Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Leak. Show all posts
data security
ADT ADT data breach customer data leak customer data privacy Data Breach Data Extortion Data Leak data security

ADT Data Breach Confirmed After ShinyHunters Threatens Leak of Stolen Customer Information

 

Now comes word that ADT, a provider of home security systems, suffered a data breach following threats by the hacking collective ShinyHunters to expose purloined records if payment isn’t made. This event joins others recently where attackers gain access via compromised credentials or outside service providers. 

On April 20, the company noticed unusual activity within its systems - response teams moved quickly to limit exposure and launch a review from within. It turned out some customer and prospective customer details were reached and copied by those responsible. Names, contact numbers, and home locations made up most of what was seen; in a few cases, birth dates showed up alongside incomplete identification digits used for tax or government purposes. Though only a narrow collection of files was involved, steps followed to assess how far the breach extended. 

What ADT made clear is that financial details of high sensitivity stayed secure. It turned out bank accounts, credit cards, along with any payment records, remained untouched through the incident. On top of this, home security setups and active monitoring kept running without interference. Evidently, the breach never reached operational systems - only certain data areas felt its effect. After claims surfaced on a hacker forum, ShinyHunters stated they accessed more than 10 million records - some containing personal details and private business files. 
Despite the threat to publish everything unless met with demands, confirmation of the full extent remains unverified by ADT. Still, notification letters have gone out to impacted users during ongoing review efforts. What happens next depends on internal assessments already underway. One claim points to vishing as the starting point - a tactic aimed at one worker. Posing as known contacts, hackers won entry through a company-wide login system. 

Once inside, they navigated sideways into linked environments without immediate detection. Access likely extended to cloud services including Salesforce, where information was pulled from storage. Identity theft now drives many cyber intrusions, moving past old tactics that hunted software bugs. Instead of probing code flaws, hackers aim at sign-in systems like Okta, Microsoft Entra, or Google logins. Breaching one verified profile opens doors to numerous company tools. 

With entry secured, stolen information gets pulled out quietly. That data then becomes leverage - no malware needed to lock files. What happened lately isn’t new for ADT - earlier leaks of staff and client details came out earlier this year. Facing repeated issues, many companies struggle to protect digital identities while handling permissions in linked platforms. 

Still under investigation, the incident highlights how often social engineering now shapes current cyber attacks. Rather than exploiting software flaws, hackers rely on mistakes people make - slipping past defenses by tricking users. 

Because of this shift, training staff to spot risks matters just as much as strong login protections. Preventing future breaches depends less on technology alone, more on understanding human behavior. Awareness becomes a shield when passwords fail.
Read more »
Stryker
Business Security Cyber Attacks Data Leak Medical Tech Stryker

Stryker Attack Wipes Thousands of Devices Without Malware

 

Stryker’s latest cyber incident is a stark reminder that attackers do not always need malware to cause major damage. The medical technology company said the breach was confined to its internal Microsoft environment and did not affect its products, including connected and life-saving devices, which remain safe to use. Even so, the attack disrupted business operations and forced customers to place orders manually while electronic ordering systems stayed offline. 

According to the report, the incident was not a ransomware attack, and Stryker emphasized that no malware was deployed on its systems. Instead, the threat actor appears to have used legitimate Microsoft Intune tools to remotely wipe devices after compromising an administrator account and creating a new Global Administrator account. That method made the attack especially dangerous because it relied on trusted enterprise controls rather than suspicious malicious software. 

The scale of the wipe was severe. A source familiar with the attack told BleepingComputer that nearly 80,000 devices were erased between 5:00 and 8:00 a.m. UTC on March 11. Employees across multiple countries reportedly woke up to find company-managed laptops and mobile devices wiped overnight. The group Handala, believed to be linked to Iran, claimed responsibility and said it had destroyed over 200,000 systems and stolen 50 terabytes of data, though investigators did not confirm those claims. 

What makes this case notable is that the attack appears to have used “living off the land” tactics, meaning the intruder abused legitimate administrative access rather than deploying custom code. That approach can be harder to detect because security tools often look for malware signatures or known exploit behavior, not authorized commands executed by a compromised admin account. The result is a fast, high-impact disruption that can spread across a corporate fleet in hours. 

For enterprises, the Stryker case reinforces the need for stronger identity protection, tighter administrator controls, and better monitoring of cloud management platforms. Privileged access should be minimized, account creation should be closely audited, and wipe capabilities should require strong checks before execution. In this incident, the attacker did not need an exploit or a virus; a stolen credential and a legitimate tool were enough to cripple a large organization.
Read more »
Hacking Group
Cyber Security Ransomware Attacks Data Breach Data Leak Data protection data security Hacker attack Hacking Group

ShinyHunters Targets McGraw Hill In Salesforce Data Leak Dispute Over Breach Scope

 

A breach at McGraw Hill came to light when details appeared on a leak page run by ShinyHunters, a hacking collective now seeking payment. Appearing online without warning, the listing suggested sensitive data had been taken. The firm acknowledged something went wrong only after outsiders pointed to the published claims. Instead of silence, there followed a brief statement - no elaborate explanations, just confirmation. What exactly was accessed remains partly unclear, though the criminals promise more leaks if demands go unmet. Their method? Take data first, then pressure victims publicly through exposure. 

Though the collective says it pulled around 45 million records from Salesforce setups, McGraw Hill challenges how serious the incident really was. A flaw in a cloud-based Salesforce setup - misconfigured, not hacked - led to what occurred, according to the company. Public release looms unless money changes hands by their stated date. Not a breach of core infrastructure, they clarify. Timing hinges on whether terms get fulfilled. What surfaced came via access error, not forced entry. 

Later came confirmation from the firm: only minor data sat exposed through a public page tied to Salesforce. Not part of deeper networks - systems handling daily operations stayed untouched. Customer records? Still secure. Educational material platforms? Unreached. Personal identifiers like income traces or school files showed no signs of exposure. The breach never reached those layers. A single weak link elsewhere might open doors wider than expected. Problems often start outside core networks, hidden in connected tools. 

One misstep in setup could ripple across several teams relying on Salesforce. When outside systems slip, sensitive details sometimes follow. Security gaps far from the main system still carry risk close to home. What seems distant can quickly become immediate. Even with those reassurances, ShinyHunters insists the breached records include personal details - setting their version against the firm’s own review. Contradictions like this often surface when attacks aim to extort, as hackers sometimes inflate what they took to push targets into responding. 

Now operating at a steady pace, ShinyHunters stands out within the underground scene by focusing less on locking files and more on quietly siphoning information. Instead of scrambling networks, they pressure victims using material already taken - payment demands follow exposure threats. Their name surfaced after breaches hit well-known companies, where leaked datasets served as leverage. Rather than causing immediate downtime, their power lies in what could be revealed. 

What stands out lately is how this group exploited a security gap at Anodet, an analytics company, gaining entry through leaked access tokens aimed squarely at cloud-based data systems. Alongside that incident came the public drop of massive corporate datasets - another sign their main goal remains pulling vast amounts of information from high-profile targets. Among recent breaches, the one involving McGraw Hill stands out - not because of its scale, but due to how it reveals weaknesses hidden within standard cloud setups. 

Instead of breaking through strong defenses, hackers often slip in via small errors made during setup steps handled by outside teams. What makes this case notable is less about immediate damage, more about what follows: sensitive information pulled quietly into unauthorized hands. While systems keep running without interruption, stolen data becomes the weapon - threatening public release unless demands are met. 

Over time, such tactics have shifted the focus of digital attacks away from crashes toward silent leaks. With probes still underway, one thing becomes clear: oversight of outside connections matters more now than ever. When digital intruders challenge what companies say, credibility hinges on openness. Tight rules around setup adjustments help reduce weak spots. How firms handle disclosures can shape public trust just as much as technical fixes. Clarity during crises often separates measured responses from confusion.
Read more »
leaked sensitive data
cybercriminals Ransomware Attack Data Breach Data Hackers Data Leak data security Hacker attack leaked sensitive data

Qilin Ransomware Targets Die Linke in Suspected Politically Motivated Cyberattack

 

A major digital attack hit Die Linke when hackers using the name Qilin said they broke into internal networks and copied confidential files. Because of this breach, private details may appear online unless demands are met - raising alarms about rising cyber threats tied to political agendas across European nations. 

On March 27, the group made public what had just been noticed - odd behavior inside their digital setup. Though Die Linke admitted someone got in without permission, they did not at once call it a complete breakdown of data safety. Later signs point toward intruders possibly reaching inner networks. Some organizational details might now be exposed. One report suggests hackers aimed at company systems plus staff details, mainly tied to central offices. 

What got taken stays uncertain right now - no clear picture on volume or leaks so far. Still, authorities admit: chances of sensitive material being exposed feel real enough. Though gaps remain in understanding the full reach, concern holds steady. Notably, Die Linke confirmed its member records stayed untouched. That means information tied to more than 123,000 individuals likely avoided exposure. 

So, the incident may be narrower than first feared. Early in April, the Qilin ransomware crew named Die Linke among those hit, posting details on their public leak page. Despite holding back actual files until now, these moves often aim to push targets toward payment. Pressure builds when sensitive material might go live - this is how cyber gangs tighten control mid-talks. Something like this might point beyond mere hacking. Die Linke sees signs of coordination, possibly tied to Russian-speaking cybercriminal networks. Not accidental, they argue - the timing matters. 

A move within wider hybrid campaigns emerges here, blending digital strikes with influence efforts. Institutions become targets when data breaches align with disinformation. Cyber actions gain weight when paired with political pressure. This event fits a pattern some have seen before. Digital intrusions serve larger goals when linked to real-world disruption. Following the incident, German officials received official notification along with submission of a criminal report. To examine the security lapse, limit consequences, and repair compromised infrastructure, outside cyber specialists are now assisting the organization. 

Far from unique, such attacks mirror past patterns seen in Germany. State-backed hacking efforts have struck before - especially those tied to APT29 - with political groups often in their sights. Surprisingly, cyber operations against Die Linke reveal how digital security now intertwines with global power struggles - political groups face rising risks from attackers motivated by profit or belief alike. 

While once seen as separate realms, online threats today frequently mirror international tensions, pulling parties like Die Linke into the crosshairs without warning. Because motives differ, so do methods; yet all exploit vulnerabilities in systems meant to serve public discourse. Thus, a breach isn’t merely technical - it reflects broader shifts in who gets targeted, and why.
Read more »
User Privacy
Chrome Extensions Data Breach Data Leak Linkedin User Privacy

LinkedIn Secretly Scans 6,000+ Chrome Extensions, Collects Device Data

 

LinkedIn is facing renewed scrutiny after a report alleged that its website secretly scans browsers for more than 6,000 Chrome extensions and collects device data tied to user profiles . The company says the detection is meant to identify scraping and other policy-violating extensions, not to infer sensitive personal information.

LinkedIn’s critics say the practice goes far beyond basic security checks because the platform can connect extension data to real identities, employers, and job roles. That makes the scanning especially controversial, since the results could reveal which tools workers or companies use, including products that compete with LinkedIn’s own sales offerings.

BleepingComputer said it independently confirmed part of the behavior during testing, observing a LinkedIn-loaded JavaScript file with a randomized name that checked for 6,236 browser extensions . The script reportedly did this by probing extension-related file resources, a known method for determining whether specific extensions are installed . 

The report also says the script gathers broader browser and device details, including CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio information, and storage features . That kind of data can contribute to browser fingerprinting, which may allow websites to build a more unique profile of a visitor across sessions . 

LinkedIn, however, rejects the allegation that it is using the data to profile users in a harmful way . The company says it looks for extensions that scrape data without consent or violate its terms, and that it uses the findings to improve defenses and protect site stability . The dispute also appears to be tied to a broader legal fight involving a LinkedIn-related browser extension developer, with LinkedIn pointing to a German court ruling that sided with the company .
Read more »
Information Security
Cyber Breach Cyber Security Cyberattacks Data Exposure Data Leak Data Privacy data security Information Security

Mazda Reports Limited Data Exposure After Warehouse System Breach

 

Early reports indicate Mazda Motor Corporation faced a data leak following suspicious activity uncovered in its systems during December 2025. Information belonging to staff members, along with details tied to external partners, became accessible due to the intrusion. Investigation results point to a weak spot found within software managing storage logistics. This particular setup supports component sourcing tasks based in Thailand. Findings suggest the flaw allowed outside parties to enter without permission. 

Despite early concerns, investigators confirmed the breach touched only internal systems - no client details were involved. A count later showed 692 records may have been seen by unauthorized parties. Among what was accessed: login codes, complete names, work emails, firm titles, along with tags tied to collaboration networks. What escaped exposure? Anything directly linked to customers. 

After finding the issue, Mazda notified Japan’s privacy regulator while launching a probe alongside outside experts focused on digital security. So far, no signs have appeared showing the leaked details were exploited. Still, people touched by the event are being urged to watch closely for suspicious messages or fraud risks tied to the breach. Despite limited findings now, caution remains key given how personal information might be used later.  

Mazda moved quickly, rolling out several upgrades to protect its digital infrastructure. With tighter controls on who can enter systems, fewer services exposed online now limit entry points. Patches went live where needed most, closing known gaps before they could be used. Monitoring grew sharper, tuned to catch odd behavior faster than before. Each change connects to a clear goal - keeping past problems from repeating. Protection improves not by one fix but through layers put in place over time. 

Mazda pointed out the breach showed no signs of ransomware or malicious software, yet operations remain unaffected. Though certain hacking collectives once said they attacked Mazda’s networks, the firm clarified this event holds no connection - no communication from any threat actor occurred. 

Now more than ever, protection across suppliers and daily operations demands attention - the car company keeps watch, adjusts defenses continuously. Emerging risks push updates to digital safeguards forward steadily.
Read more »
underground hacking forums
data breach forum shutdown Data Leak Europol cybercrime operation LeakBase takedown underground hacking forums

Global Crackdown Dismantles LeakBase Data Breach Forum, Dozens Targeted in Europol Operation

 

A large-scale international law enforcement effort has reportedly led to multiple arrests as authorities moved to shut down a well-known underground data leak marketplace.

Europol revealed details of a coordinated operation that successfully dismantled LeakBase, a platform it described as “established itself as a central hub in the cybercrime ecosystem”.

Launched in 2021, the forum rapidly grew in scale, amassing over 142,000 registered members within four years. During this time, users created approximately 32,000 posts and exchanged more than 215,000 private messages. Operating openly on the web and primarily in English, the platform enabled users to trade and distribute stolen or compromised data sourced from individuals and organizations worldwide. Notably, content related to Russia was prohibited, with the forum restricting any sale or publication of such data.

On March 3, 2026, authorities from multiple countries carried out nearly 100 coordinated actions, including house searches, “knock-and-talk” interventions, and arrests as part of the crackdown.

While officials did not disclose the exact number of individuals detained, their locations, or specific charges, they confirmed that enforcement measures were taken against 37 of the forum’s most active participants.

The following day, authorities seized control of the forum’s domain and replaced its content. Investigators also obtained the platform’s database, which is now being analyzed to identify users. Officials have reportedly already “engaged directly with several suspects”.

“This operation shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable,” said Edvardas Å ileris, Head of Europol’s European Cybercrime Centre.

“This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.”
Read more »
France
Cyber Attacks Data Leak FICOBA Financial Fraud France

French FICOBA Breach Exposes 1.2M Bank Accounts

 

A major cyberattack struck France's national bank account registry, FICOBA, exposing sensitive data from over 1.2 million accounts.The breach occurred in late January 2026 when hackers stole login credentials from a civil servant and impersonated an authorized user to access the database. This incident highlights vulnerabilities in government systems handling financial records.

FICOBA serves as France's central repository for all bank accounts opened in domestic institutions, storing identifiers like RIB and IBAN numbers, holder names, and postal addresses. Attackers extracted this information but could not access balances or perform transactions, according to officials. The French Ministry of Finance confirmed tax IDs were not compromised, though early reports varied.

Authorities detected the intrusion swiftly, immediately restricting access and taking the database offline temporarily.It was restored with enhanced security measures after collaboration with the National Cybersecurity Agency (ANSSI). A formal complaint was filed with the National Commission for Information Technology and Civil Liberties (CNIL), and notifications are underway to affected individuals and banks.

The exposure raises alarms for phishing scams and SEPA direct debit fraud, with banks already noting increased suspicious SMS and emails.Criminals could exploit IBANs and personal details for identity theft or unauthorized payments. French tax authorities warn they never request banking info via unsolicited messages.

Safety recommendations 

To protect yourself post-breach, monitor bank statements daily for unauthorized activity and enable transaction alerts. Change passwords on financial accounts, using unique strong ones via a password manager, and activate multi-factor authentication (MFA) everywhere possible. Avoid clicking links in unsolicited emails or texts claiming breach notifications—contact your bank directly through official apps or sites.

Further, freeze credit reports if available in your country to block new accounts in your name, and consider credit monitoring services. Report suspicious activity to your bank and local cyber police immediately.Regularly update software and use antivirus tools to prevent credential theft, emphasizing least-privilege access in organizations. These steps minimize risks from exposed data like in the FICOBA incident.
Read more »
Google Gemini
API Keys Data Breach Data Leak Google Gemini

Google API Keys Expose Gemini AI Data via Leaked Credentials

 

Google API keys, once considered harmless when embedded in public websites for services like Maps or YouTube, have turned into a serious security risk following the integration of Google's Gemini AI assistant. Security researchers at Truffle Security uncovered this issue, revealing that nearly 3,000 live API keys—prefixed with "AIza"—are exposed in client-side JavaScript code across popular sites.

Truffle Security's scan of the November 2025 Common Crawl dataset, which captures snapshots of major websites, identified 2,863 active keys from diverse sectors including finance, security firms, and even Google's own infrastructure. These keys, deployed sometimes years ago (one traced back to February 2023), were originally safe as mere billing identifiers but gained unauthorized access to Gemini endpoints without developers' knowledge.Attackers can simply copy a key from page source, authenticate to Gemini, and extract sensitive data like uploaded files, cached contexts, or datasets via simple prompts.

The danger extends beyond data theft to massive financial abuse, as Gemini API calls consume tokens that rack up charges—potentially thousands of dollars daily per compromised account, depending on the model and context window. Truffle Security demonstrated this by querying the /models endpoint with exposed keys, confirming access to private Gemini features. One reported case highlighted an $82,314 bill from a stolen key, underscoring the real-world impact.

Google acknowledged the flaw as "single-service privilege escalation" after Truffle's disclosure on November 21, 2025, and implemented fixes by January 2026, including blocking leaked keys from Gemini access, defaulting new AI Studio keys to Gemini-only scope, and sending proactive leak notifications. Despite these measures, the "retroactive privilege expansion" caught many off-guard, as enabling Gemini in projects silently empowered old keys.

Developers must immediately audit Google Cloud projects for Gemini API enablement, rotate all exposed keys, and restrict scopes to essentials—avoiding the default "unrestricted" setting. Tools like TruffleHog can scan code repositories for leaks, while regular monitoring prevents future exposures in an era where AI services amplify API risks. This incident highlights the need for vigilance as cloud features evolve.
Read more »
Personal Data
Cloud Conduent Cyber Attacks Data Leak Personal Data

Conduent Leak: One of the Largest Breaches in The U.S


Conduent, a business that offers printing, payment, and document processing services to some of the biggest health insurance companies in the nation, has had at least 25 million people's personal information stolen. Addresses, social security numbers, and health information were exposed to ransomware hackers in what some have already dubbed one of the biggest data breaches in American history. 

According to a letter the business issued online, Conduent initially learned it was the victim of a "cyber incident" more than a year ago on January 13, 2025. The actual breach occurred between October 21, 2024, and January 13, 2025, and it included Conduent's data because the company offers services to health plans.

Names, social security numbers, health insurance details, and unspecified medical information were among the data. In its notice, the business stressed that "not every data element was present for every individual," which implies that some individuals may have had their health insurance information taken but not their social security number, or vice versa. 

According to Bleeping Computer, the Safepay ransomware organization claimed responsibility for the attack, which allegedly captured more than 8 gigabytes of data. Conduent stated online, "Presently, we are unaware of any attempted or actual misuse of any information involved in this incident," while it is unclear if Safepay has demanded payment for the information's recovery.

10.5 million people were affected by the incident, according to Oregon's consumer protection website, although it's unknown how many people in Oregon alone were affected. According to Wisconsin, the national total is more than 25 million. 

Notifications have also been sent to residents of other states, such as California, Delaware, Massachusetts, New Hampshire, and New Mexico. According to the state's attorney general, just 374 people's data was compromised in Maine, one of the states with very tiny numbers. Conduent, a New Jersey-based company, did not reply to emails on Tuesday inquiring about the full extent of the incident and what victims could do about it.

Conduent is providing free credit monitoring and identity restoration services through Epiq to certain individuals, but those affected must join before April 30, 2026, according to a letter given to victims in California.

Read more »
leaked sensitive data
API Keys Data Breach Data Leak Data protection Data Safety User Data data security leaked sensitive data

Critical better-auth Flaw Enables API Key Account Takeover

 

A flaw in the better-auth authentication library could let attackers take over user accounts without logging in. The issue affects the API keys plugin and allows unauthenticated actors to generate privileged API keys for any user by abusing weak authorization logic. Researchers warn that successful exploitation grants full authenticated access as the targeted account, potentially exposing sensitive data or enabling broader application compromise, depending on the user’s privileges. 

The better-auth library records around 300,000 weekly downloads on npm, making the issue significant for applications that rely on API keys for automation and service-to-service communication. Unlike interactive logins, API keys often bypass multi-factor authentication and can remain valid for long periods. If misused, a single key can enable scripted access, backend manipulation, or large-scale impersonation of privileged users. 

Tracked as CVE-2025-61928, the vulnerability stems from flawed logic in the createApiKey and updateApiKey handlers. These functions decide whether authentication is required by checking for an active session and the presence of a userId in the request body. When no session exists but a userId is supplied, the system incorrectly skips authentication and builds user context directly from attacker-controlled input. This bypass avoids server-side validation meant to protect sensitive fields such as permissions and rate limits. 

In practical terms, an attacker can send a single request to the API key creation endpoint with a valid userId and receive a working key tied to that account. The same weakness allows unauthorized modification of existing keys. Because exploitation requires only knowledge or guessing of user identifiers, attack complexity is low. Once obtained, the API key allows attackers to bypass MFA and operate as the victim until the key is revoked. 

A patched version of better-auth has been released to fix the authorization checks. Organizations are advised to upgrade immediately, rotate potentially exposed API keys, review logs for suspicious unauthenticated requests, and tighten key governance through least-privilege permissions, expiration policies, and monitoring. 

The incident highlights broader risks tied to third-party authentication libraries. Authorization flaws in widely adopted components can silently undermine security controls, reinforcing the need for continuous validation, disciplined credential management, and zero-trust approaches across modern, API-driven environments.
Read more »
User Privacy
Conduent Data Breach Data Leak Ransomware attack User Privacy

Conduent Data Breach Expands to Tens of Millions of Americans

 

A massive data breach at Conduent, a leading government technology contractor, has escalated dramatically, now affecting tens of millions of Americans across multiple states. Initially detected in January 2025, the intrusion originated from an unauthorized access on October 21, 2024, allowing hackers to lurk undetected for nearly three months. Recent disclosures reveal the scope far exceeds early estimates, with Texas alone reporting 15.4 million victims, Oregon 10.5 million, and additional hundreds of thousands in Washington, Maine, and beyond.

Conduent provides critical back-end services like payments, printing, and processing for state agencies, transit systems, and insurers serving over 100 million users nationwide. The stolen data trove includes highly sensitive details: names, Social Security numbers, dates of birth, medical records, health insurance IDs, and treatment information. This breach, linked to ransomware group SafePay, exposes victims to severe identity theft and fraud risks, prompting lawsuits and regulatory scrutiny.

The cyberattack disrupted operations briefly, delaying child support payments in states like Wisconsin and affecting insurers such as Premera Blue Cross and Blue Cross Blue Shield of Montana. Conduent, aided by Palo Alto Networks and other forensics experts, secured systems swiftly but incurred $25 million in direct response costs by Q1 2025. No misuse of data has surfaced as of late 2025 notifications, but experts warn of looming phishing and extortion campaigns.

Legal fallout has been swift, with at least nine class-action suits filed over the 10.5 million+ record exposure, marking it as 2025's largest healthcare breach.Notifications began rolling out in October 2025 to state attorneys general in Maine, California, and others, advising credit freezes and fraud alerts—without offering free monitoring. Victims, primarily government program beneficiaries, face heightened vulnerability in an era of persistent ransomware targeting public sector vendors.

Cybersecurity analysts highlight Conduent's prolonged undetected access as a stark reminder of supply chain risks in govtech. The firm's SEC filings underscore ongoing financial strain from notifications and potential liabilities. As investigations continue into 2026, this incident amplifies calls for stricter vendor oversight and zero-trust architectures in handling citizen data.

In response, affected states and insurers urge proactive measures: monitor credit reports, enable multi-factor authentication, and watch for suspicious IRS or healthcare scams. Conduent assures full cooperation with authorities, but the ballooning victim count underscores the fragility of centralized data troves in government services.This breach serves as a pivotal case study in evolving cyber threats to public infrastructure.
Read more »
ShinyHunters
Data Breach Data Leak Harvard Breach Upenn Hack ShinyHunters

ShinyHunters Leak Exposes Harvard and UPenn Personal Data

 

Hacking group ShinyHunters has reportedly published more than a million records stolen from Harvard University and the University of Pennsylvania (UPenn) on its dark web site, putting a vast trove of sensitive personal data within reach of cybercriminals worldwide. The leaked data appears to contain sensitive details about the students, employees, alumni, donors, and family members of the breached organizations. This has expanded the scope of the compromised data to a wide range of people. Initial verification of the leaked data has revealed that at least some of the leaked data is genuine. 

The UPenn breach is believed to have begun in early November 2025, when the hackers gained access to an employee’s single sign-on (SSO) account by claiming to have obtained full access to the UPenn employee’s SSO account. This has essentially turned the SSO account into a master key that has allowed the hackers to access the UPenn VPN system, Salesforce data, the Qlik analytics platform, SAP business intelligence tools, and SharePoint. During the course of the attack, the hackers also used the compromised login credentials to send offensive emails to 700,000 people. Initially, UPenn believed that the emails were fake, but they later turned out to be real.

Harvard confirmed a related compromise roughly three weeks after the UPenn disclosure, tying its own incident to a successful voice phishing (vishing) campaign. In this case, attackers are said to have infiltrated Alumni Affairs and Development systems, exposing data on past and present students, donors, some faculty and staff, and even spouses, partners, and parents of alumni and students. The stolen records reportedly include names, dates of birth, home addresses, phone numbers, estimated net worth, donation history, and sensitive demographic attributes such as race, religion, and sexual orientation.

Unlike traditional ransomware operations that both encrypt systems and steal data, ShinyHunters appears to have focused solely on data theft and extortion, deploying no encryptors in these campaigns. The group allegedly attempted to negotiate payment in cryptocurrency in exchange for promising to delete the stolen files, following the now-common double extortion model. When talks broke down and the universities did not pay, the hackers responded by dumping the data openly on their dark web leak site, amplifying the risk of identity theft, harassment, and targeted scams for victims.

For Harvard and UPenn, the breaches highlight the dangers of over-reliance on SSO accounts and human-centric weaknesses such as vishing, where convincing phone calls trick staff into revealing or approving access. For affected individuals, the publication of highly personal and demographic information raises concerns around fraud, doxxing, discrimination, and reputational harm that could persist for years. The incidents reinforce the need for stronger multifactor authentication, rigorous phishing and vishing awareness training, and tighter controls around high-value institutional accounts holding large volumes of sensitive data.
Read more »
Offline Security
Air Gaps Black hat Cyber Security Data Leak Offline Security

Black Hat Researcher Proves Air Gaps Fail to Secure Data

 

Air gaps, long hailed as the ultimate defense for sensitive data, are under siege according to Black Hat researcher Mordechai Guri. In a compelling presentation, Guri demonstrated multiple innovative methods to exfiltrate information from supposedly isolated computers, shattering the myth of complete offline security. These techniques exploit everyday hardware components, proving that physical disconnection alone cannot guarantee protection in high-stakes environments like government and military networks.

Guri's BeatCoin malware turns computer speakers into covert transmitters, emitting near-ultrasonic sounds inaudible to humans but detectable by nearby smartphones up to 10 meters away. This allows private keys or other secrets to leak out effortlessly. Even disabling speakers fails, as Fansmitter modulates fan speeds to alter blade frequencies, creating acoustic signals receivable by listening devices within 8 meters. For scenarios without microphones, the Mosquito attack repurposes speakers as rudimentary microphones via GPIO manipulation, enabling ultrasonic data transmission between air-gapped machines.

Electromagnetic exploits further erode air-gap defenses. AirHopper manipulates monitor cables to radiate FM-band signals, capturable by a smartphone's built-in receiver. GSMem leverages CPU-RAM pathways to generate cellular-like transmissions detectable by basic feature phones, while USBee transforms USB ports into antennas for broad leakage. These methods highlight how standard peripherals become unwitting conduits for data escape.

Faraday cages, designed to block electromagnetic waves, offer no sanctuary either. Guri's ODINI attack generates low-frequency magnetic fields from CPU cores, penetrating these shields.PowerHammer goes further by inducing parasitic signals on building power lines, tappable by attackers monitoring electrical infrastructure.Such persistence underscores the vulnerability of even fortified setups.

While these attacks assume initial malware infection—often via USB or insiders—real-world precedents like Stuxnet validate the threat. Organizations must layer defenses with anomaly detection, hardware restrictions, and continuous monitoring beyond mere air-gapping. Guri's work urges a reevaluation of "secure" isolation strategies in an era of sophisticated side-channel threats.
Read more »
Spain
Data Breach Data Leak Education ministry of science Online Platforms Spain

Spain’s Science Ministry Partially Shuts Online Systems After Suspected Cyber Incident

 



Spain’s Ministry of Science, Innovation and Universities has temporarily disabled parts of its digital infrastructure following what it described as a technical problem. The disruption has affected several online services used by citizens, universities, researchers, and businesses for official procedures and submissions. These platforms support important administrative functions and process sensitive information, which is why access was restricted as a precaution.

The ministry oversees national science policy, research programs, innovation initiatives, and higher education administration. Its systems handle high-value data, including academic and research records, application materials, and personal information linked to students and professionals. Because of the incident, multiple digital services were made unavailable, and active procedures were placed on hold to limit any potential risk to data or system integrity.

In a public notice on its official website, the ministry stated that the incident is under technical assessment and did not disclose further details at the time. The announcement clarified that the ministry’s online portal is only partially operational and that ongoing administrative processes have been paused to protect the rights and lawful interests of affected users. To reduce the impact of the outage, authorities confirmed that deadlines for affected procedures will be extended in line with Spain’s administrative law provisions, so applicants and institutions are not penalized for delays caused by the shutdown.

Separately, claims surfaced on underground online platforms from an individual alleging unauthorized access to the ministry’s systems. The person shared what they presented as sample data to support the claim and stated that additional information was available for sale. The material reportedly includes personal records, email information, application-related documents, and images of official paperwork. These claims have not been independently verified, and the online space where the samples were shared later became inaccessible.

The same individual alleged that access was gained by exploiting a security weakness that can allow users to reach restricted resources without proper authorization. Such flaws, when present in web applications, can expose internal systems if not properly secured. At this stage, the technical details of the claim remain unconfirmed by authorities.

Spanish media outlets have reported that a ministry spokesperson acknowledged that the service disruption is linked to a cybersecurity incident. However, officials have not confirmed whether any data was accessed or taken, nor have they outlined the scope of any potential compromise. The ministry has indicated that investigations are ongoing to determine what occurred and to restore services safely.

Cybersecurity experts consistently warn that public sector systems are frequent targets because of the volume and sensitivity of data they manage. Strong access controls, continuous monitoring, and timely security updates are critical to reducing exposure to such risks. Further updates from the ministry are expected once technical assessments are completed and the situation is fully clarified.

Read more »
Dating Apps
Consumer Information Cyber Phishing Data Breach Data Leak data security Data Theft dating app security Dating Apps

ShinyHunters Claims Match Group Data Breach Exposing 10 Million Records

 

A new data theft has surfaced linked to ShinyHunters, which now claims it stole more than 10 million user records from Match Group, the U.S. company behind several major swipe-based dating platforms. The group has positioned the incident as another major addition to its breach history, alleging that personal data and internal materials were taken without authorization. 

According to ShinyHunters, the stolen data relates to users of Hinge, Match.com, and OkCupid, along with hundreds of internal documents. The Register reported seeing a listing on the group’s dark web leak site stating that “over 10 million lines” of data were involved. The exposure was also linked to AppsFlyer, a marketing analytics provider, which was referenced as the likely source connected to the incident. 

Match Group confirmed it is investigating what it described as a recently identified security incident, and said some user data may have been accessed. The company stated it acted quickly to terminate the unauthorized access and is continuing its investigation with external cybersecurity experts. Match Group also said there was no indication that login credentials, financial information, or private communications were accessed, and added that it believes only a limited amount of user data was affected. 

It said notifications are being issued to impacted individuals where appropriate. However, Match Group did not disclose what categories of data were accessed, how many users were impacted, or whether any ransom demand was made or paid, leaving key details about the scope and motivation unresolved. Cybernews, which reviewed samples associated with the listing, reported that the dataset appears to include customer personal data, some employee-related information, and internal corporate documents. 

The analysis also suggested the presence of Hinge subscription details, including user IDs, transaction IDs, payment amounts, and records linked to blocked installations, along with IP addresses and location-related data. In a separate post published the same week, ShinyHunters also claimed it had stolen data from Bumble. The group uploaded what it described as 30 GB of compressed files allegedly sourced from Google Drive and Slack. The claims come shortly after researchers reported that ShinyHunters targeted around 100 organizations by abusing stolen Okta single sign-on credentials. The alleged victim list included well-known SaaS and technology firms such as Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral, and ZoomInfo, among others. 

Bumble has issued a statement saying that one contractor’s account had been compromised in a phishing incident. The company said the account had limited privileges but was used for brief unauthorized access to a small portion of Bumble’s network. Bumble stated its security team detected and removed the access quickly, confirmed the incident was contained, engaged external cybersecurity experts, and notified law enforcement. Bumble also emphasized that there was no access to its member database, member accounts, the Bumble app, or member direct messages or profiles.
Read more »
Google security
AI tools Data Breach Data Leak Digital Personal Data Protection Gemini AI Gemini Flaw Gemini vulnerability Google Gemini Google security

Google Gemini Calendar Flaw Allows Meeting Invites to Leak Private Data

 

Though built to make life easier, artificial intelligence helpers sometimes carry hidden risks. A recent study reveals that everyday features - such as scheduling meetings - can become pathways for privacy breaches. Instead of protecting data, certain functions may unknowingly expose it. Experts from Miggo Security identified a flaw in Google Gemini’s connection to Google Calendar. Their findings show how an ordinary invite might secretly gather private details. What looks innocent on the surface could serve another purpose beneath. 

A fresh look at Gemini shows it helps people by understanding everyday speech and pulling details from tools like calendars. Because the system responds to words instead of rigid programming rules, security experts from Miggo discovered a gap in its design. Using just text that seems normal, hackers might steer the AI off course. These insights, delivered openly to Hackread.com, reveal subtle risks hidden in seemingly harmless interactions. 

A single calendar entry is enough to trigger the exploit - no clicking, no downloads, no obvious red flags. Hidden inside what looks like normal event details sits coded directions meant for machines, not people. Rather than arriving through email attachments or shady websites, the payload comes disguised as routine scheduling data. The wording blends in visually, yet when processed by Gemini, it shifts into operational mode. Instructions buried in plain sight tell the system to act without signaling intent to the recipient. 

A single harmful invitation sits quietly once added to the calendar. Only after the user poses a routine inquiry - like asking about free time on Saturday - is anything set in motion. When Gemini checks the agenda, it reads the tainted event along with everything else. Within that entry lies a concealed instruction: gather sensitive calendar data and compile a report. Using built-in features of Google Calendar, the system generates a fresh event containing those extracted details. 

Without any sign, personal timing information ends up embedded within a new appointment. What makes the threat hard to spot is its invisible nature. Though responses appear normal, hidden processes run without alerting the person using the system. Instead of bugs in software, experts point to how artificial intelligence understands words as the real weak point. The concern grows as behavior - rather than broken code - becomes the source of danger. Not seeing anything wrong does not mean everything is fine. 

Back in December 2025, problems weren’t new for Google’s AI tools when it came to handling sneaky language tricks. A team at Noma Security found a gap called GeminiJack around that time. Hidden directions inside files and messages could trigger leaks of company secrets through the system. Experts pointed out flaws deep within how these smart tools interpret context across linked platforms. The design itself seemed to play a role in the vulnerability. Following the discovery by Miggo Security, Google fixed the reported flaw. 

Still, specialists note similar dangers remain possible. Most current protection systems look for suspicious code or URLs - rarely do they catch damaging word patterns hidden within regular messages. When AI helpers get built into daily software and given freedom to respond independently, some fear misuse may grow. Unexpected uses of helpful features could lead to serious consequences, researchers say.
Read more »
Vulnerabilities and Exploits
Cl0p Ransomware Data Leak Korean Air Supply-Chain Attack Vulnerabilities and Exploits

Korean Air Employee Data Exposed in Cl0p Ransomware Supply-Chain Attack

 

Korean Air has acknowledged the theft of sensitive data belonging to 30,000 current and former employees in a serious data breach. The breach occurred via a supply-chain compromise at KC&D Service, the airline's former catering subsidiary. Hackers exploited a critical flaw in Oracle E-Business Suite, tracked as CVE-2025-61882, that enabled code execution remotely without requiring any user interaction or authentication to login. Cl0p ransomware operators claimed responsibility for the attack, and after ransom demands were apparently ignored, they dumped almost 500 GB of stolen archives on their dark web site. 

The intrusion occurred at KC&D, which, though it was sold to Hahn & Company in 2020, was still handling in-flight meals and duty-free services. Korean Air continues to own a 20% stake and has continued sharing employee data through KC&D's ERP server. The attackers targeted Oracle EBS versions 12.2.3 through 12.2.14 to bypass authentication and reach sensitive systems. The vulnerability was publicly disclosed in early October 2025, after initial exploitation that started in August. Although Oracle promptly released patches, the combination of late detection and widespread exposure caused data exfiltration to spread across many victims. 

The stolen information includes full names and bank account numbers, which increases the risk of identity theft, financial fraud and phishing attacks for those whose information was compromised. Importantly, no customer data, including flight records or payment information, was compromised, preventing wider impact on operations. Korean Air on Dec. 29, 2025, advised the employees to be cautious of scams and took emergency security measures, disconnecting the KC&D servers and filing a report with the Korea Internet and Security Agency (KISA).

This attack is reminiscent of the 2023 MOVEit Transfer breach conducted by Cl0p, a similar file-transfer exploit that resulted in the compromise of millions of records from hundreds of companies. Dozens of EBS victims have surfaced, including Envoy Air, Harvard University, Schneider Electric, Emerson, Cox Enterprises, Logitech, and Barts Health NHS Trust, underscoring the campaign's global scale. Cl0p, a Russia-nexus extortion group linked to FIN11, prioritizes data theft over encryption for high-value targets. 

The incident emphasizes enduring supply-chain risk in aviation and enterprise software, underscoring the importance of timely patching, third-party risk assessments, and zero-trust architectures. Korean Air Vice Chairman Woo Kee-hong confirmed full dedication to breach scoping and support for its employees in the midst of South Korea's wave of cyberattacks, which also targeted Coupang and SK Telecom in recent days. Organizations around the globe need to review their Oracle EBS exposures and keep an eye on Cl0p leak sites in order to reduce risk.
Read more »
Personal Information
2FA API Data Breach Data Leak Instagram Meta Personal Information

Instagram Refutes Breach Allegations After Claims of 17 Million User Records Circulating Online

 



Instagram has firmly denied claims of a new data breach following reports that personal details linked to more than 17 million accounts are being shared across online forums. The company stated that its internal systems were not compromised and that user accounts remain secure.

The clarification comes after concerns emerged around a technical flaw that allowed unknown actors to repeatedly trigger password reset emails for Instagram users. Meta, Instagram’s parent company, confirmed that this issue has been fixed. According to the company, the flaw did not provide access to accounts or expose passwords. Users who received unexpected reset emails were advised to ignore them, as no action is required.

Public attention intensified after cybersecurity alerts suggested that a large dataset allegedly connected to Instagram accounts had been released online. The data, which was reportedly shared without charge on several hacking forums, was claimed to have been collected through an unverified Instagram API vulnerability dating back to 2024.

The dataset is said to include information from over 17 million profiles. The exposed details reportedly vary by record and include usernames, internal account IDs, names, email addresses, phone numbers, and, in some cases, physical addresses. Analysis of the data shows that not all records contain complete personal details, with some entries listing only basic identifiers such as a username and account ID.

Researchers discussing the incident on social media platforms have suggested that the data may not be recent. Some claim it could originate from an older scraping incident, possibly dating back to 2022. However, no technical evidence has been publicly provided to support these claims. Meta has also stated that it has no record of Instagram API breaches occurring in either 2022 or 2024.

Instagram has previously dealt with scraping-related incidents. In one earlier case, a vulnerability allowed attackers to collect and sell personal information associated with millions of accounts. Due to this history, cybersecurity experts believe the newly surfaced dataset could be a collection of older information gathered from multiple sources over several years, rather than the result of a newly discovered vulnerability.

Attempts to verify the origin of the data have so far been unsuccessful. The individual responsible for releasing the dataset did not respond to requests seeking clarification on when or how the information was obtained.

At present, there is no confirmation that this situation represents a new breach of Instagram’s systems. No evidence has been provided to demonstrate that the data was extracted through a recently exploited flaw, and Meta maintains that there has been no unauthorized access to its infrastructure.

While passwords are not included in the leaked information, users are still urged to remain cautious. Such datasets are often used in phishing emails, scam messages, and social engineering attacks designed to trick individuals into revealing additional information.

Users who receive password reset emails or login codes they did not request should delete them and take no further action. Enabling two-factor authentication is fiercely recommended, as it provides an added layer of security against unauthorized access attempts.


Read more »
Oracle E-Business Suite
Clop Ransomware Clop Ransomware Gang customer data leak Data Breach Data Leak Data protection data security Oracle E-Business Suite

University of Phoenix Data Breach Exposes Records of Nearly 3.5 Million Individuals

 

The University of Phoenix has confirmed a major cybersecurity incident that exposed the financial and personal information of nearly 3.5 million current and former students, employees, faculty members, and suppliers. The breach is believed to be linked to the Clop ransomware group, a cybercriminal organization known for large-scale data theft and extortion. The incident adds to a growing number of significant cyberattacks reported in 2025. 

Clop is known for exploiting weaknesses in widely used enterprise software rather than locking systems. Instead, the group steals sensitive data and threatens to publish it unless victims pay a ransom. In this case, attackers took advantage of a previously unknown vulnerability in Oracle Corporation’s E-Business Suite software, which allowed them to access internal systems. 

The breach was discovered on November 21 after the University of Phoenix appeared on Clop’s dark web leak site. Further investigation revealed that unauthorized access may have occurred as early as August 2025. The attackers used the Oracle E-Business Suite flaw to move through university systems and reach databases containing highly sensitive financial and personal records.  

The vulnerability used in the attack became publicly known in November, after reports showed Clop-linked actors had been exploiting it since at least September. During that time, organizations began receiving extortion emails claiming financial and operational data had been stolen from Oracle EBS environments. This closely mirrors the methods used in the University of Phoenix breach. 

The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account and routing numbers. While the university has not formally named Clop as the attacker, cybersecurity experts believe the group is responsible due to its public claims and known use of Oracle EBS vulnerabilities. 

Paul Bischoff, a consumer privacy advocate at Comparitech, said the incident reflects a broader trend in which Clop has aggressively targeted flaws in enterprise software throughout the year. In response, the University of Phoenix has begun notifying affected individuals and is offering 12 months of free identity protection services, including credit monitoring, dark web surveillance, and up to $1 million in fraud reimbursement. 

The breach ranks among the largest cyber incidents of 2025. Rebecca Moody, head of data research at Comparitech, said it highlights the continued risks organizations face from third-party software vulnerabilities. Security experts say the incident underscores the need for timely patching, proactive monitoring, and stronger defenses, especially in education institutions that handle large volumes of sensitive data.
Read more »
Subscribe to: Posts (Atom)