
Workiva Confirms Data Breach in Wake of Salesforce Security Incident


 

A recent cyberattack on Salesforce customers has prompted Workiva to disclose a breach linked to a recent wave of attacks, a reminder of the growing cybersecurity risks faced by global organisations. Workiva provides cloud-based financial reporting, compliance, and audit software.

The company confirmed that attackers accessed a third-party customer relationship management (CRM) system, exposing a limited set of business contact details, including names, email addresses, phone numbers, and support ticket information. Workiva stressed that its own platform and the customer data held in it remain secure.

The breach is attributed to the ShinyHunters extortion group and is part of a broader campaign in which the threat actors gained unauthorized access to sensitive business information by exploiting OAuth tokens and conducting voice phishing. Following the attack, Workiva warned customers to watch for spear-phishing attempts and emphasized that all official communications will continue to come only from its verified support channels.

According to Workiva, whose cloud-based platform is widely used for financial reporting, compliance and audit processes, the breach was traced back to unauthorized access to a third party's customer relationship management system. There has been a breach of security at Adobe.

In notifications sent to potentially affected clients, the company disclosed that attackers accessed a limited set of business contact details, such as names, email addresses, phone numbers, and support ticket data. Workiva clarified that its core platform and the customer data stored in it were not compromised; rather, the intrusion originated through a connected third-party application managed by the vendor responsible for Workiva's CRM system.

The company serves more than 6,300 customers, including 85 percent of the Fortune 500 and prominent names such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, and Mercedes-Benz, so it stressed the importance of staying vigilant and warned that the stolen data could be used for spear-phishing scams.

To reassure customers, Workiva reiterated that it would never solicit sensitive information by text or phone and that it would communicate only through its trusted support channels. The wave of intrusions has kept the cybersecurity community on alert, since even the most prominent security vendors were not spared.

Cloudflare, for example, reported that rather than relying on traditional social engineering, attackers exploited compromised credentials linked to Salesloft Drift, a third-party application integrated with Salesforce.

Using this access, threat actors infiltrated Cloudflare's Salesforce environment on August 12 and spent two days mapping the system before conducting a rapid exfiltration operation that, within minutes, pulled out sensitive data, deleted log files and attempted to erase digital traces.

Earlier, Palo Alto Networks confirmed a similar breach between August 8 and 18, with attackers leveraging stolen OAuth tokens to gain access to its Salesforce environment through the integration. During this period, the adversaries extracted customer contact information, sales records, and case data.

After obtaining these items, the adversaries later scanned the stolen data for passwords and cloud service credentials, which were used to facilitate secondary attacks targeting AWS and Snowflake platforms. Analysts point out that these incidents do not imply that core defences have collapsed, but rather that trust dependencies within digital ecosystems are fragile. 

Exploiting weak access controls and third-party connections, groups like Scattered Spider, Lapsus$, and ShinyHunters have profited from stolen data and ransom payments on underground channels, raising concern that the scope of exposure may be far greater than has been revealed.

Workday, one of the world's largest HR software providers, has confirmed that it too was a victim of the cyberattack campaign targeting Salesforce's customer relationship management platform. The incident, first reported on August 6, could have affected the personal information of up to 70 million individuals as well as the business information of 11,000 corporate clients.

Although Workday stressed that its core HR systems, known as customer tenants, were unaffected by the attack, it acknowledged that attackers accessed business contact details in its Salesforce integration, including names, email addresses, phone numbers, and fax numbers. The growing list of victims includes Google, Cisco, Qantas, and Pandora, among other large companies.

The breach underscores how adversaries increasingly target third-party service providers that act as gateways to vast amounts of personal data. With roughly 60% of Fortune 500 companies using Workday's platform, the incident emphasizes the risks of an interconnected digital supply chain.

Security experts have warned that SaaS and CRM systems, once treated as routine business tools, have become highly valuable attack surfaces for cybercriminals. With analysts pointing to ShinyHunters as the likely culprit, attention has turned to the group's tactics, namely phishing campaigns that impersonate HR and IT staff to trick employees into handing over their credentials.

The breach has reignited debate among cybersecurity professionals over whether these incidents reflect increasingly sophisticated social engineering or persistent shortcomings in organizational awareness and training. In light of the string of breaches tied to Salesforce integrations, enterprises are now reassessing how they monitor and secure the third-party platforms woven into their daily operations.

The incidents were unprecedented in scope and severity, and although some companies have contained the fallout more quickly than others, they illustrate that even the most trusted vendors are not invulnerable. Most cybersecurity specialists believe that organizations need a broader security posture beyond perimeter defense, including vendor risk management, zero-trust frameworks, and tighter identity and access controls.

Auditing integrations on a regular basis, minimizing permissions granted through OAuth, and monitoring API usage are no longer optional safeguards, but are strategic imperatives in an environment where many attackers thrive on exploiting overlooked trust relationships in order to achieve the greatest possible gain. 

Greater employee awareness of spear-phishing and impersonation schemes is also a critical component in reducing credential theft, an entry point that is becoming more prevalent each year. For organizations reliant on SaaS ecosystems, the lesson is clear: securing the extended supply chain is as important to business resilience as protecting internal infrastructure, and those who adapt will be best positioned to withstand the next wave of attacks.

Workday Suffers Data Breach in Broader Salesforce Campaign

 

Workday, a major player in the human resources sector, has disclosed a recent data breach caused by a social engineering attack targeting a third-party customer relationship management (CRM) system—specifically, a Salesforce instance.

Although Workday, headquartered in Pleasanton, California, provides services to over 11,000 organizations worldwide (including over 60% of the Fortune 500), the company reports that its main customer data environments known as "customer tenants" were not accessed or impacted by the breach. 

The breach, uncovered nearly two weeks before disclosure, exposed business contact information such as names, emails, and phone numbers contained in the compromised CRM. 

Workday clarified that the compromised data was mostly publicly available information frequently used for business contact purposes, but acknowledged that this exposure could still facilitate further social engineering or phishing attempts by malicious parties. Employees were alerted that attackers may attempt to contact them, impersonating HR or IT staff, to extract sensitive details or credentials. 

This incident is part of a larger ongoing campaign allegedly orchestrated by the ShinyHunters extortion group. BleepingComputer reports that this group specializes in targeting Salesforce CRM instances at major firms through tactics like voice phishing and social engineering. 

Their modus operandi often involves convincing employees to link a fraudulent OAuth application to the company's Salesforce environment, granting the attackers access to download vital company databases. The stolen data is subsequently used for extortion, and the ransom notes have consistently identified the group as ShinyHunters.

Several other global corporations—including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google—have fallen victim to similar attacks over the past few months, with activity believed to have started at the beginning of the year. 

Although Workday didn't confirm direct involvement with Salesforce in their public statement, a company spokesperson indicated the breach was associated with business contact data in the Salesforce platform. The attackers primarily leveraged social engineering, not technical vulnerabilities, to obtain unauthorized access. This breach highlights the increasing effectiveness of well-crafted social engineering attacks targeting SaaS platforms and the persistent threat posed by organized groups such as ShinyHunters. While the compromise did not reach more sensitive internal systems, Workday and similar organizations face ongoing risks of secondary attacks fueled by the exposed contact data.

ShinyHunters’ Voice Phishing Attacks Target Salesforce Users, Breaches Hit Qantas, LVMH, Adidas, and Allianz

 

A recent wave of high-profile data breaches affecting global brands such as Qantas, Allianz Life, LVMH, and Adidas has been traced to the ShinyHunters extortion group. The group has been exploiting voice phishing tactics to compromise Salesforce CRM instances, according to Google’s Threat Intelligence Group (GTIG).

In June, GTIG reported that a threat actor tracked as UNC6040 was conducting sophisticated social engineering campaigns targeting Salesforce users. The attackers posed as IT support over phone calls, directing victims to the Salesforce connected app setup page and instructing them to enter a “connection code.” This action granted access to a malicious version of Salesforce’s Data Loader OAuth app. In some cases, the Data Loader tool was disguised as “My Ticket Portal” to appear legitimate.
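The connected-app flow just described, and the advice earlier on this page (in the Workiva post) to audit integrations and minimize OAuth permissions, come down to the same control: periodically review which connected apps hold OAuth grants in the org, and key that review on the app's identity rather than its display name, because the malicious app carried a legitimate tool's name. The following is an added example in Python, not Workiva's, Salesforce's or the post's own code. It assumes grant records have been exported from Salesforce's OAuthToken object (AppName, User, LastUsedDate, UseCount) with the connected app's consumer key and granted scopes added alongside; the allowlist keys, sample grants and usage thresholds are constructed for the example.

```python
"""Audit OAuth grants to Salesforce connected apps against an allowlist.

Added example; not Workiva's, Salesforce's or the blog's code. The record
shape is modelled on the OAuthToken object's AppName, User, LastUsedDate and
UseCount fields; consumer_key and scopes, the approved-app table and the
thresholds are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OAuthGrant:
    app_name: str        # display name shown to the user (spoofable)
    consumer_key: str    # identifies the connected app itself
    username: str
    scopes: tuple        # OAuth scopes the token was granted
    last_used: datetime
    use_count: int


# Approved connected apps keyed by consumer key. The keys are constructed
# placeholders; a real allowlist holds the apps' actual consumer keys.
APPROVED_APPS = {
    "3MVG9_PLACEHOLDER_DATALOADER": "Data Loader",
    "3MVG9_PLACEHOLDER_SSO": "Corporate SSO",
}

# Scopes that allow bulk reads of CRM data or minting of new access tokens.
HIGH_RISK_SCOPES = {"full", "api", "refresh_token", "web"}

# Constructed thresholds: this many uses inside this window looks like a
# scripted bulk download rather than interactive use.
BURST_USES = 1000
BURST_WINDOW = timedelta(days=1)


def review_grants(grants, approved=APPROVED_APPS, now=None):
    """Return (username, app_name, reasons) for every grant needing review."""
    now = now or datetime.now(timezone.utc)
    approved_names = {name.lower() for name in approved.values()}
    findings = []
    for g in grants:
        reasons = []
        if g.consumer_key not in approved:
            reasons.append("app not on allowlist")
            # An unapproved app wearing an approved app's name is the pattern
            # described above (a look-alike Data Loader).
            if g.app_name.lower() in approved_names:
                reasons.append("display name imitates an approved app")
            risky = sorted(set(g.scopes) & HIGH_RISK_SCOPES)
            if risky:
                reasons.append("high-risk scopes: " + ", ".join(risky))
        elif approved[g.consumer_key].lower() != g.app_name.lower():
            reasons.append("approved consumer key now shows a different name")
        if g.use_count >= BURST_USES and now - g.last_used <= BURST_WINDOW:
            reasons.append("burst of API use in the last day")
        if reasons:
            findings.append((g.username, g.app_name, reasons))
    return findings


# Constructed sample grants as an audit run on 20 Aug 2025 would see them.
NOW = datetime(2025, 8, 20, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    OAuthGrant("Data Loader", "3MVG9_PLACEHOLDER_DATALOADER", "alice@example.com",
               ("api", "refresh_token"), NOW - timedelta(days=3), 40),
    OAuthGrant("Corporate SSO", "3MVG9_PLACEHOLDER_SSO", "bob@example.com",
               ("openid", "id"), NOW - timedelta(hours=2), 120),
    OAuthGrant("Data Loader", "3MVG9_UNKNOWN_0001", "bob@example.com",
               ("full", "refresh_token"), NOW - timedelta(hours=1), 5200),
    OAuthGrant("My Ticket Portal", "3MVG9_UNKNOWN_0002", "carol@example.com",
               ("api", "refresh_token"), NOW - timedelta(days=1, hours=1), 3),
]


def audit_sample():
    """Run the review over the constructed sample with a fixed clock."""
    return review_grants(SAMPLE_GRANTS, now=NOW)


if __name__ == "__main__":
    for user, app, reasons in audit_sample():
        print(f"{user}: '{app}' -> {'; '.join(reasons)}")
```

Run on the sample, the legitimate Data Loader and SSO grants pass, while the look-alike Data Loader is flagged on four counts (unknown consumer key, imitated name, full and refresh_token scopes, and a burst of use) and "My Ticket Portal" on two. Matching on the consumer key is what separates the two "Data Loader" entries; a review keyed on names alone would accept both.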

While most attacks involved vishing (voice phishing), credentials and MFA tokens were also stolen through fake Okta login pages. Around this time, several companies disclosed breaches involving third-party customer service or cloud CRM systems.

LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to customer databases, with Tiffany Korea stating the breach stemmed from “a vendor platform used for managing customer data.” Similarly, Adidas, Qantas, and Allianz Life reported incidents linked to external systems. Allianz Life confirmed that on July 16, 2025, a “malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America.”

Although Qantas has not confirmed whether Salesforce was involved, local media reports claim the stolen data came from its Salesforce instance. Court filings also reveal that the attackers targeted “Accounts” and “Contacts” — both native Salesforce database objects.

BleepingComputer has since verified that all affected companies were targeted as part of the same campaign highlighted by Google. So far, the breaches have not resulted in public data leaks, with ShinyHunters allegedly attempting private email extortion. Experts warn that if these efforts fail, mass data leaks similar to the group’s previous Snowflake incidents could follow.

"We have not identified any data leak sites associated with this activity," said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG. "It is plausible that the threat actor intends to sell the data instead of sharing it publicly. This approach would align with prior ShinyHunters Group activity."

Google notes that it is tracking these incidents under separate designations: UNC6040 for the initial breaches and UNC6240 for the subsequent extortion attempts.

The ShinyHunters group has long been associated with large-scale data theft and extortion schemes. Their methods sometimes overlap with those used by Scattered Spider (UNC3944), another notorious hacking group targeting sectors like aviation, retail, and insurance. While Scattered Spider typically conducts full network breaches — sometimes deploying ransomware — ShinyHunters often focus on cloud-based platforms and web applications.

Some security researchers believe there is significant crossover between UNC6040/UNC6240 and UNC3944, with both groups potentially sharing members or operating within the same online circles. The network is also suspected to overlap with “The Com,” a cybercriminal collective of English-speaking hackers.

Theories suggest that ShinyHunters may operate as an extortion-as-a-service model, conducting extortion campaigns for other hacking groups in exchange for a profit share. The group has been tied to past breaches at PowerSchool, Oracle Cloud, Snowflake, AT&T, Wattpad, and others. Even after multiple arrests of individuals linked to the name, fresh attacks continue, with the group often identifying itself as a “collective.”

Salesforce maintains that its systems remain uncompromised, with the breaches resulting from social engineering targeting customer accounts rather than platform vulnerabilities.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform… customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks," the company told BleepingComputer.

 

Cybercriminal Group UNC5537 Strikes with Major Data Breaches

 

In recent weeks, the cybercriminal group UNC5537 has made significant waves. This ransomware gang, potentially linked to ShinyHunters or Scattered Spider, stole over 560 million customer records from Ticketmaster. On May 28, they listed this data for sale on their revamped leak site, BreachForums, with a price tag of $500,000. Just two days later, the group claimed to have obtained 30 million account records from Santander Bank in Spain, demanding $2 million for the data. Both companies confirmed the breaches after these announcements.

A June 10 analysis by Mandiant, an incident-response firm now part of Google, revealed that these data leaks, along with at least 163 other breaches, were not due to system vulnerabilities but rather the exploitation of stolen credentials and inadequate multifactor authentication (MFA) controls. According to Mandiant, no evidence indicates that the breaches stemmed from Snowflake's enterprise environment. Instead, all incidents are traced back to compromised customer credentials.

While implementing MFA could have prevented the data theft from Snowflake's systems, the companies involved have broader issues beyond this single control. Businesses must ensure visibility into their attack surfaces, promptly disable accounts of former employees and contractors, and minimize entry points for attackers. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, emphasizes that attackers often exploit basic security lapses. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities," he notes.

Key Lessons from Recent Cloud Breaches

1. Start With MFA and Then Go Beyond

There is significant room for improvement in MFA adoption. Despite reports showing that 64% of workers and 90% of administrators use MFA, over 60% of organizations still have at least one root user or administrator without MFA enabled. According to Ofer Maor, co-founder and CTO at Mitiga, achieving consistent and verifiable MFA implementation is crucial. He suggests that companies enforce and require MFA, disable non-SSO logins, and enhance security measures with device- or hardware-based authentication for sensitive infrastructure.

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should implement access control lists (ACLs) to restrict user access to cloud services or at least review access logs daily for anomalies. Jake Williams, a faculty analyst at IANS Research, recommends restricting IP addresses for cloud infrastructure access and emphasizes the importance of access reviews to identify unexpected access points.

3. Maximize Visibility Into Cloud Services

Continuous monitoring of applications, log data, access activity, and data aggregation services is essential for detecting and preventing attacks. Organizations need to alert on specific behaviors or threats, which could have identified the cybercriminals' attempts to access cloud data, says Brian Soby, CTO and co-founder at AppOmni.

4. Don't Rely on Your Cloud Providers' Defaults

Cloud providers often prioritize usability over security, so relying solely on their default settings can be risky. For example, Snowflake's default settings do not require MFA, making it easier for attackers with compromised credentials to gain full access. Companies must go beyond these defaults and enforce higher security standards.

5. Check Your Third Parties

Even if a company does not directly use Snowflake or another cloud service, third-party providers might, exposing their data to risk. Ensuring that all service providers handling company data follow proper security measures is essential, as highlighted by IANS Research's Williams. Reaching out to service providers to confirm their security practices is crucial in protecting data in today's complex supply chain environment.
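The five lessons above translate into checks that can be run against a cloud provider's account-usage data. The following is an added example in Python, not Snowflake's, Mandiant's or the article's code. It reviews constructed user and login records shaped after columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.USERS (NAME, HAS_MFA, DISABLED, LAST_SUCCESS_LOGIN) and LOGIN_HISTORY (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS) views: it flags active users without MFA, rating administrators higher (lesson 1); successful logins from outside an IP allowlist (lesson 2); password-only logins as an alertable behaviour (lesson 3); and accounts with no login in 90 days that should be disabled if the person has left. The roles field, the allowed network ranges and the thresholds are assumptions for the example.

```python
"""Review Snowflake-style user and login records for MFA, IP-allowlist,
password-only-login and stale-account gaps.

Added example; not Snowflake's, Mandiant's or the blog's code. Record shapes
follow ACCOUNT_USAGE.USERS and LOGIN_HISTORY columns; the roles field, the
network ranges and the thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    has_mfa: bool
    disabled: bool
    roles: Tuple[str, ...]           # assumed: roles granted to the user
    last_login: Optional[datetime]   # LAST_SUCCESS_LOGIN, None if never


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    client_ip: str
    first_factor: str                # e.g. "PASSWORD"
    second_factor: Optional[str]     # None when only one factor was used
    success: bool


ADMIN_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}
# Constructed corporate egress ranges (RFC 5737 documentation addresses).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
STALE_AFTER = timedelta(days=90)


def review_access(users, logins, allowed=ALLOWED_NETWORKS, now=None):
    """Return (severity, user, message) tuples, one per finding."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Lesson 1: every active user needs MFA; an admin without it is high severity.
    # Stale accounts are the former-employee/contractor problem the text raises.
    for u in users:
        if u.disabled:
            continue
        if not u.has_mfa:
            sev = "high" if set(u.roles) & ADMIN_ROLES else "medium"
            findings.append((sev, u.name, "no MFA enrolled"))
        if u.last_login is None or now - u.last_login > STALE_AFTER:
            findings.append(("medium", u.name, "no login in 90 days; disable if departed"))
    # Lessons 2 and 3: successful logins from outside the allowlist, and
    # password-only logins, are the events worth alerting on.
    for l in logins:
        if not l.success:
            continue
        outside = not any(ip_address(l.client_ip) in net for net in allowed)
        if outside:
            findings.append(("high", l.user, f"login from {l.client_ip} outside allowed networks"))
        if l.first_factor == "PASSWORD" and l.second_factor is None:
            findings.append(("high" if outside else "medium", l.user, "password-only login"))
    return findings


# Constructed sample data as of 10 June 2024.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_USERS = [
    User("SVC_ETL", False, False, ("ACCOUNTADMIN",), NOW - timedelta(days=1)),
    User("ALICE", True, False, ("SYSADMIN",), NOW - timedelta(days=2)),
    User("BOB_CONTRACTOR", False, False, ("PUBLIC",), NOW - timedelta(hours=6)),
    User("EX_CONTRACTOR", False, False, ("PUBLIC",), NOW - timedelta(days=147)),
    User("OLD_DISABLED", False, True, ("PUBLIC",), None),
]
SAMPLE_LOGINS = [
    Login(NOW - timedelta(days=2), "ALICE", "203.0.113.5", "PASSWORD", "DUO_PUSH", True),
    Login(NOW - timedelta(days=1), "SVC_ETL", "192.0.2.77", "PASSWORD", None, True),
    Login(NOW - timedelta(hours=6), "BOB_CONTRACTOR", "203.0.113.9", "PASSWORD", None, True),
    Login(NOW - timedelta(hours=1), "ALICE", "192.0.2.10", "PASSWORD", None, False),
]


def review_sample():
    """Run the review over the constructed sample with a fixed clock."""
    return review_access(SAMPLE_USERS, SAMPLE_LOGINS, now=NOW)


if __name__ == "__main__":
    for sev, user, msg in review_sample():
        print(f"[{sev}] {user}: {msg}")
```

On the sample, the service account with ACCOUNTADMIN and no MFA that logs in with a password alone from an address outside the corporate ranges produces three high-severity findings, which is exactly the shape of account the text describes being abused; the failed login is skipped because only successful access is actionable here. In a real environment the same rows come from the two ACCOUNT_USAGE views and the allowlist mirrors the account's network policy.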

Hackers Exploit Snowflake Data, Targeting Major Firms

 

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they gained access to some Snowflake accounts by breaching a Belarusian-founded contractor working with those customers. Approximately 165 customer accounts were potentially affected in this hacking campaign targeting Snowflake’s clients, with a few identified so far. 

One affected Snowflake account held data that included bank details for 30 million customers and other sensitive information. LendingTree and Advance Auto Parts might also be victims. Snowflake has not detailed how the hackers accessed the accounts, only noting that its own network was not directly breached. Google-owned security firm Mandiant, which is involved in investigating the breaches, revealed that hackers sometimes gained access through third-party contractors but did not name those contractors or explain how this facilitated the breaches.

A hacker from the group ShinyHunters said they used data from an EPAM Systems employee to access some Snowflake accounts. EPAM, a software engineering firm founded by Belarus-born Arkadiy Dobkin, denies involvement, suggesting the hacker’s claims were fabricated. ShinyHunters has been active since 2020, responsible for multiple data breaches involving the theft and sale of large data troves. EPAM assists customers with using Snowflake's data analytics tools. The hacker said an EPAM employee’s computer in Ukraine was infected with info-stealer malware, allowing them to install a remote-access Trojan and access the employee’s system. 

They found unencrypted usernames and passwords stored in a project management tool called Jira, which were used to access and manage Snowflake accounts, including Ticketmaster’s. The lack of multifactor authentication (MFA) on these accounts facilitated the breaches. Although EPAM denies involvement, hackers did steal data from Snowflake accounts, including Ticketmaster's, and demanded large sums to destroy the data or threatened to sell it. The hacker claimed they directly accessed some Snowflake accounts using the stolen credentials from EPAM’s employee. The incident underscores the growing security risks from third-party contractors and the importance of advanced security measures like MFA. 

Mandiant noted that many credentials used in the breaches were harvested by infostealer malware from previous cyber incidents. Snowflake’s CISO, Brad Jones, acknowledged the breaches were enabled by the lack of MFA and mentioned plans to mandate MFA for Snowflake accounts. This incident highlights the need for robust cybersecurity practices and vigilance, particularly when dealing with third-party contractors, to safeguard sensitive data and prevent similar breaches in the future.

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multifactor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could enhance data protection by a notable measure.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


Ticketmaster Data Breach Affects Over 500 Million Customers


 


We are all music fans at heart, and recently the most eye-catching tour has been Taylor Swift's three-hour concerts. Now the platform that sells tickets for these in-demand tours, Ticketmaster, has taken a hit. In a substantial blow to one of the world's largest ticketing services, Ticketmaster has reportedly suffered a massive data breach impacting over half a billion customers. According to Mashable, the hacker group known as ShinyHunters claims responsibility for stealing customer data from nearly 560 million users. Although Ticketmaster has yet to confirm the breach, ShinyHunters has a history of high-profile hacks and is now selling the stolen data on a popular hacking forum for $500,000.


Details of the Stolen Data

ShinyHunters alleges they have obtained a substantial 1.3 terabytes of data, including sensitive information such as full names, addresses, and phone numbers. Additionally, the breach encompasses detailed order histories, which reveal ticket purchase details and event information. Alarmingly, partial payment information, including names, the last four digits, and expiration dates of credit cards, is also among the compromised data.


While waiting for Ticketmaster's official response, it is crucial for affected customers to take proactive steps to protect themselves. The stolen data could be used for targeted phishing attacks, making it essential to remain vigilant when checking emails, messages, or mail. Cybercriminals may impersonate reputable companies to trick individuals into revealing passwords or financial information.


To mitigate risks, users should avoid clicking on links or downloading attachments from unknown senders and always verify the legitimacy of the sender’s email address. Implementing robust cybersecurity measures, such as using the best antivirus software for PCs, Macs, and Android devices, can provide additional protection against potential malware infections.


Steps to Take Following a Data Breach

In the wake of a data breach, companies typically offer guidance and access to identity theft protection services. However, Ticketmaster has not yet confirmed the breach or announced any support for affected customers. Until more information is available, individuals should monitor their accounts for suspicious activity and consider changing passwords for any online accounts associated with the compromised email addresses.


Given ShinyHunters' notorious track record, including the 2021 leak of 70 million AT&T subscribers’ information, the claims warrant serious attention.


This incident underscores the importance of cybersecurity and the vulnerabilities that even large companies face. As the situation develops, staying informed and cautious will be key for those potentially affected by this breach. We will continue to provide updates as more information becomes available from Ticketmaster and other reliable sources.



AT&T Denies Involvement in Massive Data Leak Impacting 71 Million People

 


AT&T has categorically denied any involvement in a significant data breach affecting approximately 71 million individuals. The leaked data, disseminated by a hacker on a cybercrime forum, allegedly originates from a 2021 breach of the company's systems. Despite assertions made by the hacker, known as ShinyHunters, and subsequent releases by another threat actor named MajorNelson, AT&T maintains its position, asserting that the leaked information did not originate from its infrastructure.

While the authenticity of the entire dataset remains unconfirmed, the verification of some entries suggests potential accuracy. This includes personal data that is not readily accessible for scraping, such as names, addresses, mobile phone numbers, encrypted dates of birth, encrypted social security numbers, and other internal details.

Despite refuting claims of a breach within its systems, AT&T has not provided definitive evidence to support its stance. Speculation persists regarding the involvement of third-party service providers or vendors, with AT&T yet to respond to inquiries seeking clarification on this matter.

The leaked data purportedly includes sensitive personal information, such as social security numbers and dates of birth, stored in encrypted form, but decryption efforts by threat actors have rendered this data accessible. The precise origin of the leaked information nevertheless remains elusive, fueling speculation and concern among affected individuals and cybersecurity experts alike.

For individuals who were AT&T customers before and during 2021, caution is advised, as the leaked data could potentially be exploited in various forms of targeted attacks, including SMS and email phishing, as well as SIM swapping schemes. Users are urged to exercise heightened caution and verify the authenticity of any communications purportedly from AT&T, refraining from disclosing sensitive information without direct confirmation from the company.

As investigations into the origins of the leaked data continue, the implications for affected individuals underscore the importance of robust cybersecurity measures and heightened awareness of potential threats. The incident serves as a telling marker of the ever-present risks associated with the digital realm and the imperative for proactive measures to safeguard personal information.

While AT&T denies any involvement in the data leak, concerns regarding the security and privacy of affected individuals persist. The unprecedented nature of cyber threats necessitates ongoing vigilance and collaborative efforts to combat risks and ensure the protection of personal data in an increasingly interconnected world.


Baphomet Revives BreachForums: Return of the Infamous Cybersecurity Platform

 


In recent days, BreachForums, one of the best-known hacking forums on the dark web, was reported to have shut down after one of its top administrators was arrested by United States federal authorities, including the Federal Bureau of Investigation (FBI).

BreachForums was a popular cybercrime forum that grew into a significant platform for trafficking illicit content on the dark web.

A wide range of topics were discussed on the site, including breaches of personal information, hacking, phishing, exploitation, and fraud against financial institutions. Many of its users traded various types of stolen information, including databases, documents, and compromised accounts containing email addresses, passwords, and credit card details. Threat actors and cybercriminals also used the forum to communicate with each other. 

On March 20, 2023, BreachForums, which had been one of the most popular forums for hacking and data leaks this year, ceased to exist. Conor Brian Fitzpatrick (also known as 'pompompurin') had been arrested for a crime relating to the website, and the site was closed down. The remaining administrator of the forum, Baphomet, claimed that law enforcement had accessed the forum's servers, which prompted him to shut it down.  

The shutdown is believed to have been prompted by suspicions that law enforcement might have obtained access to the site's configuration, source code, and user information, and could use that material to compile a report on the forum. 

However, despite BreachForums being shut down and RaidForums being seized, the databases traded on those forums remain easily accessible through top hacking forums such as XSS and Exploit, which compete with BreachForums in popularity. 

In April 2022, after the arrest of Omnipotent, the founder of BreachForums, in the UK, the FBI confiscated and closed the site for violating its terms and conditions. 

A sudden turn of events occurred on March 19, 2023, when Baphomet, the current admin of BreachForums, informed the public in an update, which he said would be the forum's last post, that the hacking forum had officially closed. However, he stressed that "it was not the end." 

In addition, a Telegram account under the alias ShinyHunters (@shinycorp) has appeared alongside Baphomet and will be responsible for dealing with former BreachForums users. It has already begun disseminating information and updates on the forum's operations through its Twitter account, drawing the attention both of potential members and of those concerned about the forum's development. 

The BreachForums community had been filling the void left behind by RaidForums last year in a major way, becoming a lucrative marketplace where databases stolen from a variety of organizations and companies were bought and sold. 

There has also been a development regarding the arrest of Conor Brian Fitzpatrick (aka pompompurin), who has been charged with one count of conspiracy to commit fraud against access devices.

Baphomet says that neither he nor pompompurin currently has access to these domains. 

The timing of the disinformation campaign was noted as suspicious. Baphomet posited that it was meant to undermine the revived community's credibility. 

There is no doubt that the resurrected BreachForums presents a promising opportunity to its loyal users. However, Baphomet said that he would continue to warn against a "continued campaign against the community" and a "disinformation campaign", without providing any details about either.

On April 4th, 2023, an online hacking forum was established under a name similar to the one seized by the FBI in April 2022: RaidForums. There is no indication that the admins of the new forum are affiliated with the old one in any way. Alongside forums for discussing hacking and leaks, the site has sections dedicated to a marketplace, tutorials, and exchanges. The forum has had 1,725 members since its launch on April 9, 2023, and plans to grow in the future. 

In the wake of BreachForums' closure, cybercriminals have faced the challenge of finding a replacement forum, which has disrupted the cybercriminal community. Even so, the emergence of forums such as LeakBase and RaidForums, platforms that trade stolen data and discuss hacking, indicates that demand for such platforms remains high and that the market for them will continue to grow. 

Usage of top hacking forums such as XSS and Exploit has already seen a sudden increase as a result of these migrations. The fact that such platforms exist on the deep and dark web, and that they can be monitored to give the cybersecurity community an accurate picture of evolving threats and their sources, shows yet again why monitoring the dark web in general, and dark web platforms in particular, is so important.