Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Databreach. Show all posts
Notepad++
Chinese Actors Cyber Attacks Cyberattack Databreach Notepad++

A Quiet Breach of a Familiar Tool, Notepad++

For six months last year the update system of Notepad++, one of the world’s most widely used Windows text editors, was quietly subverted by hackers linked by investigators to the Chinese state. The attackers used their access not to disrupt the software openly, but to deliver malicious versions of it to carefully chosen targets. 

According to a statement published this week on the project’s official website, the intrusion began in June with an infrastructure-level compromise that allowed attackers to intercept and redirect update traffic meant for notepad-plus-plus.org. Selected users were silently diverted to rogue update servers and served backdoored versions of the application. Control over the update infrastructure was not fully restored until December. 

The developers said the attackers exploited weaknesses in how older versions of Notepad++ verified updates. By manipulating traffic between users and the update servers, they were able to substitute legitimate downloads with malicious ones. 

Although update packages were signed, earlier design choices meant those signatures were not always robustly checked, creating an opening for tampering by a well-resourced adversary. Security researchers say the campaign was highly targeted. 

The attackers installed a previously unknown backdoor, dubbed Chrysalis, which Rapid7 described as a custom and feature-rich tool designed for persistent access rather than short-term disruption. Such sophistication suggests strategic objectives rather than criminal opportunism. 

Independent researcher Kevin Beaumont reported that several organisations with interests in East Asia experienced hands-on intrusions linked to compromised Notepad++ installations, indicating that attackers were able to take direct control of affected systems. 

He had raised concerns months earlier after a Notepad++ update quietly strengthened its updater against hijacking. The episode underlines a broader vulnerability in the global software supply chain. Open-source tools such as Notepad++ are deeply embedded in corporate and government systems, yet are often maintained with limited resources. That imbalance makes them attractive targets for state-backed hackers seeking discreet access rather than noisy disruption. 

Notepad++ developers have urged users to update manually to the latest version and large organisations to consider restricting automated updates. The incident also serves as a reminder that even modest, familiar software can become a conduit for serious espionage when its infrastructure is neglected.
Read more »
Rhysida
California Databreach Exposed Patient Records Healthcare Privacy ransomware attacks Rhysida

Tribal Health Clinics in California Report Patient Data Exposure

 


Patients receiving care at several tribal healthcare clinics in California have been warned that a cyber incident led to the exposure of both personal identification details and private medical information. The clinics are operated by a regional health organization that runs multiple facilities across the Sierra Foothills and primarily serves American Indian communities in that area.

A ransomware group known as Rhysida has publicly claimed responsibility for a cyberattack that took place in November 2025 and affected the MACT Health Board. The organization manages several clinics in the Sierra Foothills region of California that provide healthcare services to Indigenous populations living in nearby communities.

In January, the MACT Health Board informed an unspecified number of patients that their information had been involved in a data breach. The organization stated that the compromised data included several categories of sensitive personal information. This exposed data may include patients’ full names and government-issued Social Security numbers. In addition to identity information, highly confidential medical details were affected. These medical records can include information about treating doctors, medical diagnoses, insurance coverage details, prescribed medications, laboratory and diagnostic test results, stored medical images, and documentation related to ongoing care and treatment.

The cyber incident caused operational disruptions across MACT clinic systems starting on November 20, 2025. During this period, essential digital services became unavailable, including phone communication systems, platforms used to process prescription requests, and scheduling tools used to manage patient appointments. Telephone services were brought back online by December 1. However, as of January 22, some specialized imaging-related services were still not functioning normally, indicating that certain technical systems had not yet fully recovered.

Rhysida later added the MACT Health Board to its online data leak platform and demanded payment in cryptocurrency. The amount requested was eight units of digital currency, which was valued at approximately six hundred sixty-two thousand dollars at the time the demand was reported. To support its claim of responsibility, the group released sample files online, stating that the materials were taken from MACT’s systems. The files shared publicly reportedly included scans of passports and other internal documents.

The MACT Health Board has not confirmed that Rhysida’s claims are accurate. There is also no independent verification that the files published by the group genuinely originated from MACT’s internal systems. At this time, it remains unclear how many individuals received breach notifications, what method was used by the attackers to access MACT’s network, or whether any ransom payment was made. The organization declined to provide further information when questioned.

In its written notification to affected individuals, MACT stated that it experienced an incident that disrupted its information technology operations. The organization reported that an internal investigation found that unauthorized access occurred to certain files stored on its systems during a defined time window between November 12 and November 20, 2025.

The health organization is offering eligible individuals complimentary identity monitoring services. These services are intended to help patients detect possible misuse of personal or financial information following the exposure of sensitive records.

Rhysida is a cybercriminal group that first became active in public reporting in May 2023. The group deploys ransomware designed to both extract sensitive data from victim organizations and prevent access to internal systems by encrypting files. After carrying out an attack, the group demands payment in exchange for deleting stolen data and providing decryption tools that allow victims to regain access to locked systems. Rhysida operates under a ransomware-as-a-service model, in which external partners pay to use its malware and technical infrastructure to carry out attacks and collect ransom payments.

The group has claimed responsibility for more than one hundred confirmed ransomware incidents, along with additional claims that have not been publicly acknowledged by affected organizations. On average, the group’s ransom demands amount to several hundred thousand dollars per incident.

A significant portion of Rhysida’s confirmed attacks have targeted hospitals, clinics, and other healthcare providers. These healthcare-related incidents have resulted in the exposure of millions of sensitive records. Past cases linked to the group include attacks on healthcare organizations in multiple U.S. states, with ransom demands ranging from over one million dollars to several million dollars. In at least one case, the group claimed to have sold stolen data after a breach.

Researchers tracking cybersecurity incidents have recorded more than one hundred confirmed ransomware attacks on hospitals, clinics, and other healthcare providers across the United States in 2025 alone. These attacks collectively led to the exposure of nearly nine million patient records. In a separate incident reported during the same week, another healthcare organization confirmed a 2025 breach that was claimed by a different ransomware group, which demanded a six-figure ransom payment.

Ransomware attacks against healthcare organizations often involve both data theft and system disruption. Such incidents can disable critical medical systems, interfere with patient care, and create risks to patient safety and privacy. When hospitals and clinics lose access to digital systems, staff may be forced to rely on manual processes, delay or cancel appointments, and redirect patients to other facilities until systems are restored. These disruptions can increase operational strain and place patients and healthcare workers at heightened risk.

The MACT Health Board is named after the five California counties it serves: Mariposa, Amador, Alpine, Calaveras, and Tuolumne. The organization operates approximately a dozen healthcare facilities that primarily serve American Indian communities in the region. These clinics provide a range of services, including general medical care, dental treatment, behavioral health support, vision and eye care, and chiropractic services.


Read more »
Privacy
creditmonitoring Cybersecurity Databreach Dataleak Healthcare IdentityTheft labtesting medicalrecords PlannedParenthood Privacy

Over 1.6 Million Affected in Planned Parenthood Lab Partner Data Breach

 

A cybersecurity breach has exposed the confidential health data of more than 1.6 million individuals—including minors—who received care at Planned Parenthood centers across over 30 U.S. states. The breach stems from Laboratory Services Cooperative (LSC), a company providing lab testing for reproductive health clinics nationwide.

In a notice filed with the Maine Attorney General’s office, LSC confirmed that its systems were infiltrated on October 27, 2024, and the breach was detected the same day. Hackers reportedly gained unauthorized access to sensitive personal, medical, insurance, and financial records.

"The information compromised varies from patient to patient but may include the following:
  • Personal information: Name, address, email, phone number
  • Medical information: Date(s) of service, diagnoses, treatment, medical record and patient numbers, lab results, provider name, treatment location
  • Insurance information: Plan name and type, insurance company, member/group ID numbers
  • Billing information: Claim numbers, bank account details, billing codes, payment card details, balance details
  • Identifiers: Social Security number, driver's license or ID number, passport number, date of birth, demographic data, student ID number"

In addition to patient data, employee information—including details about dependents and beneficiaries—may also have been compromised.

Patients concerned about whether their data is affected can check if their Planned Parenthood location partners with LSC via the FAQ section on LSC’s website or by calling their support line at 855-549-2662.

While it's impossible to reverse the damage of a breach, experts recommend immediate protective actions:

Monitor your credit reports (available weekly for free from all three major credit bureaus)

Place fraud alerts, freeze credit, and secure your Social Security number

Stay vigilant for unusual account activity and report potential identity theft promptly

LSC is offering 12–24 months of credit monitoring through CyEx Medical Shield Complete to impacted individuals. Those affected must call the customer service line between 9 a.m. and 9 p.m. ET, Monday to Friday, to get an activation code for enrollment.

For minors or individuals without an SSN or credit history, a tailored service named Minor Defense is available with a similar registration process. The enrollment deadline is July 14, 2025.
Read more »
Vulnerabilities and Exploits
CyberCrime Cyberfrauds Cybersecurity Cyberthreats Darkweb Databreach Hackers Vulnerabilities and Exploits

FortiGate Vulnerability Exposes 15,000 Devices to Risks

 



Fortinet Firewall Data Breach: 15,000 Devices Compromised by Belsen Group

On January 14, 2025, it was reported that the configuration data of over 15,000 Fortinet FortiGate firewalls was leaked on the dark web. The hacker group, identified as Belsen, shared this data for free on its newly created TOR website. The leaked information includes full firewall configurations, plaintext VPN credentials organized by IP address and country, serial numbers, management certificates, and other sensitive data. This breach poses a significant security risk to affected organizations, as it enables attackers to compromise internal networks with ease.

Exploitation of Critical Vulnerabilities

According to cybersecurity analysts, the Belsen Group exploited a zero-day vulnerability, identified as CVE-2022-40684, to obtain the leaked data. This vulnerability, published in 2022, allowed attackers to bypass administrative authentication through specially crafted HTTP/HTTPS requests. By leveraging this flaw, the attackers exfiltrated configuration files containing sensitive details such as passwords, firewall rules, and advanced settings. These files, though obtained in 2022, remained undisclosed until January 2025, significantly increasing the risk exposure for affected organizations.

In response to this ongoing threat, Fortinet released patches for CVE-2022-40684 and announced a new critical authentication bypass vulnerability, CVE-2024-55591, on the same day the leak was disclosed. This new vulnerability is being actively exploited in campaigns targeting FortiGate firewalls, particularly those with public-facing administrative interfaces. Devices running outdated FortiOS versions are especially at risk.

Impact and Recommendations

The leaked configuration files provide a comprehensive map of victim networks, including firewall rules and administrator credentials. Threat actors can exploit this information to:

  • Bypass perimeter defenses and gain unauthorized access to internal networks.
  • Deploy ransomware, perform lateral movement, and exfiltrate sensitive data.
  • Identify additional vulnerabilities within the network architecture to maximize attack impact.

Organizations affected by this breach must take immediate action to mitigate risks. This includes:

  • Updating credentials for all compromised devices.
  • Applying the latest security patches, including fixes for CVE-2022-40684 and CVE-2024-55591.
  • Conducting thorough security audits to identify and address additional vulnerabilities.

Cybersecurity expert Kevin Beaumont has announced plans to release an IP list from the leak to help FortiGate administrators determine if their devices were affected. Meanwhile, security firms like CloudSEK and Arctic Wolf have emphasized the importance of prioritizing updates and vigilance against future exploitation campaigns.

Fortinet devices' history of vulnerabilities has made them frequent targets for cybercriminals and nation-state actors. Addressing these security gaps is crucial to preventing further breaches and protecting sensitive organizational data.

Read more »
Databreach
Crypto Wallet Cryptocurrency Breach Cyber Fraud Cyberattacks Cybersecurity Databreach

$494 Million Stolen in Cryptocurrency Wallet Breaches This Year

 


As a result of the churning threat landscape, new threats are always emerging while others disappear or fade into irrelevance. Wallet drainers trick their victims into signing malicious transactions in order to steal their assets. As the name implies, Wallet Drainer is a malicious malware that is used on phishing websites in order to steal crypto assets through the enticement of users to sign malicious transactions. It was estimated that such attacks would result in an average loss of about $494 million in 2024. 

As part of its web3 anti-scam platform, Scam Sniffer, which has been monitoring wallet drainer activity for some time, these insights are derived. Previously, the platform has flagged attacks that have affected up to 100,000 people at the same time, and these tools are phishing tools that are intended to swindle cryptocurrency from users' wallets through fake or compromised websites, thereby stealing money from the wallets of users. 

As a result of the thefts, 30 large-scale thefts involving more than $1 million were reported, with the largest single heist being worth $55.4 million. As a result of this, the number of victims increased by a whopping 6.7% compared to 2023, suggesting that victims held higher amounts on average. According to web3's anti-scam platform, Scam Sniffer, which has been tracking wallet drainer activity for some time now has reported attack waves that have affected up to 100,000 individuals at the same time. The large-scale theft incidents in 2024 were characterized by distinct phases of fraud, phishing, and other sophisticated methods for stealing digital assets. 

The purpose of wallet drainers is to trick users into connecting their wallets to suspicious websites or applications in order to steal digital assets. The first halff of the year (January-June) saw frequent, but smaller-scale incidents, resulting in individual losses that ranged from $1-8 million. In August and September, major losses accounted for 52% of the year's total large-scale losses, with $55.48 million and $32.51 million losses respectively during August and September. 

There was a significant reduction in both frequency and scale of losses during the final quarter, with individual losses typically ranging between $2-6 million, which indicated a significant improvement in market awareness of security threats. It was announced in the second quarter of this year that a drainer service known as Pink Drainer had halted operations, previously known for impersonating journalists in phishing attacks, used to compromise Discord and Twitter accounts in the name of cryptocurrency theft, has been seen to be a drainer service. This caused a decrease in phishing activity, but the scammers gradually picked up the pace in the third quarter, with the Inferno service taking the lead in August and September by causing $110 million in losses. 

The final quarter of the year was considered to be one of the quieter quarters of the year. The annual losses were only about 10.3% of the total losses recorded during 2024 as a whole. Acedrainer emerged at that time as a major player as well, claiming 20% of the drainer market, according to ScamSniffer. It was reported that a total of 90,000 victims had been identified in the second and third quarters when the losses combined ttotalled$257 million; an additional 30,000 victims had been observed in the fourth quarter, which resulted in $51 million in losses. 

There were more attacks in 2024 than at the beginning of the year, but in August and September, in particular, the two largest attacks of last year were observed, at $55.48 million and $32.51 million, respectively. According to this report, Q1 was the busiest time of the year for phishing website activity, resulting in a high rate of theft. The market adjustments made in the second half of the year, as well as the exit of major drainers such as Pink and Inferno, contributed to reduced activity levels in the second half of the year." Scam Sniffer notes. 

As far as tactics were concerned, scammers became more creative during 2024. A study by Scam Sniffer found a significant increase in the use of fake CAPTCHAs and Cloudflare pages, as well as IPFS deployments in order to evade detection. Attackers are also heavily reliant on specific signature types in order to evade detection. In 56.7% of thefts, the “Permit” signature is used to authorize token expenditure, whereas in 31.9%, the “setOwner” signature is used to change ownership rights or admin rights in smart contracts. 

It was also noted that Google Adwords and Twitter ads were used by attackers to lure victims to phishing websites. Attackers manipulated compromised accounts, bots, and fake token airdrops to reel people in through these channels. 

Defending Against Cryptocurrency Attacks 

Currently, cryptocurrency scams are on the rise, so users need to take proactive measures to protect their assets from being harmed, as the prevalence of these scams is on the rise. It is emphasized by experts that one should only interact with vetted websites to reduce exposure to fraudulent platforms. 

To prevent falling victim to phishing schemes, it is equally important that one verifies URLs meticulously before engaging in any transaction. Additionally, users are encouraged to carefully review the transaction approval prompts in order to verify that the details presented are accurate. The ability to simulate a transaction before proceeding increases the level of security by allowing individuals to identify potential risks before investing money. This is a key recommendation that should not be overlooked as well. 

In addition to these practices, it is also advisable to use the built-in wallet warnings for malicious activities. It is common for modern wallets to provide users with alerts that can help detect suspicious behaviour, allowing them to take action before it's too late. It is also possible to remove unauthorized or suspicious permissions from wallets by using token revocation tools. In addition, as cryptocurrency adoption grows globally, there will come a rising trend towards the sophistication of scams that will accompany it. 

Users must remain vigilant, and use the best practices and tools available to ensure that they navigate this evolving landscape safely and effectively in the future. In a constantly changing threat environment, it will be imperative to maintain a proactive approach to security in order to safeguard digital assets.
Read more »
Third Party Data
Databreach Personal Data Privacy Safety Security Third Party Data

HealthEquity Data Breach Exposes Personal Information

 

HealthEquity, a leading provider of Health Savings Accounts (HSAs), has confirmed a significant data breach affecting potentially 4.3 million customers. The breach, discovered in March but only confirmed in June, involved unauthorized access to a data repository containing sensitive personal information.

The compromised data may include names, addresses, phone numbers, Social Security numbers, employment details, and partial payment card information. However, HealthEquity emphasizes that the specific data exposed varies for each individual.   

In response to the breach, HealthEquity has taken steps to secure the affected data repository and implemented a global password reset for the third-party vendor involved. The company will be notifying impacted individuals in early August about the incident and providing details on the actions they are taking.   

To help protect customers, HealthEquity is offering two years of free credit monitoring and identity theft protection through Equifax. Impacted individuals will receive a notification letter with instructions on how to enroll in this service.   

While no hacker group has claimed responsibility for the breach and no data has been leaked publicly thus far, experts advise affected individuals to remain vigilant. Monitor bank statements, credit reports, and watch for suspicious emails or text messages.

This ongoing situation highlights the importance of protecting personal information and underscores the need for robust security measures by companies handling sensitive data.
Read more »
UK
Cyber Security Data Theft Databreach NHS Ransomware UK

Cybersecurity Expert Warns NHS Still Vulnerable After Major Ransomware Attack

 

A leading cybersecurity expert has warned that the NHS remains at risk of further cyber-attacks unless it updates its computer systems. This stark warning follows a significant ransomware attack that severely disrupted healthcare services across London. 

Prof Ciaran Martin, the founding CEO of the UK's National Cyber Security Centre (NCSC), told the BBC: "I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem." NHS England announced it was increasing its cybersecurity resilience and had invested $338 million over the past seven years to address the issue. 

However, Prof Martin’s warnings suggest more urgent action is necessary. A recent British Medical Association report highlighted the NHS's ageing IT infrastructure, revealing that doctors waste 13.5 million hours annually due to outdated systems - equivalent to 8,000 full-time medics' time. 

 The cyber-attack on 3 June, described by Prof Martin as one of the most serious in British history, targeted Synnovis, a pathology testing organisation. This severely affected services at Guy's, St Thomas', King's College, and Evelina London Children's Hospitals. 

NHS England declared it a regional incident, resulting in 4,913 outpatient appointments and 1,391 operations being postponed, alongside major data security concerns. The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, demanded a $40 million ransom. When the NHS refused to pay, the group published stolen data on the dark web. 

This incident reflects a growing trend of Russian cyber criminals targeting global healthcare systems. Now a professor at the University of Oxford, Prof Martin highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices.

He further said, "In parts of the NHS estate, it's quite clear that some of the IT is out of date." He stressed the importance of identifying "single points of failure" in the system and implementing better backups. 

Additionally, he emphasized that improving basic security measures could significantly hinder attackers, noting: "Those little things make the point of entry quite a lot harder for the thugs to get in." Emphasizing the severity of the recent attack, he said, "It was obvious that this was going to be one of the most serious cyber incidents in British history because of the disruption to healthcare."
Read more »
Real Estate Scam
Breach Cyber Attacks CyberCrime Databreach Real Estate Scam

Suffolk Cyberattacks: Breach Hamper Suffolk County Real Estate Industry

The local real estate industry has been severely hampered by a breach, that caused the Suffolk County government servers to shut down for more than 20 days.

Since September 8, the cyberattack has prevented access to county websites, servers, and databases, making it impossible to check property titles or submit records. Consequently, obstructing most of the transactions from going through.

According to Sheri Winter Parker, a Corcoran broker, confusion over the situation and when it might end means “my phone is ringing with nonstop texts and emails.”

According to The Suffolk Times, hacking group BlackCat claims credit for the Suffolk cyberattacks and demands a ransom payment in order to restore access to government servers. The BlackCat threat actors state that they have access to around four terabytes of data including individual residents, while much of the data is from the clerk.county.suf domain.

Although County officials have resorted to restoring some records in person, online databases remain inaccessible. Furthermore, County email addresses are offline too, resulting in a massive disruption for brokers, lawyers, and title companies, along with buyers and sellers.

According to Michael Gulotta, founding partner of Gulotta & Gulotta, a Ronkokoma-based law firm, “Real estate transactions are on hold[...]About 45 percent of our business is real estate. This has impacted our staff, clients, and affiliates in a major way.”

Computer experts, on the other hand, are raising concerns that Palo Alto, the cybersecurity company providing the front-line firewall of Suffolk’s defense against cyberattacks, is serving as the main forensic auditor to investigate what happened when the county’s system was hacked.

Palo Alto and RedLand (another cybersecurity company) are both responsible to safeguard Suffolk’s computer system since 2019. Besides, both companies were awarded new contracts in order to manage the county’s response to the attacks, analyse the breach and help resolve the issue.

Suffolk is yet to announce how exactly the threat actors breached its systems. However, the company has not blamed RedLand or Palo Alto for the attacks.

Since the county is still repairing damages from the attack, the police department, the Department of Health Services, and the Traffic and Parking Violations Agency have all taken a hit. 

Read more »
Spain
Cyber Attacks Data Stolen Databreach Iberdrola Spain

1.3 million Iberdrola Customers Hit In Cyberattack

 

A few days ago, the Iberdrola group was hit by a cyberattack that successfully exposed the sensitive credentials of 1.3 million customers, the company confirmed. 

The company further added that the computer breach was stopped within a few hours and the matter was resolved the same day. However, unfortunately, the attack has affected 1.3 million users. The hackers, reportedly, could only access name, surname, and ID. They failed to get access to bank, tax, or electricity consumption data. The next day, once the breach was closed, the company detected massive attacks that did not achieve its objective. 

Following the attack, a statement was released by the company for its customers in which Iberdrola assured that all the necessary steps have been taken to mitigate the impact of the attack and no financial data such as bank details, account numbers, or credit cards details have been violated. Additionally, for future safety, the company has recommended its customers be more cautious of any emails or communications impersonating to be from Iberdrola. 

"If you have received the statement issued by the company, you must be vigilant and regularly monitor what information circulates on the Internet to detect if your private data is being used without your consent," the representatives added. 

The group was chaired by Ignacio Galán who brought forth the same attacks that took place in the Cercanías service in Madrid, in the Congress of Deputies, or in other European institutions. However, he said that the attackers have not had access to critical data. Further, Iberdrola revealed that “we were warned by the United States government about the possibility of a cyber-attack after the invasion of Ukraine.”

Iberdrola is a giant Spanish multinational electric utility company that has more than 34,000 employees serving around 31.67 million customers. The company has the largest shareholders in the global market. According to the 2013 report, the largest shareholder of the company was Qatar Investment Holding, Norges Bank, Kutxabank, and CaixaBank.

Read more »
Subscribe to: Comments (Atom)