Scattered LAPSUS$ Hunters Ransomware Group Claims New Victims on New Website
Daily Dark Web - dailydarkweb.net, October 3, 2025

The newly formed cybercrime alliance "Scattered LAPSUS$ Hunters" has launched a new website detailing its claims of a massive data breach affecting Salesforce and its extensive customer base. This development is the latest move by the group, a collaboration between members of the established threat actor crews ShinyHunters, Scattered Spider, and LAPSUS$. On the new site, the group is extorting Salesforce directly, threatening to leak nearly one billion records with a ransom deadline of October 10, 2025.

This situation stems from a widespread and coordinated campaign that targeted Salesforce customers throughout mid-2025. According to security researchers, the attacks did not exploit a vulnerability in Salesforce's core platform. Instead, the threat actors, particularly those from the Scattered Spider group, relied on social engineering. The primary method was voice phishing (vishing): attackers impersonated corporate IT or help desk staff in phone calls to employees of target companies. These employees were then manipulated into authorizing malicious third-party applications within their company's Salesforce environment. That authorization granted the attackers persistent OAuth access tokens, which let them bypass multi-factor authentication and exfiltrate large amounts of data. The alliance has now consolidated the data from these numerous breaches for a large-scale extortion attempt against Salesforce itself.

The website lists dozens of high-profile Salesforce customers allegedly compromised in the campaign. The list of alleged victims posted by the group includes:

• Toyota Motor Corporation (🇯🇵): A multinational automotive manufacturer.
• FedEx (🇺🇸): A global courier delivery services company.
• Disney/Hulu (🇺🇸): A multinational mass media and entertainment conglomerate.
• Republic Services (🇺🇸): An American waste disposal company.
• UPS (🇺🇸): A multinational shipping, receiving, and supply chain management company.
• Aeroméxico (🇲🇽): The flag carrier airline of Mexico.
• Home Depot (🇺🇸): The largest home improvement retailer in the United States.
• Marriott (🇺🇸): A multinational company that operates, franchises, and licenses lodging.
• Vietnam Airlines (🇻🇳): The flag carrier of Vietnam.
• Walgreens (🇺🇸): An American company that operates the second-largest pharmacy store chain in the United States.
• Stellantis (🇳🇱): A multinational automotive manufacturing corporation.
• McDonald's (🇺🇸): A multinational fast food chain.
• KFC (🇺🇸): A fast food restaurant chain that specializes in fried chicken.
• ASICS (🇯🇵): A Japanese multinational corporation which produces sportswear.
• GAP, INC. (🇺🇸): A worldwide clothing and accessories retailer.
• HMH (hmhco.com) (🇺🇸): A publisher of textbooks, instructional technology materials, and assessments.
• Fujifilm (🇯🇵): A multinational photography and imaging company.
• Instructure.com – Canvas (🇺🇸): An educational technology company.
• Albertsons (Jewel Osco, etc.) (🇺🇸): An American grocery company.
• Engie Resources (Plymouth) (🇺🇸): A retail electricity provider.
• Kering (🇫🇷): A global luxury group that manages brands like Gucci, Balenciaga, and Brioni.
• HBO Max (🇺🇸): A subscription video on-demand service.
• Instacart (🇺🇸): A grocery delivery and pick-up service.
• Petco (🇺🇸): An American pet retailer.
• Puma (🇩🇪): A German multinational corporation that designs and manufactures athletic footwear and apparel.
• Cartier (🇫🇷): A French luxury goods conglomerate.
• Adidas (🇩🇪): A multinational corporation that designs and manufactures shoes, clothing, and accessories.
• TripleA (aaa.com) (🇺🇸): A federation of motor clubs throughout North America.
• Qantas Airways (🇦🇺): The flag carrier of Australia.
• CarMax (🇺🇸): A used vehicle retailer.
• Saks Fifth (🇺🇸): An American luxury department store chain.
• 1-800Accountant (🇺🇸): A nationwide accounting firm.
• Air France & KLM (🇫🇷/🇳🇱): A major European airline partnership.
• Google Adsense (🇺🇸): A program run by Google through which website publishers serve advertisements.
• Cisco (🇺🇸): A multinational digital communications technology conglomerate.
• Pandora.net (🇩🇰): A Danish jewelry manufacturer and retailer.
• TransUnion (🇺🇸): An American consumer credit reporting agency.
• Chanel (🇫🇷): A French luxury fashion house.
• IKEA (🇸🇪): A Swedish-founded multinational group that designs and sells ready-to-assemble furniture.

According to the actor, the breach involves nearly 1 billion records from Salesforce and its clients. The allegedly compromised data includes:

• Sensitive Personally Identifiable Information (PII)
• Strategic business records that could impact market position
• Data from over 100 other demand instances hosted on Salesforce infrastructure
Update on a Security Incident Involving Third-Party Customer Service
discord.com, Discord, October 3, 2025

At Discord, protecting the privacy and security of our users is a top priority. That's why it's important to us that we're transparent with them about events that impact their personal information. Discord recently discovered an incident where an unauthorized party compromised one of Discord's third-party customer service providers. This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams. This unauthorized party did not gain access to Discord directly. No messages or activities were accessed beyond what users may have discussed with Customer Support or Trust & Safety agents. We immediately revoked the customer support provider's access to our ticketing system and continue to investigate this matter. We're working closely with law enforcement to investigate this matter. We are in the process of emailing the users impacted.

Recently, we discovered an incident where an unauthorized party compromised one of Discord's third-party customer service providers. The unauthorized party then gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams. As soon as we became aware of this attack, we took immediate steps to address the situation. This included revoking the customer support provider's access to our ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support our investigation and remediation efforts, and engaging law enforcement.

We are in the process of contacting impacted users. If you were impacted, you will receive an email from noreply@discord.com. We will not contact you about this incident via phone – official Discord communications channels are limited to emails from noreply@discord.com.

What happened?

An unauthorized party targeted our third-party customer support services to access user data, with a view to extorting a financial ransom from Discord.

What data was involved?

The data that may have been impacted was related to our customer service system. This may include:

• Name, Discord username, email and other contact details if provided to Discord customer support
• Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account
• IP addresses
• Messages with our customer service agents
• Limited corporate data (training materials, internal presentations)

The unauthorized party also gained access to a small number of government ID images (e.g., driver's license, passport) from users who had appealed an age determination. If your ID may have been accessed, that will be specified in the email you receive.

What data was not involved?

• Full credit card numbers or CCV codes
• Messages or activity on Discord beyond what users may have discussed with customer support
• Passwords or authentication data

What are we doing about this?

Discord has taken and will continue to take all appropriate steps in response to this situation. As standard, we will continue to frequently audit our third-party systems to ensure they meet our security and privacy standards. In addition, we have:

• Notified relevant data protection authorities.
• Proactively engaged with law enforcement to investigate this attack.
• Reviewed our threat detection systems and security controls for third-party support providers.

Taking next steps

Looking ahead, we recommend impacted users stay alert when receiving messages or other communication that may seem suspicious. We have service agents on hand to answer questions and provide additional support. We take our responsibility to protect your personal data seriously and understand the inconvenience and concern this may cause.
ShinyHunters launches Salesforce data leak site to extort 39 victims
bleepingcomputer.com, By Sergiu Gatlan, October 3, 2025

An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters."

Today, they launched a new data leak site listing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached.

The companies being extorted on the data leak site include well-known brands and organizations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO MAX, UPS, Chanel, and IKEA.

"All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer.

"We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site.

The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked.

"Should you comply, we will withdraw from any active or pending negotiation individually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added.

The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches, and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).
Security update: Incident related to Red Hat Consulting GitLab instance
redhat.com

We are writing to provide an update regarding a security incident related to a specific GitLab environment used by our Red Hat Consulting team. Red Hat takes the security and integrity of our systems and the data entrusted to us extremely seriously, and we are addressing this issue with the highest priority.

What happened

We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party's access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance. We have now implemented additional hardening measures designed to help prevent further access and contain the issue.

Scope and impact on customers

We understand you may have questions about whether this incident affects you. Based on our investigation to date, we can share:

• Impact on Red Hat products and supply chain: At this time, we have no reason to believe this security issue impacts any of our other Red Hat services or products, including our software supply chain or downloading Red Hat software from official channels.
• Consulting customers: If you are a Red Hat Consulting customer, our analysis is ongoing. The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat's project specifications, example code snippets, and internal communications about consulting services. This GitLab instance typically does not house sensitive personal data. While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time. We will notify you directly if we believe you have been impacted.
• Other customers: If you are not a Red Hat Consulting customer, there is currently no evidence that you have been affected by this incident.

For clarity, this incident is unrelated to a Red Hat OpenShift AI vulnerability (CVE-2025-10725) that was announced yesterday.

Our next steps

We are engaging directly with any customers who may be impacted. Thank you for your continued trust in Red Hat. We appreciate your patience as we continue our investigation.
Red Hat confirms security incident after hackers claim GitHub breach
bleepingcomputer.com, By Lawrence Abrams, October 2, 2025, 02:15 AM

An extortion group calling itself the Crimson Collective claims to have breached Red Hat's private GitHub repositories, stealing nearly 570GB of compressed data across 28,000 internal projects. This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network and platforms. A CER is a consulting document prepared for clients that often contains infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks.

Red Hat confirmed that it suffered a security incident related to its consulting business, but would not verify any of the attacker's claims regarding the stolen GitHub repositories and customer CERs.

"Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," Red Hat told BleepingComputer. "The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain."

While Red Hat did not respond to any further questions about the breach, the hackers told BleepingComputer that the intrusion occurred approximately two weeks ago. They allegedly found authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to have used to gain access to downstream customer infrastructure.

The hacking group also published a complete directory listing of the allegedly stolen GitHub repositories and a list of CERs from 2020 through 2025 on Telegram. The directory listing of CERs includes a wide range of sectors and well-known organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Navy's Naval Surface Warfare Center, the Federal Aviation Administration, the House of Representatives, and many others.

The hackers stated that they attempted to contact Red Hat with an extortion demand but received no response other than a templated reply instructing them to submit a vulnerability report to their security team. According to them, the created ticket was repeatedly assigned to additional people, including Red Hat's legal and security staff members.

BleepingComputer sent Red Hat additional questions, and we will update this story if we receive more information. The same group also claimed responsibility for briefly defacing Nintendo's topic page last week to include contact information and links to their Telegram channel.
Update: Kering confirms Gucci and other brands hacked; claims no conversations with hackers?
databreaches.net, Posted on September 15, 2025 by Dissent

On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined.

Kering never responded to emailed inquiries, but ShinyHunters provided DataBreaches with samples from both attacks that appeared legitimate. They also provided chat logs from negotiations they claimed took place with someone presenting themselves as Balenciaga's safety manager. Those negotiations appeared to go on for more than a month and a half, between June 20 and mid-August. According to the logs, it appeared Kering agreed to pay a ransom of 500,000 euros, but then they went silent and never followed through.

Kering Issues a Statement

Although they did not respond to DataBreaches' questions at the time, Kering issued a statement that they provided to other news sites, including LeMagIT and The Guardian. Their statement, as reported by LeMagIT, does not answer all of the questions DataBreaches had, but it's a start. Kering states (the statement was given in French; translated here):

"In June 2025, we found that an unauthorized third party had temporarily accessed our systems and viewed limited customer data from some of our Houses," explains Kering's press office in a statement sent to the editorial staff. It adds that "our Houses immediately reported this intrusion to the competent authorities and informed the customers in accordance with local regulations." It further specifies that no "financial information, such as bank account or credit card numbers, nor any personal identification number (social security number), was compromised during this incident." According to Kering's press office, "the intrusion was quickly identified and appropriate measures were taken to secure the affected systems and prevent such incidents from recurring in the future."

They do not name the brands affected, they do not disclose the total number of affected individuals, and when asked what countries were affected, Kering reportedly declined to answer Reuters' question.

An Inconsistent Statement?

It appears that neither Kering nor any of the affected brands detected the breaches on their own, and they only first found out when ShinyHunters contacted them in June. Why they did not discover the breaches by their own means is unknown to DataBreaches.

DataBreaches can confirm that there was no financial information in the samples of records that DataBreaches inspected. However, Kering's statement to another news outlet contradicts claims made by ShinyHunters to DataBreaches.net in important respects.

As previously reported, ShinyHunters provided this site with chat logs of negotiations between ShinyHunters and someone claiming to be a representative of Balenciaga. But Kering has apparently told the BBC that it did not engage in conversations with the criminal(s), and it didn't pay any ransom, consistent with long-standing law enforcement advice. Their denial appears to be factually inaccurate, at least in part.

At the time of our first publication, DataBreaches reported that Balenciaga had made a small test payment in BTC to ShinyHunters. This site did not include specific proof in that article, but ShinyHunters had provided this site with evidence at the time. We are posting that proof now in light of Kering's denial that they engaged in any conversations or paid any ransom.

The chat log provided to this site showed that Balenciaga was to make a small test payment in BTC to ShinyHunters on or about July 4. The amount mentioned in the chat log was 0.00045 BTC. The chat log also showed the BTC address as bc1qzwpshyadethrqum0yyjh7uxxzhsnjjgapdmr4c. DataBreaches had redacted that address from the published report. On July 4, Balenciaga's "user" told ShinyHunters that the test payment had been made (the log is in French; translated here):

[pending]: 2025-07-04
[03:09:08] shinycorp: Hello, you promised us a payment yesterday, but we haven't received anything. Any news?
[04:23:45] User: Hello
[04:24:05] User: we were delayed in creating the account
[04:24:09] User: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b
[04:24:18] User: attached is the proof of the test payment
[04:24:24] User: please verify
[04:52:42] shinycorp: Received for the first time
[06:17:52] shinycorp: Please broadcast the transaction.
[07:45:06] User: fichier:///C:/Utilisateurs/X/Bureau/flux de blocs.htm
[07:46:28] User: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b

DataBreaches had looked up the wallet address and found confirmation of the payment. The following is a screengrab showing the payment.

[Screenshot: BTC payment confirmation]

Kering's reported claims about no conversations and no payment appear to be refuted by the chat log and corresponding BTC transaction. ShinyHunters did not claim that Kering paid their ransom demand, but they do claim that there were extensive negotiations and that a small test payment was made, and there seems to be proof of that.

Kering's statement to other news sites also leaves a lot of other unanswered questions. They told the BBC that they had emailed all affected customers, but that raises other questions. DataBreaches emailed Kering again today to ask for additional details. Specifically, DataBreaches asked them:

• Have you notified data protection regulators in all of the countries where your customers reside?
• When did you send emails to customers to notify them?
• Have you notified store customers by postal mail if the customers did not provide email addresses? If not, how have you notified those without email addresses?
• Your statement claims that you did not have any conversations with the attackers. Has your legal department obtained IP addresses from qtox to find out the IP address of the person representing themselves as Balenciaga's negotiator? Are you claiming that ShinyHunters was lying about negotiations, or are you saying something else?

No reply has been received.

Furthermore, we still do not know how many unique customers, in total, were affected by these attacks on their brands. The BBC reported that it might be less than 7.4 million based on the number of unique email addresses. But the 7.4 million unique email addresses were only for the Balenciaga, Brioni, and Alexander McQueen data. There were more than 43 million records for the Gucci data set, so there would be a significant number of unique email addresses and customers there, too, and not all customers provide an email address.

Although Kering does not seem to be embracing public transparency in its incident response, we may eventually find out more if investors demand accountability or if data protection regulators report on any investigations and findings.
Lovesac confirms data breach after ransomware attack claims
bleepingcomputer.com, By Bill Toulas, September 8, 2025

American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident.

Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States and having annual net sales of $750 million. They are best known for their modular couch systems called 'sactionals,' as well as their bean bags called 'sacs.'

According to the notices sent to impacted individuals, between February 12, 2025, and March 3, 2025, hackers gained unauthorized access to the company's internal systems and stole data hosted on those systems. Lovesac discovered the breach on February 28, 2025, which means it took them three days to fully remediate the situation and block the threat actor's access to its network.

The data that has been stolen includes full names and other personal information that hasn't been disclosed in the notice sample shared with the Attorney General's offices. The company has not clarified whether the incident impacts customers, employees, or contractors, and neither has it disclosed the exact number of individuals affected.

Enclosed in the notification letter, recipients will find instructions on enrolling in a 24-month credit monitoring service through Experian, redeemable until November 28, 2025. The company noted that it currently has no indication that the stolen information has been misused, but urges impacted individuals to remain vigilant against phishing attempts.

Ransomware gang claimed attack on Lovesac

Although Lovesac does not name the attackers and didn't mention data encryption in the letters, the RansomHub ransomware gang claimed an attack on March 3, 2025. The threat actors added Lovesac to their extortion portal, announcing the breach and indicating plans to leak the stolen data if a ransom payment isn't made. We were unable to determine if they followed up on this threat.

The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has since amassed a roster of high-profile victims, including staffing firm Manpower, oilfield services giant Halliburton, the Rite Aid pharmacy chain, Kawasaki's European division, the Christie's auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood healthcare nonprofit, and Italy's Bologna Football Club. The ransomware operation quietly shut down in April 2025, with many of its affiliates moving to DragonForce.

BleepingComputer has contacted Lovesac to learn more about the incident, its impact, and how many customers were impacted, and will update this post if we receive a response.
Vietnam’s national credit registration and reporting agency hacked; most of the population affected – DataBreaches.Net
Vietnam’s national credit registration and reporting agency hacked; most of the population affected – DataBreaches.Net
databreaches.net Posted on September 8, 2025 by Dissent

Some data breaches make headlines for the number of people affected globally, such as a Facebook scraping incident in 2019 that affected 553 million people worldwide. Then there are breaches that affect a country’s entire population or much of it, such as a misconfigured database that exposed almost the entire population of Ecuador in 2019, an insider breach that compromised the information of almost all Israelis in 2006, a misconfigured voter database that exposed more than 75% of Mexican voters in 2016, and the UnitedHealth Change Healthcare ransomware incident in 2024 that affected more than 190 million Americans. And now there’s Vietnam.

ShinyHunters claims to have successfully attacked and exfiltrated more than 160 million records from the Credit Institute of Vietnam, which manages the country’s state-run National Credit Information Center.

Vietnam National Credit Information Center is a public non-business organization directly under the State Bank of Vietnam, performing the function of national credit registration; collecting, processing, storing and analyzing credit information; preventing and limiting credit risks; scoring and rating the credit of legal entities and natural persons within the territory of Vietnam; and providing credit information products and services in accordance with the provisions of the State Bank and the law.

While those affiliated with ShinyHunters bragged on Telegram that Vietnam was “owned within 24 hours,” ShinyHunters listed the data for sale on a hacking forum, and provided a large sample of data from what they described as more than 160 million records with “very sensitive information including general PII, credit payment, risks analysis, Credit cards (require your own deciphering of the FDE algorithm), Military IDs, Government IDs, Tax IDs, Income Statements, debts owed, and more.”

DataBreaches asked ShinyHunters for additional details about the incident, including how many unique individuals were in the data, because the country’s entire population is slightly under 102 million. ShinyHunters responded that the data set included historical data. They stated that they did not know how many unique individuals were involved, but were pretty sure they got the entire population.

Because this incident did not seem to be consistent with ShinyHunters’ recent campaigns, DataBreaches asked how they picked the target and how they gained access. According to ShinyHunters, they picked the target because it held a massive amount of data. The total number of records (lines) across all tables was like 3 billion or more, they said, and they gained access by an n-day exploit. On follow-up, DataBreaches asked whether this was an exploit that CIC could have been able to patch. There was no actual patch available, Shiny stated, as the software was end-of-life.

In response to a question as to whether the CIC had responded to any extortion or ransom demands, ShinyHunters stated that there had been no ransom attempt at all because ShinyHunters assumed they would not get any response at all. DataBreaches emailed the CIC to ask them about the claims, but had received no reply by publication.

If CIC responds to DataBreaches’ inquiries, this post will be updated, but it is important to note that there is no confirmation of ShinyHunters’ claims at this point, however credible their claims may appear. It is also important to note that this post has referred to this as an attack by ShinyHunters and has not attributed it to Scattered Spider or Lapsus$. When DataBreaches asked which group(s) to attribute this to, ShinyHunters replied, “It wasn’t a Scattered Spider type of hack … so ShinyHunters.” ShinyHunters acknowledged that they need to deal with the name situation, but said, “I don’t know how to fix the name problem considering for years everyone thought both are completely different groups.”
Important Notice of Security Incident - Announcements - Plex Forum
forums.plex.tv

We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remai

What happened

An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data. Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.

What we’re doing

We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.

What you must do

If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.

If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says “Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.

Additional Security Measures You Can Take

We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.

Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.

For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/account-requires-password-reset
SaaS giant Workiva discloses data breach after Salesforce attack
bleepingcomputer.com By Sergiu Gatlan September 3, 2025

Update September 04, 06:27 EDT: Updated the list of cybersecurity companies whose Salesforce instances were breached in the Salesloft supply chain attack.

Workiva, a leading cloud-based SaaS (Software as a Service) provider, notified its customers that attackers who gained access to a third-party customer relationship management (CRM) system stole some of their data.

The company's cloud software helps collect, connect, and share data for financial reports, compliance, and audits. It had 6,305 customers at the end of last year and reported revenues of $739 million in 2024. Its customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, Mercedes-Benz, and more.

According to a private email notification sent to affected Workiva customers last week and seen by BleepingComputer, the threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content.

"This is similar to recent events that have targeted several large organizations. Importantly, the Workiva platform and any data within it were not accessed or compromised," the company explained. "Our CRM vendor notified us of unauthorized access via a connected third-party application."

Workiva also warned impacted customers to remain vigilant, as the stolen information could be used in spear-phishing attacks. "Workiva will never contact anyone by text or phone to request a password or any other secure details. All communications from Workiva come through our trusted official support channels," it said.

Salesforce data breaches

While Workiva didn't share more details regarding this attack, BleepingComputer has learned that this incident was part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group that impacted many high-profile companies.

Most recently, Cloudflare disclosed that it was forced to rotate 104 Cloudflare platform-issued tokens stolen by ShinyHunters threat actors, who gained access to the Salesforce instance used for customer support and internal customer case management in mid-August.

ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year, impacting companies such as Google, Cisco, Allianz Life, Farmers Insurance, Workday, Qantas, Adidas, and LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

More recently, the extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances and extract sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.

Using this method, ShinyHunters also gained access to a small number of Google Workspace accounts in addition to stealing Salesforce CRM data and breaching the Salesforce instances of multiple cybersecurity companies, including Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks.
Cloudflare hit by data breach in Salesloft Drift supply chain attack
bleepingcomputer.com By Sergiu Gatlan September 2, 2025

Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.

The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens.

Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens.

"Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," Cloudflare said.

"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel."

The company's investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9.

These exfiltrated case objects contained only text-based data, including:

The subject line of the Salesforce case
The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare)
Customer contact information (for example, company name, requester's email address and phone number, company domain name, and company country)

"We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare added. "Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations."

Wave of Salesforce data breaches

Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims.

Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters' social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them.

Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact info and text comments.

The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services. The cybersecurity company observed the attackers searching for secrets, including AWS access keys (AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as "secret," "password," or "key," which could be used to breach more cloud platforms to steal data in other extortion attacks.
Salesloft Drift Supply Chain Incident: Key Details and Zscaler’s
zscaler.com August 30, 2025

Zscaler swiftly mitigated a security incident impacting Salesloft Drift and is ensuring robust protection against potential vulnerabilities.

At Zscaler, protecting your data and maintaining transparency are core to our mission to secure, simplify and accelerate business transformation. We are committed to keeping you informed about key developments that may impact your organization.

What Happened?

Zscaler was made aware of a campaign targeted at Salesloft Drift (marketing software-as-a-service) and impacting a large number of Salesforce customers. This incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information. The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler's products, services or underlying systems and infrastructure.

As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers, including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials allowed limited access to some Zscaler Salesforce information.

What Information May Be Affected?

The information accessed was limited to commonly available business contact details for points of contact and specific Salesforce-related content, including:

Names
Business email addresses
Job titles
Phone numbers
Regional/location details
Zscaler product licensing and commercial information
Plain text content from certain support cases [this does NOT include attachments, files, and images]

After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information. If anything changes, we will provide further communications and updates.

What Did Zscaler Do?

Zscaler acted swiftly to address the incident and mitigate risks. Steps taken include:

Revoking Salesloft Drift’s access to Zscaler’s Salesforce data
Rotating other API access tokens out of an abundance of caution
Launching a detailed investigation into the scope of the event, working closely with Salesforce to assess and understand impacts as they continue investigating
Implementing additional safeguards and strengthening protocols to defend against similar incidents in the future
Immediately launching a third-party risk management investigation for third-party vendors used by Zscaler
Further strengthening the Zscaler Customer Support team’s customer authentication protocol when responding to customer calls, to safeguard against potential phishing attacks

What You Can Do

Although the incident’s scope remains limited (as stated above) and no evidence of misuse has been found, we recommend that customers maintain heightened vigilance. Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details. Given that other organizations have suffered similar incidents stemming from Salesloft Drift, it’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information. Always verify the source of communication and never disclose passwords or financial data via unofficial channels.

Zscaler Support will never request authentication or authorization details through unsolicited outreach, including phone calls or SMS. All official Zscaler communications come from trusted Zscaler channels. Please exercise caution and report any suspicious phishing activity to security@zscaler.com.
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
bleepingcomputer.com By Lawrence Abrams August 25, 2025

U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks.

Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide.

The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025.

"On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification on its website.

"The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities."

The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach.

Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted.

While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year.

BleepingComputer contacted Farmers with additional questions about the breach and will update the story if we receive a response.

The Salesforce data theft attacks

Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers. During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.

The extortion demands come from the ShinyHunters cybercrime group, who told BleepingComputer that the attacks involve multiple overlapping threat groups, with each group handling specific tasks to breach Salesforce instances and steal data.

"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."

Other companies impacted in these attacks include Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
Speed cameras knocked out after cyber attack
bitdefender.com 19.08.2025

A hack of the Netherlands' Public Prosecution Service has had an unusual side effect - causing some speed cameras to no longer capture evidence of motorists breaking the rules of the road.

Last month, Dutch media reports confirmed that Openbaar Ministerie (OM), the official body responsible for bringing suspects before the criminal court in the Netherlands, had suffered a security breach by hackers. The National Cybersecurity Centre (NCSC) and data protection regulators in The Netherlands were informed that a data breach had potentially occurred, and an internal memo from the organisation's director of IT warned of the risks of reconnecting systems to the internet without knowing that the hackers had been expelled from the network.

And it is the disconnection of systems which has left many speed cameras in a non-functioning state - news that will bemuse cybercriminals and delight errant motorists, but is unlikely to be welcomed by those who care about road safety.

Local media reports claim that fixed speed cameras, average speed checks, and portable speed cameras that are usually in one location for about two months before relocation are impacted by the outage - with the only type to escape the problem being those which look out for motorists who are using their mobile phone while driving.

According to evidence seen by journalists, the Public Prosecution Service took itself offline on July 17, following suspicions that hackers had exploited vulnerabilities in Citrix devices to gain unauthorised access. The organisation's disconnection from the internet left workers still able to email each other internally, but any communications or documents that were needed outside the organisation had to be printed out on paper.

Marthyne Kunst, a member of the crisis team dealing with the hack, told the media that this meant messages were having to be sent by post and lawyers were having to bring paperwork to their cases. The consequence? Cases may be prevented from going ahead in a timely fashion. "Unfortunately, it all takes more time," said Kunst.

And as for the speed cameras? Well, apparently it is not possible to reactivate them while the prosecution service's systems are down.

So this isn't a case of police cameras being hacked (although that has happened before), but it is another example of how all manner of connected systems can be impacted in the aftermath of a cyber attack.

The outage of speed cameras in the Netherlands is a timely reminder to us that cyber attacks do not just steal data - they can cause repercussions in sometimes strange and dangerous ways. In this instance, a hack hasn't only slowed down court cases and forced lawyers back to their filing cabinets, it has also blinded cameras designed to keep roads safe.
TPG Telecom reveals iiNet order management system breached
itnews.com.au

TPG Telecom has revealed that iiNet’s order management system was breached by an unknown attacker who abused legitimate credentials to gain access. The telco said [pdf] that it “appears” that a list of email addresses and phone numbers was extracted from the system.

“Based on current analysis, the list contained around 280,000 active iiNet email addresses and around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers,” TPG said. “In addition, around 10,000 iiNet usernames, street addresses and phone numbers and around 1700 modem set-up passwords, appear to have been accessed.”

The order management system is used to create and track orders for iiNet services. TPG Telecom said that the system does not store “copies or details of identity documents, credit card or banking information.”

The telco apologised “unreservedly” for the incident and said it would contact all iiNet customers, both those impacted as well as “all non-impacted iiNet customers to confirm they have not been affected.” Investigations so far have not uncovered any escalation of the breach by the attacker beyond the order management system. TPG Telecom has advised relevant government agencies of the incident.
AT&T may pay customers up to $7,500 in $177 million data breach settlement
edition.cnn.com | CNN Business

Millions of AT&T customers can file claims worth up to $7,500 in cash payments as part of a $177 million settlement related to data breaches in 2024. The telecommunications company had faced a pair of data breaches, announced in March and July 2024, that were met with lawsuits. Here’s a breakdown.

What happened?

On March 30, 2024, AT&T announced it was investigating a data leak that had occurred roughly two weeks prior. The breach had affected data until 2019, including Social Security numbers, and the information of 73 million former and current customers was found in a dataset on the dark web.

Four months later, the company blamed an “illegal download” on a third-party cloud platform that it learned about in April for a separate breach. This leak included telephone numbers of “nearly all” AT&T cellular customers and customers of providers that used the AT&T network between May 1 and October 31, 2022, the company said.

The class-action settlement includes a $149 million cash fund for the first breach and a $28 million payout for the second breach.

Am I eligible for a claim?

AT&T customers whose data was involved in either breach, or both, will be eligible. Customers eligible to file a claim will receive an email notice, according to the settlement website. AT&T said Kroll Settlement Administration is notifying current and former customers.

How do I file a claim?

The deadline to submit a claim is November 18. The final approval hearing for the settlement is December 3, according to the settlement website, and there could be appeals following an approval “and resolving them can take time.” “Settlement Class Member Benefits will begin after the Settlement has obtained Court approval and the time for all appeals has expired,” the website states.

How much can I claim?

Customers impacted by the March incident are eligible for a cash payment of up to $5,000. Claims must include documentation of losses that happened in 2019 or later, and that are “fairly traceable” to the AT&T breach.
Hackers leak Allianz Life data stolen in Salesforce attacks
bleepingcomputer.com

Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.

Last month, Allianz Life disclosed that it suffered a data breach when the personal information for the "majority" of its 1.4 million customers was stolen from a third-party, cloud-based CRM system on July 16th. While the company did not name the provider, BleepingComputer first reported the incident was part of a wave of Salesforce-targeted thefts carried out by the ShinyHunters extortion group.

Over the weekend, ShinyHunters and other threat actors claiming overlap with "Scattered Spider" and "Lapsus$" created a Telegram channel called "ScatteredLapsuSp1d3rHunters" to taunt cybersecurity researchers, law enforcement, and journalists while taking credit for a string of high-profile breaches. Many of these attacks had not previously been attributed to any threat actor, including the attacks on Internet Archive, Pearson, and Coinbase.

One of the attacks claimed by the threat actors is Allianz Life, for which they proceeded to leak the complete databases that were stolen from the company's Salesforce instances. These files consist of the Salesforce "Accounts" and "Contacts" database tables, containing approximately 2.8 million data records for individual customers and business partners, such as wealth management companies, brokers, and financial advisors.

The leaked Salesforce data includes sensitive personal information, such as names, addresses, phone numbers, dates of birth, and Tax Identification Numbers, as well as professional details like licenses, firm affiliations, product approvals, and marketing classifications.

BleepingComputer has been able to confirm with multiple people that their data in the leaked files is accurate, including their phone numbers, email addresses, tax IDs, and other information contained in the database. BleepingComputer contacted Allianz Life about the leaked database but was told that they could not comment as the investigation is ongoing.

The Salesforce data-theft attacks

The Salesforce data theft attacks are believed to have started at the beginning of the year, with the threat actors conducting social engineering attacks to trick employees into linking a malicious OAuth app with their company's Salesforce instances. Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.

Extortion demands were sent to the companies via email and were signed as coming from ShinyHunters. This notorious extortion group has been linked to many high-profile attacks over the years, including those against AT&T, PowerSchool, and the SnowFlake attacks.

While ShinyHunters is known to target cloud SaaS applications and website databases, they are not known for these types of social engineering attacks, causing many researchers and the media to attribute some of the Salesforce attacks to Scattered Spider. However, ShinyHunters told BleepingComputer the "ShinyHunters" group and "Scattered Spider" are now one and the same.

"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer. "They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."

It is also believed that many of the group's members share their roots in another hacking group known as Lapsus$, which was responsible for numerous attacks in 2022-2023, before some of their members were arrested. Lapsus$ was behind breaches at Rockstar Games, Uber, 2K, Okta, T-Mobile, Microsoft, Ubisoft, and NVIDIA. Like Scattered Spider, Lapsus$ was also adept at social engineering attacks and SIM swap attacks, allowing them to run over the IT defenses of billion- and trillion-dollar companies.

Over the past couple of years, there have been many arrests linked to all three collectives, so it's not clear if the current threat actors are old threat actors, new ones who have picked up the mantle, or are simply utilizing these names to plant false flags.
Google discovered a new scam—and also fell victim to it
arstechnica.com

Disclosure comes two months after Google warned the world of ongoing spree.

In June, Google said it unearthed a campaign that was mass-compromising accounts belonging to customers of Salesforce. The means: an attacker pretending to be someone in the customer's IT department feigning some sort of problem that required immediate access to the account. Two months later, Google has disclosed that it, too, was a victim.

The series of hacks are being carried out by financially motivated threat actors out to steal data in hopes of selling it back to the targets at sky-high prices. Rather than exploiting software or website vulnerabilities, they take a much simpler approach: calling the target and asking for access. The technique has proven remarkably successful. Companies whose Salesforce instances have been breached in the campaign, Bleeping Computer reported, include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

Better late than never

The attackers abuse a Salesforce feature that allows customers to link their accounts to third-party apps that integrate data with in-house systems for blogging, mapping tools, and similar resources. The attackers in the campaign contact employees and instruct them to connect an external app to their Salesforce instance. As the employee complies, the attackers ask the employee for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.

Google said that its Salesforce instance was among those that were compromised. The breach occurred in June, but Google only disclosed it on Tuesday, presumably because the company only learned of it recently. “Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the company said. Data retrieved by the attackers was limited to business information such as business names and contact details, which Google said was “largely public” already.

Google initially attributed the attacks to a group tracked as UNC6040. The company went on to say that a second group, UNC6042, has engaged in extortion activities, “sometimes several months after” the UNC6040 intrusions. This group brands itself under the name ShinyHunters.

“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”

With so many companies falling to this scam—including Google, which only disclosed the breach two months after it happened—the chances are good that there are many more we don’t know about. All Salesforce customers should carefully audit their instances to see what external sources have access to them. They should also implement multifactor authentication and train staff how to detect scams before they succeed.
·arstechnica.com·
KLM, Air France latest major orgs to have data looted
theregister.com - European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers' data stolen by way of a break-in at a third party org. The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data. "Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected. "No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen." The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved. However, customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed. KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively. The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity. "We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you." 
The Register approached the companies for additional information but they did not comment beyond the public statement. The attack marks the latest in a string of data lapses at major organizations that also blamed a third party. In recent weeks, luxury retailers Dior, Chanel, and Pandora all reported similar leaks at third party providers, as did Google, Qantas, and Allianz. All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided. None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on Snowflake customers. Scattered Spider also changed its focus toward airlines earlier this year, and some researchers said it could be behind the attack on Hawaiian Airlines in June. Check Point said last month that the attacks on Qantas and WestJet, which all occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly due to the tradecraft that led to the intrusions.
·theregister.com·
Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.
databreaches.net - Chatox and Brosix are communications platforms that advertise for personal use and team use. They are owned by Stefan Chekanov. The only statement Chatox makes about its data security is “Chatox employs encryption across all communications, making it an extremely secure communication and collaboration platform.” Brosix Enterprise advertises its security: Brosix provides you with an efficient and secure communication environment, and Text Chat is a central element of this. With this feature you can instantly send, and receive, text messages to your network contacts. Better yet, all messages sent with Brosix are fully encrypted using end-to-end encryption technology, guaranteeing that your communication remains secure. Brosix uses AES (Advanced Encryption Standard, used by US government) with 256 bit keys. Which means the encryption can’t be broken in a reasonable time. All communication channels are direct, peer-to-peer, between the users and are not routed through Brosix servers. In some cases, if user firewalls do not allow direct connection, data is routed through Brosix servers. In these rare cases, the channels through the servers are built in a way that Brosix cannot decrypt and see the user data that flows. So why did a researcher find a lot of sensitive chats in plain text with individuals’ first and last names, username, password, IP address, chat message, and attached files — all unencrypted?
What to Know
A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. There was a total of 980,972 entries in the users’ tables, with entries going back to 2006. The researcher first logged the backup as exposed in late April. From the logs, the researcher stated that the files in question were exposed from at least May 11th 2024 – July 4th 2025. Because logging only began in late April, the server could have been exposed before then.
The top email domains for each of the two platforms are listed below:

Brosix Enterprise Database          Chatox Database
14826  gmail.com                    63291  mail.ru
 5472  yahoo.com                    48075  gmail.com
 2086  hotmail.com                  20099  yandex.ru
 1805  mail.ru                      13789  yahoo.com
 1111  allstate.com                  7868  hotmail.com
  679  rankinteractive.com           6734  bk.ru
  633  yandex.ru                     4541  allstate.com
  582  issta.co.il                   3316  rambler.ru
  376  outlook.com                   3297  inbox.ru
  353  gp-servicedirect.com          3204  list.ru
·databreaches.net·
Exclusive: Confidential informants exposed in Louisiana sheriff's office hack
san.com - Data stolen by a ransomware gang has exposed highly sensitive information from a Louisiana sheriff’s office, including the names, telephone numbers and Social Security numbers of confidential informants in criminal investigations. Straight Arrow News obtained a copy of the data from DDoSecrets, a non-profit that archives hacked and leaked documents in the public interest. Medusa, a suspected Russian cybercrime group, said on its Dark Web blog in April 2024 that it had pilfered more than 90 gigabytes of data from the East Baton Rouge Sheriff’s Office. The sheriff’s office initially claimed the intrusion had been quickly detected and stopped, allowing the hackers to obtain only a limited amount of data, such as “screenshots of file folders and still images from video files,” WBRZ-TV reported.
65,000 files
A sample of the stolen files shared at the time by Medusa included payroll information, showing that the breach was more substantial than first claimed by the sheriff’s office. Medusa threatened to release all of the data, which contains over 65,000 files, unless the sheriff’s office paid $300,000. There’s no indication the ransom was ever paid. The East Baton Rouge Sheriff’s Office did not respond to a request for comment from SAN. SAN’s analysis of the full data cache provides an insight into just how damaging the breach was. Given the sensitivity of the data, DDoSecrets is only sharing it with approved journalists, researchers and defense attorneys practicing in Baton Rouge. The data covers both the banal day-to-day operations of a law enforcement agency and the potentially life-and-death details of drug cases and other criminal investigations. “The East Baton Rouge Sheriff’s Office data is an extraordinary example of the inner workings of a police department, down to Internal Affairs investigations and details about the use of confidential informants,” DDoSecrets co-founder Emma Best told SAN.
“While the police are obviously of public interest and deserve no privacy, their targets and victims do. With that in mind, we’re refraining from republishing the full data to the public while encouraging journalists and civil rights advocates to engage with it.” Best said the data cache was posted by Medusa to the messaging app Telegram, but that their channels were repeatedly shut down. The contents of the breach have not been extensively reported on until now. Law enforcement entities are common targets for ransomware gangs. In 2021, the Metropolitan Police Department in Washington, D.C., was hacked by a Russian-speaking ransomware group known as Babuk, resulting in the leak of 250 gigabytes of data after the department refused to pay a ransom. The data also included sensitive information on informants and police officers.
Confidential informants
Contracts signed by 34 confidential informants in 2023 are among the exposed data from Louisiana. A document titled “CI Information” lists the names, dates of birth and Social Security numbers of 200 confidential informants involved in narcotics investigations. Names of deputies overseeing informants and case numbers are included, as well as whether the informants are still active. Deactivation dates, indicating when an informant’s work ended, range from 2020 to 2023. A folder titled “C.I. G.P.S. routes” contains numerous images of maps detailing the movements of informants across Baton Rouge.
Seized devices
A document last edited in August 2023 lists devices seized by the sheriff’s office, primarily mobile phones. The document notes whether a warrant had been requested or obtained, as well as additional steps that may have been needed to access a device’s contents. Several phones were turned over to the FBI, the data indicates. Some files mention that cellphone hacking tools were needed to pull data from the devices.
Files refer to both Cellebrite, an Israeli company that produces tools for extracting data from mobile devices, and GrayKey, a mobile forensics tool developed by the US-based company Grayshift that similarly unlocks and extracts data from phones. The data also shows that the Drug Enforcement Agency sought access to historical location data and other information from a target’s cell phone.
Cell phone surveillance
Pen trap and trace search warrants — court orders that allow law enforcement to collect cell phone metadata such as numbers dialed — were issued to cellular service providers T-Mobile, AT&T and Verizon. Many of the warrants mention the use of a “cell site simulator,” also known as an IMSI catcher, to reveal a suspect’s whereabouts. Cell site simulators, commonly referred to as Stingrays, are devices that mimic cell phone towers and can be used to pinpoint the location of specific phones.
Sock puppet accounts
A presentation about online investigations advises officers to create “sock puppet accounts,” a term used to describe a false online identity created to conceal an individual’s real one. For instance, deputies were told to use a free VPN browser add-on for Google Chrome to hide their IP addresses. The website thisxdoesnotexist.com is also listed as a resource for deputies to create AI-generated images of everything from fake people to resumes.
Hidden cameras and drones
A folder titled “Tech” includes brochures listing an array of surveillance technology, such as GPS trackers and hidden cameras that can be placed inside items such as clothing, vape pens and Newport menthol cigarette packs. A list of hidden cameras contains IP addresses, login credentials for remote access and identifying information for both the devices and SIM cards used. One list shows 19 drones operated by the sheriff’s office, the majority of which are made by the Chinese manufacturer DJI.
The drones are used by several divisions of the sheriff’s office, including SWAT and narcotics, for suspect apprehension and search and rescue missions. A PowerPoint presentation in the data cache shows the default password used to access the internal system for logging drone usage. A folder titled “Operation Photos & Videos” shows both surveillance of criminal suspects as well as overhead images of sheriff’s deputies at a shooting range.
Internal affairs
Internal affairs data, including complaints made against the sheriff’s office, accuse deputies of racial profiling, unwarranted searches and excessive force. Incidents range from a deputy being reprimanded for letting his 10- and 12-year-old children drive his patrol vehicle to another being arrested for battery and suspended for 30 days after being involved in a “road rage-type” episode.
Polygraph results
Other files detail the results of polygraph tests given to both deputies and suspects. One file graphically details an alleged sexual assault and concludes that the person being tested had been deceitful. A deputy was also accused of being deceitful after being asked whether he’d referred to homosexuals as “disgusting” when discussing a fellow deputy believed to be gay.
·san.com·
Tea app hacked: 13,000 photos leaked after 4chan call to action
nbcnews.com - Hackers have breached the Tea app, which went viral as a place for women to talk about men, and tens of thousands of women’s photos have now been leaked online. A spokesperson confirmed the hack Friday afternoon. The company estimates that 72,000 images, including 13,000 verification photos and images of government IDs, were accessed. Tea is designed to function as a virtual whisper network for women, allowing them to upload photos of men and search for them by name. Users can leave comments describing specific men as a “red flag” or “green flag,” and share other information about them. It’s recently gained such popularity that it became the top free app in the Apple App Store this week. The app claimed Thursday to have recently gained nearly a million new signups. Signing up for Tea requires users to take selfies, which the app says are deleted after review, to prove they are women. All users who get accepted are promised anonymity outside of the usernames they choose. Taking screenshots of what’s in the app is also blocked. The hacker accessed a database from more than two years ago, the Tea spokesperson said, adding that “This data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention.” The Tea spokesperson said that the company has hired third-party cybersecurity experts and is “working around the clock to secure our systems.”
·nbcnews.com·
Dior begins sending data breach notifications to U.S. customers
bleepingcomputer.com - The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information. Dior is a French luxury fashion house, part of the LVMH (Moët Hennessy Louis Vuitton) group, which is the world's largest luxury conglomerate. The Dior brand alone generates an annual revenue of over $12 billion, operating hundreds of boutiques worldwide. The security incident occurred on January 26, 2025, but the company only became aware of it on May 7, 2025, launching internal investigations to determine its scope and impact. "Our investigation determined that an unauthorized party was able to gain access to a Dior database that contained information about Dior clients on January 26, 2025," reads the notice sent to affected individuals. "Dior promptly took steps to contain the incident, and we have no evidence of subsequent unauthorized access to Dior systems." Based on the findings of the investigation, the following information has been exposed:
- Full names
- Contact details
- Physical address
- Date of birth
- Passport or government ID number (in some cases)
- Social Security Number (in some cases)
The company clarifies that no payment details, such as bank account or payment card information, were contained in the compromised database, so this information remains safe.
·bleepingcomputer.com·
Seychelles Commercial Bank Confirms Customer Data Breach
bankinfosecurity.com - Hacker Claims to Have Exploited Flaw in Oracle WebLogic Server, Sold Stolen Data
A hacker claims to have stolen and sold the personal data of clients of Seychelles Commercial Bank. The bank, which provides personal and corporate services on Seychelles, one of the world's smallest countries, notified customers of a hack, but said only personal information - not money - was stolen. The archipelago nation in the Indian Ocean, located northeast of Madagascar, sports 98,000 inhabitants, ranks as the richest country in Africa and has a reputation for being a tax haven. Seychelles Commercial Bank on Friday said it "recently identified and contained a cybersecurity incident, which has resulted in its internet banking services being temporarily suspended," and requested customers "make use of our ATMs or visit one of our branches during normal banking hours." In its breach notification, the bank told customers: "SCB regrets to inform that this cyber incident resulted in unintentional exposure of personal information of internet banking customers only. The bank reassures all its internet banking customers that no funds have been accessed."
·bankinfosecurity.com·
Thousands of Afghans relocated to UK under secret scheme after data leak
theguardian.com - Conservative government used superinjunction to hide error that put Afghans at risk and led to £2bn mitigation scheme. Dan Sabbagh and Emine Sinmaz, Tue 15 Jul 2025 22.07 CEST. Conservative ministers used an unprecedented superinjunction to suppress a data breach that led the UK government to offer relocation to 15,000 Afghans in a secret scheme with a potential cost of more than £2bn. The Afghan Response Route (ARR) was created in haste after it emerged that personal information about 18,700 Afghans who had applied to come to the UK had been leaked in error by a British defence official in early 2022. Panicked ministers and officials at the Ministry of Defence learned of the breach in August 2023 after data was posted to a Facebook group and applied to the high court for an injunction – the first sought by a British government – to prevent any further media disclosure. It was feared that publicity could put the lives of many thousands of Afghans at risk if the Taliban, who had control of the country after the western withdrawal in August 2021, were to become aware of the existence of the leaked list and to obtain it. The judge in the initial trial, Mr Justice Knowles, granted the application “contra mundum” – against the world – and ruled that its existence remain secret, resulting in a superinjunction which remained in place until lifted on Tuesday. The gagging order meant that both the data breach and the expensive mitigation scheme remained hidden despite its size and cost until the near two-year legal battle was brought to a close in the high court.
At noon on Tuesday, the high court judge Mr Justice Chamberlain said it was time to end the superinjunction, which he said had the effect of concealing discussions about spending “the sort of money which makes a material difference to government spending plans and is normally the stuff of political debate”. A few minutes later, John Healey, the defence secretary, offered a “sincere apology” for the data breach. In a statement to the Commons, he said he had felt “deeply concerned about the lack of transparency” around the data breach and “deeply uncomfortable to be constrained from reporting to this house”.
·theguardian.com·
Nippon Steel Subsidiary Blames Data Breach on Zero-Day Attack
securityweek.com - Nippon Steel Solutions has disclosed a data breach that resulted from the exploitation of a zero-day in network equipment. Japan-based Nippon Steel Solutions on Tuesday disclosed a data breach that resulted from the exploitation of a zero-day vulnerability. Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal. Nippon Steel Solutions said in a statement posted on its Japanese-language website that it detected suspicious activity on some servers on March 7. An investigation showed that hackers had exploited a zero-day flaw in unspecified network equipment, and gained access to information on customers, partners and employees. In the case of customers, the attackers may have stolen information such as name, company name and address, job title, affiliation, business email address, and phone number. The exposed information in the case of partners includes names and business email addresses, while in the case of employees the attackers may have obtained names, business email addresses, job titles, and affiliation. Nippon Steel Solutions said the information may have been exfiltrated, but to date it has found no evidence of a data leak on the dark web or elsewhere. The notorious ransomware group BianLian claimed to have stolen hundreds of gigabytes of data from Nippon Steel USA in mid-February, including files related to finances, employees, and production. The cybercriminals at the time threatened to leak all of the stolen data, but the group went dark a few weeks later. Nippon Steel does not appear to have confirmed a data breach in response to BianLian’s claims and it’s unclear if the two incidents are related. SecurityWeek has reached out to NS Solutions for clarifications and will update this
·securityweek.com·
Bitcoin Depot breach exposes data of nearly 27,000 crypto users
Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information. In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23. Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed. “On July 18, 2024, the investigation was complete, and we identified your personal information contained within documents related to certain of our customers that the unauthorized individual obtained,” explains Bitcoin Depot in the letter. “Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation.” The type of data that has been exposed in this incident varies from individual to individual and may include:
- Full name
- Phone number
- Driver’s license number
- Address
- Date of birth
- Email address
Bitcoin Depot is one of the largest Bitcoin ATM networks in the United States, operating 8,800 machines in the U.S., Canada, and Australia.
·bleepingcomputer.com·
Johnson Controls starts notifying people affected by 2023 breach
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023. Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024. As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company's Asian offices in February 2023 and subsequent lateral movement through its network. "Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems," the company says in data breach notification letters filed with California's Attorney General, redacted to conceal what information was stolen in the attack. "After becoming aware of the incident, we terminated the unauthorized actor's access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023."
·bleepingcomputer.com·
UK watchdog fines 23andMe over 2023 data breach
The ICO said over 150,000 U.K. residents had data stolen in the breach. The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach. The Information Commissioner’s Office (ICO) said on Tuesday it has fined the genetic testing company as it “did not have additional verification steps for users to access and download their raw genetic data” at the time of its cyberattack. In 2023, hackers stole private data on more than 6.9 million users over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law. The ICO said over 155,000 U.K. residents had their data stolen in the breach. In response to the fine, 23andMe told TechCrunch that it had rolled out mandatory multi-factor authentication for all accounts. The ICO said it is in contact with 23andMe’s trustee following the company’s filing for bankruptcy protection. A hearing on 23andMe’s sale is expected later on Wednesday.
·techcrunch.com·
No, the 16 billion credentials leak is not a new data breach
News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks. To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials. Instead, these stolen credentials were likely circulating for some time, if not for years. They were then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet. Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples. An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide. ... The infostealer problem has gotten so bad and pervasive that compromised credentials have become one of the most common ways for threat actors to breach networks.
·bleepingcomputer.com·