Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Third Party Risk
Banking Security Cybersecurity Threats Data Breach Data protection financial data exposure Network Security Ransomware attack SonicWall Vulnerability Third Party Risk

Large Scale Ransomware Attack at Marquis Compromises Data of 672000 People


 

Marquis, a Texas-based provider of analytics and visualization solutions to hundreds of U.S. banks, recently disclosed a ransomware intrusion that took place in August 2025 resulted in a large-scale compromise of highly sensitive customer information, demonstrating the systemic vulnerability inherent in today's interconnected financial data ecosystem. 

A breach that has only recently become publicized due to regulatory disclosures affected at least 672,075 individuals, and involved exfiltration of both personal identifiers and critical financial information. A company filing submitted to the Maine Attorney General's office indicates that it is beginning the process of notifying the affected, with a significant concentration of those affected residing in Texas. 

In light of the extent of the stolen dataset, which consists of names, dates of birth, addresses, bank account details, payment card information, and even Social Security numbers, this is not merely an unauthorized access incident, but a deeply consequential event threatening consumer financial security as well as institutional trust for the long term. 

Marquis has received subsequent disclosures suggesting that the incident may have been linked to a broader compromise within the vendor ecosystem on which Marquis relies. SonicWall released an advisory in mid-September 2025 urging its customers to reset their credentials following the discovery of a brute-force attack on the MySonicWall cloud platform. This service stores and manages configuration backups on behalf of firewall administrators. 

A backup may contain highly sensitive operational data, including network rules, access control policies, VPN configurations, authentication parameters associated with enterprise identity systems such as LDAP, RADIUS, and SNMP, as well as administrative account credentials. Later, Marquis confirmed the inclusion of Marquis among those affected entities, and the company acknowledged that the compromise encompassed the entire company's customer base. 

Although early reports do not offer a complete picture of downstream impact, subsequent regulatory filings by Marquis across multiple jurisdictions show that the nature and extent of compromised data varies from state to state. This company provided a particularly comprehensive dataset in its submission to Maine authorities that included names, physical addresses, contact information, Social Security numbers, taxpayer identification numbers, and financial account information without associated security codes. 

The date of birth, as well as the dates of birth, indicate a breach with both infrastructure and personal consequences. As a result of the incident, more attention has been drawn to the structural risks associated with the financial sector's reliance on third-party service providers, where a single point of compromise can have cascading effects on a number of institutions and, by extension, their clients. 

The runsomware event in August affected data associated with clients from dozens of banks and credit unions, according to Marquis, but it has only recently been confirmed how broad the scope of the individual impact and the amount of information exposed have been clarified. According to our investigation, the initial intrusion vector was caused by unauthorized access to the SonicWall firewall, which permitted a third party to gain access to Marquis’ internal network. 

In response to this incident, the company has taken legal action against the vendor, emphasizing the complexity of accountability issues which often follow breaches involving interconnected technology. Providing digital and physical marketing solutions to more than 700 financial institutions along with compliance software and services, Marquis occupies a position of considerable data centrality, which inherently magnifies the downstream consequences of any security breaches. 

Due to their centralized storage of aggregated financial data and personally identifiable information, such intermediaries remain high-value targets for ransomware groups. Upon learning about the breach, affected individuals are advised to adopt heightened monitoring practices, including carefully reviewing their bank and credit card transactions, obtaining credit reports from established credit bureaus, and activating fraud alerts and credit freezes whenever necessary. 

Furthermore, caution is being urged against unsolicited communications that may attempt to exploit the incident through phishing or social engineering methods. Ultimately, the episode underscores the importance of continuous risk assessments, stronger access controls, and coordinated security strategies between institutions and service providers as an increasingly persistent and sophisticated threat landscape continues to affect the financial ecosystem.

A security breach has also drawn attention to the systemic vulnerabilities introduced by financial institutions' deeper integration with third-party technology providers, where operational efficiency is often sacrificed at the expense of expanded attack surfaces. 

Even though Marquis had previously acknowledged that the August ransomware incident affected banking and credit union clients, subsequent disclosures have clarified the extent of individual exposures as well as the sensitive nature of compromised records.

A forensic analysis revealed that the point of entry was a SonicWall firewall that permitted unauthorized access to Marquis' internal infrastructure, allowing an external actor to gain access to the system. It has therefore decided to pursue legal action against the vendor in response, emphasizing the complex issues of liability and shared responsibility that arise from breaches within interconnected digital ecosystems. 

A significant amount of information within Marquis's systems magnifies the impact of such an intrusion because of the company's role in providing marketing, compliance, and data-driven services to more than 700 financial institutions. Observations from security experts suggest organizations that operate at this crossroads of aggregated financial and personally identifiable data remain particularly attractive targets for ransomware operators seeking maximum impact. 

In light of the incident, individuals are being urged to adopt a more vigilant stance, which includes monitoring their financial statements on a continuous basis, obtaining credit reports to detect anomalies, and implementing precautionary measures, such as fraud alerts or credit freezes, as appropriate.

A special focus is being placed on preventing opportunistic follow-on attacks, such as phishing attacks or deceptive outreach that may use compromised information to establish trust. These incidents serve as a reminder, together with tighter access governance and more cohesive defensive collaboration between service providers and their institutional clients, of the importance of continuous security reassessment, tighter access governance, and more cohesive defensive collaboration. 

In an increasingly complex digital environment, threat actors continue to refine their tactics. Despite the incident's unfortunate outcome, it serves as a defining example of how digitally interconnected financial services are evolving in terms of risk dynamics, in which trust is distributed among vendors, platforms, and shared infrastructure. 

As a result, cybersecurity is no longer considered a perimeter function, but rather an integrated, continuous discipline throughout the entire supply chain that must be addressed continuously. It entails a deeper level of vendor due diligence, stricter configuration governance, and real-time visibility into third-party dependencies for institutions. As a result, service providers must harden cloud-integrated environments and limit the persistence of sensitive credentials within systems that can be accessed. 

A stronger regulatory scrutiny and continued exploits of systemic interdependencies will lead to an increasing focus on resilience, which will not necessarily mean avoiding breaches but rather anticipating, containing, and responding transparently to breaches without eroded stakeholder trust.
Read more »
Threat Intelligence
Cyber Warfare Cybersecurity Data Breach Endpoint Management Enterprise security identity-based attacks Microsoft Intune supply chain security Threat Intelligence

Stryker Attack Prompts Scrutiny of Enterprise Device Management Tools



A significant shift has occurred in the strategic calculus behind destructive cyber operations in recent years, expanding beyond the confines of traditional critical infrastructures into lesser-noticed yet equally vital ecosystems underpinning modern economies. 

State-aligned threat actors are increasingly focusing their efforts on organizations embedded within logistics and supply chain frameworks that support entire industries through their operational continuity. A single, well-placed intrusion at these junctions can have a far-reaching impact on interconnected networks, reverberating across multiple interconnected networks with minimal direct involvement. 

Healthcare supply chains, however, stand out as especially vulnerable in this context. As central channels of delivery of care, medical technology companies, pharmaceutical distributors, and logistics companies operate as central hubs for the delivery of care, providing support for large healthcare networks. 

The scale of these organizations, their interdependence, and their operational criticality make them high-value targets, which allows adversaries to inflict widespread damage indirectly, without exposing themselves to the immediate impact and consequences associated with attacking frontline healthcare organizations. It is against this backdrop that a less examined yet increasingly consequential risk is becoming increasingly evident one that is not related to adversaries' offensive tooling, but rather to the systems organizations use to orchestrate and secure their own environments. 

As part of the evolving force multipliers role of device and endpoint management platforms, designed to provide centralized control, visibility, and resilience at scale, these platforms are now emerging as force multipliers. Several recent cyber incidents have provided urgency to this issue, including the recent incident involving Stryker Corporation, where an intrusion into its Microsoft-based environment caused rapid operational disruptions across the company's global footprint. 

In response to the company's disclosure of the breach approximately a week later, the Cybersecurity and Infrastructure Security Agency issued a formal alert stating that malicious activity was targeting endpoint management systems within U.S. organizations. 

A broader investigation was initiated after the Stryker event triggered it. Through coordination with the Federal Bureau of Investigation, the agency has undertaken efforts to determine the scope of the threat and identify potential affected entities. As illustrated in mid-March, such access can provide a systemic leverage. 

An incident occurred on March 11, 2019, causing Stryker's order processing functions to be interrupted, its manufacturing throughput to be restricted, and outbound shipments to be delayed. These effects are consistent with interference at the management level as opposed to a single, isolated system compromise. 

The subsequent reporting indicated the incident may have involved the wiping of about 200,000 managed devices as well as the exfiltration of approximately 50 terabytes of data, indicating that both destructive and intelligence-gathering objectives were involved. 

A later claim of responsibility was made by Handala, which described the operation as retaliatory in nature after a strike in southern Iran, emphasizing the growing intersection between geopolitical signaling and supply chain disruption in contemporary cyber campaigns. 

During the course of the incident, it became increasingly evident that such a compromise would have practical consequences. Several key operational capabilities, including order processing, manufacturing execution, and distribution, were lost as a result of the intrusion, effectively limiting Stryker Corporation's ability to service demand across a globally distributed network. As a result of this disruption, traceable to Microsoft's environment, supply chain processes were immediately slowed down, creating bottlenecks beyond internal systems that led to downstream delivery commitments. 

Consequently, the organization initiated its incident response protocol, undertaking containment and forensic analysis, assisted by external cybersecurity specialists, in order to determine the scope, entry vectors, and persistence mechanisms of the incident. Observations from industry observers indicate that Microsoft Intune may be misused as an integral part of a network attack chain, based on preliminary assessments. 

Apparently, Lucie Cardiet of Vectra AI has found that threat actors may have exploited the platform's legitimate administration capabilities to remotely wipe managed endpoints, triggering large-scale factory resets on corporate laptops and mobile devices. The implementation of such an approach is technically straightforward, but operationally disruptive at scale, particularly in environments where endpoint integrity is a primary component of production systems and logistics operations. 

As a result of these device resets, widespread reconfiguration efforts were necessary, interrupting the availability of inventory management systems, production scheduling platforms, and coordination tools crucial to ensuring supply continuity. 

Applied cumulatively, these disruptions delayed manufacturing cycles and affected the timely processing and fulfillment of orders across multiple facilities, demonstrating the rapid occurrence of tangible operational paralysis that can be caused by control-plane compromises. There is evidence from the incident that the pattern of advanced enterprise intrusions is increasingly characterized by the convergence of compromised privileged identities, trusted management infrastructure, and intentional misuse of administrative functions, resulting in disruption of the enterprise. 

In the field of security, this alignment is often referred to as a "lethal trifecta," a technique that enables adversaries to inflict systemic damage without using conventional malware techniques. According to investigators, Stryker Corporation was compromised as a result of an intrusion centered on administrative access to its Microsoft Identity and Device Management stack, allowing attackers to utilize enterprise-approved tools in their operations. 

Intune platforms, such as Microsoft's, which provide centralized control over device fleets, are naturally equipped with high-impact capabilities. These capabilities can range from the enforcement of policies to the provision of remote wipe functions that can be repurposed into mechanisms for disruption if commandeered. 

Employees have been abruptly locked out of corporate systems across geographical boundaries, suggesting that administrative actions have been coordinated. This is consistent with "living off the land" techniques that exploit native enterprise controls in order to avoid detection and maximize operational consequences. It is evident that the scale of disruption underscores the structural dependence that is inherent within the global healthcare supply chain. 

Stryker, one of the most prominent companies in the sector, operates in dozens of countries and employs tens of thousands of people. In the event that internal systems underlying manufacturing and order fulfillment were rendered inaccessible, the effects spread rapidly across the organization's international operations. 

Many facilities, including major hubs in Ireland, reported experiencing widespread downtime, with employees being unable to access company network services. In spite of the fact that the company stated that its medical devices continued to function safely in clinical settings due to their segregation from affected corporate systems, the incident nevertheless highlights the fragility of interconnected supply chains. 

Medical technology providers serve as critical intermediaries and disruptions at this level can have an adverse effect on distributors, healthcare providers, and ultimately the timeline for delivering patient care. On a technical level, the breach indicates that attacker priorities have shifted from endpoint compromise to identity dominance. 

Identity-centric operations are increasingly replacing traditional intrusion models, which typically involve malware deployment, lateral movement, and persistence mechanisms. These adversaries use credential, authentication token, or privileged session vulnerabilities to gain control over the enterprise control planes.

After being embedded within identity infrastructure, attackers are able to interact with administrative portals, SaaS management consoles, and device orchestration platforms as if they were legitimate operators. Because actions are executed through trusted channels, malicious activity is significantly less visible. It is therefore important to note that the extent to which the attackers have affected the network is determined by the scope of privileges that the compromised identities possess. 

Additionally, it is evident that the attacker's intent has shifted from financial extortion to outright disruption. Although ransomware continues to dominate the threat landscape, these incidents are more closely associated with destructive operations, which are aimed at disabling systems and degrading functionality rather than extracting payment.

In light of the reported scale of device resets and data exfiltration, it appears the campaign was intended to disrupt operational continuity, echoing tactics employed in previous wiper-style attacks often associated with state-aligned actors. Operations of this type are often designed to disrupt organizations for maximum disruption, rather than to maximize financial gain, and are frequently deployed to signal strategic intent. 

As evidenced by the attribution claims surrounding the incident, the group Handala defined the operation within the framework of broader geopolitical tensions, indicating that it was aimed at retaliation. Even if such claims are not capable of being fully attributed to such entities, the narrative is consistent with an observation that private sector entities - particularly those involved in critical supply chains - are increasingly at risk of state-linked cyber activity. 

Cyberspace geopolitical contestation is no longer confined to peripheral targets, but encompasses integral elements of healthcare, manufacturing, and logistics. A recalibration of enterprise security priorities is particularly necessary in environments in which identity systems and management platforms serve as the operational backbone. These events emphasize the need to refocus enterprise security priorities. 

The tactics that are employed today are increasingly misaligned with defenses centered around endpoint detection and malware prevention. Organizations must instead adopt a security posture that focuses on identity-centric risk management, enforcing strict privilege governance, performing continuous authentication validation, and monitoring administrative actions across control planes at the granular level. 

Additionally, it is crucial that enterprise management tools themselves be hardened, ensuring that high impact functions such as remote wipe, policy enforcement, and system-wide configuration changes are subject to layered authorization controls and real-time anomaly detection. For industries embedded in critical supply chains, resilience planning extends to the capability of sustaining operations when control-plane disruptions occur, as well as the prevention of intrusions. 

Ultimately, Stryker's incident serves as a reminder that in modern enterprise settings, the most trusted of systems can inadvertently turn into the most damaging failure points-and their secure operation requires a degree of scrutiny commensurate with their impact. It can also be argued that the Stryker incident provides a useful illustration of how modern cyber operations can transcend isolated breaches into instruments that can cause widespread disruptions throughout global networks.

Read more »
Telus Digital
Data Breach Data Exposure Microsoft 365 Salesforce ShinyHunters Telus Digital

Telus Digital Faces Scrutiny Following Claims of Large-Scale Data Extraction

 



Canadian outsourcing and digital services firm Telus Digital has confirmed that it experienced a cybersecurity incident after threat actors alleged they had extracted an enormous volume of data, estimated at nearly one petabyte, over a prolonged period of unauthorized access.

Telus Digital operates as the outsourcing and digital solutions division of Telus. The company provides services such as customer support, content moderation, artificial intelligence data operations, and other business process outsourcing functions to organizations around the world. Because firms in this sector often manage customer interactions, billing systems, and internal authentication tools on behalf of multiple clients, they are frequently targeted by attackers aiming to gain access to large datasets through a single compromise.

The breach has been linked to a threat group known as ShinyHunters, which claims it obtained a wide range of customer-related data connected to Telus Digital’s outsourcing services, along with call records tied to Telus’ consumer telecommunications operations.

Reports about a possible breach had surfaced earlier this year, and inquiries were made to the company at the time, though no response was received then. Telus has now acknowledged the incident, stating that it is investigating what information may have been accessed and which customers could be affected.

In its official statement, the company said unauthorized access was identified in a limited number of systems. It added that immediate steps were taken to contain the activity and prevent further intrusion. Telus also stated that its operations remain fully functional, with no evidence of disruption to customer connectivity or services. The company confirmed that external cyber forensics specialists have been engaged and that law enforcement authorities are involved. It further noted that additional safeguards have been implemented and that affected customers will be notified where appropriate.

Sources indicated that the attackers attempted to extort the company, but Telus did not engage in communication with them.


Attack Method and Data Exposure Claims

After learning that the company was not negotiating, the attackers were contacted for further details regarding the incident.

According to their claims, the intrusion began with access to Google Cloud Platform credentials that were previously exposed in data linked to the Salesloft Drift breach. In that earlier incident, attackers extracted Salesforce data belonging to approximately 760 organizations, including customer support tickets. These records were then examined to locate credentials, authentication tokens, and other sensitive information, which could be reused to access additional systems.

The threat actors stated that they identified credentials associated with Telus within that dataset. These credentials allegedly enabled them to access multiple internal systems, including a large BigQuery data environment. After extracting initial data, they reportedly used the tool trufflehog to scan for further secrets, allowing them to expand their access into additional parts of the company’s infrastructure.

The group claims that the total amount of data taken is close to one petabyte, though this figure has not been independently verified. They also shared the names of 28 well-known companies that they allege were affected. However, these claims have not been confirmed, and the identities of those organizations remain undisclosed.

The data described by the attackers covers a wide range of business operations. This includes information related to customer support services, call center activities, agent performance metrics, AI-powered support systems, fraud detection mechanisms, and content moderation processes. In addition, they claim to have accessed source code, financial records, Salesforce data, background verification documents, and recordings of customer service calls.

The breach is also said to affect Telus’ telecommunications operations, particularly its consumer fixed-line services. The allegedly exposed data includes detailed call logs, voice recordings, and campaign-related information. Samples of these call records reportedly contain timestamps, call durations, originating and receiving numbers, and technical metadata such as call quality indicators.

Overall, the nature of the exposed data appears to vary significantly depending on the organization, indicating that multiple business functions across different clients may have been impacted.

The attackers stated that they began extortion attempts in February, demanding $65 million in exchange for not releasing the stolen data. The company did not respond to these demands.

Telus has indicated that further updates may be provided as its investigation progresses.


Who Are ShinyHunters

The name ShinyHunters has been associated with various individuals and cyber incidents over time, but the group currently operating under this identity has emerged as one of the more active data extortion actors in recent months. Their operations have largely focused on compromising cloud-based platforms, particularly those connected to enterprise software ecosystems.

The group has been linked to incidents involving major organizations such as Google, Cisco, and Match Group, among others.

More recently, their tactics have expanded to include voice phishing, or vishing, attacks. In these cases, employees are contacted by individuals posing as IT support staff and are persuaded to reveal login credentials or multi-factor authentication codes through fraudulent websites. The group has also been observed using device code phishing techniques to obtain authentication tokens linked to identity platforms such as Microsoft Entra.

Once valid credentials and authentication codes are obtained, attackers can take control of single sign-on accounts and gain access to interconnected enterprise services, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.


Security Implications

This incident reflects a broader trend in which attackers reuse previously stolen data to launch new intrusions. It also highlights the elevated risk associated with outsourcing providers that centralize sensitive operations for multiple organizations.

Cybersecurity experts increasingly note that modern attacks often occur in stages, where one breach creates opportunities for subsequent compromises. As businesses continue to rely on cloud platforms and third-party service providers, the potential scale and impact of such incidents continue to grow.

The situation is currently under investigation, and additional verified details are expected as more information surfaces.

Read more »
South Africa
Bitcoin Data Breach IT system land bank Microsoft Server Ransomware South Africa

Ransomware Attack Hits South Africa’s Land Bank, Hackers Demand Bitcoin Payment

 



South Africa’s Finance Minister Enoch Godongwana has disclosed that the Land and Agricultural Development Bank of South Africa was targeted in a ransomware incident earlier this year.

The cyberattack took place on January 12, according to official confirmation.

Details of the breach were made public through a parliamentary response after Adil Nchabeleng requested clarification on how the incident occurred, which systems were impacted, and whether the attackers issued any ransom demands.

In his response, the Minister stated that the attackers demanded 5 Bitcoin, estimated to be worth around R5.4 million. The bank chose not to comply with this demand. He further confirmed that core banking infrastructure and data related to farmers were not accessed or compromised.

Initial investigations revealed that suspicious activity was detected within certain parts of the bank’s IT environment. Further analysis suggested that an external party gained entry by exploiting a vulnerability in an internet-facing server. Following this, ransomware was deployed, leading to encryption of portions of the bank’s server systems as well as several employee laptops.

The attack specifically affected servers operating within virtual environments that run on Microsoft systems. Authorities have identified the perpetrators as part of a Ransomware-as-a-Service group, indicating the use of commercially distributed ransomware tools.

In response to the breach, the bank acted swiftly to contain the damage. Affected systems were isolated, indicators of compromise were removed, and additional security measures were implemented to strengthen defenses.

Officials emphasized that critical platforms, including enterprise resource planning systems, core banking infrastructure, and customer relationship management tools, were not accessed. This was attributed to the fact that the SAP environment is maintained separately from other server systems, providing an additional layer of protection.

However, other parts of the IT environment were significantly impacted. Systems outside the SAP infrastructure were either encrypted or rendered inaccessible to staff, and multiple laptops were also locked by the ransomware.

The attackers reportedly demanded payment in Bitcoin in exchange for restoring access to data and refraining from releasing any stolen information. Despite this, the bank confirmed that it did not make any ransom payment.

During the recovery phase, the bank continued to isolate affected environments, remove malicious traces, and enhance its cybersecurity posture. This included strengthening firewall configurations, patching known vulnerabilities, and improving detection mechanisms to better respond to future threats.

This incident follows a series of cyberattacks affecting organizations in South Africa. In May of the previous year, South African Airways experienced a major cyber disruption that affected its website, mobile application, and several internal systems. Immediate steps were taken at the time to reduce the impact on flight operations and customer services.

The Land Bank attack sheds light on the increasing frequency of ransomware incidents targeting key institutions. It also underscores the importance of proactive cybersecurity measures, including system segmentation, timely updates, and continuous monitoring to prevent and mitigate such threats.

Read more »
WhatsApp hacking
AIVD MIVD warning cyber espionage Data Breach Russian Hackers Signal security breach social engineering attacks WhatsApp hacking

Russian Cyber Campaign Targets Signal and WhatsApp Users Through Social Engineering Tactics

 

Hackers believed to be linked to Russia are attempting to gain access to Signal and WhatsApp accounts of government officials, journalists, and military personnel worldwide—not by breaking encryption, but by manipulating users into giving up their access credentials.

This warning was issued on Monday by the Netherlands’ intelligence and military agencies, AIVD and MIVD, which reported a "large-scale" cyber operation focused on compromising accounts on these messaging platforms. Instead of attacking the apps’ end-to-end encryption, the campaign aims to take control of user accounts and discreetly monitor their communications.

According to the agencies, attackers directly contact targets through chats and convince them to share verification codes or PINs, effectively handing over account access. In certain instances, the hackers impersonate a Signal support bot to make their requests appear authentic. Once the code is provided, they can log in and view private messages or track group conversations without bypassing encryption.

Another technique involves exploiting Signal’s “linked devices” feature, which allows multiple devices to connect to one account. If attackers successfully link their own device, they can observe messages in real time. Dutch authorities confirmed that this campaign has already impacted individuals, including those within the Dutch government. "The Russian hackers have likely gained access to sensitive information," the AIVD and MIVD said, adding that "targets and victims of the campaign include Dutch government employees" as well as journalists.

Ironically, the strong encryption that makes these platforms popular among officials and reporters also increases their value as targets once an account is compromised. While end-to-end encryption secures messages during transmission, it offers no protection if an attacker gains direct access to the account.

A Meta spokesperson told The Register that users should never share their six-digit code with others and that it provides detailed advice on how WhatsApp users can protect themselves from scams.

Signal did not immediately respond to The Register’s inquiries. Meanwhile, Dutch authorities have issued a cybersecurity advisory and are helping affected users secure their accounts. They also highlighted warning signs of a potential breach, such as duplicate contacts appearing or numbers being marked as “deleted account” unexpectedly.

The broader takeaway from intelligence officials is that while encrypted messaging apps are convenient, they are not designed for highly sensitive communication. As MIVD director Vice-Admiral Peter Reesink put it:

"Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."

In essence, relying solely on the assumption that no one will request a verification code may not be sufficient for maintaining operational security.
Read more »
ransomware attack 2025
AkzoNobel cyberattack Anubis ransomware Data Breach data breach US site ransomware attack 2025

AkzoNobel Confirms Cyberattack at U.S. Site Following Anubis Ransomware Data Leak

 

kDutch multinational paints and coatings company AkzoNobel has confirmed that a cyberattack impacted one of its facilities in the United States, according to a statement shared with BleepingComputer.

The incident came to light after the Anubis ransomware gang published data allegedly stolen from the company. In response, a spokesperson clarified that the breach was quickly contained and did not spread beyond the affected location.

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer. “The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities.”

With a workforce of around 35,000 employees, AkzoNobel generates over $12 billion in annual revenue and operates across more than 150 countries. Its portfolio includes well-known brands such as Dulux, Sikkens, International, and Interpon.

The Anubis ransomware group claims it exfiltrated approximately 170GB of data, comprising nearly 170,000 files. It has also released sample materials on its leak site, including screenshots and file listings as proof of the breach.

According to the group, the leaked data contains sensitive information such as confidential contracts with major clients, contact details, internal communications, passport copies, testing documentation, and technical specifications.

So far, only a portion of the stolen data has been made public. The company has not disclosed whether it has engaged in any negotiations with the attackers.

Anubis operates under a ransomware-as-a-service (RaaS) model, which began in December 2024, offering affiliates a significant share—up to 80%—of ransom payments. The group expanded its reach in February 2025 by launching an affiliate initiative on underground forums, increasing its presence in cybercrime activities

Later in June 2025, the group introduced a destructive tool capable of permanently erasing victims’ data, making recovery efforts significantly more challenging

Read more »
Ransomware attack
Cybercrime Trends Data Breach Data Exfiltration Healthcare cybersecurity Hospital Cyber Attack Network Security Ransomware As A Service Ransomware attack

Royal Bahrain Hospital Faces Alleged Breach by Payload Ransomware


 

Several ransomware outfits have recently surfaced, claiming responsibility for significant breaches at Royal Bahrain Hospital, raising fresh concerns about healthcare cybersecurity. The group claims that it has penetrated the hospital’s digital infrastructure and exfiltrated a considerable amount of sensitive data using the name Payload.

The assertions of this nature, if verified, illustrate how vulnerable healthcare institutions are, since critical operations and highly confidential patient information are intertwined. As threat actors increasingly leverage reputational pressure by threatening the public disclosure of stolen information, they are not only seeking financial gain, but also seeking reputational gain. 

The incident is a reflection of an emerging trend in which ransomware groups are rapidly adopting sophisticated tactics in order to target essential service providers, posing considerable threats to operations continuity and data privacy. As a result of cyber threat intelligence and monitoring channels, the alleged intrusion has been discovered, further emphasizing ransomware operators' continued focus on healthcare infrastructure worldwide. 

The Royal Bahrain Hospital was established in 2011, and is a private medical facility with a capacity of 70 patients. It offers a variety of inpatient and outpatient services, including maternity care, surgery, and advanced diagnostics. 

In addition to serving a domestic patient base, the facility also serves patients from Oman, Qatar, Saudi Arabia, and the United Arab Emirates, positioning it within a system of cross-border medical care that continues to expand. These institutions have become increasingly attractive targets for financially motivated threat actors, primarily due to the criticality of uninterrupted clinical operations and the sensitive nature of patient data, which can increase the urgency with which incidents must be contained and normalcy restored. 

In the broader ransomware ecosystem, the emergence of new groups continues to reflect a highly competitive threat landscape that is continually evolving. It appears Payload, a relatively recent entrant to the market, employs a structured extortion model, which incorporates data exfiltration and system level encryption to maximize leverage. 

There has been a noticeable increase in the activity of the group across mid-sized to large-scale companies, particularly in sectors such as real estate and logistics, with an emphasis on organizations operating in high-growth markets or in developing countries. 

Technically, its ransomware framework includes ChaCha20 for file encryption and Curve25519 for secure key exchange, in addition to further security controls that are being implemented to inhibit recovery attempts, including the removal of shadow copies and interference with security controls. 

Further indicators indicate that ransomware-as-a-service may also be employed, with a Tor-based leak portal being used in a staged manner to pressure non-compliant victims. As per recent threat intelligence, the broader ransomware economy is also experiencing a period of transition.

Although ransomware remains a persistent and disruptive threat, several indicators suggest that profitability across the ecosystem is gradually decreasing. There is a growing reluctance among victims to pay ransom demands as a result of strengthened organizational defenses, improved incident recovery capabilities, and improved incident recovery capabilities. 

Furthermore, sustained law enforcement actions and internal fragmentation within cybercriminal networks have disrupted some previously dominant cybercriminal networks, contributing to the increase in competition and crowdedness among cybercriminals. 

Consequently, threat actors appear to be recalibrating their strategies, increasing their attention to smaller organizations and pivoting toward data exfiltration-based extortion without full-scale encryption in response. In spite of the increasing pressure on ransomware threat models, they continue to adapt in order to develop viable monetization strategies.

In light of this background, the incident serves as a reminder that ransomware threats are no longer restricted to large corporations, and are now increasingly affecting midsized organizations across a wide range of industries. 

Experts recommend layered and proactive defense strategies to reduce operational and data exposure. Dark web activity and information stealer logs can be continuously monitored to identify compromised credentials or leaked datasets before they have been weaponized in a timely manner. 

Additionally, organizations are advised to conduct comprehensive compromised assessments to trace intrusion vectors, determine whether data has been exfiltrated, and identify the presence of persistent mechanisms within their environments. 

Moreover, resilience is highly dependent on the integrity of backups, which must be regularly verified, encrypted in a secure manner, and, ideally, maintained in an offline or immutable configuration to avoid tampering. 

It is critical for organizations to increase their detection and response capabilities by integrating actionable threat intelligence into SIEMs and XDRs, but employee-focused measures are also necessary to prevent credential-based attacks, such as phishing awareness and strict enforcement of multifactor authentication. It is essential to coordinate engaging with specialized response teams, including forensic analysts and attorneys, prior to engaging with threat actors in the event of an incident. 

The available threat intelligence indicates that Payload targets medium- to large-scale organizations across emerging markets, including those operating in commercially active sectors such as real estate, logistics, and other related industries. 

There is a widespread belief that the group operates under a ransomware-as-a-service model, wherein core developers maintain and update the malware framework while affiliate operators execute attacks, generating revenue by sharing the proceeds. As a result of this approach, the group appears to maintain a Tor-based leak portal that is used for staged disclosure of exfiltrated data to exert pressure on noncompliance victims. 

It is apparent that Royal Bahrain Hospital's inclusion on this platform, along with purported screenshots of compromised systems, is intended to strengthen its claims, while simultaneously amplifying the reputational risk. Further, this incident reinforces existing concerns within the cybersecurity community concerning healthcare institutions' heightened vulnerability. Because hospitals rely on interconnected digital ecosystems for patient records, diagnostics, and operational workflows, they remain particularly vulnerable. These environments can be disrupted immediately and have immediate real-world implications, which threat actors often take advantage of in order to accelerate ransom negotiations. 

The group indicates that it holds a significant amount of allegedly stolen data in this case and has set a deadline for compliance of March 23 after which it threatens to disclose the data. To date, these claims have not been independently verified, and it is unclear to what extent they may have affected systems or data. As the situation develops, standard guidance emphasizes the need for detailed forensic investigations, evaluating the scope of the compromise, and reinforcing defensive controls. 

In its entirety, the episode highlights the imperative for organizations to rethink cybersecurity as an integral component of operational governance rather than a peripheral safeguard. It is exceptionally difficult for healthcare institutions to avoid disruption, since digital dependency is deeply intertwined with patient outcomes. 

In response, resilience-centric security architectures have become increasingly important, which prioritize threat visibility early in the attack cycle, disciplined incident response, and alignment between technical controls and executive oversight.

It is expected that adversaries will continue to refine extortion-driven tactics and exploit structural vulnerabilities, making an organization’s ability to anticipate intrusion patterns, contain risk efficiently and effectively, and maintain trust in the face of advancing cyber threats increasingly becoming the differentiator.
Read more »
Google Gemini
API Keys Data Breach Data Leak Google Gemini

Google API Keys Expose Gemini AI Data via Leaked Credentials

 

Google API keys, once considered harmless when embedded in public websites for services like Maps or YouTube, have turned into a serious security risk following the integration of Google's Gemini AI assistant. Security researchers at Truffle Security uncovered this issue, revealing that nearly 3,000 live API keys—prefixed with "AIza"—are exposed in client-side JavaScript code across popular sites.

Truffle Security's scan of the November 2025 Common Crawl dataset, which captures snapshots of major websites, identified 2,863 active keys from diverse sectors including finance, security firms, and even Google's own infrastructure. These keys, deployed sometimes years ago (one traced back to February 2023), were originally safe as mere billing identifiers but gained unauthorized access to Gemini endpoints without developers' knowledge.Attackers can simply copy a key from page source, authenticate to Gemini, and extract sensitive data like uploaded files, cached contexts, or datasets via simple prompts.

The danger extends beyond data theft to massive financial abuse, as Gemini API calls consume tokens that rack up charges—potentially thousands of dollars daily per compromised account, depending on the model and context window. Truffle Security demonstrated this by querying the /models endpoint with exposed keys, confirming access to private Gemini features. One reported case highlighted an $82,314 bill from a stolen key, underscoring the real-world impact.

Google acknowledged the flaw as "single-service privilege escalation" after Truffle's disclosure on November 21, 2025, and implemented fixes by January 2026, including blocking leaked keys from Gemini access, defaulting new AI Studio keys to Gemini-only scope, and sending proactive leak notifications. Despite these measures, the "retroactive privilege expansion" caught many off-guard, as enabling Gemini in projects silently empowered old keys.

Developers must immediately audit Google Cloud projects for Gemini API enablement, rotate all exposed keys, and restrict scopes to essentials—avoiding the default "unrestricted" setting. Tools like TruffleHog can scan code repositories for leaks, while regular monitoring prevents future exposures in an era where AI services amplify API risks. This incident highlights the need for vigilance as cloud features evolve.
Read more »
Medical Data breach
Cyberattacks Data Breach Data protection data security Hacker attack Healthcare Data Theft Iran hackers Medical Data breach

Iran-Linked Handala Hackers Claim Breach of Israel’s Clalit Healthcare Network

 

A breach at Israel’s biggest health provider has been tied to an Iranian-affiliated hacking collective, which posted stolen patient records online. Claiming credit, a network calling itself Handala detailed the intrusion via public posts. Access reportedly reached Clalit Health Services’ core data stores. That institution cares for around fifty percent of the country’s residents. 

More than ten thousand people saw their medical files exposed, the hackers stated. Samples of what they say is real data now sit on public servers - names, test results, health scans tucked inside. Handala issued a statement saying Israel's hospital networks were left reeling after the breach, calling defenses weak and slow. What followed was not subtle: laughter at how easily systems gave way.  

Not just an attack, but positioned as resistance - this action followed claims of long-standing control and abuse. Echoing past messages, the announcement carried familiar tones seen when digital strikes hit Israeli bodies before. 

A strange post appeared online just hours before the reveal - hinting at something unfolding within Israel’s medical system. By next morning, reports confirmed a possible leak of sensitive information. Right after hearing about it, Clalit's cyber defense units started looking into what happened. Government agencies got updates right away, since detection tools kicked in under standard procedures. 

While checks are still underway, hospital networks remain stable and running without disruption. A fresh incident highlights ongoing digital operations tied to Iran, aimed at entities and people in Israel. In recent years, outfits connected to Tehran have faced claims of seeking information, interfering with key bodies, while also trying to pull in collaborators using internet exchanges along with money offers. 

Now known for bold statements, Handala has taken credit for multiple major cyber events, experts note. While Check Point Research points out that some assertions appear inflated, a few of those declarations align with verified breaches. Unexpected overlaps between claim and evidence keep scrutiny alive. 

In December, hackers revealed they had gained access to ex-Prime Minister Naftali Bennett’s Telegram messages. Confirmation came from Bennett's team - yes, the account was reached, yet his device remained untouched. 

Later, these attackers stated they went after more individuals in politics. Among them: ex-minister Ayelet Shaked and Tzachi Braverman, a close associate of Netanyahu. Earlier, Israel's medical system dealt with digital attacks. Last October, hackers targeted Assaf Harofeh Medical Center using ransomware linked to Qilin. Patient records were at risk when the criminals asked for 70,000 dollars. Threats to expose sensitive information followed if payment failed. 

Later, officials pointed to Iran’s likely involvement in that incident too - showing how digital attacks are becoming a key part of the strain between these nations.
Read more »
Prompt Engineering Attacks
AI Cybersecurity Threats AI Driven Cybercrime AI Jailbreaking Claude AI Exploitation Cyber Espionage Campaign Data Breach Generative AI Attacks Prompt Engineering Attacks

Hackers Exploit Claude to Target Multiple Mexican Government Agencies

 


As generative artificial intelligence emerges, digital innovation is evolving at an unprecedented rate, but it is also quietly reshaping cybercrime in a subtle way. Tools originally designed for the purpose of research, coding, and problem-solving are now being explored for a variety of less benign purposes as well. 

This fact has been illustrated in a troubling fashion by recent revelations that threat actors have exploited the capabilities of Claude in order to support a large-scale intrusion targeting Mexican government networks. 

A security researcher at Gambit Security reported that attackers extracted approximately 150 gigabytes of sensitive information from multiple Mexican government agencies, demonstrating how widely accessible artificial intelligence systems can be manipulated to assist sophisticated cyber operations despite built-in safeguards despite their ease of use. 

It has been determined that the intrusion was not limited to passive reconnaissance. The attacker is believed to have used Claude throughout the campaign as an interactive tool for research and development. 

Gambit Security has released an analysis that indicates that the activity began in December, and continued for approximately a month, during which the chatbot was repeatedly instructed to identify potential vulnerabilities within government networks and to create scripts for exploiting those vulnerabilities. 

Using the same AI model, methods were also outlined for automating sensitive information extraction, effectively turning the model into an assistant for data extraction. In a series of carefully structured prompts, the operator gradually weakened the built-in safeguards of the model, thereby manipulating it slowly. 

There have been reports that the system has rejected initial requests, but subsequent iterations seem to have bypassed the platform's guardrails and generated increasingly more actionable material. The extent of the assistance presented by the model raised particular concerns among analysts. 

According to Curtis Simpson, the system produced thousands of analytical outputs which detailed potential attack paths, internal network targets, and credential-related strategies, thereby providing guidance on how to proceed within compromised environments. These outputs were more structured operational guidance for the campaign's human operator than casual responses. 

According to Anthropic, an internal investigation had been initiated following the disclosure and that the activity had been disrupted and the accounts associated with the misuse were permanently banned. According to a company representative, safeguards are continuing to develop. 

For example, the Claude Opus 4.6 model incorporates additional mechanisms to detect and block similar forms of abuse in the latest iteration. In the time of publishing, it had not been officially determined that the individuals responsible for the intrusion were part of any advanced persistent threat group that had been publicly identified.

Nonetheless, analysts examining the operation noted several similarities with tactics historically associated with espionage campaigns involving Chinese actors. As a result of intelligence gathered by Gambit Security and corroborated by SecurityAffairs, the tradecraft demonstrated in the operation - particularly disciplined operational security and systematic reconnaissance - appears to resemble patterns previously observed in state-aligned cyber espionage. 

A separate disclosure from Anthropic confirmed that state-sponsored actors have misused its AI programming tools to benefit dozens of organizations worldwide. It has been determined that investigators at this incident heavily relied on artificial intelligence-assisted workflows to accelerate the exploit development process, effectively reducing the technical barrier to assembling complex multi-stage intrusion chains while retaining high levels of operational secrecy. 

Technical analysis indicates that the campaign aimed at weaponizing Claude Code, by utilizing prompt engineering techniques in order to circumvent the system's built-in security measures. Over 1,000 prompts were submitted to the artificial intelligence environment, some of which were presented as legitimate bug bounty testing scenarios to bypass ethical restrictions embedded within the model by the researchers. 

In this iterative process, attackers were reported to have developed customized exploit scripts, lateral movement tooling, and operational playbooks tailored to the architecture of compromised networks through this iterative interaction. 

Following the generation of AI-generated material, successive phases of the intrusion chain, including privilege escalation, credential harvesting, and automated data extraction, were carried out. According to reports, the operators began shifting portions of their workflow to GPT-4.1 to continue developing credential handling utilities and refine network traversal techniques when restrictions began limiting output from Claude's environment. 

It was possible for the attackers to maintain a workflow that was largely automated and able to quickly adapt to defensive obstacles within the targeted infrastructure by chaining outputs from both AI systems. As a result of this approach, investigators identified behavioural indicators that stood out during forensic examination.

Among them were unusually large amounts of automated scripting activity, repeated instances of AI-generated code fragments appearing within attack tools, and the presence of AI-aided development processes operating from compromised government infrastructures. 

A series of stages has been involved in the intrusion, which began with compromising systems related to the Mexican tax authority before spreading to other public infrastructures. The attacker, according to investigators, then moved through a network of interconnected systems involving several regional government environments, municipal systems in Mexico City, public utility infrastructure in Monterrey, as well as at least one major financial institution, as well as the national electoral institute. 

As a result of the operation, approximately 150 gigabytes of sensitive data - including administrative information and individually identifiable information - were exfiltrated from these environments. MITER ATT&CK knowledge base analysis revealed a familiar sequence of intrusion techniques based on the observed activity. There is evidence that the initial access was obtained through valid accounts, followed by lateral movement with remote services, credential acquisition through operating system credential dump mechanisms, and large-scale data exfiltration. 

The researchers also observed additional measures intended to undermine defensive monitoring by interfering with security controls within the targeted environments in order to weaken defensive monitoring. 

Researchers noted that each of these tactics has been observed in conventional cyberespionage operations; however, the distinctive feature of the campaign was the systematic integration of generative artificial intelligence into the attack process. 

It is possible for attackers to coordinate complex intrusion chains at a speed and scale that is not possible with traditional manual methods, as they were able to automate reconnaissance, exploit development, and operational planning. This incident underscores how generative artificial intelligence systems are rapidly becoming a new layer within the cyber threat landscape that can enhance both defensive and offensive capabilities. 

In response to the threat of AI-aided attacks, security experts recommend that organizations, particularly those operating critical public infrastructure, adapt their defensive strategies accordingly. A number of measures are being taken to strengthen identity and access controls, identify anomalous automation patterns, and implement advanced behavioral analytics to identify tooling and scripting generated by AI. 

It is also recommended that AI developers, cybersecurity firms, and government agencies collaborate continuously so that safeguards can be refined to ensure that large language models are not manipulated for malicious purposes. 

It is becoming increasingly important for the cybersecurity community to ensure that innovations in artificial intelligence do not inadvertently become a force multiplier for sophisticated digital intrusions as platforms such as Claude and other generative AI systems continue to evolve.
Read more »
Texas cybersecurity lawsuit
Data Breach firewall cloud backup breach Marquis ransomware attack SonicWall breach Texas cybersecurity lawsuit

Marquis Sues SonicWall Over Alleged Security Flaws Linked to Major Ransomware Attack

 

A legal battle is escalating in Texas after fintech company Marquis filed a lawsuit against firewall vendor SonicWall, claiming that weaknesses in the company’s cloud backup service played a key role in a large ransomware attack.

The case was filed Monday in the U.S. District Court for the Eastern District of Texas, where Marquis is requesting a jury trial. The company argues that a 2025 cybersecurity incident at SonicWall "exposed critical security information for Marquis and every customer that used SonicWall's firewall cloud backup service."

According to the complaint, cybercriminals were able to obtain sensitive firewall configuration backup files, which were later used to infiltrate Marquis’ internal network.

Firewalls are meant to prevent unauthorized access to private networks. However, Marquis claims attackers used data taken from SonicWall’s cloud backup service to analyze how customers configured their firewall protections. This information allegedly provided them with a detailed roadmap to circumvent security controls.

The stolen information reportedly included emergency administrative access credentials known as scratch codes. These codes are designed to enable urgent system access but, according to the lawsuit, were exploited by attackers to bypass protections and gain entry into Marquis’ network.

"SonicWall allowed a threat actor to obtain the keys to bypass that line of defense and walk right into Marquis's internal network, the very thing that SonicWall's firewall was supposed to prevent," the lawsuit states.

After gaining access, the hackers allegedly launched a ransomware attack that disrupted Marquis’ operations and exfiltrated sensitive data.

Marquis, which offers data visualization solutions used by hundreds of banks and credit unions, reported that the attackers accessed "personally identifiable information concerning customers of some of Marquis's financial institution clients."

The compromised data reportedly includes names, dates of birth, mailing addresses, and financial information such as bank account numbers, debit card numbers, and credit card numbers. Social Security numbers were also exposed during the breach.

Expanding Impact of the Breach

SonicWall initially disclosed the security incident in mid-September 2025, stating that fewer than 5% of firewall configuration backup files belonging to customers had been taken from storage servers hosted on Amazon’s cloud infrastructure and managed by SonicWall.

However, the company later updated its disclosure in October, acknowledging that the attackers had actually obtained backup files belonging to all customers.

Marquis began notifying impacted individuals in December 2025, explaining that its systems had been compromised earlier in August. SonicWall has not revealed when the attackers initially accessed its environment, leaving questions about how long the vulnerability may have remained undetected.

In the lawsuit, Marquis claims that a modification made in February 2025 to one of SonicWall’s application programming interfaces (APIs) "created a vulnerability exploitable by threat actors." The complaint further alleges that this weakness enabled attackers to retrieve firewall configuration backup files "without proper authentication" by predicting firewall serial numbers.

The company has not yet confirmed the full scope of affected individuals. However, a report filed with the Texas attorney general indicates that at least 400,000 people across the United States may have been impacted. That number could rise as more breach notifications are submitted to regulators in other states.

The case now raises serious questions about SonicWall’s security controls surrounding its cloud backup service. A jury in the Eastern District of Texas will ultimately decide whether the vulnerabilities and subsequent ransomware attack were the result of security failures on SonicWall’s part, as Marquis alleges.
Read more »
Microsoft
AI tools Copilot Data Breach Microsoft

New Copilot Setting May Access Activity From Other Microsoft Services. Here’s How Users Can Disable It

 



A recently noticed configuration inside Microsoft Copilot may allow the AI tool to reference activity from several other Microsoft platforms, prompting renewed discussion around data privacy and AI personalization. The option, which appears within Copilot’s settings, enables the assistant to use information connected to services such as Bing, MSN, and the Microsoft Edge browser. Users who are uncomfortable with this level of integration can switch the feature off.

Like many modern artificial intelligence systems, Copilot attempts to improve the usefulness of its responses by understanding more about the person interacting with it. The assistant normally does this by remembering past conversations and storing certain details that users intentionally share during chats. These stored elements help the AI maintain context across multiple interactions and generate responses that feel more tailored.

However, a specific configuration called “Microsoft usage data” expands that capability. According to reporting first highlighted by the technology outlet Windows Latest, this setting allows Copilot to reference information associated with other Microsoft services a user has interacted with. The option appears within the assistant’s Memory controls and is available through both the Copilot website and its mobile applications. Observers believe the setting was introduced recently as part of Microsoft’s effort to strengthen personalization features in its AI tools.

The Memory feature in Copilot is designed to help the assistant retain useful context. Through this system, the AI can recall earlier conversations, remember instructions or factual information shared by users, and potentially reference certain account-linked activity from other Microsoft products. The idea is that by understanding more about a user’s interests or previous discussions, the assistant can provide more relevant answers.

In practice, such capabilities can be helpful. For instance, a user who discussed a topic with Copilot previously may want to continue that conversation later without repeating the entire background. Similarly, individuals seeking guidance about personal or professional matters may receive more relevant suggestions if the assistant has some awareness of their preferences or circumstances.

Despite the convenience, the feature also raises questions about privacy. Some users may be concerned that allowing an AI assistant to accumulate information from multiple services could expose more personal data than expected. Others may want to know how that information is used beyond personalizing conversations.

Microsoft addresses these concerns in its official Copilot documentation. In its frequently asked questions section, the company states that user conversations are processed only for limited purposes described in its privacy policies. According to Microsoft, this information may be used to evaluate Copilot’s performance, troubleshoot operational issues, identify software bugs, prevent misuse of the service, and improve the overall quality of the product.

The company also says that conversations are not used to train AI models by default. Model training is controlled through a separate configuration, which users can choose to disable if they do not want their interactions contributing to AI development.

Microsoft further clarifies that Copilot’s personalization settings do not determine whether a user receives targeted advertisements. Advertising preferences are managed through a different option available in the Microsoft account privacy dashboard. Users who want to stop personalized advertising must adjust the Personalized ads and offers setting separately.

Even with these explanations, privacy concerns remain understandable, particularly because Microsoft documentation indicates that Copilot’s personalization features may already be activated automatically in some cases. When reviewing the settings on a personal device, these options were found to be switched on. Users who prefer not to allow Copilot to access broader usage data may therefore wish to disable them.

Checking these settings is straightforward. Users can open Copilot through its website or mobile application and ensure they are signed in with their Microsoft account. On the web interface, selecting the account name at the bottom of the left-hand panel opens the Settings menu, where the Memory section can be accessed. In the mobile application, the same controls are available through the side navigation menu by tapping the account name and choosing Memory.

Inside the Memory settings, users will see a general control labeled “Personalization and memory.” Two additional options appear beneath it: “Facts you’ve shared,” which stores information provided directly during conversations, and “Microsoft usage data,” which allows Copilot to reference activity from other Microsoft services.

To limit this behavior, users can switch off the Microsoft usage data toggle. They may also disable the broader Personalization and memory option if they prefer that the AI assistant does not retain contextual information about their interactions. Copilot also provides a “Delete all memory” function that removes all stored data from the system. If individual personal details have been recorded, they can be reviewed and deleted through the editing option next to “Facts you’ve shared.”

Security and privacy experts generally advise caution when sharing information with AI assistants, even when personalization features remain enabled. Sensitive or confidential details should not be entered into conversations. Microsoft itself recommends avoiding the disclosure of certain types of highly personal data, including information related to health conditions or sexual orientation.

The broader development reflects a growing trend in the technology industry. As AI assistants become integrated across multiple platforms and services, companies are increasingly using cross-service data to make these tools more helpful and personalized. While this approach can improve convenience and usability, it also underlines the grave necessity for transparent privacy controls so users remain aware of how their information is being used and can adjust those settings when necessary.

Read more »
Voice Phishing Attack
Cloud Security Incident Data Breach Identity Access Attacks Optimizely Data Breach ShinyHunters Cyberattack Voice Phishing Attack

Optimizely Reports Data Breach Linked to Sophisticated Vishing Incident


 

In addition to serving as a crossroads of technology, marketing intelligence, and vast networks of corporate data, digital advertising platforms are becoming increasingly attractive targets for cybercriminals seeking an entry point into enterprise infrastructure.

Optimizely recently revealed that a security incident was initiated not by sophisticated malware, but rather by a social engineering scheme that was carefully orchestrated. A voice-phishing tactic was utilized by attackers linked to the threat group ShinyHunters to deceive a company employee earlier in February 2026 and gain access to some parts of the company's internal environment without authorization. 

Investigators determined that the attackers were able to extract limited business contact information from internal resources even though the intrusion was contained before it could reach sensitive customer databases or critical operational systems. 

Throughout this episode, we learn that even mature technology companies remain vulnerable to manipulation-based attacks aimed at bypassing technical defenses and targeting the human layer of security. 

Optimizely, a leading provider of digital experience infrastructure, develops tools that assist organizations in managing web properties, conducting marketing experiments, and refining online customer journeys based on data. 

Among its many capabilities are A/B experimentation frameworks, enterprise-grade content management systems, and integrated ecommerce tools that are designed to assist businesses in improving conversion performance and audience engagement across a variety of digital channels. 

Over 10,000 organizations worldwide use the company's technology stack, including H&M, PayPal, Toyota, Nike, and Salesforce, among others. A number of customers have recently received notifications detailing this incident. According to the company, the attackers gained access through what it described as a "sophisticated voice-phishing attack" on February 11. 

The internal investigation indicates that although the threat actors were able to penetrate a limited segment of the corporate environment, the intrusion did not result in privilege escalation and no malicious payloads or malware were deployed within the network during the intrusion. 

Therefore, the breach remained constrained within a narrow scope, confirming our assessment that the attackers were limited in their access and were not permitted to reach sensitive customer and operational data. Researchers have identified the intrusion as the work of the threat actor collective ShinyHunters, a financially motivated group involved in cybercrime since at least 2020. 

It is well known for orchestrating high-visibility data theft operations and subsequently distributing or monetizing compromised databases through dark web forums and underground marketplaces. A great deal of its campaign effort has been directed toward technology and telecommunications organizations, areas where internal access to corporate databases and partner information can prove to be very useful. 

According to analysts, this group has demonstrated a high degree of flexibility in its intrusion techniques, combining credential-based attacks, such as credential stuffing, with increasingly persuasive social engineering techniques, such as voice-based deception schemes, to achieve their objectives. 

Despite the fact that the precise geographical origins of the actors remain unknown, their operational footprint spans multiple regions, reflecting their focus on monetizing corporate information or using stolen data to exert reputational and financial pressure on targeted organizations through exploitation of stolen data. In the immediate case, organizations connected to the affected environment appear to be only exposed to basic business contact information, not sensitive customer information. 

Cybersecurity specialists caution, however, that even seemingly routine information can provide a foothold for follow-on attacks. By using contact directories, email addresses, and professional identifiers, attackers may be able to craft convincing phishing emails or conduct additional social engineering attempts in order to gather credentials or financial information. 

In addition to facilitating spam operations, this type of data can also facilitate fraudulent outreach that impersonates trusted partners or internal employees. A precautionary measure, security experts recommend that employees and partners be aware of unexpected communications, independently verify the legitimacy of telephone calls or e-mail requests, and maintain multi-factor authentication on all corporate accounts as a precautionary measure. 

A proactive approach to security hygiene and maintaining open communication with affected stakeholders are widely regarded as essential measures in order to minimize the impact of incidents of this nature on organizational operations and reputations. 

Optimizely did not disclose the exact number of customers whose information may have been exposed; however, it indicated in its breach notification that the activity closely resembles that of a network of attackers known for persistent social engineering campaigns involving loosely connected attackers. 

According to the firm, during the incident, communications were received that reflected patterns commonly associated with groups that utilize voice phishing to manipulate employees into providing access to corporate systems. 

As stated in the description, the operational style of ShinyHunters is commonly attributed to those responsible for a series of breaches affecting major online platforms and consumer brands recently, such as Canada Goose, Panera Bread, Betterment, SoundCloud, Pornhub, Figure, and Match Group, which operates Tinder, Hinge, Meetic, Match.com, and OkCupid, among others. 

It should be noted that not every incident has been related to a single coordinated campaign; however, numerous victims have reported a successful intrusion attempt related to voice phishing operations designed to compromise enterprise single sign-on environments. 

It has been reported that attackers have impersonated internal IT support staff and contacted employees directly, leading them to counterfeit authentication portals that mimic legitimate corporate logins. These interactions led to the attackers bypassing standard access controls by obtaining account credentials and one-time multi-factor authentication codes from victims. These techniques have also been observed to evolve, with threat actors using device-code phishing methods to obtain authentication tokens tied to enterprise identity services by exploiting the legitimate OAuth device authorization flow. 

Once a single sign-on account has been compromised, attackers can pivot among integrated corporate applications and cloud-based platforms using compromised employee accounts. The same access may be extended to enterprise tools such as Microsoft Entra ID, Microsoft 365, Google Workspace, Salesforce, Zendesk, Dropbox, SAP, Slack, Adobe, and Atlassian, enabling an intruder to move laterally across connected services and collect additional corporate information once an initial foothold has been established. 

Ultimately, this incident serves as a reminder that technical safeguards alone are rarely sufficient to prevent determined social engineering campaigns from gaining traction. It is not uncommon for attackers to exploit human trust and routine operational processes to breach the security architecture of organizations with mature security architectures. 

Identify-verification procedures should be strengthened for internal support interactions, voice-based fraud should be regularly discussed with employees and strong monitoring should be implemented around single sign-on activity and unusual authentication requests, according to security professionals. 

Taking measures such as implementing conditional access policies, enforcing multi-factor authentication strictly, and implementing rapid incident response protocols can greatly reduce an attacker's ability to attack after the initial attempt has been made. 

The development of voice-driven deception tactics is continuing to prompt companies across the technology sector to prioritize social engineering resilience as a core component of enterprise cybersecurity strategy, rather than as a peripheral issue.
Read more »
Subscribe to: Comments (Atom)