Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label ShinyHunters. Show all posts
ShinyHunters
Canvas LMS Data Breach Instructure Breach Login Page Defacement Ransomware Attack School Cyberattack ShinyHunters

Threat Campaign Targets School Login Systems After Alleged Instructure Hack


 

The initial appearance of a routine service disruption within one of the most widely used academic learning platforms in the world quickly evolved into a significant cybersecurity issue as threat actors associated with the ShinyHunters group allegedly compromised Instructure's Canvas system. 

A large number of educational institutions experienced widespread operational instability as a result of the incident, which exposed sensitive academic and identity-related records, disrupted coursework timelines, and resulted in the defacement of several school authentication portals. 

A growing concern over the potential release of a data set reportedly affecting thousands of institutions as well as hundreds of millions of students and employees led Instructure to reveal that it had reached an agreement with the unauthorised actor responsible for the intrusion language that cybersecurity analysts interpreted as an indication of ransom negotiations. ShinyHunters collective claims to have successfully compromised Instructure's infrastructure for the second time in just a few weeks, further escalating the issue. 

The breach resulted in school authentication portals were made public and were affected in addition to backend systems. The incidents took place during final examination periods across several institutions using Canvas, causing even more disruption for administrators, educators, and students experiencing intermittent outages as a result of the earlier intrusion disclosed on April 30.

The Instructure platform had acknowledged that "criminal threat actors" were responsible for unauthorized access to parts of its environment, but subsequent activity indicates the attackers were still able to manipulate externally accessible services. 

When threat actors were reportedly injected malicious HTML components into Canvas login pages, unauthorized message prompts were found attributed to ShinyHunters, effectively defacing the authentication screens utilized for coursework management, assignment submissions, and academic communication, multiple Canvas login pages were later found displaying unauthorized messages attributed to ShinyHunters.

According to the message posted by the group, the allegedly stolen data will be made public on May 12 unless the company enters into a "settlement" negotiations. Parts of Instructure's online infrastructure appeared unstable during the escalation process, with some services intermittently returning "too many requests" errors while Canvas displayed maintenance notices indicating ongoing remediation and containment efforts throughout the company's network infrastructure. 

According to further disclosures, the breach affected a wide spectrum of academic stakeholders, including students, faculty, and institutional staff, with portions of information reportedly relating to minors. Despite Instructure's claims that passwords and highly sensitive authentication credentials were not compromised, the attackers are said to have obtained substantial amounts of information regarding personal identification and platform usage, such as usernames, e-mail addresses, student identification numbers, and private communications exchanged within the learning management system. 

According to the company, the initial compromise was terminated, remediation measures were implemented across the affected systems, and Canvas services were restored after containment procedures were initiated to prevent additional intrusions. However, ShinyHunters later stated it had successfully breached the platform again, this time targeting institution-specific authentication portals, thereby putting the company under pressure to enter into a settlement negotiation related to the earlier data theft, despite these efforts. 

As part of the extortion attempt, the group used stolen data as a means of coercion following network intrusions, which is a well-established operational pattern, however, the apparent recurrence of unauthorized access raised concerns regarding residual vulnerability issues within Instructure's network infrastructure. Canvas was brought offline once again following the second disruption, prompted the company to remove the component identified as being at the root of the incident  the Free-for-Teacher environment. 

Instructure acknowledged in an updated incident disclosure that investigators had identified a vulnerability associated with support ticket functionality within the Free-for-Teacher system, which threat actors allegedly exploited to facilitate the latest security breach. By putting the incident on its leak portal, ShinyHunters had earlier accepted public responsibility for the initial intrusion. 

The tactic is commonly used by ransomware and extortion-focused groups to increase pressure on targets by threatening data release under controlled circumstances. In the wake of the recent compromise, the attackers have attempted to reach out directly to media outlets regarding the defaced Canvas login pages, suggesting they are attempting to escalate the attack not only against Instructure but also against the thousands of educational institutions that rely on the platform for their operations. During ongoing negotiations regarding the previously stolen data, cybersecurity analysts viewed the public defacement as an attempt to amplify reputational and operational pressures. 

In spite of the fact that there is no clear indication of how the school-specific authentication pages were compromised, ShinyHunters officials have indicated the breach has been a separate one from the original attack, but declined to provide any further technical information regarding the method used to gain access to the system. 

The group claims to have stolen data from nearly 9,000 educational institutions around the world; these records are believed to belong to approximately 231 million people. Following the earlier compromise, the group claimed to have exfiltrated information related to nearly 9,000 educational institutions. 

A key component of the campaign was a mirroring of the threat group's established operating model, which is typically composed of a combination of network intrusion, public exposure of victims through leak sites, and sustained extortion efforts to maximize financial leverage following the theft of large amounts of data. There has been an increased focus on security architecture of cloud-based education platforms in the wake of the incident, which has become a critical infrastructure for academic operations worldwide.

In addition to disrupting coursework and institutional systems for the immediate period, the exposure of student communications and identity-linked records, particularly involving minors, demonstrates the long-term risks associated with large-scale compromises of digitally centralized learning environments. 

During the remediation and forensic investigation efforts, Instructure is likely to establish the breach as a landmark in the field of ransomware and extortion, which increasingly target educational technology ecosystems where operational urgency and reputational pressure can lead to high-stakes cybersecurity incidents.
Read more »
ShinyHunters
Academic Network Security Canvas cyberattack Data Breach Education Sector Security Phishing Threats Ransomware Attack ShinyHunters

Ransomware Attack Disrupts Grading Platform Used by LBUSD Cal State and LBCC


 

A cyberattack linked to the ShinyHunters extortion group temporarily disrupted educational operations across a number of educational institutions in the United States, causing concern over the potential exposure of sensitive student and faculty data. These institutions continued to restore access to Canvas this week. Although several universities and school districts have been able to resume normal access following recovery efforts coordinated by Canvas parent company Instructure, the incident continues to affect portions of the education sector. 

Administrators have assessed the broader impacts of the breach and reviewed claims regarding the compromise of data belonging to hundreds of millions of platform users around the world. After the incident was triggered on Thursday, teachers and students at Long Beach Unified School District, California State University Long Beach and Long Beach City College were suddenly unable to access Canvas, the cloud-based platform widely used for coursework, grades, assignments and internal communication, the operational impact of the incident became more apparent. 

According to district officials, they were informed earlier this week that Instructure, the company which provides Canvas, had discovered that certain user-identifying information related to customer environments had been accessed without authorization. In spite of the company's initial assertion that the incident had been contained and that core platform operations continued, educators later reported that login attempts redirected users to ransom-style messages allegedly associated with the ShinyHunters cybercriminal group upon attempting to log in.

Apparently, the notice instructed affected institutions to engage a cyber advisory firm and negotiate payment terms before a specified deadline otherwise compromised data could be exposed to the public. Despite the fact that the full extent of the intrusion is still under investigation, notifications sent to campus users indicate that names, email addresses, institutional identification numbers, and confidential communications may have been compromised. 

A response from Instructure was that portions of the platform environment had been disabled, the underlying vulnerability had been rectified, digital forensic specialists were engaged, and federal authorities, including the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, were coordinated. 

A significant number of academic institutions are experiencing the disruption at the same time, with final examinations at California State University Long Beach rapidly approaching. Since Canvas serves as the primary repository for instructional content, coursework, and student records, several educators have described the outage as operationally disrupting, even though some teachers have been able to maintain continuity by using externally hosted materials and collaboration tools through Google. 

Cybersecurity experts caution that, while the current incident has mainly disrupted colleges and universities, K-12 institutions have also faced repeated operational and data security challenges related to attacks against the education technology infrastructure. Researchers referred to the Los Angeles Unified School District cyberattack of 2022, when a ransomware-related intrusion disabled critical district systems over Labor Day weekend, disrupting internal communication, attendance tracking, and classroom instruction. 

Approximately 2,000 student assessment records, together with additional sensitive information, including driver’s license numbers and Social Security numbers accumulated over multiple years, were later published on the dark web as a result of the incident. Recovery efforts lasted for weeks during which administrative and technical staff restored systems and coordinated password resets for over 600,000 user accounts.

According to security researchers, incidents associated with platforms such as Canvas can create long-term phishing and social engineering risks even after services have been restored. A Norton security analyst, Luis Corrons, emphasized that information exposed by the company includes names, institutional email addresses, student identification numbers, and internal academic communications, which could provide threat actors with the necessary context to create highly convincing phishing campaigns impersonating legitimate school notifications regarding grades, coursework, financial aid, and password resets.

In addition to Anton Dahbura's concerns, the executive director of the Johns Hopkins University Information Security Institute advised institutions that residual risk may continue to exist after platform access has been restored, and cautioned against operating under this assumption. According to Dahbura, colleges and universities should encourage students and employees to change their passwords, review authentication tokens, and audit integrations with third-party platforms connected to Canvas environments. 

Likewise, colleges and universities should keep a close eye on follow-on phishing activity targeting them. Further, he emphasized that higher education is increasingly reliant on a single instructional platform, which represents a systemic risk as a whole. He advised academic institutions to develop resilience plans, implement additional security controls, and develop alternative instructional workflows that can support continuity during prolonged service interruptions. 

A centralized cloud-based learning infrastructure in the educational sector has further increased the cybersecurity vulnerability of the sector. As a result of a single third party platform compromise, thousands of academic institutions may be disrupted simultaneously if a single compromise occurs.

A continuing forensic investigation and recovery effort will require security teams on affected campuses to focus on credential protection, phishing monitoring, and access-review procedures, while assessing the degree of integration instructional platforms, such as Canvas, have made with broader institutional networks.
Read more »
User Security
Data Breach Data Theft Medtronic Breach ShinyHunters User Security

Medtronic Confirms ShinyHunters' Theft of 9 Million Records

 

Medtronic, a leading global medical device manufacturer, recently confirmed a significant cybersecurity breach affecting its corporate IT systems. The incident came to light after the notorious hacking group ShinyHunters claimed responsibility, boasting of stealing over 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data. 

On April 17 and 18, 2026, the group listed Medtronic on its Tor-based data leak site, issuing a ransom ultimatum that expired on April 21 without public confirmation of payment or data release. Medtronic publicly disclosed the breach on April 24, 2026, via its website and a U.S. Securities and Exchange Commission Form 8-K filing, acknowledging unauthorized access but emphasizing that the intrusion was contained with no disruption to operations.

The breach targeted non-critical corporate networks, sparing patient-facing systems, medical devices, manufacturing, and distribution channels. Medtronic stated explicitly that products, patient safety, customer connections, financial reporting, and care delivery remained unaffected, as these operate on segregated infrastructure. ShinyHunters, known for high-profile extortion campaigns against over 40 organizations in 2026—including ADT, Amtrak, and Cisco—alleged the haul included sensitive PII from employees, partners, or affiliates, though Medtronic has not verified the exact volume or contents. The group's listing vanished from the leak site shortly after, fueling speculation of behind-the-scenes negotiations.

This incident underscores escalating threats to healthcare giants, where corporate IT often serves as a softer entry point for attackers. ShinyHunters has exploited misconfigured Salesforce Experience Cloud guest permissions in multiple cases, a customer setup issue rather than a platform flaw, according to Salesforce. Medtronic's response involved activating incident protocols with external cybersecurity experts to assess data exfiltration and potential exposure. An ongoing forensic investigation aims to pinpoint compromised information, with commitments to notify and support affected individuals if personal data is confirmed stolen.

The implications ripple beyond Medtronic, highlighting vulnerabilities in the medical technology sector amid rising ransomware and extortion tactics. Law firms like Schubert Jonckheer & Kolbe LLP launched investigations by early May 2026, probing liabilities for the nearly 9 million potentially impacted records. While no widespread data dumps have surfaced publicly, the breach erodes trust in supply chain security, even when clinical operations stay insulated. Healthcare firms face mounting pressure to fortify perimeter defenses as cybercriminals increasingly target administrative data for profit.

To mitigate risks from such incidents, individuals should monitor credit reports, enable two-factor authentication on personal accounts, and freeze credit if notified of exposure. Organizations are advised to segment networks rigorously, conduct regular penetration testing, patch third-party configurations like Salesforce promptly, and develop robust incident response plans. Medtronic's case reinforces the need for proactive cybersecurity hygiene to safeguard sensitive data in high-stakes industries.
Read more »
Telus Digital
Data Breach Data Exposure Microsoft 365 Salesforce ShinyHunters Telus Digital

Telus Digital Faces Scrutiny Following Claims of Large-Scale Data Extraction

 



Canadian outsourcing and digital services firm Telus Digital has confirmed that it experienced a cybersecurity incident after threat actors alleged they had extracted an enormous volume of data, estimated at nearly one petabyte, over a prolonged period of unauthorized access.

Telus Digital operates as the outsourcing and digital solutions division of Telus. The company provides services such as customer support, content moderation, artificial intelligence data operations, and other business process outsourcing functions to organizations around the world. Because firms in this sector often manage customer interactions, billing systems, and internal authentication tools on behalf of multiple clients, they are frequently targeted by attackers aiming to gain access to large datasets through a single compromise.

The breach has been linked to a threat group known as ShinyHunters, which claims it obtained a wide range of customer-related data connected to Telus Digital’s outsourcing services, along with call records tied to Telus’ consumer telecommunications operations.

Reports about a possible breach had surfaced earlier this year, and inquiries were made to the company at the time, though no response was received then. Telus has now acknowledged the incident, stating that it is investigating what information may have been accessed and which customers could be affected.

In its official statement, the company said unauthorized access was identified in a limited number of systems. It added that immediate steps were taken to contain the activity and prevent further intrusion. Telus also stated that its operations remain fully functional, with no evidence of disruption to customer connectivity or services. The company confirmed that external cyber forensics specialists have been engaged and that law enforcement authorities are involved. It further noted that additional safeguards have been implemented and that affected customers will be notified where appropriate.

Sources indicated that the attackers attempted to extort the company, but Telus did not engage in communication with them.


Attack Method and Data Exposure Claims

After learning that the company was not negotiating, the attackers were contacted for further details regarding the incident.

According to their claims, the intrusion began with access to Google Cloud Platform credentials that were previously exposed in data linked to the Salesloft Drift breach. In that earlier incident, attackers extracted Salesforce data belonging to approximately 760 organizations, including customer support tickets. These records were then examined to locate credentials, authentication tokens, and other sensitive information, which could be reused to access additional systems.

The threat actors stated that they identified credentials associated with Telus within that dataset. These credentials allegedly enabled them to access multiple internal systems, including a large BigQuery data environment. After extracting initial data, they reportedly used the tool trufflehog to scan for further secrets, allowing them to expand their access into additional parts of the company’s infrastructure.

The group claims that the total amount of data taken is close to one petabyte, though this figure has not been independently verified. They also shared the names of 28 well-known companies that they allege were affected. However, these claims have not been confirmed, and the identities of those organizations remain undisclosed.

The data described by the attackers covers a wide range of business operations. This includes information related to customer support services, call center activities, agent performance metrics, AI-powered support systems, fraud detection mechanisms, and content moderation processes. In addition, they claim to have accessed source code, financial records, Salesforce data, background verification documents, and recordings of customer service calls.

The breach is also said to affect Telus’ telecommunications operations, particularly its consumer fixed-line services. The allegedly exposed data includes detailed call logs, voice recordings, and campaign-related information. Samples of these call records reportedly contain timestamps, call durations, originating and receiving numbers, and technical metadata such as call quality indicators.

Overall, the nature of the exposed data appears to vary significantly depending on the organization, indicating that multiple business functions across different clients may have been impacted.

The attackers stated that they began extortion attempts in February, demanding $65 million in exchange for not releasing the stolen data. The company did not respond to these demands.

Telus has indicated that further updates may be provided as its investigation progresses.


Who Are ShinyHunters

The name ShinyHunters has been associated with various individuals and cyber incidents over time, but the group currently operating under this identity has emerged as one of the more active data extortion actors in recent months. Their operations have largely focused on compromising cloud-based platforms, particularly those connected to enterprise software ecosystems.

The group has been linked to incidents involving major organizations such as Google, Cisco, and Match Group, among others.

More recently, their tactics have expanded to include voice phishing, or vishing, attacks. In these cases, employees are contacted by individuals posing as IT support staff and are persuaded to reveal login credentials or multi-factor authentication codes through fraudulent websites. The group has also been observed using device code phishing techniques to obtain authentication tokens linked to identity platforms such as Microsoft Entra.

Once valid credentials and authentication codes are obtained, attackers can take control of single sign-on accounts and gain access to interconnected enterprise services, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.


Security Implications

This incident reflects a broader trend in which attackers reuse previously stolen data to launch new intrusions. It also highlights the elevated risk associated with outsourcing providers that centralize sensitive operations for multiple organizations.

Cybersecurity experts increasingly note that modern attacks often occur in stages, where one breach creates opportunities for subsequent compromises. As businesses continue to rely on cloud platforms and third-party service providers, the potential scale and impact of such incidents continue to grow.

The situation is currently under investigation, and additional verified details are expected as more information surfaces.

Read more »
ShinyHunters
Cyber Security Cyberthreats Hackers Hacking ShinyHunters

ShinyHunters Threatens Data Leak After Alleged Salesforce Breach

 

The hacking group ShinyHunters has warned roughly 400 companies that it may publish stolen data online if ransom demands are not met. The group claims it accessed private records through websites built on Salesforce Experience Cloud, a platform companies use to create public portals and customer support sites. 

According to earlier findings by cybersecurity firm Mandiant, the attackers targeted organisations that used Salesforce’s Experience Cloud for external-facing services such as help centres and information portals. 

How the breach allegedly happened? The reported intrusion appears linked to the configuration of public access settings within these websites. 

Salesforce allows websites built on Experience Cloud to include a “guest user” profile so visitors can view limited information without logging in. 

If these settings are configured too broadly, however, the access permissions can expose internal data to the public internet. Investigations suggest the attackers used a modified version of a tool called Aura Inspector to scan websites for such weaknesses. 

Once vulnerabilities were identified, the hackers were able to extract information including names and phone numbers. Security experts say the stolen data may already be fueling vishing attacks. 

In such scams, attackers contact employees by phone and attempt to trick them into revealing additional confidential information. 

Dispute over the root cause There is disagreement over whether the problem stems from a software flaw or from how companies configured their systems. Salesforce has said the platform itself remains secure and that the issue is related to customer settings rather than a vulnerability in the product. 

“Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” the company said in a blog post. 

ShinyHunters disputes that explanation, claiming it discovered a previously unknown flaw that allows it to bypass certain protections even on sites that appear properly configured. 

Independent researchers have not yet verified that claim. Pressure tactics used by hackers ShinyHunters is known for using aggressive extortion strategies to pressure victims into paying ransom demands. The group often releases stolen data in stages to increase pressure on organisations that refuse to negotiate. 

A recent example involved Dutch telecommunications provider Odido and its brand Ben. After the company declined to pay a ransom reportedly worth one million euros, the hackers began publishing large quantities of customer data on the dark web. 

Security guidance for companies Salesforce is urging customers to review their portal configurations and tighten access controls. The company recommends applying a “least privilege” approach, meaning guest users should only have the minimum permissions required to use a site. 

Businesses are also advised to keep data private by default, disable settings that expose internal staff information, and turn off public application programming interfaces where possible. 

These interfaces can allow external systems to exchange data and may create additional entry points if left open. 

The incident highlights the growing risks associated with misconfigured cloud services, which security analysts say have become a common target for cybercriminal groups seeking large volumes of corporate data.
Read more »
ShinyHunters
Data Breach Data Leak Harvard Breach Upenn Hack ShinyHunters

ShinyHunters Leak Exposes Harvard and UPenn Personal Data

 

Hacking group ShinyHunters has reportedly published more than a million records stolen from Harvard University and the University of Pennsylvania (UPenn) on its dark web site, putting a vast trove of sensitive personal data within reach of cybercriminals worldwide. The leaked data appears to contain sensitive details about the students, employees, alumni, donors, and family members of the breached organizations. This has expanded the scope of the compromised data to a wide range of people. Initial verification of the leaked data has revealed that at least some of the leaked data is genuine. 

The UPenn breach is believed to have begun in early November 2025, when the hackers gained access to an employee’s single sign-on (SSO) account by claiming to have obtained full access to the UPenn employee’s SSO account. This has essentially turned the SSO account into a master key that has allowed the hackers to access the UPenn VPN system, Salesforce data, the Qlik analytics platform, SAP business intelligence tools, and SharePoint. During the course of the attack, the hackers also used the compromised login credentials to send offensive emails to 700,000 people. Initially, UPenn believed that the emails were fake, but they later turned out to be real.

Harvard confirmed a related compromise roughly three weeks after the UPenn disclosure, tying its own incident to a successful voice phishing (vishing) campaign. In this case, attackers are said to have infiltrated Alumni Affairs and Development systems, exposing data on past and present students, donors, some faculty and staff, and even spouses, partners, and parents of alumni and students. The stolen records reportedly include names, dates of birth, home addresses, phone numbers, estimated net worth, donation history, and sensitive demographic attributes such as race, religion, and sexual orientation.

Unlike traditional ransomware operations that both encrypt systems and steal data, ShinyHunters appears to have focused solely on data theft and extortion, deploying no encryptors in these campaigns. The group allegedly attempted to negotiate payment in cryptocurrency in exchange for promising to delete the stolen files, following the now-common double extortion model. When talks broke down and the universities did not pay, the hackers responded by dumping the data openly on their dark web leak site, amplifying the risk of identity theft, harassment, and targeted scams for victims.

For Harvard and UPenn, the breaches highlight the dangers of over-reliance on SSO accounts and human-centric weaknesses such as vishing, where convincing phone calls trick staff into revealing or approving access. For affected individuals, the publication of highly personal and demographic information raises concerns around fraud, doxxing, discrimination, and reputational harm that could persist for years. The incidents reinforce the need for stronger multifactor authentication, rigorous phishing and vishing awareness training, and tighter controls around high-value institutional accounts holding large volumes of sensitive data.
Read more »
ShinyHunters
BreachForums BreachForums user database Data Breach Extortion Gang hacking forum leak ShinyHunters

BreachForums Database Breach Exposes Details of Over 324K User Accounts

 

The newest version of the infamous BreachForums cybercrime marketplace has reportedly experienced another security lapse, with its user database table appearing online.

BreachForums refers to a succession of underground hacking forums commonly used for buying, selling, and leaking stolen data, as well as offering access to compromised corporate networks and other illicit cyber services. The platform emerged after RaidForums was taken down by law enforcement and its alleged operator, known as “Omnipotent,” was arrested.

Despite facing previous data breaches and repeated law enforcement interventions, BreachForums has consistently resurfaced under new domains. This pattern has led some observers to speculate that the forum may now be operating as a law-enforcement honeypot.

Recently, a website bearing the name of the ShinyHunters extortion group published a 7Zip archive titled breachedforum.7z. The archive includes three files:
  • shinyhunte.rs-the-story-of-james.txt
  • databoose.sql
  • breachedforum-pgp-key.txt.asc
A spokesperson for the ShinyHunters extortion group told BleepingComputer that they are not connected to the site hosting the archive.

The file breachedforum-pgp-key.txt.asc contains a private PGP key created on July 25, 2023, which BreachForums administrators previously used to sign official communications. Although the key has been exposed, it is protected by a passphrase, preventing misuse without the correct password.

Meanwhile, the databoose.sql file is reportedly a MyBB users table (mybb_users) holding details of 323,988 accounts. The leaked data includes usernames, registration timestamps, IP addresses, and other internal forum information.

According to BleepingComputer’s review, most IP addresses in the dataset resolve to a loopback address (127.0.0.9), limiting their investigative value. However, around 70,296 records do not use this local IP and instead resolve to public addresses. These entries could pose operational security risks to affected users and may be useful to law enforcement or cybersecurity analysts.

The most recent registration date in the leaked database is August 11, 2025—the same day the previous BreachForums instance at breachforums[.]hn was taken offline following arrests linked to its alleged operators. On that day, a ShinyHunters member posted in the “Scattered Lapsus$ Hunters” Telegram channel, alleging that BreachForums was a law-enforcement trap, a claim later denied by forum administrators.

In October 2025, the breachforums[.]hn domain was formally seized after being repurposed for extortion campaigns tied to large-scale Salesforce data thefts attributed to the ShinyHunters group.

The current BreachForums administrator, operating under the alias “N/A,” has confirmed the latest incident. According to the administrator, a backup of the MyBB users table was briefly left in an unsecured directory and downloaded only once.

“We want to address recent discussions regarding an alleged database leak and clearly explain what happened,” N/A wrote on BreachForums.

“First of all, this is not a recent incident. The data in question originates from an old users-table leak dating back to August 2025, during the period when BreachForums was being restored/recovered from the .hn domain.”

“During the restoration process, the users table and the forum PGP key were temporarily stored in an unsecured folder for a very short period of time. Our investigation shows that the folder was downloaded only once during that window.”

While N/A advised members to rely on disposable email addresses and emphasized that most IPs were local, the exposed data could still attract interest from investigators.

Following publication of the article, cybersecurity firm Resecurity informed BleepingComputer that the website hosting the archive has now been updated to include the passphrase for BreachForums’ private PGP key. Another independent security researcher confirmed that the disclosed password successfully unlocks the key.

Read more »
Tech Firm
Checkout Data Breach Ransomware ShinyHunters Tech Firm

Checkout Refuses ShinyHunters Ransom, Donates Funds to Cybersecurity Research

 

Checkout, a UK-based financial tech firm, recently suffered a data breach orchestrated by the cybercriminal group ShinyHunters, who have demanded a ransom for stolen merchant data. In response, the company announced it would not pay the ransom but instead donate the equivalent amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research initiatives.

The breach occurred after ShinyHunters gained unauthorized access to a legacy third-party cloud storage system used by Checkout in 2020 and earlier. This system, which had not been properly decommissioned, contained internal operational documents, onboarding materials, and data from a significant portion of company’s merchant base, including past and current customers. The company estimates that less than 25% of its current merchant base was affected by the incident.

The tech firm provides payment processing services to major global brands such as eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, managing billions in merchandise revenue. The company’s systems include a unified payments API, hosted payment portals, mobile SDKs, and plugins for existing platforms, along with fraud detection, identity verification, and dispute management features.

ShinyHunters is an international threat group known for targeting large organizations, often leveraging phishing, OAuth attacks, and social engineering to infiltrate systems and extort ransom payments. The group has recently exploited the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884) and carried out attacks on Salesforce and Drift systems affecting multiple organizations earlier in the year.

Despite the pressure to pay a ransom to prevent the leaked data from being published, Checkout has refused and opted for a different strategy. The company will invest in strengthening its own security infrastructure and protecting its customers more effectively in the future. Additionally, the company has committed to supporting academic research in cybersecurity by channeling the intended ransom funds to prestigious universities.

Checkout has not disclosed the identity of the compromised third-party cloud file storage system or the specific breach method. The company continues to work on bolstering its defenses and has emphasized its commitment to transparency and customer protection. This decision sets a notable precedent for organizations facing ransomware demands, highlighting the importance of proactive security investment and responsible action in the face of cyber threats.
Read more »
ShinyHunters
Cyber Extortion Cyber Security Ransomware ShinyHunters

Red Hat Data Breach Deepens as Extortion Attempts Surface

 



The cybersecurity breach at enterprise software provider Red Hat has intensified after the hacking collective known as ShinyHunters joined an ongoing extortion attempt initially launched by another group called Crimson Collective.

Last week, Crimson Collective claimed responsibility for infiltrating Red Hat’s internal GitLab environment, alleging the theft of nearly 570GB of compressed data from around 28,000 repositories. The stolen files reportedly include over 800 Customer Engagement Reports (CERs), which often contain detailed insights into client systems, networks, and infrastructures.

Red Hat later confirmed that the affected system was a GitLab instance used exclusively by Red Hat Consulting for managing client engagements. The company stated that the breach did not impact its broader product or enterprise environments and that it has isolated the compromised system while continuing its investigation.

The situation escalated when the ShinyHunters group appeared to collaborate with Crimson Collective. A new listing targeting Red Hat was published on the recently launched ShinyHunters data leak portal, threatening to publicly release the stolen data if the company failed to negotiate a ransom by October 10.

As part of their extortion campaign, the attackers published samples of the stolen CERs that allegedly reference organizations such as banks, technology firms, and government agencies. However, these claims remain unverified, and Red Hat has not yet issued a response regarding this new development.

Cybersecurity researchers note that ShinyHunters has increasingly been linked to what they describe as an extortion-as-a-service model. In such operations, the group partners with other cybercriminals to manage extortion campaigns in exchange for a percentage of the ransom. The same tactic has reportedly been seen in recent incidents involving multiple corporations, where different attackers used the ShinyHunters name to pressure victims.

Experts warn that if the leaked CERs are genuine, they could expose critical technical data, potentially increasing risks for Red Hat’s clients. Organizations mentioned in the samples are advised to review their system configurations, reset credentials, and closely monitor for unusual activity until further confirmation is available.

This incident underscores the growing trend of collaborative cyber extortion, where data brokers, ransomware operators, and leak-site administrators coordinate efforts to maximize pressure on corporate victims. Investigations into the Red Hat breach remain ongoing, and updates will depend on official statements from the company and law enforcement agencies.


Read more »
Workiva
Cloud Server CloudFlare CRM Cybersecurity Data Breach phishing Salesforce ShinyHunters Vulnerabilities Workday Workiva

Workiva Confirms Data Breach in Wake of Salesforce Security Incident


 

A recent cyberattack on Salesforce customers has prompted Workiva to disclose a breach linked to a recent wave of attacks, serving as a reminder of the increasing cybersecurity risks faced by global organisations. Workiva provides financial reporting, compliance, and audit software, as well as financial reporting and compliance software, based in the cloud. 

As the company confirmed, attackers have accessed a third-party customer relationship management system (CRM), exposing information about limited company contact details, including names, email addresses, phone numbers, and support ticket information. As an important note, Workiva stressed that its own platform and customer data remain safe and secure. 

According to the ShinyHunters extortion group, the breach is part of a broader campaign that has been carried out by the threat actors to gain unauthorized access to sensitive business information, including exploiting OAuth tokens and conducting voice phishing. As a result of these attacks, Workiva has warned customers that spear phishing attempts should not be ignored and emphasized that all official communications will continue to come from its verified support channels only. 

According to Workiva, whose cloud-based platform is widely used for financial reporting, compliance and audit processes, the breach could be traced back to unauthorized access to the customer relationship management system of a third party. There has been a breach of security at Adobe. 

In notifications sent to clients who may be affected, the company disclosed that attackers were able to access a limited set of business contact details, such as names, email addresses, phone numbers, and support tickets data. As Workiva clarified, its core platform and any customer data stored inside it have not been compromised, rather the intrusion originated via a connected third-party application that was managed by the vendor responsible for Workiva's customer relationship management system. 

Over 6,300 customers are included in the company, including 85 percent of Fortune 500 companies and prominent names like Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, and Mercedes-Benz, so the company stressed the importance of staying vigilant and warned that the stolen data could be used to conduct spear-phishing scams. 

It was reiterated that Workiva would never solicit sensitive information by text or phone, nor would it seek to communicate with customers through official channels other than its trusted support channels, as a means of reassuring customers. Due to the fact that even the most prominent security vendors were not spared from the wave of intrusions, the cybersecurity community has been on their toes due to the wave of intrusions. 

A simple example of this, Cloudflare, reported that attackers bypassed traditional social engineering by exploiting credential compromises linked to Salesloft Drift, one of the third-party applications that are integrated with Salesforce, instead of taking advantage of traditional social engineering techniques. 

Using this access, threat actors were able to infiltrate Cloudflare's Salesforce environment on August 12, and spend two days mapping the system before conducting a rapid exfiltration operation which, within minutes of the operation, sucked off sensitive data, deleted log files and attempted to erase digital traces. 

Earlier, Palo Alto Networks confirmed that a similar breach had occurred during the period between August 8 and 18, with attackers leveraging stolen OAuth tokens to gain access to the Salesforce system that the Salesforce integration was integrated into. In this period, adversaries were able to extract customer contact information, sales records, and case data. 

After obtaining these items, the adversaries later scanned the stolen data for passwords and cloud service credentials, which were used to facilitate secondary attacks targeting AWS and Snowflake platforms. Analysts point out that these incidents do not imply that core defences have collapsed, but rather that trust dependencies within digital ecosystems are fragile. 

With the use of weak access controls and third-party connections, groups like Scattered Spider, Lapsus$, and ShinyHunters have exploited stolen data and ransom profits on underground channels to make a profit, raising the concern that a much bigger scope of exposure may be uncovered than has been revealed.

Despite being one of the world's largest HR software providers, Workday has confirmed that it also became a victim of a cyberattack campaign utilizing Salesforce's customer relationship management platform. There is a possibility that the incident, which was first reported on August 6, could have impacted the personal information of up to 70 million individuals as well as 11,000 corporate clients' business information. 

Despite Workday stressing that its core HR systems that are known as customer tenants remain unaffected by this attack, it admits that attackers were able to access business contact details in its Salesforce integration, including names, email addresses, phone numbers, and facsimiles. A growing list of victims has included Google, Cisco, Qantas, and Pandora as well as other large companies. 

The breach underscores how adversaries are increasingly targeting third-party service providers that are acting as gateways to vast amounts of personal data. As roughly 60% of Fortune 500 companies use Workday's platform for their digital supply chains, the incident emphasizes the risks involved in a digital supply chain that is interconnected. 

A number of security experts have warned that these SaaS and CRM systems, which were once treated as routine business tools, have now become very valuable attack surfaces for cyber criminals. As analysts point out that ShinyHunters seems to be the likely culprit, attention has now turned to their tactics, namely, phishing campaigns designed to trick employees into giving them their credentials by impersonating HR and IT staff. 

The breach has reignited debate among cybersecurity professionals regarding whether the breaches indicate the development of sophisticated social engineering techniques, or whether they reveal persistent shortcomings in organizational awareness and training. In light of the string of breaches tied to Salesforce integrations, enterprises have reached the point of reassessing, monitoring, and securing third-party platforms that are woven into the daily operation of their companies. 

The incidents were unprecedented in their scope and severity, and although some companies haven't been able to contain the fallout as quickly as others has, the incidents illustrate that even some of the most trusted vendors cannot be made to appear invulnerable. The majority of cybersecurity specialists believe that organizations need to build a wider security posture beyond perimeter defense, including vendor risk management and zero-trust frameworks, as well as tighter controls on identity and access. 

Auditing integrations on a regular basis, minimizing permissions granted through OAuth, and monitoring API usage are no longer optional safeguards, but are strategic imperatives in an environment where many attackers thrive on exploiting overlooked trust relationships in order to achieve the greatest possible gain. 

Additionally, greater focus on employee awareness about spear-phishing and impersonation schemes can be a critical component in reducing the chances of credential theft, which is an entry point that appears to be becoming more prevalent each year. In the case of organizations reliant on SaaS ecosystems, the lesson is clear - securing extended supply chains is as important as protecting internal infrastructure as it is in keeping business resilient, and the adaptors will be the ones best positioned to withstand the next wave of attack.
Read more »
Workday
Data Breach Salesforce ShinyHunters Social Engineering Workday

Workday Suffers Data Breach in Broader Salesforce Campaign

 

Workday, a major player in the human resources sector, has disclosed a recent data breach caused by a social engineering attack targeting a third-party customer relationship management (CRM) system—specifically, a Salesforce instance.

Although Workday, headquartered in Pleasanton, California, provides services to over 11,000 organizations worldwide (including over 60% of the Fortune 500), the company reports that its main customer data environments known as "customer tenants" were not accessed or impacted by the breach. 

The breach, uncovered nearly two weeks before disclosure, exposed business contact information such as names, emails, and phone numbers contained in the compromised CRM. 

Workday clarified that the compromised data was mostly publicly available information frequently used for business contact purposes, but acknowledged that this exposure could still facilitate further social engineering or phishing attempts by malicious parties. Employees were alerted that attackers may attempt to contact them, impersonating HR or IT staff, to extract sensitive details or credentials. 

This incident is part of a larger ongoing campaign allegedly orchestrated by the ShinyHunters extortion group. BleepingComputer reports that this group specializes in targeting Salesforce CRM instances at major firms through tactics like voice phishing and social engineering. 

Their modus operandi often involves convincing employees to link a fraudulent OAuth application to the company's Salesforce environment, granting attackers access to download vital company databases. Subsequently, stolen data is used for extortion, and the attack group’s ransom notes have consistently identified themselves as ShinyHunters. 

Several other global corporations—including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google—have fallen victim to similar attacks over the past few months, with activity believed to have started at the beginning of the year. 

Although Workday didn't confirm direct involvement with Salesforce in their public statement, a company spokesperson indicated the breach was associated with business contact data in the Salesforce platform. The attackers primarily leveraged social engineering, not technical vulnerabilities, to obtain unauthorized access. This breach highlights the increasing effectiveness of well-crafted social engineering attacks targeting SaaS platforms and the persistent threat posed by organized groups such as ShinyHunters. While the compromise did not reach more sensitive internal systems, Workday and similar organizations face ongoing risks of secondary attacks fueled by the exposed contact data.
Read more »
ShinyHunters
Adidas data breach Allianz Life breach Data Breach LVMH hack Qantas cyberattack Salesforce data breach ShinyHunters

ShinyHunters’ Voice Phishing Attacks Target Salesforce Users, Breaches Hit Qantas, LVMH, Adidas, and Allianz

 

A recent wave of high-profile data breaches affecting global brands such as Qantas, Allianz Life, LVMH, and Adidas has been traced to the ShinyHunters extortion group. The group has been exploiting voice phishing tactics to compromise Salesforce CRM instances, according to Google’s Threat Intelligence Group (GTIG).

In June, GTIG reported that a threat actor tracked as UNC6040 was conducting sophisticated social engineering campaigns targeting Salesforce users. The attackers posed as IT support over phone calls, directing victims to the Salesforce connected app setup page and instructing them to enter a “connection code.” This action granted access to a malicious version of Salesforce’s Data Loader OAuth app. In some cases, the Data Loader tool was disguised as “My Ticket Portal” to appear legitimate.

While most attacks involved vishing (voice phishing), credentials and MFA tokens were also stolen through fake Okta login pages. Around this time, several companies disclosed breaches involving third-party customer service or cloud CRM systems.

LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to customer databases, with Tiffany Korea stating the breach stemmed from “a vendor platform used for managing customer data.” Similarly, Adidas, Qantas, and Allianz Life reported incidents linked to external systems. Allianz Life confirmed that on July 16, 2025, a “malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America.”

Although Qantas has not confirmed whether Salesforce was involved, local media reports claim the stolen data came from its Salesforce instance. Court filings also reveal that the attackers targeted “Accounts” and “Contacts” — both native Salesforce database objects.

BleepingComputer has since verified that all affected companies were targeted as part of the same campaign highlighted by Google. So far, the breaches have not resulted in public data leaks, with ShinyHunters allegedly attempting private email extortion. Experts warn that if these efforts fail, mass data leaks similar to the group’s previous Snowflake incidents could follow.

"We have not identified any data leak sites associated with this activity," said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG. "It is plausible that the threat actor intends to sell the data instead of sharing it publicly. This approach would align with prior ShinyHunters Group activity."

Google notes that it is tracking these incidents under separate designations: UNC6040 for the initial breaches and UNC6240 for the subsequent extortion attempts.

The ShinyHunters group has long been associated with large-scale data theft and extortion schemes. Their methods sometimes overlap with those used by Scattered Spider (UNC3944), another notorious hacking group targeting sectors like aviation, retail, and insurance. While Scattered Spider typically conducts full network breaches — sometimes deploying ransomware — ShinyHunters often focus on cloud-based platforms and web applications.

Some security researchers believe there is significant crossover between UNC6040/UNC6240 and UNC3944, with both groups potentially sharing members or operating within the same online circles. The network is also suspected to overlap with “The Com,” a cybercriminal collective of English-speaking hackers.

Theories suggest that ShinyHunters may operate as an extortion-as-a-service model, conducting extortion campaigns for other hacking groups in exchange for a profit share. The group has been tied to past breaches at PowerSchool, Oracle Cloud, Snowflake, AT&T, Wattpad, and others. Even after multiple arrests of individuals linked to the name, fresh attacks continue, with the group often identifying itself as a “collective.”

Salesforce maintains that its systems remain uncompromised, with the breaches resulting from social engineering targeting customer accounts rather than platform vulnerabilities.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform… customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks," the company told BleepingComputer.

 
Read more »
Ticketmaster data breach
BreachForums cybercriminal group Data Breach NC5537 Ransomware Gang Santander Bank data theft Scattered Spider ShinyHunters Ticketmaster data breach

Cybercriminal Group UNC5537 Strikes with Major Data Breaches

 

In recent weeks, the cybercriminal group UNC5537 has made significant waves. This ransomware gang, potentially linked to ShinyHunters or Scattered Spider, stole over 560 million customer records from Ticketmaster. On May 28, they listed this data for sale on their revamped leak site, BreachForums, with a price tag of $500,000. Just two days later, the group claimed to have obtained 30 million account records from Santander Bank in Spain, demanding $2 million for the data. Both companies confirmed the breaches after these announcements.

A June 10 analysis by Mandiant, an incident-response firm now part of Google, revealed that these data leaks, along with at least 163 other breaches, were not due to system vulnerabilities but rather the exploitation of stolen credentials and inadequate multifactor authentication (MFA) controls. According to Mandiant, no evidence indicates that the breaches stemmed from Snowflake's enterprise environment. Instead, all incidents are traced back to compromised customer credentials.

While implementing MFA could have prevented the data theft from Snowflake's systems, the companies involved have broader issues beyond this single control. Businesses must ensure visibility into their attack surfaces, promptly disable accounts of former employees and contractors, and minimize entry points for attackers. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, emphasizes that attackers often exploit basic security lapses. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities," he notes.

Key Lessons from Recent Cloud Breaches

1. Start With MFA and Then Go Beyond

There is significant room for improvement in MFA adoption. Despite reports showing that 64% of workers and 90% of administrators use MFA, over 60% of organizations still have at least one root user or administrator without MFA enabled. According to Ofer Maor, co-founder and CTO at Mitiga, achieving consistent and verifiable MFA implementation is crucial. He suggests that companies enforce and require MFA, disable non-SSO logins, and enhance security measures with device- or hardware-based authentication for sensitive infrastructure.

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should implement access control lists (ACLs) to restrict user access to cloud services or at least review access logs daily for anomalies. Jake Williams, a faculty analyst at IANS Research, recommends restricting IP addresses for cloud infrastructure access and emphasizes the importance of access reviews to identify unexpected access points.

3. Maximize Visibility Into Cloud Services

Continuous monitoring of applications, log data, access activity, and data aggregation services is essential for detecting and preventing attacks. Organizations need to alert on specific behaviors or threats, which could have identified the cybercriminals' attempts to access cloud data, says Brian Soby, CTO and co-founder at AppOmni.

4. Don't Rely on Your Cloud Providers' Defaults

Cloud providers often prioritize usability over security, so relying solely on their default settings can be risky. For example, Snowflake's default settings do not require MFA, making it easier for attackers with compromised credentials to gain full access. Companies must go beyond these defaults and enforce higher security standards.

5. Check Your Third Parties

Even if a company does not directly use Snowflake or another cloud service, third-party providers might, exposing their data to risk. Ensuring that all service providers handling company data follow proper security measures is essential, as highlighted by IANS Research's Williams. Reaching out to service providers to confirm their security practices is crucial in protecting data in today's complex supply chain environment.
Read more »
Ticketmaster
cloud storage Cyber Attacks Data Security Breach Google Mandiant Hacker attack ShinyHunters Ticketmaster

Hackers Exploit Snowflake Data, Targeting Major Firms

 

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they gained access to some Snowflake accounts by breaching a Belarusian-founded contractor working with those customers. Approximately 165 customer accounts were potentially affected in this hacking campaign targeting Snowflake’s clients, with a few identified so far. 

It was a Snowflake account, with stolen data including bank details for 30 million customers and other sensitive information. Lending Tree and Advance Auto Parts might also be victims. Snowflake has not detailed how the hackers accessed the accounts, only noting that its network was not directly breached. Google-owned security firm Mandiant, involved in investigating the breaches, revealed that hackers sometimes gained access through third-party contractors but did not name these contractors or explain how this facilitated the breaches. 

A hacker from the group ShinyHunters said they used data from an EPAM Systems employee to access some Snowflake accounts. EPAM, a software engineering firm founded by Belarus-born Arkadiy Dobkin, denies involvement, suggesting the hacker’s claims were fabricated. ShinyHunters has been active since 2020, responsible for multiple data breaches involving the theft and sale of large data troves. EPAM assists customers with using Snowflake's data analytics tools. The hacker said an EPAM employee’s computer in Ukraine was infected with info-stealer malware, allowing them to install a remote-access Trojan and access the employee’s system. 

They found unencrypted usernames and passwords stored in a project management tool called Jira, which were used to access and manage Snowflake accounts, including Ticketmaster’s. The lack of multifactor authentication (MFA) on these accounts facilitated the breaches. Although EPAM denies involvement, hackers did steal data from Snowflake accounts, including Ticketmaster's, and demanded large sums to destroy the data or threatened to sell it. The hacker claimed they directly accessed some Snowflake accounts using the stolen credentials from EPAM’s employee. The incident underscores the growing security risks from third-party contractors and the importance of advanced security measures like MFA. 

Mandiant noted that many credentials used in the breaches were harvested by infostealer malware from previous cyber incidents. Snowflake’s CISO, Brad Jones, acknowledged the breaches were enabled by the lack of MFA and mentioned plans to mandate MFA for Snowflake accounts. This incident highlights the need for robust cybersecurity practices and vigilance, particularly when dealing with third-party contractors, to safeguard sensitive data and prevent similar breaches in the future.
Read more »
Ticketmaster
CISO cyber threat Data Breach MFA Santander ShinyHunters Ticketmaster

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multi factor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could enhance data protection by a notable measure.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


Read more »
User Data Leak
Data Breach Financial Credentials phishing ShinyHunters Ticketmaster User Data Leak

Ticketmaster Data Breach Affects Over 500 Million Customers


 


We are all music fans at heart, and recently the most eye-catching tour is the three-hour Taylor Swift concert. The platform that sells tickets for these in-demand tours, Ticketmaster, has taken a hit. In a substantial blow to one of the world’s largest ticketing services, Ticketmaster has reportedly suffered a massive data breach impacting over half a billion customers. According to Mashable, the hacker group known as ShinyHunters claims responsibility for stealing customer data from nearly 560 million users. Although Ticketmaster has yet to confirm the breach, ShinyHunters has a history of high-profile hacks and is now selling the stolen data on a popular hacking forum for $500,000.


Details of the Stolen Data

ShinyHunters alleges they have obtained a substantial 1.3 terabytes of data, including sensitive information such as full names, addresses, and phone numbers. Additionally, the breach encompasses detailed order histories, which reveal ticket purchase details and event information. Alarmingly, partial payment information, including names, the last four digits, and expiration dates of credit cards, is also among the compromised data.


While waiting for Ticketmaster's official response, it is crucial for affected customers to take proactive steps to protect themselves. The stolen data could be used for targeted phishing attacks, making it essential to remain vigilant when checking emails, messages, or mail. Cybercriminals may impersonate reputable companies to trick individuals into revealing passwords or financial information.


To mitigate risks, users should avoid clicking on links or downloading attachments from unknown senders and always verify the legitimacy of the sender’s email address. Implementing robust cybersecurity measures, such as using the best antivirus software for PCs, Macs, and Android devices, can provide additional protection against potential malware infections.


Steps to Take Following a Data Breach

In the wake of a data breach, companies typically offer guidance and access to identity theft protection services. However, Ticketmaster has not yet confirmed the breach or announced any support for affected customers. Until more information is available, individuals should monitor their accounts for suspicious activity and consider changing passwords for any online accounts associated with the compromised email addresses.


Given ShinyHunters' notorious track record, including the 2021 leak of 70 million AT&T subscribers’ information, the claims warrant serious attention.


This incident surfaces the importance of cybersecurity and the potential vulnerabilities even large companies face. As the situation develops, staying informed and cautious will be key for those potentially affected by this breach. We will continue to provide updates as more information becomes available from Ticketmaster and other reliable sources.



Read more »
Social Security Number
AT&T Data Breach Data Hacking Mobile Numbers ShinyHunters Social Security Number

AT&T Denies Involvement in Massive Data Leak Impacting 71 Million People

 


AT&T has categorically denied any involvement in a significant data breach affecting approximately 71 million individuals. The leaked data, disseminated by a hacker on a cybercrime forum, allegedly originates from a 2021 breach of the company's systems. Despite assertions made by the hacker, known as ShinyHunters, and subsequent releases by another threat actor named MajorNelson, AT&T maintains its position, asserting that the leaked information did not originate from its infrastructure.

While the authenticity of the entire dataset remains unconfirmed, the verification of some entries suggests potential accuracy. This includes personal data that is not readily accessible for scraping, such as names, addresses, mobile phone numbers, encrypted dates of birth, encrypted social security numbers, and other internal details.

Despite refuting claims of a breach within its systems, AT&T has not provided definitive evidence to support its stance. Speculation persists regarding the involvement of third-party service providers or vendors, with AT&T yet to respond to inquiries seeking clarification on this matter.

While the leaked data purportedly includes sensitive personal information, such as social security numbers and dates of birth, decryption efforts by threat actors have rendered this data accessible. However, the precise origin of the leaked information remains elusive, fueling speculation and concern among affected individuals and cybersecurity experts alike.

For individuals who were AT&T customers before and during 2021, caution is advised, as the leaked data could potentially be exploited in various forms of targeted attacks, including SMS and email phishing, as well as SIM swapping schemes. Users are urged to exercise heightened caution and verify the authenticity of any communications purportedly from AT&T, refraining from disclosing sensitive information without direct confirmation from the company.

As investigations into the origins of the leaked data continue, the implications for affected individuals underscore the importance of robust cybersecurity measures and heightened awareness of potential threats. The incident serves as a telling marker of the ever-present risks associated with the digital realm and the imperative for proactive measures to safeguard personal information.

While AT&T denies any involvement in the data leak, concerns regarding the security and privacy of affected individuals persist. The unprecedented nature of cyber threats necessitates ongoing vigilance and collaborative efforts to combat risks and ensure the protection of personal data in an increasingly interconnected world.


Read more »
Subscribe to: Posts (Atom)