Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
Ransomware
Data Breach Data Theft eCommerce Japan MFA Ransomware

Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident

 



Japanese e-commerce firm Askul Corporation has officially confirmed that a ransomware attack earlier this year led to the unauthorized access and theft of data belonging to nearly 740,000 individuals. The company made the disclosure after completing a detailed investigation into the cyber incident that occurred in October.

Askul operates a large-scale online platform that provides office supplies and logistics services to both corporate clients and individual consumers. The company is part of the Yahoo! Japan corporate group and plays a significant role in Japan’s business-to-business supply chain.

The cyberattack caused serious disruptions to Askul’s internal systems, resulting in an operational shutdown that forced the company to suspend product shipments. This disruption affected a wide range of customers, including major retail partners such as Muji.

Following the conclusion of its internal review, Askul clarified the categories of data that were compromised. According to the company, service-related records of approximately 590,000 business customers were accessed. Data connected to around 132,000 individual customers was also involved. In addition, information related to roughly 15,000 business partners, including outsourcing firms, agents, and suppliers, was exposed. The incident further affected personal data linked to about 2,700 executives and employees, including those from group companies.

Askul stated that it is deliberately limiting the disclosure of specific details related to the stolen data to reduce the risk of further exploitation. The company confirmed that affected customers and business partners will be informed directly through individual notifications.

Regulatory authorities have also been notified. Askul reported the data exposure to Japan’s Personal Information Protection Commission and has implemented long-term monitoring measures to identify and prevent any potential misuse of the compromised information.

System recovery remains ongoing. As of December 15, shipping operations had not fully returned to normal, and the company continues to work toward restoring all affected services.

Responsibility for the attack has been claimed by the ransomware group known as RansomHouse. The group publicly disclosed the breach at the end of October and later released portions of the stolen data in two separate leaks in November and December.

Askul shared limited technical findings regarding how the attackers gained access. The company believes the intrusion began through stolen login credentials associated with an administrator account belonging to an outsourced partner. This account did not have multi-factor authentication enabled, making it easier for attackers to exploit.

After entering the network, the attackers conducted internal reconnaissance, collected additional authentication information, and expanded their access to multiple servers. Askul reported that security defenses, including endpoint detection and response tools, were disabled during the attack. The company also noted that several ransomware variants were deployed, some of which bypassed existing detection mechanisms despite recent updates.

The attack resulted in both data encryption and widespread system failures. The ransomware was executed simultaneously across multiple servers, and backup files were deliberately erased to prevent rapid system recovery.

In response, Askul disconnected affected networks, restricted communication between data centers and logistics facilities, isolated compromised devices, and strengthened endpoint security controls. Multi-factor authentication has since been enforced across critical systems, and all administrator account passwords have been reset.

The financial consequences of the incident have not yet been determined. Askul has postponed its earnings report to allow additional time for a comprehensive assessment of the impact.



Read more »
Rockrose Development data breach
construction company cyberattack Data Breach July 2025 ransomware attack Play ransomware gang real estate Rockrose Development data breach

Rockrose Development Notifies Over 47,000 People of July 2025 Data Breach Linked to Play Ransomware Gang

 

Rockrose Development confirmed over the weekend that it has notified 47,392 individuals about a data breach that occurred in July 2025. The incident exposed sensitive personal information belonging to both residents and employees.

According to the company, the compromised data includes names, Social Security numbers, taxpayer identification numbers, driver’s license and passport details, financial account and routing numbers, health insurance information, medical records, and online account credentials.

Soon after the breach, a ransomware group known as Play claimed responsibility. The group alleged it had accessed and stolen documents related to Rockrose’s clients, budgeting, payroll, accounting, and tax records, along with identification and financial information. Rockrose has not confirmed the authenticity of Play’s claims.

At this time, it remains unclear whether Rockrose paid a ransom, how much was demanded, or the specific method attackers used to gain access to the company’s systems. Comparitech has reached out to Rockrose for comment and stated it will update its reporting if a response is received.

“Rockrose determined that unauthorized individuals accessed Rockrose’s systems and claim to have acquired confidential information stored in certain of those systems,” the company stated in its notification to affected individuals.

To mitigate potential harm, Rockrose is offering eligible victims 24 months of complimentary identity protection services through Experian. Impacted individuals must enroll by March 31, 2026.

Play is a ransomware operation that has been active since June 2022, targeting organizations across sectors such as healthcare, finance, manufacturing, real estate, and education. The group uses a double-extortion strategy, demanding payment not only to decrypt compromised systems but also to prevent stolen data from being leaked or sold.

So far in 2025, Play has taken credit for 41 confirmed ransomware attacks, in addition to 339 unverified claims that have not been publicly acknowledged by the affected organizations.

Rockrose is not the only construction-related firm allegedly targeted by Play this year. Other organizations that have reported breaches attributed to the group include Rock Solid Stabilization & Reclamation, Gorham Sand & Gravel, Thomas Safran & Associates, and All States Materials Group.

Ransomware Trends in Construction and Real Estate

Comparitech researchers report that, as of 2025, there have been 12 confirmed ransomware attacks against U.S. construction companies and real estate developers, impacting a total of 69,513 records. The Rockrose incident accounts for the majority of these exposed records and is the largest such attack recorded since tracking began in 2018.

Additional recent incidents include breaches at Abhe & Svoboda and Barr & Barr, both reportedly linked to the Akira ransomware group.

Ransomware attacks can severely disrupt construction and real estate firms by locking access to systems, stealing sensitive data, and interrupting critical operations such as payroll, billing, communications, and website functionality. Organizations often face the difficult choice of paying a ransom or enduring prolonged downtime and increased fraud risk for customers.

Established in 1970, Rockrose Development has acquired, developed, or repositioned approximately 15,000 residential apartments across New York and Washington, DC. The company also manages nearly 6 million square feet of office space, according to information published on its website.
Read more »
Personal Data Breach
Cyberattacks Data Breach Data breaches attacks Data Leak data security INC Ransom gang Inc ransomware Library Personal Data Breach

Pierce County Library System Data Breach Exposes Information of Over 340,000 People

 

A cyber attack on the Pierce County Library System in the state of Washington has led to the compromise of personal data of over 340,000 people, which is indicative of the rising threat of cybersecurity breaches being posed to public services. This attack has impacted library services in the entire county, along with library users and staff. The incident was made known to the public through breach notification letters published on the website of the Pierce County Library System. 

The incident, as revealed in the notification letters, occurred when the library system detected the incident on April 21 and decided to shut all library systems in an effort to control the breach. The library system conducted an investigation that confirmed the breach had taken place. 

The library network was also able to identify that the exfiltration of data from individuals who utilized or were part of the institution was successful on May 12. It was established that the hackers had access to the network from April 15 to April 21. Access to sensitive information was gained and exfiltrated during this time. The level of information that was vulnerable varied depending on who was targeted. 

The data that was breached for the benefit of the library patrons included names and dates of birth. Though very limited compared to the data for employees, this data is still significant for use in identity-related fraud. The breach had severe implications for current and former employees who worked within the library system. The data that was stolen for them included Social Security numbers, financial accounts, driver’s license numbers, credit card numbers, passports, health insurance, and certain data related to medical matters. 

This particular ransomware assault would later be attributed to the INC ransomware gang, which has been responsible for a number of highly detrimental attacks on government bodies over 2025. The gang has previously conducted attacks on bodies such as the Office of the Attorney General of Pennsylvania and a countrywide emergency alert service used by local authority bodies. This type of situation is not the first that has occurred on the level of Pierce County. 

In the year 2023, Pierce County was the victim of a ransomware attack on the public transit service that the community utilized heavily because the service was used by 18,000 riders on a daily basis. Public library networks have become a common target for ransomware attacks in recent years. This is because cybercriminals also perceive public libraries as high-stakes targets since community members depend on them for internet access to their catalogs and other digital services, creating a challenge where an organization may feel pressured into paying a ransom demand to resume operations. Such attacks also include national and city library networks in North America. 

The current threat environment has led to calls for developing targeted programs within the government in the United States that would evaluate risks for libraries' cybersecurity environments. This involves enhancing data sharing related to cyber attacks and providing libraries with more support and advanced services from firewalls that target libraries specifically. 

The increasing digitization efforts by libraries as government institutions further solidify that a breach such as that which Pierce County experienced is a reminder that a continued investment in cybersecurity measures is a necessity.
Read more »
Third-Party Vendor Risk
Akira Ransomware Group Data Breach Healthcare Cyber Threats HIPAA Business Associate Medical Supply Cybersecurity Ransomware attack Third-Party Vendor Risk

Data Breach at Fieldtex Affects 274000 as Ransomware Gang Takes Credit

The Fieldtex Products Corporation, a company that makes contract sewing products and fulfills medical supply orders from U.S. manufacturers, has notified hundreds of thousands of individuals after confirming an attack which compromised sensitive health-related information as a result of ransomware. 

It was found out that the incident occurred after the company detected strange activity within its network in the middle of August, which led to an internal investigation that went on for a while, but which eventually revealed an unauthorized intrusion into systems containing protected health information relating to affiliated health plans. 

According to Fieldtex's breach notification, which was published on November 20, exposed data may include information about people's names, residential addresses, dates of birth, health insurance membership number, plan information, and coverage, as well as genders, health insurance insurance membership numbers and member identification numbers.

It has been reported that the breach has affected approximately 238,615 individuals, according to regulatory filings submitted by the U.S. Department of Health and Human Services. The disclosure came in the wake of a public claim made by Akira, a ransomware group that listed Fieldtex's E-First Aid Supplies division on its Tor-based leak site on November 5, asserting that it had exfiltrated over 14 gigabytes of internal data, such as employee, customer, and financial data. 

Despite the group's threat of publishing the stolen data, Fieldtex's notice was issued only after no materials had been made public. It has been disclosed that Fieldtex has submitted the incident disclosures to federal regulators in its capacity as a HIPAA business associate, stating that the company is providing direct notice to affected individuals on behalf of clients who have authorized the company to do so.

According to Fieldtex's breach disclosure, the organization is a medical supply fulfillment company that provides members with over-the-counter healthcare products delivered through their respective health plans. Fieldtex's role involves handling certain categories of protected health information, which is necessary in the fulfillment of the breach disclosure. As the company reported, it became aware of unauthorized activity on or around August 19. 

The company responded by securing its network as well as engaging an independent forensic investigation company to determine the nature and extent of the intrusion. The breach has been caused by the way Fieldtex handled protected health information obtained from members' health plans in its healthcare fulfillment operations, which resulted in this breach. 

In a statement issued by the company on August 19, it is said that it detected unauthorized activities within the company's computer systems. As soon as the company became aware of the intrusion, it immediately secured its network and retained an external forensic firm to determine the extent of the breach. However, Fieldtex stated that there is no indication that any data has been misused, even though Fieldtex did not have any conclusive findings of access to protected health information. 

It is likely that patients' names, residential addresses, dates of birth, health insurance member identification numbers, plan names, coverage periods, and gender were potentially exposed information. Fieldtex reported that by September 30 it had finished its analysis of the affected data and had immediately notified the associated health plans, which had subsequently offered complimentary credit monitoring services to individuals whose information could have been exposed. 

Furthermore, the company added that it has tightened up its network security controls and has reviewed its data protection policies to respond to the incident in response. Requests for more information, including whether any data was exfiltrated or a ransom demand was issued, were not immediately returned. 

The Fieldtex team conducted an extensive internal review after becoming aware that sensitive information was in danger of being accessed. This review included determining the type of information contained in the affected files and identifying the individuals whose information was involved. In addition to assessing potentially impacted data, the company also informed the appropriate health plans promptly on September 30, 2025, initiating coordinated response efforts to address the situation. 

The company is acting on behalf of clients of the health plan that authorized Fieldtex to provide direct notice to their members and is providing credit monitoring services as a precautionary measure in order to inform potentially affected members. 

Meanwhile, the company also reported that it has strengthened security controls across all areas of its network and is currently undergoing a broader review of its data protection policies and procedures with the aim of reducing the likelihood of similar incidents occurring again. 

According to Fieldtex, there has been no evidence of an actual or attempted misuse of the information related to the incident, but they advised affected individuals to remain vigilant and to review their account statements and explanations of benefits regularly for any irregularities or errors.

In addition to recommending individuals to place fraud alerts with the major credit reporting agencies, such as Equifax, TransUnion, and Experian, in order to provide additional protection, the company also advised them to do so. In the wake of this incident, healthcare-related vendors, who operate behind the scenes of patient care, but tend to deal with large volumes of sensitive personal and insurance data, are being exposed to an increasing risk of cyberattacks. 

The cyber security community has repeatedly warned that ransomware groups target third-party service providers with increasing frequency, observing them as a high-value entry point into complex healthcare ecosystems where multiple undesirable effects can be manifested. 

It is important that people affected by the breach maintain an active level of vigilance in order to avoid becoming victims of such attacks in the future. This vigilance includes reviewing insurance statements regularly, monitoring credit activity, and responding promptly to any anomalies that may arise.

As the Fieldtex incident shows, healthcare organizations and their vendors must take serious steps to ensure they manage their vendors' risk appropriately, monitor their activity continuously, and perform regular security audits in order to reduce their chances of suffering similar attacks in the future. 

Organizations that handle protected health information may be faced with increasing pressure as regulatory scrutiny continues to intensify and threat actors refine their tactics. 

It is imperative that organizations handle protected health information demonstrate not only compliance with federal requirements, but also a commitment to fostering cybersecurity resilience in order to protect patient trust and operational continuity in the future.
Read more »
Vetco security lapse
Data Breach IDOR vulnerability pet medical records exposed Petco Petco Vetco leak Vetco Clinics Vetco security lapse

Petco Takes Vetco Clinics Site Offline After Major Data Exposure Leaves Customer Records Accessible Online

 

Pet wellness brand Petco has temporarily taken parts of its Vetco Clinics website offline after a security failure left large amounts of customer information publicly accessible.

TechCrunch notified the company about the exposed Vetco customer and pet data, after which Petco acknowledged the issue in a statement, saying it is investigating the incident at its veterinary services arm. The company declined to share further details.

The lapse meant that anyone online could directly download customer files from the Vetco site without needing an account or login credentials. At least one customer file was publicly visible and had even been indexed by Google, making it searchable.

According to data reviewed by TechCrunch, the exposed records included visit notes, medical histories, prescriptions, vaccination details, and other documents linked to Vetco customers and their pets.

These files contained personal information such as customer names, home addresses, phone numbers and email addresses, along with clinic locations, medical evaluations, diagnoses, test results, treatment details, itemized costs, veterinarian names, signed consent forms, and service dates.

Pet details were also disclosed, including pet names, species, breed, sex, age, date of birth, microchip numbers, medical vitals, and prescription histories.

TechCrunch reported the flaw to Petco on Friday. The company acknowledged the exposure on Tuesday after receiving follow-up communication that included examples of the leaked files.

Petco spokesperson Ventura Olvera told TechCrunch that the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems,” though Petco did not provide proof of these measures. Olvera also declined to clarify whether the company has logging tools capable of determining whether the data was accessed or extracted during the exposure.

The vulnerability stems from how Vetco’s website generates downloadable PDFs for customers. Vetco’s portal, petpass.com, gives customers access to their vet records. However, TechCrunch discovered that the PDF-generation page was left publicly accessible without any password protection.

This allowed anyone to retrieve sensitive documents simply by altering the URL to include a customer’s unique identification number. Because Vetco’s customer IDs are sequential, adjusting the number by small increments exposed other customers’ records as well.

By checking ID numbers in increments of 100,000, TechCrunch estimated that the flaw could have exposed information belonging to millions of Petco customers.

The issue is identified as an insecure direct object reference (IDOR), a common security oversight where servers fail to verify whether the requester is authorized to access specific files.

It remains unknown how long the data was publicly exposed, but the record visible on Google dated back to mid-2020.

This marks the third data incident involving Petco in 2025, according to TechCrunch’s reporting.

Earlier in the year, hackers linked to the Scattered Lapsus$ Hunters group reportedly stole a large trove of customer data from a Salesforce-hosted Petco database and sought ransom payments to avoid leaking the data.

In September, Petco disclosed another breach involving a misconfigured software setting that mistakenly made certain files available online. That incident exposed highly sensitive data—including Social Security numbers, driver’s license details, and payment information like credit and debit card numbers.

Olvera did not confirm how many customers were affected by the September breach. Under California law, organizations must publicly report breaches affecting more than 500 state residents.

TechCrunch believes the newly discovered Vetco data exposure is a separate event because Petco had already begun notifying customers about the earlier breach months prior.
Read more »
Vendor Breach
Data Breach Data Leak Mixpanel OpenAI User Privacy Vendor Breach

OpenAI Vendor Breach Exposes API User Data

 

OpenAI revealed a security incident in late- November 2025 that allowed hackers to access data about users via its third-party analytics provider, Mixpanel. The breach, which took place on November 9, 2025, exposed a small amount of personally identifiable information for some OpenAI API users, although OpenAI stressed that its own systems had not been the target of the attack.

Breach details 

The breach occurred completely within Mixpanel’s own infrastructure, when an attacker was able to gain access and exfiltrate a dataset containing customer data. Mixpanel became aware of the compromise on 9 November 2025, and following an investigation, shared the breached dataset with OpenAI on 25 November, allowing the technology firm to understand the extent of potential exposure. 

The breach specifically affected users who accessed OpenAI's API via platform.openai.com, rather than regular ChatGPT users. The compromised data included several categories of user information collected through Mixpanel's analytics platform. Names provided to accounts on platform.openai.com were exposed, along with email addresses linked to API accounts. 

Additionally, coarse approximate location data determined by IP addresses, operating system and browser types, referring websites, and organization and user IDs saved in API accounts were part of the breach. However, OpenAI confirmed that more sensitive information remained secure, including chat content, API requests, API usage data, passwords, credentials, API keys, payment details, and government IDs. 

Following the incident, OpenAI took immediate action by removing Mixpanel from its services while conducting its investigation. The company notified affected users on November 26, 2025, right before Thanksgiving, providing details about the breach and emphasizing that it was not a compromise of OpenAI's own systems. OpenAI has suspended its integration with Mixpanel pending a thorough investigation of the incident.

Recommended measures 

OpenAI also encouraged the affected users to stay on guard for potential second wave attacks using the stolen information. Users need to be especially vigilant for phishing and social engineer attacks that could be facilitated by the leaked information, such as names, e-mail addresses and company information. A class action has also been brought against OpenAI and Mixpanel, claiming the companies did nothing to stop the breach of data that revealed personally identifiable information for thousands of users.
Read more »
TruffleHog leak
Data Breach GitHub repositories breach NPM malware Shai-Hulud attack Supply Chain Attack TruffleHog leak

Shai-Hulud 2.0 Breach Exposes 400,000 Secrets After Massive NPM Supply-Chain Attack

 

The second wave of the Shai-Hulud malware attack last week led to the exposure of nearly 400,000 raw secrets after compromising hundreds of NPM (Node Package Manager) packages and leaking stolen data across more than 30,000 GitHub repositories.

While only around 10,000 of those secrets were confirmed as valid using the TruffleHog open-source scanning tool, cloud security company Wiz reports that over 60% of the NPM tokens leaked in this incident were still active as of December 1st.

Shai-Hulud first surfaced in mid-September, infecting 187 NPM packages with a worm-like payload. The malware scanned systems for account tokens using TruffleHog, injected a harmful script into the targeted packages, and then automatically republished them.
In the latest attack, the threat escalated—impacting more than 800 packages (including all affected versions) and adding a destructive feature capable of wiping a victim’s home directory under specific conditions.

During their review of the secrets spilled by Shai-Hulud 2.0 into over 30,000 GitHub repositories, Wiz researchers found several types of sensitive files exposed:

  • About 70% of repositories contained a contents.json file with GitHub usernames, tokens, and file snapshots

  • Around 50% stored truffleSecrets.json with TruffleHog scan results

  • Nearly 80% included environment.json, which revealed OS details, CI/CD metadata, npm package information, and GitHub credentials

  • 400 repositories had actionsSecrets.json, exposing GitHub Actions workflow secrets

Wiz notes that the malware used TruffleHog without the --only-verified flag, meaning the full set of 400,000 leaked secrets only matched valid formats—they weren’t necessarily functional. Even so, the dataset still contained active credentials.

While the secret data is extremely noisy and requires heavy deduplication efforts, it still contains hundreds of valid secrets, including cloud, NPM tokens, and VCS credentials,” Wiz explained.

To date, these credentials pose an active risk of further supply chain attacks. For example, we observe that over 60% of leaked NPM tokens are still valid.

From the 24,000 environment.json files analyzed, nearly half were unique. About 23% originated from developer machines, with the remainder linked to CI/CD systems or similar automated environments.

The investigation also showed that 87% of compromised machines were running Linux, and 76% of infections occurred within containerized environments. Among CI/CD services, GitHub Actions was the most affected, followed by Jenkins, GitLab CI, and AWS CodeBuild.

When examining which packages were hit hardest, Wiz identified @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 as the most impacted—together accounting for over 60% of all infections. Researchers believe the overall damage could have been significantly reduced if these key packages had been flagged and taken down early.

The infection pattern also revealed that 99% of attacks triggered during the preinstall event, specifically through the node setup_bun.js script. The few anomalies observed were likely test runs.

Wiz warns that the operators behind Shai-Hulud are likely to continue refining their methods. The team expects more waves of supply-chain attacks powered by the extensive trove of leaked credentials gathered so far.

Read more »
Data Breach
CrowdStrike data breach cyber attack Cybernews Data Breach

CrowdStrike Fires Insider Who Leaked Internal Screenshots to Hacker Groups, Says no Customer Data was Breached

 

American cybersecurity company CrowdStrike has confirmed that screenshots taken from its internal systems were shared with hacker groups by a now-terminated employee. 

The disclosure follows the appearance of the screenshots on Telegram, posted by the cybercrime collective known as Scattered Lapsus$ Hunters. 

In a statement to BleepingComputer, a CrowdStrike spokesperson said the company’s security was not compromised as a result of the insider activity and that customers remained fully protected. According to the spokesperson, the employee in question was identified during an internal investigation last month. 

The individual was later terminated and the matter has been reported to law enforcement. CrowdStrike did not clarify which threat group was behind the leak or what drove the employee to share sensitive images. 

However, the company offered the statement after BleepingComputer reached out regarding screenshots of CrowdStrike systems circulating on Telegram. Those screenshots were posted by members of ShinyHunters, Scattered Spider, and the Lapsus$ group, who now operate collectively under the name Scattered Lapsus$ Hunters. ShinyHunters told BleepingComputer that they allegedly paid the insider 25,000 dollars for access to CrowdStrike’s network. 

The threat actors claimed they received SSO authentication cookies, but CrowdStrike had already detected the suspicious activity and revoked the employee’s access. 

The group also claimed it attempted to buy internal CrowdStrike reports on ShinyHunters and Scattered Spider but never received them. 

Scattered Lapsus$ Hunters have been responsible for a large-scale extortion campaign against companies using Salesforce. Since the beginning of the year, the group has launched voice phishing attacks to breach Salesforce customers. Their list of known or claimed victims includes Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, and luxury brands under LVMH such as Dior, Louis Vuitton, and Tiffany & Co. 

They have also attempted to extort numerous high-profile organizations including FedEx, Disney, McDonald’s, Marriott, Home Depot, UPS, Chanel, and IKEA. 

The group has previously claimed responsibility for a major breach at Jaguar Land Rover that exposed sensitive data and disrupted operations, resulting in losses estimated at more than 196 million pounds. 

Most recently, ShinyHunters asserted that over 280 companies were affected in a new wave of Salesforce-related data theft. Among the names mentioned were LinkedIn, GitLab, Atlassian, Verizon, and DocuSign. 

Though, DocuSign has denied being breached, stating that internal investigations have shown no evidence of compromise.
Read more »
Ransomware Breach
Critical Systems Security Cybersecurity Threats Dark Web Claims Data Breach Digital Risk Management Gaming Infrastructure IGT Cyberattack Lottery Technology Ransomware Breach

IGT Responds to Reports of Significant Ransomware Intrusion

 


An investigation by the Russian-linked ransomware group Qilin has raised fresh concerns within the global gaming and gambling industry after they claimed responsibility for the cyber intrusion that targeted global gambling giant IGT in recent weeks. 

A dark-web leak site that listed the company on Wednesday stated that it had exfiltrated ten gigabytes of data, or more than two thousand files, which is an amount that would equal around ten gigabytes of internal data. The posting itself didn’t provide many details about this. 

As can be seen by the entry stamped in bright green with the word “Publicated”, IGT does not appear to have communicated with Qilin or they refuse to accept ransom demands from him. IGT offers a complete suite of products and services to casinos, retailers, and online operators worldwide that range from gaming machines to lottery technology to PlaySports betting platforms to iGaming systems. 

Through its suite of products, IGT supports millions of players every day. This recent breach has prompted increased scrutiny of a leading technology provider’s security posture, and raised questions about the potential impact on operations and the broader gaming infrastructure of this company. According to a recent filing submitted to the Securities and Exchange Commission, International Game Technology (IGT) has acknowledge that it is in the middle of managing a major cyber incident. 

In the filing, IGT confirmed an unauthorized attempt to access portions of its internal IT system on November 17 was detected. There is a note in the disclosure that indicates that the company's incident response procedures were immediately activated after the intrusion. 

These procedures included a number of steps commonly associated with attempts to contain suspected ransomware activities, including taking certain systems offline and engaging external forensic specialists to assist in the investigation. 

In the midst of it assessing the extent of the disruption, the notorious ransomware group Qilin also has mentioned IGT, claiming that around 10GB of data, or over 21,000 files, has been stolen from its dark-web leak portal. Despite the fact that Qilin has not yet provided proof of compromise samples, the group has labeled the archive as published, a term criminals frequently use to indicate that exfiltrated data is now circulating beyond the victim's control. This adds further urgency to IGT's efforts to contain and remediate the data in question.

A report from Cybernews claims that Qilin's leak page also offers a link to an FTP file believed to contain a complete cache of allegedly stolen information, but no verification has been made and the amount of information available is limited at this point. To date, IGT has not either confirmed or denied the gang's assertions and has not responded to media inquiries seeking clarification. 

As one of the world's biggest gaming companies, GTECH offers a range of lottery technology products across more than 100 jurisdictions, including electronic gaming machines, iLottery systems, and sports betting platforms. Its headquarters are in London, with major operations centers in Las Vegas, Rome, and Providence. IGT is the primary technology partner for 26 U.S. lotteries and casinos, serving dozens of lottery operators and casino operators across the country. 

The entire lottery industry has been facing increasing cyber threats; earlier this year, the Ohio Lottery suffered a ransomware attack that disrupted jackpot information, delayed prize claim processing, and exposed sensitive consumer and retailer information. 

With such a backdrop in mind, IGT’s statement to the SEC underscored the company’s commitment to minimizing operational disruptions while restoring systems and maintaining transparency with its customers. In order to ensure service stability while forensic specialists continue their assessment, the company has deployed contingency solutions under its business continuity framework. 

It is vital that IGT maintains trust among lottery operators, casino customers and millions of daily users as it navigates the aftermath of the breach. IGT continues to work to secure that trust as the recovery proceeds. In light of the ongoing investigation, this incident underscores the widening threat landscape that operators of high-value digital games and lotteries face.

In order to achieve the best results for IGT, it is imperative that they reinforce cyber-resilience, accelerate security modernization, and strengthen partnerships with regulators and industry partners. It is widely believed that maintaining transparency, rapid threat intelligence sharing, and investing in robust incident response capabilities will be crucial not only for restoring confidence, but also for safeguarding interconnected gaming ecosystems from increasingly sophisticated ransomware actors who are eager to exploit any vulnerabilities that may arise.
Read more »
Personal Data
CyberCrime Data Breach Data Leak Data Privacy Concerns Data Safety User Data data security Personal Data

WhatsApp Enumeration Flaw Exposes Data of 3.5 Billion Users in Massive Scraping Incident

 

Security researchers in Austria uncovered a significant privacy vulnerability in WhatsApp that enabled them to collect the personal details of more than 3.5 billion registered users, an exposure they believe may be the largest publicly documented data leak to date. The issue stems from a long-standing feature that allows users to search WhatsApp accounts by entering phone numbers. While meant for convenience, the function can be exploited to automatically compile profiles at scale. 

Using phone numbers generated with a custom tool built on Google’s libphonenumber system, the research team was able to query account details at an astonishing rate—more than 100 million accounts per hour. They reported exceeding 7,000 automated lookups per second without facing IP bans or meaningful rate-limiting measures. Their findings indicate that WhatsApp’s registered user base is larger than previously disclosed, contradicting the platform’s statement that it serves “over two billion” users globally. 

The scraped records included phone numbers, account names, profile photos, and, in some cases, personal text attached to accounts. Over half of the identified users had public profile images, and a substantial portion contained identifiable human faces. About 29 percent included text descriptions, which researchers noted could reveal sensitive personal information such as sexuality, political affiliation, drug use, professional identities, or links to other platforms—including LinkedIn and dating apps.  
The study also revealed that millions of accounts belonged to phone numbers registered in countries where WhatsApp is restricted or banned, including China, Myanmar, and North Korea. Researchers warn that such exposure could put users in those regions at risk of government monitoring, penalties, or arrest. 

Beyond state-level dangers, experts stress that the harvested dataset could be misused by cybercriminals conducting targeted phishing campaigns, fraudulent messaging schemes, robocalling, and identity-based scams. The team emphasized that the persistence of phone numbers poses an ongoing risk: half of the numbers leaked during Facebook’s large-scale 2021 data scraping incident were still active in WhatsApp’s ecosystem. 

Meta confirmed receiving the researchers’ disclosure through its bug bounty process. The company stated that it has since deployed updated anti-scraping defenses and thanked the researchers for responsibly deleting collected data. According to WhatsApp engineering leadership, the vulnerability did not expose private messages or encrypted content. 

The researchers validated Meta’s claim, noting that the original enumeration method is now blocked. However, they highlighted that verifying security completeness remains difficult and emphasized the nearly year-long delay between initial reporting and effective remediation.  
Whether this incident triggers systemic scrutiny or remains an isolated cautionary case, it underscores a critical reality: even services built around encryption can expose sensitive user metadata, creating new avenues for surveillance and exploitation.
Read more »
User Privacy
Data Breach Data Leak Gainsight Salesforce User Privacy

Salesforce Probes Gainsight Breach Exposing Customer Data

 

Salesforce has disclosed that some of its customers' data was accessed following a breach of Gainsight, a platform used by businesses to manage customer relationships. The breach specifically affected Gainsight-published applications that were connected to Salesforce, with these apps being installed and managed directly by customers. 

Salesforce emphasized that the breach did not stem from vulnerabilities in its own platform, but rather from Gainsight's external connection to Salesforce. The company is actively investigating the incident and directed further inquiries to its dedicated incident response page.

Gainsight confirmed it was investigating a Salesforce connection issue, but did not explicitly acknowledge a breach, stating that its internal investigation was ongoing. Notable companies using Gainsight's services include Airtable, Notion, and GitLab. GitLab confirmed that its security team is investigating and will share more details as they become available.

The hacking group ShinyHunters claimed responsibility for the breach, stating that if Salesforce does not negotiate with them, they will set up a new website to advertise the stolen data—a common tactic for cybercriminals seeking financial gain. The group reportedly stole data from nearly a thousand companies, including details from Salesloft and GainSight campaigns. 

This breach mirrors a previous incident in August, where ShinyHunters exploited vulnerabilities in AI marketing chatbot maker Salesloft, compromising numerous customers' Salesforce instances and accessing sensitive information such as access tokens.

In the earlier Salesloft breach, victims included major organizations like Allianz Life, Bugcrowd, Cloudflare, Google, Kering, Proofpoint, Qantas, Stellantis, TransUnion, and Workday. The hackers subsequently launched a website to extort victims, threatening to release over a billion records. Gainsight was among those affected in the Salesloft-linked breaches, but it remains unclear if the latest wave of attacks originated from the same compromise or a separate incident.

Overall, this incident highlights the risks associated with third-party integrations in major cloud platforms and the growing sophistication of financially-motivated cybercriminals targeting customer data through supply chain vulnerabilities. Both Salesforce and Gainsight are continuing their investigations, with cybersecurity teams across affected organizations actively working to assess the extent of the breach and mitigate potential damage.
Read more »
ransomware data leak
Almaviva cyberattack Data Breach FS Italiane Italian IT provider breach Italy railway hack ransomware data leak

Massive Data Breach Hits Italy’s FS Italiane After Cyberattack on IT Provider Almaviva

 

Data belonging to Italy’s state-owned railway operator, the FS Italiane Group, has been exposed after a cybercriminal infiltrated the systems of its IT partner, Almaviva.

The attacker claims to have exfiltrated a massive 2.3 terabytes of information, later publishing the stolen files on a dark web forum. The individual behind the breach alleges that the dump contains confidential records and sensitive corporate material.

Almaviva, a major global IT and digital services company, provides solutions ranging from software development and systems integration to consulting and CRM platforms. According to Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, the compromised data appears to be recent and includes documents dating back to the third quarter of 2025. He dismissed speculation that the files originated from the 2022 Hive ransomware incident.

"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.
"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," he added.

Almaviva employs more than 41,000 people across nearly 80 global locations and reported $1.4 billion in revenue last year. FS Italiane, entirely owned by the Italian government, is among the nation’s largest industrial enterprises, generating over $18 billion annually through its rail, transport, and logistics services.

Although initial press queries from BleepingComputer went unanswered, Almaviva later confirmed the breach in statements provided to local outlets.

“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.

“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”

The company added that it has notified relevant authorities, including law enforcement, Italy’s national cybersecurity agency, and the data protection authority. Government bodies are currently assisting with the ongoing investigation.

Almaviva has committed to sharing further updates as more findings become available.

It remains unknown whether any passenger information was included in the stolen data or if the breach has affected additional Almaviva clients. BleepingComputer has sent follow-up questions, but no response had been received as of publication.

In another public communication, Almaviva reiterated that it had isolated the cyberattack, stating that it resulted in “the theft of some data.”

"Almaviva immediately activated safety and response procedures through its specialized team for this type of incident, ensuring the protection and full operation of critical services," the company stated, emphasizing that business continuity plans prevented disruptions to its operations.
Read more »
Third-Party Vulnerabilities
Banking Cyberattack Cyber Intrusion Investigation Data Breach Digital Supply Chain Risk Financial Security Infrastructure Security Mortgage Data Leak Third-Party Vulnerabilities

Growing Concern as Authorities Assess Cyber Incident at Real Estate Finance Firm

 


An extreme cyber intrusion which led to considerable concern among U.S. financial institutions over the weekend has been hailed by leading American banks and mortgage lenders as a major development that must be addressed urgently in order to reduce their exposure to various cyber threats. 

According to a statement issued by StatusAMC Group Holdings, LP on November 12, the back-office software provider for hundreds of mortgage origination, servicing, and payments operations for hundreds of institutions was breached. It was possible for unknown actors to gain access to sensitive client information, including accounting files, legal agreements, and possibly extensive personal data from loan applications, by hacking into their systems. 

However, while the company claims its operations remain fully operational, and that the incident has been contained without using any encryption malware, the extent to which the data was compromised has raised the alarm on Wall Street, since firms such as JPMorgan, Citi, and Morgan Stanley are highly reliant on the vendor's infrastructure for their daily operations. 

The company has been providing clients with near-daily updates while collaborating with federal law enforcement and outside forensic experts to determine exactly what was taken after the millions of records may have been stolen. This reflects a growing sense of unease within an industry where third-party vulnerabilities are posing some of the most significant cyber risks to date. 

New York-based StatusAMC provides mortgage services to more than 1,500 clients across residential and commercial markets. This breach has been discovered by the company on November 12, and it has confirmed that portions of the company's corporate data, including accounting records and legal agreements, have been accessed during this intrusion, which occurred on November 12. 

There are no clear indications as yet as to whether the attackers exfiltrated certain data tied to customers of the company's financial-sector clients, or if they simply viewed that information. However, it acknowledges that data tied to customers of its financial-sector clients may also have been compromised. 

There is no doubt that the company is a major processor of mortgage applications, and they handle highly sensitive personal information, ranging from Social Security numbers to passport information to employment histories. However, after recent reports suggested that certain information related to residential loan files was compromised, further concerns were raised. 

A report by the New York Times reported that JPMorgan Chase, Citi, and Morgan Stanley may have been affected by the breach; JPMorgan said that its own banking systems were not directly compromised, but Citi declined to comment and Morgan Stanley refused to answer questions. It has already been reported that the FBI has opened a probe, and SitusAMC has already begun contacting impacted customers as it continues the investigation. As a result, the federal investigators are now taking an increasingly active role in investigating the breach. 

The FBI announced in a press release that they are working closely with SitusAMC and the affected institutions to determine the full extent of the breach. According to Director Kash Patel, no operational disruptions have yet been identified to banking services. He added that the bureau continues to focus on tracing the perpetrators and strengthening security measures for critical infrastructure systems. 

A longstanding vulnerability in the financial sector despite its reputation for strong cybersecurity defenses has been heightened by the incident, as a result of systemic risks associated with third-party technology providers. Despite being essential to the banking industry, SitusAMC is often overlooked outside of industry circles, and the company receives far less oversight than the major banks it supports, which can lead to the exposure of millions of records. 

As the investigation continues, neither JPMorgan Chase nor Morgan Stanley indicated what they experienced regarding the investigation. Additionally, SitusAMC's chief executive officer, Michael Franco, declined to respond to inquiries regarding the investigation, leaving many questions unanswered. 

Despite the fact that large banks invest hundreds of millions of dollars in cybersecurity each year and are widely regarded as the best-protected institutions in the private sector, experts warn that even though the banking industry is under constant pressure from increasingly sophisticated cyber threats, it is still highly vulnerable to these threats. In spite of the fact that lenders, data processors, and software providers are connected through a dense network of relationships, it is quite possible for those institutions that appear the most secure to introduce weaknesses inadvertently. 

The breach has underscored the fact that deeply embedded vulnerabilities can emerge in the most unexpected places when they are deeply embedded, as Muish Walther-Puri, head of critical digital infrastructure at TPO Group, said. The failure of a single trusted vendor can be very detrimental to the entire financial ecosystem, exposing the "unseen" risks woven into its operations, he added. He emphasized that true resilience cannot just be achieved by internal defenses alone, but also through the collective vigilance of the entire supply chain as well. 

Several industry experts are predicting that as the investigation continues, the incident will serve as a catalyst for deeper scrutiny of digital supply chains as well as a more rigorous oversight of the vendors that power critical financial operations. 

The argument goes that even if banks and lenders have formidable defenses, they still need to set higher security expectations for third parties, demanding a greater level of transparency, continuous monitoring, and greater accountability as part of their security practices. 

Having been exposed to the security breach, many people in the sector have taken note that the development of resilience these days is reliant not only on advanced technology, but also on a shared commitment to safeguard the interconnected systems that are vital to keeping the nation's financial machinery afloat.
Read more »
Synthient
Credential Stuffing Cyber Security Data Breach exposed emails Have I Been Pwned password leak Synthient

Massive Leak Exposes 1.3 Billion Passwords and 2 Billion Emails — Check If Your Credentials Are at Risk

 

If you haven’t recently checked whether your login details are floating around online, now is the time. A staggering 1.3 billion unique passwords and 2 billion unique email addresses have surfaced publicly — and not due to a fresh corporate breach.

Instead, this massive cache was uncovered after threat-intelligence firm Synthient combed through both the open web and the dark web for leaked credentials. You may recognize the company, as they previously discovered 183 million compromised email accounts.

Much of this enormous collection is made up of credential-stuffing lists, which bundle together login details stolen from various older breaches. Cybercriminals typically buy and trade these lists to attempt unauthorized logins across multiple platforms.

This time, Synthient pulled together all 2 billion emails and 1.3 billion passwords, and with help from Troy Hunt and Have I Been Pwned (HIBP), the entire dataset can now be searched so users can determine if their personal information is exposed.

The compilation was created by Synthient founder Benjamin Brundage, who spent months gathering leaked credentials from countless sources across hacker forums and malware dumps. The dataset includes both older breach data and newly stolen information harvested through info-stealing malware, which quietly extracts passwords from infected devices.

According to Troy Hunt, Brundage provided the raw data while Hunt independently verified its authenticity.

To test its validity, Hunt used one of his old email addresses — one he already knew had appeared in past credential lists. As expected, that address and several associated passwords were included in the dataset.

After that, Hunt contacted a group of HIBP subscribers for verification. By choosing some users whose data had never appeared in a breach and others with previously exposed data, he confirmed that the new dataset wasn’t just recycled information — fresh, previously unseen credentials were indeed present.

HIBP has since integrated the exposed passwords into its Pwned Passwords service. Importantly, this database never links email addresses to passwords, maintaining privacy while still allowing users to check if their passwords are compromised.

To see if any of your current passwords have been leaked, visit the Pwned Passwords page and enter them. Your passwords are never sent to a server — the entire check is processed locally in your browser through an anonymity-preserving method.

If any password you use appears in the results, change it immediately. You can rely on a password manager to generate strong replacements, or use free password generators from tools like Bitwarden, LastPass, and ProtonPass.

The single most important cybersecurity rule remains the same: never reuse passwords. When criminals obtain one set of login credentials, they try them across other platforms — an attack method known as credential stuffing. Because so many people still repeat passwords, these attacks remain highly successful.

Make sure every account you own uses a strong, complex, and unique password. Password managers and built-in password generators are the easiest way to handle this.

Even the best password may not protect you if it’s stolen through a breach or malware. That’s why Two-Factor Authentication (2FA) is crucial. With a second verification step — such as an authenticator app or security key — criminals won’t be able to access your account even if they know the password.

You should also safeguard your devices against malware using reputable antivirus tools on Windows, Mac, and Android. Info-stealing malware, often spread through phishing attacks, remains one of the most common ways passwords are siphoned directly from user devices.

If you’re interested in going beyond passwords altogether, consider switching to passkeys. These use cryptographic key pairs rather than passwords, making them unguessable, non-reusable, and resistant to phishing attempts.

Think of your password as the lock on your home’s front door: the stronger it is, the harder it is for intruders to break in. But even with strong habits, your information can still be exposed through breaches outside your control — one reason many experts, including Hunt, see passkeys as the future.

While it’s easy to panic after reading about massive leaks like this, staying consistent with good digital hygiene and regularly checking your exposure will keep you one step ahead of cybercriminals.
Read more »
Ransomware attack
Adidas Data Breach Fulgar H&M RansomHouse Ransomware attack

RansomHouse Ransomware Hits Fulgar, Key Supplier to H&M and Adidas

 

Fulgar, a major supplier of synthetic yarns to global fashion brands such as H&M, Adidas, Wolford, and Calzedonia, has confirmed it suffered a ransomware attack linked to the notorious RansomHouse group. The attack, which was first noted on RansomHouse’s leak site on November 12, involved the publication of encrypted internal data stolen since October 31. 

Screenshots shared on the leak site displayed sensitive company documents, spreadsheets, communications, and financial records—including bank balances, invoices, and exchanges with external parties. These leaks present a significant risk for targeted phishing attacks, as attackers now possess insider information that can be leveraged to deceive staff and partners.

Fulgar, established in the late 1970s, is one of Europe’s largest spinning mills, producing polyamide 66 and covered elastomers used in hosiery, lingerie, activewear, and technical textiles. The company distributes key brands like Lycra and Elaspan and operates across Italy, Sri Lanka, and Turkey. Its client list includes several of the world’s most recognized fashion retailers. The breach highlights how even large suppliers are vulnerable to cyber threats, especially when a single ransomware group gains access to internal systems.

The RansomHouse group, active since 2021, has claimed more than one hundred victims and is known for encrypting data and demanding ransom payments. US cyber authorities have previously connected the group to Iranian affiliates, who provide encryption support in exchange for a share of the ransom proceeds.

In Fulgar’s case, the attackers issued a direct warning to management: “Dear management of Fulgar S.p.A., we are sure that you are not interested in your confidential data being leaked or sold to a third party. We highly advise you to start resolving that situation.” This underscores the urgency for organizations to respond swiftly to ransomware incidents and mitigate potential reputational and financial damage.

The breach is a stark reminder of the cascading risks posed by compromised supplier networks. Sensitive records exposed in such incidents can fuel targeted identity theft and social engineering attacks, increasing threats for employees and business partners. Experts advise that organizations implement robust cybersecurity measures, including the use of strong antivirus software and properly configured firewalls, to reduce the risk of follow-up intrusions. 

However, even with these precautions, leaked internal documents can still be used to craft highly persuasive phishing campaigns, posing broader risks across manufacturing and supply chain sectors. Overall, the Fulgar breach illustrates the escalating sophistication of ransomware attacks and the critical need for vigilance among global suppliers and their clients to protect sensitive data and prevent further compromise.
Read more »
personal data leak
Customer Data Customer Data Exposed Data Breach Data exposed data security leaked sensitive data personal data leak

DoorDash Data Breach Exposes Customer Information in October 2025 Incident

 

DoorDash has informed its customers that the company experienced a security incident in late October, marking yet another breach for the food delivery platform. According to details first reported by BleepingComputer, DoorDash has begun emailing users to disclose that on October 25, 2025, an unauthorized individual infiltrated parts of its internal systems and accessed selected customer contact information. The type of data exposed varied from person to person but involved key personal details. In its notification email, the company confirmed that names, physical addresses, phone numbers, and email addresses were among the information viewed by the intruder. While financial data does not appear to have been compromised, the collection of exposed fields still carries significant risk because such details can easily be reused in phishing, impersonation, and other forms of social engineering attacks. 

DoorDash stated that the root cause of the breach was a social engineering scam targeting an employee, which ultimately allowed the attacker to obtain credentials and slip past internal safeguards. As soon as the company recognized unusual activity, its security team revoked the unauthorized access, launched a broader investigation, and contacted law enforcement to support further review. However, the company did not specify how many individuals may have been affected. What is clear is that the impacted group includes customers, delivery drivers (known as Dashers), and merchants. Considering DoorDash reported roughly 7 million contractors in 2023, nearly 600,000 partner merchants in 2024, and more than 42 million active users, the number of people touched by the incident could be extensive. 

This latest breach adds to a concerning pattern for the company, which was previously affected by two significant incidents in 2019 and 2022. The 2019 attack exposed information belonging to approximately 5 million customers, Dashers, and merchants, while the 2022 event stemmed from the same campaign that targeted communications provider Twilio. These recurring issues highlight how attractive large consumer platforms remain to cybercriminals. 

For users, the most important step after any data exposure is to immediately update account passwords and ensure they are strong, unique, and not reused across services. A password manager can simplify this process and reduce risk over time. Enabling multi-factor authentication on DoorDash and other critical accounts adds an extra security barrier that often stops attackers even if credentials are stolen. Because personal details were accessed, users should stay alert for phishing messages that may imitate DoorDash or reference suspicious orders. These tactics are common after breaches and can easily lure people into clicking harmful links or providing additional sensitive information. 

Customers may also benefit from using reputable identity theft protection services that monitor financial activity and personal data for signs of misuse. While no single step can eliminate the consequences of a breach, proactive monitoring and cautious digital habits can significantly reduce the likelihood of further harm.
Read more »
Tech Firm
Checkout Data Breach Ransomware ShinyHunters Tech Firm

Checkout Refuses ShinyHunters Ransom, Donates Funds to Cybersecurity Research

 

Checkout, a UK-based financial tech firm, recently suffered a data breach orchestrated by the cybercriminal group ShinyHunters, who have demanded a ransom for stolen merchant data. In response, the company announced it would not pay the ransom but instead donate the equivalent amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research initiatives.

The breach occurred after ShinyHunters gained unauthorized access to a legacy third-party cloud storage system used by Checkout in 2020 and earlier. This system, which had not been properly decommissioned, contained internal operational documents, onboarding materials, and data from a significant portion of company’s merchant base, including past and current customers. The company estimates that less than 25% of its current merchant base was affected by the incident.

The tech firm provides payment processing services to major global brands such as eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, managing billions in merchandise revenue. The company’s systems include a unified payments API, hosted payment portals, mobile SDKs, and plugins for existing platforms, along with fraud detection, identity verification, and dispute management features.

ShinyHunters is an international threat group known for targeting large organizations, often leveraging phishing, OAuth attacks, and social engineering to infiltrate systems and extort ransom payments. The group has recently exploited the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884) and carried out attacks on Salesforce and Drift systems affecting multiple organizations earlier in the year.

Despite the pressure to pay a ransom to prevent the leaked data from being published, Checkout has refused and opted for a different strategy. The company will invest in strengthening its own security infrastructure and protecting its customers more effectively in the future. Additionally, the company has committed to supporting academic research in cybersecurity by channeling the intended ransom funds to prestigious universities.

Checkout has not disclosed the identity of the compromised third-party cloud file storage system or the specific breach method. The company continues to work on bolstering its defenses and has emphasized its commitment to transparency and customer protection. This decision sets a notable precedent for organizations facing ransomware demands, highlighting the importance of proactive security investment and responsible action in the face of cyber threats.
Read more »
Nation-State Attack
Chinese Firm Data Breach Data Leak Knownsec Nation-State Attack

Knownsec Breach Exposes Chinese State Cyber Weapons and Global Target List

 

A major data breach at the Chinese security firm Knownsec has exposed more than 12,000 classified documents, providing unprecedented insight into the deep connections between private companies and state-sponsored cyber operations in China. The leaked files reportedly detail a wide array of cyber capabilities, including the use of Remote Access Trojans (RATs) that are capable of infiltrating systems across Windows, Linux, macOS, iOS, and Android platforms.

This breach not only highlights technical vulnerabilities but also reveals how companies like Knownsec can be embedded in national level cyber programs, sometimes carrying out operations on behalf of government agencies. Among the most notable data included in the leak were records stolen from international sources: 95GB of immigration data from India's national databases, 3TB of call logs from South Korea’s LG U Plus, and 459GB of transportation data from Taiwan.

Experts investigating these materials discovered spreadsheets listing 80 foreign targets, including major critical infrastructure and telecommunications enterprises across more than twenty countries and regions, with Japan, Vietnam, India, Indonesia, Nigeria, and the UK among them. The files also described specialized malware for Android—capable of extracting information from popular Chinese messaging apps and Telegram—and referenced the use of hardware-based hacking devices, such as a malicious power bank designed to covertly upload data to victim systems.

Despite efforts to remove the leaked materials from platforms such as GitHub, the contents have already spread among researchers and intelligence circles, offering an unusual glimpse into China’s cyber ecosystem and the scale of its operations. The exposure demonstrates the breadth, organization, and sophistication of these campaigns, suggesting far more coordination between security firms and state entities than previously understood.

In response, Beijing has officially denied any knowledge of a Knownsec breach, reiterating its opposition to cyberattacks but stopping short of disavowing links between the state and private cyber intelligence actors. The researchers emphasize that standard antivirus and firewall protections alone are insufficient against such advanced threats and highlights the need for a multi-layered cyber defense strategy incorporating real-time monitoring, rigorous network segmentation, and AI-driven threat detection to adequately protect organizations from these sophisticated forms of infiltration.
Read more »
Subscribe to: Comments (Atom)