could potentially be used to deliver malicious content.

The study builds on SafeBreach's earlier "Invitation Is All You Need" research, which demonstrated how malicious Google Calendar invitations could manipulate Gemini through indirect prompt injection. Following that disclosure, Google introduced new safeguards designed to prevent external content from influencing sensitive actions. Yair's latest work examined whether similar manipulation could still occur through a different source of user data.

At the center of the issue was Gemini's Utilities feature on Android. The functionality allows the assistant to read, manage, and respond to notifications from connected applications. Researchers found that under certain circumstances, notification text could be interpreted not only as information but also as instructions that influenced the assistant's responses and actions.

Because the feature is available on Android devices and not through Gemini's web version or iOS implementation, the attack scenario was limited to Android users who had granted Gemini access to notifications.

According to SafeBreach, the number of potential entry points was unusually large because notifications can originate from countless applications and online services. This meant attackers would not necessarily need direct access to a device. Delivering a crafted notification could be sufficient to introduce malicious instructions into Gemini's processing workflow.

One of the simpler demonstrations involved altering the information Gemini presented to users. Researchers showed that manipulated notifications could cause the assistant to relay fabricated messages while making them appear to originate from legitimate contacts. In some scenarios, Gemini could process real notifications first and then attribute attacker-controlled content to an actual sender already present in the notification queue.

The researchers noted that this type of deception could be particularly effective when users interact with Gemini through voice. For example, someone driving a vehicle may hear a message that appears to come from a manager, colleague, or trusted contact and have little opportunity to verify the information displayed on the screen.

The research also examined Google's post-Calendar security protections. According to Yair, Gemini included mechanisms intended to prevent sensitive actions from being triggered without proper authorization. These checks evaluated both the user's response and the assistant's preceding output to determine whether a requested action was consistent with the conversation.

During testing, direct attempts to inject hidden commands were repeatedly blocked. To overcome these restrictions, Yair developed a technique called "Fake Context Alignment," which sought to make a user's approval appear valid to Gemini's authorization system while obscuring the true request from the user.

One variation involved displaying a sensitive authorization prompt in a language unfamiliar to the victim. Researchers used an example where a request such as "Do you want to open the window?" appeared in Chinese while a harmless English-language question followed. If the user responded with "Yes," Gemini could potentially associate that response with the hidden authorization request rather than the visible conversation.

A second technique relied on differences between information displayed on-screen and information spoken aloud by Gemini's text-to-speech system. Researchers found that certain hidden content embedded within hyperlinks might not be read aloud. In a demonstration, the visible interface contained a sensitive authorization request while the spoken response presented a routine message, increasing the likelihood that a user would unknowingly approve an action.

SafeBreach reported that combining these techniques increased the chances of bypassing the authorization safeguards that Google had introduced after the earlier Calendar-based attack research.

Once authorization was obtained, the researchers demonstrated several potential outcomes. Through integrations with Google Home, Gemini could interact with connected smart-home devices, including windows, lighting systems, and boilers. Additional demonstrations involved opening websites that could expose a user's approximate location through IP address information or trigger file downloads.

The research also explored interactions with third-party applications. In one proof-of-concept scenario, Gemini followed a trusted web address that later redirected to a Zoom link, resulting in the device joining an online meeting. SafeBreach emphasized that this occurred within a controlled testing environment and stated that its own public domain was not configured to redirect users to Zoom. Instead, the redirect was performed through a local test server used during the demonstration.

Researchers additionally identified a persistence mechanism involving Gemini's memory capabilities. Unlike the earlier Calendar-based research, the notification technique enabled the assistant to store attacker-controlled information as long-term memory. In one demonstration, Gemini was persuaded to remember an incorrect name for the user. Because memory is associated with a Google account rather than a single device, inaccurate information could potentially appear wherever that account later accessed Gemini.

The study also demonstrated the creation of recurring automated tasks. Researchers showed that instructions could potentially be scheduled to execute repeatedly, including examples involving regular access to recent messages at specific times.

SafeBreach disclosed the findings to Google's Vulnerability Reward Program on August 17, 2025. Google classified the report as a high-priority issue and later confirmed that changes to its content-classification systems mitigated both the notification-based prompt injection technique and the related authorization bypass method. The company confirmed the remediation on November 14, 2025.

No CVE identifier was assigned to the issue, and SafeBreach stated that it found no evidence indicating the technique had been exploited in real-world attacks before the fixes were implemented.

Because Google's mitigation was deployed through server-side updates, users did not need to install a software update to receive protection. However, individuals seeking additional safeguards can restrict Gemini's access to notifications by disabling the Utilities feature through Connected Apps settings or by revoking the Google app's notification-reading permissions on Android.

The findings provide another example of the security challenges that emerge as AI assistants gain access to messages, notifications, calendars, and connected services. As these systems become increasingly capable of performing actions on behalf of users, researchers continue to examine how external content can influence AI-driven decision-making and whether existing safeguards are sufficient to prevent misuse.

Read more »
VISA
Cyber Fraud Data Breach sensitive information UK government VISA

UK Visa Application Service Left More Than 100,000 Identity Documents Accessible Online

 




A private visa assistance website used by travelers seeking permission to enter the United Kingdom left a large collection of customer records accessible online, exposing passport copies, identity verification photographs, and location information linked to applicants.

The website, known as UK Visa Portal, offers paid assistance for visa and travel authorization applications. The platform is not operated by the U.K. government, although reports indicate that some users may have mistaken it for an official government service and paid application-related fees through the site instead of using government channels.

The exposure came to light after an individual discovered a security issue affecting the platform and reported it to journalists. According to information shared by the source, the accessible records included more than 100,000 files uploaded by applicants during the visa application process. These files reportedly contained passport images and selfie photographs that users submitted to verify their identities.

Following inquiries from journalists, the exposed data was secured. However, details regarding how long the information remained accessible have not been publicly disclosed.

According to reporting on the incident, the exposed records were stored in an Amazon-hosted cloud storage repository used by UK Visa Portal. While the storage system did not openly display a list of documents to the public, individual files could still be accessed by anyone who possessed the correct web address. The individual who identified the issue stated that a flaw within the website's backend functionality made it possible to view references to files stored in the cloud environment.

Journalists investigating the incident reportedly verified the authenticity of the exposed records by contacting individuals whose documents appeared in the dataset. Those contacted confirmed that the information matched records they had submitted through the platform.

Beyond passport scans and identity photographs, some uploaded images reportedly contained embedded geolocation metadata. This information can be automatically recorded by smartphones and digital cameras when a photograph is taken. In certain cases, the metadata was reportedly detailed enough to reveal the location where the image was captured, including locations associated with applicants' residences.

The exposure of identity documents can create opportunities for fraud and impersonation. Passports, facial images, dates of birth, addresses, and other personal identifiers are frequently used during account verification processes. If obtained by unauthorized parties, such information may be used in attempts to create fraudulent accounts, bypass identity checks, or conduct targeted social engineering operations.

The handling of the incident has also left several questions unanswered. Reports indicate that journalists attempted to notify the company about the security issue but were unable to identify a dedicated vulnerability reporting channel. The website reportedly did not provide public contact information for company executives or security personnel responsible for addressing cybersecurity matters.

After initial contact was made through customer support, a manager was identified as a potential point of contact. However, reports indicate that direct engagement with company management did not occur. Instead, communication later involved representatives from a public relations firm and attorneys from a U.S.-based law firm.

Following publication of the findings, journalists sought additional information regarding the incident, including the length of time the storage repository remained exposed, whether access logs exist, whether any files were downloaded by unauthorized parties, and who oversees cybersecurity operations within the organization. Public answers to those questions have not been released.

The company is reportedly linked to an organization called Active Leadgen LLC, which is described as having connections to the United Arab Emirates. However, independent verification of the ownership structure has not been publicly established.

The incident comes amid increasing reliance on online identity verification systems by governments, financial institutions, and digital service providers. As more organizations require users to submit passports and photographs electronically, the protection of those documents has become a critical responsibility for any company handling sensitive personal information.

Applicants seeking authorization to travel to the United Kingdom are generally advised to confirm that they are using official government services before submitting identity documents or making payments. In most cases, travelers can complete the application process directly through official U.K. government channels without relying on third-party visa assistance platforms.

Read more »
WordPress Security
Admin Account Compromise Cyber Threats Data Breach Payment Card Skimmer Plugin Vulnerability Supply Chain Attack Website Takeover WooCommerce Security WordPress Security

WordPress Plugin Security Failure Opens Door to Payment Data Theft


 

Cybercriminals have been actively exploiting a critical flaw in the widely deployed Funnel Builder plugin in order to harvest customer payment information during online transactions in a newly uncovered attack campaign, once again highlighting the security risks that face the WordPress e-commerce ecosystem. 

According to security researchers, attackers are exploiting this vulnerability to silently inject malicious code into WooCommerce checkout pages, transforming legitimate payment workflows into points of data collection that are used to steal payment card information. 

Approximately 40,000 websites are reported to have been infected with the plugin, posing a serious threat to online retailers as the vulnerability exposes sensitive customer data, including payment card information, CVV number, billing information, and other personal identifiers, to unauthorized access. Linked to the discovery was an extensive security incident affecting the WordPress ecosystem, in which researchers discovered malicious code embedded within several widely used plugins, allowing attackers to gain access to vulnerable sites at an administrator level. 

The full scope of the attack is still being investigated, but early indications indicate that a number of plugins with significant installations may have been affected, thereby expanding the attack surface substantially. 

A threat actor may be able to bypass conventional authentication controls by create privileged accounts covertly and gain persistence over website environments. This allows them to manipulate content, exfiltrate sensitive business and customer data, deploy additional malware payloads, or take full control of the affected platform by manipulating site content. It is important to understand how a single compromised plugin component can quickly become a source of global supply chain security concerns, presenting a heightened risk to both website operators and their users. 

Based on further analysis, it was found that the vulnerability emerged from an unauthenticated flaw in Funnel Builder versions before 3.15.0.3, which enabled attackers to manipulate key plugin settings without requiring valid credentials.

More than 40,000 WordPress websites are hosting the plugin, which is widely used by WooCommerce merchants to create customized checkout experiences, landing pages, and sales funnels focused on conversions, amplifying the impact of exploitation. According to Sansec researchers, the malicious activity was associated with a deceptive JavaScript payload disguised as Google Analytics or Google Tag Manager components. 

A WebSocket connection is established between the script and the attacker-controlled infrastructure, and the script abuses a vulnerable checkout endpoint to inject arbitrary code into the plugin's External Scripts configuration. 

By loading malicious JavaScript automatically during checkout pages, a tailored payment skimmer silently captures the customer's credit card numbers, CVV codes, billing details, and other information provided by the customer. It is common for stolen payment data to be monetized through fraudulent purchases or traded on underground carding markets.

FunnelKit has addressed the issue by releasing version 3.15.0.3, and acknowledges unauthorized script injection activity has been reported. The security update must be deployed immediately, but administrators should also inspect checkout-related script configurations for unauthorized entries that may have been introduced prior to the security update implementation. 

A review of software supply chain security within the WordPress ecosystem has also been initiated following the incident. Investigations are underway to determine whether the compromise resulted from vulnerabilities within plugin development workflows, third-party dependencies, or supporting infrastructure utilized during software development. 

The threat actors are increasingly targeting the development environment and shared code libraries, since a successful intrusion can propagate malicious functionality across a wide range of downstream deployments. There are indications that the injected code in this case is intended to circumvent standard authentication controls in order to establish privileged access to the account, perhaps by manipulating back end data structures or abusing application logic responsible for account provisioning.

After gaining access to the administrator-level accounts, attackers have broad control over the affected environment, allowing them to deface the website, steal customer records, and deploy additional malware, as well as maintain persistent access to the environment. As a consequence of the compromise, there are also opportunities for secondary abuse, including the insertion of phishing content, malicious redirects, and SEO spam intended to manipulate search engine rankings without being noticed by site operators. 

Aside from the immediate technical impact, organizations may be liable for considerable recovery costs, regulatory obligations relating to data exposure, incident response expenses, and long-term reputational damage, particularly if customer trust and online transactions form an integral part of their business model. WordPress plugin compromises serve as a reminder that cyber threats are increasingly targeting trusted components that support digital businesses rather than the businesses themselves. 

A number of websites can become entry points for large-scale abuse as attackers continue weaponizing software dependencies, plugin ecosystems, and checkout infrastructure. Organizations which rely on WordPress and WooCommerce require security management that transcends patching vulnerabilities as soon as they are discovered; it is imperative to continuously monitor third-party components, implement strict access controls, detect proactive threats, and regularly review the integrity of the website.

Keeping visibility across the entire application supply chain remains one of the most effective ways to combat emerging threats, particularly in an environment where a single compromised plugin may compromise sensitive customer information.
Read more »
pharmaceutical services
Data Breach financial data exposure Healthcare pharmaceutical services

West Pharmaceutical Services Reports Data Breach and Encrypted Systems

 




West Pharmaceutical Services has confirmed that it suffered a cybersecurity incident that resulted in both data theft and the encryption of parts of its internal network, making it the latest major manufacturing and healthcare-related company to face operational disruption from a cyberattack.

In a filing submitted to the U.S. Securities and Exchange Commission (SEC), the company stated that it identified suspicious activity on May 4, 2026, and later determined on May 7 that an unauthorized actor had exfiltrated certain data and encrypted multiple systems within its environment. The company described the breach as a “material cybersecurity attack,” indicating that the incident was serious enough to potentially affect operations or business continuity.

Following the initial detection of the intrusion, West Pharmaceutical said it immediately activated its incident response procedures. As part of its containment efforts, the company proactively shut down and isolated affected systems across its global infrastructure, restricted access to enterprise resources, informed law enforcement authorities, and brought in external cyber-forensic specialists to assist with the investigation and recovery process.

The investigation into the incident is still ongoing, and the company says it is currently working to determine the full scope and nature of the breach, including exactly what type of information may have been stolen during the attack.

West Pharmaceutical Services is a publicly traded American pharmaceutical manufacturing company and a member of the S&P 500 index. The firm generates more than $3 billion in annual revenue and employs over 10,800 people worldwide. Its business focuses heavily on injectable drug packaging systems, syringe and vial components, containment technologies, and medical drug delivery devices used throughout the healthcare and pharmaceutical sectors.

The cyberattack disrupted several parts of the company’s global operations, particularly systems tied to manufacturing, shipping, and other enterprise functions. West Pharmaceutical stated that some of its core systems supporting production and distribution activities have now been restored, while manufacturing operations have partially resumed in certain areas. However, the company acknowledged that the full restoration process has not yet been completed and did not provide a timeline for when all systems are expected to return to normal operation.

At this stage, the company has also not estimated the financial impact the incident may have on its business.

West Pharmaceutical further stated that it has taken measures intended to reduce the risk of the stolen information being distributed or exposed publicly, although it did not disclose what those mitigation steps involve.

In a statement shared after media inquiries, a company spokesperson said the organization initiated both incident response and crisis management procedures immediately after discovering the intrusion. The company added that containment actions included shutting down and isolating affected on-premises infrastructure, limiting access to enterprise systems, and implementing additional technical and organizational security measures.

West Pharmaceutical also confirmed that it engaged Palo Alto Networks’ Unit 42 incident response team to assist with containment, forensic analysis, and system recovery efforts alongside outside legal counsel and other external experts.

As of now, no ransomware group has publicly claimed responsibility for the attack. However, cybersecurity analysts note that incidents involving both data exfiltration and system encryption often resemble modern double-extortion ransomware operations, where attackers not only lock systems but also threaten to leak stolen information to pressure victims into negotiations.

The incident also reflects a broader trend affecting manufacturing and healthcare supply chains, sectors that have increasingly become targets for cybercriminal groups because operational downtime can quickly disrupt production, logistics, and critical services. Security experts continue to warn that attacks against pharmaceutical and healthcare-related manufacturers can have consequences extending beyond financial losses, particularly when production environments and supply chain systems are affected.

Read more »
stolen data
BWH Hotels Data Breach Login Credentials scams stolen data

BWH Hotels Confirms Cyberattack Exposed Customer Reservation Information

 



BWH Hotels, the parent company of hotel brands including Best Western Hotels & Resorts, WorldHotels, and SureStay Hotels, has disclosed a cybersecurity incident that exposed sensitive guest reservation data.

The company recently began notifying affected individuals after detecting unauthorized access within its systems earlier this year. According to the breach notification, BWH Hotels discovered the incident on April 22, 2026. The organization said attackers managed to obtain customer information stored within a web application connected to hotel reservations.

The stolen data reportedly includes customers’ names, email addresses, phone numbers, and home mailing addresses. Reservation-related details were also accessed, including booking confirmation numbers, stay dates, and special requests submitted by guests during reservations.

While the company did not reveal how many individuals were impacted, the exposed information appears to cover records generated between October 14, 2025, and April 22, 2026. BWH Hotels also did not specify how long the attackers may have remained inside its systems before the intrusion was identified.

According to the company’s Chief Technology Officer Bill Ryan, the attackers exploited a weakness in a web-based application that stored certain guest reservation information. However, the company stated that the compromised environment did not contain customers’ payment card details or banking information.

After identifying the intrusion, BWH Hotels said it immediately disabled the affected application and blocked the unauthorized access. The company also confirmed that external cybersecurity specialists were brought in to assist with the investigation, incident response, and additional security improvements.

Ryan further warned customers to remain cautious when receiving unexpected communications related to hotel reservations or travel bookings. Cybercriminals frequently use stolen reservation data to launch convincing phishing campaigns by impersonating hotels, travel agencies, or customer support teams.

The company advised customers not to respond to suspicious emails, text messages, WhatsApp messages, or phone calls requesting payments, login credentials, security codes, or verification details, even if those communications appear to reference an upcoming reservation or a BWH Hotels property. Customers were also encouraged to visit official websites directly instead of clicking links sent through messages.

Cybersecurity experts have repeatedly warned that hospitality companies remain attractive targets for attackers because hotel reservation systems store large volumes of personal information connected to travel activity. Even when financial records are not exposed, reservation data can still be valuable for social engineering scams, identity fraud, and targeted phishing operations.

In recent years, researchers have observed a rise in travel-related phishing schemes where attackers use stolen booking information to send fake payment requests or fraudulent reservation updates. Because these messages often contain real travel dates or hotel details, victims may find them more believable than ordinary scam attempts.

BWH Hotels operates approximately 4,300 properties across more than 100 countries and generates annual revenue exceeding $8.5 billion, making it one of the largest hospitality groups globally. The company has not publicly attributed the incident to any specific threat actor, and it remains unclear whether additional customer information may have been affected as the investigation continues.

Read more »
ShinyHunters
Canvas LMS Data Breach Instructure Breach Login Page Defacement Ransomware Attack School Cyberattack ShinyHunters

Threat Campaign Targets School Login Systems After Alleged Instructure Hack


 

The initial appearance of a routine service disruption within one of the most widely used academic learning platforms in the world quickly evolved into a significant cybersecurity issue as threat actors associated with the ShinyHunters group allegedly compromised Instructure's Canvas system. 

A large number of educational institutions experienced widespread operational instability as a result of the incident, which exposed sensitive academic and identity-related records, disrupted coursework timelines, and resulted in the defacement of several school authentication portals. 

A growing concern over the potential release of a data set reportedly affecting thousands of institutions as well as hundreds of millions of students and employees led Instructure to reveal that it had reached an agreement with the unauthorised actor responsible for the intrusion language that cybersecurity analysts interpreted as an indication of ransom negotiations. ShinyHunters collective claims to have successfully compromised Instructure's infrastructure for the second time in just a few weeks, further escalating the issue. 

The breach resulted in school authentication portals were made public and were affected in addition to backend systems. The incidents took place during final examination periods across several institutions using Canvas, causing even more disruption for administrators, educators, and students experiencing intermittent outages as a result of the earlier intrusion disclosed on April 30.

The Instructure platform had acknowledged that "criminal threat actors" were responsible for unauthorized access to parts of its environment, but subsequent activity indicates the attackers were still able to manipulate externally accessible services. 

When threat actors were reportedly injected malicious HTML components into Canvas login pages, unauthorized message prompts were found attributed to ShinyHunters, effectively defacing the authentication screens utilized for coursework management, assignment submissions, and academic communication, multiple Canvas login pages were later found displaying unauthorized messages attributed to ShinyHunters.

According to the message posted by the group, the allegedly stolen data will be made public on May 12 unless the company enters into a "settlement" negotiations. Parts of Instructure's online infrastructure appeared unstable during the escalation process, with some services intermittently returning "too many requests" errors while Canvas displayed maintenance notices indicating ongoing remediation and containment efforts throughout the company's network infrastructure. 

According to further disclosures, the breach affected a wide spectrum of academic stakeholders, including students, faculty, and institutional staff, with portions of information reportedly relating to minors. Despite Instructure's claims that passwords and highly sensitive authentication credentials were not compromised, the attackers are said to have obtained substantial amounts of information regarding personal identification and platform usage, such as usernames, e-mail addresses, student identification numbers, and private communications exchanged within the learning management system. 

According to the company, the initial compromise was terminated, remediation measures were implemented across the affected systems, and Canvas services were restored after containment procedures were initiated to prevent additional intrusions. However, ShinyHunters later stated it had successfully breached the platform again, this time targeting institution-specific authentication portals, thereby putting the company under pressure to enter into a settlement negotiation related to the earlier data theft, despite these efforts. 

As part of the extortion attempt, the group used stolen data as a means of coercion following network intrusions, which is a well-established operational pattern, however, the apparent recurrence of unauthorized access raised concerns regarding residual vulnerability issues within Instructure's network infrastructure. Canvas was brought offline once again following the second disruption, prompted the company to remove the component identified as being at the root of the incident  the Free-for-Teacher environment. 

Instructure acknowledged in an updated incident disclosure that investigators had identified a vulnerability associated with support ticket functionality within the Free-for-Teacher system, which threat actors allegedly exploited to facilitate the latest security breach. By putting the incident on its leak portal, ShinyHunters had earlier accepted public responsibility for the initial intrusion. 

The tactic is commonly used by ransomware and extortion-focused groups to increase pressure on targets by threatening data release under controlled circumstances. In the wake of the recent compromise, the attackers have attempted to reach out directly to media outlets regarding the defaced Canvas login pages, suggesting they are attempting to escalate the attack not only against Instructure but also against the thousands of educational institutions that rely on the platform for their operations. During ongoing negotiations regarding the previously stolen data, cybersecurity analysts viewed the public defacement as an attempt to amplify reputational and operational pressures. 

In spite of the fact that there is no clear indication of how the school-specific authentication pages were compromised, ShinyHunters officials have indicated the breach has been a separate one from the original attack, but declined to provide any further technical information regarding the method used to gain access to the system. 

The group claims to have stolen data from nearly 9,000 educational institutions around the world; these records are believed to belong to approximately 231 million people. Following the earlier compromise, the group claimed to have exfiltrated information related to nearly 9,000 educational institutions. 

A key component of the campaign was a mirroring of the threat group's established operating model, which is typically composed of a combination of network intrusion, public exposure of victims through leak sites, and sustained extortion efforts to maximize financial leverage following the theft of large amounts of data. There has been an increased focus on security architecture of cloud-based education platforms in the wake of the incident, which has become a critical infrastructure for academic operations worldwide.

In addition to disrupting coursework and institutional systems for the immediate period, the exposure of student communications and identity-linked records, particularly involving minors, demonstrates the long-term risks associated with large-scale compromises of digitally centralized learning environments. 

During the remediation and forensic investigation efforts, Instructure is likely to establish the breach as a landmark in the field of ransomware and extortion, which increasingly target educational technology ecosystems where operational urgency and reputational pressure can lead to high-stakes cybersecurity incidents.
Read more »
data security
AI coding tools Consumer Data Exposure Corporate Data Breach cybersecurity vulnerabilities Data Breach data security

AI Coding Tools Expose Thousands of Apps With Sensitive Corporate Data Online

 

Thousands of web applications built using AI coding tools have been found publicly accessible online without proper security protections. Researchers at RedAccess identified more than 5,000 exposed apps tied to companies, many revealing private information to anyone with the correct URL. Employee records, customer conversations, system plans, and financial files were among the exposed materials. The problem wasn’t faulty code but missing security setup steps that many users overlooked. 

In many cases, public access remained enabled long after deployment, creating silent data leaks that went unnoticed for months. Many of the vulnerable apps were created using platforms like Replit, Netlify, Base44 owned by Wix, and Lovable. Nearly 2,000 apps appeared to contain genuine sensitive information, including advertising spending reports, company strategy documents, chatbot logs, customer contact details, hospital personnel records, and financial summaries. 

According to RedAccess researcher Dor Zvi, the issue is linked to the rise of “vibe coding,” where non-technical employees use AI tools to rapidly build and publish web applications. Since these platforms make development extremely simple, apps can go live within minutes without any review from engineering or cybersecurity teams. Researchers found the exposed apps through basic Google and Bing searches because many AI coding services host projects publicly on shared domains by default. 

Some applications exposed private information without requiring logins, while others reportedly allowed outsiders to gain administrative control over backend systems. The exposed data covered multiple industries. Hospital staff schedules listing doctors’ identities appeared alongside marketing strategy presentations, shipping records, retailer chatbot conversations, and detailed advertising campaign budgets. Such leaks could expose sensitive competitive information, including business planning timelines and financial allocations. 

The investigation also uncovered phishing websites hosted directly on AI coding platform domains. These fake pages impersonated major companies including Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s. The platforms disputed parts of the findings while acknowledging that publicly accessible apps existed. Amjad Masad said users choose whether apps remain public or private. Lovable emphasized that creators are responsible for configuring security correctly, while Wix stated weakening protections requires deliberate user actions. 

Security experts argue the broader issue remains serious because AI coding tools rarely enforce strong safeguards automatically. Many employees using them lack training in authentication systems or permission controls, allowing insecure deployments to slip through unnoticed. Researchers say the situation resembles earlier waves of exposed Amazon S3 cloud storage buckets, where confusing defaults and user mistakes left sensitive files publicly accessible. 

AI-powered coding platforms may now be accelerating similar risks on a larger scale as businesses increasingly rely on AI tools for internal dashboards, marketing systems, client portals, and reporting applications. Experts also warn the true scale may be far larger. The 5,000 discovered apps only included projects hosted directly on AI platform domains. Thousands more could exist on privately owned domains that standard searches cannot easily detect. 

As AI-generated development grows rapidly, companies are now under pressure to strengthen oversight, improve employee training, and introduce stricter security reviews. Without stronger safeguards, fast AI-assisted app creation could continue exposing confidential corporate and personal information online.
Read more »
Password theft
2FA Credential Theft Data Breach MaaS Password theft

What Really Happens After Your Password Gets Stolen? Researchers Trace the Cybercrime Pipeline

 



Password theft operations continue to expand despite growing public awareness campaigns around online security. Infostealer malware remains active, compromised accounts continue circulating across underground marketplaces, and stolen credentials are still being used for financial fraud, ransomware attacks, and unauthorized access to online services.

New research published by Comparitech examined how stolen passwords move through cybercriminal networks after they are first compromised. The study analyzed more than 447,000 credential leaks, breach threads, and password dumps posted across four major cybercrime forums. Altogether, the dataset contained roughly 1.1 million compromised user records collected between 2013 and 2026.

The report focused on understanding where leaked passwords ultimately end up and how attackers process them before they are used in large-scale attacks.

For many users, discovering that a password has been exposed can create immediate panic, particularly because credential theft incidents have increased sharply in recent years. Previous security reporting found that nearly 2.8 billion credentials were exposed during 2025 alone. Researchers have also raised concerns about browser-stored passwords after reports that credentials saved in browsers may sometimes become accessible in plaintext form within system memory. At the same time, stolen credentials are increasingly being used to abuse retail, cloud, and subscription-based services.

According to Comparitech researcher Paul Bischoff, analysts including Mantas Sasnauskas reviewed databases from four cybercrime forums to understand how stolen passwords are accessed, redistributed, combined, and eventually weaponized in credential-stuffing campaigns, ransomware intrusions, business email compromise incidents, and account takeover attacks.

The researchers outlined a five-stage credential supply chain. The first stage, known as “origin,” refers to how passwords are initially stolen before appearing on underground forums. The report identified infostealer malware and data breaches as the two most common starting points.

Infostealer malware is designed to silently collect sensitive information from infected devices. This can include browser-saved passwords, authentication cookies, autofill data, cryptocurrency wallet information, and session tokens that attackers can later exploit to bypass login protections.

The final stage of the supply chain involves the eventual use of stolen credentials in attacks such as ransomware deployment, unauthorized account access, and corporate breaches. However, the researchers said the middle stages of the ecosystem reveal the most about how the underground password economy functions.

The wholesale stage represents the broker market for stolen access. In this phase, attackers sell compromised credentials directly to other criminals. The report pointed to the Russian-language cybercrime forum RAMP, where pre-authenticated access to corporate systems was allegedly being offered for sale using stolen login credentials. This type of access is especially valuable because it can provide immediate entry into business networks.

The next stage, trade, involves credentials being reposted, exchanged, resold, or distributed across multiple hacker forums. Some datasets are uploaded for free to build credibility inside underground communities, while others are placed behind paid marketplaces where buyers can purchase access to larger credential collections.

The aggregation stage centers around the creation of “combolists,” which are massive databases containing usernames and passwords collected from multiple breaches. The most valuable combolists are typically cleaned and deduplicated to remove repeated records and improve their effectiveness.

Attackers frequently use these combolists in credential-stuffing operations, where automated tools test stolen username-and-password combinations across many different websites. Because many users reuse passwords across platforms, one compromised credential can sometimes unlock email accounts, banking services, shopping platforms, or workplace systems tied to the same login information.

Researchers and cybersecurity analysts have repeatedly warned that the underground market for stolen credentials continues growing alongside the rise of malware-as-a-service operations and initial access brokers. In recent years, infostealer logs containing browser credentials and authentication cookies have become widely traded across dark web forums and encrypted messaging platforms.

The report also examined how users can reduce the risk of credential theft. Security professionals continue encouraging users to adopt passkeys whenever possible because passwordless authentication systems are significantly harder to steal and reuse in automated attacks.

Experts additionally recommend avoiding password reuse across websites and services, since a single breach can otherwise expose multiple accounts at once. Password managers can help users generate and store unique credentials securely, while two-factor authentication adds another layer of verification that can block unauthorized logins even if a password becomes compromised.

As cybercrime groups continue refining credential theft operations, researchers believe password-based security systems may gradually become less reliable for protecting online accounts in the long term.

Read more »
Instructure
AI Canvas Cloud Data Breach Data Leak data security Instructure

Data Leak: Instructure, Canvas Allegedly Hacked, ShinyHunters Claim Responsibility


Instructure, a cloud-based LMS Canvas company was hit by a massive data attack. Ransomware gang ShinyHunters claimed responsibility for the attack, saying that it had stolen data related to 280 million students, teachers, and school staff.

100s of GBs data leaked

The data breach accounts for hundreds of gigabytes, possibly leaking Canvas users’ email ids, private messages, and names. 

Instructure revealed in May that it was hit by a data breach. The Canvas incidents of 8,809 universities, educational platforms, schools were impacted by the attack. ShinyHunters said that the numbers range between tens of thousands to several millions per institution.

It is concerning that a lot of K-12 students’ data has been leaked. If your child has been affected by the data breach, Malware Bytes can help in what to do next and how to stay safe.

Canvas compromised

Various students who tried using Canvas after the cyberattack received the message from ShinyHunters blackmailing to leak the data if Instructure did not contact the hackers by May 12. Canvas was shut down offline for various students following the incident, but it is now available for most users. 

GTA 6, Studio Rockstar were blackmailed too

ShinyHunters has been killing it this year, with only high profile targets in its track records. The group asked for a ransom from GTA 6 (a video game) Studio Rockstar in April. But in reality, it was a hoax demand as the hackers did not have anything important/worthy to leak. 

Nvidea Geforce allegedly hacked

But recently, the group allegedly claimed responsibility for the Nvidea’s GeForce Now breach, claiming to have “pulled their entire database straight from the backend."

Shiny hunters all over the place

In the Canvas incident, ShinyHunters allegedly stole user records through exposrting features inside the platform. This consists of DAP queries, APIs, and provisioning reports, according to Bleeping Computers. “The unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” Instructure said. 

It also added that it “revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms." 

The impact

Instructure also “engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements.”

However, it might be too little, too late—parents are unlikely to overlook the possibility of disclosing their children's information. The much bigger problem, though, is the disastrous harm ShinyHunters has caused to Canvas's operations and reputation, as malware historian vx-underground stated on X.

Read more »
ShinyHunters
Academic Network Security Canvas cyberattack Data Breach Education Sector Security Phishing Threats Ransomware Attack ShinyHunters

Ransomware Attack Disrupts Grading Platform Used by LBUSD Cal State and LBCC


 

A cyberattack linked to the ShinyHunters extortion group temporarily disrupted educational operations across a number of educational institutions in the United States, causing concern over the potential exposure of sensitive student and faculty data. These institutions continued to restore access to Canvas this week. Although several universities and school districts have been able to resume normal access following recovery efforts coordinated by Canvas parent company Instructure, the incident continues to affect portions of the education sector. 

Administrators have assessed the broader impacts of the breach and reviewed claims regarding the compromise of data belonging to hundreds of millions of platform users around the world. After the incident was triggered on Thursday, teachers and students at Long Beach Unified School District, California State University Long Beach and Long Beach City College were suddenly unable to access Canvas, the cloud-based platform widely used for coursework, grades, assignments and internal communication, the operational impact of the incident became more apparent. 

According to district officials, they were informed earlier this week that Instructure, the company which provides Canvas, had discovered that certain user-identifying information related to customer environments had been accessed without authorization. In spite of the company's initial assertion that the incident had been contained and that core platform operations continued, educators later reported that login attempts redirected users to ransom-style messages allegedly associated with the ShinyHunters cybercriminal group upon attempting to log in.

Apparently, the notice instructed affected institutions to engage a cyber advisory firm and negotiate payment terms before a specified deadline otherwise compromised data could be exposed to the public. Despite the fact that the full extent of the intrusion is still under investigation, notifications sent to campus users indicate that names, email addresses, institutional identification numbers, and confidential communications may have been compromised. 

A response from Instructure was that portions of the platform environment had been disabled, the underlying vulnerability had been rectified, digital forensic specialists were engaged, and federal authorities, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, were coordinated. 

A significant number of academic institutions are experiencing the disruption at the same time, with final examinations at California State University Long Beach rapidly approaching. Since Canvas serves as the primary repository for instructional content, coursework, and student records, several educators have described the outage as operationally disrupting, even though some teachers have been able to maintain continuity by using externally hosted materials and collaboration tools through Google. 

Cybersecurity experts caution that, while the current incident has mainly disrupted colleges and universities, K-12 institutions have also faced repeated operational and data security challenges related to attacks against the education technology infrastructure. Researchers referred to the Los Angeles Unified School District cyberattack of 2022, when a ransomware-related intrusion disabled critical district systems over Labor Day weekend, disrupting internal communication, attendance tracking, and classroom instruction. 

Approximately 2,000 student assessment records, together with additional sensitive information, including driver’s license numbers and Social Security numbers accumulated over multiple years, were later published on the dark web as a result of the incident. Recovery efforts lasted for weeks during which administrative and technical staff restored systems and coordinated password resets for over 600,000 user accounts.

According to security researchers, incidents associated with platforms such as Canvas can create long-term phishing and social engineering risks even after services have been restored. A Norton security analyst, Luis Corrons, emphasized that information exposed by the company includes names, institutional email addresses, student identification numbers, and internal academic communications, which could provide threat actors with the necessary context to create highly convincing phishing campaigns impersonating legitimate school notifications regarding grades, coursework, financial aid, and password resets.

In addition to Anton Dahbura's concerns, the executive director of the Johns Hopkins University Information Security Institute advised institutions that residual risk may continue to exist after platform access has been restored, and cautioned against operating under this assumption. According to Dahbura, colleges and universities should encourage students and employees to change their passwords, review authentication tokens, and audit integrations with third-party platforms connected to Canvas environments. 

Likewise, colleges and universities should keep a close eye on follow-on phishing activity targeting them. Further, he emphasized that higher education is increasingly reliant on a single instructional platform, which represents a systemic risk as a whole. He advised academic institutions to develop resilience plans, implement additional security controls, and develop alternative instructional workflows that can support continuity during prolonged service interruptions. 

A centralized cloud-based learning infrastructure in the educational sector has further increased the cybersecurity vulnerability of the sector. As a result of a single third party platform compromise, thousands of academic institutions may be disrupted simultaneously if a single compromise occurs.

A continuing forensic investigation and recovery effort will require security teams on affected campuses to focus on credential protection, phishing monitoring, and access-review procedures, while assessing the degree of integration instructional platforms, such as Canvas, have made with broader institutional networks.
Read more »
leaked sensitive data
Customer Data Data Breach Data Leak Data protection data security Hacking Attack Hacking Group leaked sensitive data

ShinyHunters Vimeo Data Breach Exposes Information of Over 119,000 Users

 

Early this year, Vimeo faced a security incident leading to the theft of personal details tied to over 119,000 people by the ShinyHunters hacking collective. Information on the leak became known via Have I Been Pwned, a service tracking compromised accounts, after examining the exposed records. 

Late last month, Vimeo revealed a security issue affecting its systems. The platform, known for hosting and streaming videos globally, serves many millions of active users. Access by unknown parties came via a flaw tied to Anodot. This firm provides tools that spot irregularities in data flows. Its technology connects directly into parts of Vimeo’s infrastructure. 

The event marks one point where external partnerships introduced risk. Details emerged only after internal reviews concluded. One thing became clear: the entry did not stem from inside Vimeo's own network. Instead, it traced back to how outside services link up. Security teams now examine how third-party integrations affect overall protection levels. 

Surprisingly, early reports showed hackers obtained technical data, video metadata, and titles - sometimes even user emails. Despite the breach, payment information, account passwords, and live session tokens stayed secure, according to internal confirmation. Throughout the event, Vimeo’s main system kept running smoothly, maintaining full service availability. Unexpectedly, operations continued without noticeable interference. 

Right away, Vimeo shut down every login linked to Anodeto stop any more unwanted entry once the break-in came to light. Instead of handling things alone, outside cyber experts joined to support the inquiry. At the same time, officials responsible for enforcing laws got word about what happened. Later, even so, the hackers released a huge 106GB collection of stolen files online when talks reportedly broke down. 

That data appeared on a hidden website used by the ShinyHunters crew, who stated weak login credentials tied to Anodot opened doors unexpectedly. From there, they moved into Vimeo's storage platforms - Snowflake and BigQuery - with little resistance. Some 119,200 individuals had their email addresses disclosed, along with names in certain instances, based on findings from Have I Been Pwned after reviewing the leaked data. 

Though the breach details have circulated, Vimeo hasn’t officially verified how many accounts were impacted. Inside these breaches, access began through deceptive emails or fake support calls tricking staff. Not long ago, compromised logins gave hackers entry to identity tools like Okta and Microsoft Entra. From there, movement spread toward customer relationship software, team messaging apps, file storage, design programs, help desks, and workplace productivity suites. Cloud infrastructure and subscription-based tech now draw more attention than before. 

Breach attempts often follow weak points in unified login setups across company networks. Though main networks stay secure, outside providers sometimes open doors hackers exploit. A breach in one connected service might unlock several company areas at once. Experts observe rising incidents targeting cloud logins and partner tools for this reason. Instead of attacking central defenses, intruders shift focus to these links. Sensitive client data ends up at risk even if primary infrastructure holds firm.  

Recently, ShinyHunters took credit for hacks spanning education, retail, health care, gaming, and government bodies. Vimeo's situation shows third-party links still pose steady threats to big digital services managing vast user information. Despite different targets, weak outside connections often open doors. One breach can ripple through many layers unexpectedly.
Read more »
student data leak
Canvas LMS hack Cybersecurity Incident Data Breach Instructure data breach ShinyHunters cyberattack student data leak

Instructure Confirms Data Breach as ShinyHunters Claims Responsibility

 

Educational technology company Instructure has confirmed that user data was compromised following a cyberattack, while the cybercriminal group ShinyHunters has claimed responsibility for the breach.

The U.S.-based firm is widely recognized for developing Canvas, a popular learning management platform used by schools, universities, and organizations to manage online coursework, assignments, and communication.

The company revealed on Friday that it had experienced a cybersecurity incident and had begun an investigation with the assistance of third-party cybersecurity specialists and law enforcement authorities. A follow-up statement issued on Saturday confirmed that certain user information had been exposed during the breach.

"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," reads the updated statement.

"At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions."

As part of its mitigation efforts, Instructure said it has implemented security patches, enhanced monitoring systems, and rotated application keys as a preventive measure. Customers have also been instructed to re-authorize access to the company’s API so that new application keys can be issued.

Although the company has not publicly addressed questions regarding the exact timing of the breach or whether it was facing extortion demands, ShinyHunters has added Instructure to its data leak platform.

"Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII," reads the data leak site.

"Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved."

According to the cybercrime group, the breach occurred through a vulnerability in Instructure’s systems that has since been fixed. The hackers allege that the stolen information includes more than 240 million records linked to students, teachers, and staff members.

The leaked data is said to contain names, email addresses, enrolled course details, and private conversations between students and teachers. Information shared by the threat actors suggests the dataset may cover nearly 15,000 institutions across regions including North America, Europe, and Asia-Pacific.

At present, the full scope of the incident remains unverified, and independent confirmation regarding the number of affected schools and individuals has not yet been established
Read more »
us marines
Data Breach Hacking Group Handala hackers Iranian hackers MOIS us marines

U.S. Marines Reportedly Targeted by Iranian-Linked Hackers in New Data Exposure Incident

 



Iran-linked hacking group Handala has allegedly leaked personal information belonging to thousands of U.S. Marines deployed across the Persian Gulf region, shortly after American military personnel in the Middle East began receiving threatening messages from the group.

According to posts published on Handala’s website, the hackers claim to have released the names and phone numbers of 2,379 U.S. Marines as proof of what they described as their “intelligence superiority.” The group further claimed that the exposed information represents only a small sample from a much larger collection of data allegedly tied to American military personnel stationed in the region.

Handala asserted that it possesses additional details related to military members and their families, including home addresses, movement patterns, military base affiliations, commuting routines, shopping behavior, and other personal activities. These claims have not been independently verified by U.S. authorities.

The alleged leak surfaced days after several U.S. service members reportedly received threatening WhatsApp messages warning that they were under surveillance. The messages referenced Iranian drone and missile systems and attempted to intimidate military personnel by claiming their identities and movements were being tracked. Similar threatening communications believed to be linked to Handala were also reportedly sent to civilians in Israel earlier this week, suggesting a broader psychological and cyber influence campaign connected to escalating tensions in the Middle East.

Since the regional conflict involving Iran, Israel, and the United States intensified earlier this year, Handala has repeatedly claimed responsibility for several high-profile cyber incidents. Last month, the group allegedly leaked hundreds of emails said to have originated from the personal Gmail account of Kash Patel. The hackers have also been linked to a cyberattack targeting medical technology company Stryker, an operation that reportedly resulted in data being erased from tens of thousands of employee devices globally.

However, questions remain regarding the authenticity and quality of the newly leaked Marine data. An analysis of the published sample reportedly identified multiple inconsistencies, including incomplete phone numbers and entries that appeared to contain military contract identifiers rather than personal names. Several listed numbers reportedly connected only to automated voicemail systems.

In a limited number of cases, voicemail names reportedly matched information included in the leak. One individual contacted by reporters allegedly confirmed their identity before ending the call, while others declined to comment or redirected inquiries to military public affairs officials.

U.S. Central Command referred media questions regarding the incident to the Naval Criminal Investigative Service, which had not publicly commented on the matter at the time of reporting.

The incident comes amid growing concerns over cyber-enabled psychological operations targeting military personnel and their families. Earlier this month, Navy Secretary John Phelan urged sailors to strengthen the security of their mobile devices and social media accounts amid concerns over phishing attacks and malicious online activity. In an internal warning, he noted that threat actors may attempt to manipulate military personnel into opening harmful files or clicking malicious links designed to compromise personal accounts and devices.

Handala publicly portrays itself as a pro-Palestinian hacktivist organization. However, multiple cybersecurity firms and recent assessments from the U.S. Department of Justice have alleged that the group operates as a front tied to Iran’s Ministry of Intelligence and Security (MOIS).

Cybersecurity experts note that modern cyber campaigns increasingly combine data leaks, online intimidation, and misinformation tactics to create psychological pressure rather than relying solely on technical disruption. Analysts also caution that hacker groups sometimes exaggerate the scale or sensitivity of stolen data to amplify fear and media attention.

Although U.S. authorities have previously seized domains associated with Handala, the group continues to remain active by turning to new websites and communication platforms, including Telegram, allowing it to sustain its cyber and propaganda operations online.

Read more »
User Security
Data Breach Data Theft Medtronic Breach ShinyHunters User Security

Medtronic Confirms ShinyHunters' Theft of 9 Million Records

 

Medtronic, a leading global medical device manufacturer, recently confirmed a significant cybersecurity breach affecting its corporate IT systems. The incident came to light after the notorious hacking group ShinyHunters claimed responsibility, boasting of stealing over 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data. 

On April 17 and 18, 2026, the group listed Medtronic on its Tor-based data leak site, issuing a ransom ultimatum that expired on April 21 without public confirmation of payment or data release. Medtronic publicly disclosed the breach on April 24, 2026, via its website and a U.S. Securities and Exchange Commission Form 8-K filing, acknowledging unauthorized access but emphasizing that the intrusion was contained with no disruption to operations.

The breach targeted non-critical corporate networks, sparing patient-facing systems, medical devices, manufacturing, and distribution channels. Medtronic stated explicitly that products, patient safety, customer connections, financial reporting, and care delivery remained unaffected, as these operate on segregated infrastructure. ShinyHunters, known for high-profile extortion campaigns against over 40 organizations in 2026—including ADT, Amtrak, and Cisco—alleged the haul included sensitive PII from employees, partners, or affiliates, though Medtronic has not verified the exact volume or contents. The group's listing vanished from the leak site shortly after, fueling speculation of behind-the-scenes negotiations.

This incident underscores escalating threats to healthcare giants, where corporate IT often serves as a softer entry point for attackers. ShinyHunters has exploited misconfigured Salesforce Experience Cloud guest permissions in multiple cases, a customer setup issue rather than a platform flaw, according to Salesforce. Medtronic's response involved activating incident protocols with external cybersecurity experts to assess data exfiltration and potential exposure. An ongoing forensic investigation aims to pinpoint compromised information, with commitments to notify and support affected individuals if personal data is confirmed stolen.

The implications ripple beyond Medtronic, highlighting vulnerabilities in the medical technology sector amid rising ransomware and extortion tactics. Law firms like Schubert Jonckheer & Kolbe LLP launched investigations by early May 2026, probing liabilities for the nearly 9 million potentially impacted records. While no widespread data dumps have surfaced publicly, the breach erodes trust in supply chain security, even when clinical operations stay insulated. Healthcare firms face mounting pressure to fortify perimeter defenses as cybercriminals increasingly target administrative data for profit.

To mitigate risks from such incidents, individuals should monitor credit reports, enable two-factor authentication on personal accounts, and freeze credit if notified of exposure. Organizations are advised to segment networks rigorously, conduct regular penetration testing, patch third-party configurations like Salesforce promptly, and develop robust incident response plans. Medtronic's case reinforces the need for proactive cybersecurity hygiene to safeguard sensitive data in high-stakes industries.
Read more »
data security
ADT ADT data breach customer data leak customer data privacy Data Breach Data Extortion Data Leak data security

ADT Data Breach Confirmed After ShinyHunters Threatens Leak of Stolen Customer Information

 

Now comes word that ADT, a provider of home security systems, suffered a data breach following threats by the hacking collective ShinyHunters to expose purloined records if payment isn’t made. This event joins others recently where attackers gain access via compromised credentials or outside service providers. 

On April 20, the company noticed unusual activity within its systems - response teams moved quickly to limit exposure and launch a review from within. It turned out some customer and prospective customer details were reached and copied by those responsible. Names, contact numbers, and home locations made up most of what was seen; in a few cases, birth dates showed up alongside incomplete identification digits used for tax or government purposes. Though only a narrow collection of files was involved, steps followed to assess how far the breach extended. 

What ADT made clear is that financial details of high sensitivity stayed secure. It turned out bank accounts, credit cards, along with any payment records, remained untouched through the incident. On top of this, home security setups and active monitoring kept running without interference. Evidently, the breach never reached operational systems - only certain data areas felt its effect. After claims surfaced on a hacker forum, ShinyHunters stated they accessed more than 10 million records - some containing personal details and private business files. 
Despite the threat to publish everything unless met with demands, confirmation of the full extent remains unverified by ADT. Still, notification letters have gone out to impacted users during ongoing review efforts. What happens next depends on internal assessments already underway. One claim points to vishing as the starting point - a tactic aimed at one worker. Posing as known contacts, hackers won entry through a company-wide login system. 

Once inside, they navigated sideways into linked environments without immediate detection. Access likely extended to cloud services including Salesforce, where information was pulled from storage. Identity theft now drives many cyber intrusions, moving past old tactics that hunted software bugs. Instead of probing code flaws, hackers aim at sign-in systems like Okta, Microsoft Entra, or Google logins. Breaching one verified profile opens doors to numerous company tools. 

With entry secured, stolen information gets pulled out quietly. That data then becomes leverage - no malware needed to lock files. What happened lately isn’t new for ADT - earlier leaks of staff and client details came out earlier this year. Facing repeated issues, many companies struggle to protect digital identities while handling permissions in linked platforms. 

Still under investigation, the incident highlights how often social engineering now shapes current cyber attacks. Rather than exploiting software flaws, hackers rely on mistakes people make - slipping past defenses by tricking users. 

Because of this shift, training staff to spot risks matters just as much as strong login protections. Preventing future breaches depends less on technology alone, more on understanding human behavior. Awareness becomes a shield when passwords fail.
Read more »
Zero Click Exploits
Commercial Spyware Critical Infrastructure Security Cyber Surveillance Cyber Threat Intelligence Data Breach Digital Espionage Endpoint security Mobile Security Zero Click Exploits

Global Surge in Military Grade Spyware Puts Personal Smartphones at Risk


 

Global cybersecurity discourse is emerging with a growing surveillance threat under the surface as the UK's top cyber authority issues a stark assessment of the unchecked proliferation of commercial spyware capabilities. Initially restricted to tightly regulated law enforcement use, advanced intrusion tools are now widely used across more than 100 countries, able to remotely compromise smartphones, bypass encrypted communications, and covertly activate device sensors. 

NSO Group and an increasingly opaque ecosystem of competitors are driving this rapid expansion, signaling the shift from targeted investigative use to a wider landscape of state-aligned digital intrusion, a shift in which state-aligned cyberattacks are becoming increasingly commonplace. 

In spite of their increasing accessibility and operational stealth, enterprises and operators of critical national infrastructure are not adequately prepared for the scale and sophistication of these threats. There is an evolving threat landscape supporting it, which is supported by the increasing sophistication of modern spyware frameworks, which leverage "zero-click" exploitation chains to gain unauthorized access without requiring the user's involvement. 

NSO Group's Pegasus platform and Paragon's Graphite platform function as highly advanced intrusion suites. They exploit latent vulnerabilities within mobile operating systems to extract sensitive communications, media, geolocation information, and other artifacts through forensic minimalism. 

The commercial dynamics underpinning this ecosystem demonstrate the magnitude of the challenge as well as its persistence. As part of the United States entity list, the Israeli developer NSO Group, widely associated with high-end surveillance tooling, was listed in 2021 for its supply of technologies to foreign governments. These technologies were then utilized to target a wide range of individuals, including government officials, journalists, business leaders, academicians, and diplomats. 

In defending its claims that such capabilities serve legitimate anti-terrorism and law enforcement purposes, the company asserts that it lacks direct visibility into operational use, while retaining the right to terminate client relationships in instances of verified misuse. 

In spite of the rapid expansion of the vendor landscape, NSO Group represents only one node within it. According to industry observers, including Casey, the sector is extremely profitable and is undergoing rapid growth. There are currently dozens of firms offering comparable capabilities in this market. 

According to estimates, more than 100 countries have procured mobile spyware, an increase over earlier assessments, which indicated deployment across more than 80 national jurisdictions. Along with offering a cost-effective shortcut to the development of capabilities that would otherwise require years of development, commercial intrusion platforms offer a fast and easy means for states lacking indigenous cyber expertise.

In addition, the National Cyber Security Centre noted previously that, despite the fact that these tools are intended for law enforcement purposes, there is credible evidence that they have been used on a widespread basis against journalists, human rights defenders, political dissidents, and foreign officials with thousands of individuals being targeted annually. 

Several leaked toolkits, including DarkSword, demonstrate the dispersal of capabilities once restricted to state intelligence agencies into less controlled environments, making it possible for state-aligned and criminal actors to launch attacks by utilizing vectors as inconspicuous as compromised web sessions on unpatched iOS devices. In addition to theoretical risk models, operational exploits are being actively employed against targets who often assume device-level security as the basis of their attack. 

A notable increase in the victim profile is that it includes corporate executives, financial professionals, and organizations dealing with valuable information, as well as journalists and political dissidents. It was highlighted by Richard Horne, the director of the UK's National Cyber Security Centre, that there still remains a significant gap in industry readiness. 

Many enterprises underestimate the capability and operational maturity of these surveillance capabilities. Essentially, this shift illustrates the democratization of offensive cyber tools, where sophisticated surveillance, once monopolized by a few intelligence agencies, is now available to a broader range of state actors lacking native cyber expertise. 

As a result, these capabilities are increasingly available economically and they are unintentionally disseminated, which fundamentally alters the threat equation. Through the transition from tightly controlled assets to commercially traded products, advanced surveillance tools become increasingly difficult to contain as they are propagated through illicit channels, including corrupt procurement practices, insider exfiltration, and secondary resale markets. 

In the wake of this leakage, non-state actors, including organized criminal networks, have acquired capabilities that were previously available only to sovereign intelligence operations. The proliferation of state-linked campaigns, including those attributed to China and focused on large-scale data exfiltration, illustrates the use of such tools not only for immediate intelligence gain, but also to establish strategic prepositioning for future geopolitical conflicts. 

Traditional device-based safeguards and consumer privacy controls are only marginally effective against adversaries equipped with exploit chains developed specifically to circumvent them. International efforts to regulate and oversee exports are gaining momentum, but operational reality suggests that containment may already lag behind proliferation, which enables a significant expansion of attack surfaces across both civilian and enterprise digital environments. 

The convergence of commercial availability, technical sophistication and weak oversight has led to the normalization of capabilities that were once considered exceptional. These developments illustrate a structural shift in the cyber threat environment. 

In conjunction with the widespread adoption of such tools, and their continual evolution and leakage, there is an ongoing need for public and private sectors to assess their security assumptions at a fundamental level. There is no longer a limited need to defend against isolated intrusions for enterprises, critical infrastructure operators, and individual users, but rather to navigate a complex ecosystem where highly advanced surveillance techniques are frequently accessible and increasingly resemble legitimate activity. 

In the absence of strengthened international coordination, enforceable controls, and a corresponding increase in defensive maturity, a continued erosion of digital trust is likely, resulting in compromise becoming not an anomaly, but an expected condition of operating within a hyperconnected environment.
Read more »
Subscribe to: Posts (Atom)