
Threat Campaign Targets School Login Systems After Alleged Instructure Hack


 

The initial appearance of a routine service disruption within one of the most widely used academic learning platforms in the world quickly evolved into a significant cybersecurity issue as threat actors associated with the ShinyHunters group allegedly compromised Instructure's Canvas system. 

A large number of educational institutions experienced widespread operational instability as a result of the incident, which exposed sensitive academic and identity-related records, disrupted coursework timelines, and resulted in the defacement of several school authentication portals. 

Growing concern over the potential release of a data set reportedly affecting thousands of institutions, as well as hundreds of millions of students and employees, led Instructure to reveal that it had reached an agreement with the unauthorised actor responsible for the intrusion, wording that cybersecurity analysts interpreted as an indication of ransom negotiations. The ShinyHunters collective claims to have compromised Instructure's infrastructure for the second time in just a few weeks, further escalating the issue.

The breach affected publicly accessible school authentication portals in addition to backend systems. The incidents took place during final examination periods at several institutions using Canvas, adding to the disruption for administrators, educators, and students who were already experiencing intermittent outages as a result of the earlier intrusion disclosed on April 30.

Instructure had acknowledged that "criminal threat actors" were responsible for unauthorized access to parts of its environment, but subsequent activity indicates the attackers were still able to manipulate externally accessible services.

Threat actors reportedly injected malicious HTML components into Canvas login pages, and multiple login pages were later found displaying unauthorized messages attributed to ShinyHunters, effectively defacing the authentication screens used for coursework management, assignment submissions, and academic communication.

According to the message posted by the group, the allegedly stolen data will be made public on May 12 unless the company enters into "settlement" negotiations. Parts of Instructure's online infrastructure appeared unstable during the escalation, with some services intermittently returning "too many requests" errors while Canvas displayed maintenance notices indicating ongoing remediation and containment efforts across the company's network infrastructure.

According to further disclosures, the breach affected a wide spectrum of academic stakeholders, including students, faculty, and institutional staff, with portions of information reportedly relating to minors. Despite Instructure's claims that passwords and highly sensitive authentication credentials were not compromised, the attackers are said to have obtained substantial amounts of information regarding personal identification and platform usage, such as usernames, e-mail addresses, student identification numbers, and private communications exchanged within the learning management system. 

According to the company, the initial compromise was terminated, remediation measures were implemented across the affected systems, and Canvas services were restored after containment procedures were initiated to prevent additional intrusions. However, despite these efforts, ShinyHunters later stated it had breached the platform again, this time targeting institution-specific authentication portals, in order to pressure the company into a settlement negotiation over the earlier data theft.

Using stolen data as a means of coercion following a network intrusion is a well-established operational pattern for the group; however, the apparent recurrence of unauthorized access raised concerns about residual vulnerabilities within Instructure's network infrastructure. Canvas was taken offline once again after the second disruption, which prompted the company to remove the component identified as the root of the incident: the Free-for-Teacher environment.

Instructure acknowledged in an updated incident disclosure that investigators had identified a vulnerability associated with support ticket functionality within the Free-for-Teacher system, which threat actors allegedly exploited to carry out the latest breach. ShinyHunters had earlier publicly claimed responsibility for the initial intrusion by listing the incident on its leak portal.

The tactic is commonly used by ransomware and extortion-focused groups to increase pressure on targets by threatening data release under controlled circumstances. In the wake of the recent compromise, the attackers have attempted to reach out directly to media outlets regarding the defaced Canvas login pages, suggesting they are trying to escalate the attack not only against Instructure but also against the thousands of educational institutions that rely on the platform for their operations. Cybersecurity analysts viewed the public defacement as an attempt to amplify reputational and operational pressure while negotiations over the previously stolen data were ongoing.

Although there is no clear indication of how the school-specific authentication pages were compromised, ShinyHunters has indicated that this breach was separate from the original attack, but declined to provide any further technical information about the method used to gain access.

Following the earlier compromise, the group claimed to have stolen data from nearly 9,000 educational institutions around the world; these records are believed to belong to approximately 231 million people.

The campaign mirrored the threat group's established operating model, which typically combines network intrusion, public exposure of victims through leak sites, and sustained extortion to maximize financial leverage after the theft of large amounts of data. The incident has increased scrutiny of the security architecture of cloud-based education platforms, which have become critical infrastructure for academic operations worldwide.

In addition to disrupting coursework and institutional systems for the immediate period, the exposure of student communications and identity-linked records, particularly involving minors, demonstrates the long-term risks associated with large-scale compromises of digitally centralized learning environments. 

As remediation and forensic investigation continue, the breach is likely to be regarded as a landmark in ransomware and extortion activity, which increasingly targets educational technology ecosystems where operational urgency and reputational pressure raise the stakes of cybersecurity incidents.

AI Coding Tools Expose Thousands of Apps With Sensitive Corporate Data Online

 

Thousands of web applications built using AI coding tools have been found publicly accessible online without proper security protections. Researchers at RedAccess identified more than 5,000 exposed apps tied to companies, many revealing private information to anyone with the correct URL. Employee records, customer conversations, system plans, and financial files were among the exposed materials. The problem wasn’t faulty code but missing security setup steps that many users overlooked. 

In many cases, public access remained enabled long after deployment, creating silent data leaks that went unnoticed for months. Many of the vulnerable apps were created using platforms like Replit, Netlify, Base44 owned by Wix, and Lovable. Nearly 2,000 apps appeared to contain genuine sensitive information, including advertising spending reports, company strategy documents, chatbot logs, customer contact details, hospital personnel records, and financial summaries. 

According to RedAccess researcher Dor Zvi, the issue is linked to the rise of “vibe coding,” where non-technical employees use AI tools to rapidly build and publish web applications. Since these platforms make development extremely simple, apps can go live within minutes without any review from engineering or cybersecurity teams. Researchers found the exposed apps through basic Google and Bing searches because many AI coding services host projects publicly on shared domains by default. 

Some applications exposed private information without requiring logins, while others reportedly allowed outsiders to gain administrative control over backend systems. The exposed data covered multiple industries. Hospital staff schedules listing doctors’ identities appeared alongside marketing strategy presentations, shipping records, retailer chatbot conversations, and detailed advertising campaign budgets. Such leaks could expose sensitive competitive information, including business planning timelines and financial allocations. 

The investigation also uncovered phishing websites hosted directly on AI coding platform domains. These fake pages impersonated major companies including Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s. The platforms disputed parts of the findings while acknowledging that publicly accessible apps existed. Amjad Masad said users choose whether apps remain public or private. Lovable emphasized that creators are responsible for configuring security correctly, while Wix stated weakening protections requires deliberate user actions. 

Security experts argue the broader issue remains serious because AI coding tools rarely enforce strong safeguards automatically. Many employees using them lack training in authentication systems or permission controls, allowing insecure deployments to slip through unnoticed. Researchers say the situation resembles earlier waves of exposed Amazon S3 cloud storage buckets, where confusing defaults and user mistakes left sensitive files publicly accessible. 

AI-powered coding platforms may now be accelerating similar risks on a larger scale as businesses increasingly rely on AI tools for internal dashboards, marketing systems, client portals, and reporting applications. Experts also warn the true scale may be far larger. The 5,000 discovered apps only included projects hosted directly on AI platform domains. Thousands more could exist on privately owned domains that standard searches cannot easily detect. 

As AI-generated development grows rapidly, companies are now under pressure to strengthen oversight, improve employee training, and introduce stricter security reviews. Without stronger safeguards, fast AI-assisted app creation could continue exposing confidential corporate and personal information online.

What Really Happens After Your Password Gets Stolen? Researchers Trace the Cybercrime Pipeline

 



Password theft operations continue to expand despite growing public awareness campaigns around online security. Infostealer malware remains active, compromised accounts continue circulating across underground marketplaces, and stolen credentials are still being used for financial fraud, ransomware attacks, and unauthorized access to online services.

New research published by Comparitech examined how stolen passwords move through cybercriminal networks after they are first compromised. The study analyzed more than 447,000 credential leaks, breach threads, and password dumps posted across four major cybercrime forums. Altogether, the dataset contained roughly 1.1 million compromised user records collected between 2013 and 2026.

The report focused on understanding where leaked passwords ultimately end up and how attackers process them before they are used in large-scale attacks.

For many users, discovering that a password has been exposed can create immediate panic, particularly because credential theft incidents have increased sharply in recent years. Previous security reporting found that nearly 2.8 billion credentials were exposed during 2025 alone. Researchers have also raised concerns about browser-stored passwords after reports that credentials saved in browsers may sometimes become accessible in plaintext form within system memory. At the same time, stolen credentials are increasingly being used to abuse retail, cloud, and subscription-based services.

According to Comparitech researcher Paul Bischoff, analysts including Mantas Sasnauskas reviewed databases from four cybercrime forums to understand how stolen passwords are accessed, redistributed, combined, and eventually weaponized in credential-stuffing campaigns, ransomware intrusions, business email compromise incidents, and account takeover attacks.

The researchers outlined a five-stage credential supply chain. The first stage, known as “origin,” refers to how passwords are initially stolen before appearing on underground forums. The report identified infostealer malware and data breaches as the two most common starting points.

Infostealer malware is designed to silently collect sensitive information from infected devices. This can include browser-saved passwords, authentication cookies, autofill data, cryptocurrency wallet information, and session tokens that attackers can later exploit to bypass login protections.

The final stage of the supply chain involves the eventual use of stolen credentials in attacks such as ransomware deployment, unauthorized account access, and corporate breaches. However, the researchers said the middle stages of the ecosystem reveal the most about how the underground password economy functions.

The wholesale stage represents the broker market for stolen access. In this phase, attackers sell compromised credentials directly to other criminals. The report pointed to the Russian-language cybercrime forum RAMP, where pre-authenticated access to corporate systems was allegedly being offered for sale using stolen login credentials. This type of access is especially valuable because it can provide immediate entry into business networks.

The next stage, trade, involves credentials being reposted, exchanged, resold, or distributed across multiple hacker forums. Some datasets are uploaded for free to build credibility inside underground communities, while others are placed behind paid marketplaces where buyers can purchase access to larger credential collections.

The aggregation stage centers around the creation of “combolists,” which are massive databases containing usernames and passwords collected from multiple breaches. The most valuable combolists are typically cleaned and deduplicated to remove repeated records and improve their effectiveness.

Attackers frequently use these combolists in credential-stuffing operations, where automated tools test stolen username-and-password combinations across many different websites. Because many users reuse passwords across platforms, one compromised credential can sometimes unlock email accounts, banking services, shopping platforms, or workplace systems tied to the same login information.

Researchers and cybersecurity analysts have repeatedly warned that the underground market for stolen credentials continues growing alongside the rise of malware-as-a-service operations and initial access brokers. In recent years, infostealer logs containing browser credentials and authentication cookies have become widely traded across dark web forums and encrypted messaging platforms.

The report also examined how users can reduce the risk of credential theft. Security professionals continue encouraging users to adopt passkeys whenever possible because passwordless authentication systems are significantly harder to steal and reuse in automated attacks.

Experts additionally recommend avoiding password reuse across websites and services, since a single breach can otherwise expose multiple accounts at once. Password managers can help users generate and store unique credentials securely, while two-factor authentication adds another layer of verification that can block unauthorized logins even if a password becomes compromised.

As cybercrime groups continue refining credential theft operations, researchers believe password-based security systems may gradually become less reliable for protecting online accounts in the long term.

Data Leak: Instructure, Canvas Allegedly Hacked, ShinyHunters Claim Responsibility


Instructure, the company behind the cloud-based LMS Canvas, was hit by a massive data breach. The ShinyHunters extortion gang claimed responsibility for the attack, saying that it had stolen data related to 280 million students, teachers, and school staff.

Hundreds of GBs of data leaked

The data breach amounts to hundreds of gigabytes, possibly leaking Canvas users' email IDs, private messages, and names.

Instructure revealed in May that it had been hit by a data breach. Some 8,809 universities, schools, and educational platforms using Canvas were impacted by the attack. ShinyHunters said that the number of affected users per institution ranges from tens of thousands to several million.

It is concerning that a lot of K-12 students' data has been leaked. If your child has been affected by the data breach, Malwarebytes has guidance on what to do next and how to stay safe.

Canvas compromised

Various students who tried using Canvas after the cyberattack received a message from ShinyHunters threatening to leak the data if Instructure did not contact the hackers by May 12. Canvas was taken offline for various students following the incident, but it is now available for most users.

GTA 6 studio Rockstar was blackmailed too

ShinyHunters has been killing it this year, with only high-profile targets in its track record. The group demanded a ransom from Rockstar, the studio behind the video game GTA 6, in April. In reality, the demand was a hoax, as the hackers did not have anything worthwhile to leak.

Nvidia GeForce allegedly hacked

More recently, the group claimed responsibility for the Nvidia GeForce Now breach, claiming to have "pulled their entire database straight from the backend."

ShinyHunters all over the place

In the Canvas incident, ShinyHunters allegedly stole user records through export features inside the platform. These consist of DAP queries, APIs, and provisioning reports, according to BleepingComputer. "The unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts," Instructure said.

It also added that it “revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms." 

The impact

Instructure also “engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements.”

However, it might be too little, too late: parents are unlikely to overlook the possibility that their children's information has been disclosed. The much bigger problem, though, is the disastrous harm ShinyHunters has caused to Canvas's operations and reputation, as malware historian vx-underground stated on X.

Ransomware Attack Disrupts Grading Platform Used by LBUSD Cal State and LBCC


 

A cyberattack linked to the ShinyHunters extortion group temporarily disrupted operations at a number of educational institutions in the United States, raising concern over the potential exposure of sensitive student and faculty data. These institutions continued to restore access to Canvas this week. Although several universities and school districts have been able to resume normal access following recovery efforts coordinated by Canvas parent company Instructure, the incident continues to affect portions of the education sector.

Administrators have assessed the broader impacts of the breach and reviewed claims regarding the compromise of data belonging to hundreds of millions of platform users around the world. The operational impact became apparent on Thursday, when teachers and students at Long Beach Unified School District, California State University Long Beach and Long Beach City College were suddenly unable to access Canvas, the cloud-based platform widely used for coursework, grades, assignments and internal communication.

According to district officials, they were informed earlier this week that Instructure, the company that provides Canvas, had discovered that certain user-identifying information related to customer environments had been accessed without authorization. Despite the company's initial assertion that the incident had been contained and that core platform operations continued, educators later reported that login attempts redirected users to ransom-style messages allegedly associated with the ShinyHunters cybercriminal group.

The notice reportedly instructed affected institutions to engage a cyber advisory firm and negotiate payment terms before a specified deadline, or compromised data could be exposed to the public. Although the full extent of the intrusion is still under investigation, notifications sent to campus users indicate that names, email addresses, institutional identification numbers, and confidential communications may have been compromised.

Instructure responded that portions of the platform environment had been disabled, the underlying vulnerability had been remediated, digital forensic specialists had been engaged, and the company was coordinating with federal authorities, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency.

A significant number of academic institutions are experiencing the disruption at the same time, with final examinations at California State University Long Beach rapidly approaching. Since Canvas serves as the primary repository for instructional content, coursework, and student records, several educators have described the outage as operationally disruptive, even though some teachers have been able to maintain continuity by using externally hosted materials and collaboration tools through Google.

Cybersecurity experts caution that, while the current incident has mainly disrupted colleges and universities, K-12 institutions have also faced repeated operational and data security challenges related to attacks against the education technology infrastructure. Researchers referred to the Los Angeles Unified School District cyberattack of 2022, when a ransomware-related intrusion disabled critical district systems over Labor Day weekend, disrupting internal communication, attendance tracking, and classroom instruction. 

Approximately 2,000 student assessment records, together with additional sensitive information, including driver’s license numbers and Social Security numbers accumulated over multiple years, were later published on the dark web as a result of the incident. Recovery efforts lasted for weeks during which administrative and technical staff restored systems and coordinated password resets for over 600,000 user accounts.

According to security researchers, incidents associated with platforms such as Canvas can create long-term phishing and social engineering risks even after services have been restored. A Norton security analyst, Luis Corrons, emphasized that information exposed by the company includes names, institutional email addresses, student identification numbers, and internal academic communications, which could provide threat actors with the necessary context to create highly convincing phishing campaigns impersonating legitimate school notifications regarding grades, coursework, financial aid, and password resets.

Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute, advised institutions not to assume that risk ends once platform access has been restored, since residual risk may persist. According to Dahbura, colleges and universities should encourage students and employees to change their passwords, review authentication tokens, and audit integrations with third-party platforms connected to Canvas environments.

Likewise, colleges and universities should keep a close eye on follow-on phishing activity targeting them. He further emphasized that higher education is increasingly reliant on a single instructional platform, which represents a systemic risk. He advised academic institutions to develop resilience plans, implement additional security controls, and develop alternative instructional workflows that can support continuity during prolonged service interruptions.

The education sector's reliance on centralized cloud-based learning infrastructure has further increased its exposure: a single compromise of a third-party platform can disrupt thousands of academic institutions simultaneously.

As forensic investigation and recovery continue, security teams on affected campuses will need to focus on credential protection, phishing monitoring, and access-review procedures, while assessing how deeply instructional platforms such as Canvas are integrated with broader institutional networks.

ShinyHunters Vimeo Data Breach Exposes Information of Over 119,000 Users

 

Early this year, Vimeo faced a security incident leading to the theft of personal details tied to over 119,000 people by the ShinyHunters hacking collective. Information on the leak became known via Have I Been Pwned, a service tracking compromised accounts, after examining the exposed records. 

Late last month, Vimeo revealed a security issue affecting its systems. The platform, known for hosting and streaming videos globally, serves many millions of active users. Access by unknown parties came via a flaw tied to Anodot, a firm that provides tools for spotting irregularities in data flows and whose technology connects directly into parts of Vimeo's infrastructure.

The event marks another case in which an external partnership introduced risk. Details emerged only after internal reviews concluded. One thing became clear: the entry did not stem from inside Vimeo's own network but traced back to how outside services link up. Security teams are now examining how third-party integrations affect overall protection levels.

Early reports showed that the hackers obtained technical data, video metadata, and titles, and in some cases user emails. Payment information, account passwords, and live session tokens were not affected, according to internal confirmation. Vimeo's main system kept running throughout the event, maintaining full service availability without noticeable interference.

Once the break-in came to light, Vimeo immediately shut down every login linked to Anodot to stop any further unauthorized access. Outside cyber experts joined to support the inquiry, and law enforcement was notified of what happened. Even so, the hackers later released a 106GB collection of stolen files online when talks reportedly broke down.

That data appeared on a hidden website used by the ShinyHunters crew, who stated that weak login credentials tied to Anodot opened the door. From there, they moved into Vimeo's storage platforms, Snowflake and BigQuery, with little resistance. Some 119,200 individuals had their email addresses disclosed, along with names in certain instances, based on findings from Have I Been Pwned after reviewing the leaked data.

Though the breach details have circulated, Vimeo hasn't officially verified how many accounts were impacted. In the group's other breaches, access has typically begun through deceptive emails or fake support calls that tricked staff. Not long ago, compromised logins gave the hackers entry to identity tools like Okta and Microsoft Entra. From there, movement spread toward customer relationship software, team messaging apps, file storage, design programs, help desks, and workplace productivity suites. Cloud infrastructure and subscription-based tech now draw more attention than before.

Breach attempts often follow weak points in unified login setups across company networks. Though main networks stay secure, outside providers sometimes open doors hackers exploit. A breach in one connected service might unlock several company areas at once. Experts observe rising incidents targeting cloud logins and partner tools for this reason. Instead of attacking central defenses, intruders shift focus to these links. Sensitive client data ends up at risk even if primary infrastructure holds firm.  

Recently, ShinyHunters took credit for hacks spanning education, retail, health care, gaming, and government bodies. Vimeo's situation shows third-party links still pose steady threats to big digital services managing vast user information. Despite different targets, weak outside connections often open doors. One breach can ripple through many layers unexpectedly.

Instructure Confirms Data Breach as ShinyHunters Claims Responsibility

 

Educational technology company Instructure has confirmed that user data was compromised following a cyberattack, while the cybercriminal group ShinyHunters has claimed responsibility for the breach.

The U.S.-based firm is widely recognized for developing Canvas, a popular learning management platform used by schools, universities, and organizations to manage online coursework, assignments, and communication.

The company revealed on Friday that it had experienced a cybersecurity incident and had begun an investigation with the assistance of third-party cybersecurity specialists and law enforcement authorities. A follow-up statement issued on Saturday confirmed that certain user information had been exposed during the breach.

"While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users," reads the updated statement.

"At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions."

As part of its mitigation efforts, Instructure said it has implemented security patches, enhanced monitoring systems, and rotated application keys as a preventive measure. Customers have also been instructed to re-authorize access to the company’s API so that new application keys can be issued.

Although the company has not publicly addressed questions regarding the exact timing of the breach or whether it was facing extortion demands, ShinyHunters has added Instructure to its data leak platform.

"Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII," reads the data leak site.

"Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved."

According to the cybercrime group, the breach occurred through a vulnerability in Instructure’s systems that has since been fixed. The hackers allege that the stolen information includes more than 240 million records linked to students, teachers, and staff members.

The leaked data is said to contain names, email addresses, enrolled course details, and private conversations between students and teachers. Information shared by the threat actors suggests the dataset may cover nearly 15,000 institutions across regions including North America, Europe, and Asia-Pacific.

At present, the full scope of the incident remains unverified, and independent confirmation regarding the number of affected schools and individuals has not yet been established.

U.S. Marines Reportedly Targeted by Iranian-Linked Hackers in New Data Exposure Incident

Iran-linked hacking group Handala has allegedly leaked personal information belonging to thousands of U.S. Marines deployed across the Persian Gulf region, shortly after American military personnel in the Middle East began receiving threatening messages from the group.

According to posts published on Handala’s website, the hackers claim to have released the names and phone numbers of 2,379 U.S. Marines as proof of what they described as their “intelligence superiority.” The group further claimed that the exposed information represents only a small sample from a much larger collection of data allegedly tied to American military personnel stationed in the region.

Handala asserted that it possesses additional details related to military members and their families, including home addresses, movement patterns, military base affiliations, commuting routines, shopping behavior, and other personal activities. These claims have not been independently verified by U.S. authorities.

The alleged leak surfaced days after several U.S. service members reportedly received threatening WhatsApp messages warning that they were under surveillance. The messages referenced Iranian drone and missile systems and attempted to intimidate military personnel by claiming their identities and movements were being tracked. Similar threatening communications believed to be linked to Handala were also reportedly sent to civilians in Israel earlier this week, suggesting a broader psychological and cyber influence campaign connected to escalating tensions in the Middle East.

Since the regional conflict involving Iran, Israel, and the United States intensified earlier this year, Handala has repeatedly claimed responsibility for several high-profile cyber incidents. Last month, the group allegedly leaked hundreds of emails said to have originated from the personal Gmail account of Kash Patel. The hackers have also been linked to a cyberattack targeting medical technology company Stryker, an operation that reportedly resulted in data being erased from tens of thousands of employee devices globally.

However, questions remain regarding the authenticity and quality of the newly leaked Marine data. An analysis of the published sample reportedly identified multiple inconsistencies, including incomplete phone numbers and entries that appeared to contain military contract identifiers rather than personal names. Several listed numbers reportedly connected only to automated voicemail systems.

In a limited number of cases, voicemail names reportedly matched information included in the leak. One individual contacted by reporters allegedly confirmed their identity before ending the call, while others declined to comment or redirected inquiries to military public affairs officials.

U.S. Central Command referred media questions regarding the incident to the Naval Criminal Investigative Service, which had not publicly commented on the matter at the time of reporting.

The incident comes amid growing concerns over cyber-enabled psychological operations targeting military personnel and their families. Earlier this month, Navy Secretary John Phelan urged sailors to strengthen the security of their mobile devices and social media accounts amid concerns over phishing attacks and malicious online activity. In an internal warning, he noted that threat actors may attempt to manipulate military personnel into opening harmful files or clicking malicious links designed to compromise personal accounts and devices.

Handala publicly portrays itself as a pro-Palestinian hacktivist organization. However, multiple cybersecurity firms and recent assessments from the U.S. Department of Justice have alleged that the group operates as a front tied to Iran’s Ministry of Intelligence and Security (MOIS).

Cybersecurity experts note that modern cyber campaigns increasingly combine data leaks, online intimidation, and misinformation tactics to create psychological pressure rather than relying solely on technical disruption. Analysts also caution that hacker groups sometimes exaggerate the scale or sensitivity of stolen data to amplify fear and media attention.

Although U.S. authorities have previously seized domains associated with Handala, the group continues to remain active by turning to new websites and communication platforms, including Telegram, allowing it to sustain its cyber and propaganda operations online.

Medtronic Confirms ShinyHunters' Theft of 9 Million Records

Medtronic, a leading global medical device manufacturer, recently confirmed a significant cybersecurity breach affecting its corporate IT systems. The incident came to light after the notorious hacking group ShinyHunters claimed responsibility, boasting of stealing over 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data.

On April 17 and 18, 2026, the group listed Medtronic on its Tor-based data leak site, issuing a ransom ultimatum that expired on April 21 without public confirmation of payment or data release. Medtronic publicly disclosed the breach on April 24, 2026, via its website and a U.S. Securities and Exchange Commission Form 8-K filing, acknowledging unauthorized access but emphasizing that the intrusion was contained with no disruption to operations.

The breach targeted non-critical corporate networks, sparing patient-facing systems, medical devices, manufacturing, and distribution channels. Medtronic stated explicitly that products, patient safety, customer connections, financial reporting, and care delivery remained unaffected, as these operate on segregated infrastructure. ShinyHunters, known for high-profile extortion campaigns against over 40 organizations in 2026—including ADT, Amtrak, and Cisco—alleged the haul included sensitive PII from employees, partners, or affiliates, though Medtronic has not verified the exact volume or contents. The group's listing vanished from the leak site shortly after, fueling speculation of behind-the-scenes negotiations.

This incident underscores escalating threats to healthcare giants, where corporate IT often serves as a softer entry point for attackers. ShinyHunters has exploited misconfigured Salesforce Experience Cloud guest permissions in multiple cases, a customer setup issue rather than a platform flaw, according to Salesforce. Medtronic's response involved activating incident protocols with external cybersecurity experts to assess data exfiltration and potential exposure. An ongoing forensic investigation aims to pinpoint compromised information, with commitments to notify and support affected individuals if personal data is confirmed stolen.

The implications ripple beyond Medtronic, highlighting vulnerabilities in the medical technology sector amid rising ransomware and extortion tactics. Law firms like Schubert Jonckheer & Kolbe LLP launched investigations by early May 2026, probing liabilities for the nearly 9 million potentially impacted records. While no widespread data dumps have surfaced publicly, the breach erodes trust in supply chain security, even when clinical operations stay insulated. Healthcare firms face mounting pressure to fortify perimeter defenses as cybercriminals increasingly target administrative data for profit.

To mitigate risks from such incidents, individuals should monitor credit reports, enable two-factor authentication on personal accounts, and freeze credit if notified of exposure. Organizations are advised to segment networks rigorously, conduct regular penetration testing, patch third-party configurations like Salesforce promptly, and develop robust incident response plans. Medtronic's case reinforces the need for proactive cybersecurity hygiene to safeguard sensitive data in high-stakes industries.

ADT Data Breach Confirmed After ShinyHunters Threatens Leak of Stolen Customer Information

ADT, a provider of home security systems, has confirmed a data breach after the hacking collective ShinyHunters threatened to expose the stolen records unless a payment is made. The incident joins a string of recent breaches in which attackers gained access through compromised credentials or third-party service providers.

On April 20, the company noticed unusual activity within its systems; response teams moved quickly to limit exposure and launched an internal review. The review found that some customer and prospective-customer details had been accessed and copied by those responsible. Names, contact numbers, and home addresses made up most of what was taken; in a few cases, dates of birth appeared alongside partial identification numbers used for tax or government purposes. Although only a narrow set of files was involved, work followed to assess how far the breach extended.

ADT made clear that highly sensitive financial details remained secure: bank accounts, credit cards, and payment records were untouched during the incident. Home security installations and active monitoring also kept running without interference. By all indications, the breach never reached operational systems; only certain data stores were affected. After claims surfaced on a hacker forum, ShinyHunters stated that it had accessed more than 10 million records, some containing personal details and private business files.

Despite the threat to publish everything unless its demands are met, ADT has not verified the full extent of the theft. Notification letters have nonetheless gone out to affected users while the review continues, and next steps depend on the internal assessment already underway. One account attributes the initial access to vishing (voice phishing) aimed at a single employee: posing as known contacts, the attackers gained entry through a company-wide login system.

Once inside, they moved laterally into connected environments without immediate detection. Access likely extended to cloud services including Salesforce, from which data was pulled. Identity compromise now drives many intrusions, displacing older tactics that hunted for software bugs: instead of probing for code flaws, attackers target sign-in systems such as Okta, Microsoft Entra, or Google accounts. Compromising one verified identity opens the door to numerous company tools.

With access secured, stolen information is exfiltrated quietly and then used as leverage; no malware is needed to lock files. This is not new for ADT: earlier leaks of staff and client details surfaced earlier this year. Facing repeated incidents, many companies struggle to protect digital identities while managing permissions across linked platforms.

Still under investigation, the incident highlights how often social engineering now shapes current cyberattacks. Rather than exploiting software flaws, attackers rely on human mistakes, slipping past defenses by tricking users.

Because of this shift, training staff to recognize these risks matters as much as strong login protections. Preventing future breaches depends less on technology alone and more on understanding human behavior; awareness becomes a shield when passwords fail.

Global Surge in Military Grade Spyware Puts Personal Smartphones at Risk

A growing surveillance threat is surfacing in global cybersecurity discourse as the UK's top cyber authority issues a stark assessment of the unchecked proliferation of commercial spyware capabilities. Initially restricted to tightly regulated law enforcement use, advanced intrusion tools are now in use across more than 100 countries and are able to remotely compromise smartphones, bypass encrypted communications, and covertly activate device sensors.

NSO Group and an increasingly opaque ecosystem of competitors are driving this rapid expansion, marking a shift from targeted investigative use to a wider landscape in which state-aligned digital intrusion is becoming increasingly commonplace.

Given the increasing accessibility and operational stealth of these tools, enterprises and operators of critical national infrastructure are not adequately prepared for the scale and sophistication of the threat. The threat landscape continues to evolve, driven by increasingly sophisticated spyware frameworks that leverage "zero-click" exploitation chains to gain unauthorized access without any user interaction.

NSO Group's Pegasus and Paragon's Graphite function as highly advanced intrusion suites. They exploit latent vulnerabilities in mobile operating systems to extract sensitive communications, media, geolocation information, and other artifacts while leaving minimal forensic traces.

The commercial dynamics underpinning this ecosystem demonstrate both the magnitude of the challenge and its persistence. The Israeli developer NSO Group, widely associated with high-end surveillance tooling, was added to the United States Entity List in 2021 for supplying technologies to foreign governments that were then used to target a wide range of individuals, including government officials, journalists, business leaders, academics, and diplomats.

The company defends these capabilities as serving legitimate counter-terrorism and law enforcement purposes, asserting that it lacks direct visibility into operational use while retaining the right to terminate client relationships in cases of verified misuse.

NSO Group is only one node in a rapidly expanding vendor landscape. According to industry observers, including Casey, the sector is extremely profitable and growing quickly, with dozens of firms now offering comparable capabilities.

Estimates suggest that more than 100 countries have procured mobile spyware, up from earlier assessments that indicated deployment across more than 80 national jurisdictions. For states lacking indigenous cyber expertise, commercial intrusion platforms offer a fast, cost-effective shortcut to capabilities that would otherwise require years of development.

The National Cyber Security Centre has previously noted that, although these tools are intended for law enforcement purposes, there is credible evidence of their widespread use against journalists, human rights defenders, political dissidents, and foreign officials, with thousands of individuals targeted annually.

Several leaked toolkits, including DarkSword, show how capabilities once restricted to state intelligence agencies are dispersing into less controlled environments, enabling state-aligned and criminal actors to launch attacks through vectors as inconspicuous as a compromised web session on an unpatched iOS device. These are not theoretical risk models: operational exploits are actively employed against targets who often assume device-level security is sufficient protection.

The victim profile has notably broadened to include corporate executives, financial professionals, and organizations handling valuable information, alongside journalists and political dissidents. Richard Horne, director of the UK's National Cyber Security Centre, highlighted that a significant gap in industry readiness remains.

Many enterprises underestimate the capability and operational maturity of these surveillance tools. This shift illustrates the democratization of offensive cyber tooling: sophisticated surveillance, once monopolized by a few intelligence agencies, is now available to a broader range of state actors lacking native cyber expertise.

As these capabilities become cheaper to acquire and are also disseminated unintentionally, the threat equation changes fundamentally. Having moved from tightly controlled assets to commercially traded products, advanced surveillance tools become increasingly difficult to contain as they propagate through illicit channels, including corrupt procurement practices, insider exfiltration, and secondary resale markets.

In the wake of this leakage, non-state actors, including organized criminal networks, have acquired capabilities that were previously available only to sovereign intelligence operations. The proliferation of state-linked campaigns, including those attributed to China and focused on large-scale data exfiltration, illustrates the use of such tools not only for immediate intelligence gain, but also to establish strategic prepositioning for future geopolitical conflicts. 

Traditional device-based safeguards and consumer privacy controls are only marginally effective against adversaries equipped with exploit chains developed specifically to circumvent them. International efforts to regulate and oversee exports are gaining momentum, but operational reality suggests that containment may already lag behind proliferation, which enables a significant expansion of attack surfaces across both civilian and enterprise digital environments. 

The convergence of commercial availability, technical sophistication and weak oversight has led to the normalization of capabilities that were once considered exceptional. These developments illustrate a structural shift in the cyber threat environment. 

Given the widespread adoption of such tools and their continual evolution and leakage, public and private sectors need to reassess their security assumptions at a fundamental level. Enterprises, critical infrastructure operators, and individual users no longer need merely to defend against isolated intrusions; they must navigate a complex ecosystem in which highly advanced surveillance techniques are readily accessible and increasingly resemble legitimate activity.

In the absence of strengthened international coordination, enforceable controls, and a corresponding increase in defensive maturity, a continued erosion of digital trust is likely, resulting in compromise becoming not an anomaly, but an expected condition of operating within a hyperconnected environment.

North Korea-Linked Hackers Target Crypto Platforms, $500M Stolen

Cybersecurity researchers are raising alarms over a developing pattern of cryptocurrency thefts linked to North Korean actors, with recent incidents suggesting a move from isolated breaches to a sustained and structured campaign. In a span of just over two weeks, attacks targeting the Drift trading platform and the Kelp protocol resulted in losses exceeding $500 million, pointing to a level of coordination that goes beyond opportunistic hacking.

What initially appeared to be separate security failures is now being viewed as part of a broader operational strategy, likely driven by the financial pressures faced by a heavily sanctioned state. Shortly after attackers used social engineering techniques to compromise Drift, another incident emerged involving Kelp, a restaking protocol integrated with cross-chain infrastructure.

The Kelp breach marks a noticeable turn in attacker behavior. Rather than exploiting traditional software bugs or stealing credentials, the attackers targeted fundamental design assumptions within decentralized systems. When examined together, both incidents indicate a deliberate escalation in efforts to extract value from the crypto ecosystem.

Alexander Urbelis of ENS Labs described the pattern as systematic rather than incidental, noting that the frequency and timing of these events resemble an operational cycle. He warned that reactive fixes alone are insufficient against threats that follow a structured tempo.


Breakdown of the Kelp exploit

Unlike many traditional cyberattacks, the Kelp incident did not involve bypassing encryption or stealing private keys. Instead, the system behaved as designed, but was fed manipulated data. Attackers altered the inputs that the protocol relied on, causing it to validate transactions that never actually occurred.

Urbelis explained that while cryptographic signatures can verify the origin of a message, they do not ensure the truthfulness of the information being transmitted. In simple terms, the system confirmed who sent the data, but failed to verify whether the data itself was accurate.

David Schwed of SVRN reinforced this view, stating that the exploit was not based on breaking cryptography, but on taking advantage of how the system had been configured.

A central weakness was Kelp’s dependence on a single verifier to validate cross-chain messages. While this approach improves efficiency and simplifies deployment, it removes an essential layer of security redundancy. In response, LayerZero has advised projects to adopt multiple independent verifiers, similar to requiring multiple approvals in traditional financial systems.

However, this recommendation has sparked criticism. Some experts argue that if a configuration is known to be unsafe, it should not be offered as a default option. Relying on users to manually implement secure settings, especially in complex environments, increases the likelihood of misconfiguration.
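As an added illustration (constructed for this post, not Kelp's, LayerZero's, or any bridge's actual code), the following Python model shows why a valid signature proves only who attested to a cross-chain message, and why requiring a single verifier lets one compromised attester push through an event that never happened while a quorum of independent verifiers rejects it. Verifier names, keys, and messages are constructed, and HMAC stands in for a real signature scheme.

```python
"""Toy model of cross-chain message verification: single verifier vs. quorum.

Constructed illustration, not Kelp's or LayerZero's code. A signature proves
who attested to a message, not that the underlying event occurred; with only
one required verifier, a single lying attester is enough to mint value.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CrossChainMessage:
    src_chain: str
    nonce: int
    payload: str  # e.g. "lock 10 ETH" (constructed)

    def digest(self) -> bytes:
        data = f"{self.src_chain}|{self.nonce}|{self.payload}".encode()
        return hashlib.sha256(data).digest()


class Verifier:
    """Off-chain attester. An honest verifier signs only messages it can
    see on the source chain; a compromised one signs whatever it is given.
    HMAC stands in for a real signature scheme to keep the model stdlib-only."""

    def __init__(self, name: str, key: bytes, source_ledger: Set[bytes],
                 honest: bool = True):
        self.name = name
        self._key = key
        self._ledger = source_ledger  # digests of events actually emitted
        self.honest = honest

    def attest(self, msg: CrossChainMessage) -> Optional[bytes]:
        if self.honest and msg.digest() not in self._ledger:
            return None  # refuses: no such event exists on the source chain
        return hmac.new(self._key, msg.digest(), hashlib.sha256).digest()


class DestinationEndpoint:
    """Destination-chain receiver. Every verifier in `required` must supply
    a valid attestation before the message is executed."""

    def __init__(self, verifier_keys: Dict[str, bytes], required: List[str]):
        self._keys = verifier_keys
        self._required = required
        self._seen: Set[tuple] = set()

    def accept(self, msg: CrossChainMessage,
               attestations: Dict[str, bytes]) -> bool:
        if (msg.src_chain, msg.nonce) in self._seen:
            return False  # replay protection
        for name in self._required:
            sig = attestations.get(name)
            if sig is None:
                return False
            expected = hmac.new(self._keys[name], msg.digest(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):
                return False  # forged or wrong-key attestation
        self._seen.add((msg.src_chain, msg.nonce))
        return True


# Constructed scenario: three verifiers, v1 compromised, one real source event.
KEYS = {"v1": b"key-v1", "v2": b"key-v2", "v3": b"key-v3"}
REAL_EVENT = CrossChainMessage("chainA", 1, "lock 10 ETH")
FAKE_EVENT = CrossChainMessage("chainA", 2, "lock 1000000 ETH")  # never happened


def _verifiers(source_ledger: Set[bytes]) -> List[Verifier]:
    return [
        Verifier("v1", KEYS["v1"], source_ledger, honest=False),
        Verifier("v2", KEYS["v2"], source_ledger),
        Verifier("v3", KEYS["v3"], source_ledger),
    ]


def deliver(msg: CrossChainMessage, required: List[str]) -> bool:
    """Collect attestations for `msg` and ask the endpoint to accept it under
    the given verifier configuration. Returns True if the message executes."""
    verifiers = _verifiers({REAL_EVENT.digest()})
    attestations = {}
    for v in verifiers:
        sig = v.attest(msg)
        if sig is not None:
            attestations[v.name] = sig
    # The compromised party fills any slots honest verifiers refused with
    # junk, hoping the endpoint does not check each signature properly.
    for name in KEYS:
        attestations.setdefault(name, b"\x00" * 32)
    return DestinationEndpoint(KEYS, required).accept(msg, attestations)


if __name__ == "__main__":
    print("fake event, single verifier v1:", deliver(FAKE_EVENT, ["v1"]))  # True
    print("fake event, quorum v1+v2+v3  :", deliver(FAKE_EVENT, ["v1", "v2", "v3"]))  # False
    print("real event, quorum v1+v2+v3  :", deliver(REAL_EVENT, ["v1", "v2", "v3"]))  # True
```

The single-verifier configuration is exactly the "efficient but non-redundant" setup described above: the endpoint does everything right cryptographically and still executes a fabricated message.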


Contagion across interconnected systems

The impact of the Kelp exploit did not remain confined to a single platform. Decentralized finance systems are deeply interconnected, with assets frequently reused across multiple protocols. This creates a chain of dependencies, where a failure in one component can propagate across others.

Schwed described these assets as interconnected obligations, emphasizing that the strength of the system depends on each individual link. In this case, lending platforms such as Aave, which accepted the affected assets as collateral, experienced financial strain. This transformed an isolated breach into a broader ecosystem-level disruption.


Reassessing decentralization claims

The incident also exposes a disconnect between how decentralization is promoted and how systems actually function. A structure that relies on a single point of verification cannot be considered fully decentralized, despite being marketed as such.

Urbelis expanded on this by noting that decentralization is not an inherent feature, but the result of specific design decisions. Weaknesses often emerge in less visible layers, such as data validation or infrastructure components, which are increasingly becoming primary targets for attackers.

The activity aligns with a broader shift in strategy by groups such as Lazarus Group. Instead of focusing only on exchanges or obvious coding flaws, attackers are now targeting foundational infrastructure, including cross-chain bridges and restaking mechanisms.

These components play a critical role in enabling asset movement and reuse across blockchain networks. Their complexity, combined with the large volumes of value they handle, makes them particularly attractive targets.

Earlier waves of crypto-related attacks often focused on centralized platforms or easily identifiable vulnerabilities. In contrast, current operations are increasingly directed at the underlying systems that connect the ecosystem, which are harder to monitor and more prone to configuration errors.

Importantly, the Kelp exploit did not introduce a new category of vulnerability. Instead, it demonstrated how existing weaknesses remain exploitable when not properly addressed. The incident underscores a recurring issue in the industry: security measures are often treated as optional guidelines rather than mandatory requirements.

As attackers continue to enhance their methods and increase the pace of operations, this gap becomes easier to exploit and more costly for organizations. The growing sophistication of these campaigns suggests that the primary risk may not lie in unknown flaws, but in the failure to consistently address well-understood security challenges.

ShinyHunters Targets McGraw Hill In Salesforce Data Leak Dispute Over Breach Scope

A breach at McGraw Hill came to light when details appeared on a leak page run by ShinyHunters, a hacking collective now seeking payment. The listing appeared online without warning and suggested sensitive data had been taken. The firm acknowledged the incident only after outsiders pointed to the published claims, and then with a brief statement confirming it rather than elaborating. What exactly was accessed remains partly unclear, though the criminals promise further leaks if their demands go unmet. Their method is consistent: take the data first, then pressure the victim publicly through the threat of exposure.

Although the collective says it pulled around 45 million records from Salesforce environments, McGraw Hill disputes how serious the incident really was. According to the company, the exposure stemmed from a misconfigured cloud-based Salesforce setup rather than a hack: data surfaced through an access error, not forced entry, and core infrastructure was not breached. ShinyHunters, for its part, has set a date by which it will publish the data unless payment is made.

The firm later confirmed that only limited data had been exposed through a public page tied to Salesforce, not through its deeper networks; systems handling daily operations stayed untouched, customer records remained secure, and educational content platforms were not reached. Personal identifiers such as financial information or school records showed no signs of exposure. Even so, a single weak link elsewhere can open doors wider than expected: problems often start outside core networks, hidden in connected tools.

One misstep in setup can ripple across several teams relying on Salesforce; when connected systems slip, sensitive details sometimes follow, and security gaps far from the main system still carry risk close to home. Despite those reassurances, ShinyHunters insists the breached records include personal details, setting its version against the firm’s own review. Contradictions like this often surface in extortion attempts, as attackers sometimes inflate what they took to push targets into responding.

ShinyHunters now operates at a steady pace and stands out in the underground scene by focusing less on locking files and more on quietly siphoning information. Instead of scrambling networks, the group pressures victims with material already taken, with payment demands following exposure threats. Its name surfaced after breaches at well-known companies, where leaked datasets served as leverage; rather than causing immediate downtime, its power lies in what could be revealed.

Recently the group exploited a security gap at Anodet, an analytics company, gaining entry through leaked access tokens aimed squarely at cloud-based data systems. That incident coincided with the public release of massive corporate datasets, another sign that its main goal remains pulling vast amounts of information from high-profile targets. Among recent breaches, the McGraw Hill case stands out not because of its scale but because of how it exposes weaknesses hidden within standard cloud setups.

Instead of breaking through strong defenses, attackers often slip in through small errors made during setup steps handled by outside teams. What makes this case notable is less the immediate damage than what follows: sensitive information pulled quietly into unauthorized hands. While systems keep running without interruption, the stolen data becomes the weapon, with public release threatened unless demands are met.

Over time, such tactics have shifted the focus of digital attacks away from outages toward silent leaks. With investigations still underway, one thing is clear: oversight of external connections matters more now than ever. When intruders contradict what companies say, credibility hinges on openness; tight controls around configuration changes help reduce weak spots, and how firms handle disclosure can shape public trust as much as technical fixes. Clarity during a crisis often separates a measured response from confusion.

Hackers List 8.3 Million U.S. Crime Tip Records for $10,000, Raising Major Security Concerns

Hackers responsible for stealing 8.3 million crime tip records are now attempting to sell the dataset for $10,000 in cryptocurrency, escalating concerns around one of the largest breaches involving sensitive law enforcement information.

The compromised data includes confidential crime tips submitted to hundreds of Crime Stoppers programs run by law enforcement agencies across the United States. It also extends to submissions made to certain branches of the U.S. military and even educational institutions.

Hackers Put 8.3 Million U.S. Crime Tip Records Up for Sale, Raising Security Fears


Cybercriminals behind a massive data breach involving 8.3 million crime tip records are now attempting to sell the stolen information for $10,000 in cryptocurrency.

The compromised data includes confidential tips submitted to numerous Crime Stoppers programs run by law enforcement agencies across the United States. It also extends to inputs shared with certain U.S. military units and even educational institutions.

The sale listing, discovered on an underground cybercrime forum, highlights the severity of the breach linked to cloud-based intelligence firm P3 Global Intel. The exposed dataset reportedly contains highly sensitive personal information about individuals identified in tips, including names, email addresses, dates of birth, phone numbers, home addresses, license plate details, Social Security numbers, and even criminal records. In some cases, the leak also reveals identities and details of informants, potentially putting them at risk of retaliation.

Security analysts have previously warned that the breach could have broader implications, including threats to national security, as it involves information shared with military and federal entities.

The dataset—referred to as “BlueLeaks 2.0” by nonprofit transparency group DDoSecrets—spans decades of records, from February 1987 through November 2025. It was allegedly stolen late last year by a hacking group calling itself INTERNET YIFF MACHINE and later shared with media outlet Straight Arrow News and DDoSecrets.

In a statement, a member of the hacker group confirmed responsibility for putting the data up for sale.

“It’s truly not something I want to do and it goes against my principles,” the hacker said. “However, it was out of necessity. Principles are for the well-fed, and I’m unfortunately not in a great place.”

When asked about potential buyers, the hacker indicated that interest had already been shown.

“I assume this will likely attract customers related to fraud, extortion, or at worst, finding and targeting informants,” they said. “Again, this isn’t something I feel good about doing, but it’s necessary.”

The individual also noted that they intend to sell the dataset to only one buyer.

Experts warn the consequences could be severe. Mailyn Fidler, assistant professor at the University of New Hampshire Franklin School of Law specializing in cybersecurity and cybercrime, previously stated that if such data becomes widely accessible, it could result in “severe harm and even death to police informants.”

P3 Global Intel’s parent company, Navigate360, has not commented on the reported sale. Earlier, CEO JP Guilbault stated that a third-party forensic investigation had been launched to determine the scope of the incident.

“To this point, we have not confirmed that any sensitive information has been accessed or misused,” Guilbault said at the time.

Since then, no further updates have been released, and the company’s services continue to operate. However, some agencies have taken precautionary steps. The Portland Police Bureau in Oregon recently urged residents to temporarily refrain from submitting tips to its Crime Stoppers program while the situation is being assessed.

Uffizi Cyber Incident Serves as a Warning for Europe’s Cultural Sector



The cyber intrusion at the Uffizi Galleries in early 2026 has quickly evolved from an isolated security lapse into a case study of systemic digital exposure within Europe’s cultural infrastructure. One of the continent’s most prestigious custodians of artistic heritage, the institution disclosed that attackers succeeded in extracting its photographic archive, an asset of both scholarly and operational value, before containment measures were enacted.

Although restoration from secured backups ensured continuity of operations, the incident has sharpened attention on how legacy systems, often peripheral to core modernization efforts, can quietly become high-risk vectors within otherwise well-defended environments. Subsequent forensic assessments indicate that the breach was neither abrupt nor opportunistic.

Investigative timelines trace initial compromise activity as far back as August 2025, suggesting a calculated persistence campaign rather than a single-point intrusion. The suspected entry vector was an overlooked software component responsible for handling low-resolution image flows on the museum’s public-facing infrastructure, an element deemed non-critical and therefore excluded from rigorous patch cycles. This misjudgement enabled attackers to establish a stable foothold, from which they executed disciplined lateral movement across interconnected systems spanning the Uffizi complex, including Palazzo Pitti and the Boboli Gardens.

Operating under a low-and-slow exfiltration model, the actors deliberately avoided triggering conventional detection thresholds, transferring data incrementally over several months. By the time administrative servers exhibited disruption, the extraction phase had largely concluded, underscoring a level of operational maturity that challenges traditional assumptions about breach visibility and response timelines.
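The paragraph above describes the failure mode exactly: every individual transfer stayed under the thresholds a conventional rule watches, so nothing fired until the leak was over. The following is an added example, not code from the article or from the Uffizi Galleries, showing why single-event and single-day rules miss this pattern and how a baseline-relative rule over each host's own trailing egress catches it. The flow records, host names, IP addresses, dates and byte counts are all constructed for illustration.

```python
"""Detecting low-and-slow exfiltration from per-host egress baselines.

Added example (not the article's or the museum's own code). Netflow-style
records are reduced to outbound bytes per internal host per day; three
detectors are then run over the same data:
  * a per-flow size rule, * a per-day volume rule, * a baseline-relative
    rule that flags a host whose daily egress stays well above its own
    recent median for most of a week.
All hosts, addresses, dates and byte counts below are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

START = date(2025, 8, 1)                 # hypothetical first day of logs
PER_FLOW_LIMIT = 50 * 1024 * 1024        # typical "large single transfer" rule
PER_DAY_LIMIT = 100 * 1024 * 1024        # typical "large daily volume" rule


def build_sample_flows():
    """Constructed flow log: list of (day, src_host, dst_ip, bytes_out).

    ws-archive-01 behaves normally for 60 days. img-public-01 matches it for
    30 days, then adds six 1.5 MB flows a day to one external address: far
    below both static limits, but a steady doubling of its daily egress.
    """
    flows = []
    for i in range(60):
        day = START + timedelta(days=i)
        base = 6_000_000 + (i % 5) * 200_000   # 6.0-6.8 MB/day, deterministic
        for host in ("ws-archive-01", "img-public-01"):
            for _ in range(4):
                flows.append((day, host, "203.0.113.10", base // 4))
        if i >= 30:                              # slow leak begins on day 30
            for _ in range(6):
                flows.append((day, "img-public-01", "198.51.100.77", 1_500_000))
    return flows


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """Single-event rule: hosts that sent at least one flow larger than limit."""
    return sorted({host for _, host, _, nbytes in flows if nbytes > limit})


def daily_egress(flows):
    """Sum outbound bytes per host per day -> {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def per_day_alerts(flows, limit=PER_DAY_LIMIT):
    """Daily-volume rule: hosts whose egress exceeded limit on any one day."""
    return sorted(host for host, days in daily_egress(flows).items()
                  if max(days.values()) > limit)


def sustained_egress_alerts(flows, baseline_days=14, window_days=7,
                            ratio=1.5, min_days=5):
    """Baseline-relative rule tuned for the slow-leak case.

    For each host and day, the baseline is the median of that host's daily
    egress over the preceding baseline_days. A day is 'elevated' when it
    exceeds ratio * baseline. The host is flagged on the first day on which
    at least min_days of the trailing window_days are elevated.
    Returns {host: first_flag_day}.
    """
    flagged = {}
    for host, days in daily_egress(flows).items():
        ordered = sorted(days)
        elevated = []
        for idx, day in enumerate(ordered):
            if idx < baseline_days:              # not enough history yet
                elevated.append(False)
                continue
            baseline = median(days[d] for d in ordered[idx - baseline_days:idx])
            elevated.append(days[day] > ratio * baseline)
            if host not in flagged and sum(elevated[-window_days:]) >= min_days:
                flagged[host] = day
    return flagged


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-flow rule fired on :", per_flow_alerts(sample))
    print("per-day rule fired on  :", per_day_alerts(sample))
    print("baseline rule fired on :", sustained_egress_alerts(sample))
```

On the constructed data both static rules return nothing, while the baseline rule flags img-public-01 five days after the leak starts. Two design points matter in practice: the baseline is a median rather than a mean so that a few large legitimate transfers do not inflate it, and it is a trailing window, which means a leak that persists long enough eventually becomes the host's "normal". A production rule should therefore freeze or slow the baseline once a host is flagged, and should pair this volume signal with destination novelty (a public image server that starts talking to an address it never used before).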

Beyond its digital architecture, the Uffizi Galleries safeguards some of Italy’s most iconic works, including The Birth of Venus and Primavera by Sandro Botticelli, alongside Doni Tondo by Michelangelo, a cultural weight that amplifies the implications of any security compromise.

Institutional statements have sought to contextualize the operational impact, indicating that service disruption was limited to the restoration window required for backup recovery, with public disclosure issued post-incident in line with internal verification protocols. 

Reports circulating in Italian media suggested that threat actors had extended their reach across interconnected sites, including Palazzo Pitti and the Boboli Gardens, briefly asserting control over the photographic server and issuing a ransom demand directly to director Simone Verde. 

However, the institution maintains that comprehensive backups remained intact and that parallel developments, such as restricted access to sections of Palazzo Pitti and the temporary relocation of select valuables to the Bank of Italy, were pre-scheduled measures linked to ongoing renovation cycles rather than reactive security responses.

Similarly, the transition from analogue to digital surveillance infrastructure, initially recommended by law enforcement in 2024, was accelerated within a broader risk recalibration framework influenced in part by high-profile incidents such as the Louvre Museum theft case. 

The convergence of these events, including the recent theft of works by Pierre-Auguste Renoir, Paul Cézanne and Henri Matisse from a northern Italian museum, reinforces a broader pattern in which physical and cyber threats are increasingly intersecting, demanding integrated security postures across Europe’s cultural institutions.

The reference to the Louvre Museum is neither incidental nor rhetorical. On 19 October 2025, a highly coordinated physical breach exposed critical lapses in on-site security when individuals, posing as construction workers, accessed restricted areas via a freight lift, breached a second-floor entry point, and removed multiple pieces of the French Crown Jewels within minutes.

Subsequent findings from a Senate-level inquiry pointed to systemic deficiencies, including limited CCTV coverage across exhibition spaces, misaligned external surveillance equipment, and fundamentally weak access controls at the credential level. The incident, which ultimately led to the resignation of director Laurence des Cars in February 2026, remains unresolved, with the stolen artefacts yet to be recovered. 

Against this backdrop, the distinction drawn by the Uffizi Galleries becomes materially significant. Unlike the Louvre breach, the Uffizi incident remained confined to the digital domain, with no evidence of physical intrusion or compromise of exhibition assets. 

Public-facing operations, including ticketing systems and visitor access, continued uninterrupted, with the only measurable impact attributed to backend restoration processes following data recovery. Amid intensifying scrutiny, conflicting narratives have emerged regarding the scope of data exposure. 

Reporting referenced by Cybernews, citing local sources including Corriere della Sera, alleged that attackers exfiltrated operationally sensitive artefacts, ranging from authentication credentials and alarm configurations to internal layouts and surveillance telemetry, before issuing a ransom demand.

The Uffizi Galleries has firmly contested these assertions, maintaining that forensic validation has yielded no evidence supporting the compromise of architectural maps or restricted security schematics, and emphasizing that certain observational elements, such as camera placement, remain inherently visible within public-facing environments. 

From a technical standpoint, the institution reiterated that core security systems are logically segregated and not externally addressable, limiting the feasibility of direct remote extraction as described. While investigations indicate that threat actors may have leveraged interconnected endpoints, including workstation nodes and peripheral devices, to incrementally profile the environment, officials stress that no physical assets were impacted and no confirmed data misuse has been established.

The ransom communication, reportedly directed to director Simone Verde with threats of dark web exposure, further underscores the psychological dimension often accompanying such campaigns. Notably, precautionary measures observed in parallel, such as temporary gallery closures and the transfer of select holdings to the Bank of Italy, have been attributed to pre-existing operational planning rather than reactive containment.

In the broader context of heightened sectoral vigilance following the security failures exposed by the Louvre Museum theft, the Uffizi has accelerated its transition from analogue to digital surveillance infrastructure, aligning with law enforcement recommendations issued in 2024.

In its final clarification, the Uffizi Galleries moved to separate speculation from confirmed facts. While it did not deny that some valuables had been temporarily moved to a secure vault at the Bank of Italy, officials stressed that this step was part of planned renovation work, not a response to the cyber incident.

Reports from Corriere della Sera about sealed doors and restricted staff communication were also addressed, with the museum explaining that certain closures were linked to long-pending fire safety compliance and structural adjustments required for a historic building of its age. 

On the technical front, the Uffizi confirmed that its photographic archive remained safe, clarifying that although the server had been taken offline, this was done to restore data from backups, a process now completed without any loss.

Despite the attention surrounding the breach, the museum continues to function normally, with visitor areas and ticketing operations unaffected, underlining how effective backup systems and planning helped limit real-world impact.