Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Stolen Credentials
Cybercrime Trends Cybersecurity Threats Dark Web Data Breach Digital Security Identity Protection Online Privacy Proton Research Stolen Credentials

Security Researchers at Proton Warn of Massive Credential Exposure


 

Data is becoming the most coveted commodity in the ever-growing digital underworld, and it is being traded at an alarming rate. In a recent investigation conducted by Proton, it has been revealed that there are currently more than 300 million stolen credentials circulating across dark web marketplaces, demonstrating how widespread cybercrime is. 

According to Proton's Data Breach Observatory, which continuously monitors illicit online forums for evidence of data compromise, there is a growing global cybersecurity crisis that is being revealed. In the year 2025, the Observatory has recorded 794 confirmed breach incidents. When aggregating these data, the number increases to 1,571, which amounts to millions of records exposed to the public in the coming years. 

One of the troubling aspects of the research is the pattern of targeting small and medium-sized businesses: cybercriminals have increasingly targeted these companies. Over half of all breaches were recorded at companies with between 10 and 249 employees, while 23% of breaches occurred in micro businesses with fewer than 10 employees. 

This report highlights a growing truth about the digital age: while businesses are racing to innovate and expand online, threat actors are evolving just as quickly. As a result, the vast internet architecture has become a vibrant market for stolen identities, corporate secrets, and business secrets. 

Security breaches are still largely hidden from the public eye for many organisations due to fear of reputational damage, financial losses, or regulatory scrutiny, so they remain reluctant to reveal them. This leaves the true extent of cybercrime largely hidden from the public eye. Using Proton's latest initiative, the company hopes to break down the silence surrounding this threat by tracking it to its source: the underground marketplaces that openly sell stolen credentials and personal data.

In doing so, Proton is continuing its quest to foster a safer, more private internet, which is a vital component of the company's mission. As an extension of the Proton VPN Observatory, which monitors global instances of government-imposed internet restrictions and VPN censorship in the form of government-imposed restrictions, the Data Breach Observatory extends that vigilance to track instances of cybercrime in the form of data breaches. 

Its creation, which is made in collaboration with Constella Intelligence, is an observatory that constantly scans the dark web for new breaches, analysing the types of data compromised, including passwords and personal identifiers, as well as financial records, and the number of accounts affected. 

Through real-time monitoring, Proton can alert victims as soon as a breach occurs, sometimes even before the breached organisation realises it is happening. The Proton platform provides transparent, publicly accessible insights into these security breaches, which are aimed at both educating users about the magnitude of the threat and discouraging organisations from concealing their security shortcomings. 

There is a policy of responsible disclosure at the heart of this initiative, which ensures that affected entities are informed in advance of any public announcement relating to the incident. This is an era that has been defined by data theft and corporate secrecy since the dawn of the digital age. Proton's proactive approach serves as a countermeasure, turning dark web intelligence into actionable preventative measures. 

With this initiative, the company not only reveals the hidden mechanics of cybercrime but also strengthens its reputation as a pioneer in digital transparency and empowerment for users, allowing businesses and individuals alike a better understanding of the shadowy forces that shape today's cybersecurity landscape, as well as the risks associated with it. 

In its latest research, Proton has provided a sobering assessment of the escalating cost of cybercrime to smaller businesses. There have been an estimated four out of five small businesses in recent months that have been affected by data breaches, and these attacks have often resulted in losses exceeding one million dollars. 

As part of the growing crisis surrounding data breaches, a Data Breach Observatory was established to identify breaches that often remain hidden until a significant amount of damage has been sustained. Proton constantly scans dark web marketplaces where stolen credentials are traded to deliver early warnings about potential breaches so that organisations can take steps to protect their data before attackers have an opportunity to exploit it further. 

Through the course of these investigations, a wide range of personal and financial details were uncovered, including names, dates of birth, email addresses, passwords, and physical contact information of those individuals. 

Almost all of these breaches have involved social security numbers, bank credentials, and IBAN details being exposed, which together represent an alarming combination that creates an extremely high likelihood of identity theft and financial fraud. 

It has been recorded by the observatory that several high-profile incidents will occur in 2025, such as the Qantas Airways breach in October that exposed more than 11.8 million customer records; Alleianz Life Germany in September, with more than one million compromised accounts; and the U.S. tech firm Tracelo that was breached by 1.4 million records earlier this year, while breaches at Free Telecom, a French company, and SkilloVilla, a Indian company, revealed 19 million records and 33 million records respectively, emphasizing the threat to be very global in nature. 

Security experts have always stressed the necessity of multi-factor authentication, as well as strong password management, as essential defences against credential-based attacks. Consequently, Proton reiterates this advice by advising businesses to regularly monitor their credentials for leaks and to reset passwords as soon as suspicious activity is detected. 

The company enables businesses to verify whether or not their data has been compromised through its public access observatory platform, which is a critical step toward minimising the damage done to a business before cybercriminals can weaponise the data stolen. This is done through the company's public observatory platform that is widely accessible. 

A stronger global security awareness and proactive cybersecurity practices are essential, and Proton's Data Breach Observatory confirms this need. Aside from the observatory's use as a crucial alert system, it is important to note that experts also emphasise that prevention is the best form of protection when it comes to securing information online. 

The Observatory stresses the importance of adopting layered security strategies, including the use of Virtual Private Networks (VPNs) that safeguard online communications and reduce the risk of interception, even in situations where users' data is compromised. By using its own Proton VPN, based on end-to-end encryption and the company's signature Secure Core architecture, traffic passes through multiple servers located in privacy-friendly jurisdictions, effectively masking users' IP addresses and shielding their digital identities from cybercriminals. The company is effectively protecting their digital identity from prying eyes. 

As a result of the robust infrastructure, the observatory continues to monitor across the dark web, and personal information remains encrypted and protected from the cybercriminal networks it monitors. Besides technical solutions, Proton and cybersecurity experts alike emphasise the importance of a set of foundational best practices for individuals and organisations who want to strengthen their defences. 

This is the best way to protect online accounts is to enable multi-factor authentication (MFA), widely recognised as the most effective method of preventing the theft of credentials, and to use a password manager whose function is to keep secure passwords for every online account. As part of regular breach monitoring, Proton's observatory platform can be used to provide timely alerts whenever credentials are discovered in leaked databases. 

In addition to fostering cybersecurity awareness among employees, companies must also create an incident response plan, enforce the principle of least privilege, and make sure that only systems that are essential to the role they are playing are accessible. Taking advantage of more advanced strategies, including network segmentation, enterprise-grade identity and access management (IAM) tools, such as Privileged Access Management (PAM), may allow for further containment and protection of critical infrastructure. 

These recommendations have been derived from the fact that credential theft is often based on exploited software vulnerabilities or weak configurations that are often exploited by hackers. An unpatched flaw—such as an API endpoint that is exposed or an authentication mechanism that is not working properly—can result in brute-force attacks or session hijacking attacks. 

Proton's exposure itself does not have any specific link to a vulnerability identifier; however, it indicates that there are still many systemic vulnerabilities which facilitate large-scale credential theft across many industries today. As a result of the importance of patching timely manner and implementing strict configuration management, businesses can significantly reduce the chances of attackers gaining access to their network. 

However, Proton’s research goes well beyond delivering a warning. It calls for action. The number of compromised accounts on dark web markets has increased by over 300 million, and we cannot afford to stay complacent. This study underscores that protecting one's data is not merely about technology, but about maintaining a proactive approach to cyber hygiene and continuous vigilance. 

A message Protoemphasises in this, when data is both a commodity and a target, it is clear: the key to digital safety lies in proactive defence, informed awareness, and collective responsibility. In an age when the digital landscape is becoming increasingly complex, Proton’s findings serve as a powerful reminder that cybersecurity is not an investment that can be made once but is an ongoing commitment. 

Organisations that take steps to ensure that their employees are informed and trained about cyber threats are better prepared to cope with the next wave of cyber threats. Several security measures, including encrypting infrastructure, conducting regular security audits, and continuously performing vulnerability assessments, can be taken to significantly reduce exposure, while collaborations between cybersecurity researchers and private firms can strengthen collective defences. 

Even though stolen data fuels a thriving underground economy in today's cyber world, the most effective defences against cybercrime remain vigilance and informed action.
Read more »
SQL Database
Accounting Firm API Data Breach Ernst & Young SQL Database

Ernst & Young Exposes 4TB Database Backup Online, Leaking Company Secrets

 

Ernst & Young (EY), one of the world’s largest accounting firms, reportedly left a massive 4TB SQL database backup exposed online, containing highly sensitive company secrets and credentials accessible to anyone who knew where to find it. 

The backup, in the form of a .BAK file, contained not only schema and stored procedures but also application secrets, API keys, session tokens, user credentials, cached authentication tokens, and service account passwords. Security researchers from Neo Security discovered this alarming exposure during routine tooling work, verifying that the file was indeed publicly accessible.

The researchers emphasized that an exposed database backup like this is equivalent to releasing the master blueprints and keys to a vault, noting that such exposure could lead to catastrophic consequences, including large-scale breaches and ransomware attacks. Due to legal and ethical concerns, the researchers did not download the backup in full, but they warned that any skilled threat actor could have already accessed the data, potentially leading to severe security fallout.

Upon discovering the issue, Neo Security promptly alerted EY, who were praised for their professional and prompt response; the company did not deflect, show defensiveness, or issue legal threats, but instead acknowledged the risk and began triaging the problem. Despite the quick engagement, EY took a full week to remediate the issue, which is considered a significant delay given the urgency and potential for malicious exploitation in such security incidents.

The breach highlights the dangers of misconfigured cloud storage and the need for organizations, especially those handling sensitive data, to rigorously audit and secure their backups and databases. The exposure of such a large database could have resulted in the theft of proprietary information, customer data, and even facilitated coordinated cyberattacks on EY and its clients.

Experts urge companies to assume that any publicly accessible database backup may have already been compromised, as even a brief window of exposure can be enough for malicious actors to exploit the data. The incident underscores the importance of robust security practices, regular audits, and rapid incident response protocols to minimize the risk and impact of data breaches.

This incident serves as a cautionary tale for organizations to take extra precautions in securing all forms of sensitive data, especially those stored in backups, and to act swiftly to remediate publicly exposed databases.
Read more »
Svenska Kraftnät
Critical Infrastructure Cyber Threats Cybersecurity Data Breach Everest Ransomware Network Protection Power Grid Security Ransomware attack Svenska Kraftnät

Sweden Confirms Power Grid Breach Amid Growing Ransomware Concerns

 


Swedish power grid operator, Suderland, has confirmed it is investigating a security incident related to a potential ransomware attack aimed at decrypting sensitive data as part of its ongoing cybersecurity investigation, a revelation that has stirred alarm across Europe's critical infrastructure community.

It has been revealed by Svenska kraftnät, the state-owned company in charge of ensuring the nation's electricity transmission networks, that a criminal group has threatened to release what it claims to be hundreds of gigabytes of internal data allegedly stolen from the organization's computer system in order to sell it to the public. It appears, based on initial findings, that the breach occurred solely through a limited external file transfer platform, and officials stressed that the electricity supply and core grid of Sweden have not been affected.

In spite of this, the revelation has raised alarm about the threat to critical energy infrastructure from cyber extortion, which has increased as authorities continue to figure out exactly how extensive and damaging the cyber extortion attack has been. A breach which took place on October 26, 2025, reverberated throughout the cybersecurity landscape across Europe, highlighting the fragility of digital defences protecting critical infrastructure for the first time. 

In response to claims made by the notorious Everest ransomware group, Sweden's government-owned electricity transmission company, which plays a crucial role in the stability of the country's power grid, confirmed a data compromise had been confirmed by Svenska kraftnät. In spite of the fact that the full scope of the intrusion is still being investigated, early indications suggest that the attackers may have obtained or exfiltrated sensitive internal data as part of the intrusion. 

It has been reported that the Everest group, notorious for coordinated extortion campaigns and sophisticated methods of network infiltration, has publicly accepted responsibility, increasing scrutiny of both national and international cybersecurity authorities. Such attacks on critical national infrastructure (CNI), according to experts, have far-reaching consequences, threatening both operational continuity as well as economic stability and public confidence, among others. 

It has rekindled the need to strengthen cyber resilience frameworks, to collaborate on threat intelligence, and to increase vigilance across essential service providers to prevent similar disruptions in the future. Despite the intrusion, officials have assured that the nation's power transmission and supply operations remain fully operational, with no signs that mission-critical infrastructure will be affected by the intrusion. 

The extent to which the organisation has been compromised is still being investigated while securing affected systems and assessing the nature of the leaked information. In spite of the fact that it is still uncertain to what extent the breach has affected the organisation, early reports suggest that around 280 gigabytes of internal data may have been stolen. An established cybercrime group known as Everest has claimed responsibility for the recent attack on Svenska Kraftnät, and they have listed Svenska Kraftnät among their victims on a Tor-based data leak website, which was launched in late 2020. 

A notorious group for extortion and cyberattacks, the group has been previously linked to high-profile incidents such as Collins Aerospace's cyberattack, which disrupted operations at several European airports as a result. Despite the increasing boldness of ransomware actors to attack key entities of national infrastructure, the latest claim against Sweden's key power operator is a clear indication of what is happening. 

In the process of investigating the incident, Svenska kraftnät continues to maintain close coordination with law enforcement and cybersecurity agencies to identify the perpetrators and mitigate further risks. Despite the fact that this incident has been isolated, it is nonetheless an indication of the escalating cyber threat landscape affecting critical infrastructure providers, where even isolated system failures can pose significant risks to national stability and public confidence. 

Svenska kraftnät has confirmed to the media that Cem Göcgoren, Head of Information Security at Svenska kraftnät, is leading a comprehensive forensic investigation to determine the nature and extent of the data compromised during the cyberattack, as well as to assess the level of damage that has been caused. It has been determined that the breach of security did not affect Sweden's transmission or distribution systems, with officials reassuring that the country's electricity systems should continue to operate uninterrupted during the investigation. 

The aforementioned distinction highlights that the attackers probably targeted administrative or corporate data, not the systems responsible for managing real-time power flo,whichat are responsible for preventing potential disruptions from occurring, which is a critical factor in preventing potentially severe damagSvenska kraftnät must informrms the national law enforcement authorities of the intrusion immediately after it discovers the intrusion and coordinates with the appropriate government agencies to safeguard the infrastructure and cybersecurity of the network. 

As a result of the swift escalation, power grid operators are becoming increasingly regarded as prime targets by ransomware groups, given the strategic and economic leverage they hold. There is a known ransomware gang, Everest, that has claimed responsibility for the attack. This group is notorious for its "double extortion" tactics, in which they encrypt the data of victims while simultaneously threatening to publish the stolen files in the absence of the ransom payment. 

According to cybersecurity experts, this incident has served to underscore the importance of vigilant security governance within critical infrastructure sectors. In terms of countermeasures, it is recommended that robust incident response protocols be activated, as well as users be isolated from compromised systems, and detailed forensic assessments be conducted in order to identify vulnerabilities exploited during the breach. 

The strengthening of the defenders through multi-factor authentication, network segmentation, and the disciplined management of patches is of utmost importance at this time, especially as ransomware operators target flaws in enterprise software products such as VMware vCenter and Ivanti software with increasing frequency. Furthermore, keeping immutable offline backups, making employees aware of phishing and social engineering threats, and leveraging real-time threat intelligence can all help to strengthen resilience against similar attacks in the future. 

Thus, the Svenska kraftnät breach serves both as a warning and a lesson in the ongoing fight against the cyberattacks of modern societies, both in the sense that they serve as a warning and a lesson. In the energy sector, the incident serves as a defining reminder that cybersecurity is no longer only a technical issue, but is also a matter of national resilience. With ransomware actors becoming more sophisticated and audacious, power grid operators have to take a proactive approach and move from reactive defence to predictive intelligence - by adopting continuous monitoring and zero-trust architectures, as well as collaborating with multiple agencies to strengthen digital ecosystems. 

Aside from immediate containment efforts, it will be essential to invest in cybersecurity training, international alliances for information sharing, and next-generation defence technologies to prevent future cyber threats. While alarming, the Svenska kraftnät breach presents a unique opportunity for governments and industries alike to strengthen their digital trust and operational stability by using this breach.
Read more »
Personal Data
cybersecurity threat Data Breach Data Leak Data protection data security Defence Ministry Personal Data

Afghans Report Killings After British Ministry of Defence Data Leak

 

Dozens of Afghans whose personal information was exposed in a British Ministry of Defence (MoD) data breach have reported that their relatives or colleagues were killed because of the leak, according to new research submitted to a UK parliamentary inquiry. The breach, which occurred in February 2022, revealed the identities of nearly 19,000 Afghans who had worked with the UK government during the war in Afghanistan. It happened just six months after the Taliban regained control of Kabul, leaving many of those listed in grave danger. 

The study, conducted by Refugee Legal Support in partnership with Lancaster University and the University of York, surveyed 350 individuals affected by the breach. Of those, 231 said the MoD had directly informed them that their data had been compromised. Nearly 50 respondents said their family members or colleagues were killed as a result, while over 40 percent reported receiving death threats. At least half said their relatives or friends had been targeted by the Taliban following the exposure of their details. 

One participant, a former Afghan special forces member, described how his family suffered extreme violence after the leak. “My father was brutally beaten until his toenails were torn off, and my parents remain under constant threat,” he said, adding that his family continues to face harassment and repeated house searches. Others criticized the British government for waiting too long to alert them, saying the delay had endangered lives unnecessarily.  

According to several accounts, while the MoD discovered the breach in 2023, many affected Afghans were only notified in mid-2025. “Waiting nearly two years to learn that our personal data was exposed placed many of us in serious jeopardy,” said a former Afghan National Army officer still living in Afghanistan. “If we had been told sooner, we could have taken steps to protect our families.”  

Olivia Clark, Executive Director of Refugee Legal Support, said the findings revealed the “devastating human consequences” of the government’s failure to protect sensitive information. “Afghans who risked their lives working alongside British forces have faced renewed threats, violent assaults, and even killings of their loved ones after their identities were exposed,” she said. 

Clark added that only a small portion of those affected have been offered relocation to the UK. The government estimates that more than 7,300 Afghans qualify for resettlement under a program launched in 2024 to assist those placed at risk by the data breach. However, rights organizations say the scheme has been too slow and insufficient compared to the magnitude of the crisis.

The breach has raised significant concerns about how the UK manages sensitive defense data and its responsibilities toward Afghans who supported British missions. For many of those affected, the consequences of the exposure remain deeply personal and ongoing, with families still living under threat while waiting for promised protection or safe passage to the UK.
Read more »
healthcare data breach
Data Breach Data Exfilteration Data protection data security Healthcare Healthcare Breach Healthcare Data healthcare data breach

Conduent Healthcare Data Breach Exposes 10.5 Million Patient Records in Massive 2025 Cyber Incident

 

In what may become the largest healthcare breach of 2025, Conduent Business Solutions LLC disclosed a cyberattack that compromised the data of over 10.5 million patients. The breach, first discovered in January, affected major clients including Blue Cross Blue Shield of Montana and Humana, among others. Although the incident has not yet appeared on the U.S. Department of Health and Human Services’ HIPAA breach reporting website, Conduent confirmed the scale of the exposure in filings with federal regulators. 

The company reported to the U.S. Securities and Exchange Commission in April that a “threat actor” gained unauthorized access to a portion of its network on January 13. The breach caused operational disruptions for several days, though systems were reportedly restored quickly. Conduent said the attack led to data exfiltration involving files connected to a limited number of its clients. Upon further forensic analysis, cybersecurity experts confirmed that these files contained sensitive personal and health information of millions of individuals. 

Affected data included patient names, treatment details, insurance information, and billing records. The company’s notification letters sent to Humana and Blue Cross customers revealed that the breach stemmed from Conduent’s third-party mailroom and printing services unit. Despite the massive scale, Conduent maintains that there is no evidence the stolen data has appeared on the dark web. 

Montana regulators recently launched an investigation into the breach, questioning why Blue Cross Blue Shield of Montana took nearly ten months to notify affected individuals. Conduent, which provides business and government support services across 22 countries, reported approximately $25 million in direct response costs related to the incident during the second quarter of 2024. The company also confirmed that it holds cyber insurance coverage and has notified federal law enforcement. 

The Conduent breach underscores the growing risk of third-party vendor incidents in the healthcare sector. Experts note that even ancillary service providers like mailroom or billing vendors handle vast amounts of protected health information, making them prime targets for cybercriminals. Regulatory attorney Rachel Rose emphasized that all forms of protected health information (PHI)—digital or paper—fall under HIPAA’s privacy and security rules, requiring strict administrative and technical safeguards. 

Security consultant Wendell Bobst noted that healthcare organizations must improve vendor risk management programs by implementing continuous monitoring and stronger contractual protections. He recommended requiring certifications like HITRUST or FedRAMP for high-risk vendors and enforcing audit rights and breach response obligations. 

The incident follows last year’s record-breaking Change Healthcare ransomware attack, which exposed data from 193 million patients. While smaller in comparison, Conduent’s 10.5 million affected individuals highlight how interconnected the healthcare ecosystem has become—and how each vendor link in that chain poses a potential cybersecurity risk. As experts warn, healthcare organizations must tighten vendor oversight, ensure data minimization practices, and develop robust incident response playbooks to prevent the next large-scale PHI breach.
Read more »
Ravin Academy
Data Breach Iranian hackers MOIS Private Data Ravin Academy

Iranian Intelligence-Linked Ravin Academy Suffers Data Breach

 

Ravin Academy, a cybersecurity training center closely linked to Iran's Ministry of Intelligence and Security (MOIS), has suffered a significant data breach that exposed the personal information of over 1,000 individuals enrolled in its technical programs.

The academy, established in 2019, has been described as a recruitment pipeline for Iran's cyber operations and has previously been sanctioned by the U.S., UK, and EU for aiding the country's intelligence activities.

Details of the breach

The breach involved the compromise of personal data, including names, phone numbers, Telegram usernames, and, in some cases, national ID numbers of students and associates. The information was reportedly leaked on an online platform managed by the academy and subsequently made public by UK-based Iranian activist Nariman Gharib, who obtained a copy of the stolen dataset. 

The breach occurred just before Ravin Academy's annual Tech Olympics event, leading the institution to claim the attack was orchestrated to undermine its reputation and harm Iran's cybersecurity ambitions. Ravin Academy has been widely recognized for providing both offensive and defensive cyber training to Iranian intelligence personnel, including courses in red-teaming, malware reverse-engineering, and vulnerability analysis. 

The academy’s founders, Farzin Karimi Mazlganchai and Seyed Mojtaba Mostafavi, are themselves sanctioned by Western governments for their ties to state-sponsored cyber operations. The organization is thought to play a critical role in Iran’s cyber capabilities, contributing to projects that have targeted domestic protests and international adversaries.

Global implications

The breach not only highlights vulnerabilities within Iran’s cyber training infrastructure but also raises concerns over the privacy and security of individuals involved in state-linked cyber programs. Analysts suggest the incident underscores the risks faced by institutions central to national cyber development and the growing sophistication of cyber operations targeting such entities. 

With the leaked data potentially useful for intelligence and counterintelligence purposes, the breach has significant ramifications for both individual privacy and the broader landscape of cyber conflict. This incident serves as a stark reminder of the exposure faced by state-affiliated cyber training programs and the far-reaching consequences of cyber breaches in the realm of international security.
Read more »
Password
Credentials Data Breach Data Leak Gmail Google Infostealer Password

Gmail Credentials Appear in Massive 183 Million Infostealer Data Leak, but Google Confirms No New Breach




A vast cache of 183 million email addresses and passwords has surfaced in the Have I Been Pwned (HIBP) database, raising concern among Gmail users and prompting Google to issue an official clarification. The newly indexed dataset stems from infostealer malware logs and credential-stuffing lists collected over time, rather than a fresh attack targeting Gmail or any other single provider.


The Origin of the Dataset

The large collection, analyzed by HIBP founder Troy Hunt, contains records captured by infostealer malware that had been active for nearly a year. The data, supplied by Synthient, amounted to roughly 3.5 terabytes, comprising nearly 23 billion rows of stolen information. Each entry typically includes a website name, an email address, and its corresponding password, exposing a wide range of online accounts across various platforms.

Synthient’s Benjamin Brundage explained that this compilation was drawn from continuous monitoring of underground marketplaces and malware operations. The dataset, referred to as the “Synthient threat data,” was later forwarded to HIBP for indexing and public awareness.


How Much of the Data Is New

Upon analysis, Hunt discovered that most of the credentials had appeared in previous breaches. Out of a 94,000-record sample, about 92 percent matched older data, while approximately 8 percent represented new and unseen credentials. This translates to over 16 million previously unrecorded email addresses, fresh data that had not been part of any known breaches or stealer logs before.

To test authenticity, Hunt contacted several users whose credentials appeared in the sample. One respondent verified that the password listed alongside their Gmail address was indeed correct, confirming that the dataset contained legitimate credentials rather than fabricated or corrupted data.


Gmail Accounts Included, but No Evidence of a Gmail Hack

The inclusion of Gmail addresses led some reports to suggest that Gmail itself had been breached. However, Google has publicly refuted these claims, stating that no new compromise has taken place. According to Google, the reports stem from a misunderstanding of how infostealer databases operate, they simply aggregate previously stolen credentials from different malware incidents, not from a new intrusion into Gmail systems.

Google emphasized that Gmail’s security systems remain robust and that users are protected through ongoing monitoring and proactive account protection measures. The company said it routinely detects large credential dumps and initiates password resets to protect affected accounts.

In a statement, Google advised users to adopt stronger account protection measures: “Reports of a Gmail breach are false. Infostealer databases gather credentials from across the web, not from a targeted Gmail attack. Users can enhance their safety by enabling two-step verification and adopting passkeys as a secure alternative to passwords.”


What Users Should Do

Experts recommend that individuals check their accounts on Have I Been Pwned to determine whether their credentials appear in this dataset. Users are also advised to enable multi-factor authentication, switch to passkeys, and avoid reusing passwords across multiple accounts.

Gmail users can utilize Google’s built-in Password Manager to identify weak or compromised passwords. The password checkup feature, accessible from Chrome’s settings, can alert users about reused or exposed credentials and prompt immediate password changes.

If an account cannot be accessed, users should proceed to Google’s account recovery page and follow the verification steps provided. Google also reminded users that it automatically requests password resets when it detects exposure in large credential leaks.


The Broader Security Implications

Cybersecurity professionals stress that while this incident does not involve a new system breach, it reinforces the ongoing threat posed by infostealer malware and poor password hygiene. Sachin Jade, Chief Product Officer at Cyware, highlighted that credential monitoring has become a vital part of any mature cybersecurity strategy. He explained that although this dataset results from older breaches, “credential-based attacks remain one of the leading causes of data compromise.”

Jade further noted that organizations should integrate credential monitoring into their broader risk management frameworks. This helps security teams prioritize response strategies, enforce adaptive authentication, and limit lateral movement by attackers using stolen passwords.

Ultimately, this collection of 183 million credentials serves as a reminder that password leaks, whether new or recycled, continue to feed cybercriminal activity. Continuous vigilance, proactive password management, and layered security practices remain the strongest defenses against such risks.


Read more »
User Security
aviation DAA Data Breach Dublin Airport Ireland User Security

Dublin Airport Data Breach Exposes 3.8 Million Passengers

 

Dublin Airport has confirmed a significant data breach affecting potentially 3.8 million passengers who traveled through the Irish facility during August 2025, following a cyberattack on aviation technology supplier Collins Aerospace. The breach compromised boarding pass data for all flights departing Dublin Airport from August 1-31, 2025, a period during which the airport processed over 3.7 million passengers across more than 110,000 daily passenger movements.

The Dublin Airport Authority (DAA), which operates both Dublin and Cork airports, first learned of the compromise on September 18, 2025, when Collins Aerospace notified them of a breach affecting its IT systems. By September 19, intelligence gathered by airport authorities confirmed that boarding pass information had been published online by a cybercriminal group. Cork Airport officials clarified that none of the compromised data relates to flights through their facility.

The exposed data includes passenger booking references, first and last names, frequent flyer numbers, contact information such as email addresses and phone numbers, and travel itineraries. Airlines including Swedish carrier SAS have sent notifications to affected passengers warning that other booking-related details may have been accessed. However, the breach did not involve passport information, payment card details, or other financial data.

The incident is directly linked to the devastating Collins Aerospace ransomware attack that crippled multiple European airports in September 2025. Collins Aerospace's MUSE (Multi-User System Environment) software, which powers check-in and boarding operations at approximately 170 airports globally, fell victim to HardBit ransomware on the night of September 19, 2025. Dublin Airport was particularly hard hit, with officials confirming they had to rebuild servers "from scratch" with no clear timeline for resolution.

Additionally, the Russia-linked Everest ransomware gang has claimed responsibility for a separate attack on Dublin Airport, threatening to leak data of over 1.5 million records on the dark web unless the airport pays a ransom. This claim includes device information, workstation IDs, timestamps, departure dates and times, and barcode formats.

The DAA immediately reported the breach to multiple authorities on September 19, 2025, including the Data Protection Commission (DPC), Irish Aviation Authority, and National Cyber Security Centre. Graham Doyle, Deputy Commissioner at the Data Protection Commission, confirmed the agency is conducting a full investigation into the breach's scope and impact.

Security experts warn that the compromised information provides sufficient detail for sophisticated phishing campaigns, social engineering attacks, frequent flyer account takeover attempts, and identity theft operations targeting affected passengers.
Read more »
Phishing and Spam
Customer Data Customer Data Exposed Dark Web Data Breach Data exposed data security Hackers identity theft risk Phishing and Spam

Toys “R” Us Canada Data Breach Exposes Customer Information, Raising Phishing and Identity Theft Concerns

 

Toys “R” Us Canada has confirmed a data breach that exposed sensitive customer information, including names, postal addresses, email addresses, and phone numbers. Although the company assured that no passwords or payment details were compromised, cybersecurity experts warn that the exposed data could still be exploited for phishing and identity theft schemes. 

The company discovered the breach after hackers leaked stolen information on the dark web, prompting an immediate investigation. Toys “R” Us engaged a third-party cybersecurity firm to conduct forensic analysis and confirm the scope of the incident. Early findings revealed that a “subset of customer records” had been stolen. The retailer began notifying affected customers through official communications, with letters quickly circulating on social media after being shared by recipients.  

According to the company’s statement, the breach did not involve financial information or account credentials, but the exposure of valid contact details still presents significant risk. Cybercriminals often use such data to create convincing phishing emails or impersonate legitimate companies to deceive victims into revealing sensitive information. 

Toys “R” Us stated that its IT systems were already protected by strong security protocols but have since been reinforced with additional defensive measures. The company has not disclosed how the attackers infiltrated its network or how many individuals were impacted. It also confirmed that, to date, there is no evidence suggesting the stolen data has been misused. 

In the aftermath of the incident, Toys “R” Us reported the breach to relevant authorities and advised customers to remain vigilant against phishing attempts. The company urged users not to share personal information with unverified senders, avoid clicking on suspicious links or attachments, and closely monitor any unusual communications that appear to come from the retailer.  

While no hacking group has claimed responsibility for the breach, cybersecurity analysts emphasize that exposed names, emails, and phone numbers can easily be weaponized in future scams. The incident underscores how even non-financial data can lead to significant cybersecurity risks when mishandled or leaked. 

Despite the company’s reassurances and strengthened defenses, the breach highlights the ongoing threat businesses face from cyberattacks that target customer trust and data privacy.
Read more »
Technology
Apple Data Breach dating app security Technology

Apple Removes Controversial Dating Apps After Data Leak and Privacy Violations

 

Apple has removed two dating apps, Tea and TeaOnHer, from the App Store months after a major data breach exposed users’ private information. The removal comes amid continued criticism over the apps’ privacy failures and lack of effective content moderation. 

The controversy started earlier this year when 404 Media reported that Tea, described as a dating and safety app, had leaked sensitive data, including driver’s licenses and chat histories. 

The exposed information was traced to an unsecured database and later appeared on the forum 4chan. Despite the breach, the app briefly gained popularity and reached the top of the App Store charts, driven by widespread online attention. 

TechCrunch reported that Apple confirmed the removal of both apps, citing multiple violations of its App Store Review Guidelines. The company pointed to sections 1.2, 5.1.2, and 5.6, which address objectionable content, data protection, and excessive negative user feedback. 

Apple also received a large number of complaints and low ratings, including reports that personal information belonging to minors had been shared on the platforms. According to Apple, the developers were notified of the issues and given time to make improvements, but no adequate action was taken. 

The gap between the initial reports of the data leak and the eventual removal likely reflects this period of review and attempted remediation. The incident highlights ongoing challenges around privacy and user safety in dating apps, which often collect and store large amounts of personal data. 

While Apple enforces rules intended to protect users, the case raises questions about how quickly and effectively those rules are applied when serious privacy risks come to light. The removal of Tea and TeaOnHer underscores the growing scrutiny facing apps that fail to secure user information or moderate harmful content.
Read more »
VPN vulnerabilities
Akira Ransomware APAC Cybercrime cyber resilience Cybersecurity Threats Data Breach Network Security ransomware attacks SonicWall Exploit VPN vulnerabilities

Growing VPN Exploits Trigger Fresh Ransomware Crisis in APAC


 

Despite the growing cyber risk landscape in Asia-Pacific, ransomware operations continue to tighten their grip on India and the broader region, as threat actors more often seek to exploit network vulnerabilities and target critical sectors in order to get a foothold in the region. 

It is essential to note that Cyble's Monthly Threat Landscape Report for July 2025 highlights a concerning trend: cybercriminals are no longer merely encrypting systems for ransom; they are systematically extracting sensitive information, selling network access, and exposing victims to the public in underground marketplaces. 

In recent weeks, India has been a focal point of this escalation, with a string of damaging breaches taking place across a number of key industries. Recently, the Warlock ransomware group released sensitive information concerning a domestic manufacturing company. This information included employee records, financial reports, and internal HR files. Parallel to this, two Indian companies – a technology consulting firm and a SaaS provider – have been found posting stolen data on dark web forums that revealed information on customers, payment credentials, and server usage logs. 

Further compounding the threat, the report claims that credentials granting administrative control over an Indian telecommunications provider’s infrastructure were being sold for an estimated US$35,000 as a way of monetizing network intrusions, highlighting the increasing monetization of network hacking. 

Throughout the region, Thailand, Japan, and Singapore are the most targeted nations for ransomware, followed by India and the Philippines, with manufacturing, government, and critical infrastructure proving to be the most targeted sectors. As the region's digital volatility continues, the pro-India hacktivist group Team Pelican Hackers has been claiming responsibility for hacking multiple Pakistani institutions and leaking sensitive academic data and administrative data related to research projects, which demonstrates that cyber-crime is going beyond financial motives in order to serve as a form of geopolitical signaling in the region. 

Security experts across the region are warning about renewed exploitation of SonicWall devices by threat actors linked to the Akira ransomware group among a growing number of ransomware incidents that have swept across the region. Since the resurgence of Akira's activity occurred in late July 2025, there has been a noticeable increase in intrusions leveraging SonicWall appliances as entry points. Rapid7 researchers have documented this increase.

An attacker, according to the firm, is exploiting a critical vulnerability that dates back a year—identified as CVE-2024-40766 with a CVSS score of 9.3—that is linked to a vulnerability in the SSL VPN configuration on the device. It is clear that this issue, which led to local user passwords persisting rather than being reset after migration, has provided cybercriminals with a convenient way to compromise network defenses. 

It was SonicWall who acknowledged the targeted activity, and confirmed that malicious actors were attempting to gain unauthorized access to the network using brute force. According to the company, administrators should activate Botnet Filtering for the purpose of blocking known malicious IP addresses as well as enforce strict Account Lockout policies to take immediate measures. As ransomware campaigns that exploit VPN vulnerabilities continue to increase, proactive security hygiene is becoming increasingly important. 

The increasing cybercrime challenges in the Asia-Pacific region are being exacerbated by recent findings from Barracuda's SOC Threat Radar Report, which indicate a significant increase in attacks exploiting vulnerabilities in VPN infrastructures and Microsoft 365 accounts. Throughout the study, threat actors are becoming increasingly stealthy and adopting Python-based scripts to avoid detection and maintain persistence within targeted networks in order to evade detection. 

It has been determined that the Akira ransomware syndicate has increased its operations significantly, compromising outdated or unpatched systems rapidly, leading to significant losses for the syndicate. A number of intrusions have been traced back to exploitation of a known flaw in SonicWall VPN appliances — CVE-2024-40766 — that allows attackers to manipulate legacy credentials that haven’t been reset after migration as a result of this flaw. 

A month ago, there was a patch released which addressed the issue. However, many organizations across the APAC region have yet to implement corrective measures, leaving them vulnerable to renewed exploitation in the coming months. In multiple instances, Akira operators have been observed intercepting one-time passwords and generating valid session tokens using previously stolen credentials, effectively bypassing multi-factor authentication protocols, even on patched networks. 

In order to achieve such a level of sophistication, the group often deploys legitimate remote monitoring and management tools in order to disable security software, wipe backups, and obstruct remediation attempts, allowing the group to effectively infiltrate systems without being detected. There has been a sustained outbreak of such attacks in Australia and other Asian countries, which indicates how lapses in patch management, the use of legacy accounts, and the unrotation of high-privilege credentials continue to amplify risk exposure, according to security researchers. 

There is no doubt that a prompt application of patches, a rigorous password reset, and a strict credential management regime are crucial defenses against ransomware threats as they evolve. There is no doubt that manufacturing is one of the most frequently targeted industries in the Asia-Pacific region, as more than 40 percent of all reported cyber incidents have been related to manufacturing industries. 

Several researchers attribute this sustained attention to the sector's intricate supply chains, its dependence on outdated technologies, and the high value of proprietary data and intellectual property that resides within operational networks, which makes it a target for cybercriminals. It has been common for attackers to exploit weak server configurations, steal credentials, and deploy ransomware to disrupt production and gain financial gain by exploiting weak server configurations. 

Approximately 16 percent of observed attacks occurred in the financial sector and insurance industry, with adversaries infiltrating high-value systems through sophisticated phishing campaigns and malware. The purpose of these intrusions was not only to steal sensitive information, such as customer and payment information, but also to maintain persistent access for prolonged reconnaissance. 

Among the targeted entities, the transportation industry, which accounts for around 11 percent of all companies targeted, suffered from an increase in attacks intended to disrupt logistics and operational continuity as a consequence of its reliance on remote connectivity and third-party digital infrastructure as a consequence of its heavy reliance on remote connectivity. 

In the wider APAC context, cybercriminals are increasingly pursuing both operational and financial goals in these attacks, aiming to disrupt as well as monetize. It is still very common for threats actors to steal trade secrets, customer records, and confidential enterprise information, making data theft one of the most common outcomes of these attacks. 

Despite the fact that credential harvesting is often facilitated by malware that steals information from compromised systems, this method of extorting continues to enable subsequent breaches and lateral movements within compromised systems. Furthermore, the extortion-based operation has evolved, with many adversaries now turning to non-encrypting extortion schemes for coercing victims, rather than using ransomware encryption to coerce victims, emphasizing the change in cyber threats within the region. 

Several experts have stressed that there is no substitute for a multilayered and intelligence-driven approach to security in the Asia-Pacific region that goes beyond conventional security frameworks in order to defend against the increasing tide of ransomware. Static defenses are not sufficient in an era in which threat actors have evolved their tactics in a speed and precision that is unprecedented in history. 

A defence posture that is based on intelligence must be adopted by organizations, continuously monitoring the tactics, techniques, and procedures used by ransomware operators and initial access brokers in order to identify potential intrusions before they arise. As modern "sprinter" ransomware campaigns have been exploiting vulnerabilities within hours of public disclosure, agile patch management is a critical part of this approach.

There is no doubt that timely identification of vulnerable systems and remediation of those vulnerabilities, as well as close collaboration with third party vendors and suppliers to ensure consistency in patching, are critical components of an effective cyber hygiene program. It is equally important to take human factors into consideration. 

The most common attack vector that continues to be exploited is social engineering. Therefore, it is important to conduct continuous awareness training tailored to employees who are in sensitive or high-privilege roles, such as IT and helpdesk workers, to reduce the potential for compromise. Furthermore, security leaders advise organizations to adopt a breach-ready mindset, which means accepting the possibility of a breach of even the most advanced defenses.

If an attack occurs, containing damage and ensuring continuity of operations can be achieved through the use of network segmentation, immutable data backups, and a rigorously tested incident response plan to strengthen resilience. Using actionable intelligence combined with proactive risk management, as well as developing a culture of security awareness, APAC enterprises can be better prepared to cope with the relentless wave of ransomware threats that continue to shape the digital threat landscape and recover from them. 

A defining moment in the Asia-Pacific cybersecurity landscape is the current refinement of ransomware groups' tactics as they continue to exploit every weakness in enterprise defenses. Those recent incidents of cyber-attacks using VPNs and data exfiltration incidents should serve as a reminder that cyber resilience is no longer just an ambition; it is a business imperative as well. Organizations are being encouraged to shift away from reactive patching and adopt a culture that emphasizes visibility, adaptability, and intelligence sharing as the keys to continuous security maturity. 

Collaboration between government, the private sector, and the cybersecurity community can make a significant contribution to the development of early warning systems and collective response abilities. A number of measures can help organizations detect threats more efficiently, enforce zero-trust architectures, and conduct regular penetration tests, which will help them identify any vulnerabilities before adversaries take advantage of them. 

Increasingly, digital transformation is accelerating across industries, which makes the importance of integrating security by design—from supply chains to cloud environments—more pressing than ever before. Cybersecurity can be treated by APAC organizations as an enabler rather than as a compliance exercise, which is important since such enterprises are able to not only mitigate risks, but also build digital trust and operational resilience during an age in which ransomware threats are persistent and sophisticated.
Read more »
Financial Data Breach
Cyberattacks Data Breach Data exposed data security Encryption Security Financial Data Financial Data Breach

FinWise Data Breach Exposes Insider Threats, Highlights Need for Strong Encryption and Key Management

 

The 2024 FinWise data breach underscores the rising risk of insider threats within financial institutions. Unlike cyberattacks initiated by external hackers, this breach resulted from unauthorized access by a former employee who retained system credentials after leaving the company. On May 31, 2024, the ex-employee accessed FinWise Bank’s internal systems and leaked personal information of approximately 689,000 customers of American First Finance (AFF). The breach went unnoticed for more than a year, until FinWise discovered it on June 18, 2025. This prolonged exposure period raises serious concerns about the bank’s internal monitoring and incident detection capabilities. 

Legal complaints against FinWise allege that the compromised data was inadequately encrypted, intensifying public scrutiny and regulatory pressure. Security experts emphasize that effective information protection involves more than encrypting financial data; it requires continuous monitoring, abnormal access detection, and secure key management. FinWise’s alleged failure to deploy these essential safeguards has led to lawsuits and reputational damage. While the bank has yet to disclose details about its encryption protocols, experts agree that encryption alone cannot protect data without proper implementation and access controls. 

The incident highlights how encryption serves as a final layer of defense, but its effectiveness depends on complementary systems like key management and access control. Proper encryption management could have minimized the risk of data exposure, even after unauthorized access. In this context, Penta Security’s D.AMO encryption platform has gained renewed attention as an all-in-one defense solution against such vulnerabilities. 

D.AMO, South Korea’s first packaged encryption solution launched in 2004, integrates encryption, granular access control, and an independent key management system (KMS). Trusted by over 10,000 clients across the finance, public, and enterprise sectors, D.AMO ensures data confidentiality while maintaining operational efficiency. It supports multiple encryption methods and selective column-level encryption, reducing system slowdown without compromising data protection. 

The platform’s key management system, D.AMO KMS, operates as a dedicated hardware appliance that keeps encryption keys separate from the data they protect. By dividing the roles of database and security administrators, D.AMO prevents unauthorized individuals—including insiders—from accessing both encrypted data and the keys simultaneously. Even if an attacker breaches the database, the absence of decryption keys renders the stolen data unusable. 

Additionally, D.AMO Control Center provides centralized management across an organization’s encryption systems. It allows administrators to monitor logs, enforce role-based access controls, and manage permissions to reduce insider misuse. This centralized visibility helps institutions detect unusual behavior early and maintain compliance with international data security regulations such as PCI-DSS, GDPR, and CCPA. 

The FinWise breach serves as a cautionary tale about the consequences of weak encryption governance and insufficient access monitoring. It demonstrates that robust data protection requires a proactive, multi-layered approach integrating encryption, key management, and centralized oversight. Penta Security’s D.AMO platform embodies this strategy, offering institutions a unified solution to mitigate both external and insider threats. For organizations managing sensitive customer information, implementing comprehensive encryption frameworks is no longer optional—it is essential for preserving trust, compliance, and long-term security resilience.
Read more »
Prosper Marketplace
Data Breach financial data leak fintech security breach Prosper cybersecurity incident Prosper data exposure Prosper Marketplace

Prosper Marketplace Cybersecurity Breach Exposes Data of 17 Million Users, Sparks Renewed Fintech Security Concerns

 

Prosper Marketplace has confirmed a major cybersecurity breach that compromised the personal data of over 17 million users, underscoring the persistent challenges faced by financial institutions in protecting sensitive consumer information.

According to the peer-to-peer lending firm, an unauthorized actor gained access to internal systems earlier this month by exploiting compromised administrative credentials. While Prosper emphasized that no bank account details or passwords were affected, exposed data included names, Social Security numbers, and income information—posing serious identity theft risks and fresh security challenges for financial sector CISOs.

The company said it swiftly contained the breach and initiated a full-scale investigation with the help of external cybersecurity experts. Prosper also began notifying affected users and regulators while offering free credit monitoring to those impacted. Though its financial and lending operations remained secure, the incident highlights how stolen or misused credentials continue to endanger fintech organizations.

Prosper’s incident FAQ revealed that the company detected unauthorized system access in early September and immediately took affected servers offline to prevent further compromise. Investigators discovered that an attacker used administrative credentials to reach a database containing both customer and applicant data. Prosper stated that it has since reinforced its security monitoring and implemented enhanced safeguards across all systems.

The company stressed that its lending and payment systems were not affected and found no signs of misuse involving account balances or login details. Notifications were issued in compliance with state and federal requirements, and Prosper is cooperating with law enforcement and cybersecurity authorities as the investigation continues.

The company estimated that approximately 17.6 million users were affected. Independent cybersecurity firm OffSeq Radar suggested the number of exposed records could be even higher, citing additional forensic evidence. The compromised data reportedly includes Social Security numbers, income details, and contact information, but no payment credentials or passwords.

Malwarebytes supported Prosper’s reported timeline, noting that while the leaked data has not yet surfaced on public forums, it could still be exploited for targeted phishing attacks or identity fraud.

The Register reported that Prosper’s internal probe confirmed unauthorized system access and prompted efforts to tighten its overall security framework. The outlet noted that the incident, contained by early September, underscores how credential security and database protection remain ongoing risks for fintech companies.

For cybersecurity leaders, the Prosper breach reinforces the critical need for multi-factor authentication, privileged access audits, and thorough logging. Experts continue to advocate for zero-trust frameworks, continuous monitoring, and data loss prevention strategies to limit exposure. Governance and transparency are increasingly essential alongside technology investments to maintain digital trust with consumers.

Beyond consumer protection concerns, the breach spotlights operational and reputational threats for fintech firms. With more organizations relying on hybrid cloud environments, administrative access points have become prime targets. Without robust segmentation and least-privilege policies, a single compromised account can result in massive data exposure.

Regulators are also tightening expectations around breach notification timelines, compelling firms to improve detection, automate incident responses, and maintain compliance readiness. Even contained events, such as Prosper’s, can disrupt customer confidence and regulatory standing.

Key Takeaways for Security Leaders

Credential-based attacks remain among the hardest to prevent and the costliest to manage. To strengthen defenses and readiness, experts recommend:

  • Limiting administrative credentials and conducting regular privilege audits.
  • Reviewing encryption, segmentation, and monitoring policies across all systems.
  • Reassessing third-party data-sharing and integration risks.

True resilience, experts say, requires more than technology upgrades—it demands proactive identity threat detection, frequent tabletop exercises, and strong governance. The Prosper breach serves as a reminder that visibility, preparation, and zero-trust principles are essential foundations for long-term cybersecurity strength.
Read more »
Prosper hack
Data Breach data breach September 2025 identity theft protection Prosper Prosper customer data leak Prosper hack

Prosper Data Breach Exposes 17.6 Million Users’ Personal Information — Company Offers Free Credit Monitoring

 

Prosper, the popular peer-to-peer lending platform that connects borrowers with investors, suffered a major data breach on September 2nd. According to details shared on the company’s official FAQ page, the incident was caused by “unauthorized queries made on company databases that store customer and applicant data,” which allowed attackers to gain access to sensitive personal information.

The compromised data reportedly includes names, Social Security numbers, government-issued IDs, employment and credit details, income levels, birth dates, home addresses, IP addresses, and browser user-agent information. However, Prosper confirmed that no customer accounts or funds were accessed, and the company’s operations remained unaffected.

While Prosper has not revealed the total number of affected users, cybersecurity outlet BleepingComputer reported that as many as 17.6 million unique email addresses were involved in the breach.

This stolen data presents a serious risk of phishing scams and identity theft, as cybercriminals could use it to impersonate victims or gain unauthorized access to financial accounts. Prosper is currently offering free credit monitoring to affected users and encourages both current and former customers to reach out for further details on what specific information was exposed.

Experts recommend that affected users immediately update passwords for their Prosper account and any connected financial platforms. Choosing strong, unique passwords for each account—and using a password manager to store them securely—is strongly advised.

Additionally, users should enable two-factor or multi-factor authentication wherever possible, as it provides an essential layer of defense against unauthorized access. Remain cautious of phishing attempts, particularly emails or texts requesting personal information or prompting unexpected downloads.

Finally, individuals concerned about potential misuse of their data should consider enrolling in identity theft monitoring services. These tools can alert you to suspicious activity related to your Social Security number, financial accounts, or other sensitive personal details.
Read more »
Oracle E-Business Suite
American Airlines cyberattack Clop Ransomware Data Breach Data Leak Envoy Air data breach Oracle E-Business Suite

Envoy Air Confirms Oracle Data Breach After Clop Ransomware Group Lists American Airlines on Leak Site

 

kEnvoy Air, a regional carrier owned by American Airlines, has confirmed that data from its Oracle E-Business Suite application was compromised following claims by the Clop extortion group, which recently listed American Airlines on its data leak site.

"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.

"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."

Envoy Air operates regional flights for American Airlines under the American Eagle brand. Although it functions as a separate entity, its operations are closely integrated with American’s systems for ticketing, scheduling, and passenger services.

The Clop ransomware group has begun leaking what it claims to be stolen Envoy data, posting the message: “The company doesn’t care about its customers, it ignored their security!!!” This breach is tied to a wider campaign that began in August, in which Clop targeted Oracle E-Business Suite systems and began sending extortion demands to affected companies in September.

Initially, Oracle said that attackers were exploiting vulnerabilities patched in July. However, the company later confirmed that the threat actors took advantage of a previously unknown zero-day flaw, now identified as CVE-2025-61882.

Cybersecurity firms CrowdStrike and Mandiant later reported that Clop exploited the flaw in early August to infiltrate networks and install malware. While the total number of victims remains unclear, Google’s John Hultquist told BleepingComputer that “dozens of organizations” were affected.

The extortion gang is also targeting Harvard University as part of the same operation. The university confirmed to BleepingComputer that the breach affected “a limited number of parties associated with a small administrative unit.”

Adding to the concerns, Oracle quietly patched another zero-day flaw—CVE-2025-61884—in its E-Business Suite last week, which had been actively exploited since July 2025. The exploit was reportedly leaked by the Shiny Lapsus$ Hunters group on Telegram.

American Airlines has previously faced data breaches in 2022 and 2023, which exposed employee personal data.

Who is Clop?

The Clop ransomware group, also known as TA505, Cl0p, or FIN11, has been active since 2019. It initially used a variant of the CryptoMix ransomware to infiltrate corporate networks and steal information.

Since 2020, the group has shifted its focus to exploiting zero-day vulnerabilities in file transfer and data storage platforms. Notable campaigns include:

  • 2020: Accellion FTA zero-day attack impacting nearly 100 companies
  • 2021: SolarWinds Serv-U FTP zero-day exploit
  • 2023: GoAnywhere MFT zero-day breach affecting 100+ firms
  • 2023: MOVEit Transfer campaign, their largest to date, compromising data from 2,773 organizations worldwide
  • 2024: Exploited Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) for data theft and extortion

The U.S. State Department is currently offering a $10 million reward for information linking Clop’s ransomware operations to any foreign government.
Read more »
Sotheby
Data Breach Employee Data Financial Information Ransomware Sotheby

Sotheby’s Investigates Cyberattack That Exposed Employee Financial Information

 



Global auction house Sotheby’s has disclosed that it recently suffered a data breach in which cybercriminals accessed and extracted files containing sensitive information. The company confirmed that the security incident, detected on July 24, 2025, led to unauthorized access to certain internal data systems.

According to a notification filed with the Maine Attorney General’s Office, the compromised records included details such as full names, Social Security Numbers (SSNs), and financial account information. While the filing listed only a few individuals from the states of Maine and Rhode Island, the overall number of people affected by the breach has not been publicly confirmed.

Sotheby’s stated that once the intrusion was identified, its cybersecurity team immediately launched a detailed investigation, working alongside external security experts and law enforcement authorities. The process reportedly took nearly two months as the company conducted a comprehensive audit to determine what type of information was taken and whose data was affected.

In its notice to those impacted, the company wrote that certain Sotheby’s data “appeared to have been removed from our environment by an unknown actor.” It added that an “extensive review of the data” was carried out to identify the affected records and confirm the individuals connected to them.

As a precautionary measure, Sotheby’s is offering affected individuals 12 months of free identity protection and credit monitoring services through TransUnion, encouraging them to register within 90 days of receiving the notification letter.

Initially, it was unclear whether the compromised data involved employees or clients. However, in an update on October 17, 2025, Sotheby’s clarified in a statement to BleepingComputer that the breach involved employee information, not customer data. The company emphasized that it took the incident seriously and immediately involved external cybersecurity experts to support the response and remediation process.

“Sotheby’s discovered a cybersecurity incident that may have involved certain employee information,” a company spokesperson said in an official statement. “Upon discovery, we promptly began an investigation with leading data protection specialists and law enforcement. The company is notifying all impacted individuals as required and remains committed to protecting the integrity of its systems and data.”

Sotheby’s is among the world’s most recognized auction houses, dealing in high-value art and luxury assets. In 2024, the firm recorded total annual sales of nearly $6 billion, highlighting the scale and sensitivity of the data it manages, including financial and transactional records.

Although no ransomware groups have claimed responsibility for this breach so far, similar attacks have previously targeted high-end auction platforms. In 2024, the RansomHub gang allegedly breached Christie’s, stealing personal data belonging to an estimated 500,000 clients. Such incidents indicate that cybercriminals increasingly view global art institutions as lucrative targets due to the financial and personal data they store.

This is not the first time Sotheby’s has dealt with cybersecurity issues. Between March 2017 and October 2018, the company’s website was compromised by a malicious web skimmer designed to collect customer payment information. A comparable supply-chain attack in 2021 also led to unauthorized access to sensitive data.

The latest breach reinforces the growing risks faced by major cultural and financial institutions that handle valuable client and employee data. As investigations continue, Sotheby’s has urged affected individuals to remain vigilant, review their financial statements regularly, and immediately report any suspicious activity to their bank or credit institution.


Read more »
Subscribe to: Comments (Atom)